
Generalized Mersenne Numbers in Pairing-Based Cryptography

01 Jan 2006-


References
Patent
02 Oct 1992
TL;DR: In this article, the authors proposed an elliptic curve cryptosystem that uses elliptic curves defined over finite fields comprised of special classes of numbers to optimize the modulo arithmetic required in the enciphering and deciphering process.
Abstract: The present invention is an elliptic curve cryptosystem that uses elliptic curves defined over finite fields comprised of special classes of numbers. Special fast classes of numbers are used to optimize the modulo arithmetic required in the enciphering and deciphering process. The class of numbers used in the present invention is generally described by the form 2^q - C, where C is an odd number and is relatively small, for example, no longer than the length of a computer word (16-32 bits). When a number is of this form, modulo arithmetic can be accomplished using shifts and adds only, eliminating the need for costly divisions. One subset of this fast class of numbers is known as "Mersenne" primes, which are of the form 2^q - 1. Another class of numbers that can be used with the present invention are known as "Fermat" numbers, of the form 2^q + 1. The present invention is a system whose level of security is tunable: q acts as an encryption bit depth parameter, such that larger values of q provide increased security. Inversion operations normally required by elliptic curve algebra can be avoided by selecting an inversionless parameterization of the elliptic curve. Fast Fourier transform based multiply-mod operations, optimized for efficient Mersenne arithmetic, allow the calculations for very large q to proceed more quickly than with other schemes.

180 citations

Journal Article
TL;DR: This paper describes how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and shows how to compute the Tate pairing on these groups efficiently.
Abstract: Pairing-based cryptosystems rely on the existence of bilinear, nondegenerate, efficiently computable maps (called pairings) over certain groups. Currently, all such pairings used in practice are related to the Tate pairing on elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. In this paper we describe how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and show how to compute the Tate pairing on these groups efficiently.

179 citations

Journal Article
Andrew Odlyzko
01 Mar 2000
TL;DR: A brief survey of the current state of the art in discrete logs is presented.
Abstract: The first practical public key cryptosystem to be published, the Diffie–Hellman key exchange algorithm, was based on the assumption that discrete logarithms are hard to compute. This intractability hypothesis is also the foundation for the presumed security of a variety of other public key schemes. While there have been substantial advances in discrete log algorithms in the last two decades, in general the discrete log still appears to be hard, especially for some groups, such as those from elliptic curves. Unfortunately no proofs of hardness are available in this area, so it is necessary to rely on experience and intuition in judging what parameters to use for cryptosystems. This paper presents a brief survey of the current state of the art in discrete logs.

173 citations

Proceedings Article
02 Nov 1994
TL;DR: A simple new method of parallelizing collision searches that greatly extends the reach of practical attacks is presented, and ideas from Pollard's rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method.
Abstract: Current techniques for collision search with feasible memory requirements involve pseudo-random walks through some space where one must wait for the result of the current step before the next step can begin. These techniques are serial in nature, and direct parallelization is inefficient. We present a simple new method of parallelizing collision searches that greatly extends the reach of practical attacks. The new method is illustrated with applications to hash functions and discrete logarithms in cyclic groups. In the case of hash functions, we begin with two messages; the first is a message that we want our target to digitally sign, and the second is a message that the target is willing to sign. Using collision search adapted for hashing collisions, one can find slightly altered versions of these messages such that the two new messages give the same hash result. As a particular example, a $10 million custom machine for applying parallel collision search to the MD5 hash function could complete an attack with an expected run time of 24 days. This machine would be specific to MD5, but could be used for any pair of messages. For discrete logarithms in cyclic groups, ideas from Pollard's rho and lambda methods for index computation are combined to allow efficient parallel implementation using the new method. As a concrete example, we consider an elliptic curve cryptosystem over GF(2^155) with the order of the curve having largest prime factor of approximate size 10^36. A $10 million machine custom built for this finite field could compute a discrete logarithm with an expected run time of 36 days.

159 citations

Book Chapter
Ueli Maurer, Stefan Wolf
18 Aug 1996
TL;DR: Several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G are derived which extend former results by den Boer and Maurer.
Abstract: This paper consists of three parts. First, various types of Diffie-Hellman oracles for a cyclic group G and subgroups of G are defined and their equivalence is proved. In particular, the security of using a subgroup of G instead of G in the Diffie-Hellman protocol is investigated. Second, we derive several new conditions for the polynomial-time equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms in G which extend former results by den Boer and Maurer. Finally, efficient constructions of Diffie-Hellman groups with provable equivalence are described.

146 citations