From the MOV attack to pairing-friendly curves

From the MOV attack topairing-friendly curves

Paula Cristina Valenca

[email protected]

Royal Holloway University of London

From the MOV attack to pairing-friendly curves – p. 1/13

Plan

� Elliptic Curves and the DLP

� Tate Pairing. The embedding degree

�

� The MOV attack

� Security conditions

� Constructing curves with a specific

�

� � �� MNT curves

� � � �� Status


Elliptic Curves

� � � � � � � � � � � � � � � � � � �

-4 -2 2 4

-6

-4

-2

2

4

6

� � � � � � � � ��

� � � � � � � � � � � � ��

� � � � � � � ��


Elliptic Curves

� � � � � � � � � � � � � � � � � � �

-4 -2 2 4

-6

-4

-2

2

4

6

P

Q

-R

R

O

� � � � � � � � ��

� � � � � � � � � � � � ��

� � � � � � � ��


The Discrete Logarithm Problem

Discrete Logarithm Problem

Given � and

in

� � , compute ! such that

� � "

Elliptic Curve Discrete Logarithm Problem

Given and in , compute such that

Best known attacks for ECDLP - exponential

Best known attacks for DLP - sub-exponential

EC bits DSA bits




Given � and

in


� � "


Given

#

and

$

in

� � � � �

, compute ! such that

$ � ! #

Best known attacks for ECDLP - exponential

Best known attacks for DLP - sub-exponential

EC bits DSA bits




Given � and

in


� � "


Given

#

and

$

in

� � � � �

, compute ! such that

$ � ! #

� Best known attacks for ECDLP - exponential

� Best known attacks for DLP - sub-exponential

EC� %&

bits

'� DSA

� & � (

bits


Embedding degree

The Tate Pairing

The Tate Pairing provides us with an isomorphism over� � � � �

and

� � �) #+* '� ,- . - / � �

in

� � � 0

where

#21 � ��

with order 3

� 4

is called the embedding degree

� 4

is the smallest integer s.t.

�� . � 5 � �


The MOV attack

� Presented by Menezes et al in 1993

� Generalized by Frey and Rück in 1994 ( thus alsocalled the FR-reduction attack)

Uses the Tate Pairing to reduce the DLP over toa DLP over

If is too small, say , MOV attack is better


The MOV attack

� Presented by Menezes et al in 1993

� Generalized by Frey and Rück in 1994 ( thus alsocalled the FR-reduction attack)

� Uses the Tate Pairing to reduce the DLP over

� � � � �

toa DLP over

� � �

� If

6

is too small, say

6 ) 7, MOV attack is better


Constructing curves

Problem : Can we construct curves with a desired embed-ding degree

6

?

supersingular, subject to MOV attack

resist MOV attack but has areasonable size - Pairing based cryptosystems

big


Constructing curves

Problem : Can we construct curves with a desired embed-ding degree

6

?

� 4 � 8:9 supersingular, subject to MOV attack

� 8 � 4 � ;< 9 resist MOV attack but

� � � has areasonable size - Pairing based cryptosystems

� 4

big


Status

� 4 � 8:9 MNT curves

� 8 � 4 � ;< 9 Open problem

� 6

big : Choose

=

small.


Status


4 > � � � ? @ � A B

C ? DFE � �HG I J C �K L even

M � � � � M �

( ? � �K L odd

M � � � � � M � �

7 ? � CK L oddM C � � � � M C �

C � � N � � � � � M 7 N � � N � M 7 N � �

( N � � N � � � NK N � � N � � � N � �K N � � �

7 ( N � � � � � M � N ( N � M � N � C


big : Choose small.


Status



� 6

big : Choose

=

small.


Status



� 6

big : Choose

=

small.

O � and= P C

,

6 P Q I R �

Q I R � = � � � � SK & ) S ) �� &


Cyclotomic Polynomials

� / � � �/

TVU �� - T�

W / � � � �XZY primitive

� � � - T�

where

- TK [ � �K\ \ \ K 3 are the 3 ] ^roots of unity.

�� . � 5 � � �_ ` 5

W_ � � �


Cyclotomic Polynomials (cont.)

a b c a d egf cih d

1 1 �kj �

2 1 � l �

3 2 � m l � l �

4 2 � m l �

5 4 � n l � o l � m l � l �6 2 � m j � l �

7 6 � p l � q l � n l � o l � m l � l �

8 4 � n l �9 6 � p l � o l �10 4 � n j � o l � m j � l �

11 10 � rs l � t l � u l � v l � p l � q l � n l � o l � m l � l �

12 4 � n j � m l �


General strategy

w biggest prime factor of

xy z{ � | } w ~� 5 z�� |. Otherwise, a

corresponding subgroup has embedding degree less than

�

.In particular, taking �� xy z { � | , � ~� 5 z � |

.

Example:

� � �

� �� and use ��

and

�� . Existence of integersolutions for the resulting equations gives the referred formulas.

Instead of , have and but


General strategy

w biggest prime factor of

xy z{ � | } w ~� 5 z�� |. Otherwise, a

corresponding subgroup has embedding degree less than

�

.In particular, taking �� xy z { � | , � ~� 5 z � |

.

Example:

� � �

� �� and use ��

and

�� . Existence of integersolutions for the resulting equations gives the referred formulas.

Instead of 3 . W 5 � � � , have 3 � \ L and L . W 5 � � � but3 D. W 5 � � �From the MOV attack to pairing-friendly curves – p. 11/13

What about ?

� Open problem

� W 5 � � � has degree* �

when

6 * 7

� . . . which implies solving, at least, a quartic(Diophantine) equation

� . . . typically, very few solutions, none of whichcryptographically significant or feasible

A few other strategies exist without using the above

. . . but in all of these


What about ?

� Open problem

� W 5 � � � has degree* �

when

6 * 7

� . . . which implies solving, at least, a quartic(Diophantine) equation

� . . . typically, very few solutions, none of whichcryptographically significant or feasible

� A few other strategies exist without using the above

� . . . but L ' � � � � in all of these


Questions

[email protected]


Education

From the MOV attack to pairing-friendly curves