Discrete logarithms in curves over finite fields
A survey of algorithms for computing discrete logarithms in Jacobians of curves over finite fields.
Galois invariant smoothness basis
This text answers a question raised by Joux and the second author about the computation of discrete logarithms in the multiplicative group of finite fields. Given a finite residue field $\mathbb{K}$, one looks for a smoothness basis for $\mathbb{K}^*$ that is left invariant by the automorphisms of $\mathbb{K}$. For a broad class of finite fields, we manage to construct models that admit such a smoothness basis. This work aims at accelerating discrete logarithm computations in such fields. We treat the cases of codimension one (the linear sieve) and codimension two (the function field sieve).
The Q-curve construction for endomorphism-accelerated elliptic curves
We give a detailed account of the use of Q-curve reductions to construct elliptic curves over with efficiently computable endomorphisms, which can be used to accelerate elliptic-curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus of finding secure group orders when is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over equipped with efficient endomorphisms for every p > 3, and exhibit examples of twist-secure curves over for the efficient Mersenne prime .
Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540
Still Wrong Use of Pairings in Cryptography
Several pairing-based cryptographic protocols have recently been proposed with a wide variety of novel applications, including ones in emerging technologies such as cloud computing, the Internet of Things (IoT), e-health systems and wearable technologies. However, there has been a wide range of incorrect uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. Nevertheless, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is unawareness of recent advances in solving the discrete logarithm problem in some groups. The main purpose of this article is to give understandable, informative and up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and instead emphasize the importance of using bilinear maps correctly when realizing secure cryptographic protocols. We list a collection of recent papers with wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and up-to-date recipe for the correct use of pairings.
Comment: 25 pages
Pairing the Volcano
Isogeny volcanoes are graphs whose vertices are elliptic curves and whose edges are -isogenies. Algorithms for traversing these graphs were developed by Kohel in his thesis (1996) and later by Fouquet and Morain (2001). However, until now no method was known to predict the direction of a step on the volcano before taking it. Hence, in Kohel's and Fouquet-Morain's algorithms, many steps are taken before the right direction is found. In particular, ascending or horizontal isogenies are usually found by trial and error. In this paper, we propose an alternative method that efficiently finds all points of order such that the subgroup generated by is the kernel of a horizontal or an ascending isogeny. In many cases, our method is faster than previous methods. This is an extended version of a paper published in the proceedings of ANTS 2010. In addition, we treat the case of 2-isogeny volcanoes, and we derive from the group structure of the curve and the pairing a new invariant of the endomorphism class of an elliptic curve. Our benchmarks show that the resulting algorithm for endomorphism ring computation is faster than Kohel's method for computing the -adic valuation of the conductor of the endomorphism ring for small - …