
    Still Wrong Use of Pairings in Cryptography

    Several pairing-based cryptographic protocols have recently been proposed with a wide variety of novel applications, including ones in emerging technologies such as cloud computing, the Internet of Things (IoT), e-health systems and wearable technologies. However, there has been a wide range of incorrect uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is a lack of awareness of the recent advancements in solving the discrete logarithm problem in some groups. The main purpose of this article is to give understandable, informative, and up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis to the importance of the correct use of bilinear maps in realizing secure cryptographic protocols. We list a collection of recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and up-to-date recipe for the correct use of pairings.

    Construction of Arithmetic Secret Sharing Schemes by Using Torsion Limits

    Recent results of Cascudo, Cramer, and Xing on the construction of arithmetic secret sharing schemes are improved by using some new bounds on the torsion limits of algebraic function fields. Furthermore, new bounds on the torsion limits of certain towers of function fields are given.

    Still Wrong Use of Pairings in Cryptography

    The file attached to this record is the author's final peer-reviewed version. The publisher's final version can be found by following the DOI link.

    Several pairing-based cryptographic protocols have recently been proposed with a wide variety of novel applications, including ones in emerging technologies such as cloud computing, the Internet of Things (IoT), e-health systems and wearable technologies. However, there has been a wide range of incorrect uses of these primitives. The paper of Galbraith, Paterson, and Smart (2006) pointed out most of the issues related to the incorrect use of pairing-based cryptography. However, we noticed that some recently proposed applications still do not use these primitives correctly. This leads to unrealizable, insecure or too inefficient designs of pairing-based protocols. We observed that one reason is a lack of awareness of the recent advancements in solving the discrete logarithm problem in some groups. The main purpose of this article is to give understandable, informative, and up-to-date criteria for the correct use of pairing-based cryptography. We thereby deliberately avoid most of the technical details and rather give special emphasis to the importance of the correct use of bilinear maps in realizing secure cryptographic protocols. We list a collection of recent papers having wrong security assumptions or realizability/efficiency issues. Finally, we give a compact and up-to-date recipe for the correct use of pairings.

    Secure Delegation of Isogeny Computations and Cryptographic Applications

    We address the problem of speeding up isogeny computation for supersingular elliptic curves over finite fields using untrusted computational resources such as third-party servers or cloud service providers (CSPs). We first propose new, efficient and secure delegation schemes. This especially enables resource-constrained devices (e.g. smart cards, RFID tags, tiny sensor nodes) to effectively deploy post-quantum isogeny-based cryptographic protocols. To the best of our knowledge, these new schemes are the first attempt to generalize the classical secure delegation schemes for group exponentiations and pairing computation to an isogeny-based post-quantum setting. Then, we apply these secure delegation subroutines to improve the performance of supersingular isogeny-based zero-knowledge proofs of identity. Our experimental results show that, at the 128-bit quantum-security level, the proving party only needs about 3% of the original protocol cost, while the verifying party's effort is fully reduced to comparison operations. Lastly, we also apply our delegation schemes to decrease the computational cost of the decryption step for the NIST post-quantum standardization candidate SIKE.

    Fully Verifiable Secure Delegation of Pairing Computation: Cryptanalysis and An Efficient Construction

    We address the problem of secure and verifiable delegation of general pairing computation. We first analyze some recently proposed pairing delegation schemes and present several attacks on their security and/or verifiability properties. In particular, we show that none of these achieve the claimed security and verifiability properties simultaneously. We then provide a fully verifiable secure delegation scheme VerPair under the one-malicious version of a two-untrusted-program model (OMTUP). VerPair not only significantly improves the efficiency of all the previous schemes, such as the fully verifiable schemes of Chevallier-Mames et al. and Canard et al., by eliminating the impractical exponentiation- and scalar-multiplication-consuming steps, but also offers for the first time the desired full verifiability property, unlike other practical schemes. Furthermore, we give a more efficient and less memory-consuming invocation of the subroutine Rand for VerPair by eliminating the requirement of offline computations of modular exponentiations and scalar multiplications. In particular, Rand includes a fully verifiable partial delegation under the OMTUP assumption. The partial delegation of Rand distinguishes VerPair as a useful lightweight delegation scheme when the delegator is resource-constrained (e.g. RFID tags, smart cards or sensor nodes).

    An Efficient ID-Based Message Recoverable Privacy-Preserving Auditing Scheme

    One of the most important benefits of public cloud storage is the outsourcing of management and maintenance with easy accessibility and retrievability over the internet. However, outsourcing data to the cloud brings new challenges such as integrity verification and privacy of data. More concretely, once users outsource their data to the cloud they no longer have physical control over the data, and this leads to the integrity protection issue. Hence, it is crucial to guarantee proof of data storage and integrity of the outsourced data. Several pairing-based auditing solutions have been proposed utilizing Boneh-Lynn-Shacham (BLS) short signatures. They basically provide the desirable and efficient property of non-repudiation protocols. In this work, we propose the first ID-based privacy-preserving public auditing scheme with message-recoverable signatures. Because of the message-recoverable auditing scheme, the message itself is implicitly included during the verification step, which was not possible in previously proposed auditing schemes. Furthermore, we point out that the algorithm suites of existing schemes are either insecure or very inefficient due to the choice of the underlying bilinear map and its baseline parameter selections. We show that our scheme is more efficient than the recently proposed auditing schemes based on BLS-like short signatures.

    Efficient and Verifiable Algorithms for Secure Outsourcing of Cryptographic Computations

    The file attached to this record is the author's final peer-reviewed version. The publisher's final version can be found by following the DOI link.

    Reducing the computational cost of cryptographic computations for resource-constrained devices is an active research area. One of the practical solutions is to securely outsource the computations to an external and more powerful cloud server. Modular exponentiations are the most expensive computation from the cryptographic point of view. Therefore, outsourcing modular exponentiations to a single, external and potentially untrusted cloud server while ensuring security and privacy provides an efficient solution. In this paper, we propose new efficient outsourcing algorithms for modular exponentiations using only one untrusted cloud server. These algorithms cover public-base & private-exponent, private-base & public-exponent, private-base & private-exponent, and more generally private-base & private-exponents simultaneous modular exponentiations. Our algorithms are the most efficient solutions utilizing only one single untrusted server with the best checkability probabilities. Furthermore, unlike existing schemes, which have a fixed checkability probability, our algorithms provide adjustable predetermined checkability parameters. Finally, we apply our algorithms to outsource Oblivious Transfer Protocols and Blind Signatures, which are expensive primitives in modern cryptography.

    On the construction of algebraic curves with complex multiplication

    Let $k$ be an imaginary quadratic number field and $\mathcal{O}_t$ the order of $k$ with conductor $t$ and discriminant $D_t$. We show by means of the theory of complex multiplication that the singular values of quotients of certain theta functions generate the ring class field $\Omega_t$ modulo $t$ over $k$. This enables a more efficient computation of the class polynomials of these ring class fields than the construction by means of quotients of values of the Dedekind $\eta$-function. Furthermore, we prove that the generalised $\eta$-quotients can be represented by quotients of Thetanullwerte. These representations also allow us to compute the class polynomials more efficiently. In the case that $D_t$ satisfies certain congruence conditions, we prove that these singular values are units in the corresponding ring class fields. This property is used to compute the unit group of those ring class fields with the help of explicitly given roots of the class polynomials, which are determined during the construction of such polynomials. Let $(A,E)$ be a simple principally polarised abelian surface of primitive CM-type $(K,\Phi)$ with $[K:\mathbb{Q}]=4$. We generalise the CM-construction of hyperelliptic curves of genus two over finite fields using a condition on the Steinitz class to all primitive CM-fields. We extend the method for elliptic curves that tests whether a singular value of an arithmetical modular function $g(\tau)$ is a generator of the ring class field $\Omega_t$ to simple abelian varieties by using the two-dimensional reciprocity law of Shimura, the theory of complex multiplication of abelian varieties and an arithmetic of Siegel modular functions $g$ of level $(2N,4N)$, $\gcd(2,N)=1$. This yields an algorithm which tests whether a system of values of Siegel modular functions $g_1(\tau)$, $g_2(\tau)$ and $g_3(\tau)$ of level $(2N,4N)$ with $\tau\in\mathbb{H}_2$ generates the unramified abelian extension of the reflex field $K^r$ of $K$ given by the first main theorem of complex multiplication. At the end, examples of some class polynomials are given together with the subgroups of the unit groups of the corresponding ring class fields, which we compute with the help of singular values of the quotients of Thetanullwerte.