Results 1  10
of
19
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
"... Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the secur ..."
Abstract

Cited by 77 (2 self)
 Add to MetaCart
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256bit AES keys. In this paper we examine the implications of heightened security needs for pairingbased cryptosystems. We first describe three different reasons why highsecurity users might have concerns about the longterm viability of these systems. However, in our view none of the risks inherent in pairingbased systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
The function field sieve in the medium prime case
 Advances in Cryptology – EUROCRYPT 2006, LNCS 4004 (2006
"... Abstract. In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form Fqn when q is a mediumsized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logar ..."
Abstract

Cited by 27 (8 self)
 Add to MetaCart
Abstract. In this paper, we study the application of the function field sieve algorithm for computing discrete logarithms over finite fields of the form Fqn when q is a mediumsized prime power. This approach is an alternative to a recent paper of Granger and Vercauteren for computing discrete logarithms in tori, using efficient torus representations. We show that when q is not too large, a very efficient L(1/3) variation of the function field sieve can be used. Surprisingly, using this algorithm, discrete logarithms computations over some of these fields are even easier than computations in the prime field and characteristic two field cases. We also show that this new algorithm has security implications on some existing cryptosystems, such as torus based cryptography in T30, short signature schemes in characteristic 3 and cryptosystems based on supersingular abelian varieties. On the other hand, cryptosystems involving larger basefields and smaller extension degrees, typically of degree at most 6, such as LUC, XTR or T6 torus cryptography, are not affected. 1
An introduction to pairingbased cryptography. Notes from lectures given in
, 2005
"... Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as oneround threeparty key agreement, identitybased encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
Abstract. Bilinear pairings have been used to design ingenious protocols for such tasks as oneround threeparty key agreement, identitybased encryption, and aggregate signatures. Suitable bilinear pairings can be constructed from
Improving the complexity of index calculus algorithms in elliptic curves over binary fields,” Accepted at EUROCRYPT2012
, 2012
"... Abstract. The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chos ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
Abstract. The goal of this paper is to further study the index calculus method that was first introduced by Semaev for solving the ECDLP and later developed by Gaudry and Diem. In particular, we focus on the step which consists in decomposing points of the curve with respect to an appropriately chosen factor basis. This part can be nicely reformulated as a purely algebraic problem consisting in finding solutions to a multivariate polynomial f(x1,...,xm) =0 such that x1,...,xm all belong to some vector subspace of F2n/F2. Our main contribution is the identification of particular structures inherent to such polynomial systems and a dedicated method for tackling this problem. We solve it by means of Gröbner basis techniques and analyze its complexity using the multihomogeneous structure of the equations. A direct consequence of our results is an index calculus algorithm solving ECDLP over any binary field F2n in time O(2ω t),witht≈n/2 (provided that a certain heuristic assumption holds). This has to be compared with Diem’s [14]
Function Field Sieve in Characteristic Three
, 2004
"... In this paper we investigate the e#ciency of the function field sieve to compute discrete logarithms in the finite fields F3 n . Motivated by attacks on identity based encryption systems using supersingular elliptic curves, we pay special attention to the case where n is composite. This allows ..."
Abstract

Cited by 8 (4 self)
 Add to MetaCart
In this paper we investigate the e#ciency of the function field sieve to compute discrete logarithms in the finite fields F3 n . Motivated by attacks on identity based encryption systems using supersingular elliptic curves, we pay special attention to the case where n is composite. This allows
A Comparison of CEILIDH and XTR
 IN ALGORITHMIC NUMBER THEORY SYMPOSIUM (ANTS), SPRINGERVERLAG LNCS 3076
, 2004
"... We give a comparison of the performance of the recently proposed torusbased public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus T6(Fp). However, while they both attain the same discrete logarithm security and each achieve ..."
Abstract

Cited by 7 (6 self)
 Add to MetaCart
We give a comparison of the performance of the recently proposed torusbased public key cryptosystem CEILIDH, and XTR. Underpinning both systems is the mathematics of the two dimensional algebraic torus T6(Fp). However, while they both attain the same discrete logarithm security and each achieve a compression factor of three for all data transmissions, the arithmetic performed in each is fundamentally different. In its inception, the designers of CEILIDH were reluctant to claim it offers any particular advantages over XTR other than its exact compression and decompression technique. From both an algorithmic and arithmetic perspective, we develop an e#cientversion of CEILIDH and show that while it seems bound to be inherently slower than XTR, the difference in performance is much smaller than what one might infer from the original description. Also, thanks to CEILIDH's simple group law, it provides a greater flexibility for applications, and maythus be considered a worthwhile alternative to XTR.
On the function field sieve and the impact of higher splitting probabilities: Application to discrete logarithms in f 2
, 1971
"... Abstract. In this paper we propose a binary field variant of the JouxLercier mediumsized Function Field Sieve, which results not only in complexities as low as Lqn(1/3, 2/3) for computing arbitrary logarithms, but also in an heuristic polynomial time algorithm for finding the discrete logarithms o ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Abstract. In this paper we propose a binary field variant of the JouxLercier mediumsized Function Field Sieve, which results not only in complexities as low as Lqn(1/3, 2/3) for computing arbitrary logarithms, but also in an heuristic polynomial time algorithm for finding the discrete logarithms of degree one elements. To illustrate the efficiency of the method, we have successfully solved the DLP in the finite field with 2 1971 elements. 1
Faster index calculus for the medium prime case. application to 1175bit and 1425bit finite fields. Cryptology ePrint Archive, Report 2012/720, 2012. http: //eprint.iacr.org
"... Abstract. Many index calculus algorithms generate multiplicative relations between smoothness basis elements by using a process called Sieving. This process allows to filter potential candidate relations very quickly, without spending too much time to consider bad candidates. However, from an asympt ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. Many index calculus algorithms generate multiplicative relations between smoothness basis elements by using a process called Sieving. This process allows to filter potential candidate relations very quickly, without spending too much time to consider bad candidates. However, from an asymptotic point of view, there is not much difference between sieving and straightforward testing of candidates. The reason is that even when sieving, some small amount time is spend for each bad candidates. Thus, asymptotically, the total number of candidates contributes to the complexity. In this paper, we introduce a new technique: Pinpointing, which allows us to construct multiplicate relations much faster, thus reducing the asymptotic complexity of relations ’ construction. Unfortunately, we only know how to implement this technique for finite fields which contain a mediumsized subfield. When applicable, this method improves the asymptotic complexity of the index calculus algorithm in the cases where the sieving phase dominates. In practice, it gives a very interesting boost to the performance of stateoftheart algorithms. We illustrate the feasability of the method with a discrete logarithm record in medium prime finite fields of sizes 1175 bits and 1425 bits. 1
An L(1/3) Discrete Logarithm Algorithm for Low Degree Curves, 2009, http://hal.inria.fr/inria00383941/en/, Accepted for publication in Journal of Cryptology
"... We present an algorithm for solving the discrete logarithm problem in Jacobians of families of plane curves whose degrees in X and Y are low with respect to their genera. The finite base fields Fq are arbitrary, but their sizes should not grow too fast compared to the genus. For such families, the g ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
We present an algorithm for solving the discrete logarithm problem in Jacobians of families of plane curves whose degrees in X and Y are low with respect to their genera. The finite base fields Fq are arbitrary, but their sizes should not grow too fast compared to the genus. For such families, the group structure and discrete logarithms can be computed in subexponential time of Lqg(1/3, O(1)). The runtime bounds rely on heuristics similar to the ones used in the number field sieve or the function field sieve. 1
Breaking pairingbased cryptosystems using ηT pairing over GF (3 97)
"... Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptogr ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
Abstract. There are many useful cryptographic schemes, such as IDbased encryption, short signature, keyword searchable encryption, attributebased encryption, functional encryption, that use a bilinear pairing. It is important to estimate the security of such pairingbased cryptosystems in cryptography. The most essential numbertheoretic problem in pairingbased cryptosystems is the discrete logarithm problem (DLP) because pairingbased cryptosystems are no longer secure once the underlining DLP is broken. One efficient bilinear pairing is the ηT pairing defined over a supersingular elliptic curve E on the finite field GF (3 n) for a positive integer n. The embedding degree of the ηT pairing is 6; thus, we can reduce the DLP over E on GF (3 n) to that over the finite field GF (3 6n). In this paper, for breaking the ηT pairing over GF (3 n), we discuss solving the DLP over GF (3 6n) by using the function field sieve (FFS), which is the asymptotically fastest algorithm for solving a DLP over finite fields of small characteristics. We chose the extension degree n = 97 because it has been intensively used in benchmarking tests for the implementation of the ηT pairing, and the order (923bit) of GF (3 6·97) is substantially larger than the previous world record (676bit) of solving the DLP by using the FFS. We implemented the FFS for the medium prime case (JL06FFS), and propose several improvements of the FFS, for example, the lattice sieve for JL06FFS and the filtering adjusted to the Galois action. Finally, we succeeded in solving the DLP over GF (3 6·97). The entire computational time of our improved FFS requires about 148.2 days using 252 CPU cores. Our computational results contribute to the secure use of pairingbased cryptosystems with the ηT pairing.