Presentation for Information Security PhD students, 2003. Short survey on how something that was first used to attack elliptic curve cryptography protocols gave birth to a popular new area, identity-based cryptography. (Note: since then, the open problem referred to has been solved by Barreto/Naehrig and Freeman.)
From the MOV attack to pairing-friendly curves
Paula Cristina Valença
Royal Holloway University of London
From the MOV attack to pairing-friendly curves – p. 1/13
Plan
- Elliptic curves and the DLP
- Tate pairing. The embedding degree $k$
- The MOV attack
- Security conditions
- Constructing curves with a specific $k$
  - MNT curves
  - Status
Elliptic Curves
[Figure: an elliptic curve plotted over the reals (x axis from -4 to 4, y axis from -6 to 6).]
[Figure: the same curve with the chord-and-tangent group law: the line through P and Q meets the curve a third time at -R, and reflecting gives R = P + Q; O is the point at infinity.]
The Discrete Logarithm Problem
Discrete Logarithm Problem: given $g$ and $h$ in $\mathbb{F}_q^*$, compute $x$ such that $h = g^x$.
Elliptic Curve Discrete Logarithm Problem: given $P$ and $Q$ in $E(\mathbb{F}_q)$, compute $x$ such that $Q = xP$.
- Best known attacks for ECDLP: exponential
- Best known attacks for DLP: sub-exponential
- EC 160 bits $\approx$ DSA 1024 bits
Embedding degree
The Tate Pairing
The Tate pairing gives an isomorphism between $\langle P \rangle$ and $\mu_n$, the group of $n$-th roots of unity in $\mathbb{F}_{q^k}^*$, where $P \in E(\mathbb{F}_q)$ has prime order $n$. Concretely, fix a point $Q$ with $e(P, Q) \neq 1$; then $P' \mapsto e(P', Q)$ is a group isomorphism $\langle P \rangle \to \mu_n$, and this is what transports a DLP on the curve into the field.
$k$ is called the embedding degree: $k$ is the smallest integer $k \ge 1$ such that $n \mid q^k - 1$ (equivalently, the multiplicative order of $q$ modulo $n$).
The MOV attack
- Presented by Menezes, Okamoto and Vanstone in 1993
- Generalized by Frey and Rück in 1994 (thus also called the FR-reduction attack)
- Uses a pairing (the Weil pairing in the original paper, the Tate pairing in the Frey-Rück version) to reduce the DLP in $E(\mathbb{F}_q)$ to a DLP in $\mathbb{F}_{q^k}^*$
- If $k$ is too small, say $k \le 6$, the MOV attack is better than the generic (exponential) attacks on the curve, because the DLP in $\mathbb{F}_{q^k}^*$ has sub-exponential attacks
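Checking a curve for the MOV/FR weakness described above, as an added example (this is not code from the slides; the toy curve $y^2 = x^3 + x$ over $\mathbb{F}_{10007}$ and the use of the secp256k1 constants as a contrast are my choices, and the function names are mine):

```python
# Added example (not from the slides): flag MOV/Frey-Rueck-weak parameters
# by computing the embedding degree of a prime-order subgroup.  Pure Python.
from typing import Optional


def curve_order(a: int, b: int, p: int) -> int:
    """#E(F_p) for y^2 = x^3 + a*x + b over a prime p > 3, counting the point
    at infinity.  Naive O(p log p) loop: fine for the toy p used here only."""
    count = 1  # point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            count += 1  # single point with y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:  # Euler's criterion: rhs is a square
            count += 2  # y and -y
    return count


def embedding_degree(q: int, n: int, bound: int = 10_000) -> Optional[int]:
    """Smallest k <= bound with n | q^k - 1, i.e. the order of q in (Z/nZ)^*.
    Returns None when no such k exists up to bound.  For the MOV question
    that is the useful answer: a generic curve has k of the size of n, and
    only a small k makes the transfer to F_{q^k} pay off for the attacker."""
    if n < 2 or q % n == 0:
        raise ValueError("n must be >= 2 and coprime to q")
    acc = 1
    for k in range(1, bound + 1):
        acc = acc * q % n
        if acc == 1:
            return k
    return None


def mov_assessment(p: int, n: int, group_order: int, max_weak_k: int = 6) -> dict:
    """Summarise the MOV situation for a subgroup of prime order n on a curve
    over F_p whose group order is group_order."""
    if group_order % n != 0:
        raise ValueError("n does not divide #E(F_p)")
    k = embedding_degree(p, n)
    return {
        "embedding_degree": k,
        # the reduction lands the DLP in F_{p^k}^*, a field of k*log2(p) bits
        "target_field_bits": None if k is None else k * p.bit_length(),
        "mov_weak": k is not None and k <= max_weak_k,
    }


# Constructed toy instance: y^2 = x^3 + x over F_p with p = 3 (mod 4) is
# supersingular, has exactly p + 1 points and embedding degree 2
# (p = -1 mod n for every n dividing p + 1).
TOY_P, TOY_A, TOY_B = 10007, 1, 0
TOY_N = 139  # prime factor of p + 1 = 10008 = 2^3 * 3^2 * 139

# Real-world contrast: secp256k1 (p and n from SEC 2).  Its embedding degree
# is far beyond any bound one would loop to, so the MOV reduction is useless.
SECP256K1_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def demo() -> dict:
    order = curve_order(TOY_A, TOY_B, TOY_P)
    toy = mov_assessment(TOY_P, TOY_N, order)
    k_secp = embedding_degree(SECP256K1_P, SECP256K1_N, bound=10_000)
    return {"toy_order": order, "toy": toy, "secp256k1_k": k_secp}


if __name__ == "__main__":
    print(demo())
```

The loop in `embedding_degree` is the check standards such as SEC 2 prescribe ($q^k \not\equiv 1 \pmod n$ for all small $k$); it cannot compute a large $k$ exactly without factoring $n - 1$, but for the MOV question only "is $k$ small" matters.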
Constructing curves
Problem: can we construct curves with a desired embedding degree $k$?
- $k \le 6$: this is where supersingular curves live (they always have $k \le 6$), so they are subject to the MOV attack; $q$ must then be chosen large enough that the DLP in $\mathbb{F}_{q^k}$ is itself hard
- $k$ moderately above 6: resists the MOV attack, but $\mathbb{F}_{q^k}$ still has a reasonable size, so the pairing stays computable. This is the range wanted for pairing-based cryptosystems
- $k$ big: the generic case; the MOV reduction is useless, but the pairing is not computable either
Status
- $k \le 6$: MNT curves (Miyaji, Nakabayashi, Takano). Ordinary curves over a prime field $\mathbb{F}_q$ with prime order $n = q + 1 - t$ and embedding degree $k \in \{3, 4, 6\}$ come from three parametrised families:

    k   q               t                n = q + 1 - t
    3   12 l^2 - 1      -1 +/- 6 l       12 l^2 -/+ 6 l + 1
    4   l^2 + l + 1     -l  or  l + 1    l^2 + 2 l + 2  or  l^2 + 1
    6   4 l^2 + 1       1 +/- 2 l        4 l^2 -/+ 2 l + 1

  For a usable curve one still needs $q$ and $n$ prime and $|t| \le 2\sqrt{q}$; the curve itself is then produced with the CM method, which requires the square-free part of $4q - t^2$ to be small.
- $k$ moderately above 6: open problem.
- $k$ big: choose ... small (the parameter symbol and the accompanying formulas are illegible in the extraction).
Cyclotomic Polynomials
$$x^n - 1 = \prod_{i=1}^{n} (x - \zeta_i), \qquad \Phi_n(x) = \prod_{\zeta_i \ \text{primitive}} (x - \zeta_i),$$
where $\zeta_i$, $i = 1, \dots, n$, are the $n$-th roots of unity. Hence $x^n - 1 = \prod_{d \mid n} \Phi_d(x)$, and for a prime $n$ with $n \nmid k$:
$$k = \min\{\, j \ge 1 : n \mid q^j - 1 \,\} \iff n \mid \Phi_k(q).$$
(The condition $n \nmid k$ matters: without it, $n \mid \Phi_k(q)$ only gives $n \mid q^k - 1$, not minimality of $k$.)
Cyclotomic Polynomials (cont.)

    n    deg Phi_n = phi(n)   Phi_n(x)
    1    1                    x - 1
    2    1                    x + 1
    3    2                    x^2 + x + 1
    4    2                    x^2 + 1
    5    4                    x^4 + x^3 + x^2 + x + 1
    6    2                    x^2 - x + 1
    7    6                    x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
    8    4                    x^4 + 1
    9    6                    x^6 + x^3 + 1
    10   4                    x^4 - x^3 + x^2 - x + 1
    11   10                   x^10 + x^9 + x^8 + x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x + 1
    12   4                    x^4 - x^2 + 1
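The cyclotomic table above and the MNT families from the Status slide, put to work as an added example (this is not code from the slides): it computes $\Phi_k(x)$ by dividing $x^k - 1$ by $\Phi_d$ for the proper divisors $d$ of $k$, scans $l$ through each MNT family, and keeps the parameters whose prime-order group has embedding degree exactly $k$, decided with the test $n \mid \Phi_k(q)$ and $n \nmid k$ rather than by looping over powers of $q$. Function names and the scan range are my choices.

```python
# Added example (not from the slides): build MNT parameters for k in {3,4,6}
# from the closed-form families and verify the embedding degree through the
# cyclotomic condition n | Phi_k(q).  Pure Python.
from math import log2


def poly_divexact(num: list[int], den: list[int]) -> list[int]:
    """Exact division of integer polynomials given lowest-degree-first;
    den must be monic (true for every cyclotomic polynomial)."""
    rem = num[:]
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        coef = rem[i + len(den) - 1]
        quot[i] = coef
        for j, dj in enumerate(den):
            rem[i + j] -= coef * dj
    if any(rem):
        raise ArithmeticError("division is not exact")
    return quot


def cyclotomic(k: int) -> list[int]:
    """Coefficients of Phi_k(x), lowest degree first, obtained from
    x^k - 1 = prod_{d | k} Phi_d(x) by dividing out Phi_d for each d < k."""
    poly = [-1] + [0] * (k - 1) + [1]  # x^k - 1
    for d in range(1, k):
        if k % d == 0:
            poly = poly_divexact(poly, cyclotomic(d))
    return poly


def poly_eval_mod(coeffs: list[int], x: int, m: int) -> int:
    """Horner evaluation of the polynomial at x, reduced modulo m."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % m
    return acc


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin with the first 13 prime bases, correct for
    every n below 3.3 * 10^24 (plenty for these toy MNT scans)."""
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41]
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def has_embedding_degree(q: int, n: int, k: int) -> bool:
    """For prime n: ord_n(q) = k  <=>  n | Phi_k(q) and n does not divide k."""
    return k % n != 0 and poly_eval_mod(cyclotomic(k), q, n) == 0


# The three MNT families: l -> (q, admissible traces t); n = q + 1 - t.
MNT_FAMILIES = {
    3: lambda l: (12 * l * l - 1, [-1 + 6 * l, -1 - 6 * l]),
    4: lambda l: (l * l + l + 1, [-l, l + 1]),
    6: lambda l: (4 * l * l + 1, [1 + 2 * l, 1 - 2 * l]),
}


def mnt_curves(k: int, l_max: int) -> list[dict]:
    """Scan l = 1..l_max and keep (q, t, n) with q and n prime, the Hasse
    bound t^2 <= 4q satisfied, and embedding degree exactly k."""
    found = []
    for l in range(1, l_max + 1):
        q, traces = MNT_FAMILIES[k](l)
        for t in traces:
            n = q + 1 - t
            if t * t > 4 * q or not (is_prime(q) and is_prime(n)):
                continue
            if not has_embedding_degree(q, n, k):
                continue  # e.g. n | k: then ord_n(q) < k although n | Phi_k(q)
            found.append({"l": l, "q": q, "t": t, "n": n,
                          "rho": round(log2(q) / log2(n), 3)})
    return found


if __name__ == "__main__":
    print(cyclotomic(12))  # coefficients of x^4 - x^2 + 1
    for k in (3, 4, 6):
        print(k, mnt_curves(k, 3))
```

The `rho` field is $\log q / \log n$; for MNT curves it is close to 1, which is exactly what the later constructions for $k > 6$ failed to achieve at the time. The Hasse filter is not decorative: for $k = 3$, $l = 1$ the trace $t = -7$ passes the cyclotomic test but violates $t^2 \le 4q$, so no curve with those parameters exists.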
General strategy
Let $r$ be the biggest prime factor of $\#E(\mathbb{F}_q)$. We need $r \mid \Phi_k(q)$: otherwise $r \mid \Phi_d(q)$ for some proper divisor $d$ of $k$, and the corresponding subgroup has embedding degree less than $k$. In particular, taking $n = \#E(\mathbb{F}_q)$ prime, $n \mid \Phi_k(q)$.
Example: $k = 3$, $\Phi_3(q) = q^2 + q + 1$, and use $n = q + 1 - t$ together with the Hasse bound $|t| \le 2\sqrt{q}$. Existence of integer solutions for the resulting equations gives the referred formulas.
Instead of $n \mid \Phi_k(q)$, one may have $n = h \cdot r$ with $r \mid \Phi_k(q)$ but $n \nmid \Phi_k(q)$: only the prime-order subgroup used by the protocol needs embedding degree $k$.
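The $k = 3$ example carried through, as an added worked derivation (it reproduces the MNT argument; it is not part of the original slides). Assume $q$ an odd prime, $n = \#E(\mathbb{F}_q) = q + 1 - t$ prime, and $n \mid \Phi_3(q)$. Since $q \equiv t - 1 \pmod n$,
$$\Phi_3(q) = q^2 + q + 1 \equiv (t-1)^2 + (t-1) + 1 = t^2 - t + 1 \pmod n,$$
so $t^2 - t + 1 = c\,n$ for some integer $c \ge 1$. The Hasse bound $|t| \le 2\sqrt{q}$ gives $t^2 - t + 1 \le 4q + 2\sqrt{q} + 1$ and $n \ge q + 1 - 2\sqrt{q} = (\sqrt{q} - 1)^2$, hence $c < 5$ as soon as $q > 136$ (the finitely many smaller $q$ can be checked by hand). Now $t^2 - t + 1 = t(t-1) + 1$ is always odd, which rules out $c = 2$ and $c = 4$, and $c = 1$ gives $q = n - 1 + t = t^2$, never prime. Only $c = 3$ remains. Then $3 \mid t^2 - t + 1$ forces $t \equiv 2 \pmod 3$, i.e. $t = -1 \pm 3u$, and
$$q = n - 1 + t = \frac{t^2 - t + 1}{3} - 1 + t = \frac{(t+1)^2 - 3}{3} = 3u^2 - 1 .$$
For $q$ to be odd, $u$ must be even, $u = 2l$, which yields the MNT family
$$q = 12l^2 - 1, \qquad t = -1 \pm 6l, \qquad n = q + 1 - t = 12l^2 \mp 6l + 1 .$$
The same template (reduce $\Phi_k(q)$ modulo $n$ to $\Phi_k(t-1)$, bound the quotient with Hasse, solve the resulting Diophantine equation) gives the $k = 4$ and $k = 6$ families; for $k > 6$ the degree of $\Phi_k$ is at least 4, which is the obstacle the next slide describes.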
What about $k > 6$?
- Open problem
- $\Phi_k(x)$ has degree $\varphi(k) \ge 4$ when $k > 6$
- ... which implies solving, at least, a quartic (Diophantine) equation
- ... typically, very few solutions, none of which cryptographically significant or feasible
- A few other strategies exist without using the above
- ... but $r \approx \sqrt{q}$ in all of these: the prime-order subgroup is only about half the size of the field, so the field (and every pairing computation) must be roughly twice as large as the security level alone would require