Results 1  10
of
26
A taxonomy of pairingfriendly elliptic curves
, 2006
"... Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all ..."
Abstract

Cited by 78 (10 self)
 Add to MetaCart
Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairingfriendly elliptic curves currently existing in the literature. We also include new constructions of pairingfriendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairingfriendly curves to choose to best satisfy a variety of performance and security requirements.
Constructing Elliptic Curves with Prescribed Embedding Degrees
, 2002
"... Pairingbased cryptosystems depend on the existence of groups where the Decision DiffieHellman problem is easy to solve, but the Computational DiffieHellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but smal ..."
Abstract

Cited by 51 (16 self)
 Add to MetaCart
Pairingbased cryptosystems depend on the existence of groups where the Decision DiffieHellman problem is easy to solve, but the Computational DiffieHellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
On the Selection of PairingFriendly Groups
, 2003
"... We propose a simple algorithm to select group generators suitable for pairingbased cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and very efficient, with an observed performance about 2 to 10 times better than prev ..."
Abstract

Cited by 46 (12 self)
 Add to MetaCart
We propose a simple algorithm to select group generators suitable for pairingbased cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and very efficient, with an observed performance about 2 to 10 times better than previously reported implementations.
Elliptic Curves Suitable for Pairing Based Cryptography
 Designs, Codes and Cryptography
, 2003
"... We give a method for constructing ordinary elliptic curves over finite prime field Fp with small security parameter k with respect to a prime l dividing the group order #E(Fp) such that p << l² ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
We give a method for constructing ordinary elliptic curves over finite prime field Fp with small security parameter k with respect to a prime l dividing the group order #E(Fp) such that p << l²
Compressed Pairings
 In Advances in cryptology – Crypto’2004
, 2004
"... Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit f ..."
Abstract

Cited by 36 (8 self)
 Add to MetaCart
Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.
The complexity of class polynomial computation via floating point approximations. ArXiv preprint
, 601
"... Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
Abstract. We analyse the complexity of computing class polynomials, that are an important ingredient for CM constructions of elliptic curves, via complex floating point approximations of their roots. The heart of the algorithm is the evaluation of modular functions in several arguments. The fastest one of the presented approaches uses a technique devised by Dupont to evaluate modular functions by Newton iterations on an expression involving the arithmeticgeometric mean. Under the heuristic assumption, justified by experiments, that the correctness of the result is not perturbed by rounding errors, the algorithm runs in time “p “p ”” 3 2 O Dlog D  M Dlog D  ⊆ O ` Dlog 6+ε D  ´ ⊆ O ` h 2+ε´ for any ε> 0, where D is the CM discriminant, h is the degree of the class polynomial and M(n) is the time needed to multiply two nbit numbers. Up to logarithmic factors, this running time matches the size of the constructed polynomials. The estimate also relies on a new result concerning the complexity of enumerating the class group of an imaginary quadratic order and on a rigorously proven upper bound for the height of class polynomials. 1. Motivation and
Deniable authenticated key establishment for internet protocols
 In Security Protocols Workshop
"... Abstract. We propose two publickey schemes to achieve “deniable authentication” for the Internet Key Exchange (IKE). Our protocols can be implemented using different concrete mechanisms and we discuss different options; in particular we suggest solutions based on elliptic curve pairings. The protoc ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
Abstract. We propose two publickey schemes to achieve “deniable authentication” for the Internet Key Exchange (IKE). Our protocols can be implemented using different concrete mechanisms and we discuss different options; in particular we suggest solutions based on elliptic curve pairings. The protocol designs use the modular construction method of Canetti and Krawczyk which provides the basis for a proof of security. Our schemes can, in some situations, be more efficient than existing IKE protocols as well as having stronger deniability properties. 1
Generating more MNT elliptic curves
, 2004
"... In their seminal paper, Miyaji, Nakabayashi and Takano [12] describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairingbased cryptosystems on ordinary (nonsupersingular) elliptic curves. ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
In their seminal paper, Miyaji, Nakabayashi and Takano [12] describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairingbased cryptosystems on ordinary (nonsupersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.
Practical NonInteractive Key Distribution Based on Pairings
 Proceedings of the International Workshop on Coding and Cryptography (WCC
, 2002
"... We propose a practical noninteractive key distribution protocol based on pairings and de ne a notion of security for such a scheme. We prove the security of the system in this setting under the GDBH assumption, and present some possible realisations using Weil or Tate pairings on supersingular ..."
Abstract

Cited by 10 (0 self)
 Add to MetaCart
We propose a practical noninteractive key distribution protocol based on pairings and de ne a notion of security for such a scheme. We prove the security of the system in this setting under the GDBH assumption, and present some possible realisations using Weil or Tate pairings on supersingular and ordinary elliptic curves.
Finding composite order ordinary elliptic curves using the cockspinch method. Cryptology ePrint Archive, Report 2009/533
, 2009
"... Abstract. We apply the CocksPinch method to obtain pairingfriendly composite order groups with prescribed embedding degree associated to ordinary elliptic curves, and we show that new security issues arise in the composite order setting. 1. ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Abstract. We apply the CocksPinch method to obtain pairingfriendly composite order groups with prescribed embedding degree associated to ordinary elliptic curves, and we show that new security issues arise in the composite order setting. 1.