Discrete logarithms in curves over finite fields

A survey on algorithms for computing discrete logarithms in Jacobians of curves over finite fields

Galois invariant smoothness basis

This text answers a question raised by Joux and the second author about the computation of discrete logarithms in the multiplicative group of finite fields. Given a finite residue field \bK, one looks for a smoothness basis for \bK^* that is left invariant by automorphisms of \bK. For a broad class of finite fields, we manage to construct models that allow such a smoothness basis. This work aims at accelerating discrete logarithm computations in such fields. We treat the cases of codimension one (the linear sieve) and codimension two (the function field sieve)

The Q-curve construction for endomorphism-accelerated elliptic curves

We give a detailed account of the use of $\mathbb{Q}$-curve reductions to construct elliptic curves over $\mathbb{F}\_{p^2}$ with efficiently computable endomorphisms, which can be used to accelerate elliptic curve-based cryptosystems in the same way as Gallant--Lambert--Vanstone (GLV) and Galbraith--Lin--Scott (GLS) endomorphisms. Like GLS (which is a degenerate case of our construction), we offer the advantage over GLV of selecting from a much wider range of curves, and thus finding secure group orders when $p$ is fixed for efficient implementation. Unlike GLS, we also offer the possibility of constructing twist-secure curves. We construct several one-parameter families of elliptic curves over $\mathbb{F}\_{p^2}$ equipped with efficient endomorphisms for every p \textgreater{} 3, and exhibit examples of twist-secure curves over $\mathbb{F}\_{p^2}$ for the efficient Mersenne prime $p = 2^{127}-1$.Comment: To appear in the Journal of Cryptology. arXiv admin note: text overlap with arXiv:1305.540

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Pairing the Volcano

Isogeny volcanoes are graphs whose vertices are elliptic curves and whose edges are $\ell$-isogenies. Algorithms allowing to travel on these graphs were developed by Kohel in his thesis (1996) and later on, by Fouquet and Morain (2001). However, up to now, no method was known, to predict, before taking a step on the volcano, the direction of this step. Hence, in Kohel's and Fouquet-Morain algorithms, many steps are taken before choosing the right direction. In particular, ascending or horizontal isogenies are usually found using a trial-and-error approach. In this paper, we propose an alternative method that efficiently finds all points $P$ of order $\ell$ such that the subgroup generated by $P$ is the kernel of an horizontal or an ascending isogeny. In many cases, our method is faster than previous methods. This is an extended version of a paper published in the proceedings of ANTS 2010. In addition, we treat the case of 2-isogeny volcanoes and we derive from the group structure of the curve and the pairing a new invariant of the endomorphism class of an elliptic curve. Our benchmarks show that the resulting algorithm for endomorphism ring computation is faster than Kohel's method for computing the $\ell$-adic valuation of the conductor of the endomorphism ring for small $\ell$