

A Note on Subgroup Security in Discrete Logarithm-Based Cryptography
Tadanori TERUYA
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E104-A
No.1
pp.104-120
Publication Date: 2021/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.2020CIP0019
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category:
Keyword: discrete logarithm-based cryptography, ElGamal encryption, membership check, pairing-based cryptography, subgroup security
Summary:
The membership check of a group is an important operation for securely implementing discrete logarithm-based cryptography in practice. Since this check requires a costly scalar multiplication or exponentiation operation, several efficient methods have been investigated. In the case of pairing-based cryptography, which is an extended research area of discrete logarithm-based cryptography, Barreto et al. (LATINCRYPT 2015) proposed a parameter choice called subgroup-secure elliptic curves. They also claimed that, in some schemes, if an elliptic curve is subgroup-secure, the costly scalar multiplication or exponentiation operation can be omitted from the membership check of bilinear groups, which results in faster schemes than the original ones. They also noted that some schemes would not maintain security with this omission. However, they did not show an explicit condition for which schemes become insecure with the omission. In this paper, we show a concrete example of insecurity in the sense of subgroup security to help developers understand what subgroup security is and what properties are preserved. In our conclusion, we recommend that developers use the original membership check because it is a general and straightforward method to implement schemes securely. If developers want to use subgroup-secure elliptic curves and omit the costly operation in a scheme for performance reasons, it is critical to carefully re-analyze whether correctness and security are preserved with the omission.
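
The original membership check that the summary recommends, as an added example that is not taken from the paper: ElGamal decryption that validates both ciphertext components with the full exponentiation test before using them. It assumes a toy prime-order subgroup of Z_p^* as a stand-in for the groups the paper treats; the parameters and all function names are constructed for illustration.

```python
# Toy parameters, constructed for illustration (far too small for real use).
P = 67   # prime modulus; |Z_P^*| = 66 = 2 * 3 * 11
Q = 11   # prime order of the subgroup the scheme is defined over
G = 64   # generator of the order-Q subgroup (64 = 2^6 mod 67)

def in_range(x):
    """Cheap check only: x is a nontrivial residue. Says nothing about its order."""
    return 1 < x < P

def is_member(x):
    """Full membership check: costs one exponentiation by the group order Q."""
    return 0 < x < P and pow(x, Q, P) == 1

def element_order(x):
    """Multiplicative order of x in Z_P^* (brute force, fine at toy size)."""
    for d in range(1, P):
        if (P - 1) % d == 0 and pow(x, d, P) == 1:
            return d

def keygen(sk):
    return pow(G, sk, P)

def encrypt(pk, m, k):
    # Messages and public keys must themselves be subgroup elements.
    if not (is_member(pk) and is_member(m)):
        raise ValueError("public key or message outside the order-Q subgroup")
    return pow(G, k, P), (m * pow(pk, k, P)) % P

def decrypt(sk, c1, c2):
    # Validate every received element before it touches the secret key.
    if not (is_member(c1) and is_member(c2)):
        raise ValueError("ciphertext component outside the order-Q subgroup")
    shared = pow(c1, sk, P)
    return (c2 * pow(shared, -1, P)) % P   # modular inverse, Python 3.8+
```

With these parameters, 37 (order 3) and 2 (order 66) both pass `in_range` but fail `is_member`, which is the gap between a range check and the full membership check.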

