Results 1  10
of
24
Breaking 128bit secure supersingular binary curves (or how to solve discrete logarithms in F24·1223 and F212·367), 2014. arXiv report 1402.3668
"... Abstract. In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasipolynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Men ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In late 2012 and early 2013 the discrete logarithm problem (DLP) in finite fields of small characteristic underwent a dramatic series of breakthroughs, culminating in a heuristic quasipolynomial time algorithm, due to Barbulescu, Gaudry, Joux and Thomé. Using these developments, Adj, Menezes, Oliveira and RodŕıguezHenŕıquez analysed the concrete security of the DLP, as it arises from pairings on (the Jacobians of) various genus one and two supersingular curves in the literature, which were originally thought to be 128bit secure. In particular, they suggested that the new algorithms have no impact on the security of a genus one curve over F21223, and reduce the security of a genus two curve over F2367 to 94.6 bits. In this paper we propose a new field representation and efficient general descent principles which together make the new techniques far more practical. Indeed, at the ‘128bit security level ’ our analysis shows that the aforementioned genus one curve has approximately 59 bits of security, and we report a total break of the genus two curve.
Hardware acceleration of the Tate pairing in characteristic three
, 2005
"... Although identity based cryptography offers many functional advantages over conventional public key alternatives, the computational costs are significantly greater. The core computational task is evaluation of a bilinear map, or pairing, over elliptic curves. In this paper we prototype and evaluate ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
Although identity based cryptography offers many functional advantages over conventional public key alternatives, the computational costs are significantly greater. The core computational task is evaluation of a bilinear map, or pairing, over elliptic curves. In this paper we prototype and evaluate polynomial and normal basis field arithmetic on an FPGA device and use it to construct a hardware accelerator for pairings over fields of characteristic three. The performance of our prototype improves roughly tenfold on previous known hardware implementations and orders of magnitude on the fastest known software implementation. As a result we reason that even on constrained devices one can usefully evaluate the pairing, a fact that gives credence to the idea that identity based cryptography is an ideal partner for identity aware smartcards.
FPGA Accelerated Tate Pairing Based Cryptosystems over Binary Fields
 IN CRYPTOLOGY EPRINT ARCHIVE, REPORT 2006/179
, 2006
"... Though the implementation of the Tate pairing is commonly believed to be computationally more intensive than other cryptographic operations, such as ECC point multiplication, there has been a substantial progress in speeding up the Tate pairing computations. Because of their inherent parallelism, ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
Though the implementation of the Tate pairing is commonly believed to be computationally more intensive than other cryptographic operations, such as ECC point multiplication, there has been a substantial progress in speeding up the Tate pairing computations. Because of their inherent parallelism, the existing Tate pairing algorithms are very suitable for hardware implementation aimed at achieving a high operation speed. Supersingular elliptic curves over binary fields are good candidates for hardware implementation due to their simple underlying algorithms and binary arithmetic. In this paper we propose e#cient Tate pairing implementations over binary fields F 2 239 and F 2 283 via FPGA. Though our field sizes are larger than those used in earlier architectures with the same security strength based on cubic elliptic curves or binary hyperelliptic curves, fewer multiplications in the underlying field are required, so that the computational latency for one pairing can be reduced. As a result, our pairing accelerators implemented via FPGA can run 15to25 times faster than other FPGA realizations at the same level of security strength, and at the same time achieve lower product of latency by area.
WEAKNESS OF F36·509 FOR DISCRETE LOGARITHM CRYPTOGRAPHY
"... new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field F36·509 = F33054 weak for discrete logarithm cryptography in the sense that discrete logarithms in this field can be computed significantly ..."
Abstract

Cited by 13 (3 self)
 Add to MetaCart
(Show Context)
new algorithms for computing discrete logarithms in finite fields of small and medium characteristic. We show that these new algorithms render the finite field F36·509 = F33054 weak for discrete logarithm cryptography in the sense that discrete logarithms in this field can be computed significantly faster than with the previous fastest algorithms. Our concrete analysis shows that the supersingular elliptic curve over F3509 with embedding degree 6 that had been considered for implementing pairingbased cryptosystems at the 128bit security level in fact provides only a significantly lower level of security. Our work provides a convenient framework and tools for performing a concrete analysis of the new discrete logarithm algorithms and their variants. 1.
Breaking pairingbased cryptosystems using ηT pairing over GF (3 97)
"... Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptogr ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptography. The most essential numbertheoretic problem in pairingbased cryptosystems is the discrete logarithm problem (DLP) because pairingbased cryptosystems are no longer secure once the underlining DLP is broken. One efficient bilinear pairing is the ηT pairing defined over a supersingular elliptic curve E on the finite field GF (3 n) for a positive integer n. The embedding degree of the ηT pairing is 6; thus, we can reduce the DLP over E on GF (3 n) to that over the finite field GF (3 6n). In this paper, for breaking the ηT pairing over GF (3 n), we discuss solving the DLP over GF (3 6n) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristics. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the ηT pairing, and the order (923bit) of GF (3 6·97) is substantially larger than the previous world record (676bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF (3 6·97). The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairingbased cryptosystems with the ηT pairing.
Some Efficient Algorithms for the Final Exponentiation of η_T Pairing Masaaki Shirase
 IN CRYPTOLOGY EPRINT ARCHIVE, REPORT 2006/431
, 2006
"... Recently Tate pairing and its variations are attracted in cryptography. Their operations consist of a main iteration loop and a final exponentiation. The final exponentiation is necessary for generating a unique value of the bilinear pairing in the extension fields. The speed of the main loop has be ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
Recently Tate pairing and its variations are attracted in cryptography. Their operations consist of a main iteration loop and a final exponentiation. The final exponentiation is necessary for generating a unique value of the bilinear pairing in the extension fields. The speed of the main loop has become fast by the recent improvements, e.g., the DuursmaLee algorithm and #T pairing. In this paper we discuss how to enhance the speed of the final exponentiation of the #T pairing in the extension field F 3 6n . Indeed, we propose some efficient algorithms using the torus T2 (F 3 3n) that can efficiently compute an inversion and a powering by 3 +1. Consequently, the total processing cost of computing the #T pairing can be reduced by 17% for n = 97.
Software multiplication using gaussian normal bases
 IEEE Trans. Comput
, 2006
"... ..."
(Show Context)
Efficient multiplication using type 2 optimal normal bases
"... Abstract. In this paper we propose a new structure for multiplication using optimal normal bases of type 2. The multiplier uses an efficient linear transformation to convert the normal basis representations of elements of Fqn to suitable polynomials of degree at most n over Fq. These polynomials ar ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we propose a new structure for multiplication using optimal normal bases of type 2. The multiplier uses an efficient linear transformation to convert the normal basis representations of elements of Fqn to suitable polynomials of degree at most n over Fq. These polynomials are multiplied using any method which is suitable for the implementation platform, then the product is converted back to the normal basis using the inverse of the above transformation. The efficiency of the transformation arises from a special factorization of its matrix into sparse matrices. This factorization — which resembles the FFT factorization of the DFT matrix — allows to compute the transformation and its inverse using O(n log n) operations in Fq, rather than O(n 2) operations needed for a general change of basis. Using this technique we can reduce the asymptotic cost of multiplication in optimal normal bases of type 2 from 2M(n) + O(n) reported by Gao et al. (2000) to M(n) + O(n log n) operations in Fq, where M(n) is the number of Fqoperations to multiply two polynomials of degree n − 1 over Fq. We show that this cost is also smaller than other proposed multipliers for n> 160, values which are used in elliptic curve cryptography.
Computing discrete logarithms in F36·137 and F36·163 using Magma”, available at http://eprint.iacr.org/2014/057
"... Abstract. We show that a Magma implementation of Joux’s new L[1/4] algorithm can be used to compute discrete logarithms in the 1303bit finite field F36·137 and the 1551bit finite field F36·163 with very modest computational resources. Our F36·137 implementation was the first to illustrate the effe ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We show that a Magma implementation of Joux’s new L[1/4] algorithm can be used to compute discrete logarithms in the 1303bit finite field F36·137 and the 1551bit finite field F36·163 with very modest computational resources. Our F36·137 implementation was the first to illustrate the effectiveness of Joux’s algorithm for computing discrete logarithms in smallcharacteristic finite fields that are not Kummer or twistedKummer extensions. 1.