Katherine Stange. Pairing, Tokyo, Japan, 2007
|
|
- Douglas Morton
- 6 years ago
- Views:
Transcription
1 via via Department of Mathematics Brown University Pairing, Tokyo, Japan, 2007
2 Outline via
3 Definition of an elliptic net via Definition (KS) Let R be an integral domain, and A a finite-rank free abelian group. An elliptic net is a map W : A R such that the following recurrence holds for all p, q, r, s A. W (p + q + s)w (p q)w (r + s)w (r) + W (q + r + s)w (q r)w (p + s)w (p) + W (r + p + s)w (r p)w (q + s)w (q) = 0 The recurrence generates the net from finitely many initial values.
4 in their Natural Habitat E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) [3]Q [1]P + [3]Q [2]P + [3]Q via [2]Q [1]P + [2]Q [2]P + [2]Q [1]Q [1]P + [1]Q [2]P + [1]Q [1]P [2]P
5 in their Natural Habitat E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) ( 56 25, 371 ) 125 ( 95 64, 495 ) 512 ( , 2800 ) 6859 via ( 6 1, 16 1 ) ( 1 9, 19 ) 27 ( 39 1, 246 ) 1 ( 1 1, 0 1) ( 2 1, 1 ) 1 ( 5 4, 13 ) 8 ( 0 1, 0 1) ( 3 1, 5 1)
6 in their Natural Habitat E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) ( ) 56, ( ) 95, ( ) 328, via ( 6 1 2, ) ( ) 1, ( 39, 246 ) ( 1 1 2, ) ( 2 1 2, ) ( 5 2 2, ) ( 0 1 2, ) ( 3 1 2, )
7 in their Natural Habitat E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) via
8 in their Natural Habitat E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) via
9 Curve + Points give Net via Theorem (KS) Let E be an elliptic curve defined over a field K. For all v Z n, there exist functions Ψ v : E n K such that the following holds: 1. Each Ψ v is elliptic in each variable. 2. For any fixed P E n, the function W : Z n K defined by W (v) = Ψ v (P) is an elliptic net.
10 Characterising Functions Ψ v via The functions Ψ v may be characterised uniquely by the additional assumptions that 1. Ψ v (P) vanishes exactly when v P = 0 on E. 2. Ψ v = 1 whenever v is e i or e i + e j for some standard basis vectors e i e j. We call W the elliptic net associated to E, P 1,..., P n, and write W E,P. We call P 1,..., P n the basis of W E,P.
11 Division Polynomials Any elliptic curve E has a Weierstrass equation. Suppose E : y 2 = x 3 + Ax + B. The elliptic functions Ψ k are the Division Polynomials in terms of x, y, A, B: via Ψ 1 = 1, Ψ 2 = 2y, Ψ 3 = 3x 4 + 6Ax Bx A 2, Ψ 4 = 4y(x 6 + 5Ax Bx 3 5A 2 x 2 4ABx 8B 2 A 3 ),
12 Net Polynomial Examples In higher rank case, we also have such polynomial representations. Ψ 1,1 = x 1 x 2, ( ) y2 y 2 1 Ψ 2,1 = 2x 1 + x 2, x 2 x 1 Ψ 2, 1 = (y 1 + y 2 ) 2 (2x 1 + x 2 )(x 1 x 2 ) 2, Ψ 1,1,1 = y 1(x 2 x 3 ) + y 2 (x 3 x 1 ) + y 3 (x 1 x 2 ) (x 1 x 2 )(x 1 x 3 )(x 2 x 3 ) Can calculate more via the recurrence..., via Ψ 3,1 = (x 2 x 1 ) 3 (4x1 6 12x 2x x 2 2 x x 2 3 x 1 3 4y2 2 x y 1 2 x 1 3 6x 2 4 x y 2 2 x 2x1 2 18y 1 2 x 2x y1 2 x 2 2 x 1 + x2 6 2y 2 2 x 2 3 2y 1 2 x y 2 4 6y 1 2 y y1 3 y 2 3y1 4 ).
13 Elliptic nets calculate the group law Consider the one-dimensional case. Suppose we have Define Then we have E : y 2 = x 3 + Ax + B. φ k = xψ 2 k Ψ k+1ψ k 1, 4yω k = Ψ k+2 Ψ 2 k 1 Ψ k 2Ψ 2 k+1. [k]p = ( ) φk (P) Ψ k (P) 2, ω k (P) Ψ k (P) 3. via In general, the elliptic net calculates the coordinates of any linear combination of its basis points.
14 Example via E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) Q P
15 Example via E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) Q P
16 Example via E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) Q P
17 Example via E : y 2 + y = x 3 + x 2 2x; P = (0, 0), Q = (1, 0) Q P
18 Lattice Property via For an integer elliptic net, for each prime p, there exists a Lattice of Apparition L A such that W (v) 0 mod p v L Let Ẽ, P 1,..., P n be the images of E, P 1,..., P n under reduction modulo p. Then WẼ, P (taking values in F p ) is simply the reduction of the values of W E,P modulo p. In particular, W E,P (v) 0 mod p if v P = 0 on Ẽ.
19 Example of Reduction Mod 5 of an Elliptic Net via Q P
20 Example of Reduction Mod 5 of an Elliptic Net via Q P
21 Example of Reduction Mod 5 of an Elliptic Net via Q P
22 Example of Reduction Mod 5 of an Elliptic Net via Q P The elliptic net is not periodic modulo the lattice of apparition.
23 Example of Reduction Mod 5 of an Elliptic Net via Q P The elliptic net is not periodic modulo the lattice of apparition. The appropriate translation property should tell how to obtain the green values from the blue values.
24 Example of Reduction Mod 5 of an Elliptic Net via Q P The elliptic net is not periodic modulo the lattice of apparition. The appropriate translation property should tell how to obtain the green values from the blue values. There are such translation properties, and it is within these that the Tate pairing information lies.
25 and Linear Combinations of Points via If W i is the elliptic net associated to E, P i, Q i for i = 1, 2, and [a 1 ]P 1 + [b 1 ]Q 1 = [a 2 ]P 2 + [b 2 ]Q 2 then W 1 (a 1, b 1 ) is not necessarily equal to W 2 (a 2, b 2 ). So how do we propose to compare two elliptic nets supposedly associated to the same linear combinations?
26 Defining a Net on a Free Abelian Cover Let K be a finite or number field. Let Ê be any finite rank free abelian group surjecting onto E(K ). π : Ê E(K ) For a basis P 1, P 2, choose p i Ê such that π(p i ) = P i. We specify an identification via via e i p i. Z 2 = p1, p 2 The elliptic net W associated to E, P 1, P 2 and defined on Z 2 is now identified with an elliptic net W defined on Ê. This allows us to compare elliptic nets associated to different bases.
27 Defining a Special Equivalence Class via Definition Let W 1, W 2 : A K. Suppose f : A K is a quadratic function. If W 1 (v) = f (v)w 2 (v) for all v, then we say W 1 is equivalent to W 2. The basis change formula is an equivalence, when the elliptic nets are viewed as maps on Ê as explained in the previous slide. In this way, we can associate an equivalence class to a subgroup of E(K ).
28 Statement of Theorem via Theorem (KS) Fix a positive m Z. Let E be an elliptic curve defined over a finite field K containing the m-th roots of unity. Let P, Q E(K ), with [m]p = O. Choose S E(K ) such that S / {O, Q}. Choose p, q, s Ê such that π(p) = P, π(q) = Q and π(s) = S. Let W be an elliptic net in the equivalence class associated to a subgroup of E(K ) containing P, Q, and S. Then the quantity T m (P, Q) = is the Tate pairing. W (s + mp + q)w (s) W (s + mp)w (s + q)
29 Choosing an Elliptic Net via Corollary Let E be an elliptic curve defined over a finite field K, m a positive integer, P E(K )[m] and Q E(K ). Then τ m (P, P) = W E,P(m + 2)W E,P (1) W E,P (m + 1)W E,P (2), and τ m (P, Q) = W E,P,Q(m + 1, 1)W E,P,Q (1, 0) W E,P,Q (m + 1, 0)W E,P,Q (1, 1).
30 Elliptic Net Outline 1. Given E, P, Q with [m]p = 0, calculate the initial terms of W E,P,Q. 2. Using the recurrence relation, calculate the terms W (m + 1, 0), W (m + 1, 1). 3. Calculate T m (P, Q) = W (m + 1, 1)/W (m + 1, 0). 4. Perform final exponentiation exactly as in Miller s algorithm. Remarks: There are polynomial formulae for the initial terms of Step 1. Step 4 is also performed in Miller s algorithm and the same efficient methods apply here. The challenge lies in efficient computation of large terms of the net W E,P,Q. via
31 Computing Terms of W E,P,Q via (k-1,1) (k,1) (k+1,1) (k-3,0) (k-2,0) (k-1,0) (k,0) (k+1,0) (k+2,0) (k+3,0) (k+4,0) Figure: A block centred at k
32 Computing Terms of W E,P,Q via Double and add algorithm: Block centred at 2k Block centred at k Block centred at 2k + 1 Each term of the new block requires one instance of the recurrence relation, i.e. several multiplications and an addition.
33 Complexity Let k be the embedding degree. Let P E(F q ) and Q E(F q k ). via S S k M M k squaring in F q squaring in F q k multiplication in F q multiplication in F q k : Double: DoubleAdd: Elliptic Net 6S + (6k + 26)M + S k M k 6S + (6k + 26)M + S k + 2M k : Optimised Miller s 1 Double: 4S + (k + 7)M + S k + M k DoubleAdd: 7S + (2k + 19)M + S k + 2M k 1 Koblitz N., Menezes A., Pairing-based cryptography at high security levels, 2005
34 In Practice Thank you to Michael Scott, Augusto Jun Devigili and Ben Lynn for implementing the algorithm. A timing comparison program is bundled with Ben Lynn s Pairing-Based Cryptography Library at type a: 512 bit base-field, embedding degree 2, 1024 bits security, y 2 = x 3 + x, group order is a Solinas prime. type f: 160 bit base-field, embedding degree 12, 1920 bits security, Barreto-Naehrig curves [Pairing Friendly Elliptic Curves of Prime Order, SAC 2005] via : Miller s Elliptic Net type a ms ms type f ms ms average time of a test suite of 100 randomly generated pairings in each of the two cases
35 Potential Advantages via Naturally inversion-free. Naturally deterministic. Since Double and DoubleAdd steps are similar or the same, is independent of hamming weight and avoids side-channel attacks. Lends itself to time-saving precomputation for repeated pairings e m (P, Q), e.g. where E, m, and P are fixed. Code is simple.
36 Improving the To compute a given pairing, we have many choices: Choice of a point S. Choice of lifts of P, Q, S. Choice of a subgroup of E(K ) containing P and Q, and S. Choice of an elliptic net in the given equivalence class. Choice of scaling of the chosen net. Choice of recurrences used to compute the terms of the net. Choice of order of operations for the computations. In the algorithm I have given, I have made apparently convenient choices for these things. It is very probable significant improvement is possible. via
37 via Elliptic nets provide an alternate computational model for elliptic curves. The terms of an elliptic net compute the Tate and Weil pairings. The resulting algorithm is of comparable complexity to Miller s and is likely to yield to further optimisation. The algorithm may have inherent security and computational benefits. Slides and Pari/GP scripts available at
Katherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationElliptic Nets and Points on Elliptic Curves
Department of Mathematics Brown University http://www.math.brown.edu/~stange/ Algorithmic Number Theory, Turku, Finland, 2007 Outline Geometry and Recurrence Sequences 1 Geometry and Recurrence Sequences
More informationA Note on Scalar Multiplication Using Division Polynomials
1 A Note on Scalar Multiplication Using Division Polynomials Binglong Chen, Chuangqiang Hu and Chang-An Zhao Abstract Scalar multiplication is the most important and expensive operation in elliptic curve
More informationThe Tate Pairing via Elliptic Nets
The Tate Pairing via Elliptic Nets Katherine E. Stange Brown University stange@math.brown.edu November 8, 2006 Abstract We derive a new algorithm for computing the Tate pairing on an elliptic curve over
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationElliptic Nets With Applications to Cryptography
Elliptic Nets With Applications to Cryptography Katherine Stange Brown University http://www.math.brown.edu/~stange/ Elliptic Divisibility Sequences: Seen In Their Natural Habitat Example Elliptic Divisibility
More informationOptimised versions of the Ate and Twisted Ate Pairings
Optimised versions of the Ate and Twisted Ate Pairings Seiichi Matsuda 1, Naoki Kanayama 1, Florian Hess 2, and Eiji Okamoto 1 1 University of Tsukuba, Japan 2 Technische Universität Berlin, Germany Abstract.
More informationPairing-Friendly Elliptic Curves of Prime Order
Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005 Outline
More informationThe Tate Pairing via Elliptic Nets
The Tate Pairing via Elliptic Nets Katherine E. Stange Brown University, Providence, RI 02912, USA Abstract. We derive a new algorithm for computing the Tate pairing on an elliptic curve over a finite
More informationPairings for Cryptography
Pairings for Cryptography Michael Naehrig Technische Universiteit Eindhoven Ñ ÐÖÝÔØÓ ºÓÖ Nijmegen, 11 December 2009 Pairings A pairing is a bilinear, non-degenerate map e : G 1 G 2 G 3, where (G 1, +),
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationImplementing Pairing-Based Cryptosystems
Implementing Pairing-Based Cryptosystems Zhaohui Cheng and Manos Nistazakis School of Computing Science, Middlesex University White Hart Lane, London N17 8HR, UK. {m.z.cheng, e.nistazakis}@mdx.ac.uk Abstract:
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationOrdinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors
Memoirs of the Faculty of Engineering, Okayama University, Vol. 44, pp. 60-68, January 2010 Ordinary Pairing Friendly Curve of Embedding Degree Whose Order Has Two Large Prime Factors Yasuyuki NOGAMI Graduate
More informationOptimal TNFS-secure pairings on elliptic curves with even embedding degree
Optimal TNFS-secure pairings on elliptic curves with even embedding degree Georgios Fotiadis 1 and Chloe Martindale 2 1 University of the Aegean, Greece gfotiadis@aegean.gr 2 Technische Universiteit Eindhoven,
More informationA brief overwiev of pairings
Bordeaux November 22, 2016 A brief overwiev of pairings Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Overview pairings 0 / 37 Plan of the lecture Pairings Pairing-friendly curves Progress of NFS attacks
More informationConstructing Families of Pairing-Friendly Elliptic Curves
Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationElliptic Nets How To Catch an Elliptic Curve Katherine Stange USC Women in Math Seminar November 7,
Elliptic Nets How To Catch an Elliptic Curve Katherine Stange USC Women in Math Seminar November 7, 2007 http://www.math.brown.edu/~stange/ Part I: Elliptic Curves are Groups Elliptic Curves Frequently,
More informationAn Analysis of Affine Coordinates for Pairing Computation
An Analysis of Affine Coordinates for Pairing Computation Michael Naehrig Microsoft Research mnaehrig@microsoft.com joint work with Kristin Lauter and Peter Montgomery Microsoft Research Pairing 2010,
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationFast hashing to G2 on pairing friendly curves
Fast hashing to G2 on pairing friendly curves Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin
More informationFormulary for elliptic divisibility sequences and elliptic nets. Let E be the elliptic curve defined over the rationals with Weierstrass equation
Formulary for elliptic divisibility sequences and elliptic nets KATHERINE E STANGE Abstract Just the formulas No warranty is expressed or implied May cause side effects Not to be taken internally Remove
More informationPairings at High Security Levels
Pairings at High Security Levels Michael Naehrig Eindhoven University of Technology michael@cryptojedi.org DoE CRYPTODOC Darmstadt, 21 November 2011 Pairings are efficient!... even at high security levels.
More informationArithmetic operators for pairing-based cryptography
7. Kryptotag November 9 th, 2007 Arithmetic operators for pairing-based cryptography Jérémie Detrey Cosec, B-IT, Bonn, Germany jdetrey@bit.uni-bonn.de Joint work with: Jean-Luc Beuchat Nicolas Brisebarre
More informationAte Pairing on Hyperelliptic Curves
Ate Pairing on Hyperelliptic Curves R. Granger, F. Hess, R. Oyono, N. Thériault F. Vercauteren EUROCRYPT 2007 - Barcelona Pairings Pairings Let G 1, G 2, G T be groups of prime order l. A pairing is a
More informationELLIPTIC CURVES OVER FINITE FIELDS
Further ELLIPTIC CURVES OVER FINITE FIELDS FRANCESCO PAPPALARDI #4 - THE GROUP STRUCTURE SEPTEMBER 7 TH 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University
More informationIntroduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013
18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and
More informationarxiv: v2 [math.nt] 23 Sep 2011
ELLIPTIC DIVISIBILITY SEQUENCES, SQUARES AND CUBES arxiv:1101.3839v2 [math.nt] 23 Sep 2011 Abstract. Elliptic divisibility sequences (EDSs) are generalizations of a class of integer divisibility sequences
More informationComputing the image of Galois
Computing the image of Galois Andrew V. Sutherland Massachusetts Institute of Technology October 9, 2014 Andrew Sutherland (MIT) Computing the image of Galois 1 of 25 Elliptic curves Let E be an elliptic
More informationFINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD
FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD D. BONEH, K. RUBIN, AND A. SILVERBERG Abstract. We apply the Cocks-Pinch method to obtain pairing-friendly composite order
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN 1, MICHAEL SCOTT 2, AND EDLYN TESKE 3 1 Department of Mathematics University of California, Berkeley Berkeley, CA 94720-3840 USA dfreeman@math.berkeley.edu
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More informationA Remark on Implementing the Weil Pairing
A Remark on Implementing the Weil Pairing Cheol Min Park 1, Myung Hwan Kim 1 and Moti Yung 2 1 ISaC and Department of Mathematical Sciences, Seoul National University, Korea {mpcm,mhkim}@math.snu.ac.kr
More informationSolving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction
Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction Aurore Guillevic and François Morain and Emmanuel Thomé University of Calgary, PIMS CNRS, LIX École Polytechnique, Inria, Loria SAC,
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationParshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU
Parshuram Budhathoki FAU October 25, 2012 Motivation Diffie-Hellman Key exchange What is pairing? Divisors Tate pairings Miller s algorithm for Tate pairing Optimization Alice, Bob and Charlie want to
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationEfficient Implementation of Cryptographic pairings. Mike Scott Dublin City University
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things l Efficient algorithms l Suitable elliptic curves We have
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationMappings of elliptic curves
Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves
More informationJulio López and Ricardo Dahab. Institute of Computing (IC) UNICAMP. April,
Point Compression Algorithms for Binary Curves Julio López and Ricardo Dahab {jlopez,rdahab}@ic.unicamp.br Institute of Computing (IC) UNICAMP April, 14 2005 Outline Introduction to ECC over GF (2 m )
More informationConstructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography
Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography Naomi Benger and Michael Scott, 1 School of Computing, Dublin City University, Ireland nbenger@computing.dcu.ie
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationCOMPLEX MULTIPLICATION: LECTURE 15
COMPLEX MULTIPLICATION: LECTURE 15 Proposition 01 Let φ : E 1 E 2 be a non-constant isogeny, then #φ 1 (0) = deg s φ where deg s is the separable degree of φ Proof Silverman III 410 Exercise: i) Consider
More informationOutline of the Seminar Topics on elliptic curves Saarbrücken,
Outline of the Seminar Topics on elliptic curves Saarbrücken, 11.09.2017 Contents A Number theory and algebraic geometry 2 B Elliptic curves 2 1 Rational points on elliptic curves (Mordell s Theorem) 5
More informationElliptic Curves, Factorization, and Cryptography
Elliptic Curves, Factorization, and Cryptography Brian Rhee MIT PRIMES May 19, 2017 RATIONAL POINTS ON CONICS The following procedure yields the set of rational points on a conic C given an initial rational
More informationSome Efficient Algorithms for the Final Exponentiation of η T Pairing
Some Efficient Algorithms for the Final Exponentiation of η T Pairing Masaaki Shirase 1, Tsuyoshi Takagi 1, and Eiji Okamoto 2 1 Future University-Hakodate, Japan 2 University of Tsukuba, Japan Abstract.
More informationImplementing Cryptographic Pairings over Barreto-Naehrig Curves
Implementing Cryptographic Pairings over Barreto-Naehrig Curves Augusto Jun Devegili 1, Michael Scott 2, and Ricardo Dahab 1 1 Instituto de Computação, Universidade Estadual de Campinas Caixa Postal 6176,
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationA TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES
A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES DAVID FREEMAN, MICHAEL SCOTT, AND EDLYN TESKE Abstract. Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for
More informationMath/Mthe 418/818. Review Questions
Math/Mthe 418/818 Review Questions 1. Show that the number N of bit operations required to compute the product mn of two integers m, n > 1 satisfies N = O(log(m) log(n)). 2. Can φ(n) be computed in polynomial
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCounting points on elliptic curves over F q
Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 p.2 Motivation Given an elliptic curve E over a finite
More informationThe Eta Pairing Revisited
1 The Eta Pairing Revisited F. Hess, N.P. Smart and F. Vercauteren Abstract In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Baretto
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationGenerating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves
Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves Ezekiel J Kachisa School of Computing Dublin City University Ireland ekachisa@computing.dcu.ie Abstract. Constructing pairing-friendly
More informationFaster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions
Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions Robert Granger and Michael Scott School of Computing, Dublin City University, Glasnevin, Dublin 9, Ireland. {rgranger,mike}@computing.dcu.ie
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 12: Introduction to Number Theory II Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline This time we ll finish the
More informationThe Hidden Root Problem
EPFL 2008 Definition of HRP Let F q k be a finite field where q = p n for prime p. The (Linear) Hidden Root Problem: let r N0 be given and x F q k hidden access to oracle Ox that given (a, b) F 2 q k returns
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationIntroduction to Elliptic Curves
IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationElliptic Curve Cryptosystems
Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved
More informationarxiv: v1 [math.nt] 31 Dec 2011
arxiv:1201.0266v1 [math.nt] 31 Dec 2011 Elliptic curves with large torsion and positive rank over number fields of small degree and ECM factorization Andrej Dujella and Filip Najman Abstract In this paper,
More informationEfficient Computation of Roots in Finite Fields
Efficient Computation of Roots in Finite Fields PAULO S. L. M. BARRETO (pbarreto@larc.usp.br) Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica, Universidade de São Paulo, Brazil.
More informationON TORSION POINTS ON AN ELLIPTIC CURVES VIA DIVISION POLYNOMIALS
UNIVERSITATIS IAGELLONICAE ACTA MATHEMATICA, FASCICULUS XLIII 2005 ON TORSION POINTS ON AN ELLIPTIC CURVES VIA DIVISION POLYNOMIALS by Maciej Ulas Abstract. In this note we propose a new way to prove Nagel
More informationHeuristics. pairing-friendly abelian varieties
Heuristics on pairing-friendly abelian varieties joint work with David Gruenewald John Boxall john.boxall@unicaen.fr Laboratoire de Mathématiques Nicolas Oresme, UFR Sciences, Université de Caen Basse-Normandie,
More informationAnalysis of Optimum Pairing Products at High Security Levels
Analysis of Optimum Pairing Products at High Security Levels Xusheng Zhang and Dongdai Lin Institute of Software, Chinese Academy of Sciences Institute of Information Engineering, Chinese Academy of Sciences
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationWhat About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol?
What About Vulnerability to a Fault Attack of the Miller s Algorithm during an Identity Based Protocol? Nadia EL MRABET LIRMM Laboratory, I3M, CNRS, University Montpellier 2, 161, rue Ada, 34 392 Montpellier,
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationPairing Computation on Elliptic Curves of Jacobi Quartic Form
Pairing Computation on Elliptic Curves of Jacobi Quartic Form Hong Wang, Kunpeng Wang, Lijun Zhang, and Bao Li {hwang,kpwang,ljzhang,lb}@is.ac.cn State Key Laboratory of Information Security Graduate University
More informationFaster Point Multiplication on Elliptic Curves with Efficient Endomorphisms
Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms Robert P. Gallant 1, Robert J. Lambert 1, and Scott A. Vanstone 1,2 1 Certicom Research, Canada {rgallant,rlambert,svanstone}@certicom.com
More informationSoftware implementation of Koblitz curves over quadratic fields
Software implementation of Koblitz curves over quadratic fields Thomaz Oliveira 1, Julio López 2 and Francisco Rodríguez-Henríquez 1 1 Computer Science Department, Cinvestav-IPN 2 Institute of Computing,
More informationThe Eta Pairing Revisited
The Eta Pairing Revisited F. Hess 1, N. Smart 2, and Frederik Vercauteren 3 1 Technische Universität Berlin, Fakultät II, Institut für Mathematik, MA 8-1, Strasse des 17. Juni 136, D-10623 Berlin, Germany.
More informationHans Wenzl. 4f(x), 4x 3 + 4ax bx + 4c
MATH 104C NUMBER THEORY: NOTES Hans Wenzl 1. DUPLICATION FORMULA AND POINTS OF ORDER THREE We recall a number of useful formulas. If P i = (x i, y i ) are the points of intersection of a line with the
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationEfficient hash maps to G 2 on BLS curves
Efficient hash maps to G 2 on BLS curves Alessandro Budroni 1 and Federico Pintore 2 1 MIRACL Labs, London, England - budroni.alessandro@gmail.com 2 Department of Mathematics, University of Trento, Italy
More informationOn attaching coordinates of Gaussian prime torsion points of y 2 = x 3 + x to Q(i)
On attaching coordinates of Gaussian prime torsion points of y 2 = x 3 + x to Q(i) Gordan Savin and David Quarfoot March 29, 2010 1 Background One of the natural questions that arises in the study of abstract
More informationApplication of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography
Applied Mathematical Sciences, Vol. 10, 2016, no. 45, 2205-2213 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ams.2016.64149 Application of Explicit Hilbert s Pairing to Constructive Class Field
More informationExplicit Complex Multiplication
Explicit Complex Multiplication Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Explicit CM Eindhoven,
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues
More informationSpeeding up the Scalar Multiplication on Binary Huff Curves Using the Frobenius Map
International Journal of Algebra, Vol. 8, 2014, no. 1, 9-16 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ija.2014.311117 Speeding up the Scalar Multiplication on Binary Huff Curves Using the
More informationGenerating more MNT elliptic curves
Generating more MNT elliptic curves Michael Scott 1 and Paulo S. L. M. Barreto 2 1 School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie 2 Universidade
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationFast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System
Fast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System Jithra Adikari, Vassil S. Dimitrov, and Pradeep Mishra Department of Electrical and
More informationFast Formulas for Computing Cryptographic Pairings
Fast Formulas for Computing Cryptographic Pairings Craig Costello craig.costello@qut.edu.au Queensland University of Technology May 28, 2012 1 / 47 Thanks: supervisors and co-authors Prof. Colin Boyd Dr.
More informationMinal Wankhede Barsagade, Dr. Suchitra Meshram
International Journal of Scientific & Engineering Research, Volume 5, Issue 4, April-2014 467 Overview of History of Elliptic Curves and its use in cryptography Minal Wankhede Barsagade, Dr. Suchitra Meshram
More information14 Ordinary and supersingular elliptic curves
18.783 Elliptic Curves Spring 2015 Lecture #14 03/31/2015 14 Ordinary and supersingular elliptic curves Let E/k be an elliptic curve over a field of positive characteristic p. In Lecture 7 we proved that
More informationHidden pairings and trapdoor DDH groups. Alexander W. Dent Joint work with Steven D. Galbraith
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith 2 Pairings in cryptography Elliptic curves have become an important tool in cryptography and pairings have
More informationEfficient Computation for Pairing Based
Provisional chapter Chapter 3 Efficient Computation for Pairing Based Cryptography: Efficient Computation A Statefor ofpairing the Art Based Cryptography: A State of the Art Nadia El Mrabet Nadia El Mrabet
More information