Abstract: We discuss some applications of the pairing inversion problem and outline some potential approaches for solving it. Our analysis of these approaches gives further evidence that pairing inversion is a hard problem.
“…If we provide an NIZK proof for the equation $e(\sigma, v_i g^{H(vk_{sots})}) / e(\sigma, v_j g^{H(vk_{sots})}) = c$ in the Groth-Sahai proof, we need to find $g, \hat{g} \in G$ such that $c = e(g, \hat{g})$. However, decomposing a pairing element is difficult because of the pairing inversion problem [22]. In contrast, in the proposed scheme, all witnesses are base group elements in our construction.…”
Section: The Proposed Scheme
“…Also, as mentioned above, if a witness is a target group element, it needs to be decomposed into base group elements to apply the Groth-Sahai proof. However, it is hard because of the pairing inversion problem [22].…”
Section: Non-interactive Proof For a Relation
Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not be the signer of the given signature, and hence, the identity of the actual signer will be exposed. Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.
“…Moreover, pairings help to secure useful technologies such as WSNs [129]. Ever since pairings were proposed to be used for IBE, cryptanalysis of pairings and pairing-based schemes became an active field of research, e.g., [7,72,183].…”
Section: Bilinear Pairings
“…Definition 2.14 (FAPI-1). Given a point $P \in G_1$ and a value $\alpha \in G_T$, both chosen at random, the fixed argument pairing inversion problem (FAPI-1) is to find $Q \in G_2$ such that $e(P, Q) = \alpha$ [72].…”
“…However, analogous to the two steps of the pairing calculation, i.e., Miller Algorithm and final exponentiation, the pairing inversion can also be treated as a two-step process [97]. Hence, FAPI-1 is usually split into two parts in the literature: the exponentiation inversion [44] and the Miller inversion [72].…”
I affirm in lieu of an oath that I have written this dissertation independently and have used only the sources and aids indicated.
Date
For my parents
Abstract: Ever since the first side channel attacks and fault attacks on cryptographic devices were introduced in the mid-nineties, new possibilities of physical attacks have been consistently explored. The risk that these attacks pose is reduced by reacting to known attacks and by developing and implementing countermeasures against them. For physical attacks whose theory is known but which have not been conducted yet, however, the situation is different. Attacks whose physical realization is assumed to be very complex are taken less seriously. The trust that these attacks will not be realized due to their physical complexity means that no countermeasures are developed at all. This leads to unprotected devices once the assessment of the complexity turns out to be wrong. This thesis presents two practical physical attacks whose theory is known for several years. Since neither attack has previously been successfully implemented in practice, however, they were not considered a serious threat. Their physical attack complexity has been overestimated and the implied security threat has been underestimated. First, we introduce the photonic side channel, which offers not only temporal resolution, but also the highest possible spatial resolution. Due to the high cost of its first realization, it has not been taken seriously. We show both simple and differential photonic side channel analyses. Then, we present a fault attack against pairing-based cryptography. Due to the need for at least two independent precise faults in a single pairing computation, it has also not been taken seriously. We show how attackers can reveal the secret key of symmetric as well as asymmetric cryptographic algorithms based on these physical attacks. We present countermeasures on the software and the hardware level, which help to prevent these attacks in the future. Based on these two presented attacks, this thesis shows that the assessment of physical attack complexity is error-prone.
Hence, cryptography should not rely on it. Cryptographic technologies have to be protected against all physical attacks, whether they have already been realized or not. The development of countermeasures does not require the successful execution of an attack but can already be carried out as soon as the principle of a side channel or a fault attack is understood.