Duc-Phong Le

A variant of Miller's formula and algorithm

Millers algorithm is at the heart of all pairing-based cryptosystems since it is used in the computation of pairing such as that of Weil or Tate and their variants. Most of the optimizations of this algorithm involve elliptic curves of particular forms, or curves with even embedding degree, or having an equation of a special form. Other improvements involve a reduction of the number of iterations. In this article, we propose a variant of Millers formula which gives rise to a generically faster algorithm for any pairing friendly curve. Concretely, it provides an improvement in cases little studied until now, in particular when denominator elimination is not available. It allows for instance the use of elliptic curve with embedding degree not of the form 2i3j, and is suitable for the computation of optimal pairings. We also present a version with denominator elimination for even embedding degree. In our implementations, our variant saves between 10% and 40% in running time in comparison with the usual version of Millers algorithm without any optimization.

Multisignatures as Secure as the Diffie-Hellman Problem in the Plain Public-Key Model

A multisignature scheme allows a group of signers to cooperate to generate a compact signature on a common document. The length of the multisignature depends only on the security parameters of the signature schemes and not on the number of signers involved. The existing state-of-the-art multisignature schemes suffer either from impractical key setup assumptions, from loose security reductions, or from inefficient signature verification. In this paper, we present two new multisignature schemes that address all of these issues, i.e., they have efficient signature verification, they are provably secure in the plain public-key model, and their security is tightly related to the computation and decisional Diffie-Hellman problems in the random oracle model. Our construction derives from variants of EDL signatures.

Refinements of Miller's Algorithm over Weierstrass Curves Revisited

In 1986, Victor Miller described an algorithm for computing the Weil pairing in his unpublished manuscript. This algorithm has then become the core of all pairing-based cryptosystems. Many improvements of the algorithm have been presented. Most of them involve a choice of elliptic curves of a special form to exploit a possible twist during Tate pairing computation. Other improvements involve a reduction of the number of iterations in the Millers algorithm. For the generic case, Blake, Murty and Xu proposed three refinements to Millers algorithm over Weierstrass curves. Though their refinements, which only reduce the total number of vertical lines in Millers algorithm, did not give an efficient computation as other optimizations, they can be applied for computing both Weil and Tate pairings on all pairing-friendly elliptic curves. In this paper, we extend the Blake–Murty–Xus method and show how to perform an elimination of all vertical lines in Millers algorithm during computation of Weil/Tate pairings, on general elliptic curves. Experimental results show that our algorithm is faster by ~25% in comparison with the original Millers algorithm.

On Double Exponentiation for Securing RSA against Fault Analysis

At CT-RSA 2009, a new principle to secure RSA (and modular/group exponentiation) against fault-analysis has been introduced by Rivain. The idea is to perform a so-called double exponentiation to compute a pair (m d , m ϕ(N) − d ) and then check that the output pair satisfies the consistency relation: \(m^d \cdot m^{\varphi(N)-d} \equiv 1 \bmod N\). The author then proposed an efficient heuristic to derive an addition chain for the pair (d, ϕ(N) − d). In this paper, we revisit this idea and propose faster methods to perform a double exponentiation. On the one hand, we present new heuristics for generating shorter double addition chains. On the other hand, we present an efficient double exponentiation algorithm based on a right-to-left sliding window approach.

Speeding up ate pairing computation in affine coordinates

At Pairing 2010, Lauter et als analysis showed that Ate pairing computation in affine coordinates may be much faster than projective coordinates at high security levels. In this paper, we further investigate techniques to speed up Ate pairing computation in affine coordinates. We first analyze Ate pairing computation using 4-ary Miller algorithm in affine coordinates. This technique allows us to trade one multiplication in the full extension field and one field inversion for several multiplications in a smaller field. Then, we focus on pairing computations over elliptic curves admitting a twist of degree 3. We propose new fast explicit formulas for Miller function that are comparable to formulas over even twisted curves. We further analyze pairing computation on cubic twisted curves by proposing efficient subfamilies of pairing-friendly elliptic curves with embedding degrees k=9, and 15. These subfamilies allow us not only to obtain a very simple form of curve, but also lead to an efficient arithmetic and final exponentiation.

Randomizing the Montgomery Powering Ladder

In this paper, we present novel randomized techniques to enhance Montgomery powering ladder. The proposed techniques increase the resistance against side-channel attacks and especially recently published correlation collision attacks in the horizontal setting. The first of these operates by randomly changing state such that the difference between registers varies, unpredictably, between two states. The second algorithm takes a random walk, albeit tightly bounded, along the possible addition chains required to compute an exponentiation. We also generalize the Montgomery powering ladder and present randomized both left-to-right and right-to-left m-ary exponentiation algorithms.

Improved Miller’s Algorithm for Computing Pairings on Edwards Curves

Since Edwards curves were introduced to elliptic curve cryptography by Bernstein and Lange in 2007, they have received a lot of attention due to their very fast group law operation. Pairing computation on such curves is slightly slower than on Weierstrass curves. However, in some pairing-based cryptosystems, they might require a number of scalar multiplications which is time-consuming operation and this can be advantageous to use Edwards in this scenario. In this paper, we present a variant of Millers algorithm for pairing computation on Edwards curves. Our approach is generic, it is able to compute both Weil and Tate pairings on pairing-friendly Edwards curves of any embedding degree. Our analysis shows that the new algorithm is faster than the previous algorithms for odd embedding degree and as fast as for even embedding degree. Hence, the new algorithm is suitable for computing optimal pairings and in situations where the denominators elimination technique is not possible.

Signtiming scheme based on aggregate signature

Timestamping is a cryptographic technique providing us with a proof-of-existence of a digital document at a given time. Combining both digital signature and provable time-stamping guarantees authentication, integrity and non-repudiation of electronic documents. In this paper, we introduce such a service, so called signtiming. Our scheme is based on an ID-based aggregate signature and is secure in the random oracle model.

A Secure Round-Based Timestamping Scheme with Absolute Timestamps (Short Paper)

The aim of timestamping systems is to provide a proof-of-existence of a digital document at a given time. Such systems are important to ensure integrity and non-repudiation of digital data over time. Most of the existing timestamping schemes use the notions of round (a period of time) and round token (a single value aggregating the timestamping requests received during one round). Such schemes have the following drawbacks: (i) Clients who have submitted a timestamping request must wait for the end of the round before receiving their timestamping certificate (ii) TimeStamping Authorities (TSA) based on such schemes are discrete-time systems and provide relative temporal authentication only, i.e. all the documents submitted during the same round are timestamped with the same date and time. (iii) the TSA can tamper timestamps before the round token is published in a widely distributed media. In this paper, we define a new timestamping scheme which overcomes these drawbacks.

Breaking an ID-based encryption based on discrete logarithm and factorization problems

We cryptanalyse the new ID-based encryption scheme proposed by Meshram.We find a method to factorize N, where N is the parameter proposed by Meshram.We also give a method to recover the secret master key of Meshrams ID-based encryption scheme.We also pointed out the flaws in the security proof in Theorem 5.1 of Meshrams paper in Section 4 of revised paper. Identity-based (ID-based) cryptography is very useful as it can simplify the certificate management in public key cryptosystem. Since 2001, researchers have introduced various practical and efficient ID-based encryption schemes. Most of them are based on pairings, under the Diffie-Hellman assumptions. Recently, Meshram 1 proposed a new ID-based encryption scheme which was not based on pairing-based cryptography. He proved that his scheme was secure against adaptive chosen plaintext attack, as its security was based on the difficulty of discrete logarithm and integer factorization problems. However, in this paper, we show that this new ID-based encryption scheme is insecure by presenting a method to recover the secret master key.