Abstract
Recent efficient pairings such as the Ate pairing use two efficient subgroups of rational points such that \(\pi (P)=P\) and \(\pi (Q)=[p]Q\), where \(\pi \), \(p\), and \(P\), \(Q\) are the Frobenius map on rational points, the characteristic of the definition field, and torsion points used for the pairing, respectively. This relation accelerates not only the pairing itself but also pairing-related operations such as scalar multiplication. It holds when the embedding degree \(k\) divides \(r-1\), where \(r\) is the order of the torsion rational points, and this case has therefore been well studied. This paper instead focuses on the case that the degree divides \(r+1\) but not \(r-1\). First, it shows a transitive representation of the \(r\)-torsion points based on the fact that the characteristic polynomial \(f(\pi )\) of the Frobenius map becomes irreducible over \(\mathbb {F}_{r}\) when \(\pi \) is treated as the variable; in other words, the paper proposes an elliptic curve discrete logarithm on such a torsion group. After that, together with some example parameters, it is shown how to prepare such pairing-friendly elliptic curves.
Notes
1. It is noted that a skew Frobenius map such as \(\hat{\pi }_d\) is available for both \(E(\mathbb {F}_{p})\) and \(E_d(\mathbb {F}_{p})\) because they are twists of each other.
2. There are also other cases, such as \(n=r\).
References
[1] Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)
[2] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005)
[3] Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006)
[4] Boneh, D., Rubin, K., Silverberg, A.: Finding composite order ordinary elliptic curves using the Cocks-Pinch method. Cryptology ePrint Archive, Report 2009/533 (2009)
[5] Castagnos, G., Laguillaumie, F.: Homomorphic encryption for multiplications and pairing evaluation. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 374–392. Springer, Heidelberg (2012)
[6] Charles, D.: On the existence of distortion maps on ordinary elliptic curves. Cryptology ePrint Archive, Report 2006/128 (2006)
[7] Cohen, H., Frey, G.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and Its Applications. Chapman & Hall/CRC, Boca Raton (2005)
[8] Dickson, L.E.: The analytic representation of substitutions on a power of a prime number of letters with a discussion of the linear group. Ann. Math. 11, 161–183 (1897)
[9] Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008)
[10] GNU MP. http://gmplib.org/
[11] Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer, New York (2004)
[12] Hitt, L.: On the minimal embedding field. Cryptology ePrint Archive, Report 2006/415 (2006)
[13] Itoh, T., Tsujii, S.: A fast algorithm for computing multiplicative inverses in \(\mathrm{GF}(2^m)\) using normal bases. Inf. Comput. 78, 171–177 (1988)
[14] Izuta, T., Takeuchi, S., Nishii, K., Nogami, Y., Morikawa, Y.: GLV subgroups on non-supersingular pairing-friendly curves of embedding degree 1. In: Computer Security Symposium 2010, pp. 249–254 (2010)
[15] Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)
[16] Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005)
[17] Morain, F.: Primality proving using elliptic curves: an update. In: Buhler, J.P. (ed.) ANTS 1998. LNCS, vol. 1423, pp. 111–127. Springer, Heidelberg (1998)
[18] Nakanishi, T., Funabiki, N.: Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 533–548. Springer, Heidelberg (2005)
[19] Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable \(\chi \)-based Ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008)
[20] Ohta, K., Shiota, K.: Construction of CM curves suitable for cryptosystems from the Weil pairing. Mem. Fac. Sci. Kochi Univ. 27(1) (2007)
[21] Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: SCIS 2000 (2000)
[22] Sakemi, Y., Nogami, Y., Okeya, K., Kato, H., Morikawa, Y.: Skew Frobenius map and efficient scalar multiplication for pairing-based cryptography. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 226–239. Springer, Heidelberg (2008)
[23] Smart, N., Blake, I.F., Seroussi, G.: Elliptic Curves in Cryptography. LMS Lecture Note Series. Cambridge University Press, New York (1999)
[24] Yoshida, M., Mitsunari, S., Fujiwara, T.: The vector decomposition problem. IEICE Trans. Fundamentals E93-A(1), 188–193 (2010)
Acknowledgment
This work was partially supported by JSPS KAKENHI Grant Number 25280047.
Appendices
A Torsion Structure When \(n\mid (r+1)\)
As introduced in this paper, when \(d\) or \(n\) divides \(r+1\), the characteristic polynomial \(f_d({\hat{\pi }}_d)\) or \(f(\pi )\) becomes irreducible over \(\mathbb {F}_{r}\), so it has no root in \(\mathbb {F}_{r}\). Thus \(\pi \) does not correspond to any scalar multiplication on \(E(\mathbb {F}_{p^{n}})[r]\). In other words, let \(P\) be a rational point of order \(r\) generating the cyclic group \(\langle P\rangle \) in \(E(\mathbb {F}_{p^{n}})[r]\); then \(\pi (P)\) also has order \(r\), but it does not belong to \(\langle P\rangle \), since \(\pi (P)=[\lambda ]P\) would make \(\lambda \) a root of \(f(\pi )\) modulo \(r\). Thus \(\pi (P)\) belongs to another cyclic group \(\langle \pi (P)\rangle \not =\langle P\rangle \), and accordingly \(E(\mathbb {F}_{p^{n}})[r]\) has a torsion structure of rank \(2\). The case of \(E_d(\mathbb {F}_{p})\) with twist degree \(d\) is shown in the same way.
B \(r\mid (p^l-1)\), \(l=1\) or \(2\)
Let \(l\) be the minimal positive integer such that \(r\mid (p^l-1)\), that is, the order of \(p\) modulo \(r\). By Fermat's little theorem, \(l\mid (r-1)\). By the property of the pairing, \(r\mid (p^d-1)\), and hence \(l\mid d\). On the other hand, \(d\) needs to satisfy \(d\mid (r+1)\) in this paper. Therefore \(l\) divides both \(r-1\) and \(r+1\). If \(r\) is an odd prime, \(\gcd (r-1,r+1)=2\), and thus \(l\) is equal to \(1\) or \(2\). Moreover, if \(d\) is odd, such as \(3\), then \(l=1\) from Eq. (35), since \(l\mid d\) excludes \(l=2\). Here \(l\) is the extension degree of the minimal embedding field \(\mathbb {F}_{p^{l}}\). The case of \(E(\mathbb {F}_{p^{n}})\) with extension degree \(n\) is shown in the same way; in particular, \(l=1\) when \(n\) is odd.
C Proof of \(t_d\equiv -1\pmod {r}\)
According to Morain's report [17], in the case of \(d=3\) the Frobenius trace \(t_d\) of \(E_d(\mathbb {F}_{p})\) is given as
Since \(p\equiv 1\pmod {r}\) and \(t\equiv 2\pmod {r}\) in this paper, the relation \(t_d\equiv -1\pmod {r}\) stated in the title of this appendix follows.
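The toy computation below is an added example, not code from the paper, and every parameter in it is constructed for illustration only: \(p=31\), \(r=5\) (so \(p\equiv 1\pmod r\), embedding degree \(1\)), \(d=3\) (so \(d\mid r+1\)), the \(j=0\) family \(y^2=x^3+b\) so that a cubic twist exists, and \(\mathbb {F}_{p^3}=\mathbb {F}_p[x]/(x^3-3)\). It searches the family for a curve \(E\) with \(t\equiv 2\) and a cubic twist \(E_d\) with \(t_d\equiv -1\pmod r\) (Appendix C), confirms that \(f_d(x)=x^2-t_dx+p\) is irreducible over \(\mathbb {F}_r\) while \(f\) is not, computes the \(l\) of Appendix B by brute force, and then takes a point \(A\) of order \(r\) on \(E_d(\mathbb {F}_{p^3})\) and checks the claim of Appendix A directly: \(\pi (A)\) has order \(r\) but is not a scalar multiple of \(A\). Nothing here is secure; the parameters are tiny on purpose.

```python
"""Toy walk-through of Appendices A-C on CONSTRUCTED parameters (added example,
not the paper's code). Assumptions: p = 31, r = 5 (p = 1 mod r: embedding degree 1),
d = 3 (d | r + 1), the j = 0 family y^2 = x^3 + b so a cubic twist exists, and
F_{p^3} = F_p[x]/(x^3 - 3) with 3 a non-cube mod 31. Nothing here is secure."""
import math, random

P, R, D, NONCUBE = 31, 5, 3, 3
Q = P ** D                       # size of F_{p^3}

class Fq:
    """Element a0 + a1 x + a2 x^2 of F_{p^3}, reduced by x^3 = NONCUBE."""
    def __init__(self, a0, a1=0, a2=0): self.v = (a0 % P, a1 % P, a2 % P)
    def __eq__(self, o): return self.v == o.v
    def __add__(self, o): return Fq(*(a + b for a, b in zip(self.v, o.v)))
    def __sub__(self, o): return Fq(*(a - b for a, b in zip(self.v, o.v)))
    def __neg__(self): return Fq(0) - self
    def __mul__(self, o):
        t = [0] * 5
        for i, a in enumerate(self.v):
            for j, b in enumerate(o.v): t[i + j] += a * b
        return Fq(t[0] + NONCUBE * t[3], t[1] + NONCUBE * t[4], t[2])  # x^3 -> c, x^4 -> c x
    def __pow__(self, e):
        out, base = Fq(1), self
        while e:
            if e & 1: out = out * base
            base, e = base * base, e >> 1
        return out
    def inv(self): return self ** (Q - 2)
    def is_zero(self): return self.v == (0, 0, 0)

def ec_neg(A): return None if A is None else (A[0], -A[1])

def ec_add(A, B):
    """Affine group law on y^2 = x^3 + b (a = 0); None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2).is_zero(): return None
        lam = Fq(3) * x1 * x1 * (Fq(2) * y1).inv()     # tangent slope
    else:
        lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def ec_mul(k, A):
    if k < 0: k, A = -k, ec_neg(A)
    out = None
    while k:
        if k & 1: out = ec_add(out, A)
        A, k = ec_add(A, A), k >> 1
    return out

def frob(A):
    """p-power Frobenius pi acting on a point of E(F_{p^3})."""
    return None if A is None else (A[0] ** P, A[1] ** P)

def legendre(a, m):
    a %= m
    return 0 if a == 0 else (1 if pow(a, (m - 1) // 2, m) == 1 else -1)

def trace_fp(b):
    """t = p + 1 - #E(F_p) for y^2 = x^3 + b, by summing Legendre symbols."""
    return P - sum(1 + legendre(x ** 3 + b, P) for x in range(P))

def pick_curves():
    """E: b with t = 2 (mod r). E_d: b_d with t_d = -1 (mod r), the cubic twist of
    Appendix C. For j = 0 the values of b over F_p realise exactly the six twist traces."""
    bE = next(b for b in range(1, P) if trace_fp(b) % R == 2)
    bD = next(b for b in range(1, P) if trace_fp(b) % R == R - 1)
    return bE, bD

def is_irreducible(t):
    """x^2 - t x + p is irreducible over F_r iff t^2 - 4p is a non-residue mod r."""
    return legendre(t * t - 4 * P, R) == -1

def min_embedding_degree():
    """l of Appendix B: the order of p modulo r; it must divide gcd(r-1, r+1) = 2."""
    l, x = 1, P % R
    while x != 1: x, l = x * P % R, l + 1
    return l

def torsion_rank_fp(b):
    """|E(F_p)[r]| = r^rank, by brute force over all points of E(F_p)."""
    pts = [(Fq(x), Fq(y)) for x in range(P) for y in range(P) if (y * y - x ** 3 - b) % P == 0]
    killed = 1 + sum(1 for A in pts if ec_mul(R, A) is None)
    return round(math.log(killed, R))

def random_r_torsion(bd, rng):
    """Random point of order r on E_d(F_{p^3}) by cofactor multiplication, using
    #E_d(F_{p^3}) = p^3 + 1 - (t_d^3 - 3 p t_d) (trace over the cubic extension)."""
    td = trace_fp(bd)
    h = (Q + 1 - (td ** 3 - 3 * P * td)) // (R * R)       # r^2 divides the order here
    while True:
        x = Fq(rng.randrange(P), rng.randrange(P), rng.randrange(P))
        rhs = x * x * x + Fq(bd)
        y = rhs ** ((Q + 1) // 4)                         # q = 3 mod 4: sqrt when rhs is a square
        if y * y == rhs and (A := ec_mul(h, (x, y))) is not None:
            return A, td

def frobenius_leaves_subgroup(A):
    """Appendix A: pi(A) has order r yet lies outside <A> when f_d is irreducible mod r."""
    B = frob(A)
    return ec_mul(R, B) is None and all(B != ec_mul(k, A) for k in range(1, R))

def char_poly_kills(A, td):
    """Sanity check: pi^2 - [t_d] pi + [p] annihilates every point of E_d."""
    piA = frob(A)
    return ec_add(ec_add(frob(piA), ec_mul(P, A)), ec_neg(ec_mul(td, piA))) is None

def demo(seed=1):
    bE, bD = pick_curves()
    t, td = trace_fp(bE), trace_fp(bD)
    A, _ = random_r_torsion(bD, random.Random(seed))
    return {"t_mod_r": t % R, "td_mod_r": td % R,
            "f_irreducible": is_irreducible(t), "fd_irreducible": is_irreducible(td),
            "l": min_embedding_degree(), "rank_E_Fp": torsion_rank_fp(bE),
            "pi_leaves_subgroup": frobenius_leaves_subgroup(A),
            "pi3_fixes_A": frob(frob(frob(A))) == A, "char_poly_ok": char_poly_kills(A, td)}

if __name__ == "__main__":
    for k, v in demo().items(): print(k, v)
```

Two points worth noticing when running it. On \(E\) itself, \(t\equiv 2\) makes \(f(x)\equiv (x-1)^2\pmod r\), so \(\pi \) has the eigenvalue \(1\) and the whole \(r\)-torsion already sits in \(E(\mathbb {F}_p)\) (the well-studied \(\pi (P)=P\), \(\pi (Q)=[p]Q\) setting of the abstract, with \(p\equiv 1\)). On the twist, \(f_d(x)\equiv x^2+x+1\) has no root modulo \(r\) because \(3\nmid r-1\), which is exactly why \(\pi (A)\) cannot be \([\lambda ]A\) for any scalar and the rank-\(2\) structure of Appendix A appears only over \(\mathbb {F}_{p^3}\); the check \(\pi ^3(A)=A\) confirms that \(\pi \) acts on \(E_d[r]\) as a primitive cube root of unity, while \(l=1\) shows the minimal embedding field of Appendix B is still \(\mathbb {F}_p\).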
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Nogami, Y., Seo, H. (2015). Discrete Logarithms for Torsion Points on Elliptic Curve of Embedding Degree \(1\). In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. Lecture Notes in Computer Science, vol. 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_5
DOI: https://doi.org/10.1007/978-3-319-15943-0_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15942-3
Online ISBN: 978-3-319-15943-0