Fast Bilinear Maps from the Tate-Lichtenbaum Pairing on Hyperelliptic Curves

Pairings on elliptic curves recently obtained a lot of attention not only as a means to attack curve based cryptography but also as a building block for cryptosystems with special properties like short signatures or identity based encryption. In this paper we consider the Tate pairing on hyperelliptic curves of genus g. We give mathematically sound arguments why it is possible to use particular representatives of the involved residue classes in the second argument that allow to compute the pairing much faster, where the speed-up grows with the size of g. Since the curve arithmetic takes about the same time for small g and constant group size, this implies that g>1 offers advantages for implementations. We give two examples of how to apply the modified setting in pairing based protocols such that all parties profit from the idea. We stress that our results apply also to non-supersingular curves, e. g. those constructed by complex multiplication, and do not need distortion maps. They are also applicable if the co-factor is nontrivial.

[1]  A. Miyaji,et al.  New Explicit Conditions of Elliptic Curve Traces for FR-Reduction , 2001 .

[2]  Paulo S. L. M. Barreto,et al.  Efficient pairing computation on supersingular Abelian varieties , 2007, IACR Cryptol. ePrint Arch..

[3]  Kristin E. Lauter,et al.  Improved Weil and Tate Pairings for Elliptic and Hyperelliptic Curves , 2004, ANTS.

[4]  Ian F. Blake,et al.  Refinements of Miller's algorithm for computing the Weil/Tate pairing , 2006, J. Algorithms.

[5]  Moti Yung,et al.  Advances in Cryptology — CRYPTO 2002 , 2002, Lecture Notes in Computer Science.

[6]  Christof Paar,et al.  Cryptographic Hardware and Embedded Systems - CHES 2003 , 2003, Lecture Notes in Computer Science.

[7]  Ian F. Blake,et al.  Elliptic curves in cryptography , 1999 .

[8]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[9]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[10]  Paulo S. L. M. Barreto,et al.  Pairing-Friendly Elliptic Curves of Prime Order , 2005, Selected Areas in Cryptography.

[11]  Tanja Lange,et al.  MATHEMATICAL BACKGROUND OF PUBLIC KEY CRYPTOGRAPHY , 2005 .

[12]  D. Cantor Computing in the Jacobian of a hyperelliptic curve , 1987 .

[13]  Marc Joye,et al.  Topics in Cryptology — CT-RSA 2003 , 2003 .

[14]  Jongin Lim,et al.  Information Security and Cryptology - ICISC 2003 , 2003, Lecture Notes in Computer Science.

[15]  Henning Stichtenoth,et al.  Algebraic function fields and codes , 1993, Universitext.

[16]  Arto Salomaa,et al.  Public-Key Cryptography , 1991, EATCS Monographs on Theoretical Computer Science.

[17]  Christof Paar,et al.  Hyperelliptic Curve Cryptosystems: Closing the Performance Gap to Elliptic Curves , 2003, CHES.

[18]  Paulo S. L. M. Barreto,et al.  Constructing Elliptic Curves with Prescribed Embedding Degrees , 2002, SCN.

[19]  Tanja Lange,et al.  Formulae for Arithmetic on Genus 2 Hyperelliptic Curves , 2005, Applicable Algebra in Engineering, Communication and Computing.

[20]  Tsuyoshi Takagi,et al.  Novel Efficient Implementations of Hyperelliptic Curve Cryptosystems Using Degenerate Divisors , 2004, WISA.

[21]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[22]  Nicolas Thériault,et al.  A double large prime variation for small genus hyperelliptic index calculus , 2004, Math. Comput..

[23]  Chae Hoon Lim,et al.  Information Security and Cryptology — ICISC 2002 , 2003, Lecture Notes in Computer Science.

[24]  Tsuyoshi Takagi,et al.  Efficient Computations of the Tate Pairingfor the Large MOV Degrees , 2002, ICISC.

[25]  Kristin E. Lauter,et al.  Fast Elliptic Curve Arithmetic and Improved Weil Pairing Evaluation , 2003, CT-RSA.

[26]  Neal Koblitz,et al.  Hyperelliptic cryptosystems , 1989, Journal of Cryptology.

[27]  Thomas Wollinger,et al.  Software and hardware implementation of hyperelliptic curve cryptosystems , 2004 .

[28]  Nigel P. Smart,et al.  Advances in Elliptic Curve Cryptography (London Mathematical Society Lecture Note Series) , 2005 .

[29]  Dino J. Lorenzini An Invitation to Arithmetic Geometry , 1996 .

[30]  Antoine Joux A One Round Protocol for Tripartite Diffie-Hellman , 2000, ANTS.

[31]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[32]  Andreas Enge,et al.  Building Curves with Arbitrary Small MOV Degree over Finite Prime Fields , 2004, Journal of Cryptology.

[33]  Colin Stahlke Point Compression on Jacobians of Hyperelliptic Curves over Fq , 2004, IACR Cryptol. ePrint Arch..

[34]  Jeffrey Shallit,et al.  Algorithmic Number Theory , 1996, Lecture Notes in Computer Science.

[35]  Steven D. Galbraith,et al.  Supersingular Curves in Cryptography , 2001, ASIACRYPT.

[36]  Hans-Georg Rück,et al.  On the discrete logarithm in the divisor class group of curves , 1999, Math. Comput..

[37]  Gerhard Frey,et al.  The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems , 1999, IEEE Trans. Inf. Theory.

[38]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[39]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[40]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[41]  Gadiel Seroussi,et al.  Two Topics in Hyperelliptic Cryptography , 2001, Selected Areas in Cryptography.

[42]  YoungJu Choie,et al.  Implementation of Tate Pairing on Hyperelliptic Curves of Genus 2 , 2003, ICISC.

[43]  Iwan M. Duursma,et al.  Tate-pairing implementations for tripartite key agreement , 2003, IACR Cryptol. ePrint Arch..

[44]  Steven D. Galbraith,et al.  Implementing the Tate Pairing , 2002, ANTS.

[45]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.