Pairings for cryptographers

Galbraith, Steven D.; Paterson, Kenneth G.; Smart, Nigel P.

doi:10.1016/j.dam.2007.12.010

Cited by 569 publications

(263 citation statements)

References 7 publications

Supporting

Mentioning

238

Contrasting

Order By: Relevance

“…More specifically, one may use Type-2 pairings, where there is an efficiently computable group isomorphism ψ : G 2 → G 1 mapping g 2 ∈ G 2 to g 1 ∈ G 1 , or Type-3 pairings, where there is no known efficiently computable group isomorphism ψ : G 2 → G 2 mapping g 2 to g 1 . We refer readers to [18] for the details of these three types of pairings.…”

Section: The N-bdh Assumptionmentioning

confidence: 99%

The n-Diffie-Hellman Problem and Its Applications

Chen

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The main contributions of this paper are twofold. On the one hand, the twin Diffie-Hellman (twin DH) problem proposed by Cash, Kiltz and Shoup is extended to the n-Diffie-Hellman (n-DH) problem for an arbitrary integer n, and this new problem is shown to be at least as hard as the ordinary DH problem. Like the twin DH problem, the n-DH problem remains hard even in the presence of a decision oracle that recognizes solution to the problem. On the other hand, observe that the double-size key in the Cash et al. twin DH based encryption scheme can be replaced by two separated keys each for one entity, that results in a 2-party encryption scheme which holds the same security feature as the original scheme but removes the key redundancy. This idea is further extended to an n-party case, which is also known as n-out-of-n encryption. As examples, a variant of ElGamal encryption and a variant of Boneh-Franklin IBE have been presented; both of them have proved to be CCA secure under the computational DH assumption and the computational bilinear Diffie-Hellman (BDH) assumption respectively, in the random oracle model. The two schemes are efficient, due partially to the size of their ciphertext, which is independent to the value n.

show abstract

Section: The N-bdh Assumptionmentioning

confidence: 99%

The n-Diffie-Hellman Problem and Its Applications

Chen

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In this section, we separate these two capabilities in Mtaes 2 , making use of a so-called Type-2 or Type-3 pairing-friendly structure [13]. It consists in a tuple (G 1 , G 2 , G T , q, e, g 1 , g 2 ) where e is an admissible bilinear map [6], g 1 , g 2 and G = e (g 1 , g 2 ) are generators of G 1 , G 2 and G T respectively (and additionally there exists an e ciently computable isomorphism ψ : G 2 → G 1 in the case of Type-2 structure).…”

Section: Two-level Scheme Mtaesmentioning

confidence: 99%

“…The rst one does not split the roles of the issuer and the opener and can be applied in any group where the DDH assumption holds while the second scheme makes use of (Type-2 or Type-3 [13]) pairing-friendly groups, with asymmetric pairing where the XDH and the (asymmetric 1 ) DBDH assumptions hold, to separate the two authority roles (and then achieve the second above property). The two rst schemes lead to ciphertexts that are linear in the number of registered users.…”

Section: Introductionmentioning

confidence: 99%

Mediated Traceable Anonymous Encryption

Izabachène

Pointcheval

Vergnaud

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. The notion of key privacy for asymmetric encryption schemes was formally de ned by Bellare, Boldyreva, Desai and Pointcheval in 2001: it states that an eavesdropper in possession of a ciphertext is not able to tell which speci c key, out of a set of known public keys, is the one under which the ciphertext was created. Since anonymity can be misused by dishonest users, some situations could require a tracing authority capable of revoking key privacy when illegal behavior is detected. Prior works on traceable anonymous encryption miss a critical point: an encryption scheme may produce a covert channel which malicious users can use to communicate illegally using ciphertexts that trace back to nobody or, even worse, to some honest user. In this paper, we examine subliminal channels in the context of traceable anonymous encryption and we introduce a new primitive termed mediated traceable anonymous encryption that provides con dentiality and anonymity while preventing malicious users to embed subliminal messages in ciphertexts. In our model, all ciphertexts pass through a mediator (or possibly several successive mediators) and our goal is to design protocols where the absence of covert channels is guaranteed as long as the mediator is honest, while semantic security and key privacy hold even if the mediator is dishonest. We give security de nitions for this new primitive and constructions meeting the formalized requirements. Our generic construction is fairly e cient, with ciphertexts that have logarithmic size in the number of group members, while preventing collusions. The security analysis requires classical complexity assumptions in the standard model.

show abstract

“…Galbraith, Paterson and Smart [17] classify bilinear groups into three types according to the efficient morphisms that exist between the source groups G 1 and G 2 . Type I pairings have G 1 = G 2 and G = H, i.e., ψ is the identity function (or equivalently, it is an efficiently computable and efficiently invertible isomorphism).…”

Section: Bilinear Groupsmentioning

confidence: 99%

“…Galbraith, Paterson and Smart [17] classify pairings e : G 1 × G 2 → G T into three types depending on whether G 1 = G 2 (Type I), or there is an efficiently computable homomorphism ψ : G 2 → G 1 (Type II), or there is no efficiently Table 1. Most efficient structure-preserving signatures schemes for all three types of pairings, in terms of signature size, verification key size and number of verification equations.…”

Section: Introductionmentioning

confidence: 99%

Structure-Preserving Signatures from Type II Pairings

Abe

Groth

Ohkubo³

et al. 2014

Advances in Cryptology – CRYPTO 2014

View full text Add to dashboard Cite

Abstract. We investigate structure-preserving signatures in asymmetric bilinear groups with an efficiently computable homomorphism from one source group to the other, i.e., the Type II setting. It has been shown that in the Type I and Type III settings (with maximal symmetry and maximal asymmetry respectively), structure-preserving signatures need at least 2 verification equations and 3 group elements. It is therefore natural to conjecture that this would also be required in the intermediate Type II setting, but surprisingly this turns out not to be the case. We construct structure-preserving signatures in the Type II setting that only require a single verification equation and consist of only 2 group elements. This shows that the Type II setting with partial asymmetry is different from the other two settings in a way that permits the construction of cryptographic schemes with unique properties. We also investigate lower bounds on the size of the public verification key in the Type II setting. Previous work in structure-preserving signatures has explored lower bounds on the number of verification equations and the number of group elements in a signature but the size of the verification key has not been investigated before. We show that in the Type II setting it is necessary to have at least 2 group elements in the public verification key in a signature scheme with a single verification equation. Our constructions match the lower bounds so they are optimal with respect to verification complexity, signature sizes and verification key sizes. In fact, in terms of verification complexity, they are the most efficient structure preserving signature schemes to date. Depending on the context in which a scheme is deployed it is sometimes desirable to have strong existential unforgeability, and in other cases full randomizability. We give two structure-preserving signature schemes with a single verification equation where both the signatures and the public verification keys consist of two group elements each. One signature scheme is strongly existentially unforgeable, the other is fully randomizable. Having such simple and elegant structure-preserving signatures may make the Type II setting the easiest to use when designing new structure-preserving cryptographic schemes, and lead to schemes with the greatest conceptual simplicity.

show abstract

Pairings for cryptographers

Cited by 569 publications

References 7 publications

The n-Diffie-Hellman Problem and Its Applications

The n-Diffie-Hellman Problem and Its Applications

Mediated Traceable Anonymous Encryption

Structure-Preserving Signatures from Type II Pairings

Contact Info

Product

Resources

About