Heuristics on pairing-friendly abelian varieties

We discuss heuristic asymptotic formulae for the number of pairing-friendly abelian varieties over prime fields, generalizing previous work of one of the authors arXiv:math1107.0307Comment: Pages 6-7 rewritten, other minor changes mad

Pairings in Cryptology: efficiency, security and applications

Abstract The study of pairings can be considered in so many di�erent ways that it may not be useless to state in a few words the plan which has been adopted, and the chief objects at which it has aimed. This is not an attempt to write the whole history of the pairings in cryptology, or to detail every discovery, but rather a general presentation motivated by the two main requirements in cryptology; e�ciency and security. Starting from the basic underlying mathematics, pairing maps are con- structed and a major security issue related to the question of the minimal embedding �eld [12]1 is resolved. This is followed by an exposition on how to compute e�ciently the �nal exponentiation occurring in the calculation of a pairing [124]2 and a thorough survey on the security of the discrete log- arithm problem from both theoretical and implementational perspectives. These two crucial cryptologic requirements being ful�lled an identity based encryption scheme taking advantage of pairings [24]3 is introduced. Then, perceiving the need to hash identities to points on a pairing-friendly elliptic curve in the more general context of identity based cryptography, a new technique to efficiently solve this practical issue is exhibited. Unveiling pairings in cryptology involves a good understanding of both mathematical and cryptologic principles. Therefore, although �rst pre- sented from an abstract mathematical viewpoint, pairings are then studied from a more practical perspective, slowly drifting away toward cryptologic applications

Constructing suitable ordinary pairing-friendly curves: A case of elliptic curves and genus two hyperelliptic curves

One of the challenges in the designing of pairing-based cryptographic protocols is to construct suitable pairing-friendly curves: Curves which would provide e�cient implementation without compromising the security of the protocols. These curves have small embedding degree and large prime order subgroup. Random curves are likely to have large embedding degree and hence are not practical for implementation of pairing-based protocols. In this thesis we review some mathematical background on elliptic and hyperelliptic curves in relation to the construction of pairing-friendly hyper-elliptic curves. We also present the notion of pairing-friendly curves. Furthermore, we construct new pairing-friendly elliptic curves and Jacobians of genus two hyperelliptic curves which would facilitate an efficient implementation in pairing-based protocols. We aim for curves that have smaller values than ever before reported for di�erent embedding degrees. We also discuss optimisation of computing pairing in Tate pairing and its variants. Here we show how to e�ciently multiply a point in a subgroup de�ned on a twist curve by a large cofactor. Our approach uses the theory of addition chains. We also show a new method for implementation of the computation of the hard part of the �nal exponentiation in the calculation of the Tate pairing and its varian

Cryptographic Pairings: Efficiency and DLP security

This thesis studies two important aspects of the use of pairings in cryptography, efficient algorithms and security. Pairings are very useful tools in cryptography, originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and Identity-based cryptography. This thesis comprises of two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in PBC. Results on the relationship between the two instances of the DLP will be presented along with a discussion about the appropriate selection of parameters to ensure particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the Pairing-Based Cryptography (PBC) research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this section contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocol

A CM construction for curves of genus 2 with p-rank 1

We construct Weil numbers corresponding to genus-2 curves with $p$-rank 1 over the finite field \F_{p^2} of $p^2$ elements. The corresponding curves can be constructed using explicit CM constructions. In one of our algorithms, the group of \F_{p^2}-valued points of the Jacobian has prime order, while another allows for a prescribed embedding degree with respect to a subgroup of prescribed order. The curves are defined over \F_{p^2} out of necessity: we show that curves of $p$-rank 1 over \F_p for large $p$ cannot be efficiently constructed using explicit CM constructions.Comment: 19 page

Abelian Varieties with Prescribed Embedding Degree

We present an algorithm that, on input of a CM-field $K$, an integer $k\ge1$, and a prime $r \equiv 1 \bmod k$, constructs a $q$-Weil number \pi \in \O_K corresponding to an ordinary, simple abelian variety $A$ over the field \F of $q$ elements that has an \F-rational point of order $r$ and embedding degree $k$ with respect to $r$. We then discuss how CM-methods over $K$ can be used to explicitly construct $A$.Comment: to appear in ANTS-VII

Refinements of Miller's Algorithm over Weierstrass Curves Revisited

In 1986 Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has then become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of a \emph{special} forms to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in the Miller's algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Miller's algorithm over Weierstrass curves. Though their refinements which only reduce the total number of vertical lines in Miller's algorithm, did not give an efficient computation as other optimizations, but they can be applied for computing \emph{both} of Weil and Tate pairings on \emph{all} pairing-friendly elliptic curves. In this paper we extend the Blake-Murty-Xu's method and show how to perform an elimination of all vertical lines in Miller's algorithm during Weil/Tate pairings computation on \emph{general} elliptic curves. Experimental results show that our algorithm is faster about 25% in comparison with the original Miller's algorithm.Comment: 17 page

Abelian varieties in pairing-based cryptography

We study the problem of the embedding degree of an abelian variety over a finite field which is vital in pairing-based cryptography. In particular, we show that for a prescribed CM field $L$ of degree $\geq 4$, prescribed integers $m$, $n$ and any prime $l\equiv 1 \pmod{mn}$, there exists an ordinary abelian variety over a finite field with endomorphism algebra $L$, embedding degree $n$ with respect to $l$ and the field extension generated by the $l$-torsion points of degree $mn$ over the field of definition. We also study a class of absolutely simple higher dimensional abelian varieties whose endomorphism algebras are central over imaginary quadratic fields.Comment: Typos fixe

Solving discrete logarithms on a 170-bit MNT curve by pairing reduction

Pairing based cryptography is in a dangerous position following the breakthroughs on discrete logarithms computations in finite fields of small characteristic. Remaining instances are built over finite fields of large characteristic and their security relies on the fact that the embedding field of the underlying curve is relatively large. How large is debatable. The aim of our work is to sustain the claim that the combination of degree 3 embedding and too small finite fields obviously does not provide enough security. As a computational example, we solve the DLP on a 170-bit MNT curve, by exploiting the pairing embedding to a 508-bit, degree-3 extension of the base field.Comment: to appear in the Lecture Notes in Computer Science (LNCS

Constructing pairing-friendly hyperelliptic curves using Weil restriction

A pairing-friendly curve is a curve over a finite field whose Jacobian has small embedding degree with respect to a large prime-order subgroup. In this paper we construct pairing-friendly genus 2 curves over finite fields $\mathbb{F}_q$ whose Jacobians are ordinary and simple, but not absolutely simple. We show that constructing such curves is equivalent to constructing elliptic curves over $\mathbb{F}_q$ that become pairing-friendly over a finite extension of $\mathbb{F}_q$. Our main proof technique is Weil restriction of elliptic curves. We describe adaptations of the Cocks-Pinch and Brezing-Weng methods that produce genus 2 curves with the desired properties. Our examples include a parametric family of genus 2 curves whose Jacobians have the smallest recorded $\rho$-value for simple, non-supersingular abelian surfaces