Efficient algorithms for pairing-based cryptosystems, 2002
Cited by 247 (23 self)
Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over F_{p^m}, the latter technique being also useful in contexts other than that of pairing-based cryptography.
An Identity-Based Signature from Gap Diffie-Hellman Groups - Public Key Cryptography - PKC 2003, LNCS 2139, 2002
Cited by 126 (4 self)
In this paper we propose an identity(ID)-based signature scheme using gap Diffie-Hellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model.
Constructing Elliptic Curves with Prescribed Embedding Degrees, 2002
Cited by 43 (15 self)
Pairing-based cryptosystems depend on the existence of groups where the Decision Diffie-Hellman problem is easy to solve, but the Computational Diffie-Hellman problem is hard. Such is the case of elliptic curve groups whose embedding degree is large enough to maintain a good security level, but small enough for arithmetic operations to be feasible. However, the embedding degree is usually enormous, and the scarce previously known suitable elliptic groups had embedding degree k <= 6. In this note, we examine criteria for curves with larger k that generalize prior work by Miyaji et al. based on the properties of cyclotomic polynomials, and propose efficient representations for the underlying algebraic structures.
Building curves with arbitrary small MOV degree over finite prime fields - J. Cryptology, 2002
Cited by 27 (2 self)
We present a fast algorithm for building ordinary elliptic curves over finite prime fields having arbitrary small MOV degree. The elliptic curves are obtained using complex multiplication by any desired discriminant.
Authenticated Three Party Key Agreement Protocols from Pairings, 2002
Cited by 20 (2 self)
This paper takes the pairing-based tripartite key agreement protocol of Joux and develops it to produce three-party key agreement protocols offering additional security properties. We present a number of tripartite, one round, authenticated protocols related to the MTI and MQV protocols. We also present pass-optimal authenticated and key confirmed tripartite protocols that generalise the station-to-station protocol.
ID-Based One Round Authenticated Tripartite Key Agreement Protocol with Pairings, 2002
Cited by 15 (2 self)
With various applications of Weil pairing (Tate pairing) to cryptography, ID-based encryption schemes, digital signature schemes, blind signature scheme, two-party authenticated key agreement schemes, and tripartite key agreement scheme were proposed recently, all of them using bilinear pairing (Weil or Tate pairing). In this paper, we propose an ID-based one round authenticated tripartite key agreement protocol.
Practical Non-Interactive Key Distribution Based on Pairings - Proceedings of the International Workshop on Coding and Cryptography (WCC, 2002
Cited by 9 (0 self)
We propose a practical non-interactive key distribution protocol based on pairings and define a notion of security for such a scheme. We prove the security of the system in this setting under the GDBH assumption, and present some possible realisations using Weil or Tate pairings on supersingular and ordinary elliptic curves.
Tate-Pairing Implementations for Tripartite Key Agreement, 2003
Cited by 4 (0 self)
We give a closed formula for the Tate-pairing on the hyperelliptic curve y x + d in characteristic p. This improves recent implementations by Barreto et al. and by Galbraith et al. for the special case p = 3. As an application, we propose a n-round key agreement protocol for up to participants by extending Joux's pairing-based protocol to n rounds.
On the Plausible Deniability Feature of Internet Protocols, 2002
Cited by 4 (1 self)
We present an examination of a design feature named "plausible deniability" which has been widely adopted in key exchange protocols, in particular, in IKEv2 and in signature-based modes of IKE. We expose an authentication flaw in these modes of IKE and IKEv2 which is due in part to the presence of this plausible deniability feature. The flaw is also present in the protocols SIGMA [18] and #0 , #1 [6] from which IKEv2 and parts of IKE have evolved. Although minor, the flaw opens up the possibility of more serious denial of service attacks on IKE and IKEv2. We show how the flaw can very easily be removed from all these protocols. We then introduce new notions of deniability that are stronger than those possessed by today's key exchange protocols and show how these levels of deniability can be attained by using identity-based techniques. As a corollary, we demonstrate several more methods for fixing the authentication flaw in IKE and IKEv2 while at the same time actually improving the deniability properties of the protocols.
A universal forgery of Hess's second ID-based signature against the known-message attack, 2002
Cited by 2 (0 self)
In this paper we propose a universal forgery attack of Hess's second ID-based signature scheme against the known-message attack.

