Pairing-based identification schemes

We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme

Still Wrong Use of Pairings in Cryptography

Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings.Comment: 25 page

Fast generators for the Diffie-Hellman key agreement protocol and malicious standards

The Diffie-Hellman key agreement protocol is based on taking large powers of a generator of a prime-order cyclic group. Some generators allow faster exponentiation. We show that to a large extent, using the fast generators is as secure as using a randomly chosen generator. On the other hand, we show that if there is some case in which fast generators are less secure, then this could be used by a malicious authority to generate a standard for the Diffie-Hellman key agreement protocol which has a hidden trapdoor.Comment: Small update

A New Cryptosystem Based On Hidden Order Groups

Let $G_1$ be a cyclic multiplicative group of order $n$. It is known that the Diffie-Hellman problem is random self-reducible in $G_1$ with respect to a fixed generator $g$ if $\phi(n)$ is known. That is, given $g, g^x\in G_1$ and having oracle access to a `Diffie-Hellman Problem' solver with fixed generator $g$, it is possible to compute $g^{1/x} \in G_1$ in polynomial time (see theorem 3.2). On the other hand, it is not known if such a reduction exists when $\phi(n)$ is unknown (see conjuncture 3.1). We exploit this ``gap'' to construct a cryptosystem based on hidden order groups and present a practical implementation of a novel cryptographic primitive called an \emph{Oracle Strong Associative One-Way Function} (O-SAOWF). O-SAOWFs have applications in multiparty protocols. We demonstrate this by presenting a key agreement protocol for dynamic ad-hoc groups.Comment: removed examples for multiparty key agreement and join protocols, since they are redundan

Efficient algorithms for pairing-based cryptosystems

We describe fast new algorithms to implement recent cryptosystems based on the Tate pairing. In particular, our techniques improve pairing evaluation speed by a factor of about 55 compared to previously known methods in characteristic 3, and attain performance comparable to that of RSA in larger characteristics.We also propose faster algorithms for scalar multiplication in characteristic 3 and square root extraction over Fpm, the latter technique being also useful in contexts other than that of pairing-based cryptography

Easy decision-Diffie-Hellman groups

The decision-Diffie-Hellman problem (DDH) is a central computational problem in cryptography. It is known that the Weil and Tate pairings can be used to solve many DDH problems on elliptic curves. Distortion maps are an important tool for solving DDH problems using pairings and it is known that distortion maps exist for all supersingular elliptic curves. We present an algorithm to construct suitable distortion maps. The algorithm is efficient on the curves usable in practice, and hence all DDH problems on these curves are easy. We also discuss the issue of which DDH problems on ordinary curves are easy

Key agreement for heterogeneous mobile ad-hoc groups

Security of various group-oriented applications for mobile ad-hoc groups requires a group secret shared between all participants. Contributory Group Key Agreement (CGKA) protocols can be used in mobile ad-hoc scenarios due to the absence of any trusted central authority (group manager) that actively participates in the computation of the group key. Members of spontaneously formed mobile ad-hoc groups are usually equipped with different kinds of mobile devices with varying performance capabilities. This heterogeneity opens new ways for the design of CGKA protocols and states additional security requirements with regard to the trustworthiness of the devices. In this paper we propose a CGKA protocol for mobile ad hoc groups that fairly distributes the computation costs amongst mobile devices by taking into account their performance limitations and preventing possible cheating through Trusted Computing techniques

Still Wrong Use of Pairings in Cryptography

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Several pairing-based cryptographic protocols are recently proposed with a wide variety of new novel applications including the ones in emerging technologies like cloud computing, internet of things (IoT), e-health systems and wearable technologies. There have been however a wide range of incorrect use of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too ine cient designs of pairing-based protocols. We observed that one reason is not being aware of the recent advancements on solving the discrete logarithm problems in some groups. The main purpose of this article is to give an understandable, informative, and the most up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis on the importance of the correct use of bilinear maps by realizing secure cryptographic protocols. We list a collection of some recent papers having wrong security assumptions or realizability/e ciency issues. Finally, we give a compact and an up-to-date recipe of the correct use of pairings