International Association for Cryptologic Research

International Association
for Cryptologic Research


Sorina Ionica


Time-Memory Analysis of Parallel Collision Search Algorithms 📺
Parallel versions of collision search algorithms require a significant amount of memory to store a proportion of the points computed by the pseudo-random walks. Implementations available in the literature use a hash table to store these points and allow fast memory access. We provide theoretical evidence that memory is an important factor in determining the runtime of this method. We propose to replace the traditional hash table by a simple structure, inspired by radix trees, which saves space and provides fast look-up and insertion. In the case of many-collision search algorithms, our variant has a constant-factor improved runtime. We give benchmarks that show the linear parallel performance of the attack on elliptic curves discrete logarithms and improved running times for meet-in-the-middle applications.
Pairing computation on curves with efficiently computable endomorphism and small embedding degree
Sorina Ionica Antoine Joux
Scott uses an efficiently computable isomorphism in order to optimize pairing computation on a particular class of curves with embedding degree 2. He pointed out that pairing implementation becomes thus faster on these curves than on their supersingular equivalent, originally recommended by Boneh and Franklin for Identity Based Encryption. We extend Scott's method to other classes of curves with small embedding degree and efficiently computable endomorphism. In particular, we optimize pairing computation on a class of curves with embedding degree 4 and discriminant 1, which are interesting for pairing based cryptography because they have a very efficient arithmetic.
Another approach to pairing computation in Edwards coordinates
Sorina Ionica Antoine Joux
The recent introduction of Edwards curves has significantly reduced the cost of addition on elliptic curves. This paper presents new explicit formulae for pairing implementation in Edwards coordinates. We prove our method gives performances similar to those of Miller's algorithm in Jacobian coordinates and is thus of cryptographic interest when one chooses Edwards curve implementations of protocols in elliptic curve cryptography. The method is faster than the recent proposal of Das and Sarkar for computing pairings on supersingular curves using Edwards coordinates.

Program Committees

Crypto 2019
Crypto 2017
Crypto 2016