Weak instances of composite order protocols

In pairing-based cryptography, the security of protocols using composite order groups relies on the di culty of factoring a composite number N . Boneh et al proposed the Cocks-Pinch method to construct ordinary pairing-friendly elliptic curves having a subgroup of composite order N . Displaying such a curve as a public parameter implies revealing a square root of the complex multiplication discriminant −D modulo N . We exploit this information leak and the structure of the endomorphism ring of the curve to factor the RSA modulus, by computing a square root λ of −D modulo one of its factors. Our attack is based on a generic discrete logarithm algorithm. We recommend that λ should be chosen as a high entropy input parameter when running the Cocks-Pinch algorithm, in order to ensure protection from our attack.