## CryptoDB

### Michael Scott

#### Publications

Year
Venue
Title
2015
EPRINT
2015
PKC
2011
JOFC
2010
PKC
2010
JOFC
2009
EPRINT
In this paper we show an efficient implementation if the Tate, ate, and R-ate pairings in magma. This will be demostrated by using the KSS curves with embedding degree k=18
2009
EUROCRYPT
2008
EPRINT
We present efficiently computable homomorphisms of the groups $G_2$ and $G_T$ for pairings $G_1 \times G_2 \rightarrow G_T$. This allows exponentiation in $G_2$ and $G_T$ to be accelerated using the Gallant-Lambert-Vanstone method.
2008
EPRINT
Efficiently computable homomorphisms allow elliptic curve point multiplication to be accelerated using the Gallant-Lambert-Vanstone (GLV) method. We extend results of Iijima, Matsuo, Chao and Tsujii which give such homomorphisms for a large class of elliptic curves by working over quadratic extensions and demonstrate that these results can be applied to the GLV method. Our implementation runs in between 0.70 and 0.84 the time of the previous best methods for elliptic curve point multiplication on curves without small class number complex multiplication. Further speedups are possible when using more special curves.
2008
EPRINT
When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order $r$ involved in the pairing. Of these $G_1$ is a group of points on the base field $E(\F_p)$ and $G_2$ is instantiated as a group of points with coordinates on some extension field, over a twisted curve $E'(\F_{p^d})$, where $d$ divides the embedding degree $k$. While hashing to $G_1$ is relatively easy, hashing to $G_2$ has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on $G_2$ which exploits an efficiently computable homomorphism.
2007
EPRINT
Recently the major performance chip manufacturers have turned to multi-core technology as a more cost effective alternative to ever increasing clock speeds. IBM have introduced the Cell Broadband Engine (Cell) as their next generation CPU to feed the insatiable appetite modern multimedia and number crunching applications have for processing power. The Cell is the technology at the heart of Sonys Playstation 3. The Cell contains a number of specialist synergistic processor units (SPUs) optimised for multimedia processing and offer a rich programming interface to applications that can make use of the vector processing capabilities. Multiprecision number manipulation for use in cryptography is one such application. This paper explores the implementation and performance gains when using these capabilities for SSL.
2007
EPRINT
The irreducible polynomials recommended for use by multiple standards documents are in fact far from optimal on many platforms. Specifically they are suboptimal in terms of performance, for the computation of field square roots and in the application of the almost inverse'' field inversion algorithm. In this paper we question the need for the standardisation of irreducible polynomials in the first place, and derive the best'' polynomials to use depending on the underlying processor architecture. Surprisingly it turns out that a trinomial polynomial is in many cases not necessarily the best choice. Finally we make some specific recommendations for some particular types of architecture.
2007
EPRINT
In this paper we recall the hybrid method of Gura et al. for multi-precision multiplication which is an improvement on the basic Comba method and which exploits the increased number of registers available on modern architectures in order to avoid duplicated loads from memory. We then show how to improve and generalise the method for application across a wide range of processor types, setting some new records in the process.
2007
EPRINT
In this paper we describe an efficient implementation of the Tate and Ate pairings using Barreto-Naehrig pairing-friendly curves, on both a standard 32-bit PC and on a 32-bit smartcard. First we introduce a sub-family of such curves with a particularly simple representation. Next we consider the issues that arise in the efficient implementation of field arithmetic in $\F_{p^{12}}$, which is crucial to good performance. Various optimisations are suggested, including a novel approach to the final exponentiation', which is faster and requires less memory than the methods previously recommended.
2007
EPRINT
We describe a new method for constructing Brezing-Weng-like pairing-friendly elliptic curves. The new construction uses the minimal polynomials of elements in a cyclotomic field. Using this new construction we present new `record breaking'' families of pairing-friendly curves with embedding degrees of $k \in \{16,18,36,40\}$, and some interesting new constructions for the cases $k \in \{8,32\}$
2006
CHES
2006
EPRINT
In this paper we describe how to efficiently implement pairing calculation on supersingular genus~2 curves over prime fields. We find that pairing calculation on supersingular genus~2 curves over prime fields is efficient and a viable candidate for practical implementation. We also show how to eliminate divisions in an efficient manner when computing the Tate pairing, and how this algorithm is useful for curves of genus greater than one.
2006
EPRINT
Pairings on elliptic curves are fast coming of age as cryptographic primitives for deployment in new security applications, particularly in the context of implementations of Identity-Based Encryption (IBE). In this paper we describe the implementation of various pairings on a contemporary 32-bit smart-card, the Philips Hi{P}er{S}mart\texttrademark , an instantiation of the MIPS-32 based Smart{MIPS}\texttrademark architecture. Three types of pairing are considered, first the standard Tate pairing on a nonsupersingular curve $E(\F_p)$, second the Ate pairing, also on a nonsupersingular curve $E(\F_p)$, and finally the $\eta_T$ pairing on a supersingular curve $E(\F_{2^m})$. We demonstrate that pairings can be calculated as efficiently as classic cryptographic primitives on this architecture, with a calculation time of as little as 0.15 seconds.
2006
EPRINT
We present an investigation into the security of three practical pairing algorithms; the Tate, Eta and Ate pairing, in terms of side channel vulnerability. These three algorithms have recently shown to be efficiently computable on the resource constrained smart card, yet no in depth side channel analysis has yet appeared in the literature. Since the secret parameter input to the pairing can potentially be entered in either of the two possible positions, there exist two avenues of attack, i.e. e(P,Q) or e(Q,P) where P is public and Q is private. We analyse the core operations fundamental to pairings and not only highlight how each implementation may potentially succumb to a side channel attack, but also show how one path is more susceptible than the other in Tate and Ate. For those who wish to deploy pairing based systems we make a simple suggestion to improve resistance to side channel attacks.
2006
EPRINT
Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairing-based cryptographic systems. Such "pairing-friendly" curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.
2006
EPRINT
Pairing-friendly fields are finite fields that are suitable for the implementation of cryptographic bilinear pairings. In this paper we review multiplication and squaring methods for pairing-friendly fields $\fpk$ with $k \in \{2,3,4,6\}$. For composite $k$, we consider every possible towering construction. We compare the methods to determine which is most efficient based on the number of basic $\fp$ operations, as well as the best constructions for these finite extension fields. We also present experimental results for every method.
2005
EPRINT
In this paper we describe a simple protocol for securely delegating elliptic-curve pairings. A computationally limited device (typically a smart-card) will delegate the computation of the pairing e(A,B) to a more powerful device (for example a PC), in such a way that: 1. the powerful device learns nothing about the points being paired (A and B), nor about the pairing?s result e(A,B), 2. and the limited device is able to detect when the powerful device is cheating. We also describe more efficient variants of our protocol when one of the points or both are already known, and further efficiency gains when constant points are used.
2005
EPRINT
The $\eta$ pairing is an efficient computation technique based on a generalization of the Duursma Lee method for calculating the Tate pairing. The pairing can be computed very efficiently on genus 2 hyperelliptic curves. In this paper it is demonstrated that this pairing operation is well suited to a dedicated parallel hardware implementation. An $\eta$ pairing processor is described in detail and the architectures required for such a system are discussed. Prototype implementation results are presented over a base field of $\mathbb{F}_{2^{103}}$ and the advantages of implementing the pairing on the dedicated processor are discussed.
2005
EPRINT
In number theoretic cryptography there is always the problem of scaling-up security to a higher level. This usually means increasing the size of the modulus, from, say 1024 bits to 2048 bits. In pairing-based cryptography however another option is available, keeping the modulus constant and increasing instead the embedding degree. This has a big potential advantage in smart-card and embedded applications -- security can be scaled up while continuing to use the same sized calculations. For example a cryptographic co-processor which does 512-bit modular multiplications can be directly re-used in the higher security setting. Here we investigate the scaling-up issue in the context of prime characteristic non-supersingular elliptic curves. We also confirm the observation that at higher levels of security a slightly modified Weil pairing becomes more efficient than the Tate pairing.
2005
EPRINT
The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper \cite{boneh-franklin} they give details of how their scheme might be implemented in practise on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is -- which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone \cite{gallant-lambert-vanstone} we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin, provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves of prime characteristic) for contemporary levels of security. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.
2005
EPRINT
In a recent letter, Cui, Duan and Chan propose a generalisation of the Scott-Barreto method to build a larger family of MNT curves, and they claim that their proposal is also applicable to other curve construction methods. Here we show that the Cui-Duan-Chan technique is irrecoverably flawed.
2004
CRYPTO
2004
EPRINT
In a paper recently published in the ACM Operating Systems Review, Kim, Lee and Yoo \cite{kim-lee-yoo} describe two ID-based password authentication schemes for logging onto a remote network server using smart cards, passwords and fingerprints. Various claims are made regarding the security of the schemes, but no proof is offered. Here we show how a passive eavesdropper, without access to any smart card, password or fingerprint, and after passively eavesdropping only one legitimate log-on, can subsequently log-on to the server claiming any identity.
2004
EPRINT
Pairing-based cryptosystems rely on bilinear non-degenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.
2004
EPRINT
In their seminal paper, Miyaji, Nakabayashi and Takano~\cite{miyaji-nakabayashi-takano} describe a simple method for the creation of elliptic curves of prime order with embedding degree 3, 4, or 6. Such curves are important for the realisation of pairing-based cryptosystems on ordinary (non-supersingular) elliptic curves. We provide an alternative derivation of their results, and extend them to allow for the generation of many more suitable curves.
2004
EPRINT
We present a general technique for the efficient computation of pairings on supersingular Abelian varieties. This formulation, which we call the eta pairing, generalises results of Duursma and Lee for computing the Tate pairing on supersingular elliptic curves in characteristic three. We then show how our general technique leads to a new algorithm which is about twice as fast as the Duursma-Lee method. These ideas are then used for elliptic and hyperelliptic curves in characteristic 2 with very efficient results. In particular, the hyperelliptic case is faster than all previously known pairing algorithms.
2004
JOFC
2003
EPRINT
On January 8th 2003, Eric Filiol published on the eprint a paper (eprint.iacr.org/2003/003/) in which he claims that AES can be broken by a very simple and very fast ciphertext-only attack. If such an attack existed, it would be the biggest discovery in code-breaking since some 10 or more years. Unfortunately the result is very hard to believe. In this paper we present the results of computer simulations done by several independent people, with independently written code. Nobody has confirmed a single anomaly in AES, even for much weaker versions of the bias claimed by the author. We also studied the source code provided by the author to realize that the first version had various issues and bugs, and the latest version still does not confirm the claimed result on AES.
2003
EPRINT
We propose a simple algorithm to select group generators suitable for pairing-based cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and efficient, with an observed performance about 2 to 10 times better than previously reported implementations, depending on the embedding degree. Our algorithm has beneficial side effects: various non-pairing operations become faster, and bandwidth may be saved.
2002
CRYPTO
2002
EPRINT
We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over $\GF{p^m}$, the latter technique being also useful in contexts other than that of pairing-based cryptography.
2002
EPRINT
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree $k \leqslant 6$. In this note, we examine criteria for curves with larger $k$ that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
2002
EPRINT
Authenticated Key exchange algorithms tend to be either token-based or password based. Token-based schemes are often based on expensive (and irreplaceable) smart-card tokens, while password-only schemes require that a unique password is shared with every correspondent. The magnetic strip swipe card and associated PIN number is a familiar and convenient format that motivates a combined approach. Finally we suggest an extension of the scheme for use in a client-server scenario.

Eurocrypt 2011