Abstract. An asymmetric pairing e : G2 × G1 → GT is considered such that G1 = E(Fp)[r] and G2 = Ẽ(, where k is the embedding degree of the elliptic curve E/Fp, r is a large prime divisor of #E(Fp), and Ẽ is the degree-d twist of E over Hashing to G1 is considered easy, while hashing to G2 is done by selecting a random point Q in Ẽ(F_{p^{k/d}}) and computing the hash value cQ, where c · r is the order of Ẽ(F_{p^{k/d}}). We show that for a large class of curves, one can hash to G2 in O(1/ϕ(k) log c) time, as compared with the previously fastest-known O(log p). In the case of BN curves, we are able to double the speed of hashing to G2. For higher-embedding-degree curves, the results can be more dramatic. We also show how to reduce the cost of the final-exponentiation step in a pairing calculation by a fixed number of field multiplications.
Abstract. We implement asymmetric pairings derived from Kachisa-Schaefer-Scott (KSS), Barreto-Naehrig (BN), and Barreto-Lynn-Scott (BLS) elliptic curves at the 192-bit security level. Somewhat surprisingly, we find pairings derived from BLS curves with embedding degree 12 to be the fastest for our serial as well as our parallel implementations. Our serial implementations provide a factor-3 speedup over the previous state-of-the-art, demonstrating that pairing computation at the 192-bit security level is not as expensive as previously thought. We also present a general framework for deriving a Weil-type pairing that is well-suited for computing a single pairing on a multi-processor machine.
Waters signatures (Eurocrypt 2005) can be shown existentially unforgeable under chosen-message attacks under the assumption that the computational Diffie-Hellman problem in the underlying (pairing-friendly) group is hard. The corresponding security proof has a reduction loss of O( · q), where is the bitlength of messages, and q is the number of adversarial signature queries. The original reduction could meanwhile be improved to O( √ · q) (Hofheinz and Kiltz, Crypto 2008); however, it is currently unknown whether a better reduction exists. We answer this question as follows: (a) We give a simple modification of Waters signatures, where messages are encoded such that each two encoded messages have a suitably large Hamming distance. Somewhat surprisingly, this simple modification suffices to prove security under the CDH assumption with a reduction loss of O(q). (b) We also show that any black-box security proof for a signature scheme with re-randomizable signatures must have a reduction loss of at least Ω(q), or the underlying hardness assumption is false. Since both Waters signatures and our variant from (a) are re-randomizable, this proves our reduction from (a) optimal up to a constant factor. Understanding and optimizing the security loss of a cryptosystem is important to derive concrete parameters, such as the size of the underlying group. We provide a complete picture for Waters-like signatures: there is an inherent lower bound for the security loss, and we show how to achieve it.
Abstract. In 2003, Boneh, Gentry, Lynn and Shacham (BGLS) devised the first provably-secure aggregate signature scheme. Their scheme uses bilinear pairings and their security proof is in the random oracle model. The first pairing-based aggregate signature scheme which has a security proof that does not make the random oracle assumption was proposed in 2006 by Lu, Ostrovsky, Sahai, Shacham and Waters (LOSSW). In this paper, we compare the security and efficiency of the BGLS and LOSSW schemes when asymmetric pairings derived from Barreto-Naehrig (BN) elliptic curves are employed.