## Comparing two pairing-based aggregate signature schemes, Designs, Codes and Cryptography

Citations: 9 - 4 self

### BibTeX

@MISC{Chatterjee_comparingtwo,
    author = {Sanjit Chatterjee and Darrel Hankerson and Edward Knapp and Alfred Menezes},
    title = {Comparing two pairing-based aggregate signature schemes, Designs, Codes and Cryptography},
    year = {}
}

### Abstract

In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed.

### Citations

597 | Short signature from the Weil pairing
- Boneh, Lynn, et al.
- 2001
Citation Context ... be called Type 2 pairings, while asymmetric pairings for which no efficiently-computable isomorphism is known either from $G_1$ to $G_2$ or from $G_2$ to $G_1$ are called Type 3 pairings. Boneh, Lynn and Shacham [9] were the first to observe that an efficiently-computable isomorphism $\psi$ from $G_2$ to $G_1$ can be essential to the security of a protocol. They showed that their short-signature scheme is insecure if imple... |

439 | Guide to Elliptic Curve Cryptography - Hankerson, Menezes, et al. - 2004 |

292 | Short group signatures
- Boneh, Boyen, et al.
Citation Context ...LP$_{G_2}$ than of DLP$_{G_2'}$, and consequently more confidence in hardness of co-DHP* than of co-DHP. One should also note that the Decisional DHP is easy in $G_2'$, but not known to be easy in $G_1$ or in $G_2$ [6]. Thus, the existing evidence does not indicate any weakness in Type 3 pairings relative to Type 2 pairings, but rather that Type 3 pairings are at least as secure as Type 2 pairings. 2.4. Representat... |

284 | A one round protocol for tripartite Diffie-Hellman. Algorithmic Number Theory
- Joux
- 2000
Citation Context ...pare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed. 1. Introduction Beginning with the work of Joux [27] in 2000, bilinear pairings have been extensively used to design cryptographic protocols. Bilinear pairings come in two flavours – symmetric and asymmetric. If $n$ is prime, and $G$ and $G_T$ are two groups ... |

251 | Efficient identity-based encryption without random oracles
- Waters
- 2005
Citation Context ...airings, and by using the known reductionist security arguments to guide the protocol specification and parameter selection. We show that the BGLS and LOSSW schemes, as well as the BLS [9] and Waters [41] signature schemes upon which they are based, can all be described using Type 3 pairings (and that the Waters and LOSSW schemes can be described using Type 2 pairings). 1 We explain how some of these ... |

250 | Aggregate and verifiably encrypted signatures from bilinear maps
- Boneh, Gentry, et al.
- 2003
Citation Context ...pe 2 pairings instead of Type 3 pairings. In this paper we compare the security and efficiency of two provably-secure pairing-based signature schemes — those of Boneh, Gentry, Lynn and Shacham (BGLS) [7] and Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW) [29]. The BGLS scheme was originally described using the setting of a Type 2 pairing, and its security proof is in the random oracle model (ROM). ... |

250 | Monte Carlo methods for index computation mod p
- Pollard
- 1978
Citation Context ... $G_T$ is the order-$n$ subgroup of $\mathbb{F}_{p^{12}}^*$. BN curves are especially well suited for the 128-bit security level because if $p$ is a 256-bit prime (whence $n$ is also a 256-bit prime) then Pollard’s rho method [34] for computing discrete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 3... |

164 | Pairing-friendly elliptic curves of prime order
- Barreto, Naehrig
- 2006
Citation Context ...as Type 2 pairings when used to implement the four signature schemes under consideration. Furthermore, we compare Type 2 and Type 3 pairings derived from a certain Barreto-Naehrig (BN) elliptic curve [2] offering 128 bits of security. We show that the elements of the group $G_2$ in Type 2 pairings can always be represented so that operations in $G_2$ have significantly lower cost than suggested by the high... |

139 | Efficient pairing computation on supersingular abelian varieties. Cryptology ePrint Archive: Report 2004/375, 2004. Available from http://eprint.iacr.org/2004/375
- Barreto, Galbraith, et al.
Citation Context ...faster than LOSSW-3a for $\ell \le 12$, and faster than LOSSW-3b for $\ell \le 10$. In particular, if $\ell = 10$ then BGLS-3 verification costs 59,325m. It would appear that the evaluation of a product of eta pairings [1] (for supersingular elliptic curves with embedding degrees $k = 4$ and $k = 6$) cannot be accelerated in the same manner as was done for the product of R-ate pairings in §2.1. Thus, LOSSW signature verifi... |

96 | The eta pairing revisited
- Hess, Smart, et al.
Citation Context ...Let $G_1 = E(\mathbb{F}_p)$, and let $G_T$ denote the unique order-$n$ subgroup of $\mathbb{F}_{p^{12}}^*$. Now, $E$ has a sextic twist over $\mathbb{F}_{p^2}$, namely $\tilde{E}/\mathbb{F}_{p^2} : Y^2 = X^3 + b'$, such that $n \mid \#\tilde{E}(\mathbb{F}_{p^2})$ and $n^2 \nmid \#\tilde{E}(\mathbb{F}_{p^2})$ [24]. Let $\tilde{T} \in \tilde{E}(\mathbb{F}_{p^2})$ be a point of order $n$, and define $\tilde{G}_2 = \langle \tilde{T} \rangle$. Then there is an efficiently-computable monomorphism $\phi : \tilde{E}(\mathbb{F}_{p^2}) \to E(\mathbb{F}_{p^{12}})$. Letting $T = \phi(\tilde{T})$ and $G_2 = \langle T \rangle$, we have $G_2$ ̸... |

79 | Black box fields and their application to cryptography
- Boneh, Lipton
Citation Context ...that DLP$_G$ ≤ DHP$_G$. For example, den Boer [5] proved that DLP$_G$ ≤ DHP$_G$ if the group order $n$ has the property that $n - 1$ is smooth. Furthermore, den Boer’s result was extended by Boneh, Lipton and Maurer [8, 30] to the case where an elliptic curve over $\mathbb{Z}_n$ of smooth order is known. Consequently, concerns that DHP$_G$ might be easier than DLP$_G$ can be alleviated by selecting an order-$n$ group $G$ for which the approp... |

75 | Faster point multiplication on elliptic curves with efficient endomorphisms
- Gallant, Lambert, et al.
- 2001
Citation Context ...elliptic curve point and $A$ is the cost of adding two elliptic curve points (see [23, Algorithm 3.36]). However, faster exponentiation can be achieved using the Gallant-Lambert-Vanstone (GLV) strategy [18]. Let $\beta \in \mathbb{F}_p$ be an element of order 3 in $\mathbb{F}_p$. Then $\lambda : (x, y) \mapsto (\beta x, y)$ is an efficiently-computable endomorphism of $E$ defined over $\mathbb{F}_p$. The GLV strategy computes $kQ$ as $k_1 Q + k_2 \lambda(Q)$ where $k_1$ and $k_2$ are... |

70 | Towards the equivalence of breaking the Diffie-Hellman protocol and computing discrete logarithms - Maurer - 1994 |

68 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
Citation Context ...d [34] for computing discrete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 35, 36]. Schirokauer [37] has shown that there are cases where discrete logarithms in prime fields $\mathbb{F}_p$ and degree-two extensions $\mathbb{F}_{p^2}$ of prime fields can be computed significantly faster than standard versions... |

63 | Pairings for cryptographers
- Galbraith, Paterson, et al.
Citation Context ...mmetric. If $n$ is prime, and $G$ and $G_T$ are two groups of order $n$, then a symmetric pairing on $(G, G_T)$ is a function $e : G \times G \to G_T$ that is bilinear, non-degenerate, and efficiently computable. Following [17], we will refer to these pairings as Type 1 pairings. On the other hand, if $G_1$, $G_2$ and $G_T$ are three groups of order $n$ with $G_1 \neq G_2$, then an asymmetric pairing on $(G_1, G_2, G_T)$ is a function $e : G_1 \times G$... |

45 | Identity-based key agreement protocols from pairings
- Chen, Cheng, et al.
Citation Context ...always be represented so that operations in $G_2$ have significantly lower cost than suggested by the high-level estimates of Galbraith, Paterson and Smart [17] and the analysis of Chen, Cheng and Smart [12]. Despite these improvements, we conclude that Type 2 pairings offer no performance benefits over Type 3 pairings. Finally, we demonstrate that the BGLS scheme outperforms the LOSSW scheme in every re... |

44 | Efficient and generalized pairing computations on abelian varieties
- Lee, Lee, et al.
Citation Context ... the Tate pairing because the number of iterations in the Miller operation is determined by the bitlength of $t - 1 \approx \sqrt{n}$. The R-ate pairing $R_n : G_1 \times G_2 \to G_T$, introduced recently by Lee, Lee and Park [28], further decreases the number of iterations of the Miller operation. It is defined by $R_n(P, Q) = \left( f \cdot (f \cdot \ell_{aQ,Q}(P))^p \cdot \ell_{\pi(aQ+Q),aQ}(P) \right)^{(p^{12}-1)/n}$, where $a = 6z + 2$, $f = f_{a,Q}(P)$, and $\ell_{A,B}$ denot... |

40 | Sequential aggregate signatures and multisignatures without random oracles
- Lu, Ostrovsky, et al.
Citation Context ...e compare the security and efficiency of two provably-secure pairing-based signature schemes — those of Boneh, Gentry, Lynn and Shacham (BGLS) [7] and Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW) [29]. The BGLS scheme was originally described using the setting of a Type 2 pairing, and its security proof is in the random oracle model (ROM). The LOSSW scheme, on the other hand, was described in the ... |

32 | Aggregated path authentication for efficient BGP security
- Zhao, Nicol
- 2005
Citation Context ...one can compute a single signature $\sigma$ which can be used by a verifier to confirm the authenticity of $M_1, M_2, \ldots, M_\ell$. Aggregate signature schemes have found applications in secure routing protocols [42, 43], storing ballots on voting machines [4], and micropayment systems [10]. 5.1. BGLS aggregate signature scheme. BGLS, which is based on the BLS signature scheme, was originally described in the setting... |

31 | Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369
- Naccache
- 2005
Citation Context ... the Katz-Wang trick does not appear to be applicable to the Waters and LOSSW schemes, whose reductionist security proofs are not tight. (2) We did not utilize the Chatterjee-Sarkar/Naccache strategy [11, 32] to reduce the size of the hash function parameters in the Waters-2a, Waters-3a, LOSSW-3a and LOSSW-3b signature schemes. However, the possible reduction in the size of hash function parameters may re... |

30 | Trading Time for Space: Towards an Efficient IBE Scheme with
- Chatterjee, Sarkar
- 2005
Citation Context ... the Katz-Wang trick does not appear to be applicable to the Waters and LOSSW schemes, whose reductionist security proofs are not tight. (2) We did not utilize the Chatterjee-Sarkar/Naccache strategy [11, 32] to reduce the size of the hash function parameters in the Waters-2a, Waters-3a, LOSSW-3a and LOSSW-3b signature schemes. However, the possible reduction in the size of hash function parameters may re... |

27 | Discrete logarithms in GF(p) using the number field sieve
- Gordon
- 1993
Citation Context ...od [34] for computing discrete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 35, 36]. Schirokauer [37] has shown that there are cases where discrete logarithms in prime fields $\mathbb{F}_p$ and degree-two extensions $\mathbb{F}_{p^2}$ of prime fields can be computed significantly faster than standard versions... |

26 | Diffie-Hellman is as strong as discrete log for certain primes
- Boer
- 1990
Citation Context ...hether DLP$_{G_1}$ ≤ co-DHP*, or DLP$_{G_2}$ ≤ co-DHP*, or DLP$_{G_2'}$ ≤ co-DHP. This is unlike the case of the DHP in an order-$n$ group $G$, where there is substantial evidence that DLP$_G$ ≤ DHP$_G$. For example, den Boer [5] proved that DLP$_G$ ≤ DHP$_G$ if the group order $n$ has the property that $n - 1$ is smooth. Furthermore, den Boer’s result was extended by Boneh, Lipton and Maurer [8, 30] to the case where an elliptic curve... |

25 | Efficiency improvements for signature schemes with tight security reductions
- Katz, Wang
Citation Context ... of tightness in the reductionist security proofs. This is not a concern for the BLS and BGLS schemes, as tight reductions can be achieved for slight variants obtained by applying the Katz-Wang trick [26] (see also [3]). However, the Katz-Wang trick does not appear to be applicable to the Waters and LOSSW schemes, whose reductionist security proofs are not tight. (2) We did not utilize the Chatterjee-... |

24 | Software implementation of pairings
- Hankerson, Menezes, et al.
Citation Context ...ble group isomorphism $\phi : \tilde{G}_2 \to G_2$. The group $G_2$ is called the trace-0 subgroup of 1 Type 1 pairings are currently viewed as being significantly slower than their Type 2 and Type 3 counterparts (see [22]) at the 128-bit security level, and therefore we will restrict our attention in this paper to Type 2 and Type 3 pairings. 2 Smart and Vercauteren [40] analyzed the security of the BLS signature schem... |

23 | Implementing cryptographic pairings over Barreto-Naehrig curves
- Devegili, Scott, et al.
- 2007
Citation Context ...of $E[n]$ different from $G_1$ and $G_2$. 3. A particular BN curve For the remainder of this paper, we will work with the BN curve $E/\mathbb{F}_p : Y^2 = X^3 + 3$ with BN parameter z = 6000000000001F2D (in hexadecimal) [14]. For this choice of BN parameter, $p$ is a 256-bit prime of Hamming weight 87, $n = \#E(\mathbb{F}_p)$ is a 256-bit prime of Hamming weight 91, $t - 1 = 6z^2$ is a 128-bit integer of Hamming weight 28, and the R-ate ... |

19 | Discrete logarithms and local units
- Schirokauer
- 1993
Citation Context ...d [34] for computing discrete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 35, 36]. Schirokauer [37] has shown that there are cases where discrete logarithms in prime fields $\mathbb{F}_p$ and degree-two extensions $\mathbb{F}_{p^2}$ of prime fields can be computed significantly faster than standard versions... |

15 | Exponentiation in pairing-friendly groups using homomorphisms, Pairing 2008
- Galbraith, Scott
- 2008
Citation Context ...each represented in width-$w$ NAF, then the expected cost of exponentiation in $G_1$ is approximately $2\left(1D + (2^{w-2} - 1)A\right) + \frac{\ell}{w+1}A + \frac{\ell}{2}D$. Taking $w = 5$ yields a cost of 1,533m. Galbraith and Scott [16] presented a 4-dimensional GLV strategy for exponentiation in $G_2$. If interleaving is used to compute the four exponentiations, and the quarter-length exponents are represented in width-$w$ NAF, then the... |

14 | On computing products of pairings, Cryptology ePrint Archive Report 2006/172, 2006. Available from http://eprint.iacr.org/2006/172
- Granger, Smart
Citation Context ...If the product of $\ell$ R-ate pairings is desired, then the steps of the individual pairing computations can be interleaved, with the product of the partial results being stored in a common accumulator $f$ [38, 21]. In that case, the expensive operation $f \leftarrow f^2$ in step 3.2 of Algorithm 2 and the final exponentiation in step 5 can be shared by all $\ell$ pairing computations. It follows that the cost of computing the ... |

13 | Unrestricted aggregate signatures
- Bellare, Namprempre, et al.
Citation Context ...ows because $e(\sigma, g_2') = e(\prod \sigma_i, g_2') = \prod e(\sigma_i, g_2') = \prod e(h_i, X_i)$. 5 The requirement that the messages $M_i$ be pairwise distinct can be removed by hashing the public key $X_i$ together with $M_i$; see [3]. An aggregate signature scheme is said to be secure [7] if no computationally bounded adversary is successful in the following... |

13 | Using number fields to compute logarithms in finite fields
- Schirokauer
Citation Context ...d [34] for computing discrete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 35, 36]. Schirokauer [37] has shown that there are cases where discrete logarithms in prime fields $\mathbb{F}_p$ and degree-two extensions $\mathbb{F}_{p^2}$ of prime fields can be computed significantly faster than standard versions... |

12 | Cryptographic Methods for Storing Ballots on a Voting Machine
- Bethencourt, Boneh, et al.
- 2007
Citation Context ...n be used by a verifier to confirm the authenticity of $M_1, M_2, \ldots, M_\ell$. Aggregate signature schemes have found applications in secure routing protocols [42, 43], storing ballots on voting machines [4], and micropayment systems [10]. 5.1. BGLS aggregate signature scheme. BGLS, which is based on the BLS signature scheme, was originally described in the setting of a Type 2 pairing [7]. We present BGL... |

12 | Asymmetric squaring formulae
- Chung, Hasan
Citation Context ...ltiplication in a cubic extension to 6 (rather than 9) multiplications in the smaller field. Hence a multiplication in $\mathbb{F}_{p^6}$ costs 18m. Squaring in $\mathbb{F}_{p^6}$ costs $2\tilde{m} + 3\tilde{s} = 12m$ via the following formulae [13]: if $\beta = b_0 + b_1 v + b_2 v^2 \in \mathbb{F}_{p^6}$ where $b_i \in \mathbb{F}_{p^2}$, then $\beta^2 = (A + D\xi) + (B + E\xi)v + (B + C + D - A - E)v^2$ where $A = b_0^2$, $B = 2b_0 b_1$, $C = (b_0 - b_1 + b_2)^2$, $D = 2b_1 b_2$, and $E = b_2^2$. Finally, as shown in [... |

10 | The performance impact of BGP security
- Zhao, Smith, et al.
Citation Context ...one can compute a single signature $\sigma$ which can be used by a verifier to confirm the authenticity of $M_1, M_2, \ldots, M_\ell$. Aggregate signature schemes have found applications in secure routing protocols [42, 43], storing ballots on voting machines [4], and micropayment systems [10]. 5.1. BGLS aggregate signature scheme. BGLS, which is based on the BLS signature scheme, was originally described in the setting... |

7 | On the relationship between squared pairings and plain pairings, Cryptology ePrint Archive Report 2005/112, 2005. Available from http://eprint.iacr.org/2005/112
- Kang, Park
Citation Context ...dinates that are in $\mathbb{F}_{p^{12}}$ and not in any proper subfield. However, the following shows that the task of computing $e_n(P, Q)$ is easily reduced to the task of computing an R-ate pairing value. Lemma 1 ([25]). Let $P \in G_1$ and $Q \in G_2'$. Then $e_n(P, Q) = R_n(P, \hat{Q})$, where $\hat{Q} = Q - \pi^6(Q)$. Proof. First note that $\hat{Q} \neq \infty$ since $Q \notin E(\mathbb{F}_{p^6})$. Moreover, $\mathrm{Tr}(\hat{Q}) = \mathrm{Tr}(Q) - \mathrm{Tr}(\pi^6(Q)) = \infty$, and hence $\hat{Q} \in G_2$. ... |

7 | The equivalence between the DHP and DLP for elliptic curves used in practical applications
- Muzereau, Smart, et al.
Citation Context ...r $\mathbb{Z}_n$ of smooth order is known. Consequently, concerns that DHP$_G$ might be easier than DLP$_G$ can be alleviated by selecting an order-$n$ group $G$ for which the appropriate elliptic curves over $\mathbb{Z}_n$ are known [31]. The techniques of den Boer, Boneh, Lipton and Maurer do not appear to extend to the case of co-DHP and co-DHP*, and consequently there is presently no evidence (in the form of a reduction) that thes... |

5 | Chapter IX of I - Galbraith, “Pairings” - 2005 |

5 | Integer variable χ-based ate pairing
- Nogami, Akane, et al.
- 2008
Citation Context ...ht by a factor of $2^{64}$. (3) The concrete estimates in Tables 3 and 4 are for a specific BN curve. Other well-chosen BN curves, such as the one with BN parameter z = 4080000000000001 (in hexadecimal) [33] may have different performance characteristics. Nonetheless, we expect that our conclusions about the relative performance of the various signature schemes will not drastically change for well-chosen... |

4 | Computing the Tate pairing, Topics
- Scott
- 2005
Citation Context ...If the product of $\ell$ R-ate pairings is desired, then the steps of the individual pairing computations can be interleaved, with the product of the partial results being stored in a common accumulator $f$ [38, 21]. In that case, the expensive operation $f \leftarrow f^2$ in step 3.2 of Algorithm 2 and the final exponentiation in step 5 can be shared by all $\ell$ pairing computations. It follows that the cost of computing the ... |

4 | On computable isomorphisms in efficient asymmetric pairing based systems. Cryptology ePrint Archive: Report 2005/116, Available from: http://eprint.iacr.org/2005/116
- Smart, Vercauteren
Citation Context ...r than their Type 2 and Type 3 counterparts (see [22]) at the 128-bit security level, and therefore we will restrict our attention in this paper to Type 2 and Type 3 pairings. 2 Smart and Vercauteren [40] analyzed the security of the BLS signature scheme in the Type 3 setting. Their security reduction makes a relativized assumption whereby the adversary is given oracle access to $\psi$. Our analysis avoids... |

3 | A P2P market place based on aggregate signatures
- Catalano, Ruffo, et al.
Citation Context ...firm the authenticity of $M_1, M_2, \ldots, M_\ell$. Aggregate signature schemes have found applications in secure routing protocols [42, 43], storing ballots on voting machines [4], and micropayment systems [10]. 5.1. BGLS aggregate signature scheme. BGLS, which is based on the BLS signature scheme, was originally described in the setting of a Type 2 pairing [7]. We present BGLS-2 in §5.1.1, and then describ... |

3 | Implementing cryptographic pairings, Pairing-Based Cryptography – Pairing 2007
- Scott
- 2007
Citation Context ...by $x \in \mathbb{F}_{p^2}$ plus a sign bit of $y \in \mathbb{F}_{p^2}$. The full y-coordinate $y = \pm\sqrt{x^3 + 3/\xi}$ can be recovered at a cost of 2 square roots in $\mathbb{F}_p$ plus $i + m + 2s$ using Scott’s method for computing square roots in $\mathbb{F}_{p^2}$ [39]. The overall cost is 674m. As noted in §2.4, a point $Q = (x, y) \in G_2'$ can be represented by the pair of points $D(Q) = (Q_1, Q_2) \in H_2'$, where $Q_1 = \frac{1}{12}\mathrm{Tr}(Q)$ and $Q_2 = Q - Q_1$. Now, $\pi^i(Q)$ for $1 \le i$... |

2 | A comparison of CEILIDH and XTR, Algorithmic Number Theory
- Granger, Page, et al.
Citation Context ... Point addition and doubling can be done component-wise, at a cost of 41m and 24m, respectively. Lastly, elements in $G_T$ can be compressed from 3072 bits to 1024 bits using the techniques described in [20]. We will ignore the $G_T$ compression and decompression costs in our performance analysis of signature schemes as they are a negligible portion of overall costs. 3.3.2. Exponentiation in $G_1$, $G_2$ and G ′ ... |

1 | The number field sieve for integers of low hamming weight, Cryptology ePrint Archive Report 2006/107, 2006. Available from http://eprint.iacr.org/2006/107
- Schirokauer
Citation Context ...ete logarithms in $G_1$, $G_2$, $G_2'$ or $G_T$ has running time at least $2^{128}$, as does the number field sieve algorithm for computing discrete logarithms in the extension field $\mathbb{F}_{p^{12}}$ [19, 35, 36]. Schirokauer [37] has shown that there are cases where discrete logarithms in prime fields $\mathbb{F}_p$ and degree-two extensions $\mathbb{F}_{p^2}$ of prime fields can be computed significantly faster than standard versions of the number fie... |