Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

Verheul, Eric R.

doi:10.1007/3-540-44987-6_13

Cited by 128 publications

(95 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the other hand, in contrast to ordinary curves with embedding degree k > 1, supersingular curves have the added advantage that they have distortion maps (in the sense of Verheul [85]), which is a desirable feature in some pairing-based applications. See Section 7.2 or [21] for further details.…”

Section: Supersingular Curvesmentioning

confidence: 99%

“…One way of getting around this conflict is to use a distortion map, which is an efficiently computable endomorphism φ such that φ(P ) ∈ P . A distortion map exists for a curve E with embedding degree k > 1 if and only if E is supersingular [37,85]. For the k = 1 case, see Charles' paper [20] for a thorough discussion, and Section 6.3 above for an example.…”

Section: Implementation Considerationsmentioning

confidence: 99%

See 1 more Smart Citation

A Taxonomy of Pairing-Friendly Elliptic Curves

2009

View full text Add to dashboard Cite

Abstract. Elliptic curves with small embedding degree and large prime-order subgroup are key ingredients for implementing pairingbased cryptographic systems. Such "pairing-friendly" curves are rare and thus require specific constructions. In this paper we give a single coherent framework that encompasses all of the constructions of pairing-friendly elliptic curves currently existing in the literature. We also include new constructions of pairing-friendly curves that improve on the previously known constructions for certain embedding degrees. Finally, for all embedding degrees up to 50, we provide recommendations as to which pairing-friendly curves to choose to best satisfy a variety of performance and security requirements.

show abstract

Section: Supersingular Curvesmentioning

confidence: 99%

Section: Implementation Considerationsmentioning

confidence: 99%

A Taxonomy of Pairing-Friendly Elliptic Curves

2009

View full text Add to dashboard Cite

show abstract

“…For such pairings, e(P, Q) = e(Q, P ) for any P, Q ∈ G. The modified Weil pairing over elliptic curve groups [44] is an example of a symmetric bilinear pairing. In the rest of the paper, all bilinear pairings are symmetric.…”

Section: Computabilitymentioning

confidence: 99%

Distributed Private-Key Generators for Identity-Based Cryptography

Kate

Goldberg

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Identity-based cryptography can greatly reduce the complexity of sending encrypted messages over the Internet. However, it necessarily requires a private-key generator (PKG), which can create private keys for clients, and so can passively eavesdrop on all encrypted communications. Although a distributed private-key generator has been suggested as a way to mitigate this problem, to date there have been no practical implementations provided for one. This paper presents the first realistic architecture and an implementation for a distributed private-key generator for use over the Internet.We improve the adversary model in the proactive verifiable secret sharing scheme by Herzberg et al. and define master-key modification and secret share recovery protocols in our new model. Our periodic master-key modification achieves forward secrecy of the master key; this feature has been missing in other proactive security schemes, but is of great importance in identity-based applications. Recognizing the utility of modifying the set of nodes and the security threshold in a distributed PKG, we present protocols for these operations. We also compare our architecture to other verifiable secret sharing architectures for the Internet and demonstrate that ours has both better message efficiency as well as a more complete feature set. Finally, with a geographically distributed installation of our application, we verify its efficiency and practicality.

show abstract

“…For supersingular elliptic curves of cryptographic interest, we may obtain such a pairing from the Tate pairing twisted by an endomorphism ψ called a distortion map [11,12]. For example, if the Tate pairing is used then we define…”

Section: Pairingsmentioning

confidence: 99%

“…Verheul [11,12] considered the problem of computing a group homomorphism from µ r to E(F q ) [r]. He showed a number of striking consequences of being able to compute such a homomorphism, for example the fact that the Diffie-Hellman problem would become easy for a number of finite fields.…”

Section: Inverting Pairingsmentioning

confidence: 99%

Simplified pairing computation and security implications

Galbraith¹,

hÉigeartaigh²,

Sheedy³

2007

Journal of Mathematical Cryptology

View full text Add to dashboard Cite

Abstract. Recent progress on pairing implementation has made certain pairings extremely simple and fast to compute. Hence, it is natural to examine if there are consequences for the security of pairing-based cryptography. This paper gives a method to compute eta pairings in a way which avoids the requirement for a final exponentiation. The method does not lead to any improvement in the speed of pairing implementation. However, it seems appropriate to re-evaluate the security of pairing based cryptography in light of these new ideas. A multivariate attack on the pairing inversion problem is proposed and analysed. Our findings support the belief that pairing inversion is a hard computational problem.

show abstract

Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

Cited by 128 publications

References 14 publications

A Taxonomy of Pairing-Friendly Elliptic Curves

A Taxonomy of Pairing-Friendly Elliptic Curves

Distributed Private-Key Generators for Identity-Based Cryptography

Simplified pairing computation and security implications

Contact Info

Product

Resources

About