Results 11 - 20 of 367
Certificate-Based Encryption and the Certificate Revocation Problem
, 2003
Cited by 88 (0 self)
We introduce the notion of certificate-based encryption. In this model, a certificate -- or, more generally, a signature -- acts not only as a certificate but also as a decryption key. To decrypt a message, a keyholder needs both its secret key and an up-to-date certificate from its CA (or a signature from an authorizer). Certificate-based encryption combines the best aspects of identity-based encryption (implicit certification) and public key encryption (no escrow). We demonstrate how certificate-based encryption can be used to construct an efficient PKI requiring less infrastructure than previous proposals, including Micali's Novomodo, Naor-Nissim and Aiello-Lodha-Ostrovsky.
Efficient implementation of pairing-based cryptosystems
 Journal of Cryptology
, 2004
An efficient signature scheme from bilinear pairings and its applications
 PKC 2004
, 2004
Cited by 76 (12 self)
... a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on BLS signature scheme were proposed. BLS short signature needs a special hash function [6, 1, 8]. This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that, unlike BLS, uses general cryptographic hash functions such as SHA-1 or MD5, and does not require special hash functions. Furthermore, the scheme requires less pairing operations than BLS scheme and so is more efficient than BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.
Multipurpose Identity-Based Signcryption: A Swiss Army Knife for Identity-Based Cryptography
 In Proc. CRYPTO 2003
, 2003
Cited by 72 (2 self)
Identity-Based (IB) cryptography is a rapidly emerging approach to public-key cryptography that does not require principals to pre-compute key pairs and obtain certificates for their public keys -- instead, public keys can be arbitrary identifiers such as email addresses, while private keys are derived at any time by a trusted private key generator upon request by the designated principals. Despite the flurry of recent results on IB encryption and signature, some questions regarding the security and efficiency of practicing IB encryption (IBE) and signature (IBS) as a joint IB signature/encryption (IBSE) scheme with a common set of parameters and keys, remain unanswered.
Location-based compromise-tolerant security mechanisms for wireless sensor networks
 IEEE J. Sel. Areas Commun
, 2006
Cited by 63 (10 self)
Node compromise is a serious threat to wireless sensor networks deployed in unattended and hostile environments. To mitigate the impact of compromised nodes, we propose a suite of location-based compromise-tolerant security mechanisms. Based on a new cryptographic concept called pairing, we propose the notion of location-based keys (LBKs) by binding private keys of individual nodes to both their IDs and geographic locations. We then develop an LBK-based neighborhood authentication scheme to localize the impact of compromised nodes to their vicinity. We also present efficient approaches to establish a shared key between any two network nodes. In contrast to previous key establishment solutions, our approaches feature nearly perfect resilience to node compromise, low communication and computation overhead, low memory requirements, and high network scalability. Moreover, we demonstrate the efficacy of LBKs in counteracting several notorious attacks against sensor networks. Finally, we propose a location-based threshold-endorsement scheme, called LTE, to thwart the infamous bogus data injection attack, in which adversaries inject lots of bogus data into the network. The utility of LTE in achieving remarkable energy savings is validated by detailed performance evaluation. Index Terms: Wireless sensor networks, security, compromise tolerance, location, pairing.
An efficient signature-based scheme for securing network coding against pollution attacks
 In Proceedings of INFOCOM 08
, 2008
Cited by 63 (1 self)
Network coding provides the possibility to maximize network throughput and receives various applications in traditional computer networks, wireless sensor networks and peer-to-peer systems. However, the applications built on top of network coding are vulnerable to pollution attacks, in which the compromised forwarders can inject polluted or forged messages into networks. Existing schemes addressing pollution attacks either require an extra secure channel or incur high computation overhead. In this paper, we propose an efficient signature-based scheme to detect and filter pollution attacks for the applications adopting linear network coding techniques. Our scheme exploits a novel homomorphic signature function to enable the source to delegate its signing authority to forwarders, that is, the forwarders can generate the signatures for their output messages without contacting the source. This nice property allows the forwarders to verify the received messages, but prohibit them from creating the valid signatures for polluted or forged ones. Our scheme does not need any extra secure channels, and can provide source authentication and batch verification. Experimental results show that it can improve computation efficiency up to ten times compared to some existing one. In addition, we present an alternate lightweight scheme based on a much simpler linear signature function. This alternate scheme provides a tradeoff between computation efficiency and security.
Constructing Elliptic Curves with Prescribed Embedding Degrees
, 2002
Cited by 62 (17 self)
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
On the Selection of Pairing-Friendly Groups
, 2003
Cited by 56 (13 self)
We propose a simple algorithm to select group generators suitable for pairing-based cryptosystems. The selected parameters are shown to favor implementations of the Tate pairing that are at once conceptually simple and very efficient, with an observed performance about 2 to 10 times better than previously reported implementations.
Efficient and generalized pairing computation on Abelian varieties
, 2008
Cited by 54 (3 self)
In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the R-ate pairing. This pairing is a generalization of the Ate and Ate_i pairing, and also improves efficiency of the pairing computation. Using the R-ate pairing, the loop length in Miller's algorithm can be as small as $\log(r^{1/\varphi(k)})$ for some pairing-friendly elliptic curves which have not reached this lower bound. Therefore we obtain from 29% to 69% savings in overall costs compared to the Ate_i pairing. On supersingular hyperelliptic curves of genus 2, we show that this approach makes the loop length in Miller's algorithm shorter than that of the Ate pairing.
Secret Handshakes from CA-Oblivious Encryption
, 2004
Cited by 54 (6 self)
Secret handshake protocols were recently introduced [1] to allow members of the same group to authenticate each other secretly, in the sense that someone who is not a group member cannot tell, by engaging some party in the handshake protocol, whether that party is a member of this group. On the other hand, any two parties who are members of the same group will recognize each other as members. Thus, a secret handshake protocol can be used in any scenario where group members need to identify each other without revealing their group affiliations to outsiders.