A Non-interactive Public-Key Distribution System

by Ueli M. Maurer, Yacov Yacobi
Results 1 - 10 of 15

Designing and detecting trapdoors for discrete log cryptosystems

by Daniel M. Gordon - Advances in Cryptology -- CRYPTO '92, 1993
Cited by 14 (0 self)
Abstract. Using a number field sieve, discrete logarithms modulo primes of special forms can be found faster than standard primes. This has raised concerns about trapdoors in discrete log cryptosystems, such as the Digital Signature Standard. This paper discusses the practical impact of these trapdoors, and how to avoid them.

Practical Non-Interactive Key Distribution Based on Pairings

by Régis Dupont, Andreas Enge - Proceedings of the International Workshop on Coding and Cryptography (WCC), 2002
Cited by 9 (0 self)
We propose a practical non-interactive key distribution protocol based on pairings and define a notion of security for such a scheme. We prove the security of the system in this setting under the GDBH assumption, and present some possible realisations using Weil or Tate pairings on supersingular and ordinary elliptic curves.

Security of an Identity-Based Cryptosystem and the Related Reductions

by Tatsuaki Okamoto, Shigenori Uchiyama - in Advances in Cryptology, Eurocrypt '98, LNCS 1403, 1998
Cited by 6 (0 self)
Abstract. Recently an efficient solution to the discrete logarithm problem on elliptic curves over F_p with p points (p: prime), so-called anomalous curves, was independently discovered by Semaev [14], Smart [17], and Satoh and Araki [12]. Since the solution is very efficient, i.e., O(|p|^3), the Semaev-Smart-Satoh-Araki (SSSA) algorithm implies the possibility of realizing a trapdoor for the discrete logarithm problem, and we have tried to utilize the SSSA algorithm for constructing a cryptographic scheme. One of our trials was to realize an identity-based cryptosystem (key-distribution) which has been proven to be as secure as a primitive problem, called the Diffie-Hellman problem on an elliptic curve over Z/nZ (n = pq, p and q are primes) where E_p and E_q are anomalous curves (anomalous E_n-Diffie-Hellman problem). Unfortunately we have found that the anomalous E_n-Diffie-Hellman problem is not secure (namely, our scheme is not secure). First, this paper introduces our trial of realizing an identity-based cryptosystem based on the SSSA algorithm, and then shows why the anomalous E_n-Diffie-Hellman problem is not secure. In addition, we generalize the observation of our breaking algorithm and present reductions of factoring n to computing the order of an elliptic curve over Z/nZ. (These reductions roughly imply the equivalence of intractability between factoring and computing an elliptic curve's order.) The algorithm of breaking our identity-based cryptosystem is considered to be a special case of these reductions, and the essential reason why our system was broken can be clarified through these reductions: E_n in our system is a very specific curve such that the order of E_n (i.e., n) is trivially known.

Towards Practical Non-interactive Public Key Cryptosystems Using Non-maximal Imaginary Quadratic Orders

by Detlef Hühnlein, Michael J. Jacobson, Damian Weber - in Selected Areas in Cryptography, Lecture Notes in Computer Science, 2000
Cited by 5 (0 self)
Abstract. We present a new non-interactive public key distribution system based on the class group of a non-maximal imaginary quadratic order Cl(∆_p). The main advantage of our system over earlier proposals based on (Z/nZ)^* [19,21] is that embedding id information into group elements in a cyclic subgroup of the class group is easy (straightforward embedding into prime ideals suffices) and secure, since the entire class group is cyclic with very high probability. In order to compute discrete logarithms in the class group, the KGC needs to know the prime factorization of ∆_p = ∆_1 p^2. We present an algorithm for computing discrete logarithms in Cl(∆_p) by reducing the problem to computing discrete logarithms in Cl(∆_1) and either F_p^* or F_{p^2}^*. We prove that a similar reduction works for arbitrary non-maximal orders, and that it has polynomial complexity if the factorization of the conductor is known.

Two remarks on public key cryptography

by Ross Anderson, 2002
Cited by 4 (0 self)

Security Analysis of Several Group Signature Schemes

by Guilin Wang - in INDOCRYPT '03, LNCS 2904, 2003
Cited by 3 (0 self)
At Eurocrypt '91, Chaum and van Heyst introduced the concept of group signature. In such a scheme, each group member is allowed to sign messages on behalf of a group anonymously. However, in case of later disputes, a designated group manager can open a group signature and identify the signer. In recent years, researchers have proposed a number of new group signature schemes and improvements with different levels of security. In this paper, we present a security analysis of five group signature schemes proposed in [25, 27, 18, 30, 10]. By using the same method, we successfully identify several universally forging attacks on these schemes. In our attacks, anyone (not necessarily a group member) can forge valid group signatures on any messages such that the forged signatures cannot be opened by the group manager. We also discuss the linkability of these schemes, and further explain why and how we find the attacks.

An Identity-Based Key Agreement Protocol for the Network Layer

by Christian Schridde, Matthew Smith, Bernd Freisleben
Cited by 3 (3 self)
Abstract. A new identity-based key agreement protocol designed to operate on the network layer is presented. Endpoint addresses, namely IP and MAC addresses, are used as public keys to authenticate the communication devices involved in a key agreement, which allows us to piggyback much of the security overhead for key management to the existing network infrastructure. The proposed approach offers solutions to some of the open problems of identity-based key agreement schemes when applied to the network layer, namely multi-domain key generation, key distribution, multi-domain public parameter distribution, inter-domain key agreement and network address translation traversal.

Murakami-Kasahara ID-based Key Sharing Scheme Revisited --- In Comparison with Maurer-Yacobi Schemes

by Yasuyuki Murakami, Masao Kasahara, 2005
Cited by 3 (0 self)
In Sept. 1990, the present authors firstly discussed DLP over a composite number and presented an ID-based Key Sharing Scheme referred to as MK1. In 1991, Maurer and Yacobi presented a scheme, referred to as MY, which is similar to our scheme, MK1. Unfortunately the schemes MK1 and MY are not secure. In Dec. 1990, the present authors presented a secure ID-based key sharing scheme referred to as MK2. With the rapid progress of computer power over the last 15 years, our proposed scheme would have more chance to be applied practically. Regrettably, it has not been widely known that (i) the schemes MY and MK1 are not secure, (ii) there exists a secure scheme, MK2. In this paper, we shall review MK2 and clarify the difference between MK2 and other schemes from the standpoint of security.

On the relations between noninteractive key distribution, identity-based encryption and trapdoor discrete log groups. Cryptology ePrint Archive, Report 2007/453

by Kenneth G. Paterson, Sriramkrishnan Srinivasan, 2007
Cited by 3 (0 self)
Abstract. This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a generic construction that converts a secure ID-NIKD scheme into a secure IBE scheme. This conversion is used to explain the relationship between the ID-NIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of ID-NIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure ID-NIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally well-resourced, but clients performing encryption/decryption are highly constrained. Keywords: Identity-based encryption; identity-based non-interactive key distribution; trapdoor discrete logs.

Making a Nymbler Nymble using VERBS (Extended Version). Computer Science

by Ryan Henry, Kevin Henry, Ian Goldberg, 2010
Cited by 2 (2 self)
Abstract. In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the non-abusive users. Our system provides a privacy-preserving analog of IP address banning, and is modeled after the well-known Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credentials. Thus, our scheme combines the strong privacy guarantees of [10,44,45,46] with a simple infrastructure as in [29,47,48]. To prevent malicious third parties from trivially colluding to reveal the identities of anonymous users we make use of a number of standard zero-knowledge proofs, and to maintain efficiency we introduce a new cryptographic technique which we call verifier efficient restricted blind signatures, or VERBS. Our approach allows users to perform all privacy-sensitive computations locally, and then prove in zero-knowledge that the computations were performed correctly in order to obtain efficiently verifiable signatures on the output — all without revealing either the result of the computation or any potentially identifying information to the signature issuing authority. Signature verification in our proposed VERBS scheme is 1–2 orders of magnitude more efficient than verification in any known restricted blind signature scheme.
© 2007-2010 The Pennsylvania State University