## Short signatures from the Weil pairing (2001)

Citations: 559 - 29 self

### BibTeX

```bibtex
@INPROCEEDINGS{Boneh01shortsignatures,
    author = {Dan Boneh and Ben Lynn and Hovav Shacham},
    title = {Short signatures from the Weil pairing},
    booktitle = {},
    year = {2001},
    pages = {514--532},
    publisher = {Springer-Verlag}
}
```

### Abstract

We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyper-elliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.

### Citations

2467 | Handbook of Applied Cryptography
- Menezes, Vanstone
- 1997
Citation Context ...up of $\mathbb{F}^*_{p^{l\alpha}}$. Therefore, to ensure that discrete log is hard in 〈P〉 we want curves with large α. 2. Generic: Generic discrete log algorithms such as the Baby-Step-Giant-Step and Pollard’s Rho method [16] have a running time proportional to √q. Therefore, we must ensure that q is sufficiently large. Decision Diffie-Hellman on elliptic curves: Let $P \in E/\mathbb{F}_{p^l}$ be a point of prime order q. Suppose the s...

1121 | Identity-based encryption from the Weil pairing
- Franklin
- 2001
Citation Context ...s. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a signature scheme. However, most Gap Dif...

832 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context ... Security We prove the security of the Signature Scheme against existential forgery under a chosen-message attacks in the random oracle model. Existential unforgeability under a chosen message attack [24] for a signature scheme (KeyGen, Sign, and Verify) is defined using the following game between a challenger and an adversary A: Setup. The challenger runs algorithm KeyGen to obtain a public key PK and...

328 | The exact security of digital signatures: How to sign with RSA and Rabin
- Bellare, Rogaway
- 1996
Citation Context ...tity of G. The signature scheme comprises three algorithms, KeyGen, Sign, and Verify. It makes use of a full-domain hash function $h : \{0, 1\}^* \to G^*$. The security analysis views h as a random oracle [3]. In Section 3.3 we weaken the requirement on the full-domain hash. Key Generation Pick random $x \xleftarrow{R} \mathbb{Z}_p^*$, and compute $v \leftarrow g^x$. The public key is v. The secret key is x. Signing Given a secret key x...

300 | Wallet databases with observers
- Chaum, Pedersen
- 1992
Citation Context ... Gap Diffie-Hellman group. As mentioned above, this scheme is described implicitly by Okamoto and Pointcheval [20]. The scheme resembles the undeniable signature scheme proposed by Chaum and Pederson [5]. In the next section we show how this signature scheme gives rise to very short signatures. 2.1 Gap Diffie-Hellman Groups (GDH groups) Consider a (multiplic...

291 | Efficient Algorithms for Pairing-Based Cryptosystems - Barreto, Kim, et al. - 2002 |

285 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993
Citation Context ... q with security multiplier α. We briefly discuss two standard ways for computing discrete-log in 〈P〉. 1. MOV: Use an efficiently computable homomorphism, as in the Menezes-Okamoto-Vanstone reduction [15], to map the discrete log problem in 〈P〉 to a discrete log problem in some extension of $\mathbb{F}_{p^l}$, say $\mathbb{F}_{p^{li}}$. We require that the image of 〈P〉 under this homomorphism is a subgroup of $\mathbb{F}^*_{p^{li}}$ of order q. Th...

284 | Elliptic curve public key cryptosystems
- Menezes
- 1993
Citation Context ...hen R = O. 4. Computable: for all $R_1, R_2 \in E[p]$, the pairing $e(R_1, R_2)$ is computable in polynomial time [34]. Note that $e(R_1, R_2) = 1$ if and only if $R_1$ and $R_2$ are linearly dependent. See [31, 10] for a definition of the Weil pairing and a description of the algorithm for computing it. The Tate pairing [18] is another useful bilinear map on E[p]. It has properties similar to those of the Weil p...

260 | A one round protocol for tripartite Diffie-Hellman
- Joux
- 2000
Citation Context ...s. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a signature scheme. However, most Gap Dif...

237 | Aggregate and verifiably encrypted signatures from bilinear maps - Boneh, Gentry, et al. - 2003 |

157 | Threshold Signature, Multisignature and Blind Signature Schemes Based on the Gap-Diffie-Hellman-Group
- Boldyreva
- 2003
Citation Context ...res generated by different people on different messages can be aggregated into a single signature [11]. The signature also supports standard extensions such as threshold signatures and blind signatures [9]. Notation. We use $E/\mathbb{F}_q$ to denote an elliptic curve $y^2 = x^3 + ax + b$ with coefficients $a, b \in \mathbb{F}_q$. For r 1, we use $E(\mathbb{F}_{q^r})$ to denote the group of points on E in $\mathbb{F}_{q^r}$. We use $|E(\mathbb{F}_{q^r})|$ to deno...

142 | Implementing the Tate pairing
- Galbraith, Harrison, et al.
- 2002
Citation Context ...ks [21, 22], except for ℓ = 121. It has recently been shown that certain Weil-descent attacks are not effective for this case [17], suggesting that it may be safe to use. Performance. Galbraith et al. [20] and Baretto et al. [4] show that the Frobenius map on the curves E + ; E can be used to speed the computation of the Weil and Tate pairings on these curves. This results in a significant speed-up to t...

139 | Constructive and destructive facets of Weil descent on elliptic curves
- Gaudry, Hess, et al.
Citation Context ... l defined by $y^2 = x^3 + 2x \pm 1$. Some useful instantiations of these curves are presented in Table 1. Note that we restrict these instantiations to those where l is prime, to avoid Weil-descent attacks [9, 10]. As explained in Section 3.3, we use $\mathrm{MapToGroup}_{h'}$ to map arbitrary bit strings to points of order q on E, using a hash function $h'$ from arbitrary strings to elements of $\mathbb{F}_{p^l}$ and an extra bit. cur...

132 | Fast batch verification for modular exponentiation and digital signatures - Bellare, Garay, et al. - 1998 |

131 | Secure distributed key generation for discrete-log based cryptosystems
- Gennaro, Jarecki, et al.
Citation Context ... for a trusted third party to generate shares of the private key. The n users can generate shares of the private key without the help of a trusted third party using the protocol due to Gennaro et al. [23]. 6 Conclusions We presented a short signature based on bilinear maps on elliptic curves. A signature is only one element in a finite field. Standard signatures based on discrete log such as DSA requir...

122 | The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes
- Okamoto, Pointcheval
- 1992
Citation Context ...m (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a signature scheme. However, most Gap Diffie-Hellman groups are relatively long and do not lead to short signatures. We prove the security of s...

117 | On the exact security of Full Domain Hash
- Coron
- 2000
Citation Context ...curity. 4 Proof of Security Theorem We prove, in the random oracle model, that GDH signatures are secure in GDH groups. The proof is similar to that given for full-domain hash RSA signatures by Coron [6], but the presentation is different. The point of this method is that the break-probability ɛ for the signature scheme does not depend on the number of hash queries a forger makes, but only depends on...

111 | Elliptic Functions
- Lang
- 1973
Citation Context ...ilding Gap-Diffie-Hellman groups with small representations Using the Weil pairing, certain elliptic curves may be used as GDH groups. We recall some necessary facts about elliptic curves (see, e.g., [14, 22]), and then show how to use certain curves for GDH signatures. In particular, we describe the curves $y^2 = x^3 + 2x \pm 1$ over $\mathbb{F}_{3^\ell}$. 3.1 Elliptic Curves and...

108 | The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics
- Silverman
- 1986
Citation Context ...ilding Gap-Diffie-Hellman groups with small representations Using the Weil pairing, certain elliptic curves may be used as GDH groups. We recall some necessary facts about elliptic curves (see, e.g., [14, 22]), and then show how to use certain curves for GDH signatures. In particular, we describe the curves $y^2 = x^3 + 2x \pm 1$ over $\mathbb{F}_{3^\ell}$. 3.1 Elliptic Curves and...

100 | New explicit conditions of elliptic curve traces for fr-reduction, IEICE transactions on fundamentals of electronics, communications and computer sciences
- Miyaji, Takano
- 2001
Citation Context ...r . In the next two sections we show curves with security multiplier, = 6. We begin by describing a family of non-supersingular elliptic curves with = 6. This family is outlined by Miyaji et al. [36]. We call these MNT curves. The idea is as follows: Suppose q = (2`) 2 + 1 and p = (2`) 2 2` + 1 for some ` 2 Z. Then it can be verified that p divides q 6 1, but does not divide q i 1 for 0s6. So, whe...

94 | Abelian varieties over finite fields
- Waterhouse
- 1969
Citation Context ...ll values of l to obtain short signatures, but the security is dependent on a discrete log problem in a large finite field. We use two simple lemmas to describe the behavior of these curves (see also [23, 13]). Lemma 1. The curve $E^+$ defined by $y^2 = x^3 + 2x + 1$ over $\mathbb{F}_{3^l}$ satisfies $\#E^+/\mathbb{F}_{3^l} = \begin{cases} 3^l + 1 + \sqrt{3 \cdot 3^l} & \text{when } l = \pm 1 \bmod 12, \text{ and} \\ 3^l + 1 - \sqrt{3 \cdot 3^l} & \text{when } l = \pm 5 \bmod 12 \end{cases}$ The curve $E^-$ defined by y2 = x3 ...

87 | Supersingular Curves in Cryptography
- Galbraith
- 2001
Citation Context ...llenge, therefore, is to construct elliptic curves with larger values of α, say α = 10. It is currently an open problem to build a family of elliptic curves with security multiplier α = 10. Galbraith [8] constructs supersingular curves of higher genus with a “large” security multiplier. For example, the supersingular curve $y^2 + y = x^5 + x^3$ has security multiplier 12 over $\mathbb{F}_{2^l}$. Since a point on th...

86 | An improved algorithm for arithmetic on a family of elliptic curves
- Solinas
- 1997
Citation Context ...ation in $\mathbb{F}_{3^{6l}}$, Miller's algorithm, and multiplication of a point on the curve. Point multiplication can be sped up further by using signed sliding windows, or better still, using the Frobenius map [29, 17], and taking advantage of the fact that some points are fixed for the whole system. An optimization that remains to be implemented is choosing one of the random points involved in Miller's algorithm to ...

84 | Message recovery for signature schemes based on the discrete logarithm problem
- Nyberg
- 1994
Citation Context ...imilar length and gives a concrete security analysis of the construction (in the random oracle model). Another technique proposed for reducing DSA signature length is signatures with message recovery [38, 41]. In such systems one encodes a part of the message into the signature thus This is the full version of a paper that appeared in Asiacrypt '01 [12]. y Supported by NSF and the Packard Foundation. 1 ...

75 | The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm
- Balasubramanian, Koblitz
- 1998
Citation Context ...sion Diffie-Hellman on elliptic curves: Let $P \in E/\mathbb{F}_{p^l}$ be a point of prime order q. Suppose the subgroup 〈P〉 has security multiplier α. We assume $q \nmid p^l - 1$. A result of Balasubramanian and Koblitz [2] shows that $E/\mathbb{F}_{p^{l\alpha}}$ contains a point Q that is linearly independent of P. Such a point $Q \in E/\mathbb{F}_{p^{l\alpha}}$ can be efficiently found. Note that linear independence of P and Q can be verified via the Weil pa...

65 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups
- Joux, Nguyen
Citation Context ...rter than standard DSA signatures. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a sign...

61 | Short programs for functions on curves. Unpublished manuscript
- Miller
- 1986
Citation Context ...bR2) = e(R1, R2)^{ab}. 3. Non-degenerate: if for R ∈ E[q] we have e(R, R′) = 1 for all R′ ∈ E[q], then R = O. 4. Computable: for all R1, R2 ∈ E[q], the pairing e(R1, R2) can be computed efficiently [17]. Note that e(R1, R2) = 1 if and only if R1 and R2 are linearly dependent. For the linearly independent points P and Q, both of order q, the Weil pairing allows us to determine whether the tuple (P, a...

54 | The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems
- Frey, Müller, et al.
- 1999
Citation Context ...ent of $\mathbb{F}_{3^{6l}}$ using the obvious injection: a is represented by a polynomial of degree l with coefficients in $\mathbb{F}_3$, and we simply view it as a polynomial with coefficients in $\mathbb{F}_{3^{6l}}$. We use the Tate pairing [7] instead of the Weil pairing, since it has similar properties and is easier to compute: the Weil pairing requires two iterations of Miller’s algorithm [17] and one division while the Tate pairing need...

51 | Constructing elliptic curves with prescribed embedding degrees
- Barreto, Lynn, et al.
- 2002
Citation Context ...security). Let q be a large prime power, say, $q > 2^{160}$. It is currently an open problem to construct an elliptic curve $E/\mathbb{F}_q$ such that $E(\mathbb{F}_q)$ has = 10 and $E(\mathbb{F}_q)$ has prime order. Baretto et al. [5] show how to build elliptic curves E such that $E(\mathbb{F}_q)$ has a given security multipliers . However, the largest prime order subgroup of $E(\mathbb{F}_q)$ is much smaller than q. Consequently, these curves canno...

49 | Optimal security proofs for PSS and other signature schemes
- Coron
- 2002
Citation Context ...heorem 3.2. The analysis used in the proof of Theorem 3.2 resembles Coron's analysis of the Full Domain Hash (FDH) signature scheme [15]. We note that Probabilistic Full Domain Hash (PFDH) signatures [16] have a tighter security reduction than FDH signatures. The same improvement to the security reduction can be applied to our signature scheme. However, randomizing our signature scheme as in PFDH woul...

46 | Self-Blindable Credential Certificates from the Weil Pairing - Verheul - 2001 |

45 | Supersingular abelian varieties in cryptology
- Rubin, Silverberg
- 2002
Citation Context ...acteristic 2 and consequently one must take Coppersmith's discrete log algorithm [14] into account, as discussed at the end of Section 4.4. To obtain larger security multipliers, Rubin and Silverberg [42] propose certain Abelian varieties. Superficially, they show that signatures produced using the curve of Section 4.4 can be shortened by 20%. The result is an n-bit signature where the pairing reduces ...

41 | A one round protocol for tripartite Diffie-Hellman
- Joux
- 2000
Citation Context ...atures. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a signature scheme. However, most Gap Diffie-Hellm...

37 | A cryptographic application of Weil descent
- Galbraith, Smart
- 1999
Citation Context ... l defined by $y^2 = x^3 + 2x \pm 1$. Some useful instantiations of these curves are presented in Table 1. Note that we restrict these instantiations to those where l is prime, to avoid Weil-descent attacks [9, 10]. As explained in Section 3.3, we use $\mathrm{MapToGroup}_{h'}$ to map arbitrary bit strings to points of order q on E, using a hash function $h'$ from arbitrary strings to elements of $\mathbb{F}_{p^l}$ and an extra bit. cur...

37 | The algorithmic resolution of Diophantine equations, volume 41. Cambridge Univ Pr
- Smart
- 1998
Citation Context ...an verify that we get a curve $E(\mathbb{F}_q)$ with security multiplier = 6. Finding integer solutions ℓ, y to an equation of type (3) is done by reducing it to Pell's equation, whose solution is well known [45]. Table 1 gives some values of D that lead to suitable curves for our signature scheme. For example, we get a curve $E/\mathbb{F}_q$ where q is a 168-bit prime. Signatures using this curve are 168-bits while the...

36 | Abelian varieties over finite - Waterhouse - 1969 |

34 | An elliptic curve implementation of the finite field digital signature algorithm
- Koblitz
- 1998
Citation Context ...ll values of l to obtain short signatures, but the security is dependent on a discrete log problem in a large finite field. We use two simple lemmas to describe the behavior of these curves (see also [23, 13]). Lemma 1. The curve $E^+$ defined by $y^2 = x^3 + 2x + 1$ over $\mathbb{F}_{3^l}$ satisfies $\#E^+/\mathbb{F}_{3^l} = \begin{cases} 3^l + 1 + \sqrt{3 \cdot 3^l} & \text{when } l = \pm 1 \bmod 12, \text{ and} \\ 3^l + 1 - \sqrt{3 \cdot 3^l} & \text{when } l = \pm 5 \bmod 12 \end{cases}$ The curve $E^-$ defined by y2 = x3 ...

24 | Discrete logarithms: The effectiveness of the index calculus method - Schirokauer, Weber, et al. - 1996 |

22 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups, J. Cryptology Online First, available from http://eprint.iacr.org/2001/003
- Joux, Nguyen
Citation Context ...y shorter than standard DSA signatures. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH) is easy. The first example of such groups was given in [12] and was previously used in [11, 4]. We call such groups Gap Diffie-Hellman groups, or GDH groups for short. Okamoto and Pointcheval [20] commented that a Gap Diffie-Hellman group gives rise to a signature ...

21 | Efficient algorithms for pairing-based cryptosystems
- Barreto, Kim, et al.
- 2002
Citation Context ...ℓ = 121. It has recently been shown that certain Weil-descent attacks are not effective for this case [17], suggesting that it may be safe to use. Performance. Galbraith et al. [20] and Baretto et al. [4] show that the Frobenius map on the curves E + ; E can be used to speed the computation of the Weil and Tate pairings on these curves. This results in a significant speed-up to the signature-verificatio...

20 | Signing on a Postcard
- Naccache, Stern
- 2000
Citation Context ... provided on a CD label. More generally, short signatures are needed in low-bandwidth communication environments. For example, short signatures are needed when printing a signature on a postage stamp [21, 19]. Currently, the two most frequently used signatures schemes, RSA and DSA, provide relatively long signatures compared to the security they provide. For example, when one uses a 1024-bit modulus, RSA ...

18 | Quartz, 128-bit long digital signature
- Courtois, Goubin, et al.
Citation Context ...ver short the message. When the message is not transmitted along with the signature, DSA signatures with message recovery are just as long as standard DSA signatures. We also note that Patarin et al. [40] construct short signatures whose security depends on the Hidden Field Equation (HFE) problem. Our signature scheme uses groups where the CDH problem is hard, but the Decision Diffie-Hellman problem (DDH)...

14 | The Elliptic Curve Digital Signature Algorithm (ECDSA - 62 - 1999 |

12 | Postal revenue collection in the digital age
- Pintsov, Vanstone
- 2000
Citation Context ... provided on a CD label. More generally, short signatures are needed in low-bandwidth communication environments. For example, short signatures are needed when printing a signature on a postage stamp [21, 19]. Currently, the two most frequently used signatures schemes, RSA and DSA, provide relatively long signatures compared to the security they provide. For example, when one uses a 1024-bit modulus, RSA ...

8 | Fast batch verification for modular exponentiation and digital signatures
- Bellare, Garay, et al.
- 1998
Citation Context .... We obtain n signatures 1 ; : : : ; n . We show that these n signatures can be verified as a batch much faster than verifying them one by one. A similar property holds for other signature schemes [6]. Let $(G_1, G_2)$ be a co-GDH group pair of prime order p. Suppose user i's private key is $x_i \in \mathbb{Z}_p$ and his public key is $v_i = g_2^{x_i} \in G_2$. Signature i is i = H(M) x i 2 G 1 . To verify the ...

8 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms
- Maurer
- 1994
Citation Context ...o-CDH on $(G_1, G_2)$ is to compute discrete-log in $G_1$. In fact, the discrete-log and CDH problems in $G_1$ are known to be computationally equivalent given some extra information about the group $G_1$ [30]. Therefore, it suffices to consider necessary conditions for making the discrete-log problem on $E(\mathbb{F}_q)$ intractable. Let 〈P〉 be a subgroup of $E(\mathbb{F}_q)$ of order p with security multiplier . We briefly di...

6 | Self-Blindable Credential Certificates from the Weil Pairing
- Verheul
- 2001
Citation Context ...on. Surprisingly, signatures from distinct people on distinct messages can be aggregated into a single convincing signature. We briefly survey these extensions here and refer to Boldyreva [9], Verheul [46], and Boneh et al. [11] for a full description and proofs of security. 5.1 Aggregate signatures Common environments require managing many signatures by different parties on distinct messages. For examp...

5 | Discrete logarithms: The effectiveness of the index calculus method
- Schirokauer, Weber, et al.
- 1996
Citation Context ...[32], to map the discrete log problem in 〈P〉 to a discrete log problem in some extension of $\mathbb{F}_q$, say $\mathbb{F}_{q^i}$. We then solve the discrete log problem in $\mathbb{F}_{q^i}$ using the Number Field Sieve algorithm [43]. The image of 〈P〉 under this homomorphism must be a subgroup of $\mathbb{F}_{q^i}$ of order p. Thus we have pj(q i 1), which by the definition of implies that i . Hence, the MOV method can, at best, reduce...

4 | Aggregate and Verifiably Encrypted Signature from Bilinear Maps
- Boneh, Gentry, et al.
- 2003
Citation Context ...n [13]. Our signature scheme has several useful properties, described in Section 5. For example, signatures generated by different people on different messages can be aggregated into a single signature [11]. The signature also supports standard extensions such as threshold signatures and blind signatures [9]. Notation. We use $E/\mathbb{F}_q$ to denote an elliptic curve $y^2 = x^3 + ax + b$ with coefficients a; b 2 F q...

4 | The GHS-attack in odd characteristic
- Diem
Citation Context ...these instantiations to those where ℓ is prime, to avoid Weil-descent attacks [21, 22], except for ℓ = 121. It has recently been shown that certain Weil-descent attacks are not effective for this case [17], suggesting that it may be safe to use. Performance. Galbraith et al. [20] and Baretto et al. [4] show that the Frobenius map on the curves E + ; E can be used to speed the computation of the Weil an...