Results 1 - 3 of 3
ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Cited by 4 (2 self)
Abstract. Asymmetric pairings e: G1 × G2 → GT for which an efficiently-computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
Practical Hybrid (Hierarchical) Identity-Based Encryption Schemes Based on the Decisional Bilinear Diffie-Hellman Assumption
Cited by 1 (0 self)
Abstract. At Eurocrypt 2005, Waters proposed an efficient identity-based encryption (IBE) scheme and its extension to a hierarchical IBE (HIBE). We describe a (H)IBE scheme which improves upon Waters' scheme by significantly reducing the size of the public parameters. The reduction is based on two ideas. The first idea involves partitioning n-bit identities into l-bit blocks while the second idea involves reusing public parameters over different levels of a HIBE. The basic HIBE scheme is CPA-secure and yields a (hierarchical identity-based) signature scheme. Modification of the basic HIBE scheme using ideas from the work of Boyen, Mei and Waters yields a CCA-secure hybrid HIBE scheme. Further, by appropriately using symmetric key authentication, we are able to eliminate costly pairing operations from the decryption algorithm. The protocols and the security arguments are recast in the most efficient pairing setting, i.e., the Type 3 setting. Using the asymmetric pairing setting leads to several variants of the basic protocol with associated trade-off in the ciphertext overhead and public parameter size. We also incorporate with a small improvement the probability analysis that was recently put forth by Bellare and Ristenpart to remove the need of “artificial abort” in the original security argument of Waters' IBE. For 80-bit or 128-bit security levels, the variants of the (H)IBE schemes that we obtain are currently the most efficient and practical among all other schemes which achieve similar security under a static assumption such as the hardness of decisional bilinear
On the Efficiency and Security of Pairing-Based Protocols in the Type 1 and Type 4 Settings
Cited by 1 (0 self)
Abstract. We focus on the implementation and security aspects of cryptographic protocols that use Type 1 and Type 4 pairings. On the implementation front, we report improved timings for Type 1 pairings derived from supersingular elliptic curves in characteristic 2 and 3 and the first timings for supersingular genus-2 curves in characteristic 2 at the 128-bit security level. In the case of Type 4 pairings, our main contribution is a new method for hashing into G2 which makes the Type 4 setting almost as efficient as Type 3. On the security front, for some well-known protocols we discuss to what extent the security arguments are tenable when one moves to genus-2 curves in the Type 1 case. In Type 4, we observe that the Boneh-Shacham group signature scheme, the very first protocol for which the Type 4 setting was introduced in the literature, is trivially insecure, and we describe a small modification that appears to restore its security.

