Results 1-10 of 17
On Small Characteristic Algebraic Tori in Pairing-Based Cryptography
2004
Cited by 31 (3 self)
The output of the Tate pairing on an elliptic curve over a finite field is an element in the multiplicative group of an extension field modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension field. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the final powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identity-based cryptographic protocols. Specifically we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a significant improvement over the arithmetic of the extension field.
Using Primitive Subgroups to Do More with Fewer Bits
2004
Cited by 13 (3 self)
This paper gives a survey of some ways to improve the efficiency of discrete log-based cryptography by using the restriction of scalars and the geometry and arithmetic of algebraic tori and abelian varieties.
Asymptotically optimal communication for torus-based cryptography
 In Advances in Cryptology (CRYPTO 2004), Springer LNCS 3152
2004
Cited by 11 (1 self)
Abstract. We introduce a compact and efficient representation of elements of the algebraic torus. This allows us to design a new discrete-log based public-key system achieving the optimal communication rate, partially answering the conjecture in [4]. For n the product of distinct primes, we construct efficient ElGamal signature and encryption schemes in a subgroup of $\mathbb{F}_{q^n}^*$ in which the number of bits exchanged is only a $\varphi(n)/n$ fraction of that required in traditional schemes, while the security offered remains the same. We also present a Diffie-Hellman key exchange protocol averaging only $\varphi(n) \log_2 q$ bits of communication per key. For the cryptographically important cases of n = 30 and n = 210, we transmit a 4/5 and a 24/35 fraction, respectively, of the number of bits required in XTR [14] and recent CEILIDH [24] cryptosystems.
On the Discrete Logarithm Problem on Algebraic Tori
 In Advances in Cryptology (CRYPTO 2005), Springer LNCS 3621, 66–85
2005
Cited by 10 (3 self)
Abstract. Using a recent idea of Gaudry and exploiting rational representations of algebraic tori, we present an index calculus type algorithm for solving the discrete logarithm problem that works directly in these groups. Using a prototype implementation, we obtain practical upper bounds for the difficulty of solving the DLP in the tori $T_2(\mathbb{F}_{p^m})$ and $T_6(\mathbb{F}_{p^m})$ for various p and m. Our results do not affect the security of the cryptosystems LUC, XTR, or CEILIDH over prime fields. However, the practical efficiency of our method against other methods needs further examining, for certain choices of p and m in regions of cryptographic interest.
M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. Cryptology ePrint Archive, Report 2009/565
2009
Cited by 10 (0 self)
Abstract. This paper describes an extremely efficient squaring operation in the so-called ‘cyclotomic subgroup’ of $\mathbb{F}_{q^6}^{\times}$, for $q \equiv 1 \bmod 6$. This result arises from considering the Weil restriction of scalars of this group from $\mathbb{F}_{q^6}$ to $\mathbb{F}_{q^2}$, and provides efficiency improvements for both pairing-based and torus-based cryptographic protocols. Keywords: Pairing-based cryptography, torus-based cryptography, finite field arithmetic.
Hyperelliptic pairings
 IN PAIRING 2007
2007
Cited by 7 (3 self)
We survey recent research on pairings on hyperelliptic curves and present a comparison of the performance characteristics of pairings on elliptic curves and hyperelliptic curves. Our analysis indicates that hyperelliptic curves are not more efficient than elliptic curves for general pairing applications.
A Comparison of CEILIDH and XTR
IN ALGORITHMIC NUMBER THEORY SYMPOSIUM (ANTS), SPRINGER-VERLAG LNCS 3076
2004
Cited by 7 (6 self)
We give a comparison of the performance of the recently proposed torus-based public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus $T_6(\mathbb{F}_p)$. However, while they both attain the same discrete logarithm security and each achieve a compression factor of three for all data transmissions, the arithmetic performed in each is fundamentally different. In its inception, the designers of CEILIDH were reluctant to claim it offers any particular advantages over XTR other than its exact compression and decompression technique. From both an algorithmic and arithmetic perspective, we develop an efficient version of CEILIDH and show that while it seems bound to be inherently slower than XTR, the difference in performance is much smaller than what one might infer from the original description. Also, thanks to CEILIDH's simple group law, it provides a greater flexibility for applications, and may thus be considered a worthwhile alternative to XTR.
On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in f 2
1971
Cited by 7 (1 self)
Abstract. In this paper we propose a binary field variant of the Joux-Lercier medium-sized Function Field Sieve, which results not only in complexities as low as $L_{q^n}(1/3, 2/3)$ for computing arbitrary logarithms, but also in an heuristic polynomial time algorithm for finding the discrete logarithms of degree one elements. To illustrate the efficiency of the method, we have successfully solved the DLP in the finite field with $2^{1971}$ elements.
How to compress Rabin ciphertexts and signatures (and more)
 Proceedings of Crypto 2004, volume 3152 of LNCS
2004
Cited by 6 (0 self)
Abstract. Ordinarily, RSA and Rabin ciphertexts and signatures are log N bits, where N is a composite modulus; here, we describe how to “compress” Rabin ciphertexts and signatures (among other things) down to about (2/3) log N bits, while maintaining a tight provable reduction from factoring in the random oracle model. The computational overhead of our compression algorithms is small. We also improve upon Coron’s results regarding partial-domain-hash signature schemes, reducing by over 300 bits the hash output size necessary to prove adequate security.
On compressible pairings and their computation
 In Progress in Cryptology – AFRICACRYPT 2008, volume 5023 of LNCS
2008
Cited by 6 (1 self)
Abstract. In this paper we provide explicit formulæ to compute bilinear pairings in compressed form. We indicate families of curves where the proposed compressed computation method can be applied and where particularly generalized versions of the Eta and Ate pairings due to Zhao et al. are especially efficient. Our approach introduces more flexibility when trading off computation speed and memory requirement. Furthermore, compressed computation of reduced pairings can be done without any finite field inversions. We also give a performance evaluation and compare the new method with conventional pairing algorithms.