Results 1  10
of
12
On Small Characteristic Algebraic Tori in PairingBased Cryptography
, 2004
"... The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmet ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension eld. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the nal powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identitybased cryptographic protocols. Speci cally we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a signi cant improvement over the arithmetic of the extension eld.
Rethinking low genus hyperelliptic jacobian arithmetic over binary fields: Interplay of field arithmetic and explicit formulae
"... Abstract. In this paper, we present several improvements on the best known explicit formulæ for hyperelliptic curves of genus three and four in characteristic two, including the issue of reducing memory requirements. To show the effectiveness of these improvements and to allow a fair comparison of t ..."
Abstract

Cited by 12 (5 self)
 Add to MetaCart
Abstract. In this paper, we present several improvements on the best known explicit formulæ for hyperelliptic curves of genus three and four in characteristic two, including the issue of reducing memory requirements. To show the effectiveness of these improvements and to allow a fair comparison of the curves of different genera, we implement all formulæ using a highly optimized software library for arithmetic in binary fields. This library was designed to minimize the impact of a whole series of overheads which have a larger significance as the genus of the curves increases. The current state of the art in attacks against the discrete logarithm problem is taken into account for the choice of the field and group sizes. Performance tests are done on two personal computers with very different architectures. Our results can be shortly summarized as follows: Curves of genus three provide performance similar, or better, to that of curves of genus two, and these two types of curves can perform faster than elliptic curves – indeed on some processors often twice as fast. Curves of genus four attain a performance level comparable to elliptic curves. A large choice of curves is therefore available for the deployment of curvebased cryptography, with curves of genus three and four providing their own advantages as larger cofactors can be allowed for the group order.
On the Discrete Logarithm Problem on Algebraic Tori
 In Advances in Cryptology (CRYPTO 2005), Springer LNCS 3621, 66–85
, 2005
"... Abstract. Using a recent idea of Gaudry and exploiting rational representations of algebraic tori, we present an index calculus type algorithm for solving the discrete logarithm problem that works directly in these groups. Using a prototype implementation, we obtain practical upper bounds for the di ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
Abstract. Using a recent idea of Gaudry and exploiting rational representations of algebraic tori, we present an index calculus type algorithm for solving the discrete logarithm problem that works directly in these groups. Using a prototype implementation, we obtain practical upper bounds for the difficulty of solving the DLP in the tori T2(Fpm)and T6(Fpm) for various p and m. Our results do not affect the security of the cryptosystems LUC, XTR, or CEILIDH over prime fields. However, the practical efficiency of our method against other methods needs further examining, for certain choices of p and m in regions of cryptographic interest. 1
Elliptic curve cryptography: The serpentine course of a paradigm shift
 J. NUMBER THEORY
, 2008
"... Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on “social construction of technology” can contribute to a better understanding of this history.
Cryptographic Implications of Hess' Generalized GHS Attack
 Applicable Algebra in Engineering, Communication and Computing
, 2004
"... A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard 's rho method to solve the hardest instances. By considering the GHS Weil descent a ..."
Abstract

Cited by 5 (2 self)
 Add to MetaCart
A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard 's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields F q 5 are weak. In this paper, we examine characteristic two finite fields Fq n for weakness under Hess' generalization of the GHS attack. We show that the fields F q 7 are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over F q 7 , namely those curves E for which #E(F q 7) is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields F q 3 are partially weak, that the fields F q 6 are potentially weak, and that the fields F q 8 are potentially partially weak. Finally, we argue that the other fields F 2 N where N is not divisible by 3, 5, 6, 7 or 8, are not weak under Hess' generalized GHS attack.
Decomposed Attack for the Jacobian of a Hyperelliptic Curve over an Extension Field
"... Abstract. We study the solution of the discrete logarithm problem for the Jacobian of a curve of genus g defined over an extension field Fqn, by decomposed attack, considering a external elements B0 given by points of the curve whose xcoordinates are defined in Fq. In the decomposed attack, an elem ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. We study the solution of the discrete logarithm problem for the Jacobian of a curve of genus g defined over an extension field Fqn, by decomposed attack, considering a external elements B0 given by points of the curve whose xcoordinates are defined in Fq. In the decomposed attack, an element of the group which is written by a sum of some elements of external elements is called (potentially) decomposed and the set of the terms, that appear in the sum, is called decomposed factor. In order for the running of the decomposed attack, a test for the (potential) decomposeness and the computation of the decomposed factor are needed. Here, we show that the test to determine if an element of the Jacobian (i.e., reduced divisor) is written by an ng sum of the elements of the external elements and the computation of decomposed factor are reduced to the problem of solving some multivariable polynomial system of equations by using the RiemannRoch theorem. In particular, in the case of a hyperelliptic curve, we construct a concrete system of equations, which satisfies these properties and consists of (n 2 − n)g quadratic equations. Moreover, in the case of (g, n) = (1, 3), (2, 2) and (3, 2), we give examples of the concrete computation of the decomposed factors by using the computer algebra system Magma.
Compression for trace zero subgroups of elliptic curves
 Trends in Mathematics 8, 93–100 (2005) Pairings 131
, 2004
"... Abstract. We give details of a compression/decompression algorithm for points in trace zero subgroups of elliptic curves over Fqr, for r = 3 and 5. 1. ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
Abstract. We give details of a compression/decompression algorithm for points in trace zero subgroups of elliptic curves over Fqr, for r = 3 and 5. 1.
COMPRESSION IN FINITE FIELDS AND TORUSBASED CRYPTOGRAPHY
"... This paper is dedicated to the memory of the cat Ceilidh. Abstract. We present efficient compression algorithms for subgroups of multiplicative groups of finite fields, we use our compression algorithms to construct efficient public key cryptosystems called T2 and CEILIDH, we disprove some conjectur ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
This paper is dedicated to the memory of the cat Ceilidh. Abstract. We present efficient compression algorithms for subgroups of multiplicative groups of finite fields, we use our compression algorithms to construct efficient public key cryptosystems called T2 and CEILIDH, we disprove some conjectures, and we use the theory of algebraic tori to give a better understanding of our cryptosystems, the Lucasbased, XTR and GongHarn cryptosystems, and conjectured generalizations. 1.
A GENERIC APPROACH TO SEARCHING FOR JACOBIANS
 MATHEMATICS OF COMPUTATION
, 2009
"... We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
We consider the problem of finding cryptographically suitable Jacobians. By applying a probabilistic generic algorithm to compute the zeta functions of low genus curves drawn from an arbitrary family, we can search for Jacobians containing a large subgroup of prime order. For a suitable distribution of curves, the complexity is subexponential in genus 2, and O(N 1/12) in genus 3. We give examples of genus 2 and genus 3 hyperelliptic curves over prime fields with group orders over 180 bits in size, improving previous results. Our approach is particularly effective over lowdegree extension fields, where in genus 2 we find Jacobians over F p 2 and trace zero varieties over F p 3 with nearprime orders up to 372 bits in size. For p =2 61 − 1, the average time to find a group with 244bit nearprime order is under an hour on a PC.
EFFICIENT HALVING FOR GENUS 3 CURVES OVER BINARY
"... (Communicated by the associate editor name) Abstract. In this article, we deal with fast arithmetic in the Picard group of hyperelliptic curves of genus 3 over binary fields. We investigate both the optimal performance curves, where h(x) = 1, and the more general curves where the degree of h(x) is ..."
Abstract
 Add to MetaCart
(Communicated by the associate editor name) Abstract. In this article, we deal with fast arithmetic in the Picard group of hyperelliptic curves of genus 3 over binary fields. We investigate both the optimal performance curves, where h(x) = 1, and the more general curves where the degree of h(x) is 1, 2 or 3. For the optimal performance curves, we provide explicit halving and doubling formulas; not only for the most frequent case but also for all possible special cases that may occur when performing arithmetic on the proposed curves. In this situation, we show that halving offers equivalent performance to that of doubling when computing scalar multiples (by means of an halveandadd algorithm) in the divisor class group. For the other types of curves where halving may give performance gains (when the group order is twice an odd number), we give explicit halving formulas which outperform the corresponding doubling formulas by about 10 to 20 field multiplications per halving. These savings more than justify the use of halvings for these curves, making them significantly more efficient than previously thought. For halving on genus 3 curves there is no previous work published so far. 1.