Tetsutaro Kobayashi

Fast elliptic curve algorithm combining Frobenius map and table reference to adapt to higher characteristic

A new elliptic curve scalar multiplication algorithm is proposed. The algorithm offers about twice the troughput of some conventional OEF-base algorithms because it combines the Frobenius map with the table reference method based on base-φ expansion. Furthermore, since this algorithm suits conventional computational units such as 16, 32 and 64 bits, its base field Fpm is expected to enhance elliptic curve operation efficiency more than Fq (q is a prime) or F2n.

Elliptic Curve Arithmetic Using SIMD

Focusing on servers that process many signatures or ciphertexts, this paper proposes two techniques for parallel computing with SIMD, which significantly enhances the speed of elliptic curve scalar multiplication. We also evaluate one of them based on a real implementation on a Pentium III, which incorporates the SIMD architecture. The results show that the proposed method is about 4.4 times faster than the conventional method.

Efficient Algorithms for Tate Pairing

This paper presents new algorithms for the Tate pairing on a prime field. Recently, many pairing-based cryptographic schemes have been proposed. However, computing pairings incurs a high computational cost and represents the bottleneck to using pairings in actual protocols. This paper shows that the proposed algorithms reduce the cost of multiplication and inversion on an extension field, and reduce the number of calculations of the extended finite field. This paper also discusses the optimal algorithm to be used for each pairing parameter and shows that the total computational cost is reduced by 50% if k = 6 and 57% if k = 8.

An improvement of key generation algorithm for Gentry's homomorphic encryption scheme

One way of improving efficiency of Gentrys fully homomorphic encryption is controlling the number of operations, but our recollection is that any scheme which controls the bound has not proposed. In this paper, we propose a key generation algorithm for Gentrys homomorphic encryption scheme that controls the bound of the circuit depth by using the relation between the circuit depth and the eigenvalues of a basis of a lattice. We present experimental results that show that the proposed algorithm is practical. We discuss security of the basis of the lattices generated by the algorithm for practical use.

Lenient/Strict Batch Verification in Several Groups

Batch verification is a useful tool in verifying a large number of cryptographic items all at one time. It is especially effective in verifying predicates based on modular exponentiation. In some cases, however, the items can be incorrect although they pass batch verification together. Such leniency can be eliminated by checking the domain of each item in advance. With this in mind, we investigate if the strict batch verification can remain more effective than separate verification. In this paper, we estimate the efficiency of such strict batch verification in several types of groups, a prime subgroup of ZZp with special/random prime p and prime subgroups defined on elliptic curves over Fp, F2m and Fpm, which are often used in DL-based cryptographic primitives. Our analysis concludes that the efficiency differs greatly depending on the choice of the group and parameters determined by the verifying predicate. Furthermore, we even show that there are some cases where batch verification, regardless of strictness, loses its computational advantage.

Candidate One-Way Functions on Non-Supersingular Elliptic Curves*A preliminary version was presented at ISEC2003 [22].

This paper proposes new candidate one-way functions constructed with a certain type of endomorphisms on non-supersingular elliptic curves. We can show that the one-wayness of our proposed functions is equivalent to some special cases of the co-Diffie-Hellman assumption. Also a digital signature scheme is explicitly described using our proposed functions.

A Cyclic Window Algorithm for ECC Defined over Extension Fields

This paper presents a new sliding window algorithm that is well-suited to an elliptic curve defined over an extension field for which the Frobenius map can be computed quickly, e.g., optimal extension field. The algorithm reduces elliptic curve group operations by approximately 15% for scalar multiplications for a practically used curve in comparison with Lim-Hwangs results presented at PKC2000, the fastest previously reported. The algorithm was implemented on computers. As a result, scalar multiplication can be accomplished in 573µs, 595µs, and 254µs on Pentium II (450 MHz), 21164A (500 MHz), and 21264 (500 MHz) computers, respectively.

Constructing Symmetric Pairings over Supersingular Elliptic Curves with Embedding Degree Three

In the present paper, we propose constructing symmetric pairings by applying the Ate pairing to supersingular elliptic curves over finite fields that have large characteristics with embedding degree three. We also propose an efficient algorithm of the Ate pairing on these curves. To construct the algorithm, we apply the denominator elimination technique and the signed-binary approach to the Millers algorithm, and improve the final exponentiation. We then show the efficiency of the proposed method through an experimental implementation.

Self-correctors for cryptographic modules

A self-corrector for a function f is an efficient machine that computes f correctly using any untrusted black-box that computes f correctly only with a certain probability. The design of self-correctors for non-verifiable functions, typically decryption functions of public-key cryptographies, was investigated. We present a design method for self-correctors that works even when the black-box returns correct output with probability of less than 1/2. For a practical demonstration of the method, we also present examples of self-correctors for the decryption functions of public-key cryptosystems, such as the ElGamal, the Pailler, and the GHV cryptosystems, and for hidden pairings with trapdoors.

An Experiment of Number Field Sieve for Discrete Logarithm Problem over GF(p 12)

The security of pairing-based cryptography is based on the hardness of the discrete logarithm problem (DLP) over finite field GF(p n ). For example, the security of the optimal Ate pairing using BN curves, which is one of the most efficient algorithms for computing paring, is based on the hardness of DLP over GF(p 12). Joux et al. proposed the number field sieve over GF(p n ) as an extension of the number field sieve that can efficiently solve the DLP over prime field GF(p). Two implementations of the number field sieve over GF(p 3) and GF(p 6) have been proposed, but there is no report on that over GF(p 12) of extension degree 12. In the sieving step of the number field sieve over GF(p) we perform the sieving of two dimensions, but we have to deal with more than two dimensions in the case of number field sieves over GF(p 12). In this paper we construct a lattice sieve of more than two dimensions, and discuss its parameter sizes such as the dimension of sieving and the size of sieving region from some experiments of the multi-dimensional sieving. Using the parameters suitable for efficient implementation of the number field sieve, we have solved the DLP over GF(p 12) of 203 bits in about 43 hours using a PC of 16 CPU cores.