Results 1 - 3 of 3
Identity Based Authenticated Key Agreement Protocols from Pairings
In: Proc. 16th IEEE Security Foundations Workshop, 2002
Cited by 48 (2 self)
We investigate a number of issues related to identity based authenticated key agreement protocols in the Diffie-Hellman family enabled by the Weil or Tate pairings. These issues include how to make protocols efficient; to avoid key escrow by a Trust Authority (TA) who issues identity based private keys for users, and to allow users to use different TAs. We describe a few authenticated key agreement (AK) protocols and AK with key confirmation (AKC) protocols by modifying Smart's AK protocol [Sm02]. We discuss the security of these protocols heuristically and give formal proofs of security for our AK and AKC protocols (using a security model based on the model defined in [BJM97]). We also prove that our AK protocol has the key compromise impersonation property. We also show that our second protocol has the TA forward secrecy property (which we define to mean that the compromise of the TA's private key will not compromise previously established session keys), and we note that this also implies that it has the perfect forward secrecy property.
Computing pairings using x-coordinates only
 Designs, Codes and Cryptography
Cited by 3 (0 self)
Abstract. To reduce bandwidth in elliptic curve cryptography one can transmit only x-coordinates of points (or x-coordinates together with an extra bit). For further computation using the points one can either recover the y-coordinates by taking square roots or one can use point multiplication formulae which use x-coordinates only. We consider how to efficiently use point compression in pairing-based cryptography. We give a method to compute compressed Weil pairings using x-coordinates only. We also show how to compute the compressed Tate and ate pairings using only one y-coordinate. Our methods are more efficient than taking square roots when the embedding degree is small. We implemented the algorithms in the case of embedding degree 2 curves over F_p where p ≡ 3 (mod 4) and found that our methods are 10-15% faster than the analogous methods using square roots.
Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves
Cited by 1 (0 self)
Abstract. We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI-1/FAPI-2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of Boneh–Franklin, Hess' identity-based signature scheme, as well as Joux's three-party one-round key agreement protocol. Moreover, if one can solve FAPI-1 and FAPI-2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time. Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski. Keywords: One-way function, hard-to-compute bits, bilinear pairings, elliptic curves, fixed argument pairing inversion problem, Fourier transform, list decoding.