International Association for Cryptologic Research

IACR News item: 21 April 2014

Sorina Ionica, Malika Izabachène
ePrint Report

In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number N. Boneh et al. proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order N. Displaying such a curve as a public parameter implies revealing a square root of the complex multiplication discriminant -D modulo N. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, by computing a square root λ of -D modulo one of its factors. Our attack is based on a generic discrete logarithm algorithm. We recommend that λ should be chosen as a high entropy input parameter when running the Cocks-Pinch algorithm, in order to ensure protection from our attack.
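The abstract states that publishing a Cocks-Pinch curve with a composite order subgroup reveals a square root of -D modulo N, but does not spell out why. The following added example (not code from the report or its authors) makes that leak concrete for a parameter reviewer: it runs the Cocks-Pinch search on a constructed toy instance (N = 7·13, D = 3, embedding degree k = 3, all chosen here, not taken from the paper) and then recomputes λ mod N from nothing but the public field size q, the trace t and the CM parameter y. The derivation assumed here is the standard Cocks-Pinch step y ≡ (t - 2)/λ (mod N), which inverts to λ ≡ -(t - 2)/y (mod N); t is recoverable from the curve by point counting and y from 4q - t² = D·y² once D is known. The example stops at the leak and does not implement the factoring attack.

```python
"""Toy Cocks-Pinch construction with a composite subgroup order N, plus the
check that the public data (q, t, y) hands out sqrt(-D) mod N.

All parameters below are constructed for illustration; they are not from the
report and are far too small to be secure.
"""


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def cocks_pinch(N: int, D: int, lam: int, zeta: int, k: int, max_lift: int = 200):
    """Cocks-Pinch: given lam with lam^2 = -D (mod N) and a primitive k-th
    root of unity zeta (mod N), set t = 1 + zeta and y = (t - 2)/lam (mod N),
    then search integer lifts of t and y until q = (t^2 + D*y^2)/4 is prime.
    Returns (q, t, y); the curve with trace t over F_q then has q + 1 - t
    points, which is divisible by N."""
    assert (lam * lam + D) % N == 0, "lam is not a square root of -D mod N"
    assert pow(zeta, k, N) == 1 and zeta % N != 1, "zeta is not a k-th root of unity"
    t0 = (1 + zeta) % N
    y0 = (t0 - 2) * pow(lam, -1, N) % N
    for i in range(max_lift):
        t = t0 + i * N
        for j in range(max_lift):
            y = y0 + j * N
            num = t * t + D * y * y
            if num % 4:
                continue  # q must be an integer
            q = num // 4
            if is_probable_prime(q):
                return q, t, y
    raise ValueError("no prime q found within the lift bound")


def leaked_sqrt_minus_D(N: int, t: int, y: int) -> int:
    """What anyone holding the public curve can compute (assumed derivation,
    see lead-in): y = (t - 2)/lam (mod N) gives lam = -(t - 2)/y (mod N)."""
    return (2 - t) * pow(y, -1, N) % N


def demo():
    """Constructed toy instance: N = 7*13, D = 3, k = 3."""
    N, D, k = 7 * 13, 3, 3
    lam = 58    # 58^2 = 3364 = 88 = -3 (mod 91): the secret input sqrt(-D) mod N
    zeta = 16   # 16^3 = 4096 = 1 (mod 91): a primitive cube root of unity mod N
    q, t, y = cocks_pinch(N, D, lam, zeta, k)
    # A reviewer sees only q, t, y (and the small discriminant D):
    leaked = leaked_sqrt_minus_D(N, t, y)
    return {"q": q, "t": t, "y": y, "leaked": leaked,
            "matches_secret": leaked in (lam % N, (-lam) % N)}


if __name__ == "__main__":
    print(demo())
```

The search reports q = 90379 for this instance and the recovered value is 33 = -58 mod 91, i.e. exactly the square root of -D that the generator used (up to sign). Nothing secret was needed to obtain it, which is the information leak the abstract describes; the authors' mitigation, treating λ as a high-entropy input, targets this step of the construction.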
