Aspects of Pairing Inversion

Galbraith, Steven D.; Heß, Florian; Vercauteren, Fréderik

doi:10.1109/tit.2008.2006431

Cited by 47 publications

(49 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…If we provide an NIZK proof for the equation {e(σ, v i g H(vk sots) )/e(σ, v j g H(vk sots ) )} = c in the Groth-Sahai proof, we need to findg,ĝ ∈ G such that c = e(g,ĝ). However, decomposing a pairing element is difficult because of the pairing inversion problem [22]. In contrast, in the proposed scheme, all witnesses are base group elements in our construction.…”

Section: The Proposed Schemementioning

confidence: 99%

See 1 more Smart Citation

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not be the signer of the given signature, and hence, the identity of the actual signer will be exposed.Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

show abstract

Section: The Proposed Schemementioning

confidence: 99%

“…Also, as mentioned above, if a witness is a target group element, it needs to be decomposed into base group elements to apply the Groth-Sahai proof. However, it is hard because of the the pairing inversion problem [22].…”

Section: Non-interactive Proof For a Relationmentioning

confidence: 99%

Group Signature with Deniability: How to Disavow a Signature

Ishida

Emura

Hanaoka³

et al. 2016

Cryptology and Network Security

View full text Add to dashboard Cite

show abstract

“…Moreover, pairings help to secure useful technologies such as WSNs [129]. Ever since pairings were proposed to be used for IBE, cryptanalysis of pairings and pairing-based schemes became an active field of research, e.g., [7,72,183].…”

Section: Bilinear Pairingsmentioning

confidence: 99%

“…Definition 2.14 (FAPI-1). Given a point P ∈ G 1 and a value α ∈ G T , both chosen at random, the fixed argument pairing inversion problem (FAPI-1) is to find Q ∈ G 2 such that e(P, Q) = α [72].…”

Section: Definition 213 (Miller Function)mentioning

confidence: 99%

See 1 more Smart Citation

Why Cryptography Should Not Rely on Physical Attack Complexity

Krämer

2015

T-Labs Series in Telecommunication Services

View full text Add to dashboard Cite

Ich versichere an Eides statt, dass ich diese Dissertation selbständig verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Datum Für meine Eltern AbstractEver since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong.This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future.Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone. Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, have they already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.

show abstract

Security Analysis of SM9 Key Agreement and Encryption

Cheng

2019

Information Security and Cryptology

View full text Add to dashboard Cite

Aspects of Pairing Inversion

Abstract: Abstract-We discuss some applications of the pairing inversion problem and outline some potential approaches for solving it. Our analysis of these approaches gives further evidence that pairing inversion is a hard problem. 1

Cited by 47 publications

References 19 publications

Group Signature with Deniability: How to Disavow a Signature

Group Signature with Deniability: How to Disavow a Signature

Why Cryptography Should Not Rely on Physical Attack Complexity

Security Analysis of SM9 Key Agreement and Encryption

Contact Info

Product

Resources

About