The group membership check is an important operation for implementing discrete logarithm-based cryptography securely in practice. Because this check requires a costly scalar multiplication or exponentiation, several efficient methods have been investigated. In pairing-based cryptography, which is an extended research area of discrete logarithm-based cryptography, Barreto et al. (LATINCRYPT 2015) proposed a parameter choice called subgroup-secure elliptic curves. They also claimed that, in some schemes, if an elliptic curve is subgroup-secure, the costly scalar multiplication or exponentiation can be omitted from the membership check of bilinear groups, which results in schemes faster than the original ones. They also noted that some schemes would not remain secure with this omission. However, they did not give an explicit condition for which schemes become insecure with the omission. In this paper, we show a concrete example of insecurity in the sense of subgroup security to help developers understand what subgroup security is and which properties are preserved. In our conclusion, we recommend that developers use the original membership check because it is a general and straightforward method to implement schemes securely. If developers want to use subgroup-secure elliptic curves and omit the costly operation in a scheme for performance reasons, it is critical to carefully re-analyze that correctness and security are preserved with the omission.
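The trade-off described in the abstract, as an added example that is not taken from the paper: it generalises to a toy prime-order subgroup of Z_p^* rather than a pairing group, and does not reproduce the paper's counterexample. The parameters `P` and `Q` and all function names are constructed for this illustration.

```python
# Toy parameters constructed for illustration; far too small for real use.
P = 2267                   # prime modulus, P - 1 = 2 * 11 * 103
Q = 103                    # prime order of the intended subgroup
COFACTOR = (P - 1) // Q    # 22 = 2 * 11, i.e. small prime factors remain


def element_of_order(r):
    """Return an element of Z_P^* of exact prime order r (r must divide P - 1)."""
    for h in range(2, P):
        x = pow(h, (P - 1) // r, P)
        if x != 1:         # order divides the prime r and is not 1, so it is r
            return x
    raise ValueError("no element of that order found")


def cheap_check(x):
    """Range check only: a non-identity residue mod P, no exponentiation."""
    return isinstance(x, int) and 1 < x < P


def full_membership_check(x):
    """Original membership check: range check plus the costly x^Q == 1 test."""
    return cheap_check(x) and pow(x, Q, P) == 1


def outputs_reachable(x, exponents):
    """Values x^k mod P that a party would compute over its possible secrets k."""
    return {pow(x, k, P) for k in exponents}


G = element_of_order(Q)    # generator of the intended order-103 subgroup
W = element_of_order(11)   # well-formed residue that lies outside the subgroup

if __name__ == "__main__":
    secret_range = range(1, Q)
    for name, x in (("G", G), ("W", W)):
        print(name,
              "cheap:", cheap_check(x),
              "full:", full_membership_check(x),
              "distinct outputs:", len(outputs_reachable(x, secret_range)))
```

`W` passes the cheap check but is rejected by the full check; without that rejection, results computed from it fall into only 11 values instead of 102, which is the kind of property a scheme must be re-analysed for before the exponentiation is dropped.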
Tadanori TERUYA
National Institute of Advanced Industrial Science and Technology
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Tadanori TERUYA, "A Note on Subgroup Security in Discrete Logarithm-Based Cryptography" in IEICE TRANSACTIONS on Fundamentals,
vol. E104-A, no. 1, pp. 104-120, January 2021, doi: 10.1587/transfun.2020CIP0019.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2020CIP0019/_p
@ARTICLE{e104-a_1_104,
author={Tadanori TERUYA},
journal={IEICE TRANSACTIONS on Fundamentals},
title={A Note on Subgroup Security in Discrete Logarithm-Based Cryptography},
year={2021},
volume={E104-A},
number={1},
pages={104-120},
keywords={},
doi={10.1587/transfun.2020CIP0019},
ISSN={1745-1337},
month={January},}