Results 1  10
of
79
Efficient algorithms for pairingbased cryptosystems
, 2002
"... We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger ch ..."
Abstract

Cited by 367 (24 self)
 Add to MetaCart
We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairingbased cryptography.
Implementing Tate Pairing
 IN ALGORITHMIC NUMBER THEORY SYMPOSIUM
, 2002
"... The Weil and Tate pairings have found several new applications in cryptography. To efficiently implement these cryptosystems it is necessary to optimise the computation time for the Tate pairing. This paper provides methods to achieve fast computation of the Tate pairing. We also give divisionfre ..."
Abstract

Cited by 171 (5 self)
 Add to MetaCart
(Show Context)
The Weil and Tate pairings have found several new applications in cryptography. To efficiently implement these cryptosystems it is necessary to optimise the computation time for the Tate pairing. This paper provides methods to achieve fast computation of the Tate pairing. We also give divisionfree formulae for point tripling on a family of elliptic curves in characteristic three. Examples of the running time for these methods are given.
Tate Pairing Implementation for Hyperelliptic Curves y2 xp xþ d
 Advances in Cryptology— Proc. ASIACRYPT ’03
, 2003
"... Abstract. The Weil and Tate pairings have been used recently to build new schemes in cryptography. It is known that the Weil pairing takes longer than twice the running time of the Tate pairing. Hence it is necessary to develop more efficient implementations of the Tate pairing for the practical ap ..."
Abstract

Cited by 98 (5 self)
 Add to MetaCart
(Show Context)
Abstract. The Weil and Tate pairings have been used recently to build new schemes in cryptography. It is known that the Weil pairing takes longer than twice the running time of the Tate pairing. Hence it is necessary to develop more efficient implementations of the Tate pairing for the practical application of pairing based cryptosystems. In 2002, Barreto et al. and Galbraith et al. provided new algorithms for the fast computation of the Tate pairing in characteristic three. In this paper, we give a closed formula for the Tate pairing on the hyperelliptic curve y2 = xp−x+d in characteristic p. This result improves the implementations in [BKLS02], [GHS02] for the special case p = 3. 1
An efficient signature scheme from bilinear pairings and its applications
 PKC 2004
, 2004
"... ... a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on BLS signature scheme were proposed. BLS short signature needs a special hash function [6, 1, 8]. This hash function is probabilistic and ..."
Abstract

Cited by 76 (12 self)
 Add to MetaCart
... a short signature scheme (BLS scheme) using bilinear pairing on certain elliptic and hyperelliptic curves. Subsequently numerous cryptographic schemes based on BLS signature scheme were proposed. BLS short signature needs a special hash function [6, 1, 8]. This hash function is probabilistic and generally inefficient. In this paper, we propose a new short signature scheme from the bilinear pairings that unlike BLS, uses general cryptographic hash functions such as SHA1 or MD5, and does not require special hash functions. Furthermore, the scheme requires less pairing operations than BLS scheme and so is more efficient than BLS scheme. We use this signature scheme to construct a ring signature scheme and a new method for delegation. We give the security proofs for the new signature scheme and the ring signature scheme in the random oracle model.
Multipurpose IdentityBased Signcryption  A Swiss Army Knife for IdentityBased Cryptography
 In Proc. CRYPTO 2003
, 2003
"... IdentityBased (IB) cryptography is a rapidly emerging approach to publickey cryptography that does not require principals to precompute key pairs and obtain certi cates for their public keysinstead, public keys can be arbitrary identi ers such as email addresses, while private keys are deri ..."
Abstract

Cited by 72 (2 self)
 Add to MetaCart
(Show Context)
IdentityBased (IB) cryptography is a rapidly emerging approach to publickey cryptography that does not require principals to precompute key pairs and obtain certi cates for their public keysinstead, public keys can be arbitrary identi ers such as email addresses, while private keys are derived at any time by a trusted private key generator upon request by the designated principals. Despite the urry of recent results on IB encryption and signature, some questions regarding the security and eciency of practicing IB encryption (IBE) and signature (IBS) as a joint IB signature/encryption (IBSE) scheme with a common set of parameters and keys, remain unanswered.
Identity Based Authenticated Key Agreement Protocols from Pairings
 In: Proc. 16th IEEE Security Foundations Workshop
, 2002
"... We investigate a number of issues related to identity based authenticated key agreement protocols in the DiffieHellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private k ..."
Abstract

Cited by 67 (2 self)
 Add to MetaCart
(Show Context)
We investigate a number of issues related to identity based authenticated key agreement protocols in the DiffieHellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
Constructing Elliptic Curves with Prescribed Embedding Degrees
, 2002
"... Pairingbased cryptosystems depend on the existence of groups where the Decision DiffieHellman problem is easy to solve, but the Computational DiffieHellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but smal ..."
Abstract

Cited by 62 (17 self)
 Add to MetaCart
(Show Context)
Pairingbased cryptosystems depend on the existence of groups where the Decision DiffieHellman problem is easy to solve, but the Computational DiffieHellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
A New TwoParty IdentityBased Authenticated Key Agreement
 In proceedings of CTRSA 2005, LNCS 3376
, 2004
"... We present a new twoparty identitybased key agreement that is more e#cient than previously proposed schemes. It is inspired on a new identitybased key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mo ..."
Abstract

Cited by 61 (0 self)
 Add to MetaCart
(Show Context)
We present a new twoparty identitybased key agreement that is more e#cient than previously proposed schemes. It is inspired on a new identitybased key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mode. We also describe conditions under which users of di#erent Key Generation Centres can agree on a shared secret key. We give an overview of existing twoparty key agreement protocols, and compare our new scheme with existing ones in terms of computational cost and storage requirements.
Identitybased Key Agreement Protocols from Pairings
, 2006
"... In recent years, a large number of identitybased key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reve ..."
Abstract

Cited by 59 (5 self)
 Add to MetaCart
In recent years, a large number of identitybased key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a builtin decisional function in this type of protocols.
Compressed Pairings
 In Advances in cryptology – Crypto’2004
, 2004
"... Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit f ..."
Abstract

Cited by 45 (9 self)
 Add to MetaCart
Pairingbased cryptosystems rely on bilinear nondegenerate maps called pairings, such as the Tate and Weil pairings defined over certain elliptic curve groups. In this paper we show how to compress pairing values, how to couple this technique with that of point compression, and how to benefit from the compressed representation to speed up exponentiations involving pairing values, as required in many pairing based protocols.