Steven D. Galbraith. Supersingular curves in cryptography. In Advances in cryptology--- ASIACRYPT 2001 (Gold Coast), volume 2248 of Lecture Notes in Comput. Sci., pages 495--513. Springer, Berlin, 2001.
....1.4 Implementation and Applications of CL PKC Our presentation of CL PKC schemes will be at a fairly abstract level, in terms of bilinear maps on groups. However, the concrete realization of these schemes using pairings on elliptic curves is now becoming comparatively routine, after the work of [2, 3, 6, 7, 9, 15, 17, 18] on implementation of pairings and selection of curves with suitable properties. All the schemes we present use a small number of pairing calculations for each cryptographic operation, and some of these can usually be eliminated when repeated operations involving the same identities take place. ....
....for any a, b Z q , we have e(aQ, bW ) e(Q, W ) ab = e(abQ, W ) etc. 2. The map e is non degenerate: e(P, P ) G 2 . 3. The map e is efficiently computable. Typically, the map e will be derived from either the Weil or Tate pairing on an elliptic curve over a finite field. We refer to [2, 3, 6, 7, 9, 15, 17, 18] for a more comprehensive description of how these groups, pairings and other parameters should be selected in practice for efficiency and security. We note that all our schemes can be adapted to the situation where two different groups are involved on the left hand side of the pairing map. This ....
S.D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Proceedings of AsiaCrypt 2001.
....estimated theoretical results shows that genus 3 curves needed three times as many bit operations as elliptic curves. We want to point out that this publication used supersingular curves and curves of genus higher than 4 which today are believed to be insecure due to the attacks presented in [FR94,Gau00,Gal01]. In the following years further analyses of the complexity of HECC were published. A theoretical analysis of the computational efficiency of the arithmetic on hyperelliptic curves is derived in [Eng99] In [SS00] the authors implemented hyperelliptic curve cryptosystems and analyzed the complexity ....
.... in [Eng99] In [SS00] the authors implemented hyperelliptic curve cryptosystems and analyzed the complexity of the group law on Jacobians JC (F p ) and JC (F 2 n ) Moreover, they verified their theoretical complexity estimates with a HECC implementation and with the theoretical analysis [Gal01] gives some arguments against using supersingular hyperelliptic curves in cryptographic applications. done by Enge in [Eng99] More recent papers present timings for HECC using explicit formulae and compared HECC to ECC [Lan02a] However, these comparisons were based on the implementation ....
S.D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology | ASIACRYPT 2001, pages 495-517, 2001. LNCS 2248.
....field operations for the execution of the group operations. As a result of this analysis, curves of the form y y = f(x) over extension fields of characteristic two turn out to be ideal. Unfortunately this kind of curve is supersingular and therefore not suited for use in cryptography [Gau00,Gal01,SZ02] Thus, we propose to use HEC of the form y xy = f(x) over F 2 n , which seem to be the best choice without any security limitations. With these curves, we can save 12 multiplications in the case of the group addition and 118 multiplications for the group doubling. The following ....
S.D. Galbraith. Supersingular Curves in Cryptography. In Advances in Cryptology | ASIACRYPT 2001, pages 495-517, 2001. LNCS 2248.
....estimated theoretical results shows that genus 3 curves needed three times as many bit operations as elliptic curves. We want to point out that this publication used supersingular curves and curves of genus higher than 4 which today are believed to be insecure due to the attacks presented in [FR94,Gau00a,Gal01]. Table 1. Speeding up group operations on hyperelliptic curves of genus two. field curve cost characteristic properties addition doubling Cantor [Nag00] general 3I 70M S 3I 76M S Nagao [Nag00] odd h(x) 0, f i Harley [Har00] odd h(x) 0 2I 27M S 2I 30M S Matsuo et al. MCT01] ....
....and compares HECC and ECC in terms of processor instructions, such as shift and XOR operations. Hence, this comparison is processor independent and can be adapted to any platform. HECC Implementations Since HEC cryptosystems were proposed, there have been several software implementations on [Gal01] gives some arguments against using supersingular hyperelliptic curves in cryptographic applications. mixed addition general purpose machines and, only recently, publications dealing with hardware implementations of HECC. To our knowledge there has not been any work dealing with the ....
S.D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology --- ASIACRYPT 2001, pages 495--517, 2001. LNCS 2248.
....positive integer such that the Tate pairing can map JacFq(A) into q. We will call this ; the c bW cS of A( q) Since we want the security parameter to be the ratio between the length of the representation of an element of G2 and the length of the representation of an element of G1. Galbraith [22] and Rubin and Silverberg [46] studied the problem of finding an upper bound on the embedding degree of supersingular abelian varieties. Precise upper bounds on the embedding degree of supersingular abelian varieties were found in [46] and are given in Table 6.4 for all possible defining fields q ....
S. Galbraith. Supersingular Curves in Cryptography, Proceedings of Asi- acrypt 2001.
....in the quadratic extension field, so the transformed point lies on the same curve defined over F q 2 . Now consider the following bilinear mapping: e r [P; Q] e r [P; Q) where P and Q are points of order r on the curve, 2 F p 2 is of order r, and e r [P; Q] is the Tate Pairing [5]. We will refer to the function e r [P; Q] as the distorted Tate pairing. Under these circumstances the distorted Tate pairing will produce a non trivial result ( e r [P; Q] ≠ 1) It can also be efficiently calculated [1] This function has several interesting properties: Bilinearity) e r ....
....there is no known bilinear pairing between points in the same sub group that yields a non trivial result. This implies a setting where the conventional Tate pairing satisfies e r [P; P ] 1 and where no distortion map exists. This will be the case for non supersingular curves where k 1. See [5] section 2.4. The first step then is to find a non supersingular elliptic curve with low k value, and for which no distortion map exists. We assume here that such a curve may be found using the methods of [12] or [2] Such curves provably do not support a distortion map [14, theorem 4.1] In ....
S. Galbraith, \Supersingular curves in cryptography," Proceedings of Asiacrypt '2001, to appear.
....denotes a subgroup of the multiplicative group of a finite field. A pairing is a computable bilinear map between these two groups. Two pairings have been studied for cryptographic use. They are Weil pairing ref to [MOV93, Si94] and a modified version ref to [BF01] and Tate pairing ref to [FMR99, Ga01]. For the purposes of this paper, we let 8 denote a general bilinear map, i.e. 8: G x G G2, which can be either a modified Weil pairing or a Tate pairing. A Diffie Hellman (DH) tuple in G is (P, xP, yP, zP) G for some x, y, z q satisfying z = xy mod q. Computational Diffie Hellman (CDH) ....
Galbraith S.. Supersingular curves in cryptography. In Advances in Cryptology - Asiacrypt' el, LNCS 2248, pages 495-513, Springer-Verlag, 2001.
.... The correctness of these results is easily proved by multiplying a random divisor with the given group order and verifying that the result is principal, i.e. is the zero element in the Jacobian J e C (F q ) It is clear that the given curves are non supersingular, since the coefficient a g is odd [11]. Furthermore, all curves withstand the MOV FR attack [10, 21] 22 83 the random hyperelliptic curve C 2 of genus 2 defined by h0 = 7FF29B08993336B479CD2 h1 = 32C101713C722F8FB5BC9 h2 = 553E16B6A3BC6B2432CA8 f0 = 7AD44882C02B9743CD58B f1 = 327254FA330B44958262A f2 = ....
S. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 495-513, 2001.
....aQ for Q added to itself a times, also called scalar multiplication of Q by a. As a consequence of bi linearity, we have that, for any Q; W 2 G 1 and a; b 2 Z q : e(aQ; bW ) e(Q; W ) e(abQ; W ) a fact that will be used repeatedly in the sequel without comment. We refer to [2, 8, 9, 19, 20] for a more comprehensive description of how these groups, pairings and other parameters should be selected in practice for efficiency and security. We simply assume in what follows that suitable groups G 1 and G 2 , a map e and an element P 2 G 1 have been chosen, and that elements of G 1 and G 2 ....
....Diffie-Hellman problems in either G 1 or G 2 . The reverse relationship is not known. Typically then, one chooses parameters so that G 1 , a subgroup of the group of points on an elliptic curve, has around 2 160 elements and so that G 2 is a subgroup of F r where r has roughly 1024 bits. See [8, 19] for details. 3.3 Man in the Middle Attack on Joux's Protocol Just like the unauthenticated two party Diffie-Hellman protocol, Joux's protocol is subject to a classic man in the middle attack. Suppose an adversary D is capable of intercepting A's communications with B and C, impersonating A to ....
S.D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Proceedings of AsiaCrypt
.... have a non F q rational map # : E # E, then G = E(F q ) #] is a group admitting an efficiently computable non degenerated bilinear map e : G G # F # q # , which is defined by e(P, Q) e(P, #(Q) e is called a modified Weil pairing in [BF01] The Tate pairing has similar properties (see [Gal01] for more details) DDHP in G can be solved using these pairings. In many cases, it is believed that CDHP is hard, i.e. G is a GDH group. We summarize well known classes of elliptic curves which may contain a GDH group in Table 1. Since the pairing computation becomes inefficient as the exponent # ....
....a special form for supersingular elliptic curves. But certain curves are supersingular over almost half of primes (called a CM curve) We have two well known families that were suggested in [BF01] A detailed discussion on the curves in Table 1 except the first and the last ones can be found in [Gal01]. 4.2 Hash Functions We used cryptographic hash functions H 1 and H 2 in our scheme and viewed them as random oracles in the security proof. Though it is a debating issue if currently used cryptographic hash functions can be considered as random oracles, standard cryptographic hash functions onto ....
S. Galbraith, Supersingular curves in cryptography, Proc. of Asiacrypt '01, Lecture Notes in Computer Sciences, Vol. 2248, pp. 495-513, Springer-Verlag, 2001.
....protocol based on the Weil pairing on supersingular curves. Since Joux's paper a number of other applications have arisen, including an identity based encryption scheme [3] a general signature algorithm [4] The extension to higher genus curves has also recently been fully explored in [7]. This new work has resulted in a rekindling of cryptographic interest in supersingular elliptic curves. Although most of the literature discusses these schemes in terms of the Weil pairing, it turns out that it is far more efficient to use the Tate pairing as we shall explain. In [13] an identity ....
S. D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology - ASIACRYPT
.... The recent discovery [8] of groups where the Decision Diffie-Hellman (DDH) problem is easy while the Computational Diffie-Hellman (CDH) problem is hard, and the subsequent definition of a new class of problems variously called the Gap Diffie-Hellman [8] Bilinear Diffie-Hellman [2] or Tate Diffie-Hellman [6] class, has given rise to the development of several new cryptosystems based on pairings: Boneh Lynn Shacham [3] BLS) short signatures. Boneh Franklin identity based encryption [2] Smart's identity based authenticated key agreement protocol [21] Identity based signatures schemes [17, ....
.... encryption [2] Smart's identity based authenticated key agreement protocol [21] Identity based signatures schemes [17, 19] The growing interest in this area, which relies on the use of supersingular elliptic curves, has led to new analyses of the associated security properties [6, 18], as well as to extensions to more general (e.g. hyperelliptic and superelliptic) algebraic curves [6] However, a central operation in these systems is computing a bilinear pairing (e.g. the Weil or the Tate pairing) which are computationally expensive. Moreover, it is often the case that ....
S. Galbraith, \Supersingular curves in cryptography," Proceedings of Asiacrypt '2001, to appear.
....points on an elliptic curve over a finite field, G 2 will be a subgroup of the multiplicative group of a related finite field and the map e will be derived from the Weil or Tate pairing on the elliptic curve. We also assume that an element P 2 G 1 satisfying e(P; P ) ≠ 1G2 is known. We refer to [2, 6] for a fuller description of how these groups, maps and other parameters should be selected in practice for efficiency and security. We let ID be a string denoting the identity of a user and H 1 , H 2 and H 3 be public cryptographic hash functions. We require H 1 : f0; 1g G 1 , H 2 : f0; 1g ....
S.D. Galbraith, \Supersingular curves in cryptography," in Proc. AsiaCrypt
....Diffie-Hellman protocol based on the Weil pairing on supersingular curves. Since Joux's paper a number of other applications have arisen, including an identity based encryption scheme [1] and a signature algorithm [2] The extension to higher genus curves has also recently been fully explored in [5]. 3. The AK and AKC Protocols Suppose we have a subgroup G of an elliptic curve for which the modified Weil pairing e maps into the finite field F q k . We assume that q k is large enough to make solving discrete logarithms in the finite field infeasible and we assume that the elliptic ....
S.D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology - ASIACRYPT
....[1] and short signatures [2] it is important to have simple abelian varieties with security parameters that are neither too small nor too large. Simple supersingular abelian varieties are natural candidates for these applications. This paper gives improvements on the upper bounds of Galbraith [6] for the security parameters of simple supersingular abelian varieties, and constructs several families of curves whose jacobians achieve these upper bounds. 1. Introduction Abelian varieties are higher dimensional generalizations of elliptic curves (elliptic curves are the one dimensional ....
....of elliptic curves (elliptic curves are the one dimensional abelian varieties) Supersingular abelian varieties are a very special class of abelian varieties. Supersingular abelian varieties are bad for some purposes [9, 5, 4] However, for some recent interesting cryptographic applications [11, 7, 1, 2, 14, 6], supersingular abelian varieties turn out to be very good. This paper gives families of examples of the best supersingular abelian varieties to use in these cryptographic applications, and gives strong upper bounds on how good supersingular abelian varieties can be for use in cryptography. The ....
S. Galbraith, Supersingular curves in cryptography, in Advances in Cryptology --- Asiacrypt
....the assumption that no adversary (t; breaks the co Computational Diffie-Hellman problem. The challenge, therefore, is to construct elliptic curves with larger values of , say = 10. It is currently an open problem to build a family of elliptic curves with security multiplier = 10. Galbraith [8] constructs supersingular curves of higher genus with a large security multiplier. For example, the supersingular curve y 2 y = x 5 x 3 has security multiplier 12 over F 2 l . Since a point on the Jacobian of this curve of genus two is characterized by two values in F 2 l (the two ....
S. Galbraith. Supersingular curves in cryptography. In Proceedings of Asiacrypt '2001, LNCS. Springer-Verlag, 2001.
....and Observations Tate pairing and other curves. Our IBE system has some flexibility in terms of the curves being used and the definition of the pairing. For example, one could use the curve y 2 = x 3 x with its endomorphism : x; y) x; iy) where i 2 = 1. As another example, Galbraith [15] suggests using special supersingular elliptic curves over a field of small characteristic to reduce the ciphertext size in our system. We also note that both encryption and decryption in FullIdent can be made faster by using the Tate pairing on elliptic curves rather than the Weil pairing. In ....
S. Galbraith, \Supersingular curves in cryptography", in proc. of Asiacrypt '2001.
No context found.
S. D. Galbraith, Supersingular curves in cryptography, in C. Boyd (ed.) ASIACRYPT 2001, Springer LNCS 2248 (2001) 495-513.
....the smallest positive integer such that p 1 (mod l) In this paper we consider a non degenerate bilinear pairing e : G 1 G 2 G F where G 1 , G 2 and G are cyclic groups of order l. Such a pairing can be obtained from the Weil or Tate pairings on elliptic curves or abelian varieties [9, 10, 17, 18, 21 23, 28]. One implementation of such a pairing which has G 1 = G 2 (given by Verheul [28] is to take a supersingular elliptic curve E over F p such that lk#E(F p ) and such that E has a suitable distortion map (which is a non F p rational endomorphism on E) Let G 1 = G 2 be the unique subgroup of ....
S. D. Galbraith, `Supersingular curves in cryptography', Proc. Asiacrypt'
....of [11] The original elliptic curve E over F q g has PE (T ) T 2 aT q n (with jaj 2 p q g ) and so, by Proposition 3.1, the abelian variety A has char poly PA (T ) T 2g aT g q g . If E is non supersingular then a is coprime to q and so A is also non supersingular (see [7]) In the construction of [11] we have Jac(C) isogenous to A and so it has the same polynomial P (T ) This proves the following result. 5 Proposition 3.3. Let g 2 f2; 3g and let q be a power of 2. Then constructive Weil descent as in [11] produces at most 2 p q g isogeny classes of Jacobian ....
....model over F q with a single point at infinity then at least one of a 1 or a 2 is even. If all hyperelliptic models of C over F q have two points at infinity then both a 1 and a 2 are odd. Proof. Note that the method of proof of this Lemma is similar to that used in the proof of Lemma 9. 1 of [7]) Let C have equation y 2 h(x)y = f(x) where deg h(x) 3 and deg f(x) 6. Then for each point (x 0 ; y 0 ) on C there is the conjugate under the hyperelliptic involution given by (x 0 ; y 0 h(x 0 ) The fixed points of the hyperelliptic involution arise from the solutions to h(x) 0. The ....
S. D. Galbraith, Supersingular curves in cryptography, Preprint (2000)
No context found.
Steven D. Galbraith. Supersingular curves in cryptography. In Advances in cryptology--- ASIACRYPT 2001 (Gold Coast), volume 2248 of Lecture Notes in Comput. Sci., pages 495--513. Springer, Berlin, 2001.
No context found.
S. D. Galbraith. Supersingular curves in cryptography. In ASIACRYPT, vol. 2248 of LNCS, pp. 495--513, 2001.
No context found.
Steven D. Galbraith. Supersingular curves in cryptography. In Colin Boyd, editor, Advances in Cryptology -- ASIACRYPT '01, volume 2248 of LNCS, pages 495--513, 2001.
No context found.
Steven D. Galbraith. Supersingular curves in cryptography. Lecture Notes in Computer Science, 2248:495-513, 2001.
No context found.
S. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology -- Asiacrypt' 01 , LNCS 2248, pp. 495-513, Springer-Verlag, 2001.
No context found.
S. G. Galbraith, Supersingular Curves in Cryptography, Advances in Cryptology -- ASIACRYPT
No context found.
S. Galbraith, Supersingular curves in Cryptography, in C. Boyd (ed.) ASIACRYPT 2001, Springer LNCS 2248 (2001) 495--513.
No context found.
S. Galbraith. Supersingular curves in cryptography, in Advances in Cryptology Asiacrypt 2001.
No context found.
S. Galbraith, \Supersingular curves in cryptography," Proceedings of Asiacrypt'2001, to appear.
No context found.
S. D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology, Proceedings Asiacrypt 2001.
No context found.
S. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology -- ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pp. 495--513, 2001.
No context found.
S. D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology, Proceedings Asiacrypt 2001.
No context found.
S. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 495--513, 2001.
No context found.
S.D. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Proceedings of AsiaCrypt 2001.
No context found.
S.D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptography -- AsiaCrypt - 2001, Springer-Verlag LNCS 2248, 495--513, 2001.
No context found.
S. Galbraith, Supersingular curves in cryptography, in Advances in Cryptology | Asiacrypt
No context found.
S. Galbraith. Supersingular Curves in Cryptography. In Advances in Cryptology (ASIACRYPT 2001), Springer LNCS 2248, 495-513, 2001.
No context found.
S. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Proceedings of Asiacrypt '2001.
No context found.
S. Galbraith. Supersingular curves in cryptography. In C. Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 495-513, 2001.
No context found.
S. Galbraith. Supersingular Curves in Cryptography. In C. Boyd, editor, Proceedings of Asiacrypt 2001.
No context found.
S. D. Galbraith. Supersingular curves in cryptography. In Advances in Cryptology - ASIACRYPT 2001, Springer-Verlag LNCS 2248, 495-513, 2001.