## Pairing-based Cryptography at High Security Levels (2005)

### Download Links

- [eprint.iacr.org]
- [www.cacr.math.uwaterloo.ca]
- [cacr.uwaterloo.ca]
- DBLP

Venue: Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS

Citations: 80 (3 self-citations)

### BibTeX

    @INPROCEEDINGS{Koblitz05pairing-basedcryptography,
      author    = {Neal Koblitz and Alfred Menezes},
      title     = {Pairing-based Cryptography at High Security Levels},
      booktitle = {Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS},
      year      = {2005},
      pages     = {13--36},
      publisher = {Springer-Verlag}
    }

### Abstract

In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field F_p over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.

### Citations

2303 | The art of computer programming - Knuth - 1969

Citation context: ...nsion to 3 (rather than 4) multiplications in the smaller field; and the Toom–Cook method reduces a multiplication in a cubic extension to 5 (rather than 9) small field multiplications (see §4.3.3 of [25]). This means that we can expect to perform a field operation in F_{p^k} in time ν(k)m, where ν(k) = 3^i 5^j for k = 2^i 3^j, and m denotes the time to perform a multiplication in F_p. In what follows w...

1218 | Identity-based encryption from the Weil pairing - Boneh, Franklin - 2009

Citation context: ...ecent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of pr...

961 | A Course in Computational Algebraic Number Theory, GTM 138 - Cohen - 1993

Citation context: ... E over F_q, that is, a curve for which #E(F_q) = q + 1. (If q ≡ −1 (mod 4) or q ≡ −1 (mod 6), then the curve (4) or (5) in §7 has this property; more generally, see §7.6 and Exercise 2 in Chapter 7 of [13] for the prime field case.) We then have the following theorem about the so-called class-VI supersingular curves, which can be viewed as curves of embedding degree k ...

589 | Short Signatures from the Weil Pairing - Boneh, Lynn, et al. - 2001

Citation context: ... field) 1024 3072 8192 15360; γ = the ratio b_{p^k}/b_n: 6.4, 12, 21 1/3 (Table 1. Minimum bitlengths of n and p^k). 4.1. Short signatures. One of the best known uses of pairings is to produce short signatures [9]. Without using pairing methods, the shortest signatures available are the ECDSA, where the length is roughly 2b_n bits, and the Pintsov–Vanstone [41] and Naccache–Stern [39] schemes, where the length ...

426 | Guide to Elliptic Curve Cryptography - Hankerson, Menezes, et al. - 2003

Citation context: ...he denominators ℓ2 and v2 cancel in the Tate pairing). Such a procedure is called a “Miller operation” [37]. For this type of computation it is usually most efficient to use Jacobian coordinates (see [20], §3.2.2). A point (X, Y, Z) in Jacobian coordinates corresponds to the point (x, y) in affine coordinates with x = X/Z^2, y = Y/Z^3. In Jacobian coordinates the formula for doubling a point T = (X,...

305 | Reducing Elliptic Curves Logarithms to Logarithms in a Finite Field - Menezes, Okamoto, et al. - 1993

Citation context: ... q modulo n; in other words, it is the smallest positive k such that n | q^k − 1. The number k, which is called the embedding degree, has been of interest to cryptographers ever since it was shown in [35] how to use the Weil pairing to transfer the discrete log problem in the group ⟨P⟩ ⊂ E(F_q) to the discrete log problem in the finite field F_{q^k}. In recent years, the Tate pairing (introduced to cryp...

297 | Elliptic Curve Public Key Cryptosystems - Menezes - 1993

Citation context: ...ach of which is isomorphic to the multiplicative group of F_q under the MOV embedding. This theorem is an immediate consequence of the classification of supersingular elliptic curves (see Table 5.2 in [34]). Notice that for a trace-zero curve E we have #E(F_q) = q + 1 = q + 1 − α − ᾱ with α^2 = −q, and hence #E(F_{q^2}) = q^2 + 1 − α^2 − ᾱ^2 = q^2 + 1 + 2q. Thus, for the twist we have #Ẽ(F_{q^2}) = q^2 + ...

289 | Short group signature - Boneh, Boyen, et al.

Citation context: ...he price one has to pay for the extra functionality will increase sharply. It should be noted that in certain applications bandwidth can be a reason for using pairing-based systems (see, for example, [5, 6, 8]). We shall not consider bandwidth in this paper, except briefly in §4.1 for Boneh–Lynn–Shacham signatures. The other two concerns about pairing-based systems are more theoretical, and both relate to...

286 | Introduction to Elliptic Curves and Modular Forms, Grad - Koblitz - 1984

Citation context: ..., where i corresponds to the map (x, y) ↦ (−x, iy); modulo p the endomorphism i corresponds to the map (x, y) ↦ (−x, Ay) (note that A is a square root of −1 in F_p). According to the theorem in §2 of [27], the Frobenius endomorphism of E is the (unique up to complex conjugation) element α of Z[i] having norm p and satisfying the congruence α ≡ (N/p) (mod 2 + 2i), where (N/p) denotes the Legendre s...

277 | A one round protocol for tripartite Diffie-Hellman - Joux

Citation context: ...s for use in pairing-based systems, until now no one has seriously considered families with embedding degree k = 1. Most authors stipulate from the beginning that k ≥ 2. We know of only three papers ([21, 23, 51]) that briefly discuss curves E over F_p with #E(F_p) = p − 1. In [21], Joux points out that no efficient way is known to generate such curves with p − 1 divisible by n but not by n^2, a condition that...

246 | Efficient identity-based encryption without random oracles, volume 3494 - Waters - 2005

Citation context: ...ρ = log p/log n is generally between 1 and 2. In the k = 1 case, to avoid the point multiplication by h one might want to use a different identity-based encryption scheme, such as the one in [42] or [52], where Alice’s public key is an integer rather than a point. 9. Open Problems (1) Prove Verheul’s theorem for class-VI supersingular elliptic curves, which, as we saw at the end of §3, contain subgro...

244 | Factoring integers with elliptic curves - Lenstra - 1987

Citation context: ...ger #E(F_q) to be the product of a roughly 512-bit prime and a 2048-bit cofactor made up of primes that are small enough to be factored out of #E(F_q) by the Lenstra elliptic curve factorization method [31]. This is not very likely; in fact, standard estimates from analytic number theory imply that the probability of a random 2048-bit integer being 2^150-smooth is less than 2^−50. Very recently, howev...

207 | A Course in Number Theory and Cryptography - Koblitz - 1991

Citation context: ...ost popular examples, because of the simple form of the equation, the trivial determination of the group order, and the easy deterministic coding of integers as points (see Exercise 2 of Chapter 6 of [26]). For similar reasons, Boneh and Franklin used these curves as examples in [7]. On the other hand, authors who study implementation issues tend to shun supersingular curves, perhaps because of the su...

201 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves - Frey, Rück - 1994

Citation context: ...iring to transfer the discrete log problem in the group ⟨P⟩ ⊂ E(F_q) to the discrete log problem in the finite field F_{q^k}. In recent years, the Tate pairing (introduced to cryptographers by Frey–Rück [16]) and the Weil pairing have been used to construct a number of different cryptosystems. These systems were the first elliptic curve cryptosystems not constructed by analogy with earlier versions that ...

177 | Hierarchical identity based encryption with constant size ciphertext - Boneh, Boyen, et al.

Citation context: ...he price one has to pay for the extra functionality will increase sharply. It should be noted that in certain applications bandwidth can be a reason for using pairing-based systems (see, for example, [5, 6, 8]). We shall not consider bandwidth in this paper, except briefly in §4.1 for Boneh–Lynn–Shacham signatures. The other two concerns about pairing-based systems are more theoretical, and both relate to...

138 | Efficient pairing computation on supersingular abelian varieties - Barreto, Galbraith, et al.

Citation context: ... Very recently, however, techniques have been developed to speed up the pairing computations in the low-characteristic supersingular case to make them virtually independent of the bitlength of n (see [3]). A detailed analysis has not yet been done, so it is still unclear how these supersingular implementations compare with the nonsupersingular ones as the security level increases. In particular, the ...

133 | Collusion resistant broadcast encryption with short ciphertexts and private keys - Boneh, Gentry, et al. - 2005

117 | The Weil Pairing, and Its Efficient Calculation - Miller

Citation context: ...etter understand this speedup and its implications for the use of Solinas primes. 8. Efficiency Comparisons Let’s briefly recall the ingredients in pairing computations. According to Proposition 8 of [37] (see also [12]), the Weil pairing ê(P, Q) is given by the formula (−1)^n F_P(Q)/F_Q(P), P ≠ Q, in which F_P and F_Q are functions whose divisors are n(P) − n(∞) and n(Q) − n(∞), respectively. Here ...

103 | New explicit conditions of elliptic curve traces for FR-reduction - Miyaji, Nakabayashi, et al. - 2001

Citation context: ...order to have short Boneh–Lynn–Shacham signatures, one must choose the parameters so that ρ = log p/log n is close to 1 and hence k = γ/ρ is nearly equal to γ = b_{p^k}/b_n (see Table 1). Starting with [38], techniques have been developed to do this with nonsupersingular curves when k can be taken equal to 2, 3, 4, or 6. In those cases the k-th cyclotomic polynomial is linear or quadratic, and the resul...

96 | Fast evaluation of logarithms in fields of characteristic two - Coppersmith - 1984

Citation context: ...at discrete logarithms cannot be feasibly found in the finite field F_{q^k}. In practice, q is either a prime or a power of 2 or 3, in which case the number field sieve [19, 43] or function field sieve [14, 1, 44] will find a discrete log in time of order L(1/3); this means that the bitlength of q^k must be comparable to that of an RSA modulus offering the same security. In bo...

84 | The XTR public key system - Lenstra, Verheul

Citation context: ...n. Verheul proved the following striking result. Let µ_n denote the n-th roots of unity in F_{p^6}, where n | (p^2 − p + 1), and hence µ_n is not contained in a proper subfield; this is called an XTR group [30]. Suppose that an efficiently computable nontrivial homomorphism is found from µ_n to ⟨P⟩ ⊂ E(F_{p^2}), where E is an elliptic curve defined over F_{p^2} with #E(F_{p^2}) = p^2 − p + 1. Here we are assuming...

81 | Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems - Verheul - 2004

Citation context: ...tone [35] embedding from ⟨P⟩ ⊂ E(F_{q^k}) to the finite field given by X ↦ ê(X, Q) for X ∈ ⟨P⟩. This brings us to the third major concern with pairing-based cryptosystems, namely, Verheul’s theorem [51]. Even if one is willing to suppose that the Bilinear Diffie–Hellman Problem on a low-embedding-degree curve is equivalent to the DHP and the DLP on the curve, in practice one really considers the DHP...

80 | The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm - Balasubramanian, Koblitz - 1998

Citation context: ...ual non-pairing-based elliptic curve cryptography (ECC). In ECC protocols one uses nonsupersingular curves having large embedding degree k. In fact, k is generally of size comparable to n itself (see [2]), in which case even the input to the Verheul inversion function would have exponential size. Thus, the danger posed by such a map — if it could be efficiently computed — applies only to small k. Rem...

53 | Generalized Mersenne numbers - Solinas - 1999

Citation context: ...tant parameters of the system — the field size p and the prime order n of the basepoint P ∈ E(F_p). One can easily get n and p both to have optimal bitlengths and at the same time to be Solinas primes [49] (that is, the sum or difference of a small number of powers of 2). In earlier papers on parameter selection for pairing-based systems we have not found any discussion of the advantages and disadvanta...

50 | ID based cryptosystems with pairing on elliptic curve - Sakai, Kasahara - 2003

Citation context: ..., where ρ = log p/log n is generally between 1 and 2. In the k = 1 case, to avoid the point multiplication by h one might want to use a different identity-based encryption scheme, such as the one in [42] or [52], where Alice’s public key is an integer rather than a point. 9. Open Problems (1) Prove Verheul’s theorem for class-VI supersingular elliptic curves, which, as we saw at the end of §3, contai...

48 | On the selection of pairing-friendly groups - Barreto, Lynn, et al.

Citation context: ... of order n in E(F_p). In this case the Miller operation for computing F_P(Q) in the Weil pairing is quicker than that for F_Q(P), and so has been dubbed “Miller lite” by Solinas [50]. In addition, in [4] it was pointed out that when the embedding degree k is even, the subgroup ⟨Q⟩ ⊂ E(F_{p^k}) can be chosen so that the x-coordinates of all of its points lie in the quadratic subextension F_{p^{k/2}} and the...

48 | Unbelievable security: Matching AES security using public key systems - Lenstra

Citation context: ... of an RSA modulus offering the same security. In both cases the bitlength should be, for example, at least 15360 to provide security equivalent to a 256-bit AES key [29, 40]. As in the case of RSA, the loss of efficiency compared to non-pairing-based elliptic curve cryptography (ECC) increases steeply as the security level grows. Unlike RSA, pairing-based systems can a...

47 | Breaking RSA may not be equivalent to factoring - Boneh, Venkatesan

Citation context: ...rovably equivalent to a standard problem that is thought to be hard unless both problems are easy — is analogous to a similar concern with RSA. In [10] Boneh and Venkatesan proved that an “algebraic” reduction from factoring to the RSA problem with small encryption exponent is not possible unless both problems are easy. 4. Parameter Sizes For the re...

47 | Elliptic Curves Suitable for Pairing Based Cryptography - Brezing, Weng

Citation context: ...k-th cyclotomic polynomial is linear or quadratic, and the resulting Diophantine equations are computationally tractable. For larger k — notably, for k = 24 — the best results are due to Brezing–Weng [11], who obtain ρ = 1.25. For example, at the 256-bit security level with 512-bit n they can produce 640-bit signatures, compared to 768 bits for Pintsov–Vanstone and Naccache–Stern and 1024 bits for ECD...

42 | Compressed pairings - Scott, Barreto - 2004

Citation context: ...se the element that is raised to the (Φ_k(p)/n)-th power has norm 1 over any proper subfield of F_{p^k}. In particular, this element is “unitary” over the quadratic subextension F_{p^{k/2}}. As explained in [47], this means that one need only keep track of the “real” part of powers of the element and can use Lucas sequences to process each bit of the exponent using only one squaring and one multiplication in...

38 | An elliptic curves implementation of the finite field digital signature algorithm - Koblitz - 1998

Citation context: ...n to the MOV embedding would show that the problems on the curve and in the field are provably equivalent. Indeed, in special cases construction of such a homomorphism was posed as an open problem in [28] and [36]. However, in [51] Verheul dashed anyone’s hopes of ever strengthening one’s confidence in the security of pairing-based systems by constructing such a reduction. Verheul proved the following...

34 | Separating Decision Diffie-Hellman from Computational Diffie-Hellman in Cryptographic Groups - Joux, Nguyen

Citation context: ...s for use in pairing-based systems, until now no one has seriously considered families with embedding degree k = 1. Most authors stipulate from the beginning that k ≥ 2. We know of only three papers ([21, 23, 51]) that briefly discuss curves E over F_p with #E(F_p) = p − 1. In [21], Joux points out that no efficient way is known to generate such curves with p − 1 divisible by n but not by n^2, a condition that...

32 | Ordinary abelian varieties having small embedding degree - Galbraith, McKee, et al. - 2005

27 | Discrete logarithms in GF(p) using the number field sieve - Gordon - 1993

Citation context: ... any pairing-based protocol is that discrete logarithms cannot be feasibly found in the finite field F_{q^k}. In practice, q is either a prime or a power of 2 or 3, in which case the number field sieve [19, 43] or function field sieve [14, 1, 44] will find a discrete log in time of order L(1/3); this means that the bitlength of q^k must be comparable to that of an RSA modulus offering the same...

26 | The Diffie-Hellman protocol - Maurer, Wolf

Citation context: ...the more natural and more extensively studied Discrete Log Problem (DLP). That is why cryptographers were very pleased when a series of papers by den Boer, Maurer, Wolf, Boneh, Lipton and others (see [33] for a survey) developed strong evidence for the equivalence of the Diffie–Hellman and Discrete Log Problems on elliptic curves. But unfortunately, no such evidence has been found for hardness of the ...

24 | Function field sieve method for discrete logarithms over finite fields - Adleman, Huang - 1999

Citation context: ...at discrete logarithms cannot be feasibly found in the finite field F_{q^k}. In practice, q is either a prime or a power of 2 or 3, in which case the number field sieve [19, 43] or function field sieve [14, 1, 44] will find a discrete log in time of order L(1/3); this means that the bitlength of q^k must be comparable to that of an RSA modulus offering the same security. In bo...

20 | Signing on a Postcard - Naccache, Stern - 1962

Citation context: ...to produce short signatures [9]. Without using pairing methods, the shortest signatures available are the ECDSA, where the length is roughly 2b_n bits, and the Pintsov–Vanstone [41] and Naccache–Stern [39] schemes, where the length is roughly 1.5b_n. The pairing-based Boneh–Lynn–Shacham signatures have length approximately equal to the bitlength of p, which is ρb_n, where ρ = log p/log n. Thus, in order...

17 | Discrete logarithms and local units - Schirokauer - 1993

Citation context: ... any pairing-based protocol is that discrete logarithms cannot be feasibly found in the finite field F_{q^k}. In practice, q is either a prime or a power of 2 or 3, in which case the number field sieve [19, 43] or function field sieve [14, 1, 44] will find a discrete log in time of order L(1/3); this means that the bitlength of q^k must be comparable to that of an RSA modulus offering the same...

15 | Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method - Joux, Lercier - 2002

Citation context: ...+ 1 = 2^15474 − 2^14954 + 2^14432 + 1 is prime. Remark 6. If p is of a certain special form, then discrete logarithms can be found using a special version of the number field sieve (see, for example, [15, 22]). Then the running time for 2b-bit primes is roughly comparable to the running time of the general number field sieve for b-bit primes. For this reason it is important to avoid the special number fie...

12 | Postal revenue collection in the digital age - Pintsov, Vanstone - 2000

Citation context: ...own uses of pairings is to produce short signatures [9]. Without using pairing methods, the shortest signatures available are the ECDSA, where the length is roughly 2b_n bits, and the Pintsov–Vanstone [41] and Naccache–Stern [39] schemes, where the length is roughly 1.5b_n. The pairing-based Boneh–Lynn–Shacham signatures have length approximately equal to the bitlength of p, which is ρb_n, where ρ = log ...

7 | Discrete logarithms: the effectiveness of the index calculus method - Denny - 1996

Citation context: ...+ 1 = 2^15474 − 2^14954 + 2^14432 + 1 is prime. Remark 6. If p is of a certain special form, then discrete logarithms can be found using a special version of the number field sieve (see, for example, [15, 22]). Then the running time for 2b-bit primes is roughly comparable to the running time of the general number field sieve for b-bit primes. For this reason it is important to avoid the special number fie...

7 | On the relationship between squared pairings and plain pairings, Cryptology ePrint Archive Report 2005/112, 2005. Available from http://eprint.iacr.org/2005/112 - Kang, Park

Citation context: ... the advantage shifts to the Weil pairing is 28.8 for k = 6, 28.2 for k = 12, and 27.8 for k = 24. Thus, for those values of k we should switch to the Weil pairing at the 256-bit security level. In [24] it was noted that the (1 − p^{k/2})-th power of ê is the same as ê^2; this is because n | (p^{k/2} + 1), and so the (1 − p^{k/2})-th power of an n-th root of unity is the same as the (1 − p^{k/2} + p^{k/...

7 | The special function field sieve - Schirokauer - 2003

Citation context: ...at discrete logarithms cannot be feasibly found in the finite field F_{q^k}. In practice, q is either a prime or a power of 2 or 3, in which case the number field sieve [19, 43] or function field sieve [14, 1, 44] will find a discrete log in time of order L(1/3); this means that the bitlength of q^k must be comparable to that of an RSA modulus offering the same security. In bo...

6 | ECSTR (XTR): Elliptic Curve Singular Trace Representation, Rump Session of Crypto 2000 - Menezes, Vanstone

Citation context: ...MOV embedding would show that the problems on the curve and in the field are provably equivalent. Indeed, in special cases construction of such a homomorphism was posed as an open problem in [28] and [36]. However, in [51] Verheul dashed anyone’s hopes of ever strengthening one’s confidence in the security of pairing-based systems by constructing such a reduction. Verheul proved the following striking...

5 | An Elementary Introduction to Elliptic Curves - Charlap, Robbins - 1988

Citation context: ...d this speedup and its implications for the use of Solinas primes. 8. Efficiency Comparisons Let’s briefly recall the ingredients in pairing computations. According to Proposition 8 of [37] (see also [12]), the Weil pairing ê(P, Q) is given by the formula (−1)^n F_P(Q)/F_Q(P), P ≠ Q, in which F_P and F_Q are functions whose divisors are n(P) − n(∞) and n(Q) − n(∞), respectively. Here F_P and F_Q must ...

4 | Computing the Tate pairing, Topics - Scott - 2005

Citation context: ...hough much depends on the implementation details, it appears that for nonsupersingular curves the choice k = 2 that is recommended by some authors [46] is probably less efficient than higher values of k. We also find that for very high security levels, such as 192 or 256 bits, the Weil pairing computation is sometimes faster than the Tate pairing. E...

2 | The number field sieve for primes of low Hamming weight, in preparation - Schirokauer

Citation context: ... a modification of the special number field sieve with running time somewhere between that of the general and the special number field sieves. An analysis of such a modification is currently underway [45]. The results should shed light on the question of whether the advantages of a given Solinas prime are offset by an increased vulnerability to the number field sieve...

1 | Generating more MNT elliptic curves, Designs, Codes and Cryptography, to appear - Scott, Barreto

Citation context: ...em to yield values of n (the prime order of the basepoint) and p (the size of the prime field) that are both Solinas primes. In the literature we have found one construction, due to Scott and Barreto [48], that comes close to solving this problem at the 128-bit security level. Namely, one can apply their construction for k = 6 in §5 of [48] with x = 12Dz^2 + 1, where D is a small power of 2 and z is a ...

1 | ID-based digital signature algorithms - Solinas

Citation context: ...is the unique subgroup of order n in E(F_p). In this case the Miller operation for computing F_P(Q) in the Weil pairing is quicker than that for F_Q(P), and so has been dubbed “Miller lite” by Solinas [50]. In addition, in [4] it was pointed out that when the embedding degree k is even, the subgroup ⟨Q⟩ ⊂ E(F_{p^k}) can be chosen so that the x-coordinates of all of its points lie in the quadratic subexte...