Results 1  10
of
40
IdentityBased Encryption from the Weil Pairing
, 2001
"... We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic ..."
Abstract

Cited by 1138 (22 self)
 Add to MetaCart
We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 562 (29 self)
 Add to MetaCart
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
Selecting Cryptographic Key Sizes
 TO APPEAR IN THE JOURNAL OF CRYPTOLOGY, SPRINGERVERLAG
, 2001
"... In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter ..."
Abstract

Cited by 257 (6 self)
 Add to MetaCart
In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter settings, combined with existing data points about the cryptosystems.
Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
, 2002
"... An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verif ..."
Abstract

Cited by 237 (14 self)
 Add to MetaCart
An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message M i for i = 1; : : : ; n). In this paper we introduce the concept of an aggregate signature scheme, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M . Verifiably encrypted signatures are used in contractsigning protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.
Hierarchical IDBased Cryptography
, 2002
"... We present hierarchical identitybased encryption schemes and signature schemes that have total collusion resistance on an arbitrary number of levels and that have chosen ciphertext security in the random oracle model assuming the difficulty of the Bilinear DiffieHellman problem. ..."
Abstract

Cited by 187 (3 self)
 Add to MetaCart
We present hierarchical identitybased encryption schemes and signature schemes that have total collusion resistance on an arbitrary number of levels and that have chosen ciphertext security in the random oracle model assuming the difficulty of the Bilinear DiffieHellman problem.
Towards hierarchical identitybased encryption
 In Proceedings of Asiacrypt 2002, LNCS 2501
, 2002
"... Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated w ..."
Abstract

Cited by 110 (0 self)
 Add to MetaCart
Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated with primitive IDs (PIDs) that are arbitrary strings. A user’s public key consists of their PID and their domain’s PID (in whole called an address). In a regular IBE (which corresponds to a 1HIBE) scheme, there is only one PKG that distributes private keys to each user (whose public keys are their PID). In a 2HIBE, users retrieve their private key from their domain PKG. Domain PKGs can compute the private key of any user in their domain, provided they have previously requested their domain secret key from the root PKG (who possesses a master secret). We can go beyond two levels by adding subdomains, subsubdomains, and so on. We present a twolevel system with total collusion resistance at the upper (domain) level and partial collusion resistance at the lower (user) level, which has chosenciphertext security in the randomoracle model. 1
Efficient SelectiveID Secure Identity Based Encryption without Random Oracles
 Proceedings of Eurocrypt 2004, volume 3027 of LNCS
, 2004
"... We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to ..."
Abstract

Cited by 68 (9 self)
 Add to MetaCart
We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.
Separating Decision DiffieHellman from DiffieHellman in cryptographic groups
, 2001
"... In many cases, the security of a cryptographic scheme based on DiffieHellman does in fact rely on the hardness of... ..."
Abstract

Cited by 65 (0 self)
 Add to MetaCart
In many cases, the security of a cryptographic scheme based on DiffieHellman does in fact rely on the hardness of...
An Identity Based Authenticated Key Agreement Protocol Based on the Weil Pairing
 Electronics Letters
, 2001
"... We describe an ID based authenticated two pass key agreement protocol which makes use of the Weil pairing. The protocol is described and its properties are discussed including the ability to add key confirmation. ..."
Abstract

Cited by 61 (2 self)
 Add to MetaCart
We describe an ID based authenticated two pass key agreement protocol which makes use of the Weil pairing. The protocol is described and its properties are discussed including the ability to add key confirmation.
Applications of Multilinear Forms to Cryptography
 Contemporary Mathematics
, 2002
"... We study the problem of finding efficiently computable nondegenerate multilinear maps from G 1 to G 2 , where G 1 and G 2 are groups of the same prime order, and where computing discrete logarithms in G 1 is hard. We present several applications to cryptography, explore directions for building such ..."
Abstract

Cited by 51 (7 self)
 Add to MetaCart
We study the problem of finding efficiently computable nondegenerate multilinear maps from G 1 to G 2 , where G 1 and G 2 are groups of the same prime order, and where computing discrete logarithms in G 1 is hard. We present several applications to cryptography, explore directions for building such maps, and give some reasons to believe that finding examples with n > 2 may be difficult.