Koray Karabina

Faster explicit formulas for computing pairings over ordinary curves

We describe efficient formulas for computing pairings on ordinary elliptic curves over prime fields. First, we generalize lazy reduction techniques, previously considered only for arithmetic in quadratic extensions, to the whole pairing computation, including towering and curve arithmetic. Second, we introduce a new compressed squaring formula for cyclotomic subgroups and a new technique to avoid performing an inversion in the final exponentiation when the curve is parameterized by a negative integer. The techniques are illustrated in the context of pairing computation over Barreto-Naehrig curves, where they have a particularly efficient realization, and are also combined with other important developments in the recent literature. The resulting formulas reduce the number of required operations and, consequently, execution time, improving on the state-of-the-art performance of cryptographic pairings by 28%-34% on several popular 64-bit computing platforms. In particular, our techniques allow to compute a pairing under 2 million cycles for the first time on such architectures.

Analyzing the Galbraith-Lin-Scott Point Multiplication Method for Elliptic Curves over Binary Fields

Galbraith, Lin, and Scott recently constructed efficiently computable endomorphisms for a large family of elliptic curves defined over IFq2 and showed, in the case where q is a prime, that the Gallant-Lambert-Vanstone point multiplication method for these curves is significantly faster than point multiplication for general elliptic curves over prime fields. In this paper, we investigate the potential benefits of using Galbraith-Lin-Scott elliptic curves in the case where q is a power of 2. The analysis differs from the q prime case because of several factors, including the availability of the point halving strategy for elliptic curves over binary fields. Our analysis and implementations show that Galbraith-Lin-Scott point multiplication method offers significant acceleration for curves over binary fields, in both doubling- and halving-based approaches. Experimentally, the acceleration surpasses that reported for prime fields (for the platform in common), a somewhat counterintuitive result given the relative costs of point addition and doubling in each case.

Squaring in cyclotomic subgroups

We propose new squaring formulae for cyclotomic subgroups of the multiplicative group of certain finite fields. Our formulae use a compressed representation of elements having the property that decompression can be performed at a very low cost. The squaring formulae lead to new exponentiation algorithms in cyclotomic subgroups which outperform the fastest previouslyknown exponentiation algorithms when the exponent has low Hamming weight. Our algorithms can be adapted to accelerate the final exponentiation step of pairing computations.

A New Double Point Multiplication Algorithm and Its Application to Binary Elliptic Curves with Endomorphisms

We present a new double point multiplication algorithm based on differential addition chains. Our proposed scheme has a uniform structure and has some degree of built-in resistance against side channel analysis attacks. We discuss deploying our scheme in a hardware implementation of single point multiplication on binary elliptic curves with efficiently computable endomorphisms. Based on operation counts, we expect to gain accelerations of 30% and 18% for computing single point multiplication with and without availability of parallel multipliers, respectively, and these results are verified in our implementations.

On prime-order elliptic curves with embedding degrees k = 3, 4, and 6

We further analyze the solutions to the Diophantine equationsfrom which prime-order elliptic curves of embedding degrees k =3, 4 or 6 (MNT curves) may be obtained.We give an explicit algorithm togenerate such curves. We derive a heuristic lower bound for the numberE(z) of MNT curves with k = 6 and discriminant D ≤ z, and comparethis lower bound with experimental data.

A New Protocol for the Nearby Friend Problem

The question of location privacy has gained a special significance in the context of location-based services for mobile devices. The challenge is to allow the users to benefit from location-based services without disclosing their private location information unless necessary and that too only to the party eligible to receive that information. In this work, we investigate the so-called nearby friend problem. The problem has emerged in the context of location-based services such as social networking and is closely related to the issue of location privacy. In particular, we are interested in the question of how Alice can efficiently determine whether a friend Bob is at a nearby location or not. This has to be achieved without a third party and where Alice neither reveals any information about her own location nor can she extract any information about Bobs actual location when they are not nearby. Similarly, no eavesdropper should be able to gain any information about their actual locations, whether they are actually nearby or not. The problem becomes more challenging as both Alice and Bob are restricted in computational power and communication bandwidth. Starting from an earlier work by Zhong et al., we formalize the protocol definition and the security model and then propose a new protocol that solves the problem in the proposed security model. An interesting feature of the protocol is that it does not depend on any other cryptographic primitive, thus providing a new approach to solve the nearby friend problem. Our basic protocol and its extensions compare favorably with the earlier solutions for this problem. The protocol might be of use in other privacy-preserving applications.

INVALID-CURVE ATTACKS ON (HYPER)ELLIPTIC CURVE CRYPTOSYSTEMS

We extend the notion of an invalid-curve attack from elliptic curves to genus 2 hyperelliptic curves. We also show that invalid singular (hyper)elliptic curves can be used in mounting invalid-curve attacks on (hyper)elliptic curve cryptosystems, and make quantitative estimates of the practicality of these attacks. We thereby show that proper key validation is necessary even in cryptosystems based on hyperelliptic curves. As a byproduct, we enumerate the isomorphism classes of genus g hyperelliptic curves over a finite field by a new counting argument that is simpler than the previous methods.

Fault Attacks on Pairing-Based Protocols Revisited

Several papers have studied fault attacks on computing a pairing value e(P,Q), where P is a public point and Q is a secret point. In this paper, we observe that these attacks are in fact effective only on a small number of pairing-based protocols, and that too only when the protocols are implemented with specific symmetric pairings. We demonstrate the effectiveness of the fault attacks on a public-key encryption scheme, an identity-based encryption scheme, and an oblivious transfer protocol when implemented with a symmetric pairing derived from a supersingular elliptic curve with embedding degree 2.

Factor-4 and 6 compression of cyclotomic subgroups of and

Abstract Bilinear pairings derived from supersingular elliptic curves of embedding degrees 4 and 6 over finite fields 𝔽2 m and 𝔽3 m, respectively, have been used to implement pairing-based cryptographic protocols. The pairing values lie in certain prime-order subgroups of the cyclotomic subgroups of orders 22m + 1 and 32m – 3 m + 1, respectively, of the multiplicative groups and . It was previously known how to compress the pairing values over characteristic two fields by a factor of 2, and the pairing values over characteristic three fields by a factor of 6. In this paper, we show how the pairing values over characteristic two fields can be compressed by a factor of 4. Moreover, we present and compare several algorithms for performing exponentiation in the prime-order subgroups using the compressed representations. In particular, in the case where the base is fixed, we expect to gain at least a 54% speed up over the fastest previously known exponentiation algorithm that uses factor-6 compressed representations.

Point Decomposition Problem in Binary Elliptic Curves

We analyze the point decomposition problem (PDP) in binary elliptic curves. It is known that PDP in an elliptic curve group can be reduced to solving a particular system of multivariate non-linear equations derived from the so called Semaev summation polynomials. We modify the underlying system of equations by introducing some auxiliary variables. We argue that the trade-off between lowering the degree of Semaev polynomials and increasing the number of variables provides a significant speed-up.