Efficient Selective Identity-based Encryption
In Proc. of CRYPTO '88, LNCS 403, 1990
Cited by 22 (4 self)
Abstract
We construct two efficient Identity-Based Encryption (IBE) systems that admit selective-identity security reductions without random oracles in groups equipped with a bilinear map. Selective-identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in an adaptive-identity attack the adversary is allowed to choose this identity adaptively. Our first system—BB1—is based on the well studied decisional bilinear Diffie-Hellman assumption, and extends naturally to systems with hierarchical identities, or HIBE. Our second system—BB2—is based on a stronger assumption which we call the Bilinear Diffie-Hellman Inversion assumption and provides another approach to building IBE systems. Our first system, BB1, is very versatile and well suited for practical applications: the basic hierarchical construction can be efficiently secured against chosen-ciphertext attacks, and further extended to support efficient non-interactive threshold decryption, among others, all without using random oracles. Both systems, BB1 and BB2, can be modified generically to provide “full” IBE security (i.e., against adaptive-identity attacks), either using random oracles, or in the standard model at the expense of a non-polynomial but easy-to-compensate security reduction.
Compact E-Cash and Simulatable VRFs Revisited
Cited by 13 (3 self)
Abstract
Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudorandomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number-theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial-sized output domain (in the security parameter).
Abelian varieties with prescribed embedding degree
Cited by 13 (5 self)
Abstract
We present an algorithm that, on input of a CM-field K, an integer k ≥ 1, and a prime r ≡ 1 mod k, constructs a q-Weil number π ∈ O_K corresponding to an ordinary, simple abelian variety A over the field F of q elements that has an F-rational point of order r and embedding degree k with respect to r. We then discuss how CM methods over K can be used to explicitly construct A.
Constructing pairing-friendly genus 2 curves over prime fields with ordinary Jacobians
In: Proceedings of Pairing 2007, LNCS 4575, 2007
Cited by 11 (2 self)
Abstract
We provide the first explicit construction of genus 2 curves over finite fields whose Jacobians are ordinary, have large prime-order subgroups, and have small embedding degree. Our algorithm is modeled on the Cocks-Pinch method for constructing pairing-friendly elliptic curves [5], and works for arbitrary embedding degrees k and prime subgroup orders r. The resulting abelian surfaces are defined over prime fields F_q with q ≈ r^4. We also provide an algorithm for constructing genus 2 curves over prime fields F_q with ordinary Jacobians J having the property that J[r] ⊂ J(F_q) or J[r] ⊂ J(F_{q^k}) for any even k.
Synchronized Aggregate Signatures: New Definitions, Constructions and Applications
Proceedings of the Annual Conference on Computer and Communications Security (CCS), 2010
Cited by 11 (1 self)
Abstract
An aggregate signature scheme is a digital signature scheme where anyone given n signatures on n messages from n users can aggregate all these signatures into a single short signature. Unfortunately, no “fully non-interactive” aggregate signature schemes are known outside of the random oracle heuristic; that is, signers must pass messages between themselves, sequentially or otherwise, to generate the signature. Interaction is too costly for some interesting applications. In this work, we consider the task of realizing aggregate signatures in the model of Gentry and Ramzan (PKC 2006) when all signers share a synchronized clock, but do not need to be aware of or interactive with one another. Each signer may issue at most one signature per time period and signatures aggregate only if they were created during the same time period. We call this synchronized aggregation. We present a practical synchronized aggregate signature scheme secure under the Computational Diffie-Hellman assumption in the standard model. Our construction is based on the stateful signatures of Hohenberger and Waters (Eurocrypt 2009). Those signatures do not aggregate since each signature includes unique randomness for a chameleon hash and those random values do not compress. To overcome this challenge, we remove the chameleon hash from their scheme and find an alternative method for moving from weak to full security that enables aggregation. We conclude by discussing applications of this construction to sensor networks and software authentication.
Constant size ciphertexts in threshold attribute-based encryption
In Proc. Public Key Cryptography '10, ser. LNCS
Cited by 11 (1 self)
Abstract
Attribute-based cryptography has emerged in recent years as a promising primitive for digital security. For instance, it provides good solutions to the problem of anonymous access control. In a ciphertext-policy attribute-based encryption scheme, the secret keys of the users depend on their attributes. When encrypting a message, the sender chooses which subset of attributes must be held by a receiver in order to be able to decrypt. All current attribute-based encryption schemes that admit reasonably expressive decryption policies produce ciphertexts whose size depends at least linearly on the number of attributes involved in the policy. In this paper we propose the first scheme whose ciphertexts have constant size. Our scheme works for the threshold case: users authorized to decrypt are those who hold at least t attributes among a certain universe of attributes, for some threshold t chosen by the sender. An extension to the case of weighted threshold decryption policies is possible. The security of the scheme against selective chosen plaintext attacks can be proven in the standard model by reduction to the augmented multi-sequence of exponents decisional Diffie-Hellman (aMSE-DDH) problem.
Finding composite order ordinary elliptic curves using the Cocks-Pinch method
2009
Cited by 11 (0 self)
Abstract
We apply the Cocks-Pinch method to obtain pairing-friendly composite order groups with prescribed embedding degree associated to ordinary elliptic curves, and we show that new security issues arise in the composite order setting.
Pairing-friendly Hyperelliptic Curves of type y^2 = x^5 + ax
In 2008 Symposium on Cryptography and Information Security (SCIS 2008), 2008
Cited by 10 (0 self)
Abstract
An explicit construction of pairing-friendly hyperelliptic curves with ordinary Jacobians was first given by D. Freeman. In this paper, we give other explicit constructions of pairing-friendly hyperelliptic curves. Our methods are based on the closed formulae for the order of the Jacobian of a hyperelliptic curve of type y^2 = x^5 + ax over a finite prime field F_p which are given by E. Furukawa, M. Haneda, M. Kawazoe and T. Takahashi. We present two methods in this paper. One is an analogue of the Cocks-Pinch method and the other is a cyclotomic method. Our methods construct a pairing-friendly hyperelliptic curve y^2 = x^5 + ax over F_p whose Jacobian has a prescribed embedding degree with respect to some prime number ℓ. Curves constructed by the analogue of the Cocks-Pinch method satisfy p ≈ ℓ^2, whereas p ≈ ℓ^4 in Freeman’s construction. Moreover, for the case of embedding degree 24, we can construct a cyclotomic family with p ≈ ℓ^{3/2}.
A Family of Implementation-Friendly BN Elliptic Curves
Cited by 10 (2 self)
Abstract
For the last decade, elliptic curve cryptography has gained increasing interest in industry and in the academic community. This is especially due to the high level of security it provides with relatively small keys and to its ability to create very efficient and multifunctional cryptographic schemes by means of bilinear pairings. Pairings require pairing-friendly elliptic curves and among the possible choices, Barreto-Naehrig (BN) curves arguably constitute one of the most versatile families. In this paper, we further expand the potential of the BN curve family. We describe BN curves that are not only computationally very simple to generate, but also specially suitable for efficient implementation in a very broad range of scenarios. We also present implementation results of the optimal ate pairing using such a curve defined over a 254-bit prime field.