Title: Memory-saving computation of the pairing final exponentiation on BN curves
Authors: S. Duquesne, Loubna Ghammam
Journal: Groups Complexity Cryptology, volume 27 1, pages 75 - 90, published 2016-05-01 (journal article)
DOI: 10.1515/gcc-2016-0006 (https://doi.org/10.1515/gcc-2016-0006)
Abstract: Tate pairing computation is made of two steps. The first one, the Miller loop, is an exponentiation in the group of points of an elliptic curve. The second one, the final exponentiation, is an exponentiation in the multiplicative group of a large finite field extension. In this paper, we describe and improve efficient methods for computing the hardest part of this second step for the most popular curves in pairing-based cryptography, namely Barreto–Naehrig curves. We present the methods given in the literature and their complexities. However, the necessary memory resources are not always given, whereas they are an important constraint in restricted environments for practical implementations. Therefore, we determine the memory resources required by these known methods and we present new variants which require fewer memory resources (up to 37 %). Moreover, some of these new variants provide algorithms which are also more efficient than the original ones.

Title: The automorphism group of a finitely generated virtually abelian group
Authors: B. Eick
Journal: Groups Complexity Cryptology, volume 100 1, pages 35 - 45, published 2016-05-01 (journal article)
DOI: 10.1515/gcc-2016-0007 (https://doi.org/10.1515/gcc-2016-0007)
Abstract: We describe a practical algorithm to compute the automorphism group of a finitely generated virtually abelian group. As an application, we describe the automorphism groups of some small-dimensional crystallographic groups.

Title: On irreducible algebraic sets over linearly ordered semilattices
Authors: A. Shevlyakov
Journal: Groups Complexity Cryptology, volume 1 1, pages 187 - 195, published 2016-01-15 (journal article)
DOI: 10.1515/gcc-2016-0014 (https://doi.org/10.1515/gcc-2016-0014)
Abstract: Equations over linearly ordered semilattices are studied. For any equation t(X) = s(X) we find irreducible components of its solution set and compute the average number of irreducible components of all equations in n variables.

Title: A PTIME solution to the restricted conjugacy problem in generalized Heisenberg groups
Authors: Kenneth R. Blaney, Andrey Nikolaev
Journal: Groups Complexity Cryptology, volume 32 1, pages 69 - 74, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0003 (https://doi.org/10.1515/gcc-2016-0003)
Abstract: We examine the Anshel–Anshel–Goldfeld key exchange protocol with a generalized Heisenberg group, H_m, as a platform. We show that the subgroup-restricted simultaneous conjugacy search problem in H_m can be solved in quasi-quintic time, which allows the computation of the private keys of the parties.

Title: Faster Ate pairing computation on Selmer's model of elliptic curves
Authors: Emmanuel Fouotsa, Abdoul Aziz Ciss
Journal: Groups Complexity Cryptology, volume 48 1, pages 55 - 67, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0005 (https://doi.org/10.1515/gcc-2016-0005)
Abstract: This paper revisits the computation of pairings on a model of elliptic curve called Selmer curves. We extend the work of Zhang, Wang, Wang and Ye [17] to the computation of other variants of the Tate pairing on this curve. In particular, we show that the Selmer model of an elliptic curve presents faster formulas for the computation of the Ate and optimal Ate pairings with respect to Weierstrass elliptic curves. We show how to parallelise the computation of these pairings and we obtain very fast results. We also present an example of optimal pairing on a pairing-friendly Selmer curve of embedding degree k = 12.

Title: A parallel evolutionary approach to solving systems of equations in polycyclic groups
Authors: M. J. Craven, D. Robertz
Journal: Groups Complexity Cryptology, volume 44 1, pages 109 - 125, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0012 (https://doi.org/10.1515/gcc-2016-0012)
Abstract: The Anshel–Anshel–Goldfeld (AAG) key exchange protocol is based upon the multiple conjugacy problem for a finitely presented group. The hardness in breaking this protocol relies on the supposed difficulty in solving the corresponding equations for the conjugating element in the group. Two such protocols based on polycyclic groups as a platform were recently proposed and were shown to be resistant to length-based attack. In this article we propose a parallel evolutionary approach which runs on multicore high-performance architectures. The approach is shown to be more efficient than previous attempts to break these protocols, and also more successful. Comprehensive data of experiments run with a GAP implementation are provided and compared to the results of earlier length-based attacks. These demonstrate that the proposed platform is not as secure as first thought and also show that existing measures of cryptographic complexity are not optimal. A more accurate alternative measure is suggested. Finally, a linear algebra attack for one of the protocols is introduced.

Title: Factoring multi-power RSA moduli with primes sharing least or most significant bits
Authors: Omar Akchiche, O. Khadir
Journal: Groups Complexity Cryptology, volume 27 1, pages 47 - 54, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0002 (https://doi.org/10.1515/gcc-2016-0002)
Abstract: We study the factorization of a balanced multi-power RSA modulus N = p^r q when the unknown primes p and q share t least or most significant bits. We show that if t ≥ 1/(1+r) log p, then it is possible to compute the prime decomposition of N in polynomial time in log N. This result can be used to mount attacks against several cryptographic protocols that are based on the modulus N.

Title: Computing discrete logarithms using 𝒪((log q)^2) operations from {+, -, ×, ÷, &}
Authors: C. Schridde
Journal: Groups Complexity Cryptology, volume 1 1, pages 107 - 91, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0009 (https://doi.org/10.1515/gcc-2016-0009)
Abstract: Given a computational model with registers of unlimited size that is equipped with the set {+, -, ×, ÷, &} =: OP of unit-cost operations, and given a safe prime number q, we present the first explicit algorithm that computes discrete logarithms in ℤ_q^* to a base g using only 𝒪((log q)^2) operations from OP. For a random n-bit prime number q, the algorithm is successful as long as the subgroup of ℤ_q^* generated by g and the subgroup generated by the element p = 2^⌊log_2(q)⌋ share a subgroup of size at least 2^((1 - 𝒪(log n / n)) n).

Title: Authenticated commutator key agreement protocol
Authors: A. Ushakov
Journal: Groups Complexity Cryptology, volume 89 1, pages 127 - 133, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0011 (https://doi.org/10.1515/gcc-2016-0011)
Abstract: The original commutator key agreement (CKA) protocol is a two-party anonymous key agreement protocol invented by I. Anshel, M. Anshel and D. Goldfeld. In this paper we propose a modification of the CKA protocol with mutual authentication without introducing any additional computational assumptions. In addition, we propose a new zero-knowledge Feige–Fiat–Shamir-type authentication protocol.

Title: Generic case complexity of the Graph Isomorphism Problem
Authors: G. A. Noskov, A. Rybalov
Journal: Groups Complexity Cryptology, volume 4 1, pages 20 - 9, published 2016-01-01 (journal article)
DOI: 10.1515/gcc-2016-0008 (https://doi.org/10.1515/gcc-2016-0008)
Abstract: The edge test is a partial algorithm for the Graph Isomorphism Problem based on comparing the number of edges. We perform a probabilistic analysis of the efficiency of the edge test. With the binomial distribution B(n, p) on the set of inputs, we estimate the asymptotic failure probability of the edge test depending on the rate of decay of the parameter p. In particular, if p ≤ 1/2 and np → λ > 0, then the asymptotic failure probability is nonzero, so that the edge test does not generically solve the Graph Isomorphism Problem. On the other hand, if p ≤ 1/2 and np → ∞, then the failure set is negligible and the edge test generically solves the Graph Isomorphism Problem in polynomial time.