Supersingular Abelian Varieties in Cryptology
CRYPTO '02 Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology
Supersingular Curves in Cryptography
ASIACRYPT '01 Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Short Signatures from the Weil Pairing
Journal of Cryptology
The number field sieve in the medium prime case
CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology
Reducing elliptic curve logarithms to logarithms in a finite field
IEEE Transactions on Information Theory
A Generalized Brezing-Weng Algorithm for Constructing Pairing-Friendly Ordinary Abelian Varieties
Pairing '08 Proceedings of the 2nd international conference on Pairing-Based Cryptography
Generating Genus Two Hyperelliptic Curves over Large Characteristic Finite Fields
EUROCRYPT '09 Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques
On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields
Pairing '09 Proceedings of the 3rd International Conference Palo Alto on Pairing-Based Cryptography
Elliptic curves with a pre-determined embedding degree
ISIT'09 Proceedings of the 2009 IEEE international conference on Symposium on Information Theory - Volume 4
Closed formulae for the Weil pairing inversion
Finite Fields and Their Applications
On efficient pairings on elliptic curves over extension fields
Pairing'12 Proceedings of the 5th international conference on Pairing-Based Cryptography
Simple and exact formula for minimum loop length in Atei pairing based on Brezing---Weng curves
Designs, Codes and Cryptography
Hi-index | 0.00 |
Let C be a curve of genus g, defined over a finite field Fq, where q = pm for a prime p. Let N be a large integer coprime to p, dividing the order of the Jacobian variety associated to C. Pairings can transport the discrete logarithm problem (DLP) from the curve to a finite field where there are more efficient methods for solving the discrete logarithm. The embedding degree is defined to be the smallest positive integer k such that N divides qk -1. We show that the minimal embedding field is not necessarily Fqk, as is traditionally understood, but rather is FpordNp = FqordNp/m, which can be a field of significantly smaller size. This fact reveals that attacks on the DLP can be dramatically faster than otherwise expected, so a parameter separate from the embedding degree k needs to be used to indicate security.