Subgroup Security in Pairing-Based Cryptography

  • Paulo S. L. M. Barreto
  • Craig Costello
  • Rafael Misoczki
  • Michael Naehrig
  • Geovandro C. C. F. Pereira
  • Gustavo Zanon
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)

Abstract

Pairings are typically implemented using ordinary pairing-friendly elliptic curves. The two input groups of the pairing function are groups of elliptic curve points, while the target group lies in the multiplicative group of a large finite field. At moderate levels of security, at least two of the three pairing groups are necessarily proper subgroups of a much larger composite-order group, which makes pairing implementations potentially susceptible to small-subgroup attacks.

To minimize the chances of such attacks, or the effort required to thwart them, we put forward a property for ordinary pairing-friendly curves called subgroup security. We point out that existing curves in the literature and in publicly available pairing libraries fail to achieve this notion, and propose a list of replacement curves that do offer subgroup security. These curves were chosen to drop into existing libraries with minimal code change, and to sustain state-of-the-art performance numbers. In fact, there are scenarios in which the replacement curves could facilitate faster implementations of protocols because they can remove the need for expensive group exponentiations that test subgroup membership.
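The abstract's point, that two of the three pairing groups sit inside a much larger composite-order group and that the usual defence is a group exponentiation testing subgroup membership, can be made concrete at toy scale. The Python below is an added example, not code from the paper or its authors. It uses a constructed supersingular curve y^2 = x^3 + x over F_1019, chosen only because its group order p + 1 = 1020 is known in advance (real pairing-friendly curves are ordinary and far larger, but the structure, a prime-order subgroup G1 inside a composite-order group, is the same). It enumerates the group, lists the small prime factors of the cofactor (the orders of the subgroups an unchecked input point could lie in), and implements the membership test [r]P = O and cofactor clearing. All names (`in_subgroup`, `clear_cofactor`, `point_of_order`) are this example's own.

```python
# Added example (not from the paper): toy composite-order curve group, its
# prime-order subgroup G1, the membership test [r]P == O, cofactor clearing.
# Constructed curve: y^2 = x^3 + x over F_p, p = 1019 (p = 3 mod 4). It is
# supersingular, so #E(F_p) = p + 1 = 1020 = 2^2 * 3 * 5 * 17; that known
# order is the only reason for picking it. Toy sizes only.
P = 1019
A, B = 1, 0
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True if pt is INF or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine chord-and-tangent addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P), also covers doubling a 2-torsion point
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """[k]pt by double-and-add: the 'group exponentiation' of the abstract."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def all_points():
    """Enumerate E(F_p) using the p = 3 mod 4 square root (toy size only)."""
    pts = [INF]
    for x in range(P):
        rhs = (x * x * x + A * x + B) % P
        if rhs == 0:
            pts.append((x, 0))
            continue
        s = pow(rhs, (P + 1) // 4, P)
        if s * s % P == rhs:
            pts.extend([(x, s), (x, P - s)])
    return pts


def prime_factors(n):
    """Trial-division factorisation with multiplicity."""
    fs, d = [], 2
    while d * d <= n:
        while n % d == 0:
            fs.append(d)
            n //= d
        d += 1
    if n > 1:
        fs.append(n)
    return fs


POINTS = all_points()
N = len(POINTS)                                        # composite group order
R = max(prime_factors(N))                              # order of G1
H = N // R                                             # cofactor
SMALL_SUBGROUP_ORDERS = sorted(set(prime_factors(H)))  # orders of the small subgroups


def in_subgroup(pt):
    """Membership test for G1: a full multiplication by r."""
    return on_curve(pt) and mul(R, pt) is INF


def clear_cofactor(pt):
    """Send any curve point into G1 by multiplying by the cofactor."""
    return mul(H, pt)


def point_of_order(q):
    """A point of exact prime order q (q | N), found by cofactor clearing."""
    for pt in POINTS[1:]:
        cand = mul(N // q, pt)
        if cand is not INF:
            return cand
    raise ValueError(f"no point of order {q}")


if __name__ == "__main__":
    print(f"#E(F_p) = {N} = {R} * {H}; small subgroup orders: {SMALL_SUBGROUP_ORDERS}")
    g, t = point_of_order(R), point_of_order(SMALL_SUBGROUP_ORDERS[-1])
    print(f"G1 generator passes: {in_subgroup(g)}; order-5 point passes: {in_subgroup(t)}")
```

A point of order 5 is a valid curve point, so `on_curve` accepts it, and only the multiplication by r inside `in_subgroup` rejects it; that multiplication is the expensive check the abstract refers to, and a curve whose cofactor has no small prime factors is what lets some protocols drop it.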

Keywords

Pairing-based cryptography, elliptic-curve cryptography, pairing-friendly curves, subgroup membership, small-subgroup attacks


Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Paulo S. L. M. Barreto (1)
  • Craig Costello (2)
  • Rafael Misoczki (1)
  • Michael Naehrig (2)
  • Geovandro C. C. F. Pereira (1)
  • Gustavo Zanon (1)
  1. Escola Politécnica, University of São Paulo, São Paulo, Brazil
  2. Microsoft Research, Redmond, USA
