
Showing papers by "Nigel P. Smart" published in 2006


Journal Article
TL;DR: In this paper, the authors simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto, to ordinary curves and obtain a speedup of a factor of around six over the usual Tate pairing, in the case of curves that have large security parameters.
Abstract: In this paper, we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto, to ordinary curves. Furthermore, we show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speed-up of a factor of around six over the usual Tate pairing, in the case of curves that have large security parameters, complex multiplication by an order of $\mathbb{Q}(\sqrt{-3})$, and when the trace of Frobenius is chosen to be suitably small. Other, more minor savings are obtained for more general curves.

464 citations


Posted Content
TL;DR: This paper presents a method incorporating a built-in decisional function into the protocols, and discusses the resulting efficiency of the schemes and the relevant security reductions, in the random oracle model, in the context of different pairings one can use.
Abstract: In recent years, a large number of identity-based key agreement protocols from pairings have been proposed. Some of them are elegant and practical. However, the security of this type of protocols has been surprisingly hard to prove. The main issue is that a simulator is not able to deal with reveal queries, because it requires solving either a computational problem or a decisional problem, both of which are generally believed to be hard (i.e., computationally infeasible). The best solution of security proof published so far uses the gap assumption, which means assuming that the existence of a decisional oracle does not change the hardness of the corresponding computational problem. The disadvantage of using this solution to prove the security for this type of protocols is that such decisional oracles, on which the security proof relies, cannot be performed by any polynomial time algorithm in the real world, because of the hardness of the decisional problem. In this paper we present a method incorporating a built-in decisional function in this type of protocols. The function transfers a hard decisional problem in the proof to an easy decisional problem. We then discuss the resulting efficiency of the schemes and the relevant security reductions in the context of different pairings one can use. We pay particular attention, unlike most other papers in the area, to the issues which arise when using asymmetric pairings.

360 citations


Book Chapter
20 Aug 2006
TL;DR: It is deduced that computing discrete logarithms has heuristic complexity $L_{p^n}(1/3)$ in all finite fields.
Abstract: In this paper, we study several variations of the number field sieve to compute discrete logarithms in finite fields of the form ${\mathbb F}_{p^n}$, with p a medium to large prime. We show that when n is not too large, this yields a $L_{p^n}(1/3)$ algorithm with efficiency similar to that of the regular number field sieve over prime fields. This approach complements the recent results of Joux and Lercier on the function field sieve. Combining both results, we deduce that computing discrete logarithms has heuristic complexity $L_{p^n}(1/3)$ in all finite fields. To illustrate the efficiency of our algorithm, we computed discrete logarithms in a 120-digit finite field ${\mathbb F}_{p^3}$.

132 citations


Book Chapter
10 Jul 2006
TL;DR: In this article, the concept of identity based encryption with wildcards (WIBE) was introduced, which allows the encryption of messages to multiple parties with common fields in their identity strings.
Abstract: In this paper we introduce the notion of identity based encryption with wildcards, or WIBE for short. This allows the encryption of messages to multiple parties with common fields in their identity strings, for example email groups in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion in the standard model and in the random oracle model.

109 citations


Journal Article
TL;DR: The notion of identity based encryption with wildcards, or WIBE for short, is introduced and efficient implementations meeting this notion in the standard model and in the random oracle model are given.
Abstract: In this paper we introduce the notion of identity based encryption with wildcards, or WIBE for short. This allows the encryption of messages to multiple parties with common fields in their identity strings, for example email groups in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion in the standard model and in the random oracle model.

95 citations


Journal Article
TL;DR: This paper compares both the security and performance issues related to the choice of MNT curves against supersingular curves in characteristic three, for pairing based systems using the BLS signature scheme and the Boneh–Franklin encryption scheme.
Abstract: We compare both the security and performance issues related to the choice of MNT curves against supersingular curves in characteristic three, for pairing based systems. We pay particular attention to equating the relevant security levels and comparing not only computational performance and bandwidth performance. The paper focuses on the BLS signature scheme and the Boneh–Franklin encryption scheme, but a similar analysis can be applied to many other pairing based schemes.

93 citations


Book Chapter
23 Jul 2006
TL;DR: In this article, the Tate pairing is shown to be more efficient than the Weil pairing over ordinary elliptic curves for all practical security levels considered, using efficient exponentiation techniques in the cyclotomic subgroup.
Abstract: The security and performance of pairing based cryptography has provoked a large volume of research, in part because of the exciting new cryptographic schemes that it underpins. We re-examine how one should implement pairings over ordinary elliptic curves for various practical levels of security. We conclude, contrary to prior work, that the Tate pairing is more efficient than the Weil pairing for all such security levels. This is achieved by using efficient exponentiation techniques in the cyclotomic subgroup backed by efficient squaring routines within the same subgroup.

89 citations



Posted Content
TL;DR: In this paper, the authors outline the basic choices that are available when using pairings in cryptography and summarize the main properties and efficiency issues for each choice, in as simple a fashion as possible.
Abstract: Many research papers in pairing-based cryptography treat pairings as a ''black box''. These papers build cryptographic schemes making use of various properties of pairings. If this approach is taken, then it is easy for authors to make invalid assumptions concerning the properties of pairings. The cryptographic schemes developed may not be realizable in practice, or may not be as efficient as the authors assume. The aim of this paper is to outline, in as simple a fashion as possible, the basic choices that are available when using pairings in cryptography. For each choice, the main properties and efficiency issues are summarized. The paper is intended to be of use to non-specialists who are interested in using pairings to design cryptographic schemes.

69 citations


Journal Article
03 Apr 2006
TL;DR: In this article, an identity-based key encapsulation mechanism (ID-KEM) was proposed to build a secure identity based encryption scheme using the techniques of Bentahar et al. The resulting encryption scheme has a number of performance advantages over existing methods.
Abstract: This work presented an identity-based key encapsulation mechanism (ID-KEM). It is possible to use this ID-KEM to build a secure identity based encryption scheme using the techniques of Bentahar et al. The resulting encryption scheme has a number of performance advantages over existing methods. The proposed algorithm has been used in the industry (for example by Identum Ltd.) and is included in the IEEE P1363.3 standard draft.

56 citations


Journal Article
TL;DR: In this paper, the authors present an encryption scheme that, unlike standard identity-based encryption (IBE), is escrow free in that no credential-issuing authority (or colluding set of credential-issuing authorities) is able to decrypt ciphertexts itself, provided the users' public keys are properly certified.
Abstract: Since Boneh and Franklin published their seminal paper on identity based encryption (IBE) using the Weil pairing, there has been a great deal of interest in cryptographic primitives based on elliptic-curve pairings. One particularly interesting application has been to control access to data, via possibly complex policies. In this paper we continue the research in this vein. We present an encryption scheme such that the receiver of an encrypted message can only decrypt if it satisfies a particular policy chosen by the sender at the time of encryption. Unlike standard IBE, our encryption scheme is escrow free in that no credential-issuing authority (or colluding set of credential-issuing authorities) is able to decrypt ciphertexts itself, providing the users' public keys are properly certified. In addition we describe a security model for the scenario in question and provide proofs of security for our scheme (in the random oracle model).


Posted Content
TL;DR: In this article, the authors simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto et al., to ordinary curves, and show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speedup of a factor of around six over the usual Tate pairing, in the case of curves which have large security parameters, complex multiplication by an order of $\mathbb{Q}(\sqrt{-3})$, and when the trace of Frobenius is chosen to be suitably small.
Abstract: In this paper we simplify and extend the Eta pairing, originally discovered in the setting of supersingular curves by Barreto et al., to ordinary curves. Furthermore, we show that by swapping the arguments of the Eta pairing, one obtains a very efficient algorithm resulting in a speed-up of a factor of around six over the usual Tate pairing, in the case of curves which have large security parameters, complex multiplication by an order of $\mathbb{Q}(\sqrt{-3})$, and when the trace of Frobenius is chosen to be suitably small. Other, more minor savings are obtained for more general curves.


Posted Content
TL;DR: In this article, the Tate pairing is shown to be more efficient than the Weil pairing over ordinary elliptic curves for all practical security levels considered, using efficient exponentiation techniques in the cyclotomic subgroup.
Abstract: The security and performance of pairing based cryptography has provoked a large volume of research, in part because of the exciting new cryptographic schemes that it underpins. We re-examine how one should implement pairings over ordinary elliptic curves for various practical levels of security. We conclude, contrary to prior work, that the Tate pairing is more efficient than the Weil pairing for all such security levels. This is achieved by using efficient exponentiation techniques in the cyclotomic subgroup backed by efficient squaring routines within the same subgroup.

Posted Content
TL;DR: In this paper, identity-based encryption with wildcards (WIBE) is proposed to encrypt messages to a whole range of users simultaneously whose identities match a certain pattern, where any string can take the place of a wildcard in a matching identity.
Abstract: In this paper we introduce a new primitive called identity-based encryption with wildcards, or WIBE for short. It allows to encrypt messages to a whole range of users simultaneously whose identities match a certain pattern. This pattern is defined through a sequence of fixed strings and wildcards, where any string can take the place of a wildcard in a matching identity. Our primitive can be applied to provide an intuitive way to send encrypted email to groups of users in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion under different pairing-related assumptions, both in the random oracle model and in the standard model.