Steven D. Galbraith

Implementing the Tate Pairing

The Tate pairing has found several new applications in cryptography. This paper provides methods to quickly compute the Tate pairing, and hence enables efficient implementation of these cryptosystems. We also give division-free formulae for point tripling on a family of elliptic curves in characteristic three. Examples of the running time for these methods are given.

Efficient pairing computation on supersingular Abelian varieties

We present a general technique for the efficient computation of pairings on Jacobians of supersingular curves. This formulation, which we call the eta pairing, generalizes results of Duursma and Lee for computing the Tate pairing on supersingular elliptic curves in characteristic 3. We then show how our general technique leads to a new algorithm which is about twice as fast as the Duursma–Lee method. These ideas are applied to elliptic and hyperelliptic curves in characteristic 2 with very efficient results. In particular, the hyperelliptic case is faster than all previously known pairing algorithms.

Supersingular Curves in Cryptography

Frey and Ruck gave a method to transform the discrete logarithm problem in the divisor class group of a curve over Fq into a discrete logarithm problem in some finite field extension Fqk. The discrete logarithm problem can therefore be solved using index calculus algorithms as long as k is small. In the elliptic curve case it was shown by Menezes, Okamoto and Vanstone that for supersingular curves one has k ≤ 6. In this paper curves of higher genus are studied. Bounds on the possible values for k in the case of supersingular curves are given which imply that supersingular curves are weaker than the general case for cryptography. Ways to ensure that a curve is not supersingular are also discussed. A constructive application of supersingular curves to cryptography is given, by generalising an identity-based cryptosystem due to Boneh and Franklin. The generalised scheme provides a significant reduction in bandwidth compared with the original scheme.

Mathematics of Public Key Cryptography

Public key cryptography is a major interdisciplinary subject with many real-world applications, such as digital signatures. A strong background in the mathematics underlying public key cryptography is essential for a deep understanding of the subject, and this book provides exactly that for students and researchers in mathematics, computer science and electrical engineering. Carefully written to communicate the major ideas and techniques of public key cryptography to a wide readership, this text is enlivened throughout with historical remarks and insightful perspectives on the development of the subject. Numerous examples, proofs and exercises make it suitable as a textbook for an advanced course, as well as for self-study. For more experienced researchers it serves as a convenient reference for many important topics: the Pollard algorithms, Maurer reduction, isogenies, algebraic tori, hyperelliptic curves and many more.

Invisibility and anonymity of undeniable and confirmer signatures

A proxy signature enables the original signer to delegate her signing capability to a proxy entity, who signs a message on behalf of the original signer. In this paper, we discuss the necessity of a secure channel in proxy signatures. Though establishing a secure channel has much influence on the efficiency of the scheme, to the best of our knowledge, this topic has not been discussed before. All known proxy signatures used a secure channel to deliver a signed warrant except one which used a 3-pass weak blind signature. However, the KPW scheme [2] appeared to be secure without the secure channel. We think that our result can contribute to designing more efficient proxy signature scheme.

Pairing-Based Cryptography – Pairing 2008

This book constitutes the thoroughly refereed proceedings of the Second International Conference on Pairing-Based Cryptography, Pairing 2008, held in London, UK, in September 2008. The 20 full papers, presented together with the contributions resulting from 3 invited talks, were carefully reviewed and selected from 50 submissions. The contents are organized in topical sections on cryptography, mathematics, constructing pairing-friendly curves, implementation of pairings, and hardware implementation.

Extending the GHS Weil Descent Attack

In this paper we extend the Weil descent attack due to Gaudry, Hess and Smart (GHS) to a much larger class of elliptic curves. This extended attack applies to fields of composite degree over F2. The principle behind the extended attack is to use isogenies to find an elliptic curve for which the GHS attack is effective. The discrete logarithm problem on the target curve can be transformed into a discrete logarithm problem on the isogenous curve.A further contribution of the paper is to give an improvement to an algorithm of Galbraith for constructing isogenies between elliptic curves, and this is of independent interest in elliptic curve cryptography. We show that a larger proportion than previously thought of elliptic curves over F2155 should be considered weak.

Ordinary abelian varieties having small embedding degree

Miyaji, Nakabayashi and Takano (MNT) gave families of group orders of ordinary elliptic curves with embedding degree suitable for pairing applications. In this paper we generalise their results by giving families corresponding to non-prime group orders. We also consider the case of ordinary abelian varieties of dimension 2. We give families of group orders with embedding degrees 5, 10 and 12.

A Cryptographic Application of Weil Descent

This paper gives some details about howWeil descent can be used to solve the discrete logarithm problem on elliptic curves which are defined over finite fields of small characteristic. The original ideas were first introduced into cryptography by Frey. We discuss whether these ideas are a threat to existing public key systems based on elliptic curves.

CONSTRUCTING ISOGENIES BETWEEN ELLIPTIC CURVES OVER FINITE FIELDS

Let E1 and E2 be ordinary elliptic curves over a finite field Fp such that #E1.Fp/ D #E2.Fp/. Tate’s isogeny theorem states that there is an isogeny fromE1 toE2 which is defined over Fp. The goal of this paper is to describe a probabilistic algorithm for constructing such an isogeny. The algorithm proposed in this paper has exponential complexity in the worst case. Nevertheless, it is efficient in certain situations (that is, when the class number of the endomorphism ring is small). The significance of these results to elliptic curve cryptography is discussed.