Pairings for Cryptography
|
|
- Lorin Todd
- 5 years ago
- Views:
Transcription
1 Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009
2 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +), (G 2, +), (G 3, ) are abelian groups. bilinear: e(p 1 + P 2, Q 1 ) = e(p 1, Q 1 )e(p 2, Q 1 ), e(p 1, Q 1 + Q 2 ) = e(p 1, Q 1 )e(p 1, Q 2 ), i.e. e(ap, Q) = e(p, Q) a = e(p, aq), a Z. non-degenerate: given 0 P G 1 there is a Q G 2 with e(p, Q) 1. Cryptographic applications require e to be efficiently computable and the DLPs in G 1, G 2, G 3 to be hard.
3 Applications of pairings in cryptography Attack DL-based cryptography on elliptic curves (Menezes-Okamoto-Vanstone-1993, Frey-Rück-1994). Construct crypto systems with certain special properties: One-round tripartite key agreement (Joux-2000), Identity-based, non-interactive key agreement (Ohgishi-Kasahara-2000), Identity-based encryption (Boneh-Franklin-2001), Hierarchical IBE (Gentry-Silverberg-2002), Short signatures (Boneh-Lynn-Shacham-2001), Searchable encryption (Boneh-Di Crescenzo-Ostrovsky-Persiano-2004), Non-interactive proof systems (Groth-Sahai-2008), much more...
4 Elliptic curves Take an elliptic curve E over F q (char(f q ) = p > 3) with Weierstrass equation E : y 2 = x 3 + ax + b, E(F q ) = {(x, y) F 2 q : y2 = x 3 + ax + b} {O}, n = #E(F q ) = q + 1 t, t 2 q, and r n a large prime divisor of n (r p). For F F q : E(F) = {(x, y) F 2 : y 2 = x 3 + ax + b} {O}, E = E(F q ), F q an algebraic closure of F q. E is an abelian group (written additively) with neutral element O.
5 Torsion points and embedding degree The set of r-torsion points on E is E[r] = {P E [r]p = O} = Z/rZ Z/rZ. Since r #E(F q ), we have E(F q )[r]. The embedding degree of E w.r.t. r is the smallest integer k with r q k 1. For k > 1 we have E[r] E(F q k), i. e. E(F q )[r] E(F q k)[r] = E[r].
6 The reduced Tate pairing Let k > 1. The reduced Tate pairing t r : E(F q k)[r] E(F q k)/[r]e(f q k) µ r F q k, (P, Q) f r,p (Q) qk 1 r is a non-degenerate, bilinear map, where f r,p is a function with divisor (f r,p ) = r(p) r(o), µ r is the subgroup of r-th roots of unity in F. q k The computation of the pairing has two stages: evaluation of the Miller function f r,p at Q, the final exponentiation to the power (q k 1)/r.
7 Specific parameters for crypto k should be small, DLPs in all groups must be hard, for efficiency reasons balance the security. Security Extension field EC base point ratio level (bits) size of q k (bits) order r (bits) ρ k ECRYPT II recommendations (2009), ρ = log(q)/ log(r).
8 Small embedding degree The embedding degree condition says r q k 1, r q m 1, m < k or q k 1 (mod r), q m 1 (mod r), m < k. This means: k is the (multiplicative) order of q modulo r, k r 1. There are only ϕ(k) < k elements of order k mod r. Given r and q, it is very unlikely that q is one of them. (Note: r has at least 160 bits.)
9 Pairing-friendly curves Fix a suitable value for k and find primes r, p and a number n with the following conditions: n = p + 1 t, t 2 p, r n, r p k 1, t 2 4p = Dv 2 < 0, D, v Z, D < 0 squarefree, D small enough to compute the Hilbert class polynomial in Q( D). Given such parameters, a corresponding elliptic curve over F p can be constructed by the CM method. See Freeman, Scott, and Teske (A taxonomy of pairing-friendly elliptic curves) for an overview of construction methods and recommendations.
10 MNT curves and Freeman curves MNT curves (2001): ρ 1 and k {3, 4, 6}. k p(u) t(u) 3 12u ± 6u 4 u 2 + u + 1 u or u u ± 2u Freeman curves (2006): ρ 1 and k = 10. p(u) = 25u u u u + 3, t(u) = 10u 2 + 5u + 3. In both families, curves are very rare. Need to solve a Pell equation to find curves. D is variable.
11 BN curves (Barreto-N., 2005) If u Z such that p = p(u) = 36u u u 2 + 6u + 1, n = n(u) = 36u u u 2 + 6u + 1 are both prime, then there exists an ordinary elliptic curve with equation E : y 2 = x 3 + b, b F p, r = n = #E(F p ) is prime, i. e. ρ 1, the embedding degree is k = 12, t 2 4p(u) = 3(6u 2 + 4u + 1) 2. BN curves are ideal for the 128-bit security level.
12 Specific parameters Security Family r k ρ ρ k p k level (bits) (bits) (bits) 80 MNT Fre BN KSS KSS Cyc
13 Three groups In practice, restrict the arguments of the Tate pairing to groups of prime order r. Assume r 2 #E(F p k), k > 1. Define: G 1 = E(F p k)[r] ker(φ p [1]) = E(F p )[r], G 2 = E(F p k)[r] ker(φ p [p]), G 3 = µ r F p k. φ p is the p-power Frobenius on E, i. e. φ p (x, y) = (x p, y p ). It is E(F p k)[r] = G 1 G 2. If P E(F p )[r], then t r (P, P) = 1. Take Q / P = G 1. Can compute the Tate pairing on G 1 G 2 or on G 2 G 1.
14 Two choices The reduced Tate pairing: t r : G 1 G 2 G 3, (P, Q) The ate pairing: Let T = t 1. a T : G 2 G 1 G 3, (Q, P) f r,p (Q) pk 1 r. f T,Q (P) pk 1 r.
15 Miller s algorithm (Tate) Input: P G 1, Q G 2, r = (r m,...,r 0 ) 2 Output: t r (P, Q) = f r,p (Q) pk 1 r R P, f 1 for (i m 1; i 0; i ) do f f 2 l R,R (Q) v [2]R (Q) R [2]R if (r i = 1) then f f l R,P (Q) v R+P (Q) R R + P end if end for f f pk 1 r return f
16 Miller s algorithm (ate) Input: P G 1, Q G 2, T = (t m,...,t 0 ) 2 Output: a T (P, Q) = f T,Q (P) pk 1 r R Q, f 1 for (i m 1; i 0; i ) do f f 2 l R,R (P) v [2]R (P) R [2]R if (t i = 1) then f f l R,Q(P) v R+Q (P) R R + Q end if end for f f pk 1 r return f
17 Line functions Line functions correspond to the lines in the point doubling/addition, l P1,P 2 : line through P 1 and P 2, tangent if P 1 = P 2, v P3 : vertical line through P 3 = P 1 + P 2. P 3 l P1,P 2 P 1 P 2 P 3 l P1,P 1 P 1 v P3 v P3 E P 3 E P 3 (a) addition (b) doubling
18 The final exponentiation Let Φ d be the d-th cyclotomic polynomial. We have X k 1 = Φ d (X). d k r p k 1, r p d 1 for d < k r Φ k (p). Write the final exponent as: p k 1 r = d k, d k Φ d (p) Φk(p). r Let e k, e k, then α (pk 1)/r = 1 for all α F p e since (p e 1) d k, d k Φ d(p). Factors in proper subfields of F p k are mapped to 1 by the final exponentiation.
19 The final exponentiation (k even) p k 1 r = (p k/2 1) pk/2 + 1 Φ k (p) Φk(p). r Use F p k = F p k/2(α), α 2 = β, β a non-square in F p k/2. For f = f 0 + f 1 α F p k: (f 0 + f 1 α) pk/2 = f 0 f 1 α, and (f 0 + f 1 α) pk/2 1 = (f 0 f 1 α)/(f 0 + f 1 α). (p k/2 + 1)/Φ k (p) is a sum of p-powers, use the p-power Frobenius automorphism. k = 12 : f (p6 +1)/r = f (p2 +1) p4 p 2 +1 r = ((f p ) p f) (p4 p 2 +1)/r. The last part is done with multi-exponentiation or by finding a good addition chain for Φ k (p)/r.
20 Using a twist to represent G 2 Here: A twist E of E is a curve isomorphic to E over F p k. A twist is given by E : y 2 = x 3 + (a/ω 4 )x + (b/ω 6 ), ω F p k with isomorphism ψ : E E, (x, y ) (ω 2 x, ω 3 y ). If E is defined over F p k/d and ψ is defined over F p k and no smaller field, d is called the degree of E. Define G 2 := E (F p k/d)[r], then ψ : G 2 G 2 is a group isomorphism. Points in G 2 have a special form.
21 Maximal possible twist degrees d j(e) fields of definition a, b for powers of ω 2 {0, 1728} ω 2 F q k/2 a 0, b 0 ω 3 F q k \ F q k/ ω 4 F q k/4, ω 2 F q k/2 a 0, b = 0 ω 3 F q k \ F q k/2 6 0 ω 6 F q k/6, ω 3 F q k/3 a = 0, b 0 ω 2 F q k/2 E : y 2 = x 3 + (a/ω 4 )x + (b/ω 6 ) ψ : E E, (x, y ) (ω 2 x, ω 3 y )
22 Advantages of using twists If E has a twist of degree d and d k: Replace all curve arithmetic in G 2 (over F p k) by curve arithmetic in G 2 (over F p k/d) For d > 2, curve arithmetic is faster since a = 0 or b = 0. For even k, the x-coordinates of points in G 2 lie in F p k/2, i. e. the vertical line function values v P3 (Q) = x Q x 3 lie in F p k/2 and can be omitted. Can use the twisted ate pairing (e = k/d and T e = (t 1) e mod r): η Te : G 1 G 2 G 3, (P, Q) f Te,P(Q) (pk 1)/r. For d > 2, can have log(t e ) < log(r).
23 Loop shortening There are several possibilities to reduce the number of iterations in Miller s algorithm: Can take Te j mod r for 1 j d 1 instead of T e in the twisted ate pairing. Choose the shortest non-trivial power. For the ate pairing, can replace T by T j mod r for 1 j k 1 to possibly get a shorter loop. More combinations are possible, often leading to optimal pairings with a minimal loop length of log(r)/ϕ(k). For BN curves, the R-ate pairing is optimal: (p R(Q, P) = f c,q (P)(f c,q (P)l [c]q,q (P)) p 12 1)/n, l φp([c]q+q),[c]q(p) where c = 6u + 2.
24 Line functions for ate pairings f f l R,Q (P), R R + Q Do curve arithmetic in Miller s algorithm in G 2. Replace points R, Q G 2 by corresponding points R, Q G 2. Using the slope on the twist: λ = y R y Q x R x Q = ω3 y R ω 3 y Q ω 2 x R ω 2 x Q = ω y R y Q x R x Q Computing the line function on the twist: l R,Q (P) = y R y P λ(x R x P ) = ω 3 y R ω 3 y P ωλ (ω 2 x R ω 2 x P ) = ωλ = ω 3 (y R y P λ(x R x P )) = ω 3 l R,Q (P )
25 Choice of coordinates For real implementations, one tries to avoid inversions by using projective coordinates. Can do pairing computation with only 1 finite field inversion (needed in the final exponentiation). Can avoid inversions completely when using compressed representation of pairing values. The best choice of coordinates is different for different classes of curves. For the fastest explicit formulas to compute the DBL and ADD steps in Miller s algorithm on curves with twists of degree d > 2, see preprint Faster Pairing Computations on Curves with High-Degree Twists (joint work with Craig Costello and Tanja Lange, will be out soon).
26 Thanks for your attention Database and web interface to get and compute parameters of BN curves: ØØÔ»»ÛÛÛºØ ºÖÛØ ¹ Òº»Ö Ö»ÖÝÔØÓ Ö Ô Ý» ÒÙÖÚ ºÔ Ô C-Implementation of several pairings on BN curves: ØØÔ»»ÛÛÛºÖÝÔØÓ ºÓÖ»ÖÝÔØÓ Ñ ÐÖÝÔØÓ ºÓÖ
Pairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Kristin Lauter, Peter L. Montgomery, and Michael Naehrig Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA {klauter, petmon, mnaehrig}@microsoft.com
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationGenerating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves
Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves Ezekiel J Kachisa School of Computing Dublin City University Ireland ekachisa@computing.dcu.ie Abstract. Constructing pairing-friendly
More informationPairing-Friendly Elliptic Curves of Prime Order
Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationBackground of Pairings
Background of Pairings Tanja Lange Department of Mathematics and Computer Science Technische Universiteit Eindhoven The Netherlands tanja@hyperelliptic.org 04.09.2007 Tanja Lange Background of Pairings
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationSpeeding up Ate Pairing Computation in Affine Coordinates
Speeding up Ate Pairing Computation in Affine Coordinates Duc-Phong Le and Chik How Tan Temasek Laboratories, National University of Singapore, 5A Engineering Drive 1, #09-02, Singapore 11711. (tslld,tsltch)@nus.edu.sg
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationFast Formulas for Computing Cryptographic Pairings
Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationTampering attacks in pairing-based cryptography. Johannes Blömer University of Paderborn September 22, 2014
Tampering attacks in pairing-based cryptography Johannes Blömer University of Paderborn September 22, 2014 1 / 16 Pairings Definition 1 A pairing is a bilinear, non-degenerate, and efficiently computable
More informationOn compressible pairings and their computation
On compressible pairings and their computation Michael Naehrig 1, Paulo S. L. M. Barreto 2, and Peter Schwabe 1 1 Department of Mathematics and Computer Science Technische Universiteit Eindhoven, P.O.
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationThe Eta Pairing Revisited
1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto
More informationEfficient Pairings Computation on Jacobi Quartic Elliptic Curves
Efficient Pairings Computation on Jacobi Quartic Elliptic Curves Sylvain Duquesne 1, Nadia El Mrabet 2, and Emmanuel Fouotsa 3 1 IRMAR, UMR CNRS 6625, Université Rennes 1, Campus de Beaulieu 35042 Rennes
More informationOn near prime-order elliptic curves with small embedding degrees (Full version)
On near prime-order elliptic curves with small embedding degrees (Full version) Duc-Phong Le 1, Nadia El Mrabet 2, and Chik How Tan 1 1 Temasek Laboratories, National University of Singapore {tslld,tsltch}@nus.edu.sg
More informationAsymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)
Asymmetric Pairings Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp) 1 Overview In their 2006 paper "Pairings for cryptographers", Galbraith, Paterson and Smart identified three
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationOn Near Prime-Order Elliptic Curves with Small Embedding Degrees
On Near Prime-Order Elliptic Curves with Small Embedding Degrees Duc-Phong Le, Nadia El Mrabet, Tan Chik How To cite this version: Duc-Phong Le, Nadia El Mrabet, Tan Chik How. On Near Prime-Order Elliptic
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationFaster Pairings on Special Weierstrass Curves
craig.costello@qut.edu.au Queensland University of Technology Pairing 2009 Joint work with Huseyin Hisil, Colin Boyd, Juanma Gonzalez-Nieto, Kenneth Koon-Ho Wong Table of contents 1 Introduction The evolution
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN 1, MICHAEL SCOTT 2, AND EDLYN TESKE 3 1 Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840 USA dfreeman@math.berkeley.edu
More informationPairings on Generalized Huff Curves
Pairings on Generalized Huff Curves Abdoul Aziz Ciss and Djiby Sow Laboratoire d Algèbre, Codage, Cryptologie, Algèbre et Applications Université Cheikh Anta Diop de Dakar, Sénégal BP: 5005, Dakar Fann
More informationFast hashing to G2 on pairing friendly curves
Fast hashing to G2 on pairing friendly curves Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationOrdinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors
Memoirs of the Faculty of Engineering, Okayama University, Vol. 44, pp. 60-68, January 2010 Ordinary Pairing Friendly Curve of Embedding Degree Whose Order Has Two Large Prime Factors Yasuyuki NOGAMI Graduate
More informationEfficient hash maps to G 2 on BLS curves
Efficient hash maps to G 2 on BLS curves Alessandro Budroni 1 and Federico Pintore 2 1 MIRACL Labs, London, England - budroni.alessandro@gmail.com 2 Department of Mathematics, University of Trento, Italy
More informationSubgroup security in pairing-based cryptography
Subgroup security in pairing-based cryptography Paulo S. L. M. Barreto 1, Craig Costello 2, Rafael Misoczki 1, Michael Naehrig 2, Geovandro C. C. F. Pereira 1, and Gustavo Zanon 1 1 Escola Politécnica,
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationKatherine Stange. Pairing, Tokyo, Japan, 2007
via via Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Pairing, Tokyo, Japan, 2007 Outline via Definition of an elliptic net via Definition (KS) Let R be an integral domain,
More informationUSING ABELIAN VARIETIES TO IMPROVE PAIRING-BASED CRYPTOGRAPHY
USING ABELIAN VARIETIES TO IMPROVE PAIRING-BASED CRYPTOGRAPHY K. RUBIN AND A. SILVERBERG Abstract. We show that supersingular abelian varieties can be used to obtain higher MOV security per bit, in all
More informationImplementing the Weil, Tate and Ate pairings using Sage software
Sage days 10, Nancy, France Implementing the Weil, Tate and Ate pairings using Sage software Nadia EL MRABET LIRMM, I3M, Université Montpellier 2 Saturday 11 th October 2008 Outline of the presentation
More informationThe Eta Pairing Revisited
The Eta Pairing Revisited F. Hess 1, N. Smart 2, and Frederik Vercauteren 3 1 Technische Universität Berlin, Fakultät II, Institut für Mathematik, MA 8-1, Strasse des 17. Juni 136, D-10623 Berlin, Germany.
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationFINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD
FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order
More informationOptimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves
CT-RSA 2012 February 29th, 2012 Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves Joint work with: Nicolas Estibals CARAMEL project-team, LORIA, Université de Lorraine / CNRS / INRIA,
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More informationEfficient Tate Pairing Computation Using Double-Base Chains
Efficient Tate Pairing Computation Using Double-Base Chains Chang an Zhao, Fangguo Zhang and Jiwu Huang 1 Department of Electronics and Communication Engineering, Sun Yat-Sen University, Guangzhou 510275,
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN, MICHAEL SCOTT, AND EDLYN TESKE Abstract. Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationConstructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002
Constructing Abelian Varieties for Pairing-Based Cryptography by David Stephen Freeman A.B. (Harvard University) 2002 A dissertation submitted in partial satisfaction of the requirements for the degree
More informationPairing Computation on Elliptic Curves of Jacobi Quartic Form
Pairing Computation on Elliptic Curves of Jacobi Quartic Form Hong Wang, Kunpeng Wang, Lijun Zhang, and Bao Li {hwang,kpwang,ljzhang,lb}@is.ac.cn State Key Laboratory of Information Security Graduate University
More informationThe Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms
The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms by Michael Shantz A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master
More informationSecure Bilinear Diffie-Hellman Bits
Secure Bilinear Diffie-Hellman Bits Steven D. Galbraith 1, Herbie J. Hopkins 1, and Igor E. Shparlinski 2 1 Mathematics Department, Royal Holloway University of London Egham, Surrey, TW20 0EX, UK Steven.Galbraith@rhul.ac.uk,
More informationPairing-Friendly Twisted Hessian Curves
Pairing-Friendly Twisted Hessian Curves Chitchanok Chuengsatiansup 1 and Chloe Martindale 2 1 INRIA and ENS de Lyon 46 Allée d Italie 69364 Lyon Cedex 07, France chitchanok.chuengsatiansup@ens-lyon.fr
More informationOptimal Pairings. F. Vercauteren
Optimal Pairings F. Vercauteren Department of Electrical Engineering, Katholieke Universiteit Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium frederik.vercauteren@esat.kuleuven.be Abstract.
More informationEfficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields
Efficient Computation of Tate Pairing in Projective Coordinate Over General Characteristic Fields Sanjit Chatterjee, Palash Sarkar and Rana Barua Cryptology Research Group Applied Statistics Unit Indian
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More information2.2. The Weil Pairing on Elliptic Curves If A and B are r-torsion points on some elliptic curve E(F q d ), let us denote the r-weil pairing of A and B
Weil Pairing vs. Tate Pairing in IBE systems Ezra Brown, Eric Errthum, David Fu October 10, 2003 1. Introduction Although Boneh and Franklin use the Weil pairing on elliptic curves to create Identity-
More informationarxiv: v3 [cs.cr] 5 Aug 2014
Further Refinements of Miller Algorithm on Edwards curves Duc-Phong Le, Chik How Tan Temasek Laboratories, National University of Singapore 5A Engineering Drive 1, #09-02, Singapore 117411. arxiv:1305.2694v3
More informationEfficient and Generalized Pairing Computation on Abelian Varieties
ECC 2008 Efficient and Generalized Pairing Computation on Abelian Varieties Hyang-Sook Lee Ewha Womans University Korea Joint Work with Eunjeong Lee (North Carolina State University) Cheol-Min Park (EWHA)
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationSolving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction
Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,
More informationPairings for Cryptographers
Pairings for Cryptographers Steven D. Galbraith 1, Kenneth G. Paterson 1, and Nigel P. Smart 2 1 Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom.
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationFaster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions
Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions Robert Granger and Michael Scott School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland. {rgranger,mike}@computing.dcu.ie
More informationA Variant of Miller s Formula and Algorithm
A Variant of Miller s Formula and Algorithm John Boxall 1, Nadia El Mrabet 2, Fabien Laguillaumie 3, and Duc-Phong Le 4 1 LMNO Université de Caen Basse-Normandie, France john.boxall@unicaen.fr 2 LIASD
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationOptimal Pairings. Frederik Vercauteren
Optimal Pairings 1 Frederik Vercauteren Abstract In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with
More informationA New Family of Pairing-Friendly elliptic curves
A New Family of Pairing-Friendly elliptic curves Michael Scott 1 and Aurore Guillevic 2 1 MIRACL.com 2 Université de Lorraine, CNRS, Inria, LORIA, Nancy, France May 21, 2018 Abstract There have been recent
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationHeuristics. pairing-friendly abelian varieties
Heuristics on pairing-friendly abelian varieties joint work with David Gruenewald John Boxall john.boxall@unicaen.fr Laboratoire de Mathématiques Nicolas Oresme, UFR Sciences, Université de Caen Basse-Normandie,
More informationEfficient Computation for Pairing Based
Provisional chapter Chapter 3 Efficient Computation for Pairing Based Cryptography: Efficient Computation A Statefor ofpairing the Art Based Cryptography: A State of the Art Nadia El Mrabet Nadia El Mrabet
More informationON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS SEVERIANO K. SISNEROS THESIS
ON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS BY SEVERIANO K. SISNEROS THESIS Submitted in partial fulfillment of the requirements for the degree of Master of Science
More informationIndividual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)
Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm) Aurore Guillevic INRIA Saclay / GRACE Team École Polytechnique / LIX ECC 2015, Sept. 28th Aurore Guillevic (INRIA/LIX)
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationEfficient Algorithms for Pairing-Based Cryptosystems
Efficient Algorithms for Pairing-Based Cryptosystems Paulo S. L. M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica. Av. Prof. Luciano Gualberto,
More informationThe Final Exponentiation in Pairing-Based Cryptography
The Final Exponentiation in Pairing-Based Cryptography Barış Bülent Kırlar Department of Mathematics, Süleyman Demirel University, 3220, Isparta, Turkey Institute of Applied Mathematics, Middle East Technical
More informationConstructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography
Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography Naomi Benger and Michael Scott, 1 School of Computing, Dublin City University, Ireland nbenger@computing.dcu.ie
More informationFaster Explicit Formulas for Computing Pairings over Ordinary Curves
Faster Explicit Formulas for Computing Pairings over Ordinary Curves Diego F. Aranha 2, Koray Karabina 1, Patrick Longa 1, Catherine H. Gebotys 1, Julio López 2 1 University of Waterloo, {kkarabin,plonga,cgebotys}@uwaterloo.ca
More informationA Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field
A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field Taichi Sumo, Yuki Mori (Okayama University) Yasuyuki Nogami (Graduate School of Okayama University) Tomoko Matsushima
More informationFaster Computation of the Tate Pairing
Faster Computation of the Tate Pairing Christophe Arène a, Tanja Lange,b, Michael Naehrig b,c, Christophe Ritzenthaler a a Institut de Mathématiques de Luminy 163, avenue de Luminy, Case 907 13288 Marseille
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationMontgomery Algorithm for Modular Multiplication with Systolic Architecture
Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationPAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction
PAIRINGS ON HYPERELLIPTIC CURVES JENNIFER BALAKRISHNAN, JULIANA BELDING, SARAH CHISHOLM, KIRSTEN EISENTRÄGER, KATHERINE E. STANGE, AND EDLYN TESKE Dedicated to the memory of Isabelle Déchène (1974-2009)
More informationPairings on elliptic curves over finite commutative rings
Pairings on elliptic curves over finite commutative rings Steven D. Galbraith and James F. McKee Department of Mathematics, Royal Holloway, University of London, Egham, Surrey TW20 0EX, UK. [Steven.Galbraith,James.McKee]@rhul.ac.uk
More informationEfficient Pairing Computation on Supersingular Abelian Varieties
Efficient airing Computation on Supersingular Abelian Varieties aulo S. L. M. Barreto 1, Steven Galbraith 2, Colm Ó héigeartaigh 3, and Michael Scott 3 1 Department of Computing and Digital Systems Engineering,
More informationFaster pairing computation in Edwards coordinates
Faster pairing computation in Edwards coordinates PRISM, Université de Versailles (joint work with Antoine Joux) Journées de Codage et Cryptographie 2008 Edwards coordinates Á Thm: (Bernstein and Lange,
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationImplementing Cryptographic Pairings over Barreto-Naehrig Curves
Implementing Cryptographic Pairings over Barreto-Naehrig Curves Augusto Jun Devegili 1, Michael Scott 2, and Ricardo Dahab 1 1 Instituto de Computação, Universidade Estadual de Campinas Caixa Postal 6176,
More informationA Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties
A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties David Freeman Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840, USA
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More information[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex
Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,
More informationEdwards Curves and the ECM Factorisation Method
Edwards Curves and the ECM Factorisation Method Peter Birkner Eindhoven University of Technology CADO Workshop on Integer Factorization 7 October 2008 Joint work with Daniel J. Bernstein, Tanja Lange and
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationImplementing Cryptographic Pairings on Smartcards
Implementing Cryptographic Pairings on Smartcards Michael Scott, Neil Costigan, and Wesam Abdulwahab School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie
More informationEfficient Algorithms for Pairing-Based Cryptosystems
Efficient Algorithms for Pairing-Based Cryptosystems Paulo S.L.M. Barreto 1, Hae Y. Kim 1, Ben Lynn 2, and Michael Scott 3 1 Universidade de São Paulo, Escola Politécnica Av. Prof. Luciano Gualberto, tr.
More information