Edlyn Teske - Academia.edu (original) (raw)

Papers by Edlyn Teske

IACR Cryptology ePrint Archive, 2006

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients fo... more Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairingbased cryptographic systems. Such "pairing-friendly" curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptogra... more We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.

For integers a and b we define the Shanks chain p1 ; p2 ; : : : ; pk of length k to be a sequence... more For integers a and b we define the Shanks chain p1 ; p2 ; : : : ; pk of length k to be a sequence of k primes such that p i+1 = ap i 2 \Gamma b for i = 1; 2; : : : ; k \Gamma 1. While for Cunningham chains it is conjectured that arbitrarily long chains exist, this is, in general, not true for Shanks chains. In fact, with s = ab we show that for all but 56 values of s 1000 any corresponding Shanks chain must have bounded length. For this, we study certain properties of functional digraphs of quadratic functions over prime fields, both in theory and practice. We give efficient algorithms to investigate these properties and present a selection of our experimental results.

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients fo... more Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairing-friendly ” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions currently existing in the literature. We also include new constructions of pairing-friendly elliptic curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

A finite field K is said to be weak for elliptic curve cryptography if all instances of the discr... more A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard 's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields F q 5 are weak. In this paper, we examine characteristic two finite fields Fq n for weakness under Hess' generalization of the GHS attack. We show that the fields F q 7 are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over F q 7 , namely those curves E for which #E(F q 7) is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields F q 3 are partially weak, that the fields F q 6 are potentially weak, and that the fields F q 8 are po...

Abstract. We consider Pollard’s rho method for discrete logarithm computation. Usually, in the an... more Abstract. We consider Pollard’s rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard’s rho method for prime group orders about 20 % faster than before. 1.

Selected Areas in Cryptography, 2003

Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage t... more Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage that the private key computations can be speeded up using Chinese remaindering. At the same time, with a proper choice of parameters, one does not have to work with a larger modulus to achieve the same level of security in terms of the difficulty of the integer factorization problem. However, numerous attacks on specific instances on the RSA cryptosystem are known that apply if, for example, the decryption or encryption exponent are chosen too small, or if partial knowledge of the private key is available. Little work is known on how such attacks perform in the multi-prime case. It turns out that for most of these attacks it is crucial that the modulus contains exactly two primes. They become much less effective, or fail, when the modulus factors into more than two distinct primes.

Algorithmic Number Theory, 2000

Algorithmic Number Theory Symposium, 1998

In Pollard's rho method, an iterating function f is used to de ne a sequence (y i) by y i+1 = f (... more In Pollard's rho method, an iterating function f is used to de ne a sequence (y i) by y i+1 = f (y i) for i = 0; 1; 2; : : : , with some starting value y 0. In this paper, we de ne and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly de ned functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. Pollard's algorithm 12] is generic in the sense that it can be applied to any group for which the following is satis ed. Given any two group elements g and h we can compute the product g h. Given any two group elements g and h we can check whether g = h.

We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the r... more We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop a unifying framework. We discuss the techniques used to optimize the pairing computation on hyperelliptic curves, and present many directions for further research.

Mathematics of Computation, 2001

We show how to use the parallelized kangaroo method for computing invariants in real quadratic fu... more We show how to use the parallelized kangaroo method for computing invariants in real quadratic function fields. Specifically, we show how to apply the kangaroo method to the infrastructure in these fields. We also show how to speed up the computation by using heuristics on the distribution of the divisor class number, and by using the relatively inexpensive baby steps in the real quadratic model of a hyperelliptic function field. Furthermore, we provide examples for regulators and class numbers of hyperelliptic function fields of genus 3 that are larger than those ever reported before.

Mathematics of Computation, 2001

In this paper, we provide sharp estimates for the divisor class number of hyperelliptic function ... more In this paper, we provide sharp estimates for the divisor class number of hyperelliptic function elds. We extend the existing methods to any hyperelliptic function eld and improve the previous bounds by a factor with the help of new results. We thus obtain a faster method of computing regulators and class numbers. Furthermore, we provide heuristics on the distribution of the class number within the bounds on the class number. These heuristics suggest that, although the bounds are sharp, the approximation is in general far better.

Journal of Symbolic Computation, 1999

We present a new algorithm that extends the techniques of the Pohlig-Hellman algorithm for discre... more We present a new algorithm that extends the techniques of the Pohlig-Hellman algorithm for discrete logarithm computation to the following situation: Given a nite abelian group and group elements h, g1

Journal of Cryptology, 2006

Mathematics of Computation - Math. Comput., 2005

We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve ov... more We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve over a finite field. If the underlying field is a prime field F p , the algorithm has complexity O(√ p).

Experimental Mathematics, 1999

IACR Cryptology ePrint Archive, 2006

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients fo... more Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairingbased cryptographic systems. Such "pairing-friendly" curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptogra... more We demonstrate that some finite fields, including F 2 210 , are weak for elliptic curve cryptography in the sense that any instance of the elliptic curve discrete logarithm problem for any elliptic curve over these fields can be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We discuss the implications of our observations to elliptic curve cryptography, and list some open problems.

For integers a and b we define the Shanks chain p1 ; p2 ; : : : ; pk of length k to be a sequence... more For integers a and b we define the Shanks chain p1 ; p2 ; : : : ; pk of length k to be a sequence of k primes such that p i+1 = ap i 2 \Gamma b for i = 1; 2; : : : ; k \Gamma 1. While for Cunningham chains it is conjectured that arbitrarily long chains exist, this is, in general, not true for Shanks chains. In fact, with s = ab we show that for all but 56 values of s 1000 any corresponding Shanks chain must have bounded length. For this, we study certain properties of functional digraphs of quadratic functions over prime fields, both in theory and practice. We give efficient algorithms to investigate these properties and present a selection of our experimental results.

Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients fo... more Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairing-friendly ” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions currently existing in the literature. We also include new constructions of pairing-friendly elliptic curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

A finite field K is said to be weak for elliptic curve cryptography if all instances of the discr... more A finite field K is said to be weak for elliptic curve cryptography if all instances of the discrete logarithm problem for all elliptic curves over K can be solved in significantly less time than it takes Pollard 's rho method to solve the hardest instances. By considering the GHS Weil descent attack, it was previously shown that characteristic two finite fields F q 5 are weak. In this paper, we examine characteristic two finite fields Fq n for weakness under Hess' generalization of the GHS attack. We show that the fields F q 7 are potentially partially weak in the sense that any instance of the discrete logarithm problem for half of all elliptic curves over F q 7 , namely those curves E for which #E(F q 7) is divisible by 4, can likely be solved in significantly less time than it takes Pollard's rho method to solve the hardest instances. We also show that the fields F q 3 are partially weak, that the fields F q 6 are potentially weak, and that the fields F q 8 are po...

Abstract. We consider Pollard’s rho method for discrete logarithm computation. Usually, in the an... more Abstract. We consider Pollard’s rho method for discrete logarithm computation. Usually, in the analysis of its running time the assumption is made that a random walk in the underlying group is simulated. We show that this assumption does not hold for the walk originally suggested by Pollard: its performance is worse than in the random case. We study alternative walks that can be efficiently applied to compute discrete logarithms. We introduce a class of walks that lead to the same performance as expected in the random case. We show that this holds for arbitrarily large prime group orders, thus making Pollard’s rho method for prime group orders about 20 % faster than before. 1.

Selected Areas in Cryptography, 2003

Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage t... more Using more than two factors in the modulus of the RSA cryptosystem has the arithmetic advantage that the private key computations can be speeded up using Chinese remaindering. At the same time, with a proper choice of parameters, one does not have to work with a larger modulus to achieve the same level of security in terms of the difficulty of the integer factorization problem. However, numerous attacks on specific instances on the RSA cryptosystem are known that apply if, for example, the decryption or encryption exponent are chosen too small, or if partial knowledge of the private key is available. Little work is known on how such attacks perform in the multi-prime case. It turns out that for most of these attacks it is crucial that the modulus contains exactly two primes. They become much less effective, or fail, when the modulus factors into more than two distinct primes.

Algorithmic Number Theory, 2000

Algorithmic Number Theory Symposium, 1998

In Pollard's rho method, an iterating function f is used to de ne a sequence (y i) by y i+1 = f (... more In Pollard's rho method, an iterating function f is used to de ne a sequence (y i) by y i+1 = f (y i) for i = 0; 1; 2; : : : , with some starting value y 0. In this paper, we de ne and discuss new iterating functions for computing discrete logarithms with the rho method. We compare their performances in experiments with elliptic curve groups. Our experiments show that one of our newly de ned functions is expected to reduce the number of steps by a factor of approximately 0:8, in comparison with Pollard's originally used function, and we show that this holds independently of the size of the group order. For group orders large enough such that the run time for precomputation can be neglected, this means a real-time speed-up of more than 1:2. Pollard's algorithm 12] is generic in the sense that it can be applied to any group for which the following is satis ed. Given any two group elements g and h we can compute the product g h. Given any two group elements g and h we can check whether g = h.

We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the r... more We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop a unifying framework. We discuss the techniques used to optimize the pairing computation on hyperelliptic curves, and present many directions for further research.

Mathematics of Computation, 2001

We show how to use the parallelized kangaroo method for computing invariants in real quadratic fu... more We show how to use the parallelized kangaroo method for computing invariants in real quadratic function fields. Specifically, we show how to apply the kangaroo method to the infrastructure in these fields. We also show how to speed up the computation by using heuristics on the distribution of the divisor class number, and by using the relatively inexpensive baby steps in the real quadratic model of a hyperelliptic function field. Furthermore, we provide examples for regulators and class numbers of hyperelliptic function fields of genus 3 that are larger than those ever reported before.

Mathematics of Computation, 2001

In this paper, we provide sharp estimates for the divisor class number of hyperelliptic function ... more In this paper, we provide sharp estimates for the divisor class number of hyperelliptic function elds. We extend the existing methods to any hyperelliptic function eld and improve the previous bounds by a factor with the help of new results. We thus obtain a faster method of computing regulators and class numbers. Furthermore, we provide heuristics on the distribution of the class number within the bounds on the class number. These heuristics suggest that, although the bounds are sharp, the approximation is in general far better.

Journal of Symbolic Computation, 1999

We present a new algorithm that extends the techniques of the Pohlig-Hellman algorithm for discre... more We present a new algorithm that extends the techniques of the Pohlig-Hellman algorithm for discrete logarithm computation to the following situation: Given a nite abelian group and group elements h, g1

Journal of Cryptology, 2006

Mathematics of Computation - Math. Comput., 2005

We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve ov... more We present an algorithm for computing the cardinality of the Jacobian of a random Picard curve over a finite field. If the underlying field is a prime field F p , the algorithm has complexity O(√ p).

Experimental Mathematics, 1999