Abstract
In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [8] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128-, 192-, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves.
We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field \(\mathbb{F}_p\) over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24.
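The embedding degree k named in the abstract is the quantity that decides where a pairing-based system's security actually lives: for a prime-order subgroup n of E(F_p), k is the smallest integer with n | p^k − 1, the Weil and Tate pairings take values in F_{p^k}, and the Menezes–Okamoto–Vanstone / Frey–Rück reduction carries the subgroup's discrete logarithm problem into F_{p^k}^*. So a curve with k = 1 hands an attacker a DLP in F_p itself, and the k = 2 supersingular family hands one in F_{p^2}; the field size k · log2 p is what must be matched against the 128-, 192- or 256-bit targets. The script below is an added illustration, not code from the paper: it brute-forces the point count of a constructed toy curve y^2 = x^3 + x over F_11 (p ≡ 3 mod 4 makes it supersingular with #E = p + 1, so its large prime factor has k = 2), computes k directly from the definition, and reports the target field size. The function names (`count_points`, `embedding_degree`, `mov_target_bits`, `analyse_curve`) and the toy prime are assumptions of this example; the brute-force routines are only meaningful at toy sizes.

```python
"""Embedding degree of a pairing-friendly subgroup (added example, not from the paper)."""
from math import gcd


def count_points(p, a, b):
    """Brute-force #E(F_p) for y^2 = x^3 + a*x + b, point at infinity included.

    Toy primes only: Euler's criterion on the right-hand side tells us
    whether it has 0, 1 or 2 square roots mod p.
    """
    if p % 2 == 0 or (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("need an odd prime p and a non-singular curve")
    total = 1  # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def prime_factors(m):
    """Distinct prime factors of m by trial division (toy sizes only)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def embedding_degree(p, n):
    """Smallest k >= 1 with n | p^k - 1, i.e. the multiplicative order of p mod n.

    For a prime-order subgroup of E(F_p) this is the k for which the Weil and
    Tate pairings take values in F_{p^k}, so the MOV / Frey-Rueck reduction
    moves the subgroup DLP into F_{p^k}^*.
    """
    if n < 2 or gcd(p, n) != 1:
        raise ValueError("n must be > 1 and coprime to p")
    k, acc = 1, p % n
    while acc != 1:          # terminates because gcd(p, n) == 1
        acc = (acc * p) % n
        k += 1
    return k


def mov_target_bits(p, k):
    """Bit length of the finite field F_{p^k} that the pairing lands in."""
    return k * p.bit_length()


def analyse_curve(p, a, b):
    """Largest prime subgroup order n of E(F_p), its embedding degree and target field size."""
    order = count_points(p, a, b)
    n = max(prime_factors(order))
    k = embedding_degree(p, n)
    return {"order": order, "n": n, "k": k, "field_bits": mov_target_bits(p, k)}


if __name__ == "__main__":
    # Constructed toy case: y^2 = x^3 + x over F_11.  Since 11 = 3 (mod 4) the
    # curve is supersingular with #E = p + 1 = 12; the prime factor 3 does not
    # divide p - 1 = 10 but divides p^2 - 1 = 120, hence k = 2 (second family).
    print(analyse_curve(11, 1, 0))  # {'order': 12, 'n': 3, 'k': 2, 'field_bits': 8}
    # A subgroup order dividing p - 1 gives k = 1, i.e. pairing values in F_p
    # itself (the property of the first family): 3 | 13 - 1.
    print(embedding_degree(13, 3))  # 1
```

The practical check this encodes is the one a deployer of such a system should make before fixing parameters: take the curve's actual subgroup order n, compute k from the definition rather than trusting a family label, and compare k · log2 p with the finite-field DLP size required for the AES-equivalent level being targeted.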
References
[1] Adleman, L., Huang, M.: Function field sieve methods for discrete logarithms over finite fields. Information and Computation 151, 5–16 (1999)
[2] Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes–Okamoto–Vanstone algorithm. J. Cryptology 11, 141–145 (1998)
[3] Barreto, P., Galbraith, S., ÓhÉigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties, http://eprint.iacr.org/2004/375/
[4] Barreto, P., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Selected Areas in Cryptography – SAC 2003. LNCS, vol. 3006, pp. 17–25 (2003)
[5] Barreto, P., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006), http://eprint.iacr.org/2005/133/
[6] Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
[7] Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
[8] Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
[9] Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
[10] Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)
[11] Boneh, D., Venkatesan, R.: Breaking RSA may not be equivalent to factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 59–71. Springer, Heidelberg (1998)
[12] Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005)
[13] Charlap, L., Coley, R.: An Elementary Introduction to Elliptic Curves II. CCR Expository Report 34 (1990), available from http://www.idaccr.org/reports/reports.html
[14] Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Heidelberg (1993)
[15] Coppersmith, D.: Fast evaluation of logarithms in fields of characteristic two. IEEE Transactions on Information Theory 30, 587–594 (1984)
[16] Denny, T., Schirokauer, O., Weber, D.: Discrete logarithms: the effectiveness of the index calculus method. In: Cohen, H. (ed.) ANTS 1996. LNCS, vol. 1122, pp. 337–361. Springer, Heidelberg (1996)
[17] Frey, G., Rück, H.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp. 62, 865–874 (1994)
[18] Galbraith, S.: Pairings. In: Blake, I.F., Seroussi, G., Smart, N.P. (eds.) Advances in Elliptic Curve Cryptography, vol. 2. Cambridge University Press, Cambridge (2005)
[19] Galbraith, S., McKee, J., Valença, P.: Ordinary abelian varieties having small embedding degree, http://eprint.iacr.org/2004/365/
[20] Gordon, D.: Discrete logarithms in GF(p) using the number field sieve. SIAM J. Discrete Math. 6, 124–138 (1993)
[21] Granger, R., Vercauteren, F.: On the discrete logarithm problem on algebraic tori. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 66–85. Springer, Heidelberg (2005)
[22] Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, Heidelberg (2004)
[23] Joux, A.: A one round protocol for tripartite Diffie–Hellman. J. Cryptology 17, 263–276 (2004)
[24] Joux, A., Lercier, R.: Improvements to the general number field sieve for discrete logarithms in prime fields. Math. Comp. 72, 953–967 (2003)
[25] Joux, A., Nguyen, K.: Separating Decision Diffie–Hellman from Computational Diffie–Hellman in cryptographic groups. J. Cryptology 16, 239–247 (2003)
[26] Kang, B., Park, J.: On the relationship between squared pairings and plain pairings, http://eprint.iacr.org/2005/112/
[27] Knuth, D.: The Art of Computer Programming, 3rd edn., vol. 2. Addison-Wesley, Reading (1997)
[28] Koblitz, N.: A Course in Number Theory and Cryptography. Springer, Heidelberg (1987)
[29] Koblitz, N.: Introduction to Elliptic Curves and Modular Forms, 2nd edn. Springer, Heidelberg (1993)
[30] Koblitz, N.: An elliptic curve implementation of the finite field digital signature algorithm. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 327–337. Springer, Heidelberg (1998)
[31] Lenstra, A.: Unbelievable security: matching AES security using public key systems. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 67–86. Springer, Heidelberg (2001)
[32] Lenstra, A., Verheul, E.: The XTR public key system. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 1–19. Springer, Heidelberg (2000)
[33] Lenstra Jr., H.W.: Factoring integers with elliptic curves. Annals Math. 126, 649–673 (1987)
[34] Lidl, R., Niederreiter, H.: Finite Fields, 2nd edn. Cambridge University Press, Cambridge (1997)
[35] Maurer, U., Wolf, S.: The Diffie–Hellman protocol. Designs, Codes and Cryptography 19, 147–171 (2000)
[36] Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993)
[37] Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory IT-39, 1639–1646 (1993)
[38] Menezes, A., Vanstone, S.: ECSTR (XTR): Elliptic Curve Singular Trace Representation. Rump Session of CRYPTO 2000 (2000)
[39] Miller, V.: The Weil pairing and its efficient calculation. J. Cryptology 17, 235–261 (2004)
[40] Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals E84-A(5) (2001)
[41] Naccache, D., Stern, J.: Signing on a postcard. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 121–135. Springer, Heidelberg (2001)
[42] National Institute of Standards and Technology: Special Publication 800-56: Recommendation for pair-wise key establishment schemes using discrete logarithm cryptography. Draft (2005)
[43] Pintsov, L., Vanstone, S.: Postal revenue collection in the digital age. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 105–120. Springer, Heidelberg (2001)
[44] Sakai, R., Kasahara, M.: ID based cryptosystems with pairing on elliptic curve, http://eprint.iacr.org/2003/054/
[45] Schirokauer, O.: Discrete logarithms and local units. Phil. Trans. Royal Soc. London A 345, 409–423 (1993)
[46] Schirokauer, O.: The special function field sieve. SIAM J. Discrete Math. 16, 81–98 (2002)
[47] Schirokauer, O.: The number field sieve for integers of low weight. Preprint (2005)
[48] Scott, M.: Computing the Tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 300–312. Springer, Heidelberg (2005)
[49] Scott, M., Barreto, P.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004)
[50] Scott, M., Barreto, P.: Generating more MNT elliptic curves. Designs, Codes and Cryptography (to appear), http://eprint.iacr.org/2004/058/
[51] Solinas, J.: Generalized Mersenne numbers. Technical Report CORR 99-39, University of Waterloo (1999), http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-39.pdf
[52] Solinas, J.: ID-based digital signature algorithms (2003), http://www.cacr.math.uwaterloo.ca/conferences/2003/ecc2003/solinas.pdf
[53] Verheul, E.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptology 17, 277–296 (2004)
[54] Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Koblitz, N., Menezes, A. (2005). Pairing-Based Cryptography at High Security Levels. In: Smart, N.P. (eds) Cryptography and Coding. Cryptography and Coding 2005. Lecture Notes in Computer Science, vol 3796. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11586821_2
DOI: https://doi.org/10.1007/11586821_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30276-6
Online ISBN: 978-3-540-32418-8