Vol.17 No.6 J. Comput. Sci. & Technol. Nov

Selection of Secure Hyperelliptic Curves of g = 2 Based on a Subfield

ZHANG Fangguo 1, ZHANG Futai 1,2 and WANG Yumin 1

1 P.O.Box 119 Key Laboratory on ISN, Xidian University, Xi'an, P.R. China
2 College of Mathematics and Computer Science, Nanjing Normal University, Nanjing, P.R. China
fgzh@hotmail.com

Received September 12, 2000; revised October 15,

Abstract In the implementation of hyperelliptic curve cryptosystems, a significant step is the selection of secure hyperelliptic curves on which the Jacobian is constructed. In this paper, we discuss the hyperelliptic curves of g = 2 such as $v^2 + uv = f(u)$ and $v^2 + v = f(u)$ defined on $GF(2^r)$. The curves defined on GF(4) and GF(8) are expanded to the curves defined on $GF(4^k)$ and $GF(8^t)$ respectively, where 38 < k < 70, 25 < t < 50. We also find out all the secure curves of g = 2 that are suitable for establishing cryptosystems.

Keywords hyperelliptic curve cryptosystems, Jacobian, subfield

1 Introduction

Since the public key cryptosystem based on elliptic curves (ECC) was proposed by Neal Koblitz [1] and Victor Miller in the mid-1980s, it has been studied for more than ten years, and it is now used in practice. ECC is based on the discrete logarithm problem on elliptic curves over finite fields. As an extension, Neal Koblitz [2] proposed the hyperelliptic curve cryptosystem (HCC) in 1989, which is based on the discrete logarithm problem on the Jacobian of hyperelliptic curves over finite fields. Cantor's algorithm [3] provides an efficient method to implement the group operation on the Jacobian of a hyperelliptic curve. At the same level of security, the underlying field of HCC is smaller than that of ECC, and almost all the standard discrete logarithm based protocols such as the digital signature algorithm (DSA) and ElGamal can be carried over to HCC.
So it is estimated that hyperelliptic curves will be the foundation of cryptosystems for the next decade. Many theoretical results on elliptic curves are known by now; however, the known results on hyperelliptic curves are still not enough for the construction of efficient cryptosystems. For these reasons, the study of HCCs has been drawing the attention of more and more researchers in recent years.

The current research on HCC concentrates on finding construction methods for secure hyperelliptic curves and on speeding up the arithmetic needed in HCCs. At present, the common method used to compute the order of the Jacobian is the Weil conjecture method. How to find a suitable hyperelliptic curve efficiently is still a major open problem in the study and implementation of HCCs. Koblitz [1] discussed the hyperelliptic curves with g = 2 based on GF(2), but the curves were attacked by Frey [4] and they were considered insecure. Yasuyuki Sakai [5] tried to find secure hyperelliptic curves with g = 2 based on GF(2), but failed.

In this paper, we discuss the hyperelliptic curves of g = 2 of the form $v^2 + uv = f(u)$ or $v^2 + v = f(u)$. We extend two types of curves defined on GF(4) and GF(8) to $GF(4^k)$ and $GF(8^t)$ respectively. We also find out all the secure curves suitable for establishing cryptosystems, where 36 < k < 70, 25 < t <

This work is supported by the National NKBRSF `973' Program of China (Grant No.G ).

2 Secure Hyperelliptic Curves

A hyperelliptic curve C of genus g is a curve defined on a finite field $F_q$ ($q = p^r$ and p is a prime), and its Jacobian $J(C; F_{q^n})$ over $F_{q^n}$ is an abelian group, with

$$(\sqrt{q^n} - 1)^{2g} \le \#J(C; F_{q^n}) \le (\sqrt{q^n} + 1)^{2g}.$$

More details can be found in [2, 6, 7]. The discrete logarithm problem in $J(C; F_{q^n})$ is: given two divisors $D_1$, $D_2$ defined on $J(C; F_{q^n})$ over $F_{q^n}$, determine the integer m such that $D_2 = mD_1$ (if such an m exists).

If the order of the Jacobian group of a hyperelliptic curve is the same as the order of the group of rational points on an elliptic curve, the security of the cryptosystems established on the two groups will be the same. From the viewpoint of complexity, HCDLP is a problem in NP ∩ co-AM [8].

The security of an HCC is based on the difficulty of solving the discrete logarithm problem in the Jacobian of the curve. Taking into account the existing attacks on the discrete logarithm in the Jacobian of a hyperelliptic curve, to establish a secure HCC we should select the hyperelliptic curve so that its Jacobian satisfies the following conditions:

1) $\#J(C; F_{q^n})$ should have a large prime factor so as to prevent the attacks of Shanks' Baby-step-Giant-step and Pohlig-Hellman's methods. Since the time complexity of Pohlig-Hellman's method is proportional to the square root of the largest prime factor of $\#J(C; F_{q^n})$, so far it is demanded that this largest prime factor should be at least 160 bits in length.

2) In order to prevent the attack of Frey [4], which uses the Tate pairing to generalize the MOV attack, the large prime factor of $\#J(C; F_{q^n})$ should not divide $(q^n)^k - 1$, where $k < (\log q^n)^2$.

3) $2g + 1 \le \log q^n$. Adleman-DeMarrais-Huang [9] found a subexponential time algorithm to solve the DL in the Jacobian of hyperelliptic curves of a big genus over a finite field. According to the discussion of P. Gaudry [10], it is sufficient for us to consider the case when $g \le 4$.

4) The Jacobian of a hyperelliptic curve over the large prime field GF(p) should not have a subgroup of order p, to prevent the attack of Rück [11], which is similar to the attack on elliptic curves using the trace of the Frobenius map.
3 Using Weil Conjecture to Construct Secure Jacobian

In order to construct secure hyperelliptic curve cryptosystems, we must compute the order of the Jacobian first. A hyperelliptic curve C of genus g = 2 defined over a finite field $F_q$ has the form:

$$v^2 + (h_2u^2 + h_1u + h_0)v = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0,$$

where $h_i, f_i \in F_q$. We will use the Weil conjecture to compute the order of the Jacobian [6]. In the following, we modify the algorithm in [6].

Algorithm 1.

1) First determine the discriminant condition under which the hyperelliptic curve has no singular points.

2) Go through all the values of the coefficients $h_i$ and $f_i$ of C that satisfy this condition, and compute the numbers of rational points $M_1$ and $M_2$ of the hyperelliptic curve over $F_q$ and $F_{q^2}$.

3) Compute $a_1 = M_1 - 1 - q$, $a_2 = (M_2 - 1 - q^2 + a_1^2)/2$.

4) Compute the numerator $P(x) = x^4 + a_1x^3 + a_2x^2 + qa_1x + q^2$ of the zeta function. From the Weil conjecture method of computing orders, $\#J(C; F_{q^n})$ is completely determined by P(x). So the curves defined on $F_q$ with the same $(M_1, M_2)$ have the same $\#J(C; F_{q^n})$. For this reason, the Jacobians of hyperelliptic curves with the same $(M_1, M_2)$ defined on $F_q$ are isomorphic since they have the same order. From the result of the above computation, we list all the $(M_1, M_2)$ and $(a_1, a_2)$ corresponding to different P(x).

5) For each pair $(M_1, M_2)$, decide whether P(x) is irreducible or not; if it is reducible, move on to the next pair $(M_1, M_2)$.

6) Solve the quartic equation P(x) = 0 in the complex field and get the roots $\alpha_1, \alpha_2, \alpha_3, \alpha_4$.

7) For each n satisfying (n, r) = 1, compute

$$N_n = |1 - \alpha_1^n|\,|1 - \alpha_2^n|\,|1 - \alpha_3^n|\,|1 - \alpha_4^n|,$$

where $N_n$ is $\#J(C; F_{q^n})$, and $|\cdot|$ means the absolute value for real numbers and the modulus for complex numbers.

8) Factor $N_n$ and check whether it has a prime factor larger than , which is about a decimal length of 44; if not, return to 5).

9) Verify the FR condition deduced from the Frey verification, that is, check that the prime factor obtained in 8) does not divide $(q^n)^s - 1$, where $s < (\log q^n)^2$.

10) Output $(M_1, M_2)$, n, $N_n$ and the result of factorization.
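Steps 3), 4) and 7) to 9) of Algorithm 1 as an added Python example; this is not the authors' C and Mathematica code. It departs from the text in one respect: $N_n$ is computed exactly from integer power sums (Newton's identities) rather than from complex roots. The function names, the trial-division bound and the $2^{150}$ size threshold (the figure quoted in Section 4.4) are assumptions of this example; the $(M_1, M_2)$ pairs in the demo are taken from Tables 1 and 3.

```python
# Added example: Steps 3), 4), 7), 8), 9) of Algorithm 1 in exact integer arithmetic.
# Function names, the trial-division bound and the 2^150 threshold are assumptions.

def weil_coefficients(M1, M2, q):
    """Step 3): a1, a2 from the point counts over F_q and F_{q^2}."""
    a1 = M1 - 1 - q
    twice_a2 = M2 - 1 - q * q + a1 * a1
    if twice_a2 % 2:
        raise ValueError("(M1, M2) cannot be the point counts of a genus-2 curve")
    return a1, twice_a2 // 2


def power_sums(a1, a2, q, upto):
    """s_k = alpha_1^k + ... + alpha_4^k for the roots of P(x), by Newton's identities."""
    # P(x) = x^4 - e1 x^3 + e2 x^2 - e3 x + e4, matched against Step 4).
    e = [1, -a1, a2, -q * a1, q * q]
    s = [4]
    for k in range(1, upto + 1):
        total = 0
        for j in range(1, min(k, 4) + 1):
            term = e[j] * (k if j == k else s[k - j])
            total += term if j % 2 else -term
        s.append(total)
    return s


def jacobian_order(M1, M2, q, n):
    """Step 7): N_n = prod(1 - alpha_i^n), without computing complex roots."""
    a1, a2 = weil_coefficients(M1, M2, q)
    s = power_sums(a1, a2, q, 2 * n)
    Q = q ** n
    e1 = s[n]                          # sum of alpha_i^n
    e2 = (s[n] ** 2 - s[2 * n]) // 2   # sum over i<j of (alpha_i * alpha_j)^n
    # The roots pair up as (alpha, q/alpha), so e3 = Q*e1 and e4 = Q^2.
    return 1 - e1 + e2 - Q * e1 + Q * Q


def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (a probabilistic test for numbers this large)."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def strip_small_factors(N, bound=100_000):
    """Step 8), first half: remove prime factors up to `bound` by trial division."""
    small, p = [], 2
    while p <= bound and p * p <= N:
        while N % p == 0:
            small.append(p)
            N //= p
        p += 1 if p == 2 else 2
    return small, N


def embedding_degree(Q, p, s=2000):
    """Step 9) (FR check): least k <= s with Q^k = 1 (mod p), or None if there is none."""
    x = 1
    for k in range(1, s + 1):
        x = x * Q % p
        if x == 1:
            return k
    return None


def screen(M1, M2, q, n, min_bits=150, s=2000):
    """Steps 7)-9) for one (M1, M2) class and one extension degree n."""
    N = jacobian_order(M1, M2, q, n)
    small, cofactor = strip_small_factors(N)
    prime = is_probable_prime(cofactor)
    # A composite cofactor is reported as not secure; it would need full factoring.
    k = embedding_degree(q ** n, cofactor, s) if prime else None
    return {
        "order": N, "small_factors": small, "cofactor_bits": cofactor.bit_length(),
        "cofactor_is_prime": prime, "fr_degree": k,
        "secure": prime and cofactor.bit_length() > min_bits and k is None,
    }


if __name__ == "__main__":
    # (M1, M2) = (6, 24): Table 1 class; (3, 21): supersingular class of Table 3.
    for M1, M2, n in [(6, 24, 41), (3, 21, 59)]:
        r = screen(M1, M2, 4, n)
        print(M1, M2, n, r["small_factors"], r["cofactor_bits"],
              r["cofactor_is_prime"], r["fr_degree"], r["secure"])
```

For the class $(M_1, M_2) = (3, 21)$ the polynomial is $P(x) = (x^5 + 32)/(x + 2)$, so for odd n coprime to 5 the order has the closed form $(2^{5n} + 1)/(2^n + 1)$, which is why every prime factor other than 5 fails the FR check at degree 5.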
We complete Steps 1)-4) of the algorithm by C programming and output the result into a file, and we complete Steps 5)-10) by Mathematica programming, because Mathematica supports symbolic computation.

With respect to hyperelliptic curves of the form $v^2 + h(u)v = f(u)$, it is easy to see that the simpler the polynomial h(u), the simpler the group operation of the Jacobian, and hence the more efficient its implementation. By Lemma 2 of [7], in the equation of hyperelliptic curves over a finite field of characteristic 2, we have $h(u) \ne 0$. So we choose h(u) = 1 and h(u) = u in $GF(2^n)$.

4 Computation Result

4.1 Curves $v^2 + uv = f(u)$ over GF(4)

The discriminant condition for hyperelliptic curves $v^2 + uv = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0$ to have no singular points is $f_1^2 \ne f_0$. There are 768 curves of the form $v^2 + uv = f(u)$ over GF(4), and there are 6 types of curves with different Jacobians by our computation. Since the $M_1$ and $M_2$ of each curve completely determine its Jacobian, we treat the curves with the same $M_1$ and $M_2$ as isomorphic. In the following table, $(f_0, f_1, f_2, f_3, f_4)$ represents the hyperelliptic curve $v^2 + uv = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0$.

Extending the hyperelliptic curves of the form $v^2 + uv = f(u)$ over GF(4) to curves over $GF(4^n)$, where 38 < n < 70, we get some secure hyperelliptic curves (we consider only the case when P(x) is irreducible in the rational number field, since from the discussion of Koblitz [3] we know that the order of the Jacobian of the curve has no such prime factor if P(x) is reducible in the rational number field). The results are also listed in the table:

Table 1. Computation Results of Hyperelliptic Curves with the Form $v^2 + uv = f(u)$ over GF(4)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 4, 24 | (01000) | $x^4 - x^3 + 4x^2 - 4x + 16$ | irreducible | 96 | none |
| 8, 24 | (12012) | $x^4 + 3x^3 + 8x^2 + 12x + 16$ | reducible | 96 | // |
| 4, 16 | (01002) | $x^4 - x^3 - 4x + 16$ | irreducible | | , 61, 67 |
| 6, 24 | (01200) | $x^4 + x^3 + 4x^2 + 4x + 16$ | irreducible | 96 | 41, 47, 49, 53, 67 |
| 2, 24 | (12312) | $x^4 - 3x^3 + 8x^2 - 12x + 16$ | reducible | 96 | // |
| 6, 16 | (01202) | $x^4 + x^3 + 4x + 16$ | irreducible | | , 61 |

Now, taking the curve (01200) (or (01211) or (01111)) with $M_1 = 6$ and $M_2 = 24$ as an example, we list the order of the Jacobian of the curve over the extension fields of GF(4) and its factorization (n is the extension degree):

Table 2. $\#J(C; GF(4^n))$ and Its Factorization of Curves with $M_1 = 6$ and $M_2 = 24$ (columns: n; $\#J(C; GF(4^n))$ and its factorization)

Of all the orders of the Jacobians listed above, only when the extension degree n is 41, 47, 49, 53, 55, 63 and 67 does $\#J(C; GF(4^n))$ have a prime factor bigger than , which is of a decimal length 44. By the FR condition (s = 2000) generated by the Frey checking, these curves are all suitable for cryptosystems. But when n is 63, the cofactor of $\#J(C; GF(4^{63}))$ corresponding to the prime factor is so big (about a decimal length 31) that it is difficult to select the base point, so it is not suitable for cryptosystems.

4.2 Curves $v^2 + v = f(u)$ over GF(4)

The discriminant condition for the curve $v^2 + v = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0$ to have no singular points over GF(4) is that there is no solution over $GF(4^4)$ to the system of equations:

$$\begin{cases} v^2 + v = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0 \\ u^4 + f_3u^3 + f_1 = 0 \end{cases}$$

There are 528 curves of the form $v^2 + v = f(u)$ over GF(4) and 6 types of curves with different Jacobians by our computation.

Table 3. Computation Results About Hyperelliptic Curves with the Form $v^2 + v = f(u)$ over GF(4)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 5, 33 | (01001) | $x^4 + 8x^2 + 16$ | reducible | 32 | // |
| 5, 17 | (11301) | $x^4 + 16$ | irreducible | 64 | none |
| 5, 9 | (11212) | $x^4 - 4x^2 + 16$ | irreducible | 48 | none |
| 5, 25 | (11210) | $x^4 + 4x^2 + 16$ | reducible | 64 | // |
| 7, 21 | (11232) | $x^4 + 2x^3 + 4x^2 + 8x + 16$ | irreducible | 128 | none |
| 3, 21 | (12210) | $x^4 - 2x^3 + 4x^2 - 8x + 16$ | irreducible | 192 | none |

There are 192 curves of the form $v^2 + v = f(u)$ defined over GF(4) with the same $M_1 = 3$ and $M_2 = 21$, for example, (11233), (20033) and (20123). The order of their Jacobian when extended to the 59th extension field of GF(4) is:

$\#J(C; GF(4^{59}))$ = = 11 ·

But the prime factor of $\#J(C; GF(4^{59}))$ cannot pass the FR check. In fact, when i = 5, its large prime factor divides $(4^{59})^5 - 1$. So the curves (11233), (20033) and (20123) over the 59th extension field of GF(4) are insecure.

4.3 Curves $v^2 + uv = f(u)$ over GF(8)

The discriminant condition for curves $v^2 + uv = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0$ over GF(8) to have no singular points is the same as over GF(4), that is $f_1^2 \ne f_0$. There are curves of the form $v^2 + uv = f(u)$ over GF(8) and 40 types of them have different Jacobians. We extend the curves $v^2 + uv = f(u)$ over GF(8) to $GF(8^n)$, where 25 < n < 50, and list all the secure curves we get in the following table (we only consider the case where P(x) is irreducible in the rational number field):

Table 4. Computation Results About Hyperelliptic Curves with the Form $v^2 + uv = f(u)$ over GF(8)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 16, 64 | (01011) | $x^4 + 7x^3 + 24x^2 + 56x + 64$ | irreducible | 64 | none |
| 8, 56 | (12215) | $x^4 - x^3 - 4x^2 - 8x + 64$ | reducible | 448 | // |
| 8, 72 | (05016) | $x^4 - x^3 + 4x^2 - 8x + 64$ | reducible | 2208 | // |
| 8, 80 | (10207) | $x^4 - x^3 + 8x^2 - 8x + 64$ | irreducible | 1728 | none |
| 2, 64 | (10173) | $x^4 - 7x^3 + 24x^2 - 56x + 64$ | irreducible | 64 | none |
| 10, 56 | (01101) | $x^4 + x^3 - 4x^2 + 8x + 64$ | irreducible | 448 | none |
| 10, 72 | (04527) | $x^4 + x^3 + 4x^2 + 8x + 64$ | reducible | 2208 | // |
| 10, 80 | (04524) | $x^4 + x^3 + 8x^2 + 8x + 64$ | irreducible | | , 37 |
| 12, 88 | (05037) | $x^4 + 3x^3 + 16x^2 + 24x + 64$ | reducible | 912 | // |
| 4, 64 | (02002) | $x^4 - 5x^3 + 12x^2 - 40x + 64$ | irreducible | 288 | none |
| 8, 48 | (02003) | $x^4 - x^3 - 8x^2 - 8x + 64$ | irreducible | | , 37, 41 |
| 12, 72 | (12244) | $x^4 + 3x^3 + 8x^2 + 24x + 64$ | irreducible | | , 31, 37, 47 |
| 12, 80 | (13417) | $x^4 + 3x^3 + 12x^2 + 24x + 64$ | reducible | 864 | // |
| 4, 72 | (13426) | $x^4 - 5x^3 + 16x^2 - 40x + 64$ | reducible | 432 | // |
| 12, 48 | (13422) | $x^4 + 3x^3 - 4x^2 + 24x + 64$ | irreducible | | , 41, 47 |
| 12, 64 | (13447) | $x^4 + 3x^3 + 4x^2 + 24x + 64$ | irreducible | | , 37, 43 |
| 8, 88 | (12077) | $x^4 - x^3 + 12x^2 - 8x + 64$ | irreducible | | , 31, 37 |
| 4, 48 | (02055) | $x^4 - 5x^3 + 4x^2 - 40x + 64$ | irreducible | 96 | 31, 49 |
| 6, 88 | (12122) | $x^4 - 3x^3 + 16x^2 - 24x + 64$ | reducible | 912 | // |
| 14, 64 | (04520) | $x^4 + 5x^3 + 12x^2 + 40x + 64$ | irreducible | | |
| , 48 | (04505) | $x^4 + x^3 - 8x^2 + 8x + 64$ | irreducible | | , 37, 43, 47 |
| 6, 72 | (04507) | $x^4 - 3x^3 + 8x^2 - 24x + 64$ | irreducible | | |
| , 80 | (13117) | $x^4 - 3x^3 + 12x^2 - 24x + 64$ | reducible | 864 | // |
| 14, 72 | (04515) | $x^4 + 5x^3 + 16x^2 + 40x + 64$ | reducible | 432 | // |
| 6, 48 | (13122) | $x^4 - 3x^3 - 4x^2 - 24x + 64$ | irreducible | | |
| , 64 | (12103) | $x^4 - 3x^3 + 4x^2 - 24x + 64$ | irreducible | | , 49 |
| 10, 88 | (12353) | $x^4 + x^3 + 12x^2 + 8x + 64$ | irreducible | | , 31, 37 |
| 14, 48 | (02337) | $x^4 + 5x^3 + 4x^2 + 40x + 64$ | irreducible | | |
| , 64 | (12414) | $x^4 - x^3 - 8x + 64$ | irreducible | | , 43, 47 |
| 12, 56 | (14043) | $x^4 + 3x^3 + 24x + 64$ | irreducible | | , 31, 37, 41 |
| 4, 88 | (14012) | $x^4 - 5x^3 + 24x^2 - 40x + 64$ | irreducible | | , 31, 47 |
| 10, 64 | (13120) | $x^4 + x^3 + 8x + 64$ | irreducible | | , 49 |
| 6, 56 | (12106) | $x^4 - 3x^3 - 24x + 64$ | irreducible | | , 43 |
| 14, 88 | (12116) | $x^4 + 5x^3 + 24x^2 + 40x + 64$ | irreducible | | , 37, 43 |
| 4, 80 | (12432) | $x^4 - 5x^3 + 20x^2 - 40x + 64$ | reducible | 288 | // |
| 14, 80 | (12132) | $x^4 + 5x^3 + 20x^2 + 40x + 64$ | reducible | 288 | // |
| 4, 56 | (35602) | $x^4 - 5x^3 + 8x^2 - 40x + 64$ | irreducible | 96 | none |
| 14, 56 | (32345) | $x^4 + 5x^3 + 8x^2 + 40x + 64$ | irreducible | 96 | 29, 31, 37, 41, 43, 49 |
| 16, 80 | (36057) | $x^4 + 7x^3 + 32x^2 + 56x + 64$ | irreducible | | |
| , 80 | (27700) | $x^4 - 7x^3 + 32x^2 - 56x + 64$ | irreducible | | , 43, 47 |

We only take the curves with $M_1 = 12$ and $M_2 = 72$ as examples. There are 1200 curves $v^2 + uv = f(u)$ with the same $M_1 = 12$ and $M_2 = 72$ defined over GF(8), for example, (12244), (12261) and (12275). The order of their Jacobian when extended to the 31st extension field of GF(8) is:

$\#J(C; GF(8^{31}))$ = = 4 · 25 · 1117 ·

It passes the FR check (s = 2000) successfully and hence these curves are secure.

4.4 Curves $v^2 + v = f(u)$ over GF(8)

The discriminant condition for the curve $v^2 + v = u^5 + f_4u^4 + f_3u^3 + f_2u^2 + f_1u + f_0$ over $GF(8^4)$ to have no singular points is the same as that over GF(4). There are curves of the form $v^2 + v = f(u)$ over GF(8). They can be divided into 12 types of curves with different Jacobians.
Table 5. Computation Results About Hyperelliptic Curves with the Form $v^2 + v = f(u)$ over GF(8)

| $M_1, M_2$ | Example $(f_0 f_1 f_2 f_3 f_4)$ | $P(x)$ | Reducibility in the rational number field | Number of curves | Extension degree n for which there exist secure curves |
|---|---|---|---|---|---|
| 5, 81 | (01000) | $x^4 - 4x^3 + 16x^2 - 32x + 64$ | reducible | 2592 | // |
| 9, 65 | (01001) | $x^4 + 64$ | reducible | 5104 | // |
| 13, 65 | (01002) | $x^4 + 4x^3 + 8x^2 + 32x + 64$ | irreducible | 3040 | none |
| 9, 81 | (01003) | $x^4 + 8x^2 + 64$ | irreducible | 4608 | none |
| 9, 33 | (01010) | $x^4 - 16x^2 + 64$ | reducible | 280 | // |
| 17, 65 | (01011) | $x^4 + 8x^3 + 32x^2 + 64x + 64$ | reducible | 80 | // |
| 9, 97 | (01017) | $x^4 + 16x^2 + 64$ | reducible | 888 | // |
| 13, 81 | (01035) | $x^4 + 4x^3 + 16x^2 + 16x + 64$ | reducible | 1504 | // |
| 5, 65 | (01043) | $x^4 - 4x^3 + 8x^2 - 16x + 64$ | irreducible | 2784 | none |
| 1, 97 | (15217) | $x^4 - 8x^3 + 48x^2 - 64x + 64$ | irreducible | 72 | none |
| 1, 65 | (10315) | $x^4 - 8x^3 + 32x^2 - 64x + 64$ | reducible | 160 | // |
| 1, 33 | (14216) | $x^4 - 8x^3 + 16x^2 - 64x + 64$ | reducible | 24 | // |

For $M_1 = 13$ and $M_2 = 65$, there are 3040 curves $v^2 + v = f(u)$ defined over GF(8); (01002), (03343) and (03776) are examples. The orders of their Jacobians when extended to the 29th, 31st, 35th and 49th extension fields of GF(8) all have a prime factor larger than $2^{150}$, but they cannot pass the FR check. Note that $\#J(C; GF(8^{29}))$ = = 109 · but divides $(8^{29})$

From Tables 5 and 3, we notice that there is no hyperelliptic curve of the form $v^2 + v = f(u)$ over GF(4) and GF(8) that is suitable for establishing cryptosystems. The reason is that hyperelliptic curves of this kind over a finite field of characteristic 2 are supersingular. This conclusion has been proved by D. Galbraith [12] recently. The FR reduction attack runs in subexponential time for supersingular hyperelliptic curves, since in this case the HCDLP can be converted to a DLP over the finite field $GF(q^{k(g)})$, where the extension degree k(g) is an integer determined by the genus of the hyperelliptic curve; for example, k(g) = 6 when g = 1, k(g) = 12 when g = 2, and k(g) = 30 when g = 3, etc. [12].

5 Conclusion

At the same level of security, the underlying field of a hyperelliptic curve is smaller than that of an elliptic curve. So HCCs have advantages over the existing public key cryptosystems and are more suitable for security products such as smart cards, provided we can find suitable hyperelliptic curves and fast operations on their Jacobians. In this paper, we have discussed the hyperelliptic curves of g = 2 such as $v^2 + uv = f(u)$ and $v^2 + v = f(u)$ and expanded the curves from the finite fields GF(4) and GF(8) to $GF(4^k)$ and $GF(8^t)$ respectively using Weil's conjecture. We have also found all the secure curves suitable for cryptosystems for 38 < k < 70 and 25 < t < 50.

HCC is an interesting research field, and many people have been paying attention to it. For the results on HCCs to be put into practical use, many problems remain to be solved, such as finding more efficient methods to select secure hyperelliptic curves and fast operations on the Jacobians. Our further study will focus on these problems.

References

[1] Koblitz N. Elliptic curve cryptosystems. Mathematics of Computation, 1987, 48(177):
[2] Koblitz N. Hyperelliptic cryptography. Journal of Cryptology, 1989, (1):
[3] Cantor D G. Computing in the Jacobian of a hyperelliptic curve. Mathematics of Computation, 1987, 48:
[4] Frey G, Rück H. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Mathematics of Computation, 1994, 62:
[5] Sakai Y, Sakurai K, Ishizuka H. Secure hyperelliptic cryptosystems and their performance. In PKC'98, Imai H, Zheng Y (eds.), Springer-Verlag, LNCS 1431, Pacifico Yokohama, Japan, February, 1998, pp
[6] Koblitz N. Algebraic Aspects of Cryptography. New York: Springer-Verlag,
[7] Menezes A, Wu Y, Zuccherato R. An elementary introduction to hyperelliptic curves. Available at reports97.html
[8] Itoh Toshiya, Sakurai Kouichi, Shizuya Hiruki. On the complexity of hyperelliptic discrete logarithm problem. In Advances in EUROCRYPT'91, LNCS 547, Springer-Verlag, Brighton, UK, 1991, pp
[9] Adleman L, DeMarrais J, Huang M. A subexponential algorithm for discrete logarithms over the rational subgroup of the Jacobians of large genus hyperelliptic curves over finite fields. In Algorithmic Number Theory (ANTS-1), LNCS 877, Springer-Verlag, Ithaca, New York, 1994, pp
[10] Gaudry P. An algorithm for solving the discrete log problem on hyperelliptic curves. In Eurocrypt 2000, Preneel B (ed.), LNCS 1807, Springer-Verlag, Bruges, Belgium, May, 2000, pp
[11] Rück H G. On the discrete logarithms in the divisor class group of curves. Mathematics of Computation, 1999, 68:
[12] Galbraith S D. Supersingular curves in cryptography. Available at

ZHANG Fangguo was born in . He received the B.S. degree in mathematics from Yantai Teachers' University in 1996 and the M.S. degree in applied mathematics from Tongji University in . He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are electronic commerce, elliptic curve cryptography and hyperelliptic curve cryptography.

ZHANG Futai was born in . He received the M.S. degree in fundamental mathematics from Shanxi Normal University in . He is currently a Ph.D. candidate in cryptography at Xidian University. His research interests are information security, cryptography and electronic commerce.

WANG Yumin was born in . He is now a professor, a Ph.D. supervisor in Xidian University, and a member of IEEE. His research interests are the philosophy of communication, information theory, coding and cryptography.
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationThe only method currently known for inverting nf-exp requires computing shortest vectors in lattices whose dimension is the degree of the number eld.
A one way function based on ideal arithmetic in number elds Johannes Buchmann Sachar Paulus Abstract We present a new one way function based on the diculty of nding shortest vectors in lattices. This new