Pairing-based cryptography Research Papers - Academia.edu
In cryptography, pairings were initially used in cryptanalysis to attack some systems based on the discrete logarithm problem. In recent years, however, they have also been used to design powerful new cryptographic systems such as protocols for one-round three-party key agreement and identity-based encryption schemes. The security of pairing-based cryptosystems rests largely on the intractability of the Bilinear Diffie-Hellman problem in certain groups. In this work, after an introduction to elliptic curves, the most widely used pairings are treated, namely the Weil pairing and the Tate pairing. Finally, some pairing-based key exchange protocols are presented.
We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop a unifying framework. We discuss the techniques used to optimize the pairing computation on hyperelliptic curves, and present many directions for further research.
In recent years, more and more applications based on bilinear pairing computation have been constructed. The very first issue is to pick up a pairing-friendly elliptic curve, which is efficient and secure. Many schemes have been published to generate secure curves. However, when it comes to implementation, the performance is a major concern. We estimate the cost of computing the reduced Tate pairing on the elliptic curves of short Weierstrass form with curve parameters, including the field size q, the subgroup order r, and the embedding degree k. From a large amount of curves, we can simply determine the curve on which the pairing computation is much efficient. We also generate some types of curves to perform pairing computation on SageMath and measure the real time cost. The result shows our estimation is accurate.
We provide the first explicit construction of genus 2 curves over finite fields whose Jacobians are ordinary, have large prime-order subgroups, and have small embedding degree. Our algorithm is modeled on the Cocks-Pinch method for constructing pairing-friendly elliptic ...
Distortion maps are a useful tool for pairing based cryptography. Compared with elliptic curves, the case of hyperelliptic curves of genus g > 1 is more complicated since the full torsion subgroup has rank 2g. In this paper we prove that distortion maps always exist for supersingular curves of genus g>1 and we construct distortion maps in genus 2 (for
Although identity-based cryptography offers a number of functional advantages over conventional public key methods, the computational costs are significantly greater. The dominant part of this cost is the Tate pairing, which, in characteristic three, is best computed using the algorithm of Duursma and Lee. However, in hardware and constrained environments, this algorithm is unattractive since it requires online computation of cube roots or enough storage space to precompute required results. We examine the use of normal basis arithmetic in characteristic three in an attempt to get the best of both worlds: an efficient method for computing the Tate pairing that requires no precomputation and that may also be implemented in hardware to accelerate devices such as smart-cards.
Group signatures allow a group member to sign anonymously on behalf of a group. In the dynamic case, a group manager can add and revoke group members. An opening manager can revoke the anonymity of a signature and trace it back to the original group member. We introduce limited-linkable group signatures: two signatures on identical messages by the same group member can be efficiently linked. Furthermore, we show how to distribute the opening manager, so that no trusted third party is required to guarantee anonymity. Our system generates short and efficient signatures, and is provably secure in the random oracle model.
Abstract. We assemble and reorganize the recent work in the area of hyperelliptic pairings: We survey the research on constructing hyperelliptic curves suitable for pairing-based cryptography. We also showcase the hyperelliptic pairings proposed to date, and develop ...
In 2008, Groth and Sahai proposed a general methodology for constructing non-interactive zero-knowledge (and witness-indistinguishable) proofs in bilinear groups. While avoiding expensive NP-reductions, these proof systems are still inefficient due to a number of pairing computations required for verification. We apply recent techniques of batch verification to the Groth-Sahai proof systems and manage to improve significantly the complexity of proof verification. We give explicit batch verification formulas for generic Groth-Sahai equations (whose cost is less than a tenth of the original) and also for specific popular protocols relying on their methodology (namely Groth's group signatures and Belenkiy-Chase-Kohlweiss-Lysyanskaya's P-signatures).
One-round tripartite Diffie-Hellman, identity based encryption, and short digital signatures are some problems for which good solutions have recently been found, making critical use of pairings on supersingular abelian varieties over a finite field k. The cryptographic exponent cA of a ...
Initially, the use of pairings did not involve any secret entry. However, in an Identity Based Cryptographic protocol, one of the two entries of the pairing is secret, so a fault attack can be applied to Pairing Based Cryptography to find it. In [18], the author shows that Pairing Based Cryptography in Weierstrass coordinates is vulnerable to a fault attack. The addition law in Edwards coordinates is such that the exponentiation in Edwards coordinates is naturally protected against Side Channel attacks. We study here if this property protects Pairing Based Cryptography in Edwards coordinates against fault attacks.