1,402 research outputs found
Refinements of Miller's Algorithm over Weierstrass Curves Revisited
In 1986 Victor Miller described an algorithm for computing the Weil pairing
in his unpublished manuscript. This algorithm has then become the core of all
pairing-based cryptosystems. Many improvements of the algorithm have been
presented. Most of them involve a choice of elliptic curves of a \emph{special}
forms to exploit a possible twist during Tate pairing computation. Other
improvements involve a reduction of the number of iterations in the Miller's
algorithm. For the generic case, Blake, Murty and Xu proposed three refinements
to Miller's algorithm over Weierstrass curves. Though their refinements which
only reduce the total number of vertical lines in Miller's algorithm, did not
give an efficient computation as other optimizations, but they can be applied
for computing \emph{both} of Weil and Tate pairings on \emph{all}
pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu's
method and show how to perform an elimination of all vertical lines in Miller's
algorithm during Weil/Tate pairings computation on \emph{general} elliptic
curves. Experimental results show that our algorithm is faster about 25% in
comparison with the original Miller's algorithm.Comment: 17 page
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols are recently proposed with a
wide variety of new novel applications including the ones in emerging
technologies like cloud computing, internet of things (IoT), e-health systems
and wearable technologies. There have been however a wide range of incorrect
use of these primitives. The paper of Galbraith, Paterson, and Smart (2006)
pointed out most of the issues related to the incorrect use of pairing-based
cryptography. However, we noticed that some recently proposed applications
still do not use these primitives correctly. This leads to unrealizable,
insecure or too inefficient designs of pairing-based protocols. We observed
that one reason is not being aware of the recent advancements on solving the
discrete logarithm problems in some groups. The main purpose of this article is
to give an understandable, informative, and the most up-to-date criteria for
the correct use of pairing-based cryptography. We thereby deliberately avoid
most of the technical details and rather give special emphasis on the
importance of the correct use of bilinear maps by realizing secure
cryptographic protocols. We list a collection of some recent papers having
wrong security assumptions or realizability/efficiency issues. Finally, we give
a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page
A Digital Signature Scheme for Long-Term Security
In this paper we propose a signature scheme based on two intractable
problems, namely the integer factorization problem and the discrete logarithm
problem for elliptic curves. It is suitable for applications requiring
long-term security and provides a more efficient solution than the existing
ones
Linearizing torsion classes in the Picard group of algebraic curves over finite fields
We address the problem of computing in the group of -torsion rational
points of the jacobian variety of algebraic curves over finite fields, with a
view toward computing modular representations.Comment: To appear in Journal of Algebr
Ordinary Pairing Friendly Curve of Embedding Degree 1 Whose Order Has Two Large Prime Factors
Recently, composite order pairing–based cryptographies have received much attention. The composite order needs to be as large as the RSA modulus. Thus, they require a certain pairing–friendly elliptic curve that has such a large composite order. This paper proposes an efficient algorithm for generating an ordinary pairing–friendly elliptic curve of the embedding degree 1 whose order has two large prime factors as the RSA modulus. In addition, the generated pairing–friendly curve has an efficient structure for the Gallant–Lambert–Vanstone (GLV) method
Hard isogeny problems over RSA moduli and groups with infeasible inversion
We initiate the study of computational problems on elliptic curve isogeny
graphs defined over RSA moduli. We conjecture that several variants of the
neighbor-search problem over these graphs are hard, and provide a comprehensive
list of cryptanalytic attempts on these problems. Moreover, based on the
hardness of these problems, we provide a construction of groups with infeasible
inversion, where the underlying groups are the ideal class groups of imaginary
quadratic orders.
Recall that in a group with infeasible inversion, computing the inverse of a
group element is required to be hard, while performing the group operation is
easy. Motivated by the potential cryptographic application of building a
directed transitive signature scheme, the search for a group with infeasible
inversion was initiated in the theses of Hohenberger and Molnar (2003). Later
it was also shown to provide a broadcast encryption scheme by Irrer et al.
(2004). However, to date the only case of a group with infeasible inversion is
implied by the much stronger primitive of self-bilinear map constructed by
Yamakawa et al. (2014) based on the hardness of factoring and
indistinguishability obfuscation (iO). Our construction gives a candidate
without using iO.Comment: Significant revision of the article previously titled "A Candidate
Group with Infeasible Inversion" (arXiv:1810.00022v1). Cleared up the
constructions by giving toy examples, added "The Parallelogram Attack" (Sec
5.3.2). 54 pages, 8 figure
Ordinary Pairing Friendly Curve of Embedding Degree 3 Whose Order Has Two Large Prime Factors
This paper proposes a method for generating a certain composite order ordinary pairing–friendly elliptic curve of embedding degree 3. In detail, the order has two large prime factors such as the modulus of RSA cryptography. The method is based on the property that the order of the target pairing–friendly curve is given by a polynomial as r(X) of degree 2 with respect to the integer variable X. When the bit size of the prime factors is about 500 bits, the proposed method averagely takes about 15 minutes on Core 2 Quad (2.66Hz) for generating one
- …