Results 1 - 5 of 5
Identity Based Authenticated Key Agreement Protocols from Pairings
In: Proc. 16th IEEE Security Foundations Workshop, 2002
Cited by 50 (2 self)
We investigate a number of issues related to identity based authenticated key agreement protocols in the Diffie-Hellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves
Cited by 3 (0 self)
Abstract. We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI1/FAPI2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of Boneh–Franklin, Hess' identity-based signature scheme, as well as Joux's three-party one-round key agreement protocol. Moreover, if one can solve FAPI1 and FAPI2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time. Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski. Keywords: One-way function, hard-to-compute bits, bilinear pairings, elliptic curves, fixed argument pairing inversion problem, Fourier transform, list decoding.
Computing pairings using x-coordinates only
Designs, Codes and Cryptography
Cited by 3 (0 self)
Abstract. To reduce bandwidth in elliptic curve cryptography one can transmit only x-coordinates of points (or x-coordinates together with an extra bit). For further computation using the points one can either recover the y-coordinates by taking square roots or one can use point multiplication formulae which use x-coordinates only. We consider how to efficiently use point compression in pairing-based cryptography. We give a method to compute compressed Weil pairings using x-coordinates only. We also show how to compute the compressed Tate and ate pairings using only one y-coordinate. Our methods are more efficient than taking square roots when the embedding degree is small. We implemented the algorithms in the case of embedding degree 2 curves over Fp where p ≡ 3 (mod 4) and found that our methods are 10–15% faster than the analogous methods using square roots.
On the Bits of Elliptic Curve
Abstract. We study the security of elliptic curve Diffie-Hellman secret keys in the presence of oracles that provide partial information on the value of the key. Unlike the corresponding problem for finite fields, little is known about this problem, and in the case of elliptic curves the difficulty of representing large point multiplications in an algebraic manner leads to new obstacles that are not present in the case of finite fields. To circumvent this obstruction, we introduce a small multiplier version of the hidden number problem, and we use its properties to analyze the security of certain Diffie-Hellman bits. We suggest new character sum conjectures that guarantee the uniqueness of solutions to the hidden number problem, and provide some evidence in support of the conjectures by showing that the ones we need hold on average. We also present a Gröbner basis algorithm for solving the hidden number problem and recovering the Diffie-Hellman secret key when the elliptic curve is defined over a constant degree extension field and the oracle is a coordinate function in the polynomial basis.
Polynomial approximation of Bilinear-Diffie-Hellman maps
The problem of computing Bilinear-Diffie-Hellman maps is considered. It is shown that the problem of computing the map is equivalent to computing a diagonal version of it. Various lower bounds on the degree of any polynomial that interpolates this diagonal version of the map are found, which show that such an interpolation will involve a polynomial of large degree, relative to the size of the set on which it interpolates.