Results 1  10
of
78
The Eta Pairing Revisited
 IEEE Transactions on Information Theory
, 2006
"... Abstract. In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto et al., to ordinary curves. Furthermore, we show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speedup o ..."
Abstract

Cited by 90 (8 self)
 Add to MetaCart
Abstract. In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto et al., to ordinary curves. Furthermore, we show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speedup of a factor of around six over the usual Tate pairing, in the case of curves which have large security parameters, complex multiplication by an order of Q ( √ −3), and when the trace of Frobenius is chosen to be suitably small. Other, more minor savings are obtained for 1 2 more general curves. 1
A taxonomy of pairingfriendly elliptic curves
, 2006
"... Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all ..."
Abstract

Cited by 78 (10 self)
 Add to MetaCart
Elliptic curves with small embedding degree and large primeorder subgroup are key ingredients for implementing pairingbased cryptographic systems. Such “pairingfriendly” curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairingfriendly elliptic curves currently existing in the literature. We also include new constructions of pairingfriendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairingfriendly curves to choose to best satisfy a variety of performance and security requirements.
Security analysis of the strong DiffieHellman problem
, 2006
"... Abstract. Let g be an element of prime order p in an abelian group and α ∈ Zp. We show that if g, g α, and g αd are given for a positive divisor d of p−1, we can compute the secret α in O(log p· ( √ p/d+ √ d)) group operations using O(max { √ p/d, √ d}) memory. If g αi (i = 0, 1, 2,..., d) are pr ..."
Abstract

Cited by 51 (2 self)
 Add to MetaCart
Abstract. Let g be an element of prime order p in an abelian group and α ∈ Zp. We show that if g, g α, and g αd are given for a positive divisor d of p−1, we can compute the secret α in O(log p· ( √ p/d+ √ d)) group operations using O(max { √ p/d, √ d}) memory. If g αi (i = 0, 1, 2,..., d) are provided for a positive divisor d of p + 1, α can be computed in O(log p · ( √ p/d + d)) group operations using O(max { √ p/d, √ d}) memory. This implies that the strong DiffieHellman problem and its related problems have computational complexity reduced by O ( √ d) from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the DiffieHellman problem on an abelian group of prime order p. As a result, we reduce the complexity of recovering the secret key from O ( √ p) to O ( √ p/d) for Boldyreva’s blind signature and the original ElGamal scheme when p − 1 (resp. p + 1) has a divisor d ≤ p 1/2 (resp. d ≤ p 1/3) and d signature or decryption queries are allowed.
Efficient and generalized pairing computation on Abelian varieties
, 2008
"... In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the Rate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the Rate pairing, the loop length in ..."
Abstract

Cited by 42 (2 self)
 Add to MetaCart
In this paper, we propose a new method for constructing a bilinear pairing over (hyper)elliptic curves, which we call the Rate pairing. This pairing is a generalization of the Ate and Atei pairing, and also improves efficiency of the pairing computation. Using the Rate pairing, the loop length in Miller’s algorithm can be as small as log(r 1/φ(k) ) for some pairingfriendly elliptic curves which have not reached this lower bound. Therefore we obtain from 29 % to 69 % savings in overall costs compared to the Atei pairing. On supersingular hyperelliptic curves of genus 2, we show that this approach makes the loop length in Miller’s algorithm shorter than that of the Ate pairing.
Sequential aggregate signatures and multisignatures without random oracles
 In EUROCRYPT, 2006. (Cited on
, 2006
"... Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature schem ..."
Abstract

Cited by 35 (1 self)
 Add to MetaCart
Abstract. We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature scheme are sequentially constructed, but knowledge of the order in which messages were signed is not necessary for verification. The aggregate signatures obtained are shorter than Lysyanskaya et al. sequential aggregates and can be verified more efficiently than Boneh et al. aggregates. We also consider applications to secure routing and proxy signatures. 1
High Security PairingBased Cryptography Revisited
 In Algorithmic Number Theory Symposium – ANTS VII, SpringerVerlag LNCS XXXX, XXXX–XXXX
, 2006
"... The security and performance of pairing based cryptography has provoked a large volume of research, in part because of the exciting new cryptographic schemes that it underpins. We reexamine how one should implement pairings over ordinary elliptic curves for various practical levels of security. ..."
Abstract

Cited by 28 (5 self)
 Add to MetaCart
The security and performance of pairing based cryptography has provoked a large volume of research, in part because of the exciting new cryptographic schemes that it underpins. We reexamine how one should implement pairings over ordinary elliptic curves for various practical levels of security. We conclude, contrary to prior work, that the Tate pairing is more e#cient than the Weil pairing for all such security levels. This is achieved by using e#cient exponentiation techniques in the cyclotomic subgroup backed by e#cient squaring routines within the same subgroup.
A cramershoup encryption scheme from the linear assumption and from progressively weaker linear variants
, 2007
"... We describe a CCAsecure publickey encryption scheme, in the CramerShoup paradigm, based on the Linear assumption of Boneh, Boyen, and Shacham. Through a comparison to the Kiltz tagencryption scheme from TCC 2006, our scheme gives evidence that the CramerShoup paradigm yields CCA encryption with ..."
Abstract

Cited by 26 (0 self)
 Add to MetaCart
We describe a CCAsecure publickey encryption scheme, in the CramerShoup paradigm, based on the Linear assumption of Boneh, Boyen, and Shacham. Through a comparison to the Kiltz tagencryption scheme from TCC 2006, our scheme gives evidence that the CramerShoup paradigm yields CCA encryption with shorter ciphertexts than the CanettiHaleviKatz paradigm. We present a generalization of the Linear assumption into a family of progressively weaker assumptions and show how to instantiate our Linear CramerShoup encryption using the progressively weaker members of this family.
Batch verification of short signatures
 In Proceedings of Eurocrypt 2007
, 2007
"... With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, a frequent requirement is that the communication overhea ..."
Abstract

Cited by 20 (3 self)
 Add to MetaCart
With computer networks spreading into a variety of new environments, the need to authenticate and secure communication grows. Many of these new environments have particular requirements on the applicable cryptographic primitives. For instance, a frequent requirement is that the communication overhead inflicted be small and that many messages be processable at the same time. In this paper, we consider the suitability of public key signatures in the latter scenario. That is, we consider signatures that are 1) short and 2) where many signatures from (possibly) different signers on (possibly) different messages can be verified quickly. Prior work focused almost exclusively on batching signatures from the same signer. We propose the first batch verifier for messages from many (certified) signers without random oracles and with a verification time where the dominant operation is independent of the number of signatures to verify. We further propose a new signature scheme with very short signatures, for which batch verification for many signers is also highly efficient. Combining our new signatures with the best known techniques for batching certificates from the same authority, we get a fast batch verifier for certificates and messages combined. Although our new signature scheme has some restrictions, it is very efficient and still practical for some communication applications. 1
Highspeed software implementation of the optimal ate pairing over Barreto–Naehrig curves
 PAIRINGBASED CRYPTOGRAPHY–PAIRING 2010. LECTURE NOTES IN COMPUTER SCIENCE
, 2010
"... This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254bit prime field Fp, injust2.33 million of clock cycles on a single core of an Intel Core ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
This paper describes the design of a fast software library for the computation of the optimal ate pairing on a Barreto–Naehrig elliptic curve. Our library is able to compute the optimal ate pairing over a 254bit prime field Fp, injust2.33 million of clock cycles on a single core of an Intel Core i7 2.8GHz processor, which implies that the pairing computation takes 0.832msec. We are able to achieve this performance by a careful implementation of the base field arithmetic through the usage of the customary Montgomery multiplier for prime fields. The prime field is constructed via the Barreto–Naehrig polynomial parametrization of the prime p given as, p =36t 4 +36t 3 +24t 2 +6t +1, with t =2 62 − 2 54 +2 44. This selection of t allows us to obtain important savings for both the Miller loop as well as the final exponentiation steps of the optimal ate pairing.
Optimised Versions of the Ate and Twisted Ate Pairings
 the Eleventh IMA International Conference on Cryptography and Coding
, 2007
"... Abstract. We observe a natural generalisation of the ate and twisted ate pairings, which allow for performance improvements in non standard applications of pairings to cryptography like composite group orders. We also give a performance comparison of our pairings and the Tate, ate and twisted ate pa ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
Abstract. We observe a natural generalisation of the ate and twisted ate pairings, which allow for performance improvements in non standard applications of pairings to cryptography like composite group orders. We also give a performance comparison of our pairings and the Tate, ate and twisted ate pairings for certain polynomial families based on operation count estimations and on an implementation, showing that our pairings can achieve a speedup of a factor of up to two over the other pairings. 1