Security analysis of elliptic curves with embedding degree 1 proposed in PLOS ONE 2016

Wang et al. proposed a method for obtaining elliptic curves with embedding degree 1 for securing critical infrastructures, and presented several elliptic curves generated by their method with torsion points of 160-bit and 189-bit orders. They also presented some experimental results and claimed that their implementation of an elliptic curve generated with their method is faster than an implementation for embedded devices presented by Bertoni et al. In this paper, we point out that the security and efficiency claims given by Wang et al. are flawed. Specifically, we show that it is possible to solve finite field discrete logarithm problems defined over their elliptic curves in practice. On the elliptic curves with torsion points of 160-bit orders generated by Wang et al., their instances of finite field discrete logarithm problems are solved in around 4 hours using a standard desktop PC. On the torsion points of 189-bit orders, their instances are solved in around 10 days using two standard desktop PCs. The hardness of the finite field discrete logarithm problems is one of the most important bases of security; therefore, their elliptic curves should not be used for cryptographic purposes.


Introduction
Since 2000, many researchers have proposed efficient and useful cryptographic schemes for securing systems using a pairing, which is a bilinear map defined over an elliptic curve. For example, Sakai et al. proposed a non-interactive key-exchange scheme [1], Joux proposed a tripartite key-exchange scheme [2], Boneh and Franklin proposed an identity-based encryption scheme [3], Boneh et al. proposed a short digital signature scheme [4], and Groth and Sahai proposed efficient non-interactive zero-knowledge proof systems [5]. This research field is called pairing-based cryptography because a pairing is used as a building block. As mentioned above, pairings allow us to implement many efficient and useful cryptographic schemes, and pairing-based cryptography is currently one of the major fields of cryptographic research [6,7]. For security requirements, any implementation of a pairing-based cryptographic scheme must select an appropriate elliptic curve. Its efficiency should then be improved to meet practical performance requirements. Since the computational costs of pairings and of group operations defined over elliptic curves are high, the investigation of fast algorithms and implementations is an important research topic, and there have been many studies on the mathematical foundations of the algorithms [8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26] and on efficient implementations [27][28][29][30][31][32][33][34]. A comprehensive survey was presented in [7].
Thanks to these studies, the development of pairing-based cryptosystems has progressed not only in theory but also in practice. However, implementation is still difficult. The most difficult problem is the selection of appropriate parameters to instantiate the schemes securely and efficiently, because all algorithms work correctly even if the selected parameters are vulnerable. It is therefore necessary to evaluate carefully whether the selected parameters are robust against cryptanalysis.
Recently, Wang et al. [35] proposed a method for obtaining elliptic curves with embedding degree 1 in order to instantiate pairing-based cryptographic schemes for securing critical infrastructures. They presented some experimental results and claimed that their pairing implementation on an elliptic curve generated with their method is faster than another secure and efficient implementation presented by Bertoni et al. [36,37]. The aim of Bertoni et al. [36,37] is to develop efficient implementations of pairings for embedded devices.
In this paper, we point out that there is a serious issue with the security and efficiency claims given by Wang et al. [35]. In short, their elliptic curves are insecure and should not be used for cryptographic purposes. Wang et al. [35] presented several elliptic curves generated by their method. The bit lengths of orders of these curves are 160 bits and 189 bits, and these elliptic curves are described in the files [38,39] of their supporting information. According to [25,40,41], these bit lengths are large enough to guarantee security in practice. However, we demonstrate that finite field discrete logarithm problems defined on these elliptic curves are solvable in practice by using standard desktop PCs. The hardness of finite field discrete logarithm problems is one of the most important bases of security; therefore, their elliptic curves should not be used for cryptographic purposes. In addition, we present security and efficiency analyses of the method of Wang et al. [35]. Based on these analyses, we conclude that the claims of security and efficiency given by Wang et al. [35] are flawed.
Recently, Chatterjee et al. [24] proposed proper constructions of pairing-based cryptographic schemes on elliptic curves with embedding degree 1. Their considerations and analyses of security and efficiency of their constructions are comprehensively discussed based on state-of-the-art results; therefore, we do not discuss how to repair the method of Wang et al. [35] in this paper. We strongly recommend that the readers refer to the study by Chatterjee et al. [24].
The rest of this paper is organized as follows. We introduce preliminaries of pairing-based cryptography. Next, we also introduce finite field discrete logarithm problems and elliptic curve discrete logarithm problems in pairing-based cryptography. We show how to produce finite field discrete logarithm problems from elliptic curves generated by Wang et al. [35], and then we show that they are solvable by using standard desktop PCs. Then we explain why their claims are flawed. Finally, we conclude the paper.

Mathematical preliminaries of pairings
In this section, we introduce the notations and terminology of pairings defined over elliptic curves [6,7].
Let $S$ be a finite set; we denote the number of elements in $S$ by $\#S$. Let $p$ be a prime number and $k$ a positive integer. We denote by $\mathbb{F}_p$ a finite field whose field order is $p$, by $\mathbb{F}_{p^k}$ its $k$-th extension field, and by $\mathbb{F}_{p^k}^*$ the multiplicative group of $\mathbb{F}_{p^k}$. For $\mathbb{F}_{p^k}$, its characteristic and extension degree are $p$ and $k$, respectively. We assume that $p > 3$, and an elliptic curve $E$ defined over $\mathbb{F}_p$ is defined by the Weierstrass equation where $X$ and $Y$ are two variables, and $a, b \in \mathbb{F}_p$ with $4a^3 + 27b^2 \neq 0$. We define the $\mathbb{F}_p$-rational points of $E$ as where $\infty$ is the point at infinity. Note that $E(\mathbb{F}_p)$ with its group operation, which is denoted by the addition symbol "+" in this paper, forms an abelian group whose unit element is $\infty$ and whose inverse operation is $-(x, y) := (x, -y)$. Let $P \in E(\mathbb{F}_p)$ and let $a$ be an integer. We denote the scalar multiplication of $P$ by $a$ as We say that $P$ has order $n$ if $n$ is the smallest positive integer such that $[n]P = \infty$. We also denote the additive cyclic group generated by $P$ as and the multiplicative cyclic group generated by $x$ as $\langle x \rangle := \{\, y \mid \text{there exists } a \in \mathbb{Z} \text{ such that } y = x^a \,\}$. (5) We call $P$ and $x$ generators of $\langle P \rangle$ and $\langle x \rangle$, respectively. We also call the number of elements of a group the group order.
Let $r$ be a prime number with $r \neq p$. Then we define the $r$-torsion points as where $\overline{\mathbb{F}}_p$ is the algebraic closure of $\mathbb{F}_p$, and we call $r$ the order of $E[r]$. The embedding degree $k$ of $E$ with respect to $r$ is the smallest positive integer such that $r \mid (p^k - 1)$, and this property ensures $\mu_r \subset \mathbb{F}_{p^k}^*$ and $E[r] \subset E(\mathbb{F}_{p^k})$, where $\mu_r := \{\, x \in \mathbb{F}_{p^k}^* \mid x^r = 1 \,\}$ is the group of $r$-th roots of unity [42]. Note that $\mu_r = \langle x \rangle$ for all Third, it is efficiently computable, i.e., its computational time complexity is polynomial in $\log r$ (see [8,9]).

Discrete logarithm problems of pairing-based cryptography
Every pairing-based cryptographic scheme requires the hardness of underlying mathematical problems in order to guarantee security in practice. In this section, we introduce two discrete logarithm problems which are important underlying mathematical problems for pairing-based cryptographic schemes.
Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_p$, let $r$ be a prime number with $r \neq p$, and let $k$ be the embedding degree of $E$ with respect to $r$. We define the following two discrete logarithm problems of $E$:
• Elliptic curve discrete logarithm problem in $E[r]$ (ECDLP): Given $P \in E[r] \setminus \{\infty\}$ and $Q = [x]P$, where $x$ is a randomly chosen integer from $\{1, \ldots, r-1\}$, find $x$. We call the pair $P$ and $Q$ an instance of ECDLP, and denote its solution by $x = \log_P Q$.
• Finite field discrete logarithm problem in $\mu_r \subset \mathbb{F}_{p^k}^*$ (FFDLP): Given $g \in \mu_r \setminus \{1\}$ and $h = g^y$, where $y$ is a randomly chosen integer from $\{1, \ldots, r-1\}$, find $y$. We call the pair $g$ and $h$ an instance of FFDLP, and denote its solution by $y = \log_g h$.
In general, the hardness of solving ECDLP is determined by the robustness against the best solving algorithm for ECDLP. The computational time complexity of the algorithm strongly depends on the bit length of order r, and the larger the bit length of r is, the harder ECDLP becomes. On the other hand, the hardness of solving FFDLP is also determined by the robustness against the best solving algorithm for FFDLP. Also, the computational time complexity of the algorithm strongly depends on the bit length of field order p k , and the larger the bit length of p k is, the harder FFDLP becomes.
Note that Menezes et al. [43], and Frey and Rück [44], pointed out that ECDLP can be reduced to FFDLP by using the Weil pairing or the (reduced) Tate pairing. We call this reduction the pairing reduction. For example, given an ECDLP instance $P$ and $Q = [x]P$ as above, one can choose an arbitrary element $T \in E[r]$ with $t(P, T) \neq 1$ and construct an FFDLP instance $g := t(P, T)$ and $h := t(Q, T) = t([x]P, T) = t(P, T)^x$; thus, $\log_P Q = \log_g h$. As mentioned above, every cryptographic scheme requires the hardness of ECDLP and FFDLP. Here it is important to note that the overall hardness of every cryptographic scheme is determined by its weakest underlying problem. Hence, developers of pairing-based cryptosystems should use appropriate elliptic curves such that both ECDLP and FFDLP are intractable simultaneously.
As mentioned above, the longer the bit lengths of r and p k are, the harder ECDLP and FFDLP, respectively, become and imply stronger robustness against cryptanalysis. However, the longer bit lengths of r and p k cause significant efficiency loss. Hence, it is a very important task to find an elliptic curve which has r and p k achieving reasonable robustness (i.e., security) and efficiency simultaneously. Since we focus on solving FFDLP reduced from ECDLP of elliptic curves generated by Wang et al. [35], finding appropriate elliptic curves is out of scope of this paper, and we refer the reader to [25,40,45,46] for the details.

Elliptic curves with embedding degree 1 proposed in PLOS ONE 2016
Wang et al. [35] presented two types of elliptic curves with embedding degree 1 generated by their method. These are described in the files [38,39] of their supporting information. For each type, there are 10 elliptic curves. Hence, there are 20 elliptic curves in total.
In this paper, we denote these two types of elliptic curves [38] and [39] as W160 and W189, respectively. In W160, each elliptic curve $E$ is defined over a finite field $\mathbb{F}_{p_1}$ with $E[r_1] \subset E(\mathbb{F}_{p_1})$, where $p_1$ and $r_1$ are two distinct prime numbers. The bit lengths of $r_1$ and $p_1$ are 160 bits and 319 bits, respectively. In W189, each elliptic curve $E$ is defined over a finite field $\mathbb{F}_{p_2}$ with $E[r_2] \subset E(\mathbb{F}_{p_2})$, where $p_2$ and $r_2$ are two distinct prime numbers. The bit lengths of $r_2$ and $p_2$ are 189 bits and 377 bits, respectively.

Results
In this section, we demonstrate that the FFDLP instances reduced from ECDLP instances of elliptic curves generated by Wang et al. [35] are easily solvable. Wang et al. [35] claimed that implementations of pairings defined over these elliptic curves are more efficient than an implementation of Bertoni et al. [36,37]. To the best of our knowledge, ECDLP and FFDLP of an elliptic curve implemented by Bertoni et al. [36,37] are intractable, so that we naturally expected that ECDLP and FFDLP of the elliptic curves implemented by Wang et al. [35] are also intractable. However, this is not the case, and hence, the security claim given by Wang et al. [35] is clearly flawed, and the efficiency claim is also flawed because FFDLP instances reduced from ECDLP instances of their elliptic curves are solvable in practice.

Problem instance generation
In this section, we explain how we generate the FFDLP instances reduced from ECDLP instances, which we solve.
To demonstrate that FFDLP instances on the W160 and W189 elliptic curves are easily solvable, the FFDLP instances should be generated without knowing their solutions. However, recall that by the definition of FFDLP the solution is randomly chosen by an instance generator, which means that the instance generator knows the solution. To generate FFDLP instances without knowing their solutions, we use a well-known methodology [47][48][49][50] together with the pairing reduction [43,44].
Concretely, we generate $h$, which is one part of an FFDLP instance, using the ratio $\pi$ of a circle's circumference to its diameter. For an elliptic curve $E$ defined over a finite field $\mathbb{F}_p$, we compute $h := (\lfloor \pi \cdot 2^{\ell} \rfloor)^{c} \bmod p$, where $\ell$ is the largest integer such that $\lfloor \pi \cdot 2^{\ell} \rfloor < p$, and $c = (p-1)/r$. Note that $h \in \mu_r$, since by Fermat's little theorem $h^r = \lfloor \pi \cdot 2^{\ell} \rfloor^{p-1} \equiv 1 \pmod p$. For the W160 and W189 elliptic curves, the largest such integers are $\lfloor \pi \cdot 2^{316} \rfloor$ and $\lfloor \pi \cdot 2^{374} \rfloor$, which are less than $p_1$ and $p_2$, respectively. We use $h_1 := (\lfloor \pi \cdot 2^{316} \rfloor)^{c_1} \bmod p_1$ and $h_2 := (\lfloor \pi \cdot 2^{374} \rfloor)^{c_2} \bmod p_2$ for W160 and W189, respectively, where $c_1 = (p_1 - 1)/r_1$ and $c_2 = (p_2 - 1)/r_2$. The integer values of $\lfloor \pi \cdot 2^{316} \rfloor$, $h_1$, $\lfloor \pi \cdot 2^{374} \rfloor$, and $h_2$ are given in the S1 and S2 Files of our supporting information.
Next, Wang et al. [35] provided elements $P, Q \in E[r]$ for all the elliptic curves, so there are 20 pairs of $P, Q$. We use them to generate the 20 elements $g = t(P, Q)$ that form the remaining part of the FFDLP instances. Note that, to compute $t(P, Q)$, we use the reduced Tate pairing function implemented in Sage [51].
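As an added illustration (not code from the paper or its supporting files), the following Python reproduces the instance-generation steps of this section and the FFDLP side of the pairing reduction on constructed toy parameters: it computes $\pi$ to the needed precision, derives $\ell$, $s = \lfloor \pi \cdot 2^{\ell} \rfloor$ and $h = s^{c} \bmod p$ exactly as defined above, checks $h \in \mu_r$, and then solves $\log_g h$ by baby-step giant-step. Assumptions: the toy field uses $p = 2^{31}-1$ and $r = 331$ instead of the W160/W189 parameters, and $g$ is taken as any non-identity element of $\mu_r$ rather than the pairing value $t(P, Q)$, since no pairing is computed here.

```python
# Added example, not from the paper: rebuild an FFDLP instance the way the paper
# does, h = floor(pi * 2^l)^c mod p with c = (p-1)/r, confirm h is in mu_r, and
# solve log_g h in a toy-sized field. Constructed toy parameters (not W160/W189):
# p = 2^31 - 1 is prime and r = 331 divides p - 1, so mu_r is a subgroup of F_p^*.
from decimal import Decimal, getcontext
from math import isqrt

P_TOY, R_TOY = 2**31 - 1, 331

def pi_decimal(digits):
    """pi to `digits` decimal places, Machin: 16 atan(1/5) - 4 atan(1/239)."""
    getcontext().prec = digits + 10
    eps = Decimal(10) ** -(digits + 5)

    def atan_inv(n):  # atan(1/n) by its alternating Taylor series
        x = Decimal(1) / n
        term, total, k, sign = x, x, 1, 1
        while True:
            term, k, sign = term * x * x, k + 2, -sign
            if term / k < eps:
                return total
            total += sign * term / k

    return 16 * atan_inv(5) - 4 * atan_inv(239)

def pi_seed(p):
    """Largest l with s = floor(pi * 2^l) < p, and that s (the paper's seed)."""
    pi = pi_decimal(len(str(p)) + 10)
    ell = max(p.bit_length() - 3, 0)  # pi * 2^(bits-3) < 2^(bits-1) <= p, so valid
    while int(pi * (1 << (ell + 1))) < p:
        ell += 1
    return ell, int(pi * (1 << ell))

def ffdlp_target(p, r):
    """h = s^c mod p, c = (p-1)/r; h^r = s^(p-1) = 1, so h lies in mu_r."""
    assert (p - 1) % r == 0, "r must divide p - 1 (embedding degree 1)"
    ell, s = pi_seed(p)
    return ell, s, pow(s, (p - 1) // r, p)

def mu_r_generator(p, r):
    """Stand-in (assumption) for the paper's g = t(P, Q): any base^c != 1
    generates mu_r because r is prime."""
    c = (p - 1) // r
    for base in range(2, p):
        g = pow(base, c, p)
        if g != 1:
            return g

def bsgs(g, h, r, p):
    """Baby-step giant-step for y with g^y = h in the order-r subgroup."""
    m = isqrt(r) + 1
    baby, e = {}, 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * g % p
    step, gamma = pow(g, r - m, p), h  # step = g^(-m) since g^r = 1
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % p
    return None

def solve_toy():
    """Generate the toy instance and return (l, s, h, g, y) with g^y = h."""
    ell, s, h = ffdlp_target(P_TOY, R_TOY)
    g = mu_r_generator(P_TOY, R_TOY)
    return ell, s, h, g, bsgs(g, h, R_TOY, P_TOY)
```

With the paper's 319-bit $p_1$ and $r_1$, `ffdlp_target` computes $h_1$ by the same formula, but a 160-bit-order subgroup is far beyond BSGS and needs an index-calculus algorithm as used in the paper.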

Equipment
We describe the equipment used to solve the FFDLP instances. To solve FFDLP instances reduced from ECDLP instances of the W160 elliptic curves, we use one desktop PC with a Core i7-6700 (3.4) CPU. For the W189 elliptic curves, we use two desktop PCs with Core i7-6700 (3.4) and Core i7-4770 (3.4) CPUs. In these PCs, the size of the equipped random access memory is 32, and the operating system is Ubuntu 16.04. We use the mathematics software system Sage [51].

Solutions and calculation times of finite field discrete logarithm problems
We solved the FFDLP instances defined above. For the W160 and W189 elliptic curves, the calculation times to obtain the solutions are around 3 hours 45 minutes and 240 hours 4 minutes, respectively. Lists of the FFDLP instances and their solutions are given in the S1 and S2 Files of our supporting information. Additionally, we present a verification script in the S3 File.
According to the results of our demonstration, we conclude that the security and efficiency claims given by Wang et al. [35] are flawed, and all the elliptic curves described in the files [38,39] of their supporting information should not be used for cryptographic purposes.

Discussion
We have already shown that the FFDLP instances reduced from ECDLP instances of all the elliptic curves generated by Wang et al. [35] are practically solvable. In this section, we discuss why the security and efficiency claims given by Wang et al. [35] are flawed.
Wang et al. [35] presented a performance comparison of the reduced Tate pairing between their implementation on a W160 elliptic curve [38] and the implementation presented by Bertoni et al. [36]. Wang et al. [35] claimed that their implementation is faster than the latter. To revisit this comparison, we briefly introduce the implementation for embedded devices presented by Bertoni et al. [36]. Bertoni et al. [36,37] implemented a pairing defined over another elliptic curve whose embedding degree is 2, and this elliptic curve is defined over $\mathbb{F}_p$, where the bit length of $p$ is 512 bits. We denote this elliptic curve as B160. Now, we show the bit lengths of the orders $r$ and field orders $p^k$ of the W160, W189, and B160 elliptic curves in Table 1.
We consider the hardness of ECDLP and FFDLP of these elliptic curves based on state-of-the-art reports of hardness evaluation.
For ECDLP, Bernstein et al. [41] gave a state-of-the-art report on December 2nd 2016. They solved an ECDLP instance, where the bit length of order r is 117.35 bits. In general, the hardness of ECDLP strongly depends on the bit length of r. Therefore, solving ECDLP instances should be considered feasible if the bit length of r is less than 117.35 bits.
On the other hand, according to Grémy and Guillevic [53], state-of-the-art reports on solving FFDLP were given by Adrian et al. [54], Kleinjung et al. [50], Fried et al. [55], and Barbulescu et al. [49] on May 20th 2015, June 16th 2016, October 10th 2016, and April 29th 2015, respectively; they solved FFDLP instances over the finite fields $\mathbb{F}_p^*$ and $\mathbb{F}_{p^2}^*$, where the bit lengths of the field orders are 512 bits, 768 bits, 1024 bits, and 595 bits, respectively. In general, the hardness of FFDLP strongly depends on the bit length of $p^k$. Fried et al. [55] solved the FFDLP instance with the largest bit length; however, their technique is only applicable to certain finite fields with a special property, so this result is not relevant to the discussion of the hardness of the W160, W189, and B160 elliptic curves (and to the best of our knowledge, this property does not seem to be satisfied by these curves). Therefore, for embedding degrees $k = 1$ and $2$, solving FFDLP instances should be considered feasible if the bit length of $p^k$ is less than 768 bits. It is clear that FFDLP instances of the W160 and W189 elliptic curves [38,39] are practically solvable, while instances of B160 are not. In fact, we solved the FFDLP instances of the W160 and W189 elliptic curves [38,39], and this immediately implies that the performance comparison given by Wang et al. [35] is unfair. For a fair comparison, both ECDLP and FFDLP should be intractable, and the hardness of ECDLP and FFDLP should ideally be equal. To the best of our knowledge, to achieve the same hardness as B160 with the method of Wang et al. [35], the bit lengths of $r$ and $p$ should be at least 160 bits and 1023 bits, respectively, so that the resulting elliptic curve has almost the same FFDLP hardness as the B160 elliptic curve [36,37]. However, their method appears to output an elliptic curve where the bit length of the resulting $p$ is twice that of the resulting $r$.
Therefore, the bit length of $r$ should be around 512 bits, which is larger than for the B160 elliptic curve [36,37]. Both ECDLP and FFDLP defined over such an elliptic curve would be intractable, and its FFDLP hardness would be almost the same as that of B160 because the bit length of $p^k$ is almost the same. However, the resulting elliptic curve is defined over $\mathbb{F}_p$ with $p$ of around 1023 bits, which is larger than for B160 (recall that the B160 elliptic curve is defined over $\mathbb{F}_p$ where the bit length of $p$ is 512 bits, because its embedding degree is 2). Larger bit lengths of $p$ and $r$ generally cause efficiency loss. Therefore, at the same security level, the implementation of B160 [36,37] should be faster than implementations of elliptic curves generated by the method of Wang et al. [35].
From the discussions and considerations above, we conclude that there is no merit in the method proposed by Wang et al. [35].

Conclusion
In this paper, we demonstrated that instances of finite field discrete logarithm problems derived from elliptic curves [38,39] are solvable in practice. These elliptic curves are generated by the method of Wang et al. [35]. In our demonstration, the instances were generated without knowing their solutions, and they were solved by using standard desktop PCs in reasonable time. The hardness of discrete logarithm problems is one of the most important bases of security; therefore, the elliptic curves described in [35,38,39] should not be used for cryptographic purposes. We also pointed out that the efficiency evaluation given by Wang et al. [35] is unfair. From our demonstrations and discussions, it is clear that the security and efficiency claims given by Wang et al. [35] are flawed.
Finally, we recommend that readers refer to the paper by Chatterjee et al. [24]. They presented careful and comprehensive discussions and proper constructions of pairing-based cryptographic schemes on elliptic curves whose embedding degree is 1, based on state-of-the-art results.

S1 File. List of inputs and solutions of FFDLP instances of 160 bits (W160) elliptic curves.
This file contains five integers $r_1$, $p_1$, $\ell_1$, $s_1$, and $h_1$, and ten sets of values $b$, $P$, $Q$, $g$, and $y$, where these symbols are defined as follows:
• $r_1$ is the order of each $E[r_1] \subset E(\mathbb{F}_{p_1})$.
• $p_1$ is the field order of the finite field $\mathbb{F}_{p_1}$ over which each $E$ is defined.
• $s_1 = \lfloor \pi \cdot 2^{\ell_1} \rfloor$, where $\pi$ is the ratio of a circle's circumference to its diameter.
• $b$ is a coefficient of the Weierstrass equation that defines each $E$.
• $P$ and $Q$ are contained in each $E[r_1]$.
Note that all of $p_1$, $r_1$, $b$, $P$, and $Q$ were generated by Wang et al. [35] and are described in the file [38]. (TXT)

S2 File. List of inputs and solutions of FFDLP instances of 189 bits (W189) elliptic curves.
This file contains five integers $r_2$, $p_2$, $\ell_2$, $s_2$, and $h_2$, and ten sets of values $b$, $P$, $Q$, $g$, and $y$, where these symbols are defined as follows:
• $r_2$ is the order of each $E[r_2] \subset E(\mathbb{F}_{p_2})$.
• $p_2$ is the field order of the finite field $\mathbb{F}_{p_2}$ over which each $E$ is defined.
• $s_2 = \lfloor \pi \cdot 2^{\ell_2} \rfloor$, where $\pi$ is the ratio of a circle's circumference to its diameter.
• $b$ is a coefficient of the Weierstrass equation that defines each $E$.
• $P$ and $Q$ are contained in each $E[r_2]$.
Note that all of $p_2$, $r_2$, $b$, $P$, and $Q$ were generated by Wang et al. [35] and are described in the file [39]. (TXT)

S3 File. Sage script for verification. This Sage script verifies our results described in the S1 and S2 Files. (SAGE)