On Finding Secure Domain Parameters Resistant to Cheon's Algorithm

Abstract

In the literature, many cryptosystems have been proposed to be secure under the Strong Diffie-Hellman (SDH) and related problems. For example, there is a cryptosystem that is based on the SDH/related problem or allows the Diffie-Hellman oracle. If the cryptosystem employs general domain parameters, this leads to a significant security loss caused by Cheon's algorithm [14], [15]. However, all elliptic curve domain parameters explicitly recommended in the standards (e.g., ANSI X9.62/63 [1], [2], FIPS PUB 186-4 [43], SEC 2 [50], [51]) are susceptible to Cheon's algorithm [14], [15]. In this paper, we first prove that (q-1)(q+1) is always divisible by 24 for any prime order q>3. Based on this result and depending on small divisors d₁,d₂≤(log q)², we classify primes q>3, such that both (q-1)/d₁ and (q+1)/d₂ are primes, into Perfect, Semiperfect, SEC1v2 and Acceptable. Then, we describe algorithmic procedures and show their simulation results of secure elliptic curve domain parameters over prime/character 2 finite fields resistant to Cheon's algorithm [14], [15]. Also, several examples of the secure elliptic curve domain parameters (including Perfect or Semiperfect prime q) are followed.