Optimization of finite field arithmetic is important for the deployment of public key cryptography, particularly in the context of elliptic curve cryptography. Until now the primary concern has been operations over the prime field Fp, where p is a prime. With the advent of pairing-based cryptography there arises a need to also look at optimal arithmetic over extension fields Fpn for small values of n. Here we focus on the determination of quadratic residuosity and the calculation of inverses and square roots over these fields, operations often carried out in conjunction with one another. We demonstrate with a minor improvement in a hash-to-curve algorithm, and a major speed-up in the calculation of square roots in quadratic extensions.
This chapter describes and compares the software implementation of popular elliptic curve pairings on two architectures, of which the Intel Pentium 4 and Core2 are representatives.
In this paper we present a new multiplication algorithm for residues modulo the Mersenne prime \(2^{521} - 1\). Using this approach, on an Intel Haswell Core i7-4770, constant-time variable-base scalar multiplication on NIST’s (and SECG’s) curve P-521 requires 1,108,000 cycles, while on the recently proposed Edwards curve E-521 it requires just 943,000 cycles. As a comparison, on the same architecture openSSL’s ECDH speed test for curve P-521 requires 1,319,000 cycles. Furthermore, our code was written entirely in C and so is robust across different platforms. The basic observation behind these speedups is that the form of the modulus allows one to multiply residues with as few word-by-word multiplications as is needed for squaring, while incurring very little overhead from extra additions, in contrast to the usual Karatsuba methods.
We present efficiently computable homomorphisms of the groups G2 and GT for pairings G1 × G2 → GT. This allows exponentiation in G2 and GT to be accelerated using the Gallant-Lambert-Vanstone method.
A cryptographic pairing evaluates as an element of a finite extension field, and the evaluation itself involves a considerable amount of extension field arithmetic. It is recognised that organising the extension field as a "tower" of subfield extensions has many advantages. Here we consider criteria that apply when choosing the best towering construction, and the associated choice of irreducible polynomials for the implementation of pairing-based cryptosystems. We introduce a method for automatically constructing efficient towers for more classes of finite fields than previous methods, some of which allow faster arithmetic. We also show that for some families of pairing-friendly elliptic curves defined over Fp there are a large number of instances for which an efficient tower extension Fpk is given immediately if the parameter defining the prime characteristic of the field satisfies a few easily checked equivalences.
Pairing-based cryptosystems rely on the existence of bilinear, nondegenerate, efficiently computable maps (called pairings) over certain groups. Currently, all such pairings used in practice are related to the Tate pairing on elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. In this paper we describe how to construct ordinary (non-supersingular) elliptic curves containing groups with arbitrary embedding degree, and show how to compute the Tate pairing on these groups efficiently.
We present a general technique for the efficient computation of pairings on supersingular Abelian varieties. This formulation, which we call the eta pairing, generalises results of Duursma and Lee for computing the Tate pairing on supersingular elliptic curves in characteristic three. We then show how our general technique leads to a new algorithm which is about twice as fast as the Duursma-Lee method. These ideas are then used for elliptic and hyperelliptic curves in characteristic 2 with very efficient results. In particular, the hyperelliptic case is faster than all previously known pairing algorithms.
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree for most elliptic curves is enormous, and the few previously known suitable elliptic curves have embedding degree k ≤ 6. In this paper, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures. Co-sponsored by Scopus Tecnologia S. A.
When using pairing-friendly ordinary elliptic curves over prime fields to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups of prime order r involved in the pairing. Of these G1 is a group of points on the base field E(Fp) and G2 is instantiated as a group of points with coordinates on some extension field, over a twisted curve E'(Fpd), where d divides the embedding degree k. While hashing to G1 is relatively easy, hashing to G2 has been less considered, and is regarded as likely to be more expensive as it appears to require a multiplication by a large cofactor. In this paper we introduce a fast method for this cofactor multiplication on G2 which exploits an efficiently computable homomorphism.
Abstract. In a recent letter, Cui, Duan and Chan propose a generalisation of the Scott-Barreto method to build a larger family of MNT curves, and they claim that their proposal is also applicable to other curve construction methods. Here we show that the Cui-Duan-Chan technique is irrecoverably flawed.
Abstract. What would be the ideal attributes of a client-server authentication scheme? One might like an identity based scheme not requiring PKI, plus support for multi-factor authentication based on a token, a PIN number, and optionally a biometric. The former might hold a high-entropy secret, and the latter may be represented as relatively low-entropy parameters. However it would be preferred if the token could be in the form of a relatively inexpensive USB stick rather than a Smart-Card. The user should be at complete liberty to ...
It is basically a solved problem for a server to authenticate itself to a client using standard methods of Public Key cryptography. The Public Key Infrastructure (PKI) supports the SSL protocol which in turn enables this functionality. The single-point-of-failure in PKI, and hence the focus of attacks, is the Certification Authority. However this entity is commonly off-line, well defended, and not easily got at. For a client to authenticate itself to the server is much more problematical. The simplest and most common mechanism is Username/Password. Although not at all satisfactory, the only onus on the client is to generate and remember a password, and the reality is that we cannot expect a client to be sufficiently sophisticated or well organised to protect larger secrets. However Username/Password as a mechanism is breaking down. So-called zero-day attacks on servers commonly recover files containing information related to passwords, and unless the passwords are of sufficiently high entropy they will be found. The commonly applied patch is to insist that clients adopt long, complex, hard-to-remember passwords. This is essentially a second line of defence imposed on the client to protect them in the (increasingly likely) event that the authentication server will be successfully hacked. Note that in an ideal world a client should be able to use a low entropy password, as a server can limit the number of attempts the client can make to authenticate itself. The often proposed alternative is the adoption of multifactor authentication. In the simplest case the client must demonstrate possession of both a token and a password. The banks have been to the forefront of adopting such methods, but the token is invariably a physical device of some kind.
Cryptography's embarrassing secret is that to date no completely satisfactory means has been discovered to implement two-factor authentication entirely in software. In this paper we propose such a scheme.
Pairing-based cryptosystems rely on bilinear non-degenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.
The most significant pairing-based cryptographic protocol to be proposed so far is undoubtedly the Identity-Based Encryption (IBE) protocol of Boneh and Franklin. In their paper [6] they give details of how their scheme might be implemented in practice on certain supersingular elliptic curves of prime characteristic. They also point out that the scheme could as easily be implemented on certain special non-supersingular curves for the same level of security. An obvious question to be answered is: which is most efficient? Motivated by the work of Gallant, Lambert and Vanstone [14] we demonstrate that, perhaps counter to intuition, certain ordinary curves closely related to the supersingular curves originally recommended by Boneh and Franklin provide better performance. We illustrate our technique by implementing the fastest pairing algorithm to date (on elliptic curves over fields of prime characteristic) for contemporary levels of security, albeit on a rather particular class of curves. We also point out that many of the non-supersingular families of curves recently discovered and proposed for use in pairing-based cryptography can also benefit (to an extent) from the same technique.
In this paper we describe how to efficiently implement pairing calculation on supersingular genus 2 curves over prime fields. We find that, contrary to the results reported in [8], pairing calculation on supersingular genus 2 curves over prime fields is efficient and a viable candidate for the practical implementation of pairing-based cryptosystems. We also show how to eliminate divisions in an efficient manner when computing the Tate pairing, and how this algorithm is useful for curves of genus greater than one.
In this paper we describe a simple protocol for secure delegation of the elliptic-curve pairing. A computationally limited device (typically a smart-card) will delegate the computation of the pairing e(A, B) to a more powerful device (for example a PC), in such a way that 1) the powerful device learns nothing about the points A and B, and 2) the limited device is able to detect when the powerful device is cheating.
We describe a new method for constructing Brezing-Weng-like pairing-friendly elliptic curves. The new construction uses the minimal polynomials of elements in a cyclotomic field. Using this new construction we present new "record breaking" families of pairing-friendly curves with embedding degrees of k ∈ {16, 18, 36, 40}, and some interesting new constructions for the cases k ∈ {8, 32}.
We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography.
We propose a simple algorithm to select group generators suitable for pairing-based cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and efficient, with an observed performance about 2 to 10 times better than previously reported implementations, depending on the embedding degree. Our algorithm has beneficial side effects: various non-pairing operations become faster, and bandwidth may be saved.
By using Elliptic Curve Cryptography (ECC), it has been recently shown that Public-Key Cryptography (PKC) is indeed feasible on resource-constrained nodes. This feasibility, however, does not necessarily mean attractiveness, as the obtained results are still not satisfactory enough. In this paper, we present results on implementing ECC, as well as the related emerging field of Pairing-Based Cryptography (PBC), on two of the most popular sensor nodes. By doing that, we show that PKC is not only viable, but in fact attractive for WSNs. As far as we know, the pairing computations presented in this paper are the most efficient results on the MICA2 (8-bit/7.3828-MHz ATmega128L) and Tmote Sky (16-bit/8.192-MHz MSP-430) nodes.
Techniques are described to speed up the calculation of modular products, which are required at the heart of software implementations of many cryptographic protocols such as the well-known RSA Public Key algorithm. By combining ideas from Comba [1] and Dusse and Kaliski [2], and exploiting Montgomery's method [5] for modular reduction, very efficient machine code routines can be generated. The method is illustrated for the popular 80386/80486/Pentium Family of processors, but uses only a very small subset of the instruction set, and so can easily be adapted to many other conventional processors with a word length of 16 bits or more.
A new key exchange algorithm is presented which integrates a low-entropy password into the well-established Diffie-Hellman key exchange. The proposed method has some advantages with respect to existing techniques such as SPEKE and PAK.
Papers by Michael Scott