On Prime-Order Elliptic Curves with Embedding Degrees 3, 4 and 6

Bilinear pairings on elliptic curves have many cryptographic applications such as identity based encryption, one-round three-party key agreement protocols, and short signature schemes. The elliptic curves which are suitable for pairing-based cryptography are called pairing friendly curves. The prime-order pairing friendly curves with embedding degrees k=3,4 and 6 were characterized by Miyaji, Nakabayashi and Takano. We study this characterization of MNT curves in details. We present explicit algorithms to obtain suitable curve parameters and to construct the corresponding elliptic curves. We also give a heuristic lower bound for the expected number of isogeny classes of MNT curves. Moreover, the related theoretical findings are compared with our experimental results

Security evaluation of a key management scheme based on bilinear maps on elliptic curves

In recent years, many applications of elliptic curves to cryptography have been developed. Cryptosystems based on groups of rational points on elliptic curves allow more efficient alternatives to finite field cryptography, which usually requires groups with larger cardinality and lower efficiency. The existence of non-degenerate, bilinear maps on elliptic curves, called pairings, allow the construction of many efficient cryptosystems; however, their security must be carefully studied. We will study the security of a key menagement scheme introduced by Boneh, Gentry and Waters in 2005, which is based on the decisional version of the l-BDHE problem. This is a variant of the classical Diffie-Hellman problem, specifically constructed for pairing-based cryptography. Its hardness, is still a research topic and only some theoretical evidence exists. The aim of this work is to investigate the security of this broadcast encryption system, taking in account a model that proves the hardness of the l-BDHE problem, under strong assumptions. Drawbacks of this approach will be discussed: its main weakness is the system's behaviour during attack simulations, which is far from real. The main result of this thesis is a lower bound on the running time of an adversary solving the above problem. Moreover, also the elliptic curve choice, when implementing an encryption scheme, could affect its security. We will review the main criteria for this choice and we will investigate the existence of elliptic curves suitable for the system of our interest

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Distortion maps for genus two curves

Distortion maps are a useful tool for pairing based cryptography. Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more complicated since the full torsion subgroup has rank 2g. In this paper we prove that distortion maps always exist for supersingular curves of genus g>1 and we construct distortion maps in genus 2 (for embedding degrees 4,5,6 and 12).Comment: 16 page

Efficient algorithms for pairing-based cryptosystems

We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics.We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography

More Discriminants with the Brezing-Weng Method

The Brezing-Weng method is a general framework to generate families of pairing-friendly elliptic curves. Here, we introduce an improvement which can be used to generate more curves with larger discriminants. Apart from the number of curves this yields, it provides an easy way to avoid endomorphism rings with small class number