Results 1  10
of
65
IdentityBased Encryption from the Weil Pairing
, 2001
"... We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic ..."
Abstract

Cited by 1123 (24 self)
 Add to MetaCart
We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Selecting Cryptographic Key Sizes
 TO APPEAR IN THE JOURNAL OF CRYPTOLOGY, SPRINGERVERLAG
, 2001
"... In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter ..."
Abstract

Cited by 253 (6 self)
 Add to MetaCart
In this article we offer guidelines for the determination of key sizes for symmetric cryptosystems, RSA, and discrete logarithm based cryptosystems both over finite fields and over groups of elliptic curves over prime fields. Our recommendations are based on a set of explicitly formulated parameter settings, combined with existing data points about the cryptosystems.
Towards hierarchical identitybased encryption
 In Proceedings of Asiacrypt 2002, LNCS 2501
, 2002
"... Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated w ..."
Abstract

Cited by 109 (0 self)
 Add to MetaCart
Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated with primitive IDs (PIDs) that are arbitrary strings. A user’s public key consists of their PID and their domain’s PID (in whole called an address). In a regular IBE (which corresponds to a 1HIBE) scheme, there is only one PKG that distributes private keys to each user (whose public keys are their PID). In a 2HIBE, users retrieve their private key from their domain PKG. Domain PKGs can compute the private key of any user in their domain, provided they have previously requested their domain secret key from the root PKG (who possesses a master secret). We can go beyond two levels by adding subdomains, subsubdomains, and so on. We present a twolevel system with total collusion resistance at the upper (domain) level and partial collusion resistance at the lower (user) level, which has chosenciphertext security in the randomoracle model. 1
Supersingular curves in cryptography
, 2001
"... Frey and Rück gave a method to map the discrete logarithm problem in the divisor class group of a curve over ¢¡ into a finite field discrete logarithm problem in some extension. The discrete logarithm problem in the divisor class group can therefore be solved as long ¥ as is small. In the elliptic ..."
Abstract

Cited by 88 (9 self)
 Add to MetaCart
Frey and Rück gave a method to map the discrete logarithm problem in the divisor class group of a curve over ¢¡ into a finite field discrete logarithm problem in some extension. The discrete logarithm problem in the divisor class group can therefore be solved as long ¥ as is small. In the elliptic curve case it is known that for supersingular curves one ¥§¦© ¨ has. In this paper curves of higher genus are studied. Bounds on the possible values ¥ for in the case of supersingular curves are given. Ways to ensure that a curve is not supersingular are also given. 1.
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
"... Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the secur ..."
Abstract

Cited by 77 (2 self)
 Add to MetaCart
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256bit AES keys. In this paper we examine the implications of heightened security needs for pairingbased cryptosystems. We first describe three different reasons why highsecurity users might have concerns about the longterm viability of these systems. However, in our view none of the risks inherent in pairingbased systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
Efficient noninteractive proof systems for bilinear groups
 In EUROCRYPT 2008, volume 4965 of LNCS
, 2008
"... Noninteractive zeroknowledge proofs and noninteractive witnessindistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that noninteractive zeroknow ..."
Abstract

Cited by 70 (5 self)
 Add to MetaCart
Noninteractive zeroknowledge proofs and noninteractive witnessindistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that noninteractive zeroknowledge proofs have been constructed for general NPcomplete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient noninteractive zeroknowledge proofs and noninteractive witnessindistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides noninteractive witnessindistinguishable proofs and noninteractive zeroknowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of noninteractive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
Identity Based Authenticated Key Agreement Protocols from Pairings
 In: Proc. 16th IEEE Security Foundations Workshop
, 2002
"... We investigate a number of issues related to identity based authenticated key agreement protocols in the DiffieHellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private k ..."
Abstract

Cited by 48 (2 self)
 Add to MetaCart
We investigate a number of issues related to identity based authenticated key agreement protocols in the DiffieHellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
A New TwoParty IdentityBased Authenticated Key Agreement
 In proceedings of CTRSA 2005, LNCS 3376
, 2004
"... We present a new twoparty identitybased key agreement that is more e#cient than previously proposed schemes. It is inspired on a new identitybased key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mo ..."
Abstract

Cited by 48 (0 self)
 Add to MetaCart
We present a new twoparty identitybased key agreement that is more e#cient than previously proposed schemes. It is inspired on a new identitybased key pair derivation algorithm first proposed by Sakai and Kasahara. We show how this key agreement can be used in either escrowed or escrowless mode. We also describe conditions under which users of di#erent Key Generation Centres can agree on a shared secret key. We give an overview of existing twoparty key agreement protocols, and compare our new scheme with existing ones in terms of computational cost and storage requirements.
Selfblindable credential certificates from the weil pairing
, 2001
"... Abstract. We describe two simple, efficient and effective credential pseudonymous certificate systems, which also support anonymity without the need for a trusted third party. The second system provides cryptographic protection against the forgery and transfer of credentials. Both systems are based ..."
Abstract

Cited by 47 (0 self)
 Add to MetaCart
Abstract. We describe two simple, efficient and effective credential pseudonymous certificate systems, which also support anonymity without the need for a trusted third party. The second system provides cryptographic protection against the forgery and transfer of credentials. Both systems are based on a new paradigm, called selfblindable certificates. Such certificates can be constructed using the Weil pairing in supersingular elliptic curves. 1
Authenticated IDbased key exchange and remote login with insecure token and PIN number. Cryptology ePrint Archive, Report 2002/164
, 2002
"... Abstract. Authenticated key exchange protocols tend to be either token based or password based. Token based schemes are often based on expensive (and irreplaceable) smartcard tokens, while passwordonly schemes require that a unique password is shared between every pair of correspondents. The magne ..."
Abstract

Cited by 44 (1 self)
 Add to MetaCart
Abstract. Authenticated key exchange protocols tend to be either token based or password based. Token based schemes are often based on expensive (and irreplaceable) smartcard tokens, while passwordonly schemes require that a unique password is shared between every pair of correspondents. The magnetic strip swipe card and associated PIN number is a familiar and convenient format that motivates a combined “twofactor ” approach. Finally we suggest an extension of the scheme for use in a clientserver scenario.