Refinements of Miller's Algorithm over Weierstrass Curves Revisited
In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has since become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of \emph{special} forms to exploit a possible twist during Tate pairing computation. Other improvements reduce the number of iterations in Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Although their refinements, which only reduce the total number of vertical lines in Miller's algorithm, do not yield as efficient a computation as other optimizations, they can be applied to compute \emph{both} the Weil and Tate pairings on \emph{all} pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu method and show how to eliminate all vertical lines in Miller's algorithm during Weil/Tate pairing computation on \emph{general} elliptic curves. Experimental results show that our algorithm is about 25% faster than the original Miller's algorithm.
Analysing the IOBC Authenticated Encryption Mode
Abstract. The idea of combining a very simple form of added plaintext redundancy with a special mode of data encryption to provide data integrity is an old one; however, despite its wide deployment in protocols such as Kerberos, it has largely been superseded by provably secure authenticated encryption techniques. In this paper we cryptanalyse a block cipher mode of operation called IOBC, possibly the only remaining encryption mode designed for such use that has not previously been analyzed. We show that IOBC is subject to known-plaintext-based forgery attacks with a complexity of around $2^{n/3}$, where $n$ is the block cipher block length.
Post-quantum cryptography
Cryptography is essential for the security of online communication, cars and implanted medical devices. However, many commonly used cryptosystems will be completely broken once large quantum computers exist. Post-quantum cryptography is cryptography under the assumption that the attacker has a large quantum computer; post-quantum cryptosystems strive to remain secure even in this scenario. This relatively young research area has seen some successes in identifying mathematical operations for which quantum algorithms offer little advantage in speed, and then building cryptographic systems around those. The central challenge in post-quantum cryptography is to meet demands for cryptographic usability and flexibility without sacrificing confidence.
Two-Face: New Public Key Multivariate Schemes
We present here new multivariate schemes that can be seen as generalizations of HFE with a property called 'Two-Face'.
In particular, we present five such families of algorithms, named 'Dob', 'Simple Pat', 'General Pat', 'Mac', and 'Super Two-Face'. These families are related to one another; some are refinements or generalizations of others. Notably, some of these schemes can be used for public key encryption and some for public key signature. We also introduce new multivariate quadratic permutations that may be of interest beyond cryptography.
Failure of the Point Blinding Countermeasure Against Fault Attack in Pairing-Based Cryptography
Article published in the proceedings of the C2SI conference, May 2015. Pairings are mathematical tools that have proven very useful in the construction of many cryptographic protocols. Some of these protocols are suitable for implementation on power-constrained devices such as smart cards or smartphones, which are subject to side channel attacks. In this paper, we analyse the effectiveness of the point blinding countermeasure in pairing-based cryptography against side channel attacks. In particular, we show that this countermeasure does not protect Miller's algorithm for pairing computation against fault attacks. We then give recommendations for a secure implementation of a pairing-based protocol using Miller's algorithm.
Computing Optimal Ate Pairings on Elliptic Curves with Embedding Degree and
Much attention has been given to efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The few existing works for odd embedding degrees leave room for improvement.
This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees k = 9, 15 and 27, which have twists of order three. Mainly, we provide detailed arithmetic and cost estimates for operations in the tower extension fields of the corresponding extension fields. A good selection of parameters
enables us to improve the theoretical cost of the Miller step and of the final exponentiation using the lattice-based method, compared to the few previous works that exist in these cases. In particular for and we obtained an improvement, in terms of operations in the base field, of up to and respectively in the computation of the final exponentiation.
We also found that elliptic curves with embedding degree give faster results than BN curves at the -bit security levels.
We provide a MAGMA implementation in each case to ensure the correctness of the formulas used in this work.
Efficient Elliptic Curve Diffie-Hellman Computation at the 256-bit Security Level
In this paper we introduce new Montgomery and Edwards form elliptic curves targeted at the 256-bit security level.
To this end, we work with three primes, namely , and . While has been considered earlier in the literature, and are new. We define a pair of birationally equivalent Montgomery and Edwards form curves over each of the three primes. Efficient 64-bit assembly implementations, targeted at Skylake and later generation Intel processors, have been made for the shared secret computation phase of the Diffie-Hellman key agreement protocol for the new Montgomery curves. Curve448, used in Transport Layer Security version 1.3, is a Montgomery curve which provides security at the 224-bit security level. Compared to the best publicly available 64-bit implementation of Curve448, the new Montgomery curve over leads to a - slowdown and the new Montgomery curve over leads to a - slowdown; on the other hand, 29 and 30.5 extra bits of security respectively are gained. For designers aiming for the 256-bit security level, the new curves over and provide an acceptable trade-off between security and efficiency.
Attribute-based encryption with granular revocation
National Research Foundation (NRF) Singapor
Analysis of Step-Reduced SHA-256
This is the first article analyzing the security of SHA-256 against fast collision search that takes into account the recent attacks by Wang et al. We show the limits of applying the techniques known so far to SHA-256. Next we introduce a new type of perturbation vector which circumvents the identified limits. This new technique is then applied to the unmodified SHA-256. Exploiting the combination of Boolean functions and modular addition together with the newly developed technique allows us to derive collision-producing characteristics for step-reduced SHA-256, which was not possible before. Although our results do not threaten the security of SHA-256, we show that the low probability of a single local collision may give rise to a false sense of security.