Pairing-based Cryptography at High Security Levels
Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS, 2005
Abstract

Cited by 77 (2 self)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field F_p over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24.
ECM on Graphics Cards
Abstract

Cited by 13 (4 self)
Abstract. This paper reports record-setting performance for the elliptic-curve method of integer factorization: for example, 604.99 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers on a single PC. The state-of-the-art GMP-ECM software handles 171.42 curves/second for ECM stage 1 with B1 = 8192 for 280-bit integers using all four cores of a 2.4 GHz Core 2 Quad Q6600. The extra speed takes advantage of extra hardware, specifically two NVIDIA GTX 280 graphics cards, using a new ECM implementation introduced in this paper. Our implementation uses Edwards curves, relies on new parallel addition formulas, and is carefully tuned for the highly parallel GPU architecture. On a single GTX 280 the implementation performs 22.66 million modular multiplications per second for a general 280-bit modulus. GMP-ECM, using all four cores of a Q6600, performs 17.91 million multiplications per second. This paper also reports speeds on other graphics processors: for example,
Thomé, When e-th roots become easier than factoring
Progress in Cryptology – Asiacrypt 2007, LNCS 4833, 2007
Abstract

Cited by 10 (1 self)
Abstract. We show that computing e-th roots modulo n is easier than factoring n with currently known methods, given subexponential access to an oracle outputting the roots of numbers of the form x_i + c. Here c is fixed and x_i denotes small integers of the attacker’s choosing. The attack comes in two flavors: – A first version is illustrated here by producing selective roots of the form x_i + c in Ln ( 1 q 3 32
On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in $\mathbb{F}_{2^{1971}}$
Abstract

Cited by 7 (1 self)
Abstract. In this paper we propose a binary field variant of the Joux-Lercier medium-sized Function Field Sieve, which results not only in complexities as low as $L_{q^n}(1/3, 2/3)$ for computing arbitrary logarithms, but also in a heuristic polynomial time algorithm for finding the discrete logarithms of degree one elements. To illustrate the efficiency of the method, we have successfully solved the DLP in the finite field with $2^{1971}$ elements.
Cryptography meets voting
2005
Abstract

Cited by 4 (0 self)
We survey the contributions of the entire theoretical computer science/cryptography community during 1975–2002 that impact the question of how to run verifiable elections with secret ballots. The approach based on homomorphic encryptions is the most successful; one such scheme is sketched in detail and argued to be feasible to implement. It is explained precisely what these ideas accomplish but also what they do not accomplish, and a short history of election fraud throughout history is included.
The number field sieve for integers of low weight
2006
Abstract

Cited by 3 (0 self)
Abstract. We define the weight of an integer N to be the smallest w such that N can be represented as $N = \sum_{i=1}^{w} \epsilon_i 2^{c_i}$, with $\epsilon_1, \ldots, \epsilon_w \in \{1, -1\}$. Since arithmetic modulo a prime of low weight is particularly efficient, it is tempting to use such primes in cryptographic protocols. In this paper we consider the difficulty of the discrete logarithm problem modulo a prime N of low weight, as well as the difficulty of factoring an integer N of low weight. We describe a version of the number field sieve which handles both problems. In the case that w = 2, the method is the same as the special number field sieve, which runs conjecturally in time $\exp\big(((32/9)^{1/3} + o(1))(\log N)^{1/3} (\log \log N)^{2/3}\big)$ for $N \to \infty$. For fixed w > 2, we conjecture that there is a constant $\xi$ less than $(32/9)^{1/3} \big((2w - 3)/(w - 1)\big)^{1/3}$ such that the running time of the algorithm is at most $\exp\big((\xi + o(1))(\log N)^{1/3} (\log \log N)^{2/3}\big)$ for $N \to \infty$. We further conjecture that no $\xi$ less than $(32/9)^{1/3} \big((\sqrt{2}\,w - 2\sqrt{2} + 1)/(w - 1)\big)^{2/3}$ has this property. Our analysis reveals that on average the method performs significantly better than it does in the worst case. We consider all the examples given in a recent paper of Koblitz and Menezes and demonstrate that in every case but one, our algorithm runs faster than the standard versions of the number field sieve.
Parallel Solution of Sparse Linear Systems Defined over GF(p)
Abstract

Cited by 1 (0 self)
Introduction. The security of modern public-key cryptography is usually based on the presumed hardness of problems such as factoring integers or computing discrete logarithms. The Number Field Sieve [19] (NFS) and Function Field Sieve [1] (FFS) offer two examples of algorithms that can attack these problems. Such algorithms are generally specified in two phases. The first phase, sometimes called the sieving step, aims to collect many relations that represent small items of information about the problem one is trying to solve. This phase is easy to parallelise since one can generate the relations independently. It is therefore attractive for distributed, Internet-based collaborative computation [26]. The second phase of processing, sometimes called the matrix step, aims to collect the relations and combine them into a single linear system which, when solved, allows one to efficiently compute answers to the original problem. Efficient implementation of the matrix step is challenging since the li
REMARKS ON THE NFS COMPLEXITY
Abstract
Abstract. In this contribution we investigate practical issues with implementing the NFS algorithm to solve the DLP arising in XTR-based cryptosystems. We can transform the original XTR-DLP to a DLP instance in $\mathbb{F}_{p^6}$, where p is a medium-sized prime. Unfortunately, for practical ranges of p, the optimal degree of an NFS polynomial is less than the required degree 6. This leads to the problem of finding enough smooth equations during the sieve stage of the NFS algorithm. We discuss several techniques that can increase the NFS output, i.e. the number of equations produced during the sieve, without increasing the smoothness bound.
Computational Security for Cryptography
2009
Abstract
Since the appearance of public-key cryptography in the Diffie-Hellman seminal paper, many schemes have been proposed, but many have been broken. Indeed, for a long time, the simple fact that a cryptographic algorithm had withstood cryptanalytic attacks for several years was considered as a kind of validation. But some schemes took a long time before being widely studied, and maybe thereafter being broken. A much more convincing line of research has tried to provide “provable” security for cryptographic protocols, in a complexity theory sense: if one can break the cryptographic protocol, one can efficiently solve the underlying problem. Unfortunately, this initially was a purely theoretical work: very few practical schemes could be proven in this so-called “standard model” because such a security level rarely meets with efficiency. Ten years ago, Bellare and Rogaway proposed a trade-off to achieve some kind of validation of efficient schemes, by identifying some concrete cryptographic objects with ideal random ones. The most famous identification appeared in the so-called “random-oracle model”. More recently, another direction has been taken to prove the security of efficient schemes in the standard model (without any ideal assumption) by using stronger computational assumptions. In these lectures, we focus on practical asymmetric protocols together with their “reductionist” security proofs. We cover the two main goals that public-key cryptography is devoted to solving: authentication with digital signatures, and confidentiality with public-key encryption schemes.
The impact of the number field sieve on the discrete logarithm problem in finite fields
Algorithmic Number Theory, MSRI Publications