8,941 research outputs found

    Elliptic curves with j = 0, 1728 and low embedding degree

    Elliptic curves over a finite field Fq with j-invariant 0 or 1728, both supersingular and ordinary, whose embedding degree k is low are studied. In the ordinary case we give conditions characterizing such elliptic curves with fixed embedding degree with respect to a subgroup of prime order . For k = 1, 2, these conditions give parameterizations of q in terms of and two integers m, n. We show several examples of families with infinitely many curves. Similar parameterizations for k ≥ 3 need a fixed kth root of the unity in the underlying field. Moreover, when the elliptic curve admits distortion maps, an example is provided

    Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

    Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field. Comment: to appear in the Lecture Notes in Computer Science (LNCS

    Refinements of Miller's Algorithm over Weierstrass Curves Revisited

    In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has then become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of a special forms to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in the Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Though their refinements which only reduce the total number of vertical lines in Miller's algorithm, did not give an efficient computation as other optimizations, but they can be applied for computing both of Weil and Tate pairings on all pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu's method and show how to perform an elimination of all vertical lines in Miller's algorithm during Weil/Tate pairings computation on general elliptic curves. Experimental results show that our algorithm is faster about 25% in comparison with the original Miller's algorithm. Comment: 17 page

    Non-vanishing Heterotic Superpotentials on Elliptic Fibrations

    We present models of heterotic compactification on Calabi-Yau threefolds and compute the non-perturbative superpotential for vector bundle moduli. The key feature of these models is that the threefolds, which are elliptically fibered over del Pezzo surfaces, have homology classes with a unique holomorphic, isolated genus-zero curve. Using the spectral cover construction, we present vector bundles for which we can explicitly calculate the Pfaffians associated with string instantons on these curves. These are shown to be non-zero, thus leading to a non-vanishing superpotential in the 4D effective action. We discuss, in detail, why such compactifications avoid the Beasley-Witten residue theorem. Comment: 1 + 23 page

    Complete Intersection Fibers in F-Theory

    Global F-theory compactifications whose fibers are realized as complete intersections form a richer set of models than just hypersurfaces. The detailed study of the physics associated with such geometries depends crucially on being able to put the elliptic fiber into Weierstrass form. While such a transformation is always guaranteed to exist, its explicit form is only known in a few special cases. We present a general algorithm for computing the Weierstrass form of elliptic curves defined as complete intersections of different codimensions and use it to solve all cases of complete intersections of two equations in an ambient toric variety. Using this result, we determine the toric Mordell-Weil groups of all 3134 nef partitions obtained from the 4319 three-dimensional reflexive polytopes and find new groups that do not exist for toric hypersurfaces. As an application, we construct several models that cannot be realized as toric hypersurfaces, such as the first toric SU(5) GUT model in the literature with distinctly charged 10 representations and an F-theory model with discrete gauge group Z_4 whose dual fiber has a Mordell-Weil group with Z_4 torsion. Comment: 41 pages, 4 figures and 18 tables; added references in v

    Still Wrong Use of Pairings in Cryptography

    Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings. Comment: 25 page