Updating Key Size Estimations for Pairings

  • Razvan Barbulescu
  • Sylvain Duquesne
Article

Abstract

Recent progress on NFS imposed a new estimation of the security of pairings. In this work we study the best attacks against some of the most popular pairings and propose new key sizes using an analysis which is more precise than the analysis in a recent article of Menezes, Sarkar and Singh. We also select pairing-friendly curves for standard security levels.

Keywords

Pairing-based cryptology, Number field sieve, Discrete logarithm

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. IMJ-PRG, UMR CNRS 7586, Univ Paris 6, Univ Paris 7, Paris, France
  2. IRMAR, UMR CNRS 6625, Univ Rennes 1, Rennes, France
