From the MOV attack to pairing-friendly curves

From the MOV attack to
pairing-friendly curves
Paula Cristina Valenca
¸
P.Valenca@rhul.ac.uk

Royal Holloway University of London

From the MOV attack to pairing-friendly curves – p. 1/1

Plan

Elliptic Curves and the DLP

Tate Pairing. The embedding degree

¡

The MOV attack

Security conditions

Constructing curves with a speciﬁc

¡

MNT curves
¡

¤¢

£

Status
¡

¤¢
¥

£


Elliptic Curves

§

§
¨

¨

©¨

©¨

¨
¦

©

¦
©

¦

©

§

6

4
§

!

¨

¨
¦

©

2
§

§

!

¨

¨

¨
¦

¦

©

§
-4 -2 2 4
-2

-4

-6
!
)(

%

%

'

'
¨

¨

¨
#

#

#

#
$

0


Elliptic Curves

§

§
¨

¨

©¨

©¨

¨
¦

©

¦
©

¦

©

§

6 O

4 -R
§

!

¨

¨
¦

©

2
Q
§

§

!

¨

¨

¨
¦

¦

©

§
-4 -2 2 4
-2

P -4 R

-6
!
)(

%

%

'

'
¨

¨

¨
#

#

#

#
$

0


The Discrete Logarithm Problem
Discrete Logarithm Problem
Given and in , compute such that

2

2

4
1

3

1

0



2

2

4
1

3

1

0
Elliptic Curve Discrete Logarithm Problem
!
6

6

5

)

5
3

3

0



2

2

4
1

3

1

0
Elliptic Curve Discrete Logarithm Problem
!
6

6

5

)

5
3

3

0

Best known attacks for ECDLP - exponential

Best known attacks for DLP - sub-exponential

EC bits DSA bits
87

@

8
%
9


Embedding degree
The Tate Pairing

The Tate Pairing provides us with an isomorphism over
and
!

)

0

0

in
ED
F

H
G
E

C5

9
A

B

0
where with order
!

P5

)
I

Q
0

is called the embedding degree
R

is the smallest integer s.t.

S
!
F
R

)(

#

$
0


The MOV attack
Presented by Menezes et al in 1993

Generalized by Frey and Rück in 1994 ( thus also

called the FR-reduction attack)


The MOV attack
Presented by Menezes et al in 1993

Generalized by Frey and Rück in 1994 ( thus also

called the FR-reduction attack)
Uses the Tate Pairing to reduce the DLP over to

!

)

0
a DLP over

0

If is too small, say , MOV attack is better
T

T

U

A


Constructing curves

Problem : Can we construct curves with a desired embed-
ding degree ?
T


Constructing curves

Problem : Can we construct curves with a desired embed-
ding degree ?
T

supersingular, subject to MOV attack
R

XV
'

W

resist MOV attack but has a
R

V

Y`
'

'

W

0
reasonable size - Pairing based cryptosystems
big
R


Status
MNT curves
R

XV
'

W

Open problem
R
V

Y`
'

'

W

big : Choose small.
T

a


U @ g U @ g R
V R
' c '
Status
R i ph W XV

' c c
x q r
Y` § b
@
W x % #
§ ¨ x u g u % s
§
x t
¨ v v
$ g
¨ u ! c
d
!
v

odd
odd
MNT curves

even

Open problem
$ $ $
u x w w
w
x e
w w g %
¨ # # #
% U
x x

x
§
# #
@ ¨ % #
x x
§ % § ¨ ¨
x ¨
w
¨ w
% w w f
x u % U w
x
¨ x
§ ¨ g %
g # # #
¨


Status
MNT curves
R

XV
'

W

Open problem
R
V

Y`
'

'

W

big : Choose small. and ,
T

y

g
€
a

a

#

‚
s

#
T

8
€

A

A
u ƒ

ƒ
$

!

8
a
‚
s

$


Cyclotomic Polynomials

G

„ !
G

$ E

$

†„

…

!

„ !
$ E
‡

G

primitive
‰ ˆ
where are the roots of unity.
”
“
E

‘

Q

Q

„
u

u’
’
’
u

S
!
F

!
)(

‡

#

#

•
$
0

–
•

S


9
8
7
6
5
4
3
2
1

12
11
10
—

˜™

4
4
6
4
6
2
4
2
2
1
1

10
—d

0 0 0 0 0 0 0 0 0 0 0 kj0 f ge
j n rs j n p n p j m n m m
l h i™
l l l l l l
0 l 0 0 0 0 0 0
m 0 o o q o d
t l l
l l l l l
l 0 0 0
0 j m n m
u
l l
l 0 0 0
0 o
v l l
l
l 0
0 m
p
l
l 0
0
q l
l
0
n
l
0
o
l
0
m
l
0
Cyclotomic Polynomials (cont.)

l


General strategy
biggest prime factor of . Otherwise, a

|

z
|
yx

z{

~
}
w

w

€
S
0
corresponding subgroup has embedding degree less than .

‚
In particular, taking , .

|

€ z
|
yx

z{

~
ƒ
ƒ„

S
0
Example:
„ ‚

…

‡ˆ§
†

Š
‰
€

€
ƒ„

and use and . Existence of integer
§

€ Ž
Š

Œ
‹

‹
‰
€
ƒ„

‡

solutions for the resulting equations gives the referred formulas.


General strategy
biggest prime factor of . Otherwise, a

|

z
|
yx

z{

~
}
w

w

€
S
0
corresponding subgroup has embedding degree less than .

‚
In particular, taking , .

|

€ z
|
yx

z{

~
ƒ
ƒ„

S
0
Example:
„ ‚

…

‡ˆ§
†

Š
‰
€

€
ƒ„

and use and . Existence of integer
§

€ Ž
Š

Œ
‹

‹
‰
€
ƒ„

‡

solutions for the resulting equations gives the referred formulas.

Instead of , have and but
F

!

F

!
2
‡

‡
Q

#

Q

v

v

#

S

S
’
hF

!
‡
Q

#
S


What about ?
Open problem

has degree when

!

BT
‡

%

U

B
#
S

. . . which implies solving, at least, a quartic

(Diophantine) equation
. . . typically, very few solutions, none of which

cryptographically signiﬁcant or feasible


What about ?
Open problem

has degree when

!

BT
‡

%

U

B
#
S

. . . which implies solving, at least, a quartic

(Diophantine) equation
. . . typically, very few solutions, none of which

cryptographically signiﬁcant or feasible
A few other strategies exist without using the above

. . . but in all of these

!

v

#
9


Questions

P.Valenca@rhul.ac.uk


From the MOV attack to pairing-friendly curves

Related slideshows

More Related Content

From the MOV attack to pairing-friendly curves