A note on the construction of pairing-friendly elliptic curves for composite order protocols

In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number $N$. Boneh~\etal~proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order $N$. Displaying such a curve as a public parameter implies revealing a square root $s$ of the complex multiplication discriminant $-D$ modulo $N$. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, under certain conditions. Our conclusion is that the values of $s$ modulo each prime in the factorization of $N$ should be chosen as high entropy input parameters when running the Cocks-Pinch algorithm

Heuristics on pairing-friendly elliptic curves

We present a heuristic asymptotic formula as $x\to \infty$ for the number of isogeny classes of pairing-friendly elliptic curves with fixed embedding degree $k\geq 3$, with fixed discriminant, with rho-value bounded by a fixed $\rho_0$ such that $1<\rho_0<2$, and with prime subgroup order at most $x$.Comment: text substantially rewritten, tables correcte

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS

Yafa-108/146: Implementing ed25519-embedding Cocks-Pinch curves in arkworks-rs

This note describes two pairing-friendly curves that embed ed25519, of different bit security levels. Our search is not novel; it follows the standard recipe of the Cocks-Pinch method. We implemented these two curves on arkworks-rs. This note is intended to document how the parameters are being generated and how to implement these curves in arkworks-rs 0.4.0, for further reference. We name the two curves as Yafa-108 and Yafa-146: - Yafa-108 is estimated to offer 108-bit security, which we parameterized to match the 103-bit security of BN254 - Yafa-146 is estimated to offer 146-bit security, which we parameterized to match the 132-bit security of BLS12-446 or 123-bit security of BLS12-381 We use these curves as an example to demonstrate two things: - The elastic zero-knowledge proof, Gemini (EUROCRYPT \u2722), is more than being elastic, but it is more curve-agnostic and hardware-friendly. - The cost of nonnative field arithmetics can be drastic, and the needs of application-specific curves may be inherent. This result serves as evidence of the necessity of EIP-1962, and the insufficiency of EIP-2537

Cryptographic Pairings: Efficiency and DLP security

This thesis studies two important aspects of the use of pairings in cryptography, efficient algorithms and security. Pairings are very useful tools in cryptography, originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and Identity-based cryptography. This thesis comprises of two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in PBC. Results on the relationship between the two instances of the DLP will be presented along with a discussion about the appropriate selection of parameters to ensure particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the Pairing-Based Cryptography (PBC) research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this section contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocol

Geppetto: Versatile Verifiable Computation

Cloud computing sparked interest in Verifiable Computation protocols, which allow a weak client to securely outsource computations to remote parties. Recent work has dramatically reduced the client’s cost to verify the correctness of results, but the overhead to produce proofs largely remains impractical. Geppetto introduces complementary techniques for reducing prover overhead and increasing prover flexibility. With Multi-QAPs, Geppetto reduces the cost of sharing state between computations (e.g., for MapReduce) or within a single computation by up to two orders of magnitude. Via a careful instantiation of cryptographic primitives, Geppetto also brings down the cost of verifying outsourced cryptographic computations (e.g., verifiably computing on signed data); together with Geppetto’s notion of bounded proof bootstrapping, Geppetto improves on prior bootstrapped systems by five orders of magnitude, albeit at some cost in universality. Geppetto also supports qualitatively new properties like verifying the correct execution of proprietary (i.e., secret) algorithms. Finally, Geppetto’s use of energy-saving circuits brings the prover’s costs more in line with the program’s actual (rather than worst-case) execution time. Geppetto is implemented in a full-fledged, scalable compiler that consumes LLVM code generated from a variety of apps, as well as a large cryptographic library