Results 1 
6 of
6
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 560 (31 self)
 Add to MetaCart
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
Efficient algorithms for pairingbased cryptosystems
, 2002
"... Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in ..."
Abstract

Cited by 291 (23 self)
 Add to MetaCart
Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairingbased cryptography. 1
Towards hierarchical identitybased encryption
 In Proceedings of Asiacrypt 2002, LNCS 2501
, 2002
"... Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated w ..."
Abstract

Cited by 109 (0 self)
 Add to MetaCart
Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated with primitive IDs (PIDs) that are arbitrary strings. A user’s public key consists of their PID and their domain’s PID (in whole called an address). In a regular IBE (which corresponds to a 1HIBE) scheme, there is only one PKG that distributes private keys to each user (whose public keys are their PID). In a 2HIBE, users retrieve their private key from their domain PKG. Domain PKGs can compute the private key of any user in their domain, provided they have previously requested their domain secret key from the root PKG (who possesses a master secret). We can go beyond two levels by adding subdomains, subsubdomains, and so on. We present a twolevel system with total collusion resistance at the upper (domain) level and partial collusion resistance at the lower (user) level, which has chosenciphertext security in the randomoracle model. 1
Unique signatures and verifiable random functions from the DHDDH separation
 Proceedings of Crypto 2002, volume 2442 of LNCS
, 2002
"... Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hardtocompute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing ..."
Abstract

Cited by 48 (4 self)
 Add to MetaCart
Abstract. A unique signature scheme has the property that a signature σPK(m) is a (hardtocompute) function of the public key PK and message m, for all, even adversarially chosen, PK. Unique signatures, introduced by Goldwasser and Ostrovsky, have been shown to be a building block for constructing verifiable random functions. Another useful property of unique signatures is that they are stateless: the signer does not need to update his secret key after an invocation. The only previously known construction of a unique signature in the plain model was based on the RSA assumption. The only other previously known provably secure constructions of stateless signatures were based on the Strong RSA assumption. Here, we give a construction of a unique signature scheme based on a generalization of the DiffieHellman assumption in groups where decisional DiffieHellman is easy. Several recent results suggest plausibility of such groups. We also give a few related constructions of verifiable random functions (VRFs). VRFs, introduced by Micali, Rabin, and Vadhan, are objects that combine the properties of pseudorandom functions (i.e. indistinguishability from random even after querying) with the verifiability property. Prior to our work, VRFs were only known to exist under the RSA assumption.
Elliptic Curves Suitable for Pairing Based Cryptography
 Designs, Codes and Cryptography
, 2003
"... We give a method for constructing ordinary elliptic curves over finite prime field Fp with small security parameter k with respect to a prime l dividing the group order #E(Fp) such that p << l² ..."
Abstract

Cited by 46 (1 self)
 Add to MetaCart
We give a method for constructing ordinary elliptic curves over finite prime field Fp with small security parameter k with respect to a prime l dividing the group order #E(Fp) such that p << l²
On Small Characteristic Algebraic Tori in PairingBased Cryptography
, 2004
"... The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmet ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
The output of the Tate pairing on an elliptic curve over a nite eld is an element in the multiplicative group of an extension eld modulo a particular subgroup. One ordinarily powers this element to obtain a unique representative for the output coset, and performs any further necessary arithmetic in the extension eld. Rather than an obstruction, we show to the contrary that one can exploit this quotient group to eliminate the nal powering, to speed up exponentiations and to obtain a simple compression of pairing values which is useful during interactive identitybased cryptographic protocols. Speci cally we demonstrate that methods available for fast point multiplication on elliptic curves such as mixed addition, signed digit representations and Frobenius expansions, all transfer easily to the quotient group, and provide a signi cant improvement over the arithmetic of the extension eld.