Results 1 
3 of
3
Converting PairingBased Cryptosystems from CompositeOrder Groups to PrimeOrder Groups
"... Abstract. We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairingbased cryptosystems, and we show how to use primeorder elliptic curve groups to construct bilinear groups with the same properties. In p ..."
Abstract

Cited by 28 (0 self)
 Add to MetaCart
Abstract. We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairingbased cryptosystems, and we show how to use primeorder elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision DiffieHellman assumption, the decision linear assumption, and/or related assumptions in primeorder groups. We apply our framework and our primeorder group constructions to create more efficient versions of cryptosystems that originally required compositeorder groups. Specifically, we consider the BonehGohNissim encryption scheme, the BonehSahaiWaters traitor tracing system, and the KatzSahaiWaters attributebased encryption scheme. We give a security theorem for the primeorder group instantiation of each system, using assumptions of comparable complexity to those used in the compositeorder setting. Our conversion of the last two systems to primeorder groups answers a problem posed by Groth and Sahai.
Fixed Argument Pairing Inversion on Elliptic Curves
"... Abstract. Let E be an elliptic curve over a finite field Fq with a power of prime q, r a prime dividing #E(Fq), and k the smallest positive integer satisfying rΦk(p), called embedding degree. Then a bilinear map t: E(Fq)[r] × E(Fqk)/rE(Fqk) → F ∗ qk is defined, called the Tate pairing. And the At ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Abstract. Let E be an elliptic curve over a finite field Fq with a power of prime q, r a prime dividing #E(Fq), and k the smallest positive integer satisfying rΦk(p), called embedding degree. Then a bilinear map t: E(Fq)[r] × E(Fqk)/rE(Fqk) → F ∗ qk is defined, called the Tate pairing. And the Ate pairing and other variants are obtained by reducing the domain for each argument and raising it to some power. In this paper we consider the Fixed Argument Pairing Inversion (FAPI) problem for the Tate pairing and its variants. In 2012, considering FAPI for the Atei pairing, Kanayama and Okamoto formulated the Exponentiation Inversion (EI) problem. However the definition gives a somewhat vague description of the hardness of EI. We point out that the described EI can be easily solved, and hence clarify the description so that the problem does contain the actual hardness connection with the prescribed domain for given pairings. Next we show that inverting the Ate pairing (including other variants of the Tate pairing) defined on the smaller domain is neither easier nor harder than inverting the Tate pairing defined on the lager domain. This is very interesting because it is commonly believed that the structure of the Ate pairing is so simple and good (that is, the Miller length is short, the solution domain is small and has an algebraic structure induced from the Frobenius map) that it may leak some information, thus there would be a chance for attackers to find further approach to solve FAPI for the Ate pairing, differently from the Tate pairing.