
Subgroup Security in Pairing-Based Cryptography

  • Conference paper
Progress in Cryptology -- LATINCRYPT 2015 (LATINCRYPT 2015)

Abstract

Pairings are typically implemented using ordinary pairing-friendly elliptic curves. The two input groups of the pairing function are groups of elliptic curve points, while the target group lies in the multiplicative group of a large finite field. At moderate levels of security, at least two of the three pairing groups are necessarily proper subgroups of a much larger composite-order group, which makes pairing implementations potentially susceptible to small-subgroup attacks.

To minimize the chances of such attacks, or the effort required to thwart them, we put forward a property for ordinary pairing-friendly curves called subgroup security. We point out that existing curves in the literature and in publicly available pairing libraries fail to achieve this notion, and propose a list of replacement curves that do offer subgroup security. These curves were chosen to drop into existing libraries with minimal code change, and to sustain state-of-the-art performance numbers. In fact, there are scenarios in which the replacement curves could facilitate faster implementations of protocols because they can remove the need for expensive group exponentiations that test subgroup membership.
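As an added example (not the paper's code), a toy model of the situation the abstract describes: the order-r subgroup of F_p^* stands in for G_T, with constructed parameters p = 607 and r = 101 chosen so that the cofactor (p - 1)/r = 6 has small prime factors, alongside the exponentiation-by-r membership test that the abstract says subgroup-secure curves can make unnecessary.

```python
# Constructed toy parameters (not from the paper, far too small for real use):
# the order-r subgroup of F_p^* stands in for G_T.  Here p - 1 = 606 = 2 * 3 * 101,
# so the cofactor h = 6 contains exactly the kind of small factors the paper warns about.
P = 607
R = 101
H = (P - 1) // R


def prime_factors(n):
    """Trial-division factorisation; adequate for toy-sized cofactors only."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def small_subgroup_orders(p=P, r=R):
    """Prime factors of the cofactor that are smaller than r: each is the order of a
    small subgroup in which an unvalidated group element could lie."""
    h = (p - 1) // r
    return sorted(set(q for q in prime_factors(h) if q < r))


def in_subgroup(x, p=P, r=R):
    """Membership test from the abstract: one exponentiation by r.  Only elements of
    the order-r subgroup (including 1) satisfy x^r == 1 mod p."""
    return x % p != 0 and pow(x, r, p) == 1


def clear_cofactor(x, p=P, h=H):
    """Map an arbitrary element of F_p^* into the order-r subgroup by raising it to h."""
    return pow(x, h, p)


def element_order(x, p=P):
    """Exact multiplicative order of x mod p (toy sizes only)."""
    if x % p == 0:
        raise ValueError("0 has no multiplicative order")
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k


if __name__ == "__main__":
    print("small subgroups present:", small_subgroup_orders())            # [2, 3]
    print("-1 passes membership test:", in_subgroup(P - 1))              # False, order 2
    print("2^h passes membership test:", in_subgroup(clear_cofactor(2)))  # True
```

The element -1 (order 2) is rejected by the membership test, while cofactor clearing maps any element into the order-r subgroup, which is the check a library must either perform or prove unnecessary.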

Paulo S. L. M. Barreto, Rafael Misoczki, Geovandro C. C. F. Pereira—Supported by Intel Research grant “Energy-efficient Security for SoC Devices” 2012.

Paulo S. L. M. Barreto—Supported by CNPq research productivity grant 306935/2012-0.

Gustavo Zanon—Supported by the São Paulo Research Foundation (FAPESP) grant 2014/09200-5.


Notes

  1. We warn the reader that BLS is commonly used to abbreviate two different authorships in the context of pairing-based cryptography: BLS signatures [10] and BLS curves [4].

  2. Our definition of subgroup security incorporates \(\mathbb {G}_1\) for completeness, since for curves from the most popular families of pairing-friendly curves the index of \(\mathbb {G}_1\) in \(E(\mathbb {F}_p)\) is both greater than one and much less than the size of \(\mathbb {G}_1\), thereby necessarily containing small subgroups. The only exceptions are the prime order families like the MNT [38], Freeman [19], and BN [6] curve families, for which this index is 1.

  3. Here \({\varPhi _k}\) denotes the k-th cyclotomic polynomial.

  4. We tweaked the parameters according to http://www.loria.fr/~zimmerma/records/ecm/params.html, until enough factors were found.

  5. We note that Scott [49, Sect. 9] hinted at this “negative impact” when discussing a \(\mathbb {G}_T\)-strong curve.

  6. Menezes and Chatterjee recently pointed out another interesting example of this [15].

References

  1. Aranha, D.F., Fuentes-Castañeda, L., Knapp, E., Menezes, A., Rodríguez-Henríquez, F.: Implementing pairings at the 192-bit security level. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 177–195. Springer, Heidelberg (2013)

  2. Aranha, D.F., Karabina, K., Longa, P., Gebotys, C.H., López, J.: Faster explicit formulas for computing pairings over ordinary curves. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 48–68. Springer, Heidelberg (2011)

  3. Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014)

  4. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003)

  5. Barreto, P.S.L.M., Lynn, B., Scott, M.: Efficient implementation of pairing-based cryptosystems. J. Cryptol. 17(4), 321–334 (2004)

  6. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006)

  7. Benger, N., Scott, M.: Constructing tower extensions of finite fields for implementation of pairing-based cryptography. In: Hasan, M.A., Helleseth, T. (eds.) WAIFI 2010. LNCS, vol. 6087, pp. 180–195. Springer, Heidelberg (2010)

  8. Blake, I.F., Seroussi, G., Smart, N.: Elliptic Curves in Cryptography, vol. 265. Cambridge University Press, Cambridge (1999)

  9. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003)

  10. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, p. 514. Springer, Heidelberg (2001)

  11. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

  12. Bos, J.W., Costello, C., Naehrig, M.: Exponentiating in pairing groups. In: Lange, T., Lauter, K., Lisoněk, P. (eds.) SAC 2013. LNCS, vol. 8282, pp. 438–455. Springer, Heidelberg (2014)

  13. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: the user language. J. Symbolic Comput. 24(3–4), 235–265 (1997). Computational algebra and number theory (London, 1993)

  14. Chatterjee, S., Hankerson, D., Knapp, E., Menezes, A.: Comparing two pairing-based aggregate signature schemes. Des. Codes Crypt. 55(2–3), 141–167 (2010)

  15. Chatterjee, S., Menezes, A.: Type 2 structure-preserving signature schemes revisited. Cryptology ePrint Archive, Report 2014/635 (2014). http://eprint.iacr.org/

  16. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Sec. 6(4), 213–241 (2007)

  17. Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D.J., Chatterjee, S. (eds.) INDOCRYPT 2011. LNCS, vol. 7107, pp. 320–342. Springer, Heidelberg (2011)

  18. Edwards, H.M.: A normal form for elliptic curves. Bull. Am. Math. Soc. 44(3), 393–422 (2007)

  19. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006)

  20. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Crypt. 23(2), 224–280 (2010)

  21. Fuentes-Castañeda, L., Knapp, E., Rodríguez-Henríquez, F.: Faster hashing to \({\mathbb{G}}_2\). In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 412–430. Springer, Heidelberg (2012)

  22. Galbraith, S.D., Harrison, K., Soldera, D.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) ANTS 2002. LNCS, vol. 2369, p. 324. Springer, Heidelberg (2002)

  23. Galbraith, S.D., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. J. Crypt. 24(3), 446–469 (2011)

  24. Galbraith, S.D., Paterson, K.G. (eds.): Pairing 2008. LNCS, vol. 5209. Springer, Heidelberg (2008)

  25. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008)

  26. Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008)

  27. Gallant, R.P., Lambert, R.J., Vanstone, S.A.: Faster point multiplication on elliptic curves with efficient endomorphisms. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 190–200. Springer, Heidelberg (2001)

  28. Granger, R., Scott, M.: Faster squaring in the cyclotomic subgroup of sixth degree extensions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 209–223. Springer, Heidelberg (2010)

  29. Hess, F., Smart, N.P., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Inf. Theo. 52(10), 4595–4602 (2006)

  30. IEEE P1363 Working Group: Standard Specifications for Public-Key Cryptography. IEEE Std 1363-2000 (2000)

  31. Joux, A.: A one round protocol for tripartite Diffie-Hellman. J. Crypt. 17(4), 263–276 (2004)

  32. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008)

  33. Kilian, J. (ed.): CRYPTO 2001. LNCS, vol. 2139. Springer, Heidelberg (2001)

  34. Lenstra Jr., H.W.: Factoring integers with elliptic curves. Ann. Math. 126, 649–673 (1987)

  35. Li, N., Du, W., Boneh, D.: Oblivious signature-based envelope. In: Borowsky, E., Rajsbaum, S. (eds.) PODC 2003, pp. 182–189. ACM, New York (2003)

  36. Lim, C.H., Lee, P.J.: A key recovery attack on discrete log-based schemes using a prime order subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997)

  37. Menezes, A.: Asymmetric pairings. Talk at ECC 2009. Slides at http://math.ucalgary.ca/ecc/files/ecc/u5/Menezes_ECC2009.pdf

  38. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84(5), 1234–1243 (2001)

  39. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comput. 48(177), 243–264 (1987)

  40. Naehrig, M.: Constructive and computational aspects of cryptographic pairings. Ph.D. thesis, Eindhoven University of Technology, May 2009

  41. Naehrig, M., Niederhagen, R., Schwabe, P.: New software speed records for cryptographic pairings. In: Abdalla, M., Barreto, P.S.L.M. (eds.) LATINCRYPT 2010. LNCS, vol. 6212, pp. 109–123. Springer, Heidelberg (2010)

  42. Nogami, Y., Akane, M., Sakemi, Y., Katou, H., Morikawa, Y.: Integer variable chi-based Ate pairing. In: Galbraith and Paterson [24], pp. 178–191

  43. Page, D., Smart, N.P., Vercauteren, F.: A comparison of MNT curves and supersingular curves. IACR Cryptology ePrint Archive, vol. 2004, p. 165 (2004)

  44. Pereira, G.C.C.F., Simplício Jr., M.A., Naehrig, M., Barreto, P.S.L.M.: A family of implementation-friendly BN elliptic curves. J. Syst. Softw. 84(8), 1319–1326 (2011)

  45. Pohlig, S.C., Hellman, M.E.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Trans. Inf. Theo. 24(1), 106–110 (1978)

  46. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan, pp. 135–148 (2000)

  47. Scott, M.: Computing the Tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 293–304. Springer, Heidelberg (2005)

  48. Scott, M.: On the efficient implementation of pairing-based protocols. In: Chen, L. (ed.) IMACC 2011. LNCS, vol. 7089, pp. 296–308. Springer, Heidelberg (2011)

  49. Scott, M.: Unbalancing pairing-based key exchange protocols. Cryptology ePrint Archive, Report 2013/688 (2013). http://eprint.iacr.org/2013/688

  50. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: Fast hashing to \({\mathbb{G}}_2\) on pairing-friendly curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 102–113. Springer, Heidelberg (2009)

  51. Scott, M., Benger, N., Charlemagne, M., Dominguez Perez, L.J., Kachisa, E.J.: On the final exponentiation for calculating pairings on ordinary elliptic curves. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 78–88. Springer, Heidelberg (2009)

  52. Vaudenay, S.: Hidden collisions on DSS. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 83–88. Springer, Heidelberg (1996)

  53. Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theo. 56(1), 455–461 (2010)

  54. Zavattoni, E., Dominguez Perez, L.J., Mitsunari, S., Sánchez-Ramírez, A.H., Teruya, T., Rodríguez-Henríquez, F.: Software implementation of an attribute-based encryption scheme (2015)


Acknowledgements

We are grateful to Melissa Chase and Greg Zaverucha for their interest in this work, and for their help pointing out implications for pairing-based protocols. We also thank Francisco Rodríguez-Henríquez for his suggestions to improve the paper.

Author information

Corresponding author: Craig Costello.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Barreto, P.S.L.M., Costello, C., Misoczki, R., Naehrig, M., Pereira, G.C.C.F., Zanon, G. (2015). Subgroup Security in Pairing-Based Cryptography. In: Lauter, K., Rodríguez-Henríquez, F. (eds) Progress in Cryptology -- LATINCRYPT 2015. LATINCRYPT 2015. Lecture Notes in Computer Science, vol 9230. Springer, Cham. https://doi.org/10.1007/978-3-319-22174-8_14

  • DOI: https://doi.org/10.1007/978-3-319-22174-8_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-22173-1

  • Online ISBN: 978-3-319-22174-8