117 research outputs found
Faster computation of the Tate pairing
This paper proposes new explicit formulas for the doubling and addition step
in Miller's algorithm to compute the Tate pairing. For Edwards curves the
formulas come from a new way of seeing the arithmetic. We state the first
geometric interpretation of the group law on Edwards curves by presenting the
functions which arise in the addition and doubling. Computing the coefficients
of the functions and the sum or double of the points is faster than with all
previously proposed formulas for pairings on Edwards curves. They are even
competitive with all published formulas for pairing computation on Weierstrass
curves. We also speed up pairing computation on Weierstrass curves in Jacobian
coordinates. Finally, we present several examples of pairing-friendly Edwards
curves.Comment: 15 pages, 2 figures. Final version accepted for publication in
Journal of Number Theor
Toward an RSU-unavailable lightweight certificateless key agreement scheme for VANETs
Vehicle ad-hoc networks have developed rapidly these years, whose security and privacy issues are always concerned widely. In spite of a remarkable research on their security solutions, but in which there still lacks considerations on how to secure vehicle-to-vehicle communications, particularly when infrastructure is unavailable. In this paper, we propose a lightweight certificateless and one-round key agreement scheme without pairing, and further prove the security of the proposed scheme in the random oracle model. The proposed scheme is expected to not only resist known attacks with less computation cost, but also as an efficient way to relieve the workload of vehicle-to-vehicle authentication, especially in no available infrastructure circumstance. A comprehensive evaluation, including security analysis, efficiency analysis and simulation evaluation, is presented to confirm the security and feasibility of the proposed scheme
Adequate Elliptic Curve for Computing the Product of n Pairings
Many pairing-based protocols require the computation of the product
and/or of a quotient of n pairings where n > 1 is a natural integer.
Zhang et al.[1] recently showed that the Kachisa-Schafer and Scott family
of elliptic curves with embedding degree 16 denoted KSS16 at the 192-bit
security level is suitable for such protocols comparatively to the Baretto-
Lynn and Scott family of elliptic curves of embedding degree 12 (BLS12).
In this work, we provide important corrections and improvements to their
work based on the computation of the optimal Ate pairing. We focus on
the computation of the nal exponentiation which represent an important
part of the overall computation of this pairing. Our results improve by
864 multiplications in Fp the computations of Zhang et al.[1]. We prove
that for computing the product or the quotient of 2 pairings, BLS12 curves
are the best solution. In other cases, specially when n > 2 as mentioned in
[1], KSS16 curves are recommended for computing product of n pairings.
Furthermore, we prove that the curve presented by Zhang et al.[1] is not
resistant against small subgroup attacks. We provide an example of KSS16
curve protected against such attacks
Fast Privacy-Preserving Punch Cards
Loyalty programs in the form of punch cards that can be redeemed for benefits
have long been a ubiquitous element of the consumer landscape. However, their
increasingly popular digital equivalents, while providing more convenience and
better bookkeeping, pose a considerable privacy risk. This paper introduces a
privacy-preserving punch card protocol that allows firms to digitize their
loyalty programs without forcing customers to submit to corporate surveillance.
We also present a number of extensions that allow our scheme to provide other
privacy-preserving customer loyalty features.
Compared to the best prior work, we achieve a reduction in the
computation and a reduction in the communication required to perform
a "hole punch," a reduction in the communication required to redeem
a punch card, and a reduction in the computation time required to
redeem a card. Much of our performance improvement can be attributed to
removing the reliance on pairings or range proofs present in prior work, which
has only addressed this problem in the context of more general loyalty systems.
By tailoring our scheme to punch cards and related loyalty systems, we
demonstrate that we can reduce communication and computation costs by orders of
magnitude
Compact E-Cash and Simulatable VRFs Revisited
Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudo randomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial sized output domain (in the security parameter).
On the Computation of the Optimal Ate Pairing at the 192-bit Security Level
Barreto, Lynn and Scott elliptic curves of embedding degree
12 denoted BLS12 have been proven to present fastest results on the
implementation of pairings at the 192-bit security level [1]. The computation
of pairings in general involves the execution of the Miller algorithm
and the final exponentiation. In this paper, we improve the complexity
of these two steps up to 8% by searching an appropriate parameter. We
compute the optimal ate pairing on BLS curves of embedding degree 12
and we also extend the same analysis to BLS curves with embedding degree
24. Furthermore, as many pairing based protocols are implemented
on memory constrained devices such as SIM or smart cards, we describe
an efficient algorithm for the computation of the final exponentiation less
memory intensive with an improvement up to 25% with respect to the
previous work
Ciphertext-Policy Attribute-Based Broadcast Encryption with Small Keys
Broadcasting is a very efficient way to securely transmit information to a large set of geographically scattered receivers, and in practice, it is often the case that these receivers can be grouped in sets sharing common characteristics (or attributes). We describe in this paper an efficient ciphertext-policy attribute-based broadcast encryption scheme (CP-ABBE) supporting negative attributes and able to handle access policies in conjunctive normal form (CNF). Essentially, our scheme is a combination of the Boneh-Gentry-Waters broadcast encryption and of the Lewko-Sahai-Waters revocation schemes; the former is used to express attribute-based access policies while the latter is dedicated to the revocation of individual receivers. Our scheme is the first one that involves a public key and private keys having a size that is independent of the number of receivers registered in the system. Its selective security is proven with respect to the Generalized Diffie-Hellman Exponent (GDHE) problem on bilinear groups
- …