## Applications of Multilinear Forms to Cryptography (2002)

Venue: Contemporary Mathematics

Citations: 51 - 7 self

### BibTeX

```
@ARTICLE{Boneh02applicationsof,
    author = {Dan Boneh and Alice Silverberg},
    title = {Applications of Multilinear Forms to Cryptography},
    journal = {Contemporary Mathematics},
    year = {2002},
    volume = {324},
    pages = {71--90}
}
```

### Abstract

We study the problem of finding efficiently computable non-degenerate multilinear maps from $G_1$ to $G_2$, where $G_1$ and $G_2$ are groups of the same prime order, and where computing discrete logarithms in $G_1$ is hard. We present several applications to cryptography, explore directions for building such maps, and give some reasons to believe that finding examples with n > 2 may be difficult.

### Citations

1332 | Random Oracles are Practical: A Paradigm for Designing Efficient Protocols
- Bellare, Rogaway
- 1993

Citation Context ... most secure signature schemes there are many valid signatures for a given message). Unique signature schemes were known to exist in the common random string model [11] and in the random oracle model [1], but until the results of Micali et al. [19] there were no constructions for such schemes in the standard model defined below. Unique signatures are used to construct Verifiable Pseudo Random Functions...

832 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988

Citation Context ...$M, S_2, \mathrm{VK}) = \text{yes} \Rightarrow S_1 = S_2$. Security for a unique signature scheme is defined as for standard signatures and is called security against existential forgery under an adaptive chosen message attack [10]. This notion is defined by the following game between a challenger and an attacker A: Step 1. The challenger runs algorithm KeyGen(t) to generate a key pair (VK, SK). It gives VK to the attacker and ...

559 | Short signatures from the Weil pairing
- Lynn, Shacham
- 2001

Citation Context ...ptic curves, or more generally on supersingular abelian varieties [25]. These applications include one-round three-party key exchange [14], identity-based encryption [3], and short digital signatures [4] (see also [26]). We show that multilinear generalizations of Weil or Tate pairings would have far-reaching consequences in cryptography. Section 3 describes the desired properties for a multilinear f...

285 | Reducing elliptic curve logarithms to logarithms in a finite field
- Menezes, Okamoto, et al.
- 1993

Citation Context ...m in $G_1$ to the discrete log problem in $G_2$. Hence, if discrete log in $G_1$ is hard then discrete log in $G_2$ must also be hard. This reduction is a straightforward generalization of the MOV reduction [18]. Let $g, h \in G_1$ such that h = g . Computing given g and h is a discrete log problem in $G_1$. To reduce this to a discrete log problem in $G_2$ compute the following two values: $x = e(g, g, \ldots,$ ...

284 | Elliptic curve public key cryptosystems
- Menezes
- 1993

Citation Context ... the group of N-th roots of unity. A principal polarization then induces a map e N : A[N ] A[N ] ! N . When A is a supersingular Jacobian variety, Miller's algorithm [20] (see also Section 5.1 of [17] for the case of elliptic curves) gives an efficient way to compute the pairing. If $P \in A(F)$ is a point of prime order $\ell$, and $\varphi \in \mathrm{End}(A)$ sends P to an independent point of order $\ell$, then the modified Weil...

283 | La conjecture de Weil
- Deligne
- 1974

Citation Context ... Frobenius acting on M i . Let T be the finite set T = fq 1 n : i 2 S i g Q : By Proposition 2.2 of [21], j i j = q m i =2 (this follows from the Weil Conjectures, proved by Deligne in [7]). Thus, j 1 2 n j = q (m 1 ++mn )=2 . Suppose m 1 + +m n 6= 2. Then 0 = 2 T . Therefore there are only finitely many prime ideals of the ring Z of algebraic integers that divide e...

249 | Broadcast encryption
- Fiat, Naor
- 1993

Citation Context ...eudo Random Functions (VRF). Hence, the construction using n-multilinear maps also gives a simple construction for VRF's. 6 Broadcast Encryption with Short Keys and Transmissions Broadcast encryption [8] appears to be the most interesting application to date for n-multilinear maps. We begin by describing the broadcast encryption problem, survey some of the existing work, and then describe a solution ...

217 | Identity based encryption from the Weil pairing
- Boneh, Franklin
- 2003

Citation Context ...ate pairings on supersingular elliptic curves, or more generally on supersingular abelian varieties [25]. These applications include one-round three-party key exchange [14], identity-based encryption [3], and short digital signatures [4] (see also [26]). We show that multilinear generalizations of Weil or Tate pairings would have far-reaching consequences in cryptography. Section 3 describes the desi...

196 | The decision Diffie-Hellman problem - Boneh - 1998

189 | A remark concerning m-divisibility and the discrete logarithm problem in the divisor class group of curves - Frey, Rück - 1994

174 | Revocation and tracing schemes for stateless receivers
- Naor, Naor, et al.

Citation Context ...t encryption scheme where the size of the header Hdr is independent of n, but the size of each private key $d_i$ is exponential in n. These are two extremes of the spectrum. Recently Naor-Naor-Lotspiech [22] gave an elegant construction where each private key consists of $O((\log n)^2)$ encryption keys for a symmetric encryption scheme. The header consists of O(n jSj) encryptions of a message key using the...

174 | Cryptosystems based on pairing
- Sakai, Ohgishi, et al.
- 2000

Citation Context ...r more generally on supersingular abelian varieties [25]. These applications include one-round three-party key exchange [14], identity-based encryption [3], and short digital signatures [4] (see also [26]). We show that multilinear generalizations of Weil or Tate pairings would have far-reaching consequences in cryptography. Section 3 describes the desired properties for a multilinear form. Sections 4...

89 | The LSD broadcast encryption scheme
- Halevy, Shamir

Citation Context ...ic encryption scheme. When the size of the symmetric encryption key is k-bits the system has the following parameters: private-key-size = $O(k(\log n)^2)$; header-size = O(k(n jSj)): Halevi and Shamir [12] showed that the private key size can be reduced to approximately $O(k \log n)$. This broadcast system is designed to broadcast to large sets S, i.e., when the size of S is close to n, so that n jSj is s...

52 | Verifiable Random Functions
- Micali, Rabin, et al.
- 1999

Citation Context ...ecret encryption key [2]. 5 Unique Signatures and Proofs for the n-way Diffie-Hellman Relation Our next application is useful for building unique signatures and verifiable pseudo random functions (VRF's) [19]. Let $G_1$ be a group of prime order $\ell$ with a generator g. Definition 5.1. We say that $(g, g_1, \ldots, g_n, h) \in G_1^{n+2}$ is an n-way Diffie-Hellman tuple if g generates $G_1$ and there exist integers $a_1$ ...

45 | Supersingular abelian varieties in cryptology
- Rubin, Silverberg
- 2002

Citation Context ...bra and cryptography. Interesting problems in cryptography have recently been solved using Weil or Tate pairings on supersingular elliptic curves, or more generally on supersingular abelian varieties [25]. These applications include one-round three-party key exchange [14], identity-based encryption [3], and short digital signatures [4] (see also [26]). We show that multilinear generalizations of Weil ...

41 | A one round protocol for tripartite Diffie-Hellman
- Joux
- 2000

Citation Context ...ntly been solved using Weil or Tate pairings on supersingular elliptic curves, or more generally on supersingular abelian varieties [25]. These applications include one-round three-party key exchange [14], identity-based encryption [3], and short digital signatures [4] (see also [26]). We show that multilinear generalizations of Weil or Tate pairings would have far-reaching consequences in cryptograph...

40 | Applications of arithmetical geometry to cryptographic constructions
- Frey
- 1999

Citation Context ... If ` is replaced by Z=`Z, then m = 0. If ` is replaced by Hom( ` ; Z=`Z), then (m; n) = ( 2; 1) or ( 1; 2). 7.5 Tate pairings We end with a brief discussion of Tate pairings (see Section 3.3 of [9] for more information). Suppose that F = F q , that K = F q m , that ` is a prime divisor of q m 1, and that J is the Jacobian of a curve of genus 1 defined over F . Then the Tate (or Tate-Lichtenbau...

38 | The Decision Diffie-Hellman Problem
- Boneh
- 1998

Citation Context ...e, but this would require many invocations of the key exchange protocol above. This issue is analogous to the issue that comes up when using the standard Diffie-Hellman secret as a secret encryption key [2]. 5 Unique Signatures and Proofs for the n-way Diffie-Hellman Relation Our next application is useful for building unique signatures and verifiable pseudo random functions (VRF's) [19]. Let $G_1$ be a group...

36 | Number-theoretic constructions of efficient pseudo-random functions
- Naor, Reingold
- 2004

Citation Context ...negligible. We give a simple construction for unique signatures. The construction is similar to a Pseudo Random Function (PRF) based on the Decision Diffie-Hellman problem (DDH) due to Naor and Reingold [23]. Our construction is based on a recent result due to Lysyanskaya [16]. Let G be a multilinear map generator. The following unique signature scheme is used to sign n-bit messages: KeyGen(t): 1. Run al...

33 | Classical Motives
- Scholl
- 1991

Citation Context ...nd therefore Galois-equivariant. Very roughly speaking, a motive over a field is something whose "realizations" behave as if they were the cohomology groups associated to a variety. According to 3.1 of [27], "one reason for Grothendieck's introduction of motives was to serve as analogues of the Jacobian of a curve in higher dimensions." See [13] for a treatment of motives over finite fields. We believe that...

30 | Flexible access control with master keys
- Chick, Tavares
- 1989

Citation Context ...can build a secure broadcast encryption scheme where both the size of the header and the size of each private key $d_i$ depend at most logarithmically on n. We note that Fiat-Naor [8] and Chick-Tavaras [6] gave constructions based on RSA that meet this requirements. However, these constructions either do not resist collusion of users [8] outside the set S, or the construction can only handle a small nu...

28 | Diffie-Hellman key distribution extended to groups
- Steiner, Tsudik, et al.
- 1996

Citation Context ...ion of the Diffie-Hellman protocol to n + 1 parties (Diffie-Hellman is designed for two parties). Solutions to this problem are useful in reducing the number of round trips in group key management protocols [28]. This is a long-standing open problem. More precisely, a one-round n-way conference key exchange scheme consists of the following three randomized polynomial time algorithms: Setup(t, n): Takes a sec...

22 | Separating decision Diffie-Hellman from Diffie-Hellman in cryptographic groups, J. Cryptology Online First, available from http://eprint.iacr.org/2001/003
- Joux, Nguyen

Citation Context ...s yes if and only if I is an n-way Diffie-Hellman tuple? We call this the n-way decision Diffie-Hellman problem. For n = 2 one obtains the standard Decision Diffie-Hellman problem [2]. Recently Joux and Nguyen [15] showed that the group of points on a supersingular elliptic curve over a finite field is an example of a group where discrete log is (presumably) hard, but the standard (2-way) Decision Diffie-Hellman probl...

18 | Invariant signatures and noninteractive zero-knowledge proofs are equivalent
- Goldwasser, Ostrovsky
- 1992

Citation Context ...riable Pseudo Random Functions Using Algorithm 5.2 we give a simple construction for a unique signature scheme and Verifiable Pseudo Random Functions. We first recall the definition of unique signatures [11]. Intuitively, a unique signature scheme is a digital signature scheme where every message has a unique digital signature (in most secure signature schemes there are many valid signatures for a given ...

10 | An improved algorithm for computing discrete logarithms over GF(p) and its cryptographic significance
- Pohlig, Hellman
- 1978

Citation Context ...= , where 2 Z and 1 `. The discrete log problem in $G_1$ is to compute the discrete log function in $G_1$. We are mostly interested in groups where this problem is intractable. It is well known [24] that computing discrete log in $G_1$ is reducible to computing discrete log in all prime order subgroups of $G_1$. Therefore, we can and will restrict our attention to groups $G_1, G_2$ of prime order $\ell$....

6 | Short Programs for Functions on Curves, unpublished manuscript
- Miller
- 1986

Citation Context ...al abelian variety, and N is the group of N-th roots of unity. A principal polarization then induces a map e N : A[N ] A[N ] ! N . When A is a supersingular Jacobian variety, Miller's algorithm [20] (see also Section 5.1 of [17] for the case of elliptic curves) gives an efficient way to compute the pairing. If $P \in A(F)$ is a point of prime order $\ell$, and $\varphi \in \mathrm{End}(A)$ sends P to an independent point of ...

5 | Unique signatures and verifiable random functions from the DH-DDH separation
- Lysyanskaya
- 2002

Citation Context ...onstruction is similar to a Pseudo Random Function (PRF) based on the Decision Diffie-Hellman problem (DDH) due to Naor and Reingold [23]. Our construction is based on a recent result due to Lysyanskaya [16]. Let G be a multilinear map generator. The following unique signature scheme is used to sign n-bit messages: KeyGen(t): 1. Run algorithm G(t, n) to generate (; g; `). 2. Pick random $a_{1,0}, a_{1,1},$ ...

1 | Motives over
- Milne

Citation Context ...dentity isomorphism ` ! ` gives trivial 1-multilinear maps of weight 2 motives. Weil or Tate pairings on abelian varieties give rise to 2-multilinear maps of weight 1 motives. Note (Remark 2.7 of [21]) that the category of motives over finite fields is generated by Artin motives (which have weight 0) and abelian varieties (which have weight 1). Corollary 7.7 provides evidence that the desired forms wi...