ON CRYPTOGRAPHIC PROTOCOLS EMPLOYING ASYMMETRIC PAIRINGS – THE ROLE OF Ψ REVISITED
Cited by 27 (3 self)
Abstract. Asymmetric pairings e: G1 × G2 → GT for which an efficiently-computable isomorphism ψ: G2 → G1 is known are called Type 2 pairings; if such an isomorphism ψ is not known then e is called a Type 3 pairing. Many cryptographic protocols in the asymmetric setting rely on the existence of ψ for their security reduction while some use it in the protocol itself. For these reasons, it is believed that some of these protocols cannot be implemented with Type 3 pairings, while for some the security reductions either cannot be transformed to the Type 3 setting or else require a stronger complexity assumption. Contrary to these widely held beliefs, we argue that Type 2 pairings are merely inefficient implementations of Type 3 pairings, and appear to offer no benefit for protocols based on asymmetric pairings from the point of view of functionality, security, and performance.
On the Practicality of Short Signature Batch Verification
Cited by 20 (1 self)
Abstract. As pervasive communication becomes a reality, where everything from vehicles to heart monitors constantly communicate with their environments, system designers are facing a cryptographic puzzle on how to authenticate messages. These scenarios require that: (1) cryptographic overhead remain short, and yet (2) many messages from many different signers be verified very quickly. Pairing-based signatures have property (1) but not (2), whereas schemes like RSA have property (2) but not (1). As a solution to this dilemma, in Eurocrypt 2007, Camenisch, Hohenberger and Pedersen showed how to batch verify two pairing-based signatures so that the total number of pairing operations was independent of the number of signatures to verify. CHP left open the task of batching privacy-friendly authentication, which is desirable in many pervasive communication scenarios. In this work, we revisit this issue from a more practical standpoint and present the following results: 1. We describe a framework, consisting of general techniques, to help scheme and system designers understand how to securely and efficiently batch the verification of pairing equations. 2. We present a detailed study of when and how our framework can be applied to existing regular, identity-based, group, ring, and aggregate signature schemes. To our knowledge, these batch verifiers for group and ring signatures are the first proposals for batching privacy-friendly authentication, answering an open problem of Camenisch et al. 3. While prior work gave mostly asymptotic efficiency comparisons, we show that our framework is practical by implementing our techniques and giving detailed performance measurements. Additionally, we discuss how to deal with invalid signatures in a batch and our empirical results show that when ≤ 10% of signatures are invalid, batching remains more efficient than individual verification. Indeed, our results show that batch verification for short signatures is an effective, efficient approach.
Blind identity-based encryption and simulatable oblivious transfer
In: Advances in Cryptology – ASIACRYPT 2007, LNCS, 2007
Cited by 15 (0 self)
In an identity-based encryption (IBE) scheme, there is a key extraction protocol where a user submits an identity string to a master authority who then returns the corresponding secret key for that identity. In this work, we describe how this protocol can be performed efficiently and in a blind fashion for several known IBE schemes; that is, a user can obtain a secret key for an identity without the master authority learning anything about this identity. We formalize this notion as blind IBE and discuss its many practical applications. In particular, we build upon the recent work of Camenisch, Neven, and shelat [CNS07] to construct oblivious transfer (OT) schemes which achieve full simulatability for both sender and receiver. OT constructions with comparable efficiency prior to Camenisch et al. were proven secure in the weaker half-simulation model. Our OT schemes are constructed from the blind IBE schemes we propose, which require only static complexity assumptions (e.g., DBDH) whereas prior comparable schemes require dynamic assumptions (e.g., q-PDDH).
Okamoto-Tanaka revisited: fully authenticated Diffie-Hellman with minimal overhead
Cited by 14 (0 self)
Abstract. The Diffie-Hellman protocol (DHP) is one of the most studied protocols in cryptography. Much work has been dedicated to armor the original protocol against active attacks while incurring a minimal performance overhead relative to the basic (unauthenticated) DHP. This line of work has resulted in some remarkable protocols, e.g., MQV, where the protocol’s communication cost is identical to that of the basic DHP and the computation overhead is small. Unfortunately, MQV and similar 2-message “implicitly authenticated” protocols do not achieve full security against active attacks since they cannot provide forward secrecy (PFS), a major security goal of DHP, against active attackers. In this paper we investigate the question of whether one can push the limits of authenticated DHPs even further, namely, to achieve communication complexity as in the original DHP (two messages with a single group element per message), maintain low computational overhead, and yet achieve full PFS against active attackers in a provable way. We answer this question in the affirmative by resorting to an old and elegant key agreement protocol: the Okamoto-Tanaka protocol [32]. We present a variant of the protocol (denoted mOT) which achieves the above minimal communication, incurs a computational overhead relative to the basic DHP that is practically negligible, and yet achieves full provable key agreement security, including PFS, against active attackers. Moreover, due to the identity-based properties of mOT, even the sending of certificates (typical for authenticated DHPs) can be avoided in the protocol. As additional contributions, we apply our analysis to prove the security of a recent multi-domain extension of the Okamoto-Tanaka protocol by Schridde et al. and show how to adapt mOT to the (non id-based) certificate-based setting.
Comparing two pairing-based aggregate signature schemes
2009
Cited by 13 (4 self)
In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed.
On the Design and Implementation of an Efficient DAA Scheme
Cited by 9 (2 self)
Direct Anonymous Attestation (DAA) is an anonymous digital signature scheme that aims to provide both signer authentication and privacy. One of the properties that makes DAA an attractive choice in practice is the split signer role. In short, a principal signer (a Trusted Platform Module (TPM)) signs messages in collaboration with an assistant signer (the Host, a standard computing platform into which the TPM is embedded). This split aims to harness the high level of security offered by the TPM, and augment it using the high level of computational and storage ability offered by the Host. Our contribution in this paper is a modification to an existing pairing-based DAA scheme that significantly improves efficiency, and a comparison with the original RSA-based DAA scheme via a concrete implementation.
Certificateless Authenticated Two-Party Key Agreement Protocols
Cited by 8 (0 self)
Certificateless public key cryptography (CL-PKC) was proposed to overcome the weaknesses of the public key infrastructure (PKI) and identity-based cryptography (ID-PKC). In PKI, certificates are used to provide the authenticity of public keys. However, a PKI faces many challenges in practice, such as the scalability of the infrastructure and certificate management (distribution, revocation, storage, and validation costs). ID-PKC does not use certificates, but employs a key generation center (KGC) that will know every user’s private key. Hence, the KGC will also be able to trace each user transaction and may cause loss of privacy if it’s not trusted. In CL-PKC, on the other hand, the KGC does not have this information. Thus, CL-PKC is often considered a cross between PKI and ID-PKC. In their seminal paper on CL-PKC, Al-Riyami and Paterson (AP) proposed a certificateless authenticated key agreement protocol. Key agreement protocols are one of the fundamental primitives of cryptography, and allow two or more parties to establish secret keys securely in the presence of an eavesdropping adversary. AP’s protocol, the only
Strongly Secure Certificateless Key Agreement
2009
Cited by 8 (0 self)
We introduce a formal model for certificateless authenticated key exchange (CL-AKE) protocols. Contrary to what might be expected, we show that the natural combination of an ID-based AKE protocol with a public key based AKE protocol cannot provide strong security. We provide the first one-round CL-AKE scheme proven secure in the random oracle model. We introduce two variants of the Diffie-Hellman trapdoor introduced by [CKS08]. The proposed key agreement scheme is secure as long as each party has at least one uncompromised secret. Thus, our scheme is secure even if the key generation centre learns the ephemeral secrets of both parties.
A DAA scheme requiring less TPM resources
Information Security and Cryptology – INSCRYPT 2009
Cited by 8 (4 self)
Abstract. Direct anonymous attestation (DAA) is a special digital signature primitive, which provides a balance between signer authentication and privacy. One of the most interesting properties that makes this primitive attractive in practice is its construction of signers. The signer role of DAA is split between two entities, a principal signer (a trusted platform module (TPM)) with limited computational capability and an assistant signer (a computer platform into which the TPM is embedded) with more computational power but less security tolerance. Our first contribution in this paper is a new DAA scheme that requires very few TPM resources. In fact the TPM has only to perform two exponentiations for the DAA Join algorithm and three exponentiations for the DAA Signing algorithm. We show that this new scheme has better performance than the existing DAA schemes and is provably secure based on the q-SDH problem and DDH problem under the random oracle model. Our second contribution is a modification of the DAA security model defined in [13] to cover the property of non-frameability.
Making the Diffie-Hellman Protocol Identity-Based
2010
Cited by 7 (1 self)
This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [33]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known. The novelty of our protocol is that it can be implemented over any cyclic group of prime order, where the Diffie-Hellman problem is supposed to be hard. It does not require the computation of expensive bilinear maps, or additional assumptions such as factoring or RSA. The protocol is extremely efficient, requiring only twice the amount of bandwidth and computation of the unauthenticated basic Diffie-Hellman protocol. The design of our protocol was inspired by MQV (the most efficient authenticated Diffie-Hellman based protocol in the public-key model) and indeed its performance is competitive with respect to MQV (especially when one includes the transmission and verification of certificates in the MQV protocol, which are not required in an id-based scheme). Our protocol requires a single round of communication in which each party sends only 2 group elements: a very short message, especially when the protocol is implemented over elliptic curves. We provide a full proof of security in the Canetti-Krawczyk security model for key exchange, including a proof that our protocol satisfies additional security properties such as forward secrecy, and resistance to reflection and key-compromise impersonation attacks.