Scaling security in pairing-based protocols

In number-theoretic cryptography there is always the problem of scaling up security to a higher level. This usually means increasing the size of the modulus from, say, 1024 bits to 2048 bits. In pairing-based cryptography, however, another option is available: keeping the modulus constant and increasing the embedding degree instead. This has a big potential advantage in smart-card and embedded applications – security can be scaled up while continuing to use the same-sized calculations. For example, a cryptographic co-processor which does 512-bit modular multiplications can be directly re-used in the higher security setting. Here we investigate the scaling-up issue in the context of prime characteristic non-supersingular elliptic curves. We also confirm that under certain circumstances at higher levels of security a slightly modified Weil pairing may become more efficient than the Tate pairing.
