Pairing-Friendly Elliptic Curves of Prime Order

Similar documents
Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Generating more MNT elliptic curves

Constructing Families of Pairing-Friendly Elliptic Curves

Fast hashing to G2 on pairing friendly curves

Pairings for Cryptography

Generating more Kawazoe-Takahashi Genus 2 Pairing-friendly Hyperelliptic Curves

Asymmetric Pairings. Alfred Menezes (joint work with S. Chatterjee, D. Hankerson & E. Knapp)

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

Optimised versions of the Ate and Twisted Ate Pairings

A TAXONOMY OF PAIRING-FRIENDLY ELLIPTIC CURVES

A brief overwiev of pairings

On near prime-order elliptic curves with small embedding degrees (Full version)

Non-generic attacks on elliptic curve DLPs

On Near Prime-Order Elliptic Curves with Small Embedding Degrees

A Relation between Group Order of Elliptic Curve and Extension Degree of Definition Field

Pairings at High Security Levels

On compressible pairings and their computation

Katherine Stange. Pairing, Tokyo, Japan, 2007

Some Efficient Algorithms for the Final Exponentiation of η T Pairing

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

Faster Pairings on Special Weierstrass Curves

Efficient Implementation of Cryptographic pairings. Mike Scott Dublin City University

The Number Field Sieve for Barreto-Naehrig Curves: Smoothness of Norms

FINDING COMPOSITE ORDER ORDINARY ELLIPTIC CURVES USING THE COCKS-PINCH METHOD

A New Family of Pairing-Friendly elliptic curves

Constructing Tower Extensions of Finite Fields for Implementation of Pairing-Based Cryptography

Optimal TNFS-secure pairings on elliptic curves with even embedding degree

Faster Squaring in the Cyclotomic Subgroup of Sixth Degree Extensions

Individual Discrete Logarithm in GF(p k ) (last step of the Number Field Sieve algorithm)

Efficient hash maps to G 2 on BLS curves

Genus 2 Curves of p-rank 1 via CM method

Constructing Abelian Varieties for Pairing-Based Cryptography. David Stephen Freeman. A.B. (Harvard University) 2002

A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties

Fast point multiplication algorithms for binary elliptic curves with and without precomputation

You could have invented Supersingular Isogeny Diffie-Hellman

An Analysis of Affine Coordinates for Pairing Computation

Heuristics. pairing-friendly abelian varieties

Optimal Eta Pairing on Supersingular Genus-2 Binary Hyperelliptic Curves

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Speeding up Ate Pairing Computation in Affine Coordinates

Solving Discrete Logarithms on a 170-bit MNT Curve by Pairing Reduction

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Genus 2 Hyperelliptic Curve Families with Explicit Jacobian Order Evaluation and Pairing-Friendly Constructions

Katherine Stange. ECC 2007, Dublin, Ireland

Subgroup security in pairing-based cryptography

Mappings of elliptic curves

The Eta Pairing Revisited

ON THE IMPLEMENTATION OF COMPOSITE-ORDER BILINEAR GROUPS IN CRYPTOGRAPHIC PROTOCOLS SEVERIANO K. SISNEROS THESIS

SM9 identity-based cryptographic algorithms Part 1: General

Four-Dimensional GLV Scalar Multiplication

Constructing genus 2 curves over finite fields

Implementing Cryptographic Pairings over Barreto-Naehrig Curves

Explicit Complex Multiplication

Ate Pairing on Hyperelliptic Curves

Ordinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors

COMPRESSION FOR TRACE ZERO SUBGROUPS OF ELLIPTIC CURVES

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

The Eta Pairing Revisited

Pairings for Cryptographers

Galois Representations

Aspects of Pairing Inversion

Analysis of Optimum Pairing Products at High Security Levels

Représentation RNS des nombres et calcul de couplages

Efficient Algorithms for Pairing-Based Cryptosystems

Generating Prime Order Elliptic Curves: Difficulties and Efficiency Considerations

Counting points on elliptic curves over F q

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

Galois theory (Part II)( ) Example Sheet 1

Point counting and real multiplication on K3 surfaces

Compressed Pairings. 1 School of Computing

PAIRINGS ON HYPERELLIPTIC CURVES. 1. Introduction

Computing the image of Galois

USING ABELIAN VARIETIES TO IMPROVE PAIRING-BASED CRYPTOGRAPHY

Unbalancing Pairing-Based Key Exchange Protocols

Fast Formulas for Computing Cryptographic Pairings

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Short Signatures from the Weil Pairing

Fast, twist-secure elliptic curve cryptography from Q-curves

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Arithmetic operators for pairing-based cryptography

Efficient Algorithms for Pairing-Based Cryptosystems

Fully maximal and minimal supersingular abelian varieties

Class invariants by the CRT method

Optimal Pairings. F. Vercauteren

An introduction to supersingular isogeny-based cryptography

Introduction to Elliptic Curves

Problème du logarithme discret sur courbes elliptiques

Efficient Computation of Roots in Finite Fields

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

On Orders of Elliptic Curves over Finite Fields

A Remark on Implementing the Weil Pairing

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

The Final Exponentiation in Pairing-Based Cryptography

Identifying supersingular elliptic curves

Edwards Curves and the ECM Factorisation Method

Faster Computation of the Tate Pairing

Pairings for Cryptographers

On the complexity of computing discrete logarithms in the field F

Transcription:

Pairing-Friendly Elliptic Curves of Prime Order Paulo S. L. M. Barreto 1 Michael Naehrig 2 1 University of São Paulo pbarreto@larc.usp.br 2 RWTH Aachen University mnaehrig@ti.rwth-aachen.de SAC 2005

Outline Constructing pairing-friendly curves (review) prime order, but restricted to k 6 general k, but ρ = log p/log r 2 selected values of k > 6, best result ρ 5 4 New method: curves of prime order and k = 12 construction twisted pairings point and pairing compression

Pairing-Friendly Curves An elliptic curve is pairing-friendly if it contains a subgroup of (large) prime order r such that r p k 1, r p i 1 for 0 < i < k, where k is small enough that arithmetic on Fp k is feasible, large enough that the DLP on F is about as p k intractable as the ECDLP on E(F p )[r].

Pairing-Friendly Curves An elliptic curve is pairing-friendly if it contains a subgroup of (large) prime order r such that r p k 1, r p i 1 for 0 < i < k, where k is small enough that arithmetic on Fp k is feasible, large enough that the DLP on F is about as p k intractable as the ECDLP on E(F p )[r]. Unfortunately, k is usually too large (special construction needed).

Complex Multiplication (CM) The goal: Find p, n (p > 3 prime) and a, b F p s.t. the elliptic curve E : y 2 = x 3 + ax + b has order #E(F p ) = n (and trace of the Frobenius t = p + 1 n). Prerequisite: The CM norm equation DV 2 = 4p t 2 must be satisfied with moderate CM discriminant D.

Some Constructions Miyaji-Nakabayashi-Takano (2001) use the fact that n Φ k (p) to parametrise p, n and t, for k {3, 4, 6} the CM norm equation reduces to a Pell equation DV 2 = 4n(u) (t(u) 2) 2. Restriction: unable to handle larger k (norm equation at least quartic).

Some Constructions Miyaji-Nakabayashi-Takano (2001) use the fact that n Φ k (p) to parametrise p, n and t, for k {3, 4, 6} the CM norm equation reduces to a Pell equation DV 2 = 4n(u) (t(u) 2) 2. Restriction: unable to handle larger k (norm equation at least quartic). Cocks-Pinch (2002) unpublished algorithm based on the property that r n = p + 1 t and r p k 1. t 1 is a primitive k-th root of unity mod r. Restriction: usually ρ = log p /log r 2.

Algebraic Constructions Barreto-Lynn-Scott (2002), Brezing-Weng (2003) For certain values of k and D there exist closed-form parametrisations for families of curves with known equations. (e.g. k = 2 i 3 j and D = 3, or k = 2 i 7 j and D = 7)

Algebraic Constructions Barreto-Lynn-Scott (2002), Brezing-Weng (2003) For certain values of k and D there exist closed-form parametrisations for families of curves with known equations. (e.g. k = 2 i 3 j and D = 3, or k = 2 i 7 j and D = 7) Advantages: ρ closer to 1. (best case: ρ = 5 for k = 8 and D = 3) 4

Algebraic Constructions Barreto-Lynn-Scott (2002), Brezing-Weng (2003) For certain values of k and D there exist closed-form parametrisations for families of curves with known equations. (e.g. k = 2 i 3 j and D = 3, or k = 2 i 7 j and D = 7) Advantages: ρ closer to 1. (best case: ρ = 5 for k = 8 and D = 3) 4 Limitations: solutions known only for small D and curve order always composite (ρ still large ).

The Problem Boneh-Lynn-Shacham (2001) Original challenge: how to build pairing-friendly curves with k > 6? Modified challenge: how to build pairing-friendly curves of prime order with k > 6? Suggested lower bound: k = 10

Extending the MNT Approach Galbraith-McKee-Valença (2004) start from the property n Φ k (p) and parametrise p(u) such that Φ k (p(u)) = n 1 (u)n 2 (u).

Extending the MNT Approach Galbraith-McKee-Valença (2004) start from the property n Φ k (p) and parametrise p(u) such that Φ k (p(u)) = n 1 (u)n 2 (u). Leads to conditions on quadratic p(u) s.t. the factors of Φ k (p(u)) are quartic for k {5, 8, 10, 12}.

Extending the MNT Approach Galbraith-McKee-Valença (2004) start from the property n Φ k (p) and parametrise p(u) such that Φ k (p(u)) = n 1 (u)n 2 (u). Leads to conditions on quadratic p(u) s.t. the factors of Φ k (p(u)) are quartic for k {5, 8, 10, 12}. Result: families of genus 2 curves similar to MNT elliptic curves.

Extending the MNT Approach NB: p(u) must be a prime (or prime power). Some conditions cannot lead to solutions: for k = 12 the parametrisation p(u) = 6u 2 will never produce a prime power.

Extending the MNT Approach NB: p(u) must be a prime (or prime power). Some conditions cannot lead to solutions: for k = 12 the parametrisation p(u) = 6u 2 will never produce a prime power. How about changing the strategy?

New Strategy Start from n Φ k (t(u) 1) and parametrise t(u) s.t. Φ k (t(u) 1) splits into quartic factors n 1 (u)n 2 (u). The only restriction on t(u) is the Hasse bound. Since n(u) is quartic, t(u) must be at most quadratic for k {5, 8, 10, 12}.

New Strategy Start from n Φ k (t(u) 1) and parametrise t(u) s.t. Φ k (t(u) 1) splits into quartic factors n 1 (u)n 2 (u). The only restriction on t(u) is the Hasse bound. Since n(u) is quartic, t(u) must be at most quadratic for k {5, 8, 10, 12}. Most conditions do not lead to a favourable factorisation of the norm equation DV 2 = 4n(u) (t(u) 2) 2.

New Curves The condition t(u) = 6u 2 + 1 does lead to a favourable factorisation for k = 12. Parameters: Φ k (t(u) 1) = n(u)n( u). n(u) = 36u 4 + 36u 3 + 18u 2 + 6u + 1 p(u) = 36u 4 + 36u 3 + 24u 2 + 6u + 1 DV 2 = 4p t 2 = 3(6u 2 + 4u + 1) 2 NB: u Z \ {0} (positive or negative values).

New Curves Since D = 3, the curve equation has the form E(F p ) : y 2 = x 3 + b, with b > 0 adjusted to attain the right order. (A simple sequential search quickly finds a suitable b.) NB: the method always produces p 1 (mod 3) (no supersingular curves).

Twisted Pairings There exists a sextic twist E (F p 2) and an injective group homomorphism ψ : E (F p 2) E(F p 12).

Twisted Pairings There exists a sextic twist E (F p 2) and an injective group homomorphism Define a twisted pairing ψ : E (F p 2) E(F p 12). ê : E(F p ) E (F p 2) F p 12, ê(p, Q) = e(p, ψ(q)).

Twisted Pairings There exists a sextic twist E (F p 2) and an injective group homomorphism Define a twisted pairing ψ : E (F p 2) E(F p 12). ê : E(F p ) E (F p 2) F p 12, ê(p, Q) = e(p, ψ(q)). The field arithmetic needed for non-pairing operations is restricted to F p 2 instead of F p k/2. The homomorphism is only needed when actually computing pairings.

Compressed Pairings Pairing compression is possible with ratio 1 in a way 3 that naturally integrates with point compression. Instead of reducing a point (x, y ) E (F p 2) to its x-coordinate, discard it and keep only the y-coordinate. Recovering (x, y ) creates ambiguity between three possible values of x.

Compressed Pairings Pairing compression is possible with ratio 1 in a way 3 that naturally integrates with point compression. Instead of reducing a point (x, y ) E (F p 2) to its x-coordinate, discard it and keep only the y-coordinate. Recovering (x, y ) creates ambiguity between three possible values of x. The three points that share the same y-coordinate are conjugates, as are the pairing values computed on them (provided the points are n-torsion points). The trace of all three pairing values is the same F p 4 value.

Point Compression Discard one more bit of y, i.e. do not distinguish between y and y. Keep only the information to represent an equivalence class {(x, ±y ), (ζ 3 x, ±y ), (ζ 2 3x, ±y )}.

Point Compression Discard one more bit of y, i.e. do not distinguish between y and y. Keep only the information to represent an equivalence class {(x, ±y ), (ζ 3 x, ±y ), (ζ 2 3x, ±y )}. The F p 2-traces of the pairing values of all six points in the class are equal. Obtain a unique compressed pairing value over F p 2.

Point Compression Discard one more bit of y, i.e. do not distinguish between y and y. Keep only the information to represent an equivalence class {(x, ±y ), (ζ 3 x, ±y ), (ζ 2 3x, ±y )}. The F p 2-traces of the pairing values of all six points in the class are equal. Obtain a unique compressed pairing value over F p 2. Represent points in E (F p 2) with less than log(p 2 ) bits. Pairing compression with ratio 1 6 may be possible.

Work in Progress Reduce the loop length similar to the η T pairing. Use a space-time tradeoff, see Scott (2005). Simplify the final powering.

Work in Progress Reduce the loop length similar to the η T pairing. Use a space-time tradeoff, see Scott (2005). Simplify the final powering. Security assessment of certain features, e.g. sparse curve orders correspond to sparse field sizes - attacks may be possible, but their relevance is uncertain.

More Open Problems How to build pairing-friendly curves of genus g {1, 2, 3, 4} and prime order for k/g < 32 and ϕ(k) > 4 over a field F p m? Are there any real security problems with small D? Can we handle really large D? Lots of other problems...

Thank you!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback