Results 1 - 6 of 6
Evidence that XTR is more secure than supersingular elliptic curve cryptosystems
J. Cryptology, 2001
Cited by 82 (4 self)
Abstract. We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p^2) of a particular type of supersingular elliptic curve is at least as hard as solving the Diffie-Hellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by S. Vanstone and A. Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision Diffie-Hellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision Diffie-Hellman problem is simple, while the Diffie-Hellman and discrete logarithm problem are presumably not. The cryptanalytical tools we use also lead to cryptographic applications of independent interest. These applications are an improvement of Joux’s one round protocol for tripartite Diffie-Hellman key exchange and a non-refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields.
Pairing-based Cryptography at High Security Levels
Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS, 2005
Cited by 80 (3 self)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
2001
Cited by 69 (0 self)
In many cases, the security of a cryptographic scheme based on Diffie-Hellman does in fact rely on the hardness of...
An Overview of the XTR Public Key System
In Public-Key Cryptography and Computational Number Theory, Verlages Walter de Gruyter, 2000
Cited by 10 (1 self)
XTR is a new method to represent elements of a subgroup of a multiplicative group of a finite field. Application of XTR in cryptographic protocols leads to substantial savings both in communication and computational overhead without compromising security. This paper describes and explains the techniques and properties that are relevant for the XTR cryptosystem and its implementation. It is based on the material from [10,?,?,?].
The Diffie-Hellman problem and generalization of Verheul’s theorem
2009
Cited by 4 (0 self)
Bilinear pairings on elliptic curves have been of much interest in cryptography recently. Most of the protocols involving pairings rely on the hardness of the bilinear Diffie-Hellman problem. In contrast to the discrete log (or Diffie-Hellman) problem in a finite field, the difficulty of this problem has not yet been much studied. In 2001, Verheul [66] proved that on a certain class of curves, the discrete log and Diffie-Hellman problems are unlikely to be provably equivalent to the same problems in a corresponding finite field unless both Diffie-Hellman problems are easy. In this paper we generalize Verheul’s theorem and discuss the implications on the security of pairing based systems. We also include a large table of distortion maps.
GENERALIZATIONS OF VERHEUL’S THEOREM TO ASYMMETRIC PAIRINGS
Abstract. For symmetric pairings e: G × G → GT, Verheul proved that the existence of an efficiently-computable isomorphism φ: GT → G implies that the Diffie-Hellman problems in G and GT can be efficiently solved. In this paper, we explore the implications of the existence of efficiently-computable isomorphisms φ1: GT → G1 and φ2: GT → G2 for asymmetric pairings e: G1 × G2 → GT. We also give a simplified proof of Verheul’s theorem.