Aspects of Pairing Inversion
|
|
- Christiana Skinner
- 5 years ago
- Views:
Transcription
1 Applications of Aspects of ECC Dublin Aspects of
2 Applications of Applications of Aspects of
3 Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear map e : G 1 G 2 G T. Bilinearity: e(p1 + P 2, Q) = e(p 1, Q)e(P 2, Q), e(p, Q1 + Q 2 ) = e(p, Q)e(P, Q 2 ). Non-degenerate: for all P 0: x G2 such that e(p, x) 1 for all Q 0: x G1 such that e(x, Q) 1 Examples: Scalar product on euclidean space, : R n R n R. Weil- and Tate pairings on elliptic curves and abelian varieties. Aspects of
4 Applications of Isomorphisms via pairings Since G 1, G 2, G T have prime order r, they re isomorphic. Pairing with first argument fixed, gives isomorphism between G 2 and G T : φ 2 : G 2 G T : Q φ 2 (Q) = e(p, Q) Pairing with second argument fixed, gives isomorphism between G 1 and G T : φ 1 : G 1 G T : P φ 1 (P) = e(p, Q) Generates all isomorphisms between G i and G T, without need to compute DLOGs. Aspects of
5 Applications of DLP, CDH & DDH Let G, + be a group of prime order r. DLP: Given a tuple (P, ap) compute a. CDH: Given a triple (P, ap, bp) compute abp. DDH: Given a quadruple (P, ap, bp, cp) decide if abp = cp. Aspects of
6 Applications of Pairings in cryptography Exploit bilinearity! MOV: DLP reduction from G 1 to G T : DLP ing 1 : (P, xp) DLP in G T : (φ 1 (P), φ 1 (xp)) = (e(p, Q), e(xp, Q)) Decision DH in G 1 : DDH : (P, ap, bp, cp) test if e(cp, Q) = e(ap, bq) but how get bq? Possible if computable isomorphism ψ 1 : G 1 G 2 with ψ 1 (P) = Q. Identity based crypto, short signatures,... Aspects of
7 Applications of Pairing inversion problems Fixed Argument 1 (FAPI-1) problem: Given P G 1 and z G T, compute Q G 2 such that e(p, Q) = z. Fixed Argument 2 (FAPI-2) problem: Given Q G 2 and z G T, compute P G 1 such that e(p, Q) = z. Generalised (GPI): Given z G T, find P G 1 and Q G 2 with e(p, Q) = z. Aspects of
8 Applications of FAPI s and CDH Generalisation of Verheul s result: e : G 1 G 2 G T is non-degenerate bilinear pairing on cyclic groups of prime order r. Suppose one can solve FAPI-1 and FAPI-2 in polynomial time. Then one can solve CDH in G 1, G 2 and G T in polynomial time. Aspects of
9 Applications of FAPI s and CDH Proof for G 1 : O i is FAPI-i oracle. Let (P, ap, bp) be a CDH input in G 1. Choose random Q G 2 and compute z = e(ap, Q). Call O 1 (P, z) to get aq. Now compute z = e(bp, aq) and call O 2 (Q, z ) to get abp. Aspects of
10 Applications of FAPI s and isomorphisms If one can solve FAPI-1 in polynomial time then one can compute all group isomorphisms ψ 1 : G 1 G 2 in polynomial time. Let P G 1 and Q G 2 be generators, then can compute ψ 1 such that ψ 1 (P) = Q. Similar result holds for FAPI-2. Aspects of
11 Applications of FAPI s and DDH If one can solve FAPI-1 in polynomial time then one can solve DDH in G 1 in polynomial time. Proof: Let (P, ap, bp, cp) be DDH quadruple. Want to test if e(cp, Q) = e(bp, aq)? How to get aq? Choose Q G 2 and let ψ 1 : G 1 G 2 be such that ψ 1 (P) = Q. Compute aq = ψ 1 (ap). Aspects of
12 Applications of Pairing inversion and BDH Bilinear-Diffie-Hellman problem (BDH-1) is: given P, ap, bp G 1 and Q G 2 to compute e(p, Q) ab. If one can solve FAPI-1 in polynomial time then one can solve BDH-1 in polynomial time. Proof: Let (P, ap, bp, Q) be BDH-1 quadruple. Let ψ 1 : G 1 G 2 be such that ψ 1 (P) = Q. Compute aq = ψ 1 (ap) and obtain z = e(bp, aq) = e(p, Q) ab. No implications for finite field crypto? Aspects of
13 Applications of Notation Let E be an elliptic curve over a finite field F q, i.e. E : y 2 = x 3 + ax + b for p > 5 Point sets E(F q k ) define an abelian group for all k 1. Hasse-Weil: number of points in E(F q ) is q + 1 t with t 2 q t is called trace of Frobenius. Aspects of
14 Applications of Torsion subgroups E[r] subgroup of points of order dividing r, i.e. E[r] = {P E(F q ) rp = } Structure of E[r] for gcd(r, q) = 1 is Z/rZ Z/rZ. Let r #E(F q ), then E(F q )[r] gives at least one component. Embedding degree: k minimal with r (q k 1). Note r-roots of unity µ r F. q k If k > 1 then E(F q k )[r] = E[r]. Aspects of
15 Applications of Trace and embedding degree Recall r #E(F q ) and #E(F q ) = q + 1 t So q t 1 mod r. Since x k 1 = d k Φ d(x), have r Φ k (q). Conclusion: r Φ k (t 1), so Φ k (t 1) r. t can be as small as r 1/ϕ(k), but not smaller. Aspects of
16 Applications of Frobenius endomorphism Frobenius: ϕ : E E : (x, y) (x q, y q ) Characteristic polynomial: ϕ 2 [t] ϕ + [q] = 0 Eigenvalues on E[r]: 1 and q since r #E(F q ) For k > 1 have q 1 mod r, thus decomposition of E[r] into Frobenius eigenspaces: E[r] = E(F q k )[r] = P Q with ϕ(p) = P and ϕ(q) = qq Notation used before: G 1 = P and G 2 = Q Aspects of
17 Applications of Miller functions Let P E(F q ) and n N. A Miller function f n,p is any function in F q (E) with divisor (f n,p ) = n(p) ([n]p) (n 1)( ) f n,p is determined up to a constant c F q. f n,p has a zero at P of order n. f n,p has a pole at [n]p of order 1. f n,p has a pole at of order (n 1). For every point Q P, [n]p,, we have f n,p (Q) F q. Aspects of
18 Applications of Miller s algorithm Use double-add algorithm to compute f n,p for any n N. Exploit relation: f m+n,p = f m,p f n,p l[n]p,[m]p v [n+m]p l [n]p,[m]p : the line through [n]p and [m]p v [n+m]p : the vertical line through [n + m]p Evaluate at Q in every step Aspects of
19 Applications of Tate pairing Let P E(F q k )[r] and f r,p F q k (E) with (f r,p ) = r(p) r( ) Note: f r,p has zero of order r at P and pole of order r at. Tate pairing is defined as (assuming normalisation) P, Q r = f r,p (Q) Domain and image are:, r : E(F q k )[r] E(F q k )/re(f q k ) F q k /(F q k ) r Reduced Tate pairing: e(p, Q) = P, Q (qk 1)/r r Aspects of
20 Applications of Ate pairing Non-degenerate pairing defined on G 2 G 1 only. Let S be integer with S q mod r and N = gcd(s k 1, q k 1) Let c S = k 1 i=0 Sk 1 i q i mod N. Then a S : G 2 G 1 µ r, (Q, P) f norm S,Q (P)c S(q k 1)/N defines a bilinear pairing, Typical choices for S are: S = t 1 with t trace of Frobenius. S = q, then no final exponentiation necessary. In general t 1 q, but could be as small as r 1/ϕ(k). Aspects of
21 Applications of Pairing Zoo Pairing Domain Where Who s Red Tate E[r] E/rE All HECs Miller r No eta G 1 G 2 SuSi BGOS t 1 No ate EC G 2 G 1 All ECs HSV t 1 No ate EC G 1 G 2 SuSi HSV t 1 No ate HEC G 2 G 1 All HECs GHOTV q Yes ate HEC G 1 G 2 SuSp GHOTV q Yes Aspects of
22 Applications of Extreme elliptic ate Curves with t = 1 give shortest loop in Miller s algorithm. Let E : y 2 = x over F p with p = , then t = 1, r = , k = 31 and D = 3. Let y λ(q)x ν(q) with λ = 3x 2 Q /(2y Q) and ν = ( x 3 Q + 8)/(2y Q) be the tangent at Q. The function (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) defines a non-degenerate pairing on G 2 G 1. Aspects of
23 Applications of Extreme elliptic ate: corollary Since (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) defines a non-degenerate pairing on G 2 G 1 we have corollary that for all P G 1 and Q G 2 the expressions (y P λ(q)x P ν(q)) 2 (y [2]P λ(q)x [2]P ν(q)) are 3r-th powers. and (y P λ(q)x P ν(q)) 2 (y P λ([2]q)x P ν([2]q)) Aspects of
24 Applications of Miller inversion Most pairings can be expressed as e(p, Q) := f s,p (Q) d for integers s and d and f s,p a Miller function. Possible approach: find correct d-th root first and then solve for Q in f s,p (Q) Miller inversion: Let P be fixed, let S be a set of points and take z F q k. Compute a point Q S such that z = f s,p (Q) or if no such point exists then output no solution. Aspects of
25 Applications of Miller inversion in polytime Setting: Ate pairing on G 2 G 1. Let S 2 and Q have order > 2. Then f s,q (x, y) can be written as f s,q (x, y) = f 1(x) + yf 2 (x) (x x [s]q ) with deg f 1 (x) (S + 1)/2 and deg f 2 (x) S/2 1. Miller inversion is equivalent with finding root of P(x) := (f 1 (x) z(x x [s]q )) 2 f 2 (x) 2 (x 3 + ax + b) of degree at most S + 1. Note: polynomial defined over F q k, but root over F q. Aspects of
26 Applications of Miller inversion in polytime Finding root of P(x) F q k [x] in F q is computing gcd(x q x, P(x)). Takes O( t 2 log q) operations in F q k or O( t 2 k 2 (log q) 3 ) bit-operations. If t and k grow as a polynomial function of log r, one can solve MI in polynomial time. Lemma: There exist families of parameters of pairing friendly curves for which the Miller inversion problem can be solved in polynomial time. Aspects of
27 Applications of FAPI-1 for ate pairing on small trace curves Recall extreme elliptic ate pairing a 2 (Q, P) ( y P λ(q)x P ν(q) ) (q k 1)/(3r) Problem: given Q = (x Q, y Q ) and a target z µ r F, q k need to solve (y λ(q)x ν(q)) (qk 1)/(3r) = z for some (x, y) E(F q ). Aspects of
28 Applications of FAPI-1 for ate pairing on small trace curves But: there are d = (q k 1)/(3r) possible roots of z. Only one of them of form y λx ν for some (x, y) E(F q ). Easy to compute random d-th roots of z, but hard to select the correct root. Can generate many more equations by a 2 (uq, P) = z u. Simpler problem: given many pairs (a, z) F 2 q k, with z = (a + x) d for some x F q, find x. Easy when d (q k 1), but how hard for d (q k 1)? Aspects of
29 Applications of FAPI-1 P MI Is solving MI sufficient to solve FAPI-1? Most people: no, since given z 0 = f s,p (Q) d, still need to try out all d possible roots. Idea: what if you take a random d-th root? Tate-Lichtenbaum pairing: t(, ) : E(F q )[r] E(F q k )/re(f q k ) F q k /(F q k ) r Reduced TL pairing into µ r : e(, ) = t(, ) (qk 1)/r Aspects of
30 Applications of FAPI-1 P MI For P E(F q )[r] let S 2 (P) denote set {Q E(F q k )} with e(p, Q) = 1 Suppose e(p, Q 1 ) = e(p, Q 2 ), then clearly Q 3 := Q 1 Q 2 S 2 (P) If #S 2 (P) is big enough, then likely that there exists Q E(F q k ) with Q := Q + R with R S 2 (P) and for a random root z of z 0. f s,p (Q ) = z Aspects of
31 Applications of FAPI-1 P MI TL pairing: already have re(f q k ) S 2 (P), but this only gives q k /r 2 points. For k > 1, also have E(F q e) S 2 (P) for all e k. At least have that E(F q )[r] S 2 (P). Since r E(F q ), E(F q )[r] re(f q k ) = {O} and thus S 2 (P) E(F q )[r] re(f q k ) rq k /r 2 d. Suggests that for the TL pairing with k > 1, FAPI-1 P MI. Above fails for ate pairing since only defined on G 2 G 1. Aspects of
32 Applications of A degree bound Ate pairing gave isomorphism of G 1 with µ r of the form f s,q ( ) d with f s,q function of low degree. However: total degree of f s,q ( ) d still very high. Lemma: Let E be an elliptic curve and f F q k (E). Assume that Q f (Q) d defines a non-constant homomorphism G 2 µ r for some positive exponent d. Then d deg(f ) (1/6)#G 2. Aspects of
33 Applications of Conclusions FAPI s and implications for crypto. MI can be easy. Extreme elliptic ate leads to new supposedly hard problem? For TL pairing have FAPI-1 P MI. No homomorphisms of low degree into µ r. Inverting pairings still hard... Aspects of
Ate Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationAspects of Pairing Inversion
Aspects of Pairing Inversion 1 S. Galbraith, and F. Hess, and F. Vercauteren Abstract We discuss some applications of the pairing inversion problem and outline some potential approaches for solving it.
More informationAspects of Pairing Inversion
Aspects of Pairing Inversion S. Galbraith 1, F. Hess 2, and F. Vercauteren 3 1 Mathematics Department, Royal Holloway University of London, Egham, Surrey TW20 0EX, UK. steven.galbraith@rhul.ac.uk 2 Technische
More informationParshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU
Parshuram Budhathoki FAU October 25, 2012 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization Alice, Bob and Charlie want to
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationThe Hidden Root Problem
EPFL 2008 Definition of HRP Let F q k be a finite field where q = p n for prime p. The (Linear) Hidden Root Problem: let r N0 be given and x F q k hidden access to oracle Ox that given (a, b) F 2 q k returns
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationEfficient and Generalized Pairing Computation on Abelian Varieties
ECC 2008 Efficient and Generalized Pairing Computation on Abelian Varieties Hyang-Sook Lee Ewha Womans University Korea Joint Work with Eunjeong Lee (North Carolina State University) Cheol-Min Park (EWHA)
More informationImplementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationScalar multiplication in compressed coordinates in the trace-zero subgroup
Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationCounting points on elliptic curves over F q
Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationFoundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE
Foundations P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE NP problems: IF, DL, Knapsack Hardness of these problems implies the security of cryptosytems? 2 Relations of
More informationOptimal Pairings. F. Vercauteren
Optimal Pairings F. Vercauteren Department of Electrical Engineering, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium frederik.vercauteren@esat.kuleuven.be Abstract.
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationUSING ABELIAN VARIETIES TO IMPROVE PAIRING-BASED CRYPTOGRAPHY
USING ABELIAN VARIETIES TO IMPROVE PAIRING-BASED CRYPTOGRAPHY K. RUBIN AND A. SILVERBERG Abstract. We show that supersingular abelian varieties can be used to obtain higher MOV security per bit, in all
More informationEfficient Computation of Miller's Algorithm in Pairing-Based Cryptography
University of Windsor Scholarship at UWindsor Electronic Theses and Dissertations 2017 Efficient Computation of Miller's Algorithm in Pairing-Based Cryptography Shun Wang University of Windsor Follow this
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationHidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith 2 Pairings in cryptography Elliptic curves have become an important tool in cryptography and pairings have
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationSecure Bilinear Diffie-Hellman Bits
Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationNumber Theory in Cryptology
Number Theory in Cryptology Abhijit Das Department of Computer Science and Engineering Indian Institute of Technology Kharagpur October 15, 2011 What is Number Theory? Theory of natural numbers N = {1,
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationFINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD
FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationElliptic curves: Theory and Applications. Day 3: Counting points.
Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:
More informationElliptic Curves Spring 2015 Lecture #7 02/26/2015
18.783 Elliptic Curves Spring 2015 Lecture #7 02/26/2015 7 Endomorphism rings 7.1 The n-torsion subgroup E[n] Now that we know the degree of the multiplication-by-n map, we can determine the structure
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationThe Eta Pairing Revisited
1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto
More informationAn Introduction to Elliptic Curve Cryptography
Harald Baier An Introduction to Elliptic Curve Cryptography / Summer term 2013 1/22 An Introduction to Elliptic Curve Cryptography Harald Baier Hochschule Darmstadt, CASED, da/sec Summer term 2013 Harald
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationArithmetic Operators for Pairing-Based Cryptography
Arithmetic Operators for Pairing-Based Cryptography Jean-Luc Beuchat Laboratory of Cryptography and Information Security Graduate School of Systems and Information Engineering University of Tsukuba 1-1-1
More informationCS 6260 Some number theory
CS 6260 Some number theory Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of positive integers and N = {0, 1, 2,...} the set of non-negative integers. If
More informationThe Eta Pairing Revisited
The Eta Pairing Revisited F. Hess 1, N. Smart 2, and Frederik Vercauteren 3 1 Technische Universität Berlin, Fakultät II, Institut für Mathematik, MA 8-1, Strasse des 17. Juni 136, D-10623 Berlin, Germany.
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationWeil pairing. Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg. Wednesday 22 nd June, 2016.
Weil pairing Jana Sotáková Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg Wednesday 22 nd June, 2016 Abstract In this talk we are mainly invested in constructing
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationThe Final Exponentiation in Pairing-Based Cryptography
The Final Exponentiation in Pairing-Based Cryptography Barış Bülent Kırlar Department of Mathematics, Süleyman Demirel University, 3220, Isparta, Turkey Institute of Applied Mathematics, Middle East Technical
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationCOUNTING POINTS ON ELLIPTIC CURVES OVER F q
COUNTING POINTS ON ELLIPTIC CURVES OVER F q RENYI TANG Abstract. In this expository paper, we introduce elliptic curves over finite fields and the problem of counting the number of rational points on a
More informationElliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.
Elliptic Curves Cryptography and factorization Part VIII Elliptic curves cryptography and factorization Cryptography based on manipulation of points of so called elliptic curves is getting momentum and
More informationOptimal Pairings. Frederik Vercauteren
Optimal Pairings 1 Frederik Vercauteren Abstract In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with
More informationThe Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem
The Decisional Diffie-Hellman Problem and the Uniform Boundedness Theorem Qi Cheng and Shigenori Uchiyama April 22, 2003 Abstract In this paper, we propose an algorithm to solve the Decisional Diffie-Hellman
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationArithmetic Progressions Over Quadratic Fields
Arithmetic Progressions Over Quadratic Fields Alexander Diaz, Zachary Flores, Markus Vasquez July 2010 Abstract In 1640 Pierre De Fermat proposed to Bernard Frenicle de Bessy the problem of showing that
More informationMATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION
MATH 431 PART 2: POLYNOMIAL RINGS AND FACTORIZATION 1. Polynomial rings (review) Definition 1. A polynomial f(x) with coefficients in a ring R is n f(x) = a i x i = a 0 + a 1 x + a 2 x 2 + + a n x n i=0
More informationHyperelliptic pairings
Hyperelliptic pairings Steven D. Galbraith 1, Florian Hess 2, and Frederik Vercauteren 3 1 Mathematics Department, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, UK. steven.galbraith@rhul.ac.uk
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationEfficient Algorithms for Pairing-Based Cryptosystems
Efficient Algorithms for Pairing-Based Cryptosystems Paulo S. L. M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica. Av. Prof. Luciano Gualberto,
More informationIntroduction to Cryptology. Lecture 20
Introduction to Cryptology Lecture 20 Announcements HW9 due today HW10 posted, due on Thursday 4/30 HW7, HW8 grades are now up on Canvas. Agenda More Number Theory! Our focus today will be on computational
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues
More informationComputing the endomorphism ring of an ordinary elliptic curve
Computing the endomorphism ring of an ordinary elliptic curve Massachusetts Institute of Technology April 3, 2009 joint work with Gaetan Bisson http://arxiv.org/abs/0902.4670 Elliptic curves An elliptic
More informationChapter 5. Modular arithmetic. 5.1 The modular ring
Chapter 5 Modular arithmetic 5.1 The modular ring Definition 5.1. Suppose n N and x, y Z. Then we say that x, y are equivalent modulo n, and we write x y mod n if n x y. It is evident that equivalence
More informationLecture 11: Number Theoretic Assumptions
CS 6903 Modern Cryptography April 24, 2008 Lecture 11: Number Theoretic Assumptions Instructor: Nitesh Saxena Scribe: Robert W.H. Fisher 1 General 1.1 Administrative Homework 3 now posted on course website.
More informationElementary Number Theory and Cryptography, 2014
Elementary Number Theory and Cryptography, 2014 1 Basic Properties of the Integers Z and the rationals Q. Notation. By Z we denote the set of integer numbers and by Q we denote the set of rational numbers.
More information標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装
九州大学学術情報リポジトリ Kyushu University Institutional Repository 標数 3 の超特異楕円曲線上の ηt ペアリングの高速実装 川原, 祐人九州大学大学院数理学府 https://doi.org/10.15017/21704 出版情報 :Kyushu University, 2011, 博士 ( 機能数理学 ), 課程博士バージョン :published
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationOn the Bit Security of Elliptic Curve Diffie Hellman
On the Bit Security of Elliptic Curve Diffie Hellman Barak Shani Department of Mathematics, University of Auckland, New Zealand Abstract This paper gives the first bit security result for the elliptic
More informationShort Signatures from the Weil Pairing
Short Signatures from the Weil Pairing Dan Boneh dabo@cs.stanford.edu Ben Lynn blynn@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We introduce a short signature scheme based on the Computational
More informationFinite Fields and Elliptic Curves in Cryptography
Finite Fields and Elliptic Curves in Cryptography Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography 1 Overview Public-key vs. symmetric cryptosystem
More informationPAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction
PAIRINGS ON HYPERELLIPTIC CURVES JENNIFER BALAKRISHNAN, JULIANA BELDING, SARAH CHISHOLM, KIRSTEN EISENTRÄGER, KATHERINE E. STANGE, AND EDLYN TESKE Dedicated to the memory of Isabelle Déchène (1974-2009)
More informationA quasi polynomial algorithm for discrete logarithm in small characteristic
CCA seminary January 10, 2014 A quasi polynomial algorithm for discrete logarithm in small characteristic Razvan Barbulescu 1 Pierrick Gaudry 2 Antoine Joux 3 Emmanuel Thomé 2 LIX, École Polytechnique
More informationCS259C, Final Paper: Discrete Log, CDH, and DDH
CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More information