Paper 2012/657

Fixed Argument Pairing Inversion on Elliptic Curves

Sungwook Kim and Jung Hee Cheon

Abstract

Let $E$ be an elliptic curve over a finite field ${\mathbb F}_q$ with a power of prime $q$, $r$ a prime dividing $\#E({\mathbb F}_q)$, and $k$ the smallest positive integer satisfying $r | \Phi_k(p)$, called embedding degree. Then a bilinear map $t: E({\mathbb F}_q)[r] \times E({\mathbb F}_{q^k})/rE({\mathbb F}_{q^k}) \rightarrow {\mathbb F}_{q^k}^*$ is defined, called the Tate pairing. And the Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power. In this paper we consider the {\em Fixed Argument Pairing Inversion (FAPI)} problem for the Tate pairing and its variants. In 2012, considering FAPI for the Ate$_i$ pairing, Kanayama and Okamoto formulated the {\em Exponentiation Inversion (EI)} problem. However the definition gives a somewhat vague description of the hardness of EI. We point out that the described EI can be easily solved, and hence clarify the description so that the problem does contain the actual hardness connection with the prescribed domain for given pairings. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the lager domain. This is very interesting because it is commonly believed that the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it may leak some information, thus there would be a chance for attackers to find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Unknown where it was published
Keywords
Pairing InverisionFixed Argument Pairing InversionExponentiation InversionTate PairingAte pairing.
Contact author(s)
avell7 @ snu ac kr
History
2012-11-26: received
Short URL
https://ia.cr/2012/657
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/657,
      author = {Sungwook Kim and Jung Hee Cheon},
      title = {Fixed Argument Pairing Inversion on Elliptic Curves},
      howpublished = {Cryptology ePrint Archive, Paper 2012/657},
      year = {2012},
      note = {\url{https://eprint.iacr.org/2012/657}},
      url = {https://eprint.iacr.org/2012/657}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.