Results 1  10
of
215
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 562 (29 self)
 Add to MetaCart
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
Guide to Elliptic Curve Cryptography
, 2004
"... Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves ..."
Abstract

Cited by 382 (17 self)
 Add to MetaCart
Elliptic curves have been intensively studied in number theory and algebraic geometry for over 100 years and there is an enormous amount of literature on the subject. To quote the mathematician Serge Lang: It is possible to write endlessly on elliptic curves. (This is not a threat.) Elliptic curves also figured prominently in the recent proof of Fermat's Last Theorem by Andrew Wiles. Originally pursued for purely aesthetic reasons, elliptic curves have recently been utilized in devising algorithms for factoring integers, primality proving, and in publickey cryptography. In this article, we aim to give the reader an introduction to elliptic curve cryptosystems, and to demonstrate why these systems provide relatively small block sizes, highspeed software and hardware implementations, and offer the highest strengthperkeybit of any known publickey scheme.
Efficient algorithms for pairingbased cryptosystems
, 2002
"... Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in ..."
Abstract

Cited by 294 (23 self)
 Add to MetaCart
Abstract. We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics. We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairingbased cryptography. 1
Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems
, 1999
"... Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique allowing to recover secret smart card information by monitoring power signals. In [14] a specific DPA attack against smartcards running the DES algorithm was described. As few as 1000 encryptions were su ..."
Abstract

Cited by 162 (2 self)
 Add to MetaCart
Differential Power Analysis, first introduced by Kocher et al. in [14], is a powerful technique allowing to recover secret smart card information by monitoring power signals. In [14] a specific DPA attack against smartcards running the DES algorithm was described. As few as 1000 encryptions were sufficient to recover the secret key. In this paper we generalize DPA attack to elliptic curve (EC) cryptosystems and describe a DPA on EC DiffieHellman key exchange and EC ElGamal type encryption. Those attacks enable to recover the private key stored inside the smartcard. Moreover, we suggest countermeasures that thwart our attack.
A Survey of Fast Exponentiation Methods
 JOURNAL OF ALGORITHMS
, 1998
"... Publickey cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation de ..."
Abstract

Cited by 155 (0 self)
 Add to MetaCart
Publickey cryptographic systems often involve raising elements of some group (e.g. GF(2 n), Z/NZ, or elliptic curves) to large powers. An important question is how fast this exponentiation can be done, which often determines whether a given system is practical. The best method for exponentiation depends strongly on the group being used, the hardware the system is implemented on, and whether one element is being raised repeatedly to different powers, different elements are raised to a fixed power, or both powers and group elements vary. This problem has received much attention, but the results are scattered through the literature. In this paper we survey the known methods for fast exponentiation, examining their relative strengths and weaknesses.
An IdentityBased Signature from Gap DiffieHellman Groups
 Public Key Cryptography  PKC 2003, LNCS 2139
, 2002
"... In this paper we propose an identity(ID)based signature scheme using gap DiffieHellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model. ..."
Abstract

Cited by 145 (4 self)
 Add to MetaCart
In this paper we propose an identity(ID)based signature scheme using gap DiffieHellman (GDH) groups. Our scheme is proved secure against existential forgery on adaptively chosen message and ID attack under the random oracle model.
The Elliptic Curve Digital Signature Algorithm (ECDSA)
, 1999
"... The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideratio ..."
Abstract

Cited by 104 (5 self)
 Add to MetaCart
The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA). It was accepted in 1999 as an ANSI standard, and was accepted in 2000 as IEEE and NIST standards. It was also accepted in 1998 as an ISO standard, and is under consideration for inclusion in some other ISO standards. Unlike the ordinary discrete logarithm problem and the integer factorization problem, no subexponentialtime algorithm is known for the elliptic curve discrete logarithm problem. For this reason, the strengthperkeybit is substantially greater in an algorithm that uses elliptic curves. This paper describes the ANSI X9.62 ECDSA, and discusses related security, implementation, and interoperability issues. Keywords: Signature schemes, elliptic curve cryptography, DSA, ECDSA.
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
"... Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the secur ..."
Abstract

Cited by 78 (2 self)
 Add to MetaCart
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256bit AES keys. In this paper we examine the implications of heightened security needs for pairingbased cryptosystems. We first describe three different reasons why highsecurity users might have concerns about the longterm viability of these systems. However, in our view none of the risks inherent in pairingbased systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
Evidence that XTR is more secure than supersingular elliptic curve cryptosystems
 J. Cryptology
, 2001
"... Abstract. We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p 2) of a particular type of supersingular elliptic curve is at least as hard as solving the DiffieHellman problem in the XTR subgroup. This provides strong evidenc ..."
Abstract

Cited by 76 (4 self)
 Add to MetaCart
Abstract. We show that finding an efficiently computable injective homomorphism from the XTR subgroup into the group of points over GF(p 2) of a particular type of supersingular elliptic curve is at least as hard as solving the DiffieHellman problem in the XTR subgroup. This provides strong evidence for a negative answer to the question posed by S. Vanstone and A. Menezes at the Crypto 2000 Rump Session on the possibility of efficiently inverting the MOV embedding into the XTR subgroup. As a side result we show that the Decision DiffieHellman problem in the group of points on this type of supersingular elliptic curves is efficiently computable, which provides an example of a group where the Decision DiffieHellman problem is simple, while the DiffieHellman and discrete logarithm problem are presumably not. The cryptanalytical tools we use also lead to cryptographic applications of independent interest. These applications are an improvement of Joux’s one round protocol for tripartite DiffieHellman key exchange and a non refutable digital signature scheme that supports escrowable encryption. We also discuss the applicability of our methods to general elliptic curves defined over finite fields. 1
Towards the Equivalence of Breaking the DiffieHellman Protocol and Computing Discrete Logarithms
, 1994
"... Let G be an arbitrary cyclic group with generator g and order jGj with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the DiffieHellman protocol for G and ..."
Abstract

Cited by 69 (6 self)
 Add to MetaCart
Let G be an arbitrary cyclic group with generator g and order jGj with known factorization. G could be the subgroup generated by g within a larger group H. Based on an assumption about the existence of smooth numbers in short intervals, we prove that breaking the DiffieHellman protocol for G and base g is equivalent to computing discrete logarithms in G to the base g when a certain side information string S of length 2 log jGj is given, where S depends only on jGj but not on the definition of G and appears to be of no help for computing discrete logarithms in G. If every prime factor p of jGj is such that one of a list of expressions in p, including p \Gamma 1 and p + 1, is smooth for an appropriate smoothness bound, then S can efficiently be constructed and therefore breaking the DiffieHellman protocol is equivalent to computing discrete logarithms.