The security of pairing-based cryptosystems is determined by the difficulty of solving the discrete logarithm problem (DLP) over certain types of finite fields. One of the most efficient algorithms for computing a pairing is the ηT pairing over supersingular curves on finite fields of characteristic 3. Indeed many high-speed implementations of this pairing have been reported, and it is an attractive candidate for practical deployment of pairing-based cryptosystems. Since the embedding degree of the ηT pairing is 6, we deal with the difficulty of solving a DLP over the finite field GF(36n), where the function field sieve (FFS) is known as the asymptotically fastest algorithm of solving it. Moreover, several efficient algorithms are employed for implementation of the FFS, such as the large prime variation. In this paper, we estimate the time complexity of solving the DLP for the extension degrees n=97, 163, 193, 239, 313, 353, and 509, when we use the improved FFS. To accomplish our aim, we present several new computable estimation formulas to compute the explicit number of special polynomials used in the improved FFS. Our estimation contributes to the evaluation for the key length of pairing-based cryptosystems using the ηT pairing.

In this paper, we examine additive homomorphic encryptions in the discrete logarithm setting. Recently, Wang et al. proposed an additive homomorphic encryption scheme by modifying the ElGamal encryption scheme [Information Sciences 181(2011) 3308-3322]. We show that their scheme allows only limited number of additions among encrypted messages, which is different from what they claimed.

Pairings on elliptic curves over finite fields are crucial for constructing various cryptographic schemes. The ηT pairing on supersingular curves over GF(3n) is particularly popular since it is efficiently implementable. Taking into account the Menezes-Okamoto-Vanstone attack, the discrete logarithm problem (DLP) in GF(36n) becomes a concern for the security of cryptosystems using ηT pairings in this case. In 2006, Joux and Lercier proposed a new variant of the function field sieve in the medium prime case, named JL06-FFS. We have, however, not yet found any practical implementations on JL06-FFS over GF(36n). Therefore, we first fulfill such an implementation and we successfully set a new record for solving the DLP in GF(36n), the DLP in GF(36·71) of 676-bit size. In addition, we also compare JL06-FFS and an earlier version, named JL02-FFS, with practical experiments. Our results confirm that the former is several times faster than the latter under certain conditions.

By modifying the private key and the public key setting in Boneh-Lynn-Shacham's short signature shcheme, a variation of BLS' short signature scheme is proposed. Based on this variation, we present a very efficient threshold signature scheme where the number of pairing computation for the signaure share verification reduces to half.

A new simply implemented collusion-attack free identity-based non-interactive key sharing scheme (ID-NIKS) has been proposed. A common-key can be shared by executing only once a modular exponentiation which is equivalent to RSA deciphering, and the security depends on the difficulty of factoring and the discrete logarithm problem. Each user's secret information can be generated by solving two simple discrete logarithm problems and synthsizing their solutions by linear combination. The detail comparison with the Maurer-Yacobi's scheme including its modified versions shows that the computational complexity to generate each user's secret information is much smaller and the freedom to select system parameters is much greater than that of the Maurer-Yacobi's scheme. Then our proposed scheme can be implemented very easily and hence it is suitable for practical use.

Elliptic curves offer interesting possibilities for alternative cryptosystems, especially in constrained environments like smartcards. However, cryptographic routines running on such lightweight devices can be attacked with the help of "side channel information"; power consumption, for instance. Elliptic curve cryptosystems are not an exception: if no precaution is taken, power traces can help attackers to reveal secret information stored in tamper-resistant devices. Okeya-Takagi scheme (OT scheme) is an efficient countermeasure against such attacks on elliptic curve cryptosystems, which has the unique feature to allow any size for the pre-computed table: depending on how much memory is available, users can flexibly change the table size to fit their needs. Since the nature of OT scheme is different from other side-channel attack countermeasures, it is necessary to deeply investigate its security. In this paper, we present a comprehensive security analysis of OT scheme, and show that based on information leaked by power consumption traces, attackers can slightly enhance standard attacks. Then, we explain how to prevent such information leakage with simple and efficient modifications.

To the authors' knowledge, there are not many cryptosystems proven to be as difficult as or more difficult than the discrete logarithm problem. Concerning problems related to the discrete logarithm problem, there are problems called the double discrete logarithm problem and the e-th root of the discrete logarithm problem. These two problems are likely to be difficult and they have been utilized in cryptographic protocols such as verifiable secret sharing scheme and group signature scheme. However, their exact complexity has not been clarified, yet. Related to the e-th root of the discrete logarithm problem, we can consider a square root of the discrete logarithm problem. Again, the exact complexity of this problem has not been clarified, yet. The security of cryptosystems using these underlying problems deeply depends on the difficulty of these underlying problems. Hence it is important to clarify their difficulty. In this paper we prove reductions among these fundamental problems and show that under certain conditions, these problems are as difficult as or more difficult than the discrete logarithm problem modulo a prime.

To examine the computational complexity of cryptographic primitives such as the discrete logarithm problem, the factoring problem and the Diffie-Hellman problem, we define a new problem called square-root exponent, which is a problem to compute a value whose discrete logarithm is a square root of the discrete logarithm of a given value. We analyze reduction between the discrete logarithm problem modulo a prime and the factoring problem through the square-root exponent. We also examine reductions among the computational version and the decisional version of the square-root exponent and the Diffie-Hellman problem and show that the gap between the computational square-root exponent and the decisional square-root exponent partially overlaps with the gap between the computational Diffie-Hellman and the decisional Diffie-Hellman under some condition.

The certified discrete logarithm problem modulo p prime is a discrete logarithm problem under the conditions that the complete factorization of p-1 is given and by which the base g is certified to be a primitive root mod p. For the cryptosystems based on the intractability of certified discrete logarithm problem, Sakurai-Shizuya showed that breaking the Diffie-Hellman key exchange scheme reduces to breaking the Shamir 3-pass key transmission scheme with respect to the expected polynomial-time Turing reducibility. In this paper, we show that we can remove randomness from the reduction above, and replace the reducibility with the polynomial-time many-one. Since the converse reduction is known to hold with respect to the polynomial-time many-one reducibility, our result gives a stronger evidence for that the two schemes are completely equivalent as certified discrete log cryptosystems.

In recent years, the study of the security of Elliptic Curve Cryptosystems (ECCs) have been received much attention. The MOV algorithm, which reduces the elliptic curve discrete log problem (ECDLP) to the discrete log problem in finite fields with the Weil pairing, is a representative attack on ECCs. Recently Kanayama et al. observed a realization of the MOV algorithm for non-supersingular elliptic curves under the weakest condition. Shikata et al. independently considered a realization of the MOV algorithm for non-supersingular elliptic curves and proposed a generalization of the MOV algorithm. This short note explicitly shows that, under a usual cryptographical condition, we can apply the MOV algorithm to non-supersingular elliptic curves by using the multiplication by constant maps as in the case of supersingular. Namely, it is explicitly showed that we don't need such a generalization in order to realize the MOV algorithm for non-supersingular elliptic curves under a usual cryptographical condition.

In this paper, first, we propose two of the high rate methods based on Morii-Kasahara cryptosystem. Method A-I is based on Schalkwijk algorithm. Method A-II is based on the extended Schalkwijk algorithm, which is proposed in this paper. We then show that these proposed methods can yield a higher rate compared with ElGamal cryptosystem. Next, we also propose two methods for a fast encryption by dividing the message vector into several pieces. Regarding each of the divided vectors as an index, we can realize a fast transformation of the index into a limited weight vector. In Method B-I, Schalkwijk algorithm is used for the fast transformation. In Method B-II, the fast transformation is realized with the method of table-lookup. These methods can realize a faster encryption than Method A-I, Method A-II and Morii-Kasahara cryptosystem. The security of these proposed methods are based on the security of Morii-Kasahara cryptosystem.

We study how to generalize a key agreement and password authentication protocol on the basis of the well known hard problems such as a discrete logarithm problem and a Diffie-Hellman problem. The key agreement and password authentication protocol is necessary for networked or internetworked environments to provide the user knowledge-based authentication and to establish a new cryptographic key for the further secure session. The generalized protocol implies in this paper to require only weak constraints and to be generalized easily in any other cyclic groups which preserve two hard problems. The low entropy of password has made it difficult to design such a protocol and to prove its security soundness. In this paper, we devise a protocol which is easy to be generalized and show its security soundness in the random oracle model. The proposed protocol reduces the constraints extremely only to avoiding a smooth prime modulus. Our main contribution is in solving the password's low entropy problem in the multiplicative group for the generalization.

The problem we consider in this paper is whether the Menezes-Okamoto-Vanstone (MOV) reduction for attacking elliptic curve cryptosystems can be realized for genera elliptic curves. In realizing the MOV reduction, the base field Fq is extended so that the reduction to the discrete logarithm problem in a finite field is possible. Recent results by Balasubramanian and Koblitz suggest that, if l q-1, such a minimum extension degree is the minimum k such that l|qk-1, which is equivalent to the condition under which the Frey-Ruck (FR) reduction can be applied, where l is the order of the group in the elliptic curve discrete logarithm problem. Our point is that the problem of finding an l-torsion point required in evaluating the Weil pairing should be considered as well from an algorithmic point of view. In this paper, we actually propose a method which leads to a solution of the problem. In addition, our contribution allows us to draw the conclusion that the MOV reduction is indeed as powerful as the FR reduction under l q-1 not only from the viewpoint of the minimum extension degrees but also from that of the effectiveness of algorithms.

Super-anomalous elliptic curves over a ring Z/nZ ;(n=Πi=1k piei) are defined by extending anomalous elliptic curves over a prime filed Fp. They have n points over a ring Z/nZ and pi points over Fpi for all pi. We generalize Satoh-Araki-Smart algorithm and Ruck algorithm, which solve a discrete logarithm problem over anomalous elliptic curves. We prove that a "discrete logarithm problem over super-anomalous elliptic curves" can be solved in deterministic polynomial time without knowing prime factors of n.

The MOV and FR algorithms, which are representative attacks on elliptic curve cryptosystems, reduce the elliptic curve discrete logarithm problem (ECDLP) to the discrete logarithm problem in a finite field. This paper studies these algorithms and introduces the following three results. First, we show an explicit condition under which the MOV algorithm can be applied to non-supersingular elliptic curves. Next, by comparing the effectiveness of the MOV algorithm to that of the FR algorithm, it is explicitly shown that the condition needed for the MOV algorithm to be subexponential is the same as that for the FR algorithm except for elliptic curves of trace two. Finally, a new explicit reduction algorithm is proposed for the ECDLP over elliptic curves of trace two. This algorithm differs from a simple realization of the FR algorithm. Furthermore, we show, by experimental results, that the running time of the proposed algorithm is shorter than that of the original FR algorithm.

In Adleman's Function Field Sieve algorithm solving the discrete logarithm problem in a finite field, it is assumed that a random bivariate polynomial in the certain class is absolutely irreducible with high probability. In this letter we point out that if we use Cab type random polynomials then we always get absolutely irreducible polynomials. We can also simplify the calculation of a product of many rational functions on a curve that belongs to the field of definition by the use of a Cab curve.

In this paper, we propose a new conference key distribution scheme and the supervision of a conference when users are in a level-based hierarchy. In a conference key distribution system, one message is transmitted to the participants from a chairman, a legitimate member can decrypt it and reveal the common session key. The proposed scheme can be implemented without using any tamper-proof hardware. For users in a level-based hierarchy, by applying the key distribution scheme, the higher priority users can derive the conference key and supervise the lower level users' communications. Further, the users in the same level who are not members of the conference or in lower levels can not expose the conference key. To break the common session key, a malicious user has to suffer from the difficulty of factorization and discrete logarithm problems.