Presentation for Information Security PhD students, 2003.
Short survey on how something that was first used to attack elliptic-curve cryptography protocols gave birth to a popular new area, identity-based cryptography.
(Note: since then, the open problem referred to has been solved by Barreto/Naehrig and Freeman.)
1. From the MOV attack to pairing-friendly curves
Paula Cristina Valença
P.Valenca@rhul.ac.uk
Royal Holloway University of London
From the MOV attack to pairing-friendly curves – p. 1/1
2. Plan
Elliptic Curves and the DLP
Tate Pairing. The embedding degree
The MOV attack
Security conditions
Constructing curves with a specific embedding degree
MNT curves
Status
5. The Discrete Logarithm Problem
Discrete Logarithm Problem
Given and in , compute such that
Elliptic Curve Discrete Logarithm Problem
Given and in , compute such that
Best known attacks for ECDLP - exponential
Best known attacks for DLP - sub-exponential
Key-size comparison table: EC bits vs. DSA bits
8. Embedding degree
The Tate Pairing
The Tate Pairing provides us with an isomorphism over and in
where with order
is called the embedding degree
is the smallest integer s.t.
9. The MOV attack
Presented by Menezes et al. in 1993
Generalized by Frey and Rück in 1994 (thus also called the FR-reduction attack)
Uses the Tate Pairing to reduce the DLP over to a DLP over
If is too small, say , the MOV attack is better
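As an added example that is not part of the slides, the Python script below computes the embedding degree of the prime-order subgroup of a toy curve over F_p and reports the size of the finite field into which the Tate pairing moves the ECDLP. The two toy curves (y² = x³ + x over F_1019, which is supersingular, and the textbook curve y² = x³ + x + 1 over F_23) and the "small k" threshold of 6 are my choices, not values taken from the slides.

```python
# Added example, not from the slides: embedding degree of the prime-order
# subgroup of E(F_p) and the field the MOV/FR reduction moves the ECDLP into.
# Toy sizes only: point counting is brute force; the threshold 6 is assumed.
from math import gcd

def embedding_degree(q: int, r: int) -> int:
    """Smallest k >= 1 with r | q^k - 1, i.e. the order of q modulo r."""
    if r < 2 or gcd(q, r) != 1:
        raise ValueError("r must be > 1 and coprime to q")
    acc, k = q % r, 1
    while acc != 1:            # terminates: the order of q mod r is <= r - 1
        acc, k = acc * q % r, k + 1
    return k

def count_points(a: int, b: int, p: int) -> int:
    """#E(F_p) for y^2 = x^3 + a*x + b, counted by brute force (small p)."""
    roots = {}                 # roots[v] = number of y in F_p with y^2 = v
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))

def largest_prime_factor(n: int) -> int:
    best, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            best, n = d, n // d
        d += 1
    return n if n > 1 else best

def mov_report(a: int, b: int, p: int, k_bound: int = 6) -> dict:
    """r = largest prime dividing #E(F_p), k = its embedding degree,
    dlp_bits = size of F_{p^k}, where the Tate pairing lands the DLP."""
    r = largest_prime_factor(count_points(a, b, p))
    k = embedding_degree(p, r)
    return {"r": r, "k": k, "dlp_bits": k * p.bit_length(),
            "small_k": k <= k_bound}

if __name__ == "__main__":
    # y^2 = x^3 + x over F_p with p = 3 (mod 4) is supersingular, #E = p + 1,
    # so r | p + 1 gives p = -1 (mod r) and hence k = 2 (constructed toy p = 1019).
    print(mov_report(1, 0, 1019))   # {'r': 17, 'k': 2, 'dlp_bits': 20, 'small_k': True}
    # ordinary textbook curve y^2 = x^3 + x + 1 over F_23: #E = 28, r = 7, k = 3
    print(mov_report(1, 1, 23))     # {'r': 7, 'k': 3, 'dlp_bits': 15, 'small_k': True}
```

At toy sizes k is bounded by r - 1 and is small for any curve; the point is the computation, and at real sizes the decision rests on dlp_bits being large enough for the sub-exponential finite-field algorithms to be out of reach.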
11. Constructing curves
Problem: Can we construct curves with a desired embedding degree ?
supersingular, subject to MOV attack
resist MOV attack but has a reasonable size - Pairing based cryptosystems
big
13. Status
MNT curves
Open problem
big : Choose small. and ,
17. Cyclotomic Polynomials
where are the primitive roots of unity.
18. Cyclotomic Polynomials (cont.)
Table of the cyclotomic polynomials and their degrees for indices 1 to 12.
19. General strategy
biggest prime factor of . Otherwise, a corresponding subgroup has embedding degree less than .
In particular, taking , .
Example: and use and . Existence of integer solutions for the resulting equations gives the referred formulas.
Instead of , have and but
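As an added example that is not from the slides, the script below builds the cyclotomic polynomials Φ_k by exact division, uses the standard fact that the smallest k with r | Φ_k(q) is the embedding degree of a prime r (r not dividing q), and rewrites the condition in terms of the trace t of the curve, which is the form the MNT construction solves as a Diophantine equation. The toy values (q = 23 with n = 28, q = 1019 with n = 1020) are constructed for illustration.

```python
# Added example, not from the slides: cyclotomic polynomials Phi_k and the
# test "r divides Phi_k(q)" that characterises embedding degree k, rewritten in
# terms of the trace t as in the MNT construction. Toy numbers are constructed.
from functools import lru_cache

def poly_divexact(num, den):
    """Exact division of integer polynomials given as coefficient lists,
    lowest degree first; den must be monic."""
    num = list(num)
    quot = [0] * (len(num) - len(den) + 1)
    for i in range(len(quot) - 1, -1, -1):
        c = num[i + len(den) - 1]          # leading coefficient of the remainder
        quot[i] = c
        for j, d in enumerate(den):
            num[i + j] -= c * d
    assert not any(num), "division was not exact"
    return quot

@lru_cache(maxsize=None)
def cyclotomic(k: int) -> tuple:
    """Phi_k(x) = (x^k - 1) / prod_{d | k, d < k} Phi_d(x), lowest degree first."""
    poly = [-1] + [0] * (k - 1) + [1]      # x^k - 1
    for d in range(1, k):
        if k % d == 0:
            poly = poly_divexact(poly, cyclotomic(d))
    return tuple(poly)

def poly_eval(coeffs, x: int) -> int:
    return sum(c * x**i for i, c in enumerate(coeffs))

def embedding_degree_via_cyclotomic(q: int, r: int, kmax: int = 12):
    """Smallest k with r | Phi_k(q). Because q^k - 1 = prod_{d|k} Phi_d(q),
    this k is exactly the order of q modulo the prime r (the embedding degree)."""
    return next((k for k in range(1, kmax + 1)
                 if poly_eval(cyclotomic(k), q) % r == 0), None)

def trace_form(q: int, n: int, k: int) -> int:
    """With n = #E(F_q) = q + 1 - t and r | n, q == t - 1 (mod r), so the
    condition r | Phi_k(q) becomes r | Phi_k(t - 1): a degree-phi(k) equation in t."""
    t = q + 1 - n
    return poly_eval(cyclotomic(k), t - 1)

if __name__ == "__main__":
    print([cyclotomic(k) for k in (3, 4, 6, 12)])   # degrees 2, 2, 2, 4
    # constructed toy curves: y^2 = x^3 + x + 1 over F_23 (n = 28, r = 7) and
    # y^2 = x^3 + x over F_1019 (n = 1020, r = 17)
    print(embedding_degree_via_cyclotomic(23, 7), trace_form(23, 28, 3) % 7)
    print(embedding_degree_via_cyclotomic(1019, 17), trace_form(1019, 1020, 2) % 17)
```

For k = 3, 4, 6 the polynomial Φ_k has degree 2, so r | Φ_k(t - 1) is a quadratic in t; for k = 5, 7, 8, 9, 10, 12 the degree is 4 or more, which is the quartic Diophantine obstacle the later slides refer to.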
21. What about ?
Open problem
has degree when
. . . which implies solving, at least, a quartic (Diophantine) equation
. . . typically, very few solutions, none of which is cryptographically significant or feasible
A few other strategies exist without using the above
. . . but in all of these
23. Questions
P.Valenca@rhul.ac.uk