Paper 2014/274

A note on the construction of pairing-friendly elliptic curves for composite order protocols

Sorina Ionica and Malika Izabachène

Abstract

In pairing-based cryptography, the security of protocols using composite order groups relies on the difficulty of factoring a composite number N. Boneh et al. proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order N. Displaying such a curve as a public parameter implies revealing a square root s of the complex multiplication discriminant D modulo N. We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, under certain conditions. Our conclusion is that the values of s modulo each prime in the factorization of N should be chosen as high entropy input parameters when running the Cocks-Pinch algorithm.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Minor revision. Balkan Cryptsec 2018
Keywords
composite order group, integer factorization, elliptic curve, endomorphism, Coppersmith's algorithm
Contact author(s)
sorina ionica @ m4x org
History
2019-08-11: last of 4 revisions
2014-04-21: received
Short URL
https://ia.cr/2014/274
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2014/274,
      author = {Sorina Ionica and Malika Izabachène},
      title = {A note on the construction of pairing-friendly elliptic curves for composite order protocols},
      howpublished = {Cryptology {ePrint} Archive, Paper 2014/274},
      year = {2014},
      url = {https://eprint.iacr.org/2014/274}
}