
    Cryptographic Pairings: Efficiency and DLP security

    This thesis studies two important aspects of the use of pairings in cryptography: efficient algorithms and security. Pairings are very useful tools in cryptography; originally used for the cryptanalysis of elliptic curve cryptography, they are now used in key exchange protocols, signature schemes and identity-based cryptography. This thesis comprises two parts: Security and Efficient Algorithms. In Part I: Security, the security of pairing-based protocols is considered, with a thorough examination of the Discrete Logarithm Problem (DLP) as it occurs in Pairing-Based Cryptography (PBC). Results on the relationship between the two instances of the DLP are presented, along with a discussion of the appropriate selection of parameters to ensure a particular security level. In Part II: Efficient Algorithms, some of the computational issues which arise when using pairings in cryptography are addressed. Pairings can be computationally expensive, so the PBC research community is constantly striving to find computational improvements for all aspects of protocols using pairings. The improvements given in this part contribute towards more efficient methods for the computation of pairings, and increase the efficiency of operations necessary in some pairing-based protocols.

    Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack

    We illustrate a vulnerability introduced to elliptic curve cryptographic protocols when implemented using a function of the OpenSSL cryptographic library. For the given implementation using an elliptic curve E over a binary field with a point G \in E, our attack recovers the majority of the bits of a scalar k when kG is computed using the OpenSSL implementation of the Montgomery ladder. For the Elliptic Curve Digital Signature Algorithm (ECDSA) the scalar k is intended to remain secret. Our attack recovers the scalar k and thus the secret key of the signer, and would therefore allow unlimited forgeries. This is possible from snooping on only one signing process and requires less than one second of computation on a quad-core desktop when the scalar k (and secret key) is around 571 bits.

    Fast hashing to G2 on pairing friendly curves

    When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order r involved in the pairing. Of these, G_1 is a group of points on the base field E(\mathbb{F}_p) and G_2 is instantiated as a group of points with coordinates on some extension field, over a twisted curve E'(\mathbb{F}_{p^d}), where d divides the embedding degree k. While hashing to G_1 is relatively easy, hashing to G_2 has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on G_2 which exploits an efficiently computable homomorphism.

    On the final exponentiation for calculating pairings on ordinary elliptic curves

    When using pairing-friendly ordinary elliptic curves to compute the Tate and related pairings, the computation consists of two main components, the Miller loop and the so-called final exponentiation. As a result of good progress being made to reduce the Miller loop component of the algorithm (particularly with the discovery of "truncated loop" pairings like the R-ate pairing), the final exponentiation has become a more significant component of the overall calculation. Here we exploit the structure of pairing-friendly elliptic curves to reduce the computation required for the final exponentiation to a minimum.

    Seasonal climate summary for the southern hemisphere (summer 2019–20): a summer of extremes

    This is a summary of the southern hemisphere atmospheric circulation patterns and meteorological indices for summer 2019–20; an account of seasonal rainfall and temperature for the Australian region is also provided. The antecedent climate conditions and climatic drivers for summer 2019–20 resulted in unprecedented extremes for Australia, with many heat and fire weather extremes. The austral summer of 2019–20 was staged to be hot and dry, with climate drivers supporting higher than average temperatures and lower than average rainfall. These conditions contributed to the highest recorded monthly accumulated national Forest Fire Danger Index. As the dominant climate influence for December receded during the season, dynamic (weather) processes dominated for changeable conditions, particularly in the mid-latitudes. Both January and February were among the 10 hottest on record, although several mid-latitude sites experienced unusually cool days. Across the rest of the hemisphere, conditions were also extreme, with notable drought conditions persisting from spring over large parts of South America. Temperature anomalies for land and ocean areas of the southern hemisphere were respectively the third and second highest on record.

    Constructing Tower Extensions for the implementation of Pairing-Based Cryptography

    A cryptographic pairing evaluates to an element of an extension field, and the evaluation itself involves a considerable amount of extension field arithmetic. It is recognised that organising the extension field as a "tower" of subfield extensions has many advantages. Here we consider criteria that apply when choosing the best towering construction, and the associated choice of irreducible polynomials, for the implementation of pairing-based cryptosystems. We introduce a method for automatically constructing efficient towers for more congruency classes than previous methods, some of which allow faster arithmetic.

    A note on the practical complexity of the NFS in the medium prime case: Smoothness of Norms

    During an ongoing examination of the behaviour, in practice, of the Number Field Sieve (NFS) in the medium prime case we have noticed numerous interesting patterns. In this paper we present findings on run-time observations of an aspect of the sieving stage. The contributions of these observations to the computational mathematics community are twofold: firstly, they bring us a step closer to understanding the true practical effectiveness of the algorithm, and secondly, they enabled the development of a test for the effectiveness of the polynomials used in the NFS. The results of this work are of particular interest to cryptographers: the run-time of the NFS directly determines the security level of some discrete logarithm problem based protocols, such as those arising in pairing-based cryptography.