Results 1  10
of
142
Short signatures from the Weil pairing
, 2001
"... Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signa ..."
Abstract

Cited by 712 (28 self)
 Add to MetaCart
Abstract. We introduce a short signature scheme based on the Computational DiffieHellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a lowbandwidth channel. 1
Evaluating 2dnf formulas on ciphertexts
 In proceedings of TCC ’05, LNCS series
, 2005
"... Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create th ..."
Abstract

Cited by 222 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Let ψ be a 2DNF formula on boolean variables x1,..., xn ∈ {0, 1}. We present a homomorphic public key encryption scheme that allows the public evaluation of ψ given an encryption of the variables x1,..., xn. In other words, given the encryption of the bits x1,..., xn, anyone can create the encryption of ψ(x1,..., xn). More generally, we can evaluate quadratic multivariate polynomials on ciphertexts provided the resulting value falls within a small set. We present a number of applications of the system: 1. In a database of size n, the total communication in the basic step of the KushilevitzOstrovsky PIR protocol is reduced from √ n to 3 √ n. 2. An efficient election system based on homomorphic encryption where voters do not need to include noninteractive zero knowledge proofs that their ballots are valid. The election system is proved secure without random oracles but still efficient. 3. A protocol for universally verifiable computation. 1
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
"... Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the secur ..."
Abstract

Cited by 92 (3 self)
 Add to MetaCart
(Show Context)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identitybased encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256bit AES keys. In this paper we examine the implications of heightened security needs for pairingbased cryptosystems. We first describe three different reasons why highsecurity users might have concerns about the longterm viability of these systems. However, in our view none of the risks inherent in pairingbased systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairingbased cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24. Let E be the elliptic curve 1.
Direct Chosen Ciphertext Security from IdentityBased Techniques
 In ACM Conference on Computer and Communications Security
, 2005
"... We describe a new encryption technique that is secure in the standard model against adaptive chosen ciphertext (CCA2) attacks. We base our method on two very e#cient IdentityBased Encryption (IBE) schemes without random oracles due to Boneh and Boyen, and Waters. ..."
Abstract

Cited by 83 (7 self)
 Add to MetaCart
We describe a new encryption technique that is secure in the standard model against adaptive chosen ciphertext (CCA2) attacks. We base our method on two very e#cient IdentityBased Encryption (IBE) schemes without random oracles due to Boneh and Boyen, and Waters.
Efficient and generalized pairing computation on Abelian varieties
, 2008
"... In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the Rate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the Rate pairing, the loop length in ..."
Abstract

Cited by 52 (3 self)
 Add to MetaCart
In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the Rate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the Rate pairing, the loop length in Miller’s algorithm can be as small as log(r 1/φ(k) ) for some pairingfriendly elliptic curves which have not reached this lower bound. Therefore we obtain from 29 % to 69 % savings in overall costs compared to the Atei pairing. On supersingular hyperelliptic curves of genus 2, we show that this approach makes the loop length in Miller’s algorithm shorter than that of the Ate pairing.
Optimal Pairings
"... Abstract. In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with r the order of the groups involved and k the embedding degree. We describe an algorithm to construct optimal ate pairings on all parametri ..."
Abstract

Cited by 49 (0 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we introduce the concept of an optimal pairing, which by definition can be computed using only log 2 r/ϕ(k) basic Miller iterations, with r the order of the groups involved and k the embedding degree. We describe an algorithm to construct optimal ate pairings on all parametrized families of pairing friendly elliptic curves. Finally, we conjecture that any nondegenerate pairing on an elliptic curve without efficiently computable endomorphisms different from powers of Frobenius requires at least log 2 r/ϕ(k) basic Miller iterations.
A cramershoup encryption scheme from the linear assumption and from progressively weaker linear variants
, 2007
"... We describe a CCAsecure publickey encryption scheme, in the CramerShoup paradigm, based on the Linear assumption of Boneh, Boyen, and Shacham. Through a comparison to the Kiltz tagencryption scheme from TCC 2006, our scheme gives evidence that the CramerShoup paradigm yields CCA encryption with ..."
Abstract

Cited by 39 (0 self)
 Add to MetaCart
(Show Context)
We describe a CCAsecure publickey encryption scheme, in the CramerShoup paradigm, based on the Linear assumption of Boneh, Boyen, and Shacham. Through a comparison to the Kiltz tagencryption scheme from TCC 2006, our scheme gives evidence that the CramerShoup paradigm yields CCA encryption with shorter ciphertexts than the CanettiHaleviKatz paradigm. We present a generalization of the Linear assumption into a family of progressively weaker assumptions and show how to instantiate our Linear CramerShoup encryption using the progressively weaker members of this family.
Aggregated path authentication for efficient bgp security
 In ACM Conferernce on Computer and Communication Security (CCS
, 2005
"... The Border Gateway Protocol (BGP) controls interdomain routing in the Internet. BGP is vulnerable to many attacks, since routers rely on hearsay information from neighbors. Secure BGP (SBGP) uses DSA to provide route authentication and mitigate many of these risks. However, many performance and de ..."
Abstract

Cited by 38 (1 self)
 Add to MetaCart
(Show Context)
The Border Gateway Protocol (BGP) controls interdomain routing in the Internet. BGP is vulnerable to many attacks, since routers rely on hearsay information from neighbors. Secure BGP (SBGP) uses DSA to provide route authentication and mitigate many of these risks. However, many performance and deployment issues prevent SBGP’s realworld deployment. Previous work has explored improving SBGP processing latencies, but space problems, such as increased message size and memory cost, remain the major obstacles. In this paper, we design aggregated path authentication schemes by combining two efficient cryptographic techniques— signature amortization and aggregate signatures. We propose six constructions for aggregated path authentication that substantially improve efficiency of SBGP’s path authentication on both speed and space criteria. Our performance evaluation shows that the new schemes achieve such an efficiency that they may overcome the space obstacles and provide a realworld practical solution for BGP security. Categories and Subject Descriptors C.2.0 [Computercommunication networks]: Generalsecurity and
Implementing cryptographic pairings over BarretoNaehrig curves
 PairingBased Cryptography  Pairing 2007, First International Conference, volume 4575 of Lecture
"... Abstract. In this paper we describe an efficient implementation of the Tate and Ate pairings using BarretoNaehrig pairingfriendly curves, on both a standard 32bit PC and on a 32bit smartcard. First we introduce a subfamily of such curves with a particularly simple representation. Next we consid ..."
Abstract

Cited by 32 (2 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we describe an efficient implementation of the Tate and Ate pairings using BarretoNaehrig pairingfriendly curves, on both a standard 32bit PC and on a 32bit smartcard. First we introduce a subfamily of such curves with a particularly simple representation. Next we consider the issues that arise in the efficient implementation of field arithmetic in F p 12, which is crucial to good performance. Various optimisations are suggested, including a novel approach to the ‘final exponentiation’, which is faster and requires less memory than the methods previously recommended. 1
Direct chosenciphertext secure identitybased key encapsulation without random oracles
 In ACISP 2006
, 2006
"... We describe a practical identitybased encryption scheme that is secure in the standard model against chosenciphertext attacks. Our construction applies “direct chosenciphertext techniques ” to Waters ’ chosenplaintext secure scheme and is not based on hierarchical identitybased encryption. Furt ..."
Abstract

Cited by 30 (4 self)
 Add to MetaCart
(Show Context)
We describe a practical identitybased encryption scheme that is secure in the standard model against chosenciphertext attacks. Our construction applies “direct chosenciphertext techniques ” to Waters ’ chosenplaintext secure scheme and is not based on hierarchical identitybased encryption. Furthermore, we give an improved concrete security analysis for Waters ’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements. 1