Results 11 - 20 of 71
Another look at non-standard discrete log and Diffie-Hellman problems
J. Math. Cryptology
Cited by 13 (3 self)
We examine several versions of the one-more-discrete-log and one-more-Diffie-Hellman problems. In attempting to evaluate their intractability, we find conflicting evidence of the relative hardness of the different problems. Much of this evidence comes from natural families of groups associated with curves of genus 2, 3, 4, 5, and 6. This leads to questions about how to interpret reductionist security arguments that rely on these non-standard problems.
Aspects of Pairing Inversion
Cited by 11 (1 self)
We discuss some applications of the pairing inversion problem and outline some potential approaches for solving it. Our analysis of these approaches gives further evidence that pairing inversion is a hard problem.
Enhanced privacy ID from bilinear pairing
2009
Cited by 11 (2 self)
Enhanced Privacy ID (EPID) is a cryptographic scheme that enables the remote authentication of a hardware device while preserving the privacy of the device. EPID can be seen as a direct anonymous attestation scheme with enhanced revocation capabilities. In EPID, a device can be revoked if the private key embedded in the hardware device has been extracted and published widely so that the revocation manager finds the corrupted private key. In addition, the revocation manager can revoke a device based on the signatures the device has signed, if the private key of the device is not known. In this paper, we introduce a new security notion of EPID including the formal definitions of anonymity and unforgeability with revocation. We also give a construction of an EPID scheme from bilinear pairing. Our EPID scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.
Towards Black-Box Accountable Authority IBE with Short Ciphertexts and Private Keys
2008
Cited by 10 (2 self)
At Crypto'07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously redistributes users' decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. In this work, we propose a new construction that combines the efficiency of Goyal's first proposal with a very simple weak black-box tracing mechanism. Our scheme is described in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes. Keywords. Identity-based encryption, traceability, efficiency.
Identity-Based Proxy Signature from Pairings
Cited by 10 (3 self)
A proxy signature scheme allows an entity to delegate its signing capability to another entity (proxy) in such a way that the proxy can sign messages on behalf of the delegator. Proxy signatures have found numerous practical applications such as distributed systems, mobile agent applications, etc. Recently, Xu, Zhang and Feng proposed the first formal models of identity based proxy signature. Unfortunately, their model does not capture the notion of adaptively chosen message and chosen identity attacker in identity based system. In this paper, we redefine the security models of identity based proxy signature to capture the most stringent attacks against adaptively chosen message and chosen identity attacker. We also propose a new provably secure identity based proxy signature scheme whose security is based on the hardness of the Computational Diffie-Hellman problem in the random oracle model.
A tapestry of identity-based encryption: practical frameworks compared
Int. J. Applied Cryptography
2008
Cited by 9 (0 self)
This paper surveys the practical benefits and drawbacks of several identity-based encryption schemes based on bilinear pairings. After providing some background on identity-based cryptography, we classify the known constructions into a handful of general approaches. We then describe efficient and fully-secure IBE and IB-KEM instantiations of each approach, with reducibility to practice as the main design parameter. Finally, we catalogue the strengths and weaknesses of each construction according to a few theoretical and many applied comparison criteria.
Boneh-Boyen signatures and the Strong Diffie-Hellman problem
Pairing-Based Cryptography — Pairing 2009, Lecture Notes in Computer Science
Cited by 9 (0 self)
The Boneh-Boyen signature scheme is a pairing based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in O(p^{2/5+ε}) time, using O(p^{1/5+ε}) signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard's lambda algorithm and Pollard's rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.
Universal designated verifier signatures without random oracles or non-black box assumptions
In SCN 06, volume 4116 of LNCS
2006
Cited by 8 (0 self)
Universal designated verifier signatures (UDVS) were introduced in 2003 by Steinfeld et al. to allow signature holders to monitor the verification of a given signature in the sense that any plain signature can be publicly turned into a signature which is only verifiable by some specific designated verifier. Privacy issues, like non-dissemination of digital certificates, are the main motivations to study such primitives. In this paper, we propose two fairly efficient UDVS schemes which are secure (in terms of unforgeability and anonymity) in the standard model (i.e. without random oracles). Their security relies on algorithmic assumptions which are much more classical than assumptions involved in the two only known UDVS schemes in standard model to date. The latter schemes, put forth by Zhang et al. in 2005 and Vergnaud in 2006, rely on the Strong Diffie-Hellman assumption and the strange-looking knowledge of exponent assumption (KEA). Our schemes are obtained from Waters's signature and they do not need the KEA assumption. They are also the first random oracle-free constructions with the anonymity property.
A Pairing-Based DAA Scheme Further Reducing TPM Resources
In TRUST'10: 3rd International Conference on Trust and Trustworthy Computing, volume 6101 of LNCS
2010
Cited by 8 (1 self)
Direct Anonymous Attestation (DAA) is an anonymous signature scheme designed for anonymous attestation of a Trusted Platform Module (TPM) while preserving the privacy of the device owner. Since TPM has limited bandwidth and computational capability, one interesting feature of DAA is to split the signer role between two entities: a TPM and a host platform where the TPM is attached. Recently, Chen proposed a new DAA scheme that is more efficient than previous DAA schemes. In this paper, we construct a new DAA scheme requiring even fewer TPM resources. Our DAA scheme is about 5 times more efficient than Chen's scheme for the TPM implementation using the Barreto-Naehrig curves. In addition, our scheme requires much smaller size of software code that needs to be implemented in the TPM. This makes our DAA scheme ideal for the TPM implementation. Our DAA scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.
Vector Commitments and their Applications
Cited by 7 (1 self)
We put forward the study of a new primitive that we call Vector Commitment (VC, for short). Informally, VCs allow to commit to an ordered sequence of q values (m_1, ..., m_q) in such a way that one can later open the commitment at specific positions (e.g., prove that m_i is the i-th committed message). For security, Vector Commitments are required to satisfy a notion that we call position binding which states that an adversary should not be able to open a commitment to two different values at the same position. Moreover, what makes our primitive interesting is that we require VCs to be concise, i.e. the size of the commitment string and of its openings has to be independent of the vector length. We show two realizations of VCs based on standard and well established assumptions, such as RSA, and Computational Diffie-Hellman (in bilinear groups). Next, we turn our attention to applications and we show that Vector Commitments are useful in a variety of contexts, as they allow for compact and efficient solutions which significantly improve previous works either in terms of efficiency of the resulting solutions, or in terms of "quality" of the underlying assumption, or both. These applications