sign in sign up
<<
Home , ElGamal signature scheme

Elliptic Curves

Guilhem Castagnos

September – December 2020

last updated: August 29, 2020

Contents

I The Problem 1 1 Bibliography ...... 1 2 Asymmetric and Symmetric ...... 1 3 The Discrete Logarithm Problem ...... 2 3.1 Definitions ...... 2 3.2 Algorithms for Computing Discrete Logarithms ...... 3

II First Cryptographic Applications 9 1 Diffie-Hellman (76) ...... 9 2 Elgamal (84) ...... 9 3 ...... 10 3.1 Definition ...... 10 3.2 Elgamal Signature (84) ...... 10 4 Elliptic Curve Cryptography ...... 11 4.1 ECDSA...... 11 4.2 EC-Schnorr ...... 12 4.3 How to generate an elliptic curve suitable for cryptography ...... 12

III Pairings for Cryptography 15 1 Weil and Tate Pairings ...... 15 2 MOV Attack ...... 17 3 Pairing Friendly curves ...... 18

IV Some Pairing-based Cryptographic Protocols 19

– iii – CONTENTS

– iv – Chapter I

The Discrete Logarithm Problem

1. Bibliography

• In French: Courbes elliptiques - Une présentation élémentaire pour la cryptographie, Philippe Guillot, Édi- tions Hermes-Lavoisier, (2010)

• Elliptic Curves and Their Applications to Cryptography — An Introduction, Andreas Enge, Kluwer Aca- demic Publishers (1999), Bilinear pairings on elliptic curves, Andreas Enge, L’Enseignement Mathéma- tique, https://hal.inria.fr/hal-00767404/ (2015)

• Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Gerhard Frey, Chapman & Hall/CRC (2006)

• ThearithmeticofEllipticCurves, Joseph H. Silverman, Springer, 2nd Edition (2009), in particular chap- ter XI, Algorithmic Aspects of Elliptic Curves

• Mathematics of Public Cryptography, Steven Galbraith, Cambridge University Press (2012), in par- ticular Part II Algebraic Groups and Part V Cryptography Related to Discrete Logarithms

2. Asymmetric and Symmetric Cryptography

In cryptography, Elliptic Curves are mainly used for asymmetric cryptography. Differences between Symmetric and Asymmetric Cryptography: For example, encryption Schemes : to protect confidentiality between Alice and Bob.

– 1 – Chapitre I : The Discrete Logarithm Problem

Symmetric Encryption Scheme

Oscar

Alice Bob 푠푘 푠푘

Encrypt Decrypt 푠푘(푚A) = 푐A 푠푘(푐A) = 푚A

Encrypt Decrypt 푠푘(푚B) = 푐B 푠푘(푐B) = 푚B

푚A, 푚B: plaintexts (messages clairs), 푐A, 푐B: (messages chiffrés), Encrypt : encryption scheme (Algorithme de chiffrement), Decrypt : decryption scheme (Algorithme de déchiffrement), 푠푘: secret or private key

Asymmetric Encryption Scheme

Bob Alice 푝푘, 푠푘

Encrypt (푚) = 푐 Decrypt 푝푘 푠푘(푐) = 푚

푝푘: public key, 푠푘: private key

Symmetric vs Asymmetric Symmetric cryptography: security is based on the size of the key (only attack must be exhaustive search: 푘 bits key, 2푘 operations), Fast, Encryption (e.g. AES), MAC (for integrity and authentication), Hash Functions (for integrity, e.g. the SHA family),… Asymmetric cryptography: security is based on the difficulty of on algorithmic problem. is chosen in order to make this problem intractable. Slower than symmetric cryptography, (e.g. Diffie-Hellman), Encryption (e.g. RSA), Digital Signature (e.g. DSA, for integrity, authentication and non repudiation). Security of based on elliptic curves mostly rely on algorithmic problems related to the discrete logarithm problem.

3. The Discrete Logarithm Problem

3.1. Definitions 2 3 푛 We consider a cyclic group of order 푛, (G, ×) generated by 푔 ∈ G, i.e., ⟨푔⟩ = {푔, 푔 , 푔 , … , 푔 = 1} = G. In general, 푛 will be a (cf. Pohlig–Hellman Algorithm).

– 2 – 3. The Discrete Logarithm Problem

Examples × × For example a subgroup of (Z/푝Z) with 푝 prime. (Z/푝Z) is cyclic of order 푝 − 1. If 푛 divides 푝 − 1, there × 푑 × exists 푔 ∈ (Z/푝Z) of order 푛. More generally, a subgroup of a finite field F푞 (푞 = 푝 ) as (F푞) is cyclic of order 푞 − 1. The group of points of an Elliptic Curve. Order is by Hasse: |E(F푞) − (푞 + 1)| ⩽ 2√푞, then we consider a subgroup of prime order 푛. In this case, we will use additive notations: (G, +) with G = {P, 2P, 3P, … , 푛P = O}.

The Discrete Logarithm Problem Let ℎ ∈ 푔. Weknow that ℎ = 푔푥 for some 푥. Finding 푥 is solving the Discrete Logarithm Problem. Wewill denote 푥 = log푔(ℎ). We can define 푥 modulo 푛: Let us consider the group morphism 푒푥푝푔 ∶ (Z/푛Z, +) → 푎 푎 푏 (G, ×), 푎 ↦ 푔 . It is well-defined: if 푎 = 푏 + 푘푛, 푒푥푝푔(푎) = 푔 = 푔 = 푒푥푝푔(푏). It is a morphism : 푒푥푝푔(푎 + 푏) = 푒푥푝푔(푎) × 푒푥푝푔(푏). It is an isomorphism (a bijective morphism): same number of elements and injective: 푒푥푝푔(푎) = 1, 푛 ∣ 푎, so 푎 = 0. The discrete logarithm is the inverse function, so it is a morphism from (G, ×) to (Z/푛Z, +).

Properties If 푔 and 푔′ are two generators then 푔′ = 푔푎 with 푎 invertible modulo 푛: indeed, there exits also 푏 such that 푏 푔 = 푔′ = 푔푎푏, so 푎푏 ≡ 1 mod 푛. Conversely, if ℎ = 푔푎 with 푎 invertible then ℎ is a generator: if ℎ푏 = 1 then 푔푎푏 = 1 so 푎푏 ≡ 0 and 푏 ≡ 0.

′ 푎 ′푏 Change of generator: If 푔, 푔 are two generators, ℎ = 푔 et ℎ = 푔 , i.e., log푔(ℎ) = 푎 and log푔′ (ℎ) = 푏. We ′ ′ 푐 푏푐 푎 ′ denote 푐 = log푔 푔 . Then 푔 = 푔 so ℎ = 푔 = 푔 and 푎 ≡ 푏푐. As a result, log푔(푔) = log푔′ (ℎ) × log푔 푔 , or ′−1 ′ log푔′ (ℎ) ≡ log푔(푔) log푔 푔 where this last term is invertible because 푔 is a generator. As a result, if we know how to compute discrete logarithms in basis 푔 then we can do it in basis 푔′. The difficulty of computing discrete logarithms only depends on the group and not on the generator chosen.

Remark that the discrete logarithm problem can be easy: For example in G = (Z/푛Z, +). 푔 is a generator if and only if gcd(푔, 푛) = 1. Indeed, we know that 1 is a generator as G = {1, 2, 3, … , 푛 = 0} = {1, 2 × 1, 3 × 1, 푛 × 1 = 0}. From what we saw, the others generators are the 푎 × 1 with 푎 invertible modulo 푛. Then −1 (Z/푛Z, +) = G = 푔, 2푔, 3푔, … 푛푔 = 0. If ℎ ∈ Z/푛Z, ℎ ≡ 푥푔, 푥 ≡ ℎ푔 computable in polynomial time with a simple extended Euclidean algorithm.

3.2. Algorithms for Computing Discrete Logarithms First we see some generic algorithms that work for all cyclic group G of order 푛: the naive algorithm, The Baby Step Giant Step method , the ρ method of Pollard, and the Pohlig–Hellman algorithm that reduce computing discrete logarithm in a group of order 푛 to computing logarithm in subgroups of order 푝 where 푝 is prime and 푝 divides 푛. By a theorem of Shoup (97), an algorithm that solve the discrete logarithm in G must do at least 풪 (√푛) operations in G.

The Naive Algorithm ℎ = 푔푥, 푥?

Compute 푔, 푔2, 푔3,… . Complexity, 풪 (푛) multiplications in G

With memory: We pre-compute all the (푔푖, 푖) and store them in a list, sorted we respect to the 푔푖 (by using a binary representation of the elements of G for instance). Complexity: 풪 (푛) multiplications in G, 풪 (푛) elements of G in memory, sorting algorithm complexity : 풪 (푛 log(푛)) Then to compute 푥 s.t. ℎ = 푔푥, we look for ℎ in the list: complexity: 풪 (log(푛))

– 3 – Chapitre I : The Discrete Logarithm Problem

Baby Step/Giant Step Usually credited to Shanks 1971. Time-memory trade-off.

ℎ = 푔푥 푥?

푥 푚 푗 푖 −1 푖 푚 푗 Let 푚 = ⌈√푛⌉ and 푥 = 푖 + 푚푗 with 0 ⩽ 푖, 푗 < 푚. We have ℎ = 푔 = (푔 ) 푔 . So ℎ(푔 ) = (푔 ) .

푚 푗 Pre-computations: a list of ((푔 ) , 푗) with 푗 < 푚 sorted with respect to the first coordinate: 풪 (√푛) memory, and 풪 (√푛 log(푛)) for the sorting algorithm.

−1 −1 2 Then we compute ℎ, ℎ푔 , ℎ(푔 ) , ... and look for this element in the list. Worst case: 풪 (√푛) multipli- cations and complexity for 풪 (√푛 log(푛)) the searches.

Pollard ρ Pollard 1978

Same time complexity but quasi no memory. Probabilistic Algorithm: Sometimes no result is found.

′ ′ ′ ′ We look for integers modulo 푛 s.t. 푔푖ℎ푗 = 푔푖 ℎ푗 . Then 푔푖−푖 = ℎ푗 −푗. So 푖 − 푖′ ≡ 푥(푗′ − 푗) and if (푗′ − 푗) is invertible modulo 푛, we find 푥. To find these integers, one can store all the tuples (푔푖ℎ푗, 푖, 푗) sorted with respect to the first coordinates, with random 푖 and 푗. If one finds two times the same element of G (a collision), the discrete logarithm can be extracted as above.

By the birthday paradox with a good probability,there will be a collision for around √푛 random choices. Wedraw uniformly 푘 elements in a set of 푛 elements. Let 푝(푘) the probability that there is a collision. The probability that all the elements are different is

1 2 푘 − 1 푘−1 푖 1 − 푝(푘) = ￶1 −  ￶1 −  … ￶1 −  = ゚ ￶1 −  푛 푛 푛 푖=1 푛

−푥 ∏푘−1 −푖/푛 −푘(푘−1)/2푛 −(푘−1)2/2푛 As 1 − 푥 ⩽ 푒 for all 푥 ∈ R, 1 − 푝(푘) ⩽ 푖=1 푒 = 푒 ⩽ 푒 . As a result, there is a collision −(푘−1)2/2푛 with probability at least 푓(푘) ∶= 1 − 푒 . For 푘0 = 1 + √−2푛 log(1 − A), one has A = 푓(푘0). So for 푘 ⩾ 푘0, one has 푝(푘) ⩾ 푓(푘) ⩾ 푓(푘0) = A. As a result, for the probability to be at least 1/2, one must draw 1 + √2푛 log 2 ≈ 1.177√푛 elements (for a probability greater than 0.99, this gives 3.03√푛 elements). For the classical birthday problem, 푛 = 365, and we have a probability 1/2 of having two people with the same birthday for a set of 1 + √2 × 365 log 2 ≈ 23.49 people (In fact 23 is sufficient). More generally, one can show that the expected number of elements to be drawn until a collision is found is less than √π푛/2 + 2 ≈ 1.253√푛.

As a consequence, this method gives a priori no gain with respect to Baby Step/Giant Step which gives a deterministic method with the same memory and a slightly better time complexity.

To get rid of the need of storage, one can make an iteration of a function 푓 ∶ G → G that « looks like » a random function. That function must satisfy the following property: given X ∈ G and 푖, 푗 s.t. X = 푔푖ℎ푗, ′ ′ on can efficiently compute 푓(X) and 푖′, 푗′ s.t. 푓(X) = 푔푖 ℎ푗 . Such a function can be obtained as follows. First, one makes a partition of G in sets S1,…,S푛. Then 푓 is defined on each S푘 with the previous property on the power of 푔 and ℎ. For example, the initial proposal 2 of Pollard consists in partitioning G with three sets S0,S1,S2, and setting 푓(X) = X if X ∈ S0, 푓(X) = ℎX 푖 푗 2 2푖 2푗 if X ∈ S1 and 푓(X) = 푔X if X ∈ S2. For example, in the case S0, if X = 푔 ℎ , than 푓(X) = X = 푔 ℎ . In practice, a larger number of sets (10 to 20) gives better results.

– 4 – 3. The Discrete Logarithm Problem

With that function, we start with a random X0 ∈ G, then we define X푚 = 푓(X푚−1) pour 푚 > 0 and we search for a collision. The graph formed by the values in the sequence gives the ρ shape that gives its name to the method. To find the collision, a cycle-finding algorithm such as the Floyd method is used. That method, also known as the method of «the tortoise and the hare algorithm » is as follows. One iteratively compute the position of the tortoise and the hare: (X푚,X2푚) = (푓(X푚−1), 푓 ∘ 푓(X2(푚−1))). For that only the two previous positions are needed, so a few memory is needed. Then we stop when the tortoise and the hare are in the same position, where we obtain the collision.

What is the complexity? Let ℓ be the index of the first element of the cycle and 푐 the period, i.e, the length of the cycle. As a result, X0,…,Xℓ−1,Xℓ,…,Xℓ+푐−1 are all distinct and X푚+푐 = X푚 for 푚 ⩾ ℓ. With the Floyd method, we find the smallest 푢 s.t. X푢 = X2푢 where 푢 ⩾ ℓ et 2푢 − 푢 = 푢. As a result 푢 is a multiple of the period 푐. So 푢 can be defined as the smallest multiple of 푐 greatest than ℓ. We denote ℓ = 푞푐 + 푟 the Euclidean division of ℓ by 푐. If 푟 = 0 then 푢 = 푞푐 = ℓ. If 푟 > 0 then 푢 = (푞 + 1)푐. And 푢 = (푞 + 1)푐 ⩽ (푞 + 1)푐 + 푟 = 푞푐 + 푟 + 푐 = ℓ + 푐. So the position 푢 is before 푐 + ℓ where the first collision takes place. And we hope that 푐 + ℓ is a 풪 (√푛) (This would be the case if 푓 was really a random function). As a result, with the Floyd method we should find the collision with 풪 (√푛) iterations, and a few storage.

A variant of this method (the λ method) gives a parallel algorithm.

To sum up we have first a subfunction: Function iteration: input: (X, 푖, 푗): s.t. X = 푔푖ℎ푗 ′ ′ output: F(X), 푖′, 푗′: s.t. F(X) = 푔푖 ℎ푗

Then the main algorithm:

input: 푛, 푔 and ℎ output: 푥 s.t. ℎ = 푔푥 Set 푖푥, 푗푥 uniformly at random from Z/푛Z X = 푔푖푥 ℎ푗푥 (X, 푖푥, 푗푥) = iteration(X, 푖푥, 푗푥) (Y, 푖푦, 푗푦) = iteration(X, 푖푥, 푗푥) While X ≠ Y : (X, 푖푥, 푗푥) = iteration(X, 푖푥, 푗푥) (Y, 푖푦, 푗푦) = iteration(Y, 푖푦, 푗푦) (Y, 푖푦, 푗푦) = iteration(Y, 푖푦, 푗푦) If 푗푦 − 푗푥 non invertible modulo 푛 then the algorithm fails −1 Else return (푖푥 − 푖푦)(푗푦 − 푗푥) (mod 푛)

Pohlig–Hellman The Pohlig–Hellman method reduces the computation of discrete logarithms in a group of order 푛 to computing logarithm in subgroups of order 푝 where 푝 is prime and 푝 divides 푛.

푒1 푒푟 푥 푒푖 We denote 푛 = 푝1 … 푝푟 and ℎ = 푔 Then we compute the discrete logarithm modulo the 푝푖 and the value modulo 푛 is computed by the Chinese Remainder Theorem. 푒 푒 푒−1 Sowehavetocompute 푥 modulo 푝 . Wedenote 푥 mod 푝 = 푎0+푎1푝+⋯+푎푒−1푝 , where 0 ⩽ 푎푖 ⩽ 푝−1. 푥 푛/푝 푛/푝 푎0 푛/푝 Then from ℎ = 푔 , we have ℎ = (푔 ) and 푔 as order 푝 (푔 is a generator). So we can compute 푎0 2 2 푛/푝 푛/푝 푎0+푎1푝 mod 푝 = 푎0 by an algorithm that computes discrete logarithm modulo 푝. Then ℎ = (푔 ) , 2 2 2 푎0 푛/푝 푛/푝 푎0+푎1푝−푎0 푛/푝 푎1푝 푛/푝 푎1 so (ℎ/푔 ) = (푔 ) = (푔 ) = (푔 ) . So we can find 푎1 by another computation of a discrete logarithm modulo 푝. Byiteratingthismethod, onefinds 푥 mod 푝푒 with 푒 computations of discrete logarithms mod 푝.

This gives the following algorithm: Input : 푛 and its factorization: (푝1, … , 푝푟), (푒1, … , 푒푟), 푔 and ℎ

– 5 – Chapitre I : The Discrete Logarithm Problem

Output : 푥 s.t. ℎ = 푔푥. For 푖 = 1 to 푟 : ̃ 푛/푝푖 ̃ ̃푛/푝푖 ̃ Denote 푔 = 푔 ; ℎ = ℎ ; 푎0 = log푔̃(ℎ); 푓 = 1 ; 푥푖 = 푎0 For 푗 = 1 to 푒 − 1 : 푗−1 푎 푝 푗+1 푓 = 푓푔 푗−1 푖 ; ℎ̃ = (ℎ푓−1)푛/푝푖 ̃ Set 푎푗 = log푔̃(ℎ) 푗 푥푖 = 푥푖 + 푎푗푝푖 푒푖 Return 푥 (mod 푛) s.t. 푥 ≡ 푥푖 (mod 푝푖 ) for 푖 = 1, … , 푟.

In practice, for cryptographic applications, one always (almost) takes 푛 prime, otherwise if its factor- ization is tractable, one can reduce to smaller computation of discrete logarithm modulo 푝|푛.

Index Calculus Algorithms

Wesuppose 푛 tobeprime. Thisisnotagenericalgorithm: wesupposethatthereexists S = {푝1, 푝2, … , 푝푡} ⊂ G a factor basis s.t. a large proportion of elements of G can be written efficiently as a product of the 푝푖’s.

Pre-computation : Wepre-compute the log푔(푝푖): we take randoms 푘 in Z/푛Z and for a large proportion 푘 푒푖 we can write 푔 = ∏ 푝푖 (easily parallelizable) ∑ By applying the log : 푘 = 푒푖 log푔(푝푖). With at least 푡 independant linear equations, we can resolve a linear system that gives the log푔(푝푖).

Then, in an active phase, if ℎ = 푔푥, we compute ℎ푔푘 with random 푘. If we can factor in S, by applying ∑ the log, we have 푥 + 푘 = 푒푖 log푔(푝푖).

Trade-off on 푡 : small, we need a small system of 푡 equations. Big, there is a better probability that the random elements can be factored in S. So we make less random choices.

α 1−α Sub exponential complexity: L푛(α, 푐) = 풪 (푒푥푝(푐(log 푛) (log log 푛) )). L(0, 푐) = (log 푛)푐 : polynomial complexity (in the size of 푛) and L(1, 푐) = 푛푐 exponential complexity.

In Z/푝Z with S = {primes < B} one obtains an algorithm in L푝(1/2, √2) (Kraitchik, 1922, rediscovered at the end of the 70’s). The number field sieve (NFS, 1993) and the function field sieve (FFS, 1994) are im- provement of this idea, they search respectively for smooth elements in function fields and number fields. For computing discrete logarithms in finite fields F푞, these algorithms have an expected time complexity of L푞(1/3, 푐) for some 푐 > 0, FFS being dedicated to small characteristic and NFS to large characteristic. Starting from 2013, they have been lots of improvements on algorithms to compute discrete logarithm in finite fields F푝푛 , depending on the size and the form of 푝 and 푛. When 푛 = 1, i.e., in Z/푝Z, the best algorithm remains the number field sieve. The record is for a 768 bits 푝, June 2016 (with huge computing power: more than a year, approximately 6600 core years). For small characteristic, there exists algorithms in L푞(1/4, 푐) with 푐 > 0 and quasi polynomial for very small 푝, especially when the extension degree 푛 is composite. As a result the finite fields F2푛 must not be used for cryptography, especially pairing-based cryptography with elliptic curve over F2푛 . Records: In F230750 July 2019 (2907 core years) In the others cases, there exists many variants of the number field sieve, that improve the asymptotic 푛 complexity (still L푞(1/3, 푐) but with a better 푐): for example, when 푝 as a special form, or/and when 푞 = 푝 and 푛 composite with relatively prime factors (Kim-Barbulescu, 2016). This has an important impact on 푛 pairing-based cryptography, for which the discrete logarithm problem has to be hard in F푝 and a popular choice is 푛 = 6 or 푛 = 12. For records, cf. http://en.wikipedia.org/wiki/Discrete_logarithm_records

– 6 – 3. The Discrete Logarithm Problem

Conclusion × 128 In (Z/푝Z) for instance, to have 128 bits security (i.e, the best attack have a complexity of 2 operations), we take 푝 of at least 3072 bits (for NFS) and we work in a subgroup of order 푞, a prime dividing 푝 − 1 with 푞 of order 256 bits to avoid attacks with BS/BG and Pollard.

Security level bitsize of 푝 80 1024 112 2048 128 3072 192 7680 256 15360

For most of elliptic curves, the index calculus methods can not be applied. So only the exponential generic algorithms can be applied (we will see the situation of pairing friendly curve later). As a result elliptic curves can be used to define groups where the discrete logarithm problem is in- tractable with smaller parameters : Z/푝Z, E(Z/푝Z) may define a cyclic group of prime order, with order of roughly the same size of 푝. With 푝 of 2푘 bits we obtain a 푘 bit security, e.g. 256 bits 푝 for 128 bit security.

56 For elliptic curve With F푝 of 112 bits (so the order of 2 computations) in 2009 with a parallelized Pollard ρ and 200 PlayStation 3 in 6 months. Records over binary fields of roughly the same sizes.

– 7 – Chapitre I : The Discrete Logarithm Problem

– 8 – Chapter II

First Cryptographic Applications

Let (G, 푥) be a cyclic group, G = ⟨푔⟩ of prime order 푛.

1. Diffie-Hellman (76) Key exchange. With this protocol, Alice and Bob jointly establish a secret quantity over a public channel. This quantity can be used later to derive a secret key used for symmetric encryption. 푎 Alice takes a random 푎 ∈ Z/푛Z, computes X = 푔 and sends X to Bob. Bob takes a random 푏 ∈ Z/푛Z, computes Y = 푔푏 and sends Y to Alice. Alice and Bob can compute Z = 푔푎푏 = Y 푎 = X 푏. An eavesdropper can retrieve X and Y. Computing Z = 푔푎푏 from X = 푔푎 and Y = 푔푏, is called the Computational Diffie Hellman Problem (CDH), and the triplet (X = 푔푎, Y = 푔푏, Z = 푔푎푏) is called a Diffie-Hellman triplet. Distinguishing Z from a random element of G, knowing X and Y, is called the Decisional Diffie– Hellman (DDH). In general, the only known way to resolve these problem is by computing one of the discrete logarithm (e.g., to compute 푎 from X, and retrieve Z = Y 푎).

2. Elgamal Encryption (84) Asymmetric encryption scheme. Can be viewed as a Diffie-Hellman key exchange, followed by a one time pad in G: the symmetric encryption scheme, that encrypts 푚 ∈ G as 푚푧 where 푧 is a secret key used only once. The element Y is viewed as Bob’s public key: 푝푘 = Y = 푔푏. To encrypt 푚 ∈ G for Bob, Alice sends X = 푔푎 and 푚Y 푎 = 푚Z. Bob can decrypts thanks to 푏, which is his secret key: from 푏 and X he can compute Z and recover 푚. More precisely, with a little change of notations, the Elgamal encryption scheme can be described as follows:

푥 • 푝푘 = ℎ = 푔 , where 푥 is random in Z/푛Z and 푠푘 = 푥. 푟 푟 • Encryption of 푚 ∈ G with the public key ℎ = 푝푘: takesarandom 푟 ∈ Z/푛Z and 푐 = (푐1, 푐2) = (푔 , 푚ℎ ). 푥 −1 • Decryption of 푐 = (푐1, 푐2) with the private key 푥 = 푠푘: Compute 푐2(푐1) 푟 푟 푥 −1 푟 푟푥 −1 푟푥 푟푥 −1 The scheme is correct as if (푐1, 푐2) = (푔 , 푚ℎ ) then 푐2(푐1) = 푚ℎ × (푔 ) = 푚푔 × (푔 ) = 푚. Note that it is a probabilistic encryption scheme.

Itiseasytoseethatrecoveringthesecretkeyfrom thepublickeyisanhardproblem ifthediscreteloga- rithm problem is hard in G. Onecanalsoprovethatrecovering 푚 from 푐 and 푝푘 (breaking the One-Wayness

– 9 – Chapitre II : First Cryptographic Applications of encryption) is hard if the CDH problem is hard and moreover that finding any partial information of 푚 from 푐 and 푝푘 (breaking semantic security) is hard if the DDH is hard.

3. Digital Signature

3.1. Definition Digital Signatures are roughly equivalent to handwritten signatures on paper documents. More precisely, a digital signature scheme works as follows:

• Alice has 푝푘 a public key (for verification) and 푠푘 a private key (for signing).

• With a message 푚 and her private key 푠푘, Alice executes a signing algorithm to get σ the signature.

• With a message 푚, the signature σ of 푚 by Alice, and 푝푘 the public key of Alice, Bob executes a verification algorithm to verify if the signature is valid.

In general, the signing algorithm uses first a cryptographic hash function H applied on the message. This is a function H from {0, 1}∗ → A where A is a finite set, for instance A = {0, 1}푛. Moreover H has several property (one-way, collision resistance,…). The hash function makes digital signature more practical (can be applied to any digital files), and also provides security. The main features of a digital signature scheme are:

• the signed message can not be modified (or otherwise the signature is invalid): notion of integrity.

• Notion of non repudiation: someone that has signed some information can not deny having signed it (only the person that knows the private key can have produce the signature, it can not be forged). As a result, it is a way to authenticate the authors of a message.

• The signature can be verified by anyone with the public key.

3.2. Elgamal Signature (84) We give here a generalization of the signature scheme of Elgamal in a cyclic group G (original scheme in × (Z/푝Z) ). ∗ A message 푚, is mapped to M = H(푚) ∈ Z/푛Z where H is an hash function H ∶ {0, 1} → Z/푛Z. A first idea (not working) is to use the same setup as in the Elgamal encryption scheme: The public key 푥 is ℎ = 푔 and the private key is 푥 ∈ Z/푛Z. We try to build a signature of 푚 from a Diffie-Hellman triplet that involves M. Wethus consider an Elgamal encryption of 푔M : (푔푟, ℎ푟푔M) = (푔푟, 푔푥푟+M) with 푟 random in 푟 푟 푥푟+M 푠 Z/푛Z. Let 푠 = 푥푟 + M ∈ Z/푛Z and 푓 = 푔 , we then have (푔 , 푔 ) = (푓, 푔 ). The signature of 푚 could be σ = (푓, 푠), and the verification could consists in verifying if (ℎ, 푓, 푔푠/푔M) = (푔푥, 푔푟, 푔푥푟) is a Diffie-Hellman triplet.

Issues: The only (generic) known to test if this is a Diffie-Hellman Triplet, is by knowing one of the discrete logarithms (푟 or 푥 but this is the secret key). Knowing 푟, the scheme is trivially insecure: from −1 푟, 푠, 푚 one can compute 푥 as 푥 = 푟 (푠 − M) ∈ Z/푛Z if 푟 is invertible (푟 ≠ 0 as 푛 is prime).

Solution: We will see later that with elliptic curve pairings it is possible to distinguish if we have a Diffie-Hellman Triplet or not, without knowing individual discrete logarithm. For now, without pairings, thesolutionusedbyElgamalistouse H(푓) instead of using 푟 to compute 푠, andinsteadofhaving 푔푠 = 푔푥푟+M, he defines 푠 such that 푓푠 = 푔푥H(푓)+M. As a result, the equation for the exponent is 푟푠 = 푥H(푓) + M.

To summarize, the protocol is as follows:

∗ • G of order 푛 and H a hash function {0, 1} → Z/푛Z.

– 10 – 4. Elliptic Curve Cryptography

• 푝푘 = ℎ = 푔푥 with a random 푥, 푠푘 = 푥

• Signing a message 푚 with the key 푥: 푟 a random invertible element modulo 푛, 푓 = 푔푟, 푠 ≡ 푟−1(푥H(푓)+ H(푚)) (mod 푛). σ = (푓, 푠).

푠 H(푓) H(푚) • Verifying a signature σ = (푓, 푠) of 푚 with the public key ℎ: 푣1 = 푓 , 푣2 = ℎ 푔 , ok if 푣1 = 푣2.

푠 푟푠 푥H(푓)+H(푚) H(푓) H(푚) 푥H(푓)+H(푚) The scheme is correct has 푣1 = 푓 = 푔 = 푔 and 푣2 = ℎ 푔 = 푔 . DSA: Digital Signature Algorithm (NIST 91) is a variant of the Elgamal signature in a subgroup of × prime order 푞 of (Z/푝Z) .

4. Elliptic Curve Cryptography Elliptic curve are mostly used in cryptography for

• key exchange: ECDH which is an adaptation of the Diffie-Hellman key exchange in the group of points of an Elliptic curve

• Signature: ECDSA, an adaptation of the Elgamal signature, see details below.

There are lots of others applications that use pairings of elliptic curves. ECDH and ECDSA are stan- dardized. They can be used to secure communications over a computer network with Transport Layer Security (TLS), since version 1.0 (1999). There are more and more used (see Google certificate for in- stance). Indeed, the common alternatives to these two protocols are respectively the Diffie-Hellman key exchange in finite fields and the RSA signature scheme which is based on the hardness of factoring integers. Nowadays, both protocols need key sizes of at least 2048 bits and 3072 bits is recommended. For elliptic curve, one can work with smaller key sizes. An elliptic curve defined on a finite field of size around 200 to 256 bits is recommended. As we saw in the previous chapter, the best algorithm to com- pute discrete logarithm for elliptic curve (the ρ method) is exponential, and the best algorithm to compute discrete logarithm for finite fields and factoring integers (the number field sieve) is sub-exponential. As a result, with the increasing power of computers, elliptic curves become more and more interesting, espe- cially for embedded systems such as smart cards, where it is crucial to work with small data.

4.1. ECDSA This is a variant of the Elgamal signature, with some changes and optimization to handle the representation of the group elements, i.e., the points of an elliptic curve.

• We work in a cyclic subgroup ⟨P⟩ of prime order 푛 of the groups of points of an elliptic curve. Let H be an hash function {0, 1}∗ with values in {1, … , 푛 − 1}. In practice, the function SHA2 is used with a truncation of the output to get ℓ bits where ℓ is the number of bits of 푛

• 푝푘 = Q = 푥P with 푥 random 0 < 푥 < 푛, 푠푘 = 푥

• Signing a message 푚 with the key 푥: 푟 random, 0 < 푟 < 푛, R = (푥R, 푦R) = 푟P, If 푥R mod 푛 = 0, −1 choose an other 푟. 푠 ≡ 푟 (푥(푥R푚표푑푛) + H(푚)) (mod 푛). If 푠 ≡ 0 choose an other 푟. The signature is σ = (σ1, σ2) = (푥R mod 푛, 푠).

• Verifying a signature (σ1, σ2). Verify that Q is on the curve, and that Q has order 푛 and that 1 < −1 −1 σ푖 < 푛, for 푖 = 1, 2. Then compute 푢1 ≡ H(푚)σ2 (mod 푛) and 푢2 ≡ σ1σ2 (mod 푛), and then (푥1, 푦1) = 푢1P + 푢2Q. ok if σ1 ≡ 푥1 mod 푛.

−1 −1 −1 The scheme is correct as 푢1P + 푢2Q = (푢1 + 푢2푥)P = (H(푚)푠 + (푥R푚표푑푛)푠 푥)P = 푠 (H(푚) + −1 (푥R푚표푑푛)푥)P = 푟(H(푚) + 푥(푥R푚표푑푛)) (H(푚) + (푥R푚표푑푛)푥)P = 푟P. The differences with Elgamal signature scheme, is that only 푥R is given in the signature, instead of 푟P, and that this point is not hashed, 푥R is used instead.

– 11 – Chapitre II : First Cryptographic Applications

Note that 푟 must be random. If two signatures are issued with the same 푟: σ, σ′ of 푚 and 푚′. Then, ′ −1 ′ −1 σ2 −σ2 = 푟 (H(푚)−H(푚 )). So 푟 can be recovered. Then as σ2 = 푟 (푥(푥R푚표푑푛)+H(푚)) one can deduce 푥. This textbook attack was surprisingly used real life. An attack against the PlayStation 3 in 2010 allows to recover the key used to sign the files that the PlayStation could execute (푟 was constant, 푟 = 4), Another attack on a digital wallet for Bitcoins on Android was done in 2013. The application was using a weak random number generator (ECDSA is used in the Bitcoin protocol to prove the property of Bitcoins). As a consequence, some bitcoins were stolen.

4.2. EC-Schnorr is built from an identification protocol proposed by Schnorr in 1989, related to a proof of knowledge of a discrete logarithm. Its adaptation in elliptic curves provides a signature scheme whose security is more understood than ECDSA. Furthermore, the implementation is less intricate than the implementation of ECDSA. However, this signature scheme did not became “the” standard of digital signatures as it was covered by an US patent (now expired). Furthermore, they are multiple standardised version of this scheme for elliptic curve. Below we give a general description using a cyclic group G = ⟨푔⟩ of prime order 푛.

• 푝푘 = ℎ = 푔푥 with 푥 random 0 < 푥 < 푛, 푠푘 = 푥

푟 • Signing a message 푚 with the key 푥: 푟 random, 0 < 푟 < 푛, σ1 = 푔 , 푘 = H(푚||σ1) and σ2 = 푟 + 푥푘 mod 푛. The signature is σ = (σ1, σ2).

σ2 H(푚||σ1) • Verifying a signature (σ1, σ2) of 푚: Test whether 푔 = σ1푝푘

4.3. How to generate an elliptic curve suitable for cryptography FIPS 186-4: 2013, 4th revision, US standard describes ECDSA cf. http://nvlpubs.nist.gov/nistpubs/ FIPS/NIST.FIPS.186-4.pdf FIPS gives also some standardized curves and a standardized way to generate a random elliptic curve.

Standard Elliptic Curves

Curve over F푝, 푝 odd prime. We will work with G = ⟨P⟩ where P = (푥P, 푦P) has order 푛 and 푛 is prime. Let ℎ such that Card E = 푛ℎ. This co factor ℎ must be small, to improve efficiency: 푛 will be of roughly the same bit size than 푝. The NIST gives several standard curve over F푝: e.g., P − 192, P − 224, P − 256, P − 384, P − 521, where the number is the bit size of 푝. The co factor ℎ = 1 for these curves (the group of points are cyclic of prime order). The curve equations are 푦2 = 푥3–3푥 + 푏 mod 푝. Note: 푎 = −3 for efficiency, only 푎 is used in the classic formulae for the group law. The chosen 푝 have a sparse binary representation in order to speedup computations modulo 푝.

There are also curves standardized over F2푑 :

• 3 Koblitz curves, K − 163, K − 233, K − 283, K − 409, K − 571 where the number is the degree 푑. Equations 푦2 + 푥푦 = 푥3 + 푎푥2 + 1 where 푎 = 0, 1. For these curves, ℎ = 2 if 푎 = 1 and ℎ = 4 if 푎 = 0. For these curves, one can explicitly compute the number of points, and there is an algorithm to compute exponentiations without doubling operations.

2 3 2 • 3 standard curves of equations 푦 + 푥푦 = 푥 + 푥 + 푏 with 푏 ∈ F2푑 , for which ℎ = 2. B − 163, B − 233B − 283, B − 409, B − 571.

Random curves Modulo 푝 > 3 one wants an equation 푦2 = 푥3 + 푎푥 + 푏 with Δ = −16(4푎3 + 27푏2) ≠ 0 (mod 푝). To generate 푎 and 푏, one choses a random seed and apply (several times) an hash function to come up with an integer 푐. As the hash function is one-way (pre-image can not be computed), this procedure is

– 12 – 4. Elliptic Curve Cryptography meant to ensure the users of the generated curve that this curve has been truly generated randomly, and it does not contains an hidden weakness or a trapdoor that could be used to recover the private keys… Then 푎 and 푏 are chosen such that 푐푏2 ≡ 푎3 (mod 푝) (e.g., 푎 = 푐, 푏 = 푐 but one can take a small 푎 to speed up computations). This is to generate isomorphism classes of elliptic curve (two elliptic curves of parameters 푎, 푏 and 푎′, 푏′ over a finite field with characteristic at least 5 are isomorphic if and only if 푢4푎′ = 푎 et 푢6푏′ = 푏. As a result, the value of 푐 = 푎3/푏2 = 푎′3/푏′2 is fixed inside a class. Note that Δ ≠ 0 ⇔ 4푎3 + 27푏2 ≠ 0 ⇔ −4푎3/27푏2 ≠ 1 ⇔ −4푐 ≠ 27 ⇔ 4푐 + 27 ≠ 0. Then one verifies if the order is suitable, i.e, if it has a large prime factor (for that, one can compute the order with an early abort strategy if it is divisible by to much small primes). If it is not the case another seed is taken. There are more advanced criteria to generate a safe curve (e.g., see https://safecurves. cr.yp.to). Another way to generate a curve is to use the complex-multiplication (CM) method. The order is selected first, then an elliptic curve and a finite field is found that meet that order. Over F푝, this method is faster than the algorithms to compute the number of points.

– 13 – Chapitre II : First Cryptographic Applications

– 14 – Chapter III

Pairings for Cryptography

1. Weil and Tate Pairings

A cryptographic bilinear pairing is defined as follows. Let (G1, +), (G2, +), (G푡, ×) be three cyclic groups of prime order ℓ. Let P and Q be respective generators of G1 and G2. A cryptographic bilinear pairing is 푒 ∶ G1 × G2 → G푡, such that, 푎푏 • 푒 is a bilinear application : 푒(푎P, 푏Q) = 푒(P, Q) for all 푎, 푏 ∈ Z/ℓZ ; • 푒 is non degenerate : 푒(P, Q) ≠ 1 ; • 푒 is computable efficiently : there exists a polynomial algorithm in the size of ℓ that evaluates 푒. This definition matches the standard definition of bilinearity and non degeneracy in the special case of a cyclic group of prime order.

We will see in the following how a cryptographic bilinear pairing is defined in practice from the Weil pairing and the Tate pairing. These two pairings are defined over the ℓ-torsion of on elliptic curve. We first recall some properties of the ℓ-torsion.

Let ℓ be an integer. Let us denote E[ℓ] the ℓ-torsion of an elliptic curve E defined over a finite field F푞: E[ℓ] = {P ∈ E(F푞), ℓP = 0}.

We denote also by μℓ the subgroup of F푞 of ℓ-th roots of unity:

ℓ μℓ = {푥 ∈ F푞, 푥 = 1} . For cryptographic applications, ℓ will be a prime number, and we will suppose that ℓ ≠ 푝 where 푝 is the characteristic of F푞. For a cryptographic pairing, 푒 ∶ G1 × G2 → G푡 with groups of prime orders ℓ, the groups G1 and G2 will be subgroups of E[ℓ] and G푡 = μℓ.

Let F푞 be a finite field and ℓ an integer. The embedding degree of ℓ in F푞 is the smallest integer 푘 × × 푘 × ℓ such that (F푞푘 ) contains the ℓ−th roots of unity. As (F푞푘 ) is cyclic of order 푞 −1, if 푥 ∈ (F푞푘 ) with 푥 = 1 this means that ℓ divides 푞푘 − 1. So one can equivalently defined 푘 as the smallest integer s.t. ℓ|(푞푘 − 1). This means that 푘 is the order of 푞 modulo ℓ.

We have supposed that ℓ ≠ 푝 where 푝 is the characteristic of F푞. As ℓ and 푝 are prime numbers, this means that gcd(ℓ, 푝) = 1. Inthiscase, thegroupof ℓ torsion points of an elliptic curve E, E[ℓ] is isomorphic to Z/ℓZ × Z/ℓZ.

– 15 – Chapitre III : Pairings for Cryptography

We will suppose moreover in the following that ℓ does not divide 푞 − 1 (this means that 푘 > 1). Then, one can prove that E[ℓ] is a subset of E(F푞푘 ) where 푘 is the embedding degree of ℓ in F푞. 2 Note that if ℓ divides 푞 − 1 then E[ℓ] is a subgroup of E(F푞) only in rare cases even if ℓ divides the number of points of E(F푞). In practice, ℓ will be a prime divisor of Card(E(F푞)). By Cauchy’s theorem, there exists a point P ∈ E(F푞) of order ℓ. So one of the component of the ℓ torsion is ⟨P⟩ and we have E[ℓ] ∩ E(F푞) = ⟨P⟩ : when proving that E[ℓ] is a subset of E(F푞푘 ), one actually proves that the other component of the ℓ torsion is ⟨T⟩ where T ∈ E(F푞푘 ). Then, cryptographic pairings are often defined from the Weil and the Tate pairing.

The Weil pairing, 푒푤,ℓ ∶ E[ℓ]푥E[ℓ] → μℓ. Its properties are:

• bilinearity: 푒푤,ℓ(S1 + S2, T) = 푒푤,ℓ(S1, T)푒푤,ℓ(S2, T), 푒푤,ℓ(S, T1 + T2) = 푒푤,ℓ(S, T1)푒푤,ℓ(S, T2) −1 • 푒푤,ℓ(T, T) = 1, so 푒푤,ℓ(S+T, S+T) = 푒푤,ℓ(S, S)푒푤,ℓ(S, T)푒푤,ℓ(T, S)푒푤,ℓ(T, T) gives 푒푤,ℓ(T, S) = 푒푤,ℓ(S, T) (alternation)

• non degeneracy: if 푒푤,ℓ(S, T) = 1 for all S ∈ E[ℓ] then T = OE

• Invariant by Galois: ϕ(푒푤,ℓ(S, T)) = 푒푤,ℓ(ϕ(S), ϕ(T)) for all ϕ in the Galois group Gal(K/K)

Note that as 푒푤,ℓ(T, T) = 1 for all T, if S and T are elements of the same cyclic group, generated by P, 푎푏 we will have 푒푤,ℓ(S, T) = 푒푤,ℓ(푎P, 푏P) = 푒푤,ℓ(P, P) = 1.

In practice, one computes 푒푤,ℓ(S, T) by applying twice Miller’s algorithm.

The Tate Pairing is defined as follows:

× × ℓ 푒푡,ℓ ∶ E[ℓ] × E(L)/ℓE(L) → L /(L ) 푘 where L is an extension of the base field such that E[ℓ] ⊂ E(L). In practice L = F푞, where 푘 is the embedding degree. It can be compute by applying one time the algorithm of Miller, so it is a priori twice as efficient to compute than the Weil pairing. The Tate pairing has also the properties of bilinearity and non degeneracy (but it is trivial if every element is a ℓ−th power, for example if L = K). But there is no alternation: if one computes 푒푡,ℓ(P, Q), 푒푡,ℓ(Q, P) will in general not be defined. Furthermore one can have 푒푡,ℓ(P, P) = 1, but not for every P.

Quotients groups are not pratical for cryptographic applications. For example, to check for equality, one wants to work with unique representatives. Let us see how to solve this for the target group L×/(L×)ℓ. 푘 Suppose that L = F푞푘 , so that ℓ|(푞 − 1). Then we have an isomorphism

푞푘−1 × × ℓ L /(L ) → μℓ, 푥 ↦ 푥 ℓ .

As a result to use the Tate pairing for cryptographic applications, one add this final exponentiation 푞푘−1 to the power . This exponentiation has non negligible cost, especially when 푘 is large, but even with ℓ this exponentiation, the Tate pairing can still be computed more efficiently than the Weil pairing. So it is preferred for cryptographic applications.

For the second group of the definition of the Tate Pairing, E(L)/ℓE(L), it can be replaced by E[ℓ] under good conditions, (for example if gcd(푐푎푟푑E(L)/ℓ2, ℓ) = 1), that will be always satisfied in cryptographic applications where ℓ will be a large prime number.

Eventually, we can define if gcd(푐푎푟푑E(L)/ℓ2, ℓ) = 1

푞푘−1 푒̂푡,ℓ ∶ E[ℓ] × E[ℓ] → μℓ, (P, Q) = 푒푡,ℓ(P, Q) ℓ ,

– 16 – 2. MOV Attack which defines a pairing (sometimes called the reduced Tate pairing or the modified Tate pairing) that inherits the properties of the Tate pairing.

Some others pairings has been devised for cryptography (the η pairing, the ate pairing, the Twisted ate pairing,…). They generally are modifications or special cases of the Tate pairing in order to make it more efficient by shortening the number of iterations in Miller’s algorithm.

2. MOV Attack Menezes, Okamoto and Vanstone, 1993. The first application of pairings in cryptography has been for . Let E be an elliptic curve over F푞. Let P be a point of order ℓ where ℓ is prime and G = ⟨P⟩. Let Q ∈ G. We look for 푥 = logP(Q) such that Q = 푥P. Let 푘 be the embedding degree of ℓ over F푞. We suppose as above that ℓ does not divide 푞 − 1 (this means that 푘 > 1), moreover we suppose that 푔푐푑(ℓ, 푝) = 1 where 푝 is the characteristic of F푞, i.e., ℓ ≠ 푝 as ℓ and 푝 are prime numbers. Then it is possible to reduce in polynomial time the computation of 푥 to a computation of a discrete × logarithm in the finite field (F푞푘 ) . 푘 Let T ∈ E(F푞) be such that P and T generate the ℓ−torsion of E. Let 푒푤,ℓ be the Weil pairing: 푘 × E[ℓ]푥E[ℓ] → μℓ with E[ℓ] ⊂ E(F푞) and μℓ ⊂ (F푞푘 ) . One has 푒푤,ℓ(P, T) of order 1 or ℓ as ℓ is prime and μℓ has order ℓ. It is easy to see that 푒푤,ℓ(P, T) ≠ 1. 푎 푏 Otherwise, let U ∈ E[ℓ], U = 푎P + 푏T and 푒푤,ℓ(P, U) = 푒푤,ℓ(P, P) 푒푤,ℓ(P, T) = 1, as 푒푤,ℓ(P, P) = 1. This will mean that 푒푤,ℓ(P, U) = 1 for all U. As 푒푤,ℓ is non degenerate, P = OE, this leads to a contradiction. × As a result, 푒푤,ℓ(P, T) is of order ℓ and generates μℓ ⊂ (F푞푘 ) .

푥 We have Q = 푥P. So 푒푤,ℓ(Q, T) = 푒푤,ℓ(푥P, T) = 푒푤,ℓ(P, T) and the computation of the discrete loga- 푘 × rithm of 푒푤,ℓ(Q, T) in basis 푒푤,ℓ(P, T) in (F푞) gives 푥. Note that we can work directly with P : as Q ∈ ⟨P⟩, 푥 푒푤,ℓ(Q, P) = 푒푤,ℓ(P, P) = 1.

How can we find T ? We look for T by taking a random point R in E(F푞푘 ) (not with coordinates in F푞, 2 as E[ℓ] ∩ E(F푞) = ⟨P⟩). If E(F푞푘 ) has A points we compute (A/ℓ )R with R a random point in E(F푞푘 ), until we find a non zero point (and not in E(F푞)), this means that we have a point of order exactly ℓ. Indeed, E(F푞푘 ) contains E[ℓ] which is non cyclic so E(F푞푘 ) is also non cyclic (otherwise every subgroup is cyclic). Let P1 and P2 be two generators of E(F푞푘 ) where P푖 is of order 푑푖 and 푑2 ∣ 푑1. We thus have A = 푑1푑2. For the same reasons, E[ℓ] is not contains in either ⟨P1⟩ nor ⟨P2⟩. So points of ℓ torsion are ′ 2 2 ′ ′ contains in both subgroups. In particular, ℓ ∣ 푑푖. Let 푑푖 = ℓ푑푖 . Then A/ℓ = 푑1푑2/ℓ = 푑1푑2. One 2 ′ ′ ′ ′ 2 has R = 푟1P1 + 푟2P2. So (A/ℓ )R = 푟1푑1푑2P1 + 푟2푑1푑2P2. So if this point is non zero, then ℓ(A/ℓ )R = ′ ′ 푟1푑1푑2P1 + 푟2푑1푑2P2 = OE so it is indeed a point of ℓ torsion.

If one wants to use the MOV reduction to compute discrete logarithms in elliptic curves over F푞 in sub exponential time in log 푞 by using the sub exponential algorithm in F푞푘 then 푘, the embedding degree must be small. One can prove the 푘 must be smaller than (log 푞)2. When 푝 = 푞 and Card(E) is prime then Balasubramanian and Koblitz have shown that for a random curve the probability that 푘 < (log 푝)2 is very small : less than < 1/푝. We have also seen that is the order × 2 of 푞 in (Z/ℓZ) , si a divisor of φ(ℓ) = ℓ − 1 if ℓ is prime. In general, 푘 ≃ ℓ ≃ 푞 >> (log 푞) . So the discrete logarithm problem in F푞푘 will be way more difficult than in E(F푞).

However, 푘 can be very small. Let E defined over F푞 of characteristic 푝. Wecan have either

푟 • E[푝 ] = 0 for all 푟. In this case E is said supersingular and we have Card(E(F푞)) = 1 (mod 푝). 푟 푟 • or E[푝 ] = Z/푝 Z and E is said ordinary.

– 17 – Chapitre III : Pairings for Cryptography

If 푞 = 푝 > 3 then E defined over F푝 is supersingular if and only E(F푝) has order 푝 + 1. For example, for 2 3 푝 > 3 the curve 푦 = 푥 + 1 over F푝 is supersingular if and only if 푝 ≡ 2 (mod 3).

In the supersingular case, one can prove that 푘 ⩽ 2 if 푝 ⩾ 5 (푘 ⩽ 4 if 푝 = 2, and 푘 ⩽ 6 if 푝 = 3). As a result we may use a curve over F푝 with a 256 bits 푝 to have a security of 128 bits. But if this curve is supersingular, 푘 = 2, and discrete logarithms can be computed in F푝2 . The current record: On 25 June 2014, Razvan Barbulescu, Pierrick Gaudry, Aurore Guillevic, and François Morain have computed a discrete logarithm in F푝2 with 푝 of 265 bits in the equivalent of less of 70 days on a single core. .

3. Pairing Friendly curves After the MOV attack, in the early 2000s, pairings have been proposed to design new cryptographic protocols. The security of these applications relies on the difficulty of the discrete logarithm problem. As a result, it must be hard in the group E(F푝) and in F푝푘 where 푘 is the embedding degree. 160 In E(F푝), we saw that in order to have a security of 80 bits (resp. 128 bits), we must select 푝 ≈ 2 , (resp. 푝 ≈ 2256). Then the discrete logarithm problem must be hard in F푝푘 . If was previously assumed (see below) that ′ 푘 ′ this problem in prime fields F푝 is as hard as in F푝푘 with 푘 log2(푝) = log2(푝 ). So we select the size of 푝 as we did for prime fields in order to counteract the NFS algorithm. For 80 bits of security, 푘 log2 푝 must be 1024 and 3072 for 128 bits. As a result, supersingular curves that have 푘 = 2 are not optimal. In order to have 128 bits of security, we must start from an elliptic curve over F푝 with 푝 of 1536 bits. We loose the advantage of having short parameters.

A more favorable setting is to have 푘 ⩽ 6 or 푘 ⩽ 12. Indeed, for 80 bits of security, if log2 푝 = 160, we want 푘 log2 푝 = 1024 and 1024/160 = 6.4. For 128 bits, if log2 푝 = 256, we want 푘 log2 푝 = 3072 and 3072/256 = 12. There exists constructions of families of elliptic curves with such values of 푘. For example, the Barreto- Naehrig constructions gives 푘 = 12.

However, to have efficient pairing computations we often want to use tower extension field arithmetic (so 푘 is composite, like 12), and use special 푝 to accelerate modular reduction modulo 푝. These two settings actually helps attacks. In 2016, Kim and Barbulescu have proposed new variants of NFS to compute discrete logarithms in F푝푘 , faster if 푘 is composite and/or if 푝 has a special form. So the assumption made earlier on the difficulty of the discrete logarithm problm in F푝푘 is not true anymore. For example, for Barreto-Naehrig curves : a 256 bits 푝 (so a 3072 푝12) offers only 100 bits of security and not 128. In fact a 462 bits 푝 (so a 5535 bits 푝12) might be needed to have around 128 bits security. With higher levels of security, one needs roughly to double the size of 푝.

– 18 – Chapter IV

Some Pairing-based Cryptographic Protocols

– 19 –