2006 Conferences
ECC 2006
Speaker
Daniel J. Bernstein
Title
Elliptic vs. hyperelliptic, part 1
Abstract
Last year's speed records for Diffie-Hellman software were set with
a Montgomery-form elliptic curve. Is it possible to achieve even
better scalar-multiplication speeds with a Gaudry-form hyperelliptic
curve? Exactly how fast is arithmetic modulo 2127-1,
compared to arithmetic modulo 2255-19?
Speaker
Xavier Boyen
Title
Practical aspects of identity-based encryption.
Abstract
In this talk, I will discuss practical uses of pairing-based cryptography,
and identity-based encryption in particular. The talk will cover a number
of issues, ranging from basic security requirements and the threats being
addressed, to the selection of efficient algorithms, their instantiation,
parameterization, implementation, and deployment. Time-permitting, I will
also review some recent algorithmic developments of interest.
Speaker
Reinier Bröker
Title
Constructing elliptic curves for cryptography
Abstract
We present an algorithm that easily constructs elliptic curves that
can readily be used for cryptography, and we explain why it should
be expected to do so.
The algorithm makes use of auxiliary polynomials, called class polynomials.
The classical approach for computing these polynomials uses the modular
j-function. We explain how to use ``smaller functions'' instead of
j to gain a constant factor in the size of the coefficients of the
polynomials. The factor gained depends on the function used. Using
results on gonality of modular curves we give upper bounds on the
factor that we can gain.
Speaker
Isabelle Déchène
Title
Generalized Jacobians: Natural candidates for DL-based cryptography
Abstract
Generalized Jacobians are natural candidates to use in discrete
logarithm (DL) based cryptography. Indeed, the ElGamal, Elliptic and
Hyperelliptic Curve Cryptosystems as well as XTR, LUC and CEILIDH can
all be interpreted in terms of generalized Jacobians. However, usual
Jacobians and algebraic tori are currently the only generalized
Jacobians used in cryptography.
These observations thus motivate the study of the simplest nontrivial
generalized Jacobians of an elliptic curve, since they are in fact
semi-abelian varieties. In this talk, we will see that this family
satisfies the four basic requirements for a group to be suitable for
DL-based cryptography. Namely, that the group elements can be
represented in a compact form, that the group operation can be
performed efficiently, that the discrete logarithm problem is
believed to be intractable, and that the group order can be
efficiently computed. This thus shows the existence of a family
of generalized Jacobians, which are neither Jacobians nor tori,
that are applicable in cryptography.
Speaker
Claus Diem
Title
An index calculus algorithm for non-singular plane curves of high genus
Abstract
We present an index calculus algorithm for the discrete logarithm
problem in degree 0 class groups of non-singular plane curves of
high genus over finite fields. A heuristic analysis of the algorithm
gives rise to the following heuristic result: Let us consider the
discrete logarithm problem in degree 0 class groups of non-singular
plane curves over a fixed finite field. Then "essentially all"
instances of this DLP can be solved in an expected time of
L[1/3 + \epsilon] for any \epsilon > 0.
Speaker
Andreas Enge
Title
An L(1/3+\epsilon) algorithm for the discrete logarithm problem
in low degree curves
Abstract
Starting with the work by Adleman, DeMarrais and Huang more than ten years
ago, it has been well-established that the discrete logarithm problem in
Jacobians of curves of high genus over finite fields is easier to solve
than in elliptic curves of the same size. Letting L(\alpha, c) =
e^{(c + o (1)) (g \log q)^\alpha (\log (g \log q))^{1 - \alpha}}
denote the subexponential function with respect to the curve genus
g and the cardinality of the finite field
q, the algorithms for computing discrete
logarithms in high genus curves have a complexity of
L(1/2,c). This is in contrast on one hand to elliptic curves, for which so
far only
exponential algorithms are known except for some rare special cases, but also
to the computation of discrete logarithms in finite prime fields, for which
the number field sieve yields a more efficient algorithm in L(1/3,c).
We present the first subexponential algorithm with an exponent \alpha < 1/2
to attack the discrete logarithm problem in a class of algebraic curves. The
curves are characterised by their total degree being relatively low with
respect to their genus. The algorithm has a complexity of L(1/3,c) for
computing the group structure. The discrete logarithm problem itself is solved
in time L(1/3 + \epsilon, 0).
This is joint work with Pierrick Gaudry.
Speaker
David Freeman
Title
Methods for constructing pairing-friendly elliptic curves
Abstract
The practicality of pairing-based cryptography depends on our ability to
generate pairing-friendly elliptic curves with various embedding degrees.
In this talk, we present and compare the known methods for constructing
pairing-friendly elliptic curves of cryptographic size. We describe three
general strategies for constructing such curves. One succeeds in producing
curves of prime order, but with restricted embedding degree, while the
other two produce curves with arbitrary embedding degree, but having a
smaller prime-order subgroup.
Speaker
Tanja Lange
Title
Elliptic vs. hyperelliptic, part 2
Abstract
There's more to the world than software for large-characteristic
scalar multiplication on particular curves. How fast are hyperelliptic
curves in general? How fast are they in characteristic 2? How fast are
they for pairings? When are hyperelliptic curves better than elliptic
curves?
Speaker
Kristin Lauter
Title
Cryptographic hash functions from expander graphs
Abstract
In this talk we propose constructing provable collision resistant hash
functions from expander graphs. As examples, we investigate two specific
families of optimal expander graphs for provable hash function
constructions: the families of Ramanujan graphs constructed by
Lubotzky-Phillips-Sarnak and Pizer respectively. When the hash function is
constructed from one of Pizer's Ramanujan graphs, (the set of supersingular
elliptic curves in characteristic p with l-isogenies,
l a prime different from p), then collision resistance
follows from the hardness of computing
isogenies between supersingular elliptic curves. This is joint work with
Denis Charles and Eyal Goren.
Speaker
Laurie Law
Title
Finding invalid signatures in pairing-based batches
Abstract
Batch verification techniques can speed up the process of verifying
large sets of digital signatures. When a batch verification fails,
it is often necessary to quickly identify the bad signatures in the
batch. This talk will present improved techniques for identifying
these invalid signatures that work particularly well with certain
pairing-based signatures schemes.
Speaker
Dan Page
Title
Compilers in (elliptic curve) cryptography
Abstract
The increasing ubiquity of mobile computing devices has presented
programmers with a problem. On one hand mobile devices are required
to be as compact and low-power as possible; on the other hand they
are increasingly required to perform complex computational tasks.
This dichotomy is further complicated by the issue of (physical)
security which represents a significant problem within many mobile
applications. We present results from our initial work on using
compiler techniques to assist programmers in this context. Specifically
we look at automatic specialisation of field arithmetic, language level
support for cryptography, and problems arising from dynamic compilation.
Speaker
Jan Pelzl
Title
Cost estimates for ECC attacks with special-purpose hardware
Abstract
The utilization of Elliptic Curves (EC) in cryptography
is very promising because of their resistance against powerful
index-calculus attacks. Providing a similar level of security as RSA,
ECC allows for efficient implementation due to a significantly smaller
bit size of the operands. It is widely accepted that the only feasible
way to attack actual cryptosystems, if at all, is the application of
dedicated hardware. In times of continuous technological improvements
and increasing computing power, the question of the security of ECC
against attacks based on special-purpose hardware arises.
This talk presents an overview of hardware-based attacks against
(generic) ECC over binary and prime fields. An architecture and the
corresponding FPGA implementation of an attack against ECC over
prime fields will be discussed in detail. The multi-processing
hardware architecture is based on the Pollard-Rho method which is,
to our knowledge, currently the most efficient attack against ECC.
With a proof-of-concept implementation on an FPGA, a fairly accurate
estimate about the cost of a hardware-based attack against ECC with
current bit lengths can be given.
Speaker
Oliver Schirokauer
Title
Extending the special number field sieve
Abstract
We define the weight of an integer N to be the smallest
w such that N can be represented as
$\sum_{i=1}^w \epsilon_i 2^{c_i}$, with
$\epsilon_1, \ldots, \epsilon_w \in \{1,-1\}$. Since arithmetic modulo a
prime of low weight is particularly efficient, it is tempting to use
such primes in cryptographic protocols. In this talk, I will describe
an extension of the special number field sieve which can be used to
compute logarithms in finite fields having low-weight characteristic
and will consider the security implications for systems which depend
on the difficulty of this problem. In addition, I will briefly
discuss an idea to speed up the method which may also be of use in the
case that the characteristic is of the form f(c) where
f has small coefficients and c is large.
Speaker
Michael Scott
Title
Implementing cryptographic pairings
Abstract
In this talk we attempt to review the state-of-the-art in pairing
implementation. Starting with a basic Miller algorithm for the Tate
pairing we show how to successively apply a series of optimizations
and tricks to improve performance. We will concentrate on the case
of non-supersingular prime characteristic elliptic curves, although
many of the optimizations equally apply to the cases of supersingular
elliptic and hyperelliptic curves. We also discuss optimal implementation
of extension field arithmetic.
Speaker
Igor Shparlinski
Title
Distribution of elliptic curves for pairing-based cryptography
Abstract
We present some theoretic and heuristic estimates for the number of
elliptic curves with low embedding which is essential for their
applicability in pairing based cryptography. We also give estimates
for the number of fields over which such curves may exist. The main
ideas behind the proofs will be explained as well. Finally, we give
a heuristic analysis of the so-called MNT algorithm and show that it
produces a rather "thin" sequence of curves.
Speaker
Alice Silverberg
Title
Using primitive subgroups in cryptography
Abstract
We discuss a general mathematical framework for understanding cryptography
over non-prime extension fields for multiplicative groups, elliptic curves,
abelian varieties, and other commutative algebraic groups. In this
framework, the primitive subgroups of the restriction of scalars can be
viewed as twists of a power of the original group variety, or as tensor
products of the variety with suitable modules over a commutative ring (see
the recent preprint of Mazur, Rubin, and Silverberg). We express the
characteristic polynomial of Frobenius acting on a primitive subgroup in
terms of that of the original variety, and discuss possible implications for
the problem of finding pairing-friendly abelian varieties.
Speaker
Nigel Smart
Title
ID-based key agreement
Abstract
I will discuss ID based key agreement protocols based on pairings.
The discussion will focus on which protocols can be implemented in
which situations, and what security gaurantees one has. It turns
out that the choice of pairing parameters has a great influence on
what can be achieved.
Speaker
Nicolas Thériault
Title
Towards an exact cost analysis of index-calculus algorithms
Abstract
When we talk about the security of elliptic curves, We often state
that the best known generic attack takes $O(\sqrt{group order})$
group operations. What we really mean is that Pollard Rho has an
expected running time of $\sqrt{\pi/2} \times \sqrt{group order}$
group operations (replacing $\sqrt{\pi/2}$ with $(\sqrt{\pi})/2$ if we
take advantage of the involution). Even if we use the O-notation, we
know the exact value of the constant multiple hidden in the O( ).
When it comes to the security of hyperelliptic curves and the various index
calculus algorithms, we again have the O-notation, but this time it is
much less clear what the constant multiple actually is. Could it be
1000, 7.23, or .002 ? Although the asymptotic form of the attack does
not depend on the constant, the security impact is quite different.
Can we really have a fair comparison between curves of different genus
(or even between the different versions of index calculus) if we don't
know the constant multiple hidden in the O( )?
In this talk, we will narrow in on the constant and show that we can obtain
a fair comparison between elliptic and hyperelliptic curves of small genus.
