Efficient Implementation of Pairing-Based Cryptosystems

Abstract Pairing-based cryptosystems rely on the existence of bilinear, nondegenerate, efficiently computable maps (called pairings) over certain groups. Currently, all such pairings used in practice are related to the Tate pairing on elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. In this paper we describe how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and show how to compute the Tate pairing on these groups efficiently.

[1]  Joseph H. Silverman,et al.  The arithmetic of elliptic curves , 1986, Graduate texts in mathematics.

[2]  S. J. Abbott,et al.  A classical introduction to modern number theory (2nd edition) , by Kenneth Ireland and Michael Rosen. Pp 394. DM 98. 1990. ISBN 3-540-97329-X (Springer) , 1992, The Mathematical Gazette.

[3]  Paulo S. L. M. Barreto,et al.  Efficient pairing computation on supersingular Abelian varieties , 2007, IACR Cryptol. ePrint Arch..

[4]  Antoine Joux,et al.  A One Round Protocol for Tripartite Diffie–Hellman , 2000, Journal of Cryptology.

[5]  Clifford C. Cocks An Identity Based Encryption Scheme Based on Quadratic Residues , 2001, IMACC.

[6]  Dan Boneh,et al.  Short Signatures Without Random Oracles , 2004, EUROCRYPT.

[7]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[8]  Paulo S. L. M. Barreto,et al.  Generating More MNT Elliptic Curves , 2006, Des. Codes Cryptogr..

[9]  Atsuko Miyaji,et al.  Efficient Elliptic Curve Exponentiation Using Mixed Coordinates , 1998, ASIACRYPT.

[10]  Adi Shamir,et al.  Identity-Based Cryptosystems and Signature Schemes , 1984, CRYPTO.

[11]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[12]  Nikos Tzanakis,et al.  Solving Elliptic Diophantine Equations by estimating Linear Forms in Elliptic Logarithms. The case o , 1994 .

[13]  C. Pomerance,et al.  Prime Numbers: A Computational Perspective , 2002 .

[14]  Paulo S. L. M. Barreto,et al.  On the Selection of Pairing-Friendly Groups , 2003, Selected Areas in Cryptography.

[15]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[16]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[17]  J. V. Armitage,et al.  Introduction to Number Theory , 1966 .

[18]  David Pointcheval,et al.  The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes , 2001, Public Key Cryptography.

[19]  Ben Lynn,et al.  Toward Hierarchical Identity-Based Encryption , 2002, EUROCRYPT.

[20]  Ben Lynn,et al.  Authenticated Identity-Based Encryption , 2002, IACR Cryptol. ePrint Arch..

[21]  Annegret Weng,et al.  Elliptic Curves Suitable for Pairing Based Cryptography , 2005, Des. Codes Cryptogr..

[22]  Ian F. Blake,et al.  Elliptic curves in cryptography , 1999 .

[23]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[24]  Iwan M. Duursma,et al.  Tate Pairing Implementation for Hyperelliptic Curves y2 = xp-x + d , 2003, ASIACRYPT.

[25]  Alice Silverberg,et al.  Supersingular Abelian Varieties in Cryptology , 2002, CRYPTO.

[26]  C. Diem The GHS-attack in odd characteristic , 2003 .

[27]  Douglas R. Stinson Some baby-step giant-step algorithms for the low hamming weight discrete logarithm problem , 2002, Math. Comput..

[28]  A. Miyaji,et al.  New Explicit Conditions of Elliptic Curve Traces for FR-Reduction , 2001 .

[29]  Eric R. Verheul,et al.  Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems , 2001, Journal of Cryptology.

[30]  Nigel P. Smart,et al.  High Security Pairing-Based Cryptography Revisited , 2006, ANTS.

[31]  Yael Tauman Kalai,et al.  How to Leak a Secret: Theory and Applications of Ring Signatures , 2001, Essays in Memory of Shimon Even.

[32]  Alfred Menezes,et al.  Elliptic curve public key cryptosystems , 1993, The Kluwer international series in engineering and computer science.

[33]  Steven D. Galbraith,et al.  A Cryptographic Application of Weil Descent , 1999, IMACC.

[34]  Paulo S. L. M. Barreto,et al.  Constructing Elliptic Curves with Prescribed Embedding Degrees , 2002, SCN.

[35]  Michael Rosen,et al.  A classical introduction to modern number theory , 1982, Graduate texts in mathematics.

[36]  R. Balasubramanian,et al.  The Improbability That an Elliptic Curve Has Subexponential Discrete Log Problem under the Menezes—Okamoto—Vanstone Algorithm , 1998, Journal of Cryptology.

[37]  Steven D. Galbraith,et al.  Supersingular Curves in Cryptography , 2001, ASIACRYPT.

[38]  Nigel P. Smart,et al.  The Algorithmic Resolution of Diophantine Equations: Introduction , 1998 .

[39]  William H. Press,et al.  Numerical recipes in C , 2002 .

[40]  Alfred Menezes,et al.  Pairing-Based Cryptography at High Security Levels , 2005, IMACC.

[41]  Andreas Enge,et al.  Building Curves with Arbitrary Small MOV Degree over Finite Prime Fields , 2004, Journal of Cryptology.

[42]  Hovav Shacham,et al.  Aggregate and Verifiably Encrypted Signatures from Bilinear Maps , 2003, EUROCRYPT.

[43]  Don Coppersmith,et al.  Fast evaluation of logarithms in fields of characteristic two , 1984, IEEE Trans. Inf. Theory.

[44]  David Mandell Freeman,et al.  Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10 , 2006, ANTS.

[45]  H. Niederreiter,et al.  Finite Fields: Encyclopedia of Mathematics and Its Applications. , 1997 .

[46]  Henri Cohen,et al.  A course in computational algebraic number theory , 1993, Graduate texts in mathematics.

[47]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[48]  Paulo S. L. M. Barreto,et al.  Compressed Pairings , 2004, CRYPTO.

[49]  Steven D. Galbraith,et al.  Implementing the Tate Pairing , 2002, ANTS.

[50]  Gerhard Frey,et al.  The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems , 1999, IEEE Trans. Inf. Theory.

[51]  Victor S. Miller,et al.  The Weil Pairing, and Its Efficient Calculation , 2004, Journal of Cryptology.

[52]  G. Frey,et al.  A remark concerning m -divisibility and the discrete logarithm in the divisor class group of curves , 1994 .

[53]  Antoine Joux,et al.  Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups , 2001, IACR Cryptology ePrint Archive.

[54]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[55]  Arjen K. Lenstra,et al.  The XTR Public Key System , 2000, CRYPTO.

[56]  Nigel P. Smart,et al.  Constructive and destructive facets of Weil descent on elliptic curves , 2002, Journal of Cryptology.

[57]  Paulo S. L. M. Barreto,et al.  Efficient Algorithms for Pairing-Based Cryptosystems , 2002, CRYPTO.

[58]  Frederik Vercauteren,et al.  A comparison of MNT curves and supersingular curves , 2006, Applicable Algebra in Engineering, Communication and Computing.

[59]  Alfred Menezes,et al.  Reducing elliptic curve logarithms to logarithms in a finite field , 1991, STOC '91.

[60]  Antoine Joux,et al.  The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems , 2002, ANTS.

[61]  Oliver Schirokauer,et al.  Discrete Logarithms: The Effectiveness of the Index Calculus Method , 1996, ANTS.

[62]  Dan Boneh,et al.  Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles , 2004, IACR Cryptol. ePrint Arch..

[63]  Frederik Vercauteren,et al.  The Eta Pairing Revisited , 2006, IEEE Transactions on Information Theory.

[64]  H. Coxeter,et al.  The Real Projective Plane , 1992 .