Book Chapter

Short Signatures from the Weil Pairing

09 Dec 2001-pp 514-532
TL;DR: A short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves is introduced, designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.
Abstract: We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.


Citations
Book Chapter
19 Aug 2001
TL;DR: This work proposes a fully functional identity-based encryption scheme (IBE) based on the Weil pairing that has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem.
Abstract: We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on the Weil pairing. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.

7,083 citations

Journal Article
TL;DR: This work proposes a fully functional identity-based encryption (IBE) scheme based on bilinear maps between groups and gives precise definitions for secure IBE schemes and gives several applications for such systems.
Abstract: We propose a fully functional identity-based encryption (IBE) scheme. The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure IBE schemes and give several applications for such systems.

5,110 citations


Cites methods from "Short Signatures from the Weil Pair..."

  • ...We note that the signature scheme derived from our IBE system has some interesting properties [6]....

    [...]

Book
01 Jan 2004
TL;DR: This guide explains the basic mathematics, describes state-of-the-art implementation methods, and presents standardized protocols for public-key encryption, digital signatures, and key establishment, as well as side-channel attacks and countermeasures.
Abstract: After two decades of research and development, elliptic curve cryptography now has widespread exposure and acceptance. Industry, banking, and government standards are in place to facilitate extensive deployment of this efficient public-key mechanism. Anchored by a comprehensive treatment of the practical aspects of elliptic curve cryptography (ECC), this guide explains the basic mathematics, describes state-of-the-art implementation methods, and presents standardized protocols for public-key encryption, digital signatures, and key establishment. In addition, the book addresses some issues that arise in software and hardware implementation, as well as side-channel attacks and countermeasures. Readers receive the theoretical fundamentals as an underpinning for a wealth of practical and accessible knowledge about efficient application. Features & Benefits: * Breadth of coverage and unified, integrated approach to elliptic curve cryptosystems * Describes important industry and government protocols, such as the FIPS 186-2 standard from the U.S. National Institute for Standards and Technology * Provides full exposition on techniques for efficiently implementing finite-field and elliptic curve arithmetic * Distills complex mathematics and algorithms for easy understanding * Includes useful literature references, a list of algorithms, and appendices on sample parameters, ECC standards, and software tools. This comprehensive, highly focused reference is a useful and indispensable resource for practitioners, professionals, or researchers in computer science, computer engineering, network design, and network data security.

2,893 citations


Cites methods from "Short Signatures from the Weil Pair..."

  • ...Constructive applications of supersingular curves (and bilinear maps in general) include the three-party one-round Diffie-Hellman protocol of Joux [227], the identity-based public-key encryption scheme of Boneh and Franklin [58, 59], the hierarchical identity-based encryption and signature schemes of Horwitz and Lynn [199] and Gentry and Silverberg [170], the short signature scheme of Boneh, Lynn and Shacham [62], the aggregate signature scheme of Boneh, Gentry, Lynn and Shacham [60], the self-blindable certificate scheme of Verheul [472], and the efficient provably secure signature scheme of Boneh, Mironov and Shoup [63]....

    [...]

Book Chapter
Brent Waters
22 May 2005
TL;DR: This work first presents their IBE construction and reduces the security of the scheme to the decisional Bilinear Diffie-Hellman (BDH) problem, and shows that their techniques can be used to build a new signature scheme that is secure under the computational Diffie-Hellman assumption without random oracles.
Abstract: We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first present our IBE construction and reduce the security of our scheme to the decisional Bilinear Diffie-Hellman (BDH) problem. Additionally, we show that our techniques can be used to build a new signature scheme that is secure under the computational Diffie-Hellman assumption without random oracles.

2,188 citations


Cites methods from "Short Signatures from the Weil Pair..."

  • ...For example, the signatures in the scheme of Boneh, Lynn, Shacham [7] correspond to private keys of the Boneh-Franklin IBE system....

    [...]

Book Chapter
04 May 2003
TL;DR: In this article, Boneh, Lynn, and Shacham introduced the concept of an aggregate signature, presented security models for such signatures, and gave several applications for aggregate signatures.
Abstract: An aggregate signature scheme is a digital signature that supports aggregation: Given n signatures on n distinct messages from n distinct users, it is possible to aggregate all these signatures into a single short signature. This single signature (and the n original messages) will convince the verifier that the n users did indeed sign the n original messages (i.e., user i signed message Mi for i = 1, . . . , n). In this paper we introduce the concept of an aggregate signature, present security models for such signatures, and give several applications for aggregate signatures. We construct an efficient aggregate signature from a recent short signature scheme based on bilinear maps due to Boneh, Lynn, and Shacham. Aggregate signatures are useful for reducing the size of certificate chains (by aggregating all signatures in the chain) and for reducing message size in secure routing protocols such as SBGP. We also show that aggregate signatures give rise to verifiably encrypted signatures. Such signatures enable the verifier to test that a given ciphertext C is the encryption of a signature on a given message M. Verifiably encrypted signatures are used in contract-signing protocols. Finally, we show that similar ideas can be used to extend the short signature scheme to give simple ring signatures.

1,859 citations

References
Book
01 Jan 1996
TL;DR: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols.
Abstract: From the Publisher: A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

13,597 citations


"Short Signatures from the Weil Pair..." refers methods in this paper

  • ...Using standard secret sharing techniques [41], our signature scheme gives a robust t-out-of-n threshold signature [10]....

    [...]

  • ...Generic: Generic discrete log algorithms such as Baby-Step-Giant-Step and Pollard’s Rho method [41] have a running time proportional to √p log p....

    [...]

Proceedings Article
Mihir Bellare, Phillip Rogaway
01 Dec 1993
TL;DR: It is argued that the random oracles model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice, and yields protocols much more efficient than standard ones while retaining many of the advantages of provable security.
Abstract: We argue that the random oracle model—where all parties have access to a public random oracle—provides a bridge between cryptographic theory and cryptographic practice. In the paradigm we suggest, a practical protocol P is produced by first devising and proving correct a protocol PR for the random oracle model, and then replacing oracle accesses by the computation of an “appropriately chosen” function h. This paradigm yields protocols much more efficient than standard ones while retaining many of the advantages of provable security. We illustrate these gains for problems including encryption, signatures, and zero-knowledge proofs.

5,313 citations


Additional excerpts

  • ...The security analysis views H as a random oracle [7, 8]....

    [...]

Journal Article
TL;DR: This work proposes a fully functional identity-based encryption (IBE) scheme based on bilinear maps between groups and gives precise definitions for secure IBE schemes and gives several applications for such systems.
Abstract: We propose a fully functional identity-based encryption (IBE) scheme. The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure IBE schemes and give several applications for such systems.

5,110 citations


"Short Signatures from the Weil Pair..." refers background or methods in this paper

  • ...See [40, 11] for a definition of the Weil pairing and a description of the algorithm for computing it....

    [...]

  • ...The first example of such groups was given in [34] and was used in [33, 11]....

    [...]

Book
01 Jan 1986
TL;DR: It is shown here how Elliptic Curves over Finite Fields, Local Fields, and Global Fields affect the geometry of the elliptic curves.
Abstract: Algebraic Varieties.- Algebraic Curves.- The Geometry of Elliptic Curves.- The Formal Group of Elliptic Curves.- Elliptic Curves over Finite Fields.- Elliptic Curves over C.- Elliptic Curves over Local Fields.- Elliptic Curves over Global Fields.- Integral Points on Elliptic Curves.- Computing the Mordell Weil Group.- Appendix A: Elliptic Curves in Characteristics.- Appendix B: Group Cohomology (H0 and H1).

4,680 citations

Journal Article
TL;DR: A digital signature scheme based on the computational difficulty of integer factorization possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice cannot later forge the signature of even a single additional message.
Abstract: We present a digital signature scheme based on the computational difficulty of integer factorization. The scheme possesses the novel property of being robust against an adaptive chosen-message attack: an adversary who receives signatures for messages of his choice (where each message may be chosen in a way that depends on the signatures of previously chosen messages) cannot later forge the signature of even a single additional message. This may be somewhat surprising, since in the folklore the properties of having forgery being equivalent to factoring and being invulnerable to an adaptive chosen-message attack were considered to be contradictory. More generally, we show how to construct a signature scheme with such properties based on the existence of a "claw-free" pair of permutations--a potentially weaker assumption than the intractability of integer factorization. The new scheme is potentially practical: signing and verifying signatures are reasonably fast, and signatures are compact.

3,150 citations


"Short Signatures from the Weil Pair..." refers background in this paper

  • ...Existential unforgeability under a chosen message attack [31] for a signature scheme (KeyGen, Sign, and Verify) is defined using the following game between a challenger and an adversary A:...

    [...]