Results 1-10 of 34
Pairings for Cryptographers
IN PREPARATION, 2006
Abstract

Cited by 104 (7 self)
Many research papers in pairing-based cryptography treat pairings as a "black box". These papers build cryptographic schemes making use of various properties of pairings. If this approach is taken, then it is easy for authors to make invalid assumptions concerning the properties of pairings. The cryptographic schemes developed may not be realizable in practice, or may not be as efficient as the authors assume.
Identity-based Key Agreement Protocols from Pairings
2006
Abstract

Cited by 59 (5 self)
In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocols.
Efficient and provably-secure identity-based signatures and signcryption from bilinear maps
Advances in Cryptology – ASIACRYPT’05, Lecture Notes in Computer Science 3778, 2005
Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
In ACISP 2006, 2006
Abstract

Cited by 32 (4 self)
We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies “direct chosen-ciphertext techniques” to Waters’ chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Abstract

Cited by 27 (3 self)
Asymmetric pairings e: G1 × G2 → GT for which an efficiently-computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
On constructing certificateless cryptosystems from identity based encryption
In PKC 2006, 2006
Abstract

Cited by 24 (0 self)
Certificateless cryptography (CL-PKC) is a concept that aims at enjoying the advantages of identity based cryptography without suffering from its inherent key escrow. Several methods were recently suggested to generically construct a certificateless encryption (CLE) scheme by combining identity based schemes with ordinary public key cryptosystems. Whilst the security of one of these generic compositions was proved in a relaxed security model, we show that all of them are insecure against chosen-ciphertext attacks in the strongest model of Al-Riyami and Paterson. We show how to easily fix these problems and give a method to achieve generic CLE constructions which are provably CCA-secure in the random oracle model. We finally propose a new efficient pairing-based scheme that performs better than previous proposals without precomputation. We also prove its security in the random oracle model.
Efficient Selective Identity-based Encryption
In Proc. of CRYPTO '88, LNCS 403, 1990
Abstract

Cited by 22 (4 self)
We construct two efficient Identity-Based Encryption (IBE) systems that admit selective-identity security reductions without random oracles in groups equipped with a bilinear map. Selective-identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in an adaptive-identity attack the adversary is allowed to choose this identity adaptively. Our first system—BB1—is based on the well studied decisional bilinear Diffie-Hellman assumption, and extends naturally to systems with hierarchical identities, or HIBE. Our second system—BB2—is based on a stronger assumption which we call the Bilinear Diffie-Hellman Inversion assumption and provides another approach to building IBE systems. Our first system, BB1, is very versatile and well suited for practical applications: the basic hierarchical construction can be efficiently secured against chosen-ciphertext attacks, and further extended to support efficient non-interactive threshold decryption, among others, all without using random oracles. Both systems, BB1 and BB2, can be modified generically to provide “full” IBE security (i.e., against adaptive-identity attacks), either using random oracles, or in the standard model at the expense of a non-polynomial but easy-to-compensate security reduction.
An Efficient ID-KEM Based On The Sakai-Kasahara Key Construction
IEE Proceedings of Information Security, 2006
Abstract

Cited by 15 (3 self)
Sakai et al. in 2000 produced a method of constructing identity based public/private key pairs using pairings on elliptic curves. In 2001, using the same key construction as Sakai et al., Boneh and Franklin presented the first efficient and provably secure identity-based encryption scheme. In 2003 Sakai and Kasahara proposed another method of constructing identity based keys, also using pairings, which has the potential to improve performance. Later, Chen and Cheng gave a provably secure identity based scheme using this second construction. Both the Boneh–Franklin scheme and the scheme based on the second construction are not true hybrid encryption schemes in the tradition of the public key KEM/DEM approach. To address this issue, Bentahar et al. extended the idea of key encapsulation mechanism to the identity based setting and presented three constructions in line with the original Sakai et al. method of constructing identity based keys. In this paper we present another ID-KEM based on the second method of constructing identity based keys and prove its security. The new scheme has a number of advantages over all previous ID-based encryption schemes.
On Security Proof of McCullagh-Barreto's Key Agreement Protocol and its Variants
International Journal of Security and Networks, 2005
Abstract

Cited by 14 (4 self)
McCullagh and Barreto presented an identity-based authenticated key agreement protocol in CT-RSA 2005. Their protocol was found to be vulnerable to a key-compromise impersonation attack. In order to recover the weakness, McCullagh and Barreto, and Xie proposed two variants of the protocol respectively. In each of these works, a security proof of the proposed protocol was presented. In this paper, we revisit these three security proofs and show that all the reductions in these proofs are invalid, because the property of indistinguishability between their simulation and the real world does not hold. As a replacement, we present a new reduction for the McCullagh and Barreto modified protocol in the weaker Bellare-Rogaway key agreement model. Our reduction is based on a new assumption, which is at least as weak as some well-explored assumptions in the literature.
Another Look at Tightness
Proceedings of Selected Areas in Cryptography (SAC’11), LNCS 7118, 2012
Abstract

Cited by 11 (3 self)
We examine a natural, but non-tight, reductionist security proof for deterministic message authentication code (MAC) schemes in the multi-user setting. If security parameters for the MAC scheme are selected without accounting for the non-tightness in the reduction, then the MAC scheme is shown to provide a level of security that is less than desirable in the multi-user setting. We find similar deficiencies in the security assurances provided by non-tight proofs when we analyze some protocols in the literature, including ones for network authentication and aggregate MACs. Our observations call into question the practical value of non-tight reductionist security proofs. We also exhibit attacks on authenticated encryption schemes, disk encryption schemes, and stream ciphers in the multi-user setting.