## Security of an Identity-Based Cryptosystem and the Related Reductions (1998)

Venue: | In Advances in Cryptology, Eurocrypt'98, LNCS 1403 |

Citations: | 6 - 0 self |

### BibTeX

@INPROCEEDINGS{Okamoto98securityof,

author = {Tatsuaki Okamoto and Shigenori Uchiyama},

title = {Security of an Identity-Based Cryptosystem and the Related Reductions},

booktitle = {In Advances in Cryptology, Eurocrypt'98, LNCS 1403},

year = {1998},

pages = {546--560},

publisher = {Springer Verlag}

}

### OpenURL

### Abstract

Abstract. Recently an efficient solution to the discrete logarithm prob-lem on elliptic curves over F, with p points (p: prime), so-called anorna-lous curues, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., 0(lpl3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibil-ity of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key-distribution) which has been proven to be as secure as a prim-itive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q are primes) where Ep and E, are anoma-lous curves (anomalous En-Diffie-Hellman problem). Unfortunately we have found that the anomalous En-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous En-Diffie-Hellman problem is not se-cure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order ’ of an el-liptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing elliptic curve’s order.) The algorithm of breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: En in our system is a very specific curve such that the order of En (i.e., n) is trivially known.

### Citations

2966 | Hellman: New Directions in Cryptography
- Diffie, Martin
- 1976
(Show Context)
Citation Context ...an elliptic curve, En, over Z/nZ [5]. Hence our Reduction 2 corresponds to the KK reduction. In addition Reduction 1 corresponds to the reduction as a variant of the KK reduction described in Remarks =-=(3)-=-, in [5]. Both the KK reduction and our Reduction 2 work for non-negligible fractions of #En. The difference between these reductions are the failure cases of reduction. The KK reduction does not work... |

884 | How to Prove Yourself: Practical Solutions of Identification and Signature Problems - Fiat, Shamir - 1987 |

799 |
Identity-based cryptosystems and signature schemes
- Shamir
- 1985
(Show Context)
Citation Context ...ealize an identity-based cryptosystem (key-distribution). In 1984, Shamir proposed a new concept, identity-based cryptosystem, to solve the authentication problem of standard public-key cryptosystems =-=[15]-=-. Here the authentication problem is: a public-key file managed by a trusted authority or authority’s certificates of public-keys should be employed in order to check the validity of public-keys (i.e.... |

250 | Optimal asymmetric encryption
- Bellare, Rogaway
- 1995
(Show Context)
Citation Context ..., while it is easy by using a secret key (trapdoor key). One of the possible candidates to solve the problem is: a pair of primes, (p, q), is a secret key, and n = pq is the corresponding public-key. =-=(1)-=- the discrete * This is an updated version. The original version accepted to the conference had a security weakness. * We define the order of an elliptic curve, En, over Z/nZ by lcm(#E,,#E,), where n ... |

225 | Riemann’s hypothesis and test for primality - Miller - 1976 |

184 |
Elliptic curves over finite fields and the computation of square roots mod p
- Schoof
- 1985
(Show Context)
Citation Context ... knowing (p,q)), which, given (En, n, k), computes @(En) with non-negligible probability. M obtains elliptic curves Ep and E, such that En = [EP,Eq]. M computes #Ep, #E, with using Schoof’s algorithm =-=[13]-=-, whose running time is of the order of polynomial. So, MAdv can compute @(En) = Icm(#E,,#E,) with non-negligible probability. (If) Let assume that the elliptic curve order problem is not intractable.... |

171 | A New Public-Key Cryptosystem as Secure as Factoring - Okamoto, Uchiyama - 1998 |

93 | The Discrete Logarithm Problem on Elliptic Curves of Trace one
- Smart
- 1999
(Show Context)
Citation Context .... Recently an efficient solution to the discrete logarithm problem on elliptic curves over F, with p points (p: prime), so-called anornalous curues, was independently discovered by Semaev [14], Smart =-=[17]-=-, and Satoh and Araki [12]. Since the solution is very efficient, i.e., 0(lpl3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarith... |

79 |
Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves
- Satoh, Araki
- 1998
(Show Context)
Citation Context ...lution to the discrete logarithm problem on elliptic curves over F, with p points (p: prime), so-called anornalous curues, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki =-=[12]-=-. Since the solution is very efficient, i.e., 0(lpl3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarithm problem, and we have tri... |

44 | Non-interective public-key cryptography - Maurer, Yacobi - 1992 |

37 |
A new elliptic curve based analogue of RSA
- Demytko
(Show Context)
Citation Context ...- 1) * y) = ( p - l)Ap E Epz(Z/p2Z). 3. Compute XEpZ(a) as follows: 2.3 Addition Formula with 2-coordinates Here we show an addition formula only with 2-coordinates, based on the division polynomials =-=[2]-=-. For E(F,) ((up,bp) be the parameters of E(Fp)), P = (xp,yp), and (i*z,,i* yp) = iP, if i * yp $0 (mod p), then ((i * x ~ - ) up)2 ~ - 8bp(i * 'cp) 2i*xp = mod p. 4((i * XP)3 + ap(i * XP) + bp) In ad... |

31 | A non-interactive public-key distribution system - Maurer, Yacobi - 1996 |

12 |
Evaluation of discrete logarithms on some elliptic curves
- Semaev
(Show Context)
Citation Context ....jp Abstract. Recently an efficient solution to the discrete logarithm problem on elliptic curves over F, with p points (p: prime), so-called anornalous curues, was independently discovered by Semaev =-=[14]-=-, Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., 0(lpl3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discr... |

6 | Random equivalence of factorization and computation of orders, Princeton - Long - 1981 |

4 | Elliptic curves over F p suitable for cryptosystems - Miyaji - 1993 |

3 |
Equivalent of Counting the Number of Points on Elliptic Curve over the Ring Zn and Factoring n
- Kunihiro, Koyama
- 1998
(Show Context)
Citation Context ... the Euler function 4(n) [9, 61. Kunihiro and Koyama have recently presented the reduction (say the “KK reduction”) of the factoring problem to computing the order of an elliptic curve, En, over Z/nZ =-=[5]-=-. Hence our Reduction 2 corresponds to the KK reduction. In addition Reduction 1 corresponds to the reduction as a variant of the KK reduction described in Remarks (3), in [5]. Both the KK reduction a... |

1 |
The Arithmetic of Elliptic Curves, GTMlO6
- Silverman
- 1986
(Show Context)
Citation Context ...ns (2, y) E Ii' x K to the equation E : y2=z3+az+b (a,bEIi,4a3+27b2#O), together with a special point O,, called the point at infinity. The set forms a finite Abelian group, and the group law formula =-=[16]-=-(usually we call it the addition, and use the notation +) is defined over the points on I<. Let p be a prime (p > 5), and F, be a finite field with p elements. Now, let #E(F,) be the number of points ... |