# Search Results

arithmetic on Hessian curves Public Key Cryptography – PKC 2010 Paris 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 243 260 9 D. Freeman, M. Scott and E. Teske, A taxonomy of pairing-friendly elliptic curves, J. Cryptology 23 (2010), 2, 224–280. Freeman D. Scott M. Teske E. A taxonomy of pairing-friendly elliptic curves J. Cryptology 23 2010 2 224 280 10 G. Frey, M. Müller and H. Rück, The tate pairing and the discrete logarithm applied to elliptic curve cryptosystems, IEEE Trans. Inform. Theory 45 (1999), 5, 1717–1719. Frey G. Müller M. Rück H. The tate

. Scott M. Faster squaring in the cyclotomic subgroup of sixth degree extensions Public Key Cryptography PKC 2010 Lecture Notes in Comput. Sci. 6056 Springer Berlin 2010 209 223 11 L. Hu, J. Dong and D. Pei, Implementation of cryptosystems based on Tate pairing, J. Comput. Sci. Tech. 20 (2005), 2, 264–269. Hu L. Dong J. Pei D. Implementation of cryptosystems based on Tate pairing J. Comput. Sci. Tech. 20 2005 2 264 269 12 M. Joye and J. J. Quisquater, Efficient computation of full Lucas sequences, Electron. Lett. 36 (1996), 6, 537–538. Joye M. Quisquater J. J

projective, 1 Néron, see height, see theorem of Néron, Tate Néron–Tate pairing, 124 Nagell, see theorem of Nagell, Lutz, and Cassels, see theorem of Nagell, Lutz non-split multiplicative reduction, see reduction nonsingular, 4 O, 93 one-way function, 82 ordinary, 65 Index 367 parametrization, 41 period, 33, 52, 54 period parallelogram, 33 plane algebraic curve, 2 affine, 2 projective, 2 Pohlig-Hellmann reduction of DLP, 83 point at infinity, 2, 3 Pollard, 84 primality test, Goldwasser, Kilian, 27 projective n-space, see n-space public key, see cryptosystem purely

.37), respectively, are related by OhD.P / D 3 Oh.P /. A very important property of the canonical height is that, by means of it, a positive- definite quadratic form is defined as follows: First, one defines the so-called Néron– Tate (or Weil) pairing by hP ,Qi D Oh.P CQ/ Oh.P / Oh.Q/. The following important properties for the canonical height and the Néron–Tate pair- ing hold (see [45, Theorem 9.3]): The Néron–Tate pairing is bilinear. For any P 2 E with PE 2 E.Q/ and anym 2 Z, Oh.mP / D m2 Oh.P /; in particular, Oh.P / D Oh.P /. Oh.P / 0 and Oh.P / D 0 if and only if PE

(K)→ R 〈P,Q〉 = ĥ(P +Q)− ĥ(P )− ĥ(Q) is symmetric and bilinear. This pairing is called Néron–Tate pairing. (Sometimes a factor 12 is placed in front of the right-hand side. This has the advantage that then ĥ(P ) = 〈P, P 〉.) Proof. a) As we have seen in Theorem 5.13, one has 2h(P )+ 2h(Q)− c1 ≤ h(P +Q)+ h(P −Q) ≤ 2h(P )+ 2h(Q)+ c2 for all P,Q ∈ E(K) with constants c1 and c2. Replacing P and Q by 2nP and 2nQ, and dividing the equation by 22n, one gets the equation 2 h(2nP ) 22n + 2h(2 nQ) 22n − c1 22n ≤ h(2 n(P +Q)) 22n + h(2 n(P −Q)) 22n ≤ 2h(2 nP ) 22n + 2h(2 nQ) 22

-to-Point. Map-to-Point is an algorithm for converting an arbitrary bit string into an elliptic curve point. Firstly, the string has to be converted into an integer and then a mapping is required from that integer onto an elliptic curve point. There are fast algorithms for computation of scalar multiplication of point and map- to-point operation [15]. 2.2 Bilinear pairings A bilinear pairing is a function that takes as input two groups and outputs an element of a multiplicative group [6, 19]. The Weil pairing and the Tate pairing are the two most commonly used bilinear

-based cryptography and its security analysis 47 4.1 Pairing In this paper we deal with Tate pairing using the supersingular curves over finite fields of characteristic three, which have been used for efficient implementation of pairing [4, 15, 24]. Let GF.3n/ be the finite field of characteristic three and extension degree n. For b D ˙1 the supersingular elliptic curve Eb3 .n/ over GF.3n/ is defined by Eb3 .n/ D ¹.x; y/ 2 GF.3n/ GF.3n/ jy2 D x3 x C bº [ ¹1º: We usually choose n as a prime number in cryptography. The order of Eb3 .n/ is #Eb3 .n/ D 3n C 1C b 3 n 3.nC1/=2; where

strategy 313 statistical frequency attack 32 stream cipher 20 – software generation 24 stream ciphers 22 strong pseudoprime 119 subalgebra membership problem 327 subgroup 184 – conjugate 186 substitution cipher 20 substitution-permutation network 21 subword 317 successful attack 40 summit set 269 SVP 354 syllable length 209 symmetric group 189 symmetric key cryptography 4, 19, 126 symmetry group 188 system of generators 318 syzygy module 329 – computation 333 Tate pairing 171 term 297, 329 term ordering 297 – component elimination 331 –degree reverse lexicographic 298

+ 1−|E(ℤp)|. Then the following hold: (1) E([n]) ≅ (ℤn1 , +) × (ℤn2 , +) for some n1, n2 ∈ ℕ if n ∈ ℕ and p does not divide n E([pr]) ≅ {O} if p|t, that is, E(ℤp) is super singular and E([pr]) ≅ (ℤpr , +) if p does not divide t. (2) The map ℤ → End(E(ℤp)) given by k → [k] is an injective ring homomorphism. We call this the Tate pairing. (3) ϕ 2 − [t]ϕ + [p] = [0] in End(E(ℤp). Proof. Here End(E(ℤp)) is the ring of endomorphisms of (E(ℤp)) via k + l → [k + l] where [k + l](P) = [k](P) + [l](P) forP ∈ (E(ℤp)) and kl → k∘lwhere [k∘l](P) = [k]([l](P)) for P ∈ (E