## Cryptology ePrint Archive: Report 2014/274

Weak instances of composite order protocols

Sorina Ionica and Malika Izabachène

Abstract: In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number $N$. Boneh et al. proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order $N$. Displaying such a curve as a public parameter implies revealing a square root of the complex multiplication discriminant $-D$ modulo $N$. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, by computing a square root $\lambda$ of $-D$ modulo one of its factors. Our attack is based on a generic discrete logarithm algorithm. We recommend that $\lambda$ should be chosen as a high entropy input parameter when running the Cocks-Pinch algorithm, in order to ensure protection from our attack.

Category / Keywords: composite order group, integer factorization, elliptic curve, endomorphism, Coppersmith's algorithm

Date: received 20 Apr 2014, last revised 22 Apr 2014

Contact author: sorina ionica at m4x org
