Fast hashing to G2 on pairing friendly curves
When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order involved in the pairing. Of these is a group of points on the base field E(\F_p) and is instantiated as a group of points with coordinates on some extension field, over a twisted curve E'(\F_{p^d}), where divides the embedding degree . While hashing to is relatively easy, hashing to has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on which exploits an efficiently computable homomorphism.
Implementing cryptographic pairings: a magma tutorial
In this paper we show an efficient implementation of the Tate, ate, and R-ate pairings in Magma. This will be demonstrated using the KSS curves with embedding degree k=1
Computing Optimal Ate Pairings on Elliptic Curves with Embedding Degree 9, 15 and 27
Much attention has been given to efficient computation of pairings on elliptic curves with even embedding degree since the advent of pairing-based cryptography. The existing few works in the case of odd embedding degrees require some improvements.
This paper considers the computation of optimal ate pairings on elliptic curves of embedding degrees k = 9, 15 and 27, which have twists of order three. Mainly, we provide a detailed arithmetic and cost estimation of operations in the tower extension fields of the corresponding extension fields. A good selection of parameters enables us to improve the theoretical cost of the Miller step and of the final exponentiation using the lattice-based method, compared with the few previous works that exist for these cases. In particular, for and we obtained an improvement, in terms of operations in the base field, of up to and respectively in the computation of the final exponentiation.
Also, we found that elliptic curves with embedding degree give faster results than BN curves at the -bit security levels.
We provide a MAGMA implementation in each case to ensure the correctness of the formulas used in this work.
Subgroup security in pairing-based cryptography
Pairings are typically implemented using ordinary pairing-friendly elliptic curves. The two input groups of the pairing function are groups of elliptic curve points, while the target group lies in the multiplicative group of a large finite field. At moderate levels of security, at least two of the three pairing groups are necessarily proper subgroups of a much larger composite-order group, which makes pairing implementations potentially susceptible to small-subgroup attacks.
To minimize the chances of such attacks, or the effort required to thwart them, we put forward a property for ordinary pairing-friendly curves called subgroup security. We point out that existing curves in the literature and in publicly available pairing libraries fail to achieve this notion, and propose a list of replacement curves that do offer subgroup security. These curves were chosen to drop into existing libraries with minimal code change, and to sustain state-of-the-art performance numbers. In fact, there are scenarios in which the replacement curves could facilitate faster implementations of protocols because they can remove the need for expensive group exponentiations that test subgroup membership.
Notes on Lattice-Based Cryptography
Public-key Cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are not hard to solve anymore when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based Cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Error (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in Cryptology.
This thesis includes the following contributions to the field:
- A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys.
- A concrete security analysis of the Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameters choice given by Gu to build an improved lattice-based attack.
- An improvement of the Blum-Kalai-Wasserman algorithm to solve LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM memory and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations given by the RAM.
- We fill a gap in Pairing-based Cryptography by providing concrete formulas to compute hash-maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.
Doctoral thesis
Cryptographic Pairings: Efficiency and DLP security
This thesis studies two important aspects of the use of pairings in cryptography: efficient algorithms and security.
Pairings are very useful tools in cryptography. Originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and identity-based cryptography.
This thesis comprises two parts: Security and Efficient Algorithms.
In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in PBC. Results on the relationship between the two instances of the DLP are presented, along with a discussion of the appropriate selection of parameters to ensure a particular security level.
In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the Pairing-Based Cryptography (PBC) research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this part contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocols.
Constructing suitable ordinary pairing-friendly curves: A case of elliptic curves and genus two hyperelliptic curves
One of the challenges in the design of pairing-based cryptographic protocols is to construct suitable pairing-friendly curves: curves which provide an efficient implementation without compromising the security of the protocols. These curves have a small embedding degree and a large prime-order subgroup. Random curves are likely to have a large embedding degree and hence are not practical for the implementation of pairing-based protocols.
In this thesis we review some mathematical background on elliptic and hyperelliptic curves in relation to the construction of pairing-friendly hyperelliptic curves. We also present the notion of pairing-friendly curves. Furthermore, we construct new pairing-friendly elliptic curves and Jacobians of genus two hyperelliptic curves which facilitate an efficient implementation of pairing-based protocols. We aim for curves that have smaller values than ever before reported for different embedding degrees. We also discuss optimisation of the computation of the Tate pairing and its variants. Here we show how to efficiently multiply a point in a subgroup defined on a twist curve by a large cofactor. Our approach uses the theory of addition chains. We also show a new method for implementing the computation of the hard part of the final exponentiation in the calculation of the Tate pairing and its variants.
Pairings in Cryptology: efficiency, security and applications
Abstract
The study of pairings can be considered in so many different ways that it may not be useless to state in a few words the plan which has been adopted, and the chief objects at which it has aimed. This is not an attempt to write the whole history of pairings in cryptology, or to detail every discovery, but rather a general presentation motivated by the two main requirements in cryptology: efficiency and security.
Starting from the basic underlying mathematics, pairing maps are constructed and a major security issue related to the question of the minimal embedding field [12] is resolved. This is followed by an exposition on how to compute efficiently the final exponentiation occurring in the calculation of a pairing [124] and a thorough survey on the security of the discrete logarithm problem from both theoretical and implementational perspectives. These two crucial cryptologic requirements being fulfilled, an identity-based encryption scheme taking advantage of pairings [24] is introduced. Then, perceiving the need to hash identities to points on a pairing-friendly elliptic curve in the more general context of identity-based cryptography, a new technique to efficiently solve this practical issue is exhibited.
Unveiling pairings in cryptology involves a good understanding of both mathematical and cryptologic principles. Therefore, although first presented from an abstract mathematical viewpoint, pairings are then studied from a more practical perspective, slowly drifting toward cryptologic applications.
Developing an Automatic Generation Tool for Cryptographic Pairing Functions
Pairing-Based Cryptography is receiving steadily more attention from industry, mainly because of the increasing interest in identity-based protocols. Although there are plenty of applications, efficiently implementing the pairing functions is often difficult, as it requires more knowledge than previous cryptographic primitives. The author presents a tool for automatically generating optimized code for the pairing functions, which can be used in the construction of such cryptographic protocols.
In the following pages I present my work on the construction of pairing function code, its optimizations, and how their construction can be automated to ease the work of the protocol implementer.
Based on the user requirements and the security level, the created cryptographic compiler chooses and constructs the appropriate elliptic curve. It identifies the supported pairing function (the Tate, ate, R-ate or pairing lattice/optimal pairing) and its optimized parameters. Using artificial intelligence algorithms, it generates optimized code for the final exponentiation and for hashing a point to the required group, using the parametrisation of the chosen family of curves.
Support for several multi-precision libraries has been incorporated: Magma, MIRACL and RELIC are already included, but more are possible.