Evidence that XTR Is More Secure than Supersingular
Elliptic Curve Cryptosystems

Verheul, Eric R.

doi:10.1007/s00145-004-0313-x

Cited by 79 publications

(16 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 2000 supersingular elliptic curves were still viewed as too weak for cryptography. Verheul took up the challenge of Menezes-Vanstone, and was able to prove a striking theorem [105,106]: If an efficiently computable isomorphism existed from the XTR group to the curve, then the Diffie-Hellman problem would be easy in both groups. Since that was unlikely, he concluded that the map goes only one way.…”

Section: Verheul's Theoremmentioning

confidence: 98%

Elliptic curve cryptography: The serpentine course of a paradigm shift

Koblitz¹,

Koblitz²,

Menezes³

2011

Journal of Number Theory

View full text Add to dashboard Cite

Text. Over a period of sixteen years elliptic curve cryptography went from being an approach that many people mistrusted or misunderstood to being a public key technology that enjoys almost unquestioned acceptance. We describe the sometimes surprising twists and turns in this paradigm shift, and compare this story with the commonly accepted Ideal Model of how research and development function in cryptography. We also discuss to what extent the ideas in the literature on "social construction of technology" can contribute to a better understanding of this history.Video. For a video summary of this paper, please visit http:// www.youtube.com/watch?v=HHFFvfDoTK4.

show abstract

Section: Verheul's Theoremmentioning

confidence: 98%

Elliptic curve cryptography: The serpentine course of a paradigm shift

Koblitz¹,

Koblitz²,

Menezes³

2011

Journal of Number Theory

View full text Add to dashboard Cite

show abstract

“…A modified version of the Tate or Weil pairing may be used with some of these groups to give the required map. This technique was first described in [32] and may be used for supersingular elliptic curves. Recently these groups have been used constructively to build identity-based cryptosystems [12,14,23,27,31].…”

Section: Signcryption With Non-interactive Non-repudiationmentioning

confidence: 99%

Signcryption with Non-interactive Non-repudiation

Malone-Lee

2005

Des Codes Crypt

View full text Add to dashboard Cite

Signcryption [33] is a public key primitive that achieves the functionality of both an encryption scheme and a signature scheme simultaneously. It does this more efficiently than a composition of public key encryption and public key signature. We present a model of security for signcryption schemes that offer non-interactive non-repudiation. This is non-repudiation in which the judge settling a repudiation dispute does not have to get involved in an interactive zero-knowledge proof. Our model applies to many existing schemes in the literature Bao and Deng,[4] He and Wu, [22] Peterson and Michels, [28]. We explain why the scheme proposed in Bao and Deng,[4] is insecure under any definition of privacy based on the idea of indistinguishable encryptions Goldwasser and Micali,[20]. We describe a modified scheme to overcome the problem. Proofs of security are given for the scheme in the random oracle model Bellare and Rogaway, [10].

show abstract

“…For simplicity, here we assume that their order is a prime l. We also assume the existence of a distortion map δ which is a feasibly computable group isomorphism from G 2 to G 1 . Verheul [24,Section 3] proved the following remarkable result. Let f be a group isomorphism from T to G 1 (such an isomorphism is now called the Verheul map).…”

Section: Introductionmentioning

confidence: 94%

“…In spite of the importance of cryptographic consequences of pairing inversion problems, there are few articles on the topic after Verheul [24]. Some attempts are the use of division polynomials for polynomial interpolation of the Verheul maps (Satoh [20]), polynomial interpolation of the Verheul map by the Eisenstein series (Satoh [21]), the eta pairing computation without the final exponentiation (Galbraith, Ó hÉigeartaigh and Sheedy [8]), inverting the ate pairing computation process (Galbraith, Hess and Vercauteren [7]).…”

Section: Introductionmentioning

confidence: 97%

Closed formulae for the Weil pairing inversion

Satoh

2008

Finite Fields and Their Applications

View full text Add to dashboard Cite

Using the Miller algorithm, we can efficiently compute the Weil pairing for two given points on an elliptic curve. On the other hand, security of pairing based cryptographic protocols depends on the converse problem: find a point on an elliptic curve whose Weil pairing with a given (fixed) point is equal to a given root of unity, which we call the Weil pairing inversion problem. In this article, we give closed formulae which give a solution to the problem. For supersingular elliptic curves over fields of characteristic two or three, these formulae take more simpler forms than those for other elliptic curves.

show abstract

Evidence that XTR Is More Secure than Supersingular Elliptic Curve Cryptosystems

Cited by 79 publications

References 19 publications

Elliptic curve cryptography: The serpentine course of a paradigm shift

Elliptic curve cryptography: The serpentine course of a paradigm shift

Signcryption with Non-interactive Non-repudiation

Closed formulae for the Weil pairing inversion

Contact Info

Product

Resources

About