Identity-based Digital Signature Scheme Without Bilinear Pairings

He Debiao, Chen Jianhua, Hu Jin
School of Mathematics and Statistics, Wuhan University, Wuhan, Hubei, China
Corresponding author: He Debiao, hedebiao@163.com

Abstract: Many identity-based digital signature schemes using bilinear pairings have been proposed. But the relative computation cost of the pairing is approximately twenty times higher than that of the scalar multiplication over the elliptic curve group. In order to save running time and signature size, we propose an identity-based signature scheme without bilinear pairings. With both the running time and the size of the signature reduced greatly, our scheme is more practical than the previous related schemes for practical application.

Key words: Digital signature, Identity-based cryptography, Bilinear pairings, Elliptic curve

1. Introduction

The concept of identity-based (ID-based) cryptography was first formulated by Shamir [1]. In ID-based cryptography, a user's unique identifier acts as the user's public key, and the corresponding private key generated by a trusted Key Generation Center (KGC) acts as the user's implicit certificate, thereby removing the requirement of a public key certificate. In the first ID-based signature scheme, proposed by Shamir [1], the signature has 2048 bits when one uses a 1024-bit RSA modulus. In 1988, Guillou et al. [2] improved Shamir's scheme and shortened the signature size to 1184 bits when one uses a 1024-bit RSA modulus and a 160-bit hash function, e.g., the Secure Hash Standard. However, the modular exponentiations required by the above schemes make them unsuitable for some environments, such as mobile devices, where computation ability and battery capacity are limited. Fortunately, elliptic curve cryptosystems (ECC) [3,4] have significant advantages, such as smaller key sizes and faster computations, compared with other public-key cryptography. Many IBS schemes using elliptic curve pairings have been proposed [5-7].

In spite of the significant improvements in computation speed, the pairing is still regarded as the most expensive cryptographic primitive. The relative computation cost of a pairing is approximately twenty times higher than that of the scalar multiplication over the elliptic curve group [8]. Therefore, IBS schemes without bilinear pairings would be more appealing in terms of efficiency. In this paper, we present an IBS scheme without pairings. The scheme rests on the elliptic curve discrete logarithm problem (ECDLP). With the pairing-free realization, the scheme's overhead is lower than that of the previous schemes [5-7] in both computation and signature size.

2. Background of elliptic curve group

We only give a simple introduction to elliptic curves defined over a prime field $\mathbb{F}_p$ in this part,
while the theory of elliptic curves defined over binary fields can be found in [3,4]. Let the symbol $E/\mathbb{F}_p$ denote an elliptic curve $E$ over a prime finite field $\mathbb{F}_p$, defined by an equation

$$y^2 = x^3 + ax + b, \quad a, b \in \mathbb{F}_p, \quad (1)$$

with the discriminant

$$\Delta = 4a^3 + 27b^2 \neq 0. \quad (2)$$

The points on $E/\mathbb{F}_p$ together with an extra point $O$, called the point at infinity, form a group

$$G = \{(x, y) : x, y \in \mathbb{F}_p,\ E(x, y) = 0\} \cup \{O\}. \quad (3)$$

Let the order of $G$ be $n$. $G$ is a cyclic additive group under the point addition $+$ defined as follows. Let $P, Q \in G$, let $l$ be the line containing $P$ and $Q$ (the tangent line to $E/\mathbb{F}_p$ if $P = Q$), and let $R$ be the third point of intersection of $l$ with $E/\mathbb{F}_p$. Let $l'$ be the line connecting $R$ and $O$. Then $P + Q$ is the point such that $l'$ intersects $E/\mathbb{F}_p$ at $R$, $O$ and $P + Q$. Scalar multiplication over $E/\mathbb{F}_p$ can be computed as follows:

$$tP = P + P + \cdots + P \quad (t \text{ times}). \quad (4)$$

The following problem defined over $G$ is assumed to be intractable within polynomial time.

Elliptic curve discrete logarithm problem (ECDLP): For $x \in_R \mathbb{Z}_n^*$ and $P$ the generator of $G$, given $Q = xP$, compute $x$.

3. Our scheme

3.1. Scheme description

In this section, we present an ID-based signature scheme without pairing. Our scheme consists of four algorithms: Setup, Extract, Sign and Verify.

Setup: This algorithm takes a security parameter $k$ as input and returns the system parameters and a master key. Given $k$, the KGC does as follows.
1) Choose a $k$-bit prime $p$ and determine the tuple $\{\mathbb{F}_p, E/\mathbb{F}_p, G, P\}$ as defined in Section 2.
2) Choose the master private key $x \in \mathbb{Z}_n^*$ and compute the master public key $P_{pub} = xP$.
3) Choose two cryptographically secure hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_n$ and $H_2 : \{0,1\}^* \times G \to \mathbb{Z}_n$.
4) Publish $\{\mathbb{F}_p, E/\mathbb{F}_p, G, P, P_{pub}, H_1, H_2\}$ as the system parameters and keep the master key $x$ secret.

Extract: This algorithm takes the system parameters, the master key and a user's identifier as inputs, and returns the user's ID-based private key. With this algorithm, the KGC works as follows for each user with identifier $ID$.
1) Choose a random number $r \in \mathbb{Z}_n^*$, compute $R_{ID} = rP$ and $h_{ID} = H_1(ID, R_{ID})$.
2) Compute $s_{ID} = r + h_{ID} x \bmod n$.
The user's private key is the tuple $(s_{ID}, R_{ID})$ and is transmitted to the user via a secure out-of-band channel. The user can validate her private key by checking whether the equation $s_{ID} P = R_{ID} + h_{ID} P_{pub}$ holds. The private key is valid if and only if the equation holds.

Sign: This algorithm takes the system parameters, the user's private key $(s_{ID}, R_{ID})$ and a message $m$ as inputs, and returns a signature of the message $m$. The user does as follows.
1) Choose a random number $l \in \mathbb{Z}_n^*$ and compute $R = lP$.
2) Compute $h = H_2(m, R)$.
3) Verify whether the equation $\gcd(l + h, n) = 1$ holds. If it does not hold, return to step 1).
4) Compute $s = (l + h)^{-1} s_{ID} \bmod n$.
5) Output the signature $(ID, R_{ID}, R, s)$.

Verify: To verify the signature $(ID, R_{ID}, R, s)$ for message $m$, the verifier first computes $h_{ID} = H_1(ID, R_{ID})$ and $h = H_2(m, R)$, then checks whether

$$s(R + hP) = R_{ID} + h_{ID} P_{pub}.$$
Accept if the equation holds; otherwise reject. Since $R = lP$ and $s = (l + h)^{-1} s_{ID} \bmod n$, we have

$$s(R + hP) = (l + h)^{-1} s_{ID} (lP + hP) = (l + h)^{-1} s_{ID} (l + h) P = s_{ID} P = R_{ID} + h_{ID} P_{pub}. \quad (5)$$

Then the correctness of our scheme is proved.

3.2. Security analysis

We prove the security of our scheme $\Sigma$ in the random oracle model, which treats $H_1$ and $H_2$ as two random oracles [9], using the signature security model defined in [10]. As for the security of $\Sigma$, the following theorem is provided.

Theorem 1: Consider an adaptively chosen message attack in the random oracle model against $\Sigma$. If there is an attacker $A$ that can break $\Sigma$ with at most $q_H$ $H$-queries and $q_S$ signature queries within time bound $t$ and with probability $\varepsilon \ge 10(q_H + 1)(q_H + q_S)/2^k$, then the ECDLP can be solved within running time $t' \le 23 q_H t/\varepsilon$ with probability $\varepsilon' \ge 1/9$.

Proof: Suppose that there is an attacker $A$ for an adaptively chosen message attack against $\Sigma$. Then we show how to use the ability of $A$ to construct an algorithm $S$ solving the ECDLP. Suppose $S$ is challenged with an ECDLP instance $(P, Q)$ and is tasked to compute $x \in \mathbb{Z}_n$ satisfying $Q = xP$. To do so, $S$ sets $\{\mathbb{F}_p, E/\mathbb{F}_p, G, P, P_{pub} = Q, H_1, H_2\}$ as the system parameters and answers $A$'s queries as follows.

Extract-query: $A$ is allowed to query the extraction oracle for an identity $ID$. $S$ simulates the oracle as follows. It chooses $a, b \in \mathbb{Z}_n$ at random and sets

$$R_{ID} = a P_{pub} + bP, \quad s_{ID} = b, \quad h_{ID} = H_1(ID, R_{ID}) = -a \bmod n. \quad (6)$$

Note that $(s_{ID}, R_{ID})$ generated in this way satisfies the equation $s_{ID} P = R_{ID} + h_{ID} P_{pub}$ of the Extract algorithm, so it is a valid secret key. $S$ outputs $(s_{ID}, R_{ID})$ as the secret key of $ID$ and stores the value $(s_{ID}, R_{ID}, H_1(ID, R_{ID}), ID)$ in the $H_1$-table.
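The group operations of Section 2 and the four algorithms of Section 3.1, as an added runnable example (it is not code from the paper). Two substitutions are assumptions: secp256k1, a prime-order curve whose constants are widely published, stands in for the paper's secp160r1, and domain-separated SHA-256 reduced mod $n$ stands in for $H_1$ and $H_2$. The identity and message are constructed sample values.

```python
import hashlib
import math
import secrets

# Assumed curve: secp256k1 (y^2 = x^3 + A x + B over F_p, equation (1)), a stand-in
# for the paper's secp160r1. N is the prime order of the group G generated by G.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
O = None  # the point at infinity

def ec_add(p1, p2):
    """Chord-and-tangent addition of Section 2; O is the identity element."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                    # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD         # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication tP of equation (4), computed by double-and-add."""
    result, addend = O, pt
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def _point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H1(identity, R_id):
    """Assumed instantiation of H1(ID, R_ID) -> Z_n."""
    d = hashlib.sha256(b"H1|" + identity + _point_bytes(R_id)).digest()
    return int.from_bytes(d, "big") % N

def H2(msg, R):
    """Assumed instantiation of H2(m, R) -> Z_n."""
    d = hashlib.sha256(b"H2|" + msg + _point_bytes(R)).digest()
    return int.from_bytes(d, "big") % N

def setup():
    """Setup: master private key x and master public key P_pub = xP."""
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def extract(x, identity):
    """Extract: R_ID = rP, h_ID = H1(ID, R_ID), s_ID = r + h_ID * x mod n."""
    r = secrets.randbelow(N - 1) + 1
    R_id = ec_mul(r, G)
    s_id = (r + H1(identity, R_id) * x) % N
    return s_id, R_id

def key_is_valid(P_pub, identity, s_id, R_id):
    """The user's own check s_ID P = R_ID + h_ID P_pub before accepting the key."""
    return ec_mul(s_id, G) == ec_add(R_id, ec_mul(H1(identity, R_id), P_pub))

def sign(s_id, R_id, identity, msg):
    """Sign: R = lP, h = H2(m, R), retry unless gcd(l + h, n) = 1, s = (l + h)^-1 s_ID."""
    while True:
        l = secrets.randbelow(N - 1) + 1
        R = ec_mul(l, G)
        h = H2(msg, R)
        if math.gcd(l + h, N) == 1:
            break
    s = pow((l + h) % N, -1, N) * s_id % N
    return (identity, R_id, R, s)

def verify(P_pub, msg, sig):
    """Verify: accept iff s(R + hP) = R_ID + h_ID P_pub."""
    identity, R_id, R, s = sig
    lhs = ec_mul(s, ec_add(R, ec_mul(H2(msg, R), G)))
    rhs = ec_add(R_id, ec_mul(H1(identity, R_id), P_pub))
    return lhs == rhs

def demo():
    """One run of all four algorithms on constructed sample values.
    Returns (key passes validation, genuine signature verifies, altered message rejected)."""
    x, P_pub = setup()
    identity = b"alice@example.com"
    s_id, R_id = extract(x, identity)
    sig = sign(s_id, R_id, identity, b"pay 10 to bob")
    return (key_is_valid(P_pub, identity, s_id, R_id),
            verify(P_pub, b"pay 10 to bob", sig),
            not verify(P_pub, b"pay 100 to bob", sig))

if __name__ == "__main__":
    print(demo())
```

Because $n$ is prime, the $\gcd(l + h, n) = 1$ test in Sign fails only when $l + h \equiv 0 \pmod n$, which is exactly the case where $(l + h)^{-1}$ does not exist; `key_is_valid` is the out-of-band check the Extract step asks the user to perform, and `verify` returns false both for a changed message and for a signature re-labelled with another identity, since $h$ and $h_{ID}$ then change.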
Signature-query: To answer $A$'s signature query on $m_i$ ($1 \le i \le q_S$) and an identity $ID$, $S$ chooses $a_i, b_i \in \mathbb{Z}_n$ at random. Then it gets $h_{ID} = H_1(ID, R_{ID})$ from the $H_1$-table, computes

$$R_i = a_i R_{ID} - b_i P + a_i h_{ID} P_{pub}, \quad s_i = a_i^{-1} \bmod n,$$

sets $h_i = H_2(m_i, R_i) = b_i$ and adds $(m_i, R_i, b_i)$ to the $H_2$-list. If the pair $(m_i, R_i)$ has already been defined in the $H_2$-table, $S$ outputs fail and exits. Since $b_i$ is chosen at random, the probability of fail is no more than $1/n$ and is negligible. It is straightforward to verify that $(R_{ID}, R_i, s_i)$ is a perfect simulation: $A$ will not be able to tell the difference between the simulation and the reality if $S$ does not abort.

If $A$ can forge a valid signature on a message $m$ with probability $\varepsilon \ge 10(q_H + 1)(q_H + q_S)/2^k$, where $m$ has not been queried to the signature oracle, then a replay of $S$ with the same random tape but a different choice of $H_2$ will output two valid signatures $(m, R_{ID}, R_i, h_i, s_i)$ and $(m, R_{ID}, R_i, h_i', s_i')$. Then we have

$$s_i (R_i + h_i P) = R_{ID} + h_{ID} P_{pub}, \quad (7)$$
$$s_i' (R_i + h_i' P) = R_{ID} + h_{ID} P_{pub}. \quad (8)$$

Let $R_i = rP$, $R_{ID} = a P_{pub} + bP$ and $P_{pub} = Q = xP$; then we have

$$s_i (rP + h_i P) = axP + bP + h_{ID} xP, \quad (9)$$
$$s_i' (rP + h_i' P) = axP + bP + h_{ID} xP. \quad (10)$$

Hence, we have

$$s_i s_i' (rP + h_i P) = s_i' axP + s_i' bP + s_i' h_{ID} xP, \quad (11)$$
$$s_i s_i' (rP + h_i' P) = s_i axP + s_i bP + s_i h_{ID} xP, \quad (12)$$

and subtracting (12) from (11) gives

$$(s_i' a + s_i' h_{ID} - s_i a - s_i h_{ID})\, xP = (s_i s_i' h_i - s_i' b - s_i s_i' h_i' + s_i b)\, P. \quad (13)$$

Let $u = (s_i' a + s_i' h_{ID} - s_i a - s_i h_{ID}) \bmod n$ and $v = (s_i s_i' h_i - s_i' b - s_i s_i' h_i' + s_i b) \bmod n$; then we get $x = u^{-1} v \bmod n$.
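The extraction step (9)-(13) carried through numerically, as an added example that is not part of the paper. It works purely in $\mathbb{Z}_n$: since $R_{ID} = aP_{pub} + bP$ and $P_{pub} = xP$, the discrete logarithm of $R_{ID}$ is $ax + b$, so the two forked signatures can be produced from scalars alone and the recovered $x$ compared with the one used. The order $n$ of secp256k1 is assumed as the prime $n$, and all other values are constructed.

```python
# Assumed prime group order n (that of secp256k1); any prime n works the same way.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def inv(v):
    return pow(v % N, -1, N)

def forked_signatures(x, a, b, h_id, l, h, h_prime):
    """Scalar view of the two signatures the replay yields.
    R_ID = a P_pub + b P, so r_ID = a*x + b and s_ID = r_ID + h_ID*x (Extract);
    both runs use the same l (same R_i) but different H2 answers h and h'.
    Returns (s_i, s_i') as produced by Sign."""
    s_id = (a * x + b + h_id * x) % N
    return inv(l + h) * s_id % N, inv(l + h_prime) * s_id % N

def scalar_verify(x, a, b, h_id, l, h, s):
    """Scalar form of (9): s*(r + h) must equal the logarithm of R_ID + h_ID P_pub."""
    return s * (l + h) % N == (a * x + b + h_id * x) % N

def recover_master_key(a, b, h_id, h, s, h_prime, s_prime):
    """Equation (13): u * x = v (mod n), hence x = u^{-1} v mod n."""
    u = (s_prime * a + s_prime * h_id - s * a - s * h_id) % N
    v = (s * s_prime * h - s_prime * b - s * s_prime * h_prime + s * b) % N
    if u == 0:
        # u = (s' - s)(a + h_ID); it vanishes when h_ID = -a mod n, i.e. for a key
        # simulated as in (6), or when the two transcripts coincide (h = h').
        raise ValueError("u = 0 mod n: the two transcripts do not determine x")
    return v * inv(u) % N

def demo():
    """Constructed instance: returns True iff (13) recovers the chosen x."""
    x = 0x1E240C0DE_C0FFEE_123456789ABCDEF                  # the 'unknown' master key
    a, b, h_id, l, h, h_prime = 11, 22, 33, 44, 55, 66      # simulator and oracle values
    s, s_prime = forked_signatures(x, a, b, h_id, l, h, h_prime)
    assert scalar_verify(x, a, b, h_id, l, h, s) and scalar_verify(x, a, b, h_id, l, h_prime, s_prime)
    return recover_master_key(a, b, h_id, h, s, h_prime, s_prime) == x

if __name__ == "__main__":
    print(demo())
```

The `u == 0` branch is the degenerate case of the algebra: a key whose $h_{ID}$ was programmed to $-a$ as in (6) makes $s_{ID} = b$ independent of $x$, so signatures under it carry no information about the master key, which is why the forgery used in the proof must be on an identity answered by a genuinely random $H_1$ value.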
According to [10, Lemma 4], the ECDLP can be solved with probability $\varepsilon' \ge 1/9$ and in time $t' \le 23 q_H t/\varepsilon$.

4. Comparison with previous schemes

In this section, we compare the efficiency of our new scheme with Cha et al.'s scheme [5], Yi's scheme [6] and Hess's scheme [7]. In the computation efficiency comparison, we obtain the running time of cryptographic operations using MIRACL [11], a standard cryptographic library. The hardware platform is a PIV 3-GHz processor with 512-MB memory and a Windows XP operating system. For the pairing-based schemes, to achieve the 1024-bit RSA level of security, we use the Tate pairing defined over the supersingular elliptic curve $E/\mathbb{F}_p : y^2 = x^3 + x$ with embedding degree 2, where $q$ is a 160-bit Solinas prime and $p$ is a 512-bit prime satisfying $p + 1 = 12qr$. For the ECC-based schemes, to achieve the same security level, we employed the parameter secp160r1 [12], recommended by the Certicom Corporation, where $p = 2^{160} - 2^{31} - 1$. The running times are listed in Table 1, where sca.mul. stands for scalar multiplication.

Table 1. Cryptographic operation time (in milliseconds)

Operation               Time (ms)
Pairing                 20.04
Pairing-based sca.mul.  (value not recoverable from the extracted text)
Map-to-point hash       (value not recoverable from the extracted text)
ECC-based sca.mul.      2.21

To evaluate the computation efficiency of the different schemes, we use the simple method from [13]. For example, the sign algorithm of our scheme requires one ECC-based scalar multiplication; thus, the computation time of the sign algorithm is 2.21 × 1 = 2.21 ms. The verify algorithm has to carry out three ECC-based scalar multiplications, so the resulting running time is 2.21 × 3 = 6.63 ms. As another example, in Cha et al.'s scheme [5], the sign algorithm has to carry out two pairing-based scalar multiplications and a map-to-point hash computation; thus, the computation time for a client is 15.8 ms. The verify algorithm has to carry out one pairing, so the resulting running time is 20.04 ms. The size of a signature is evaluated by the overall size of the messages generated by the sign algorithm of a scheme. For example, in our scheme, the generated message comprises an identity, two points of the elliptic curve and a number in $\mathbb{Z}_n$. Assuming that the size of the identity is 4 B, the resulting signaling traffic is 104 B. As another example, in Cha et al.'s scheme, the generated message comprises an identity and two points of the elliptic curve, so the resulting signaling traffic is 260 B. Table 2 shows the results of the performance comparison.
Table 2. Performance comparison of different schemes

Scheme                   Sign (running time)   Verify (running time)   Size of signature
Cha et al.'s scheme [5]  15.8 ms               20.04 ms                260 B
Yi's scheme [6]          (not recoverable)     (not recoverable)       260 B
Hess's scheme [7]        26.4 ms               (not recoverable)       132 B
Our scheme               2.21 ms               6.63 ms                 104 B

According to Table 2, the running time of the sign algorithm of our scheme is 13.98% of Cha et al.'s scheme, 11.54% of Yi's scheme and 8.36% of Hess's scheme; the running time of the verify algorithm of our scheme is 33.08% of Cha et al.'s scheme, 14.7% of Yi's scheme and 16.54% of Hess's scheme; and the size of the signature of our scheme is 40% of Cha et al.'s scheme, 40% of Yi's scheme and 78.79% of Hess's scheme. Thus our scheme is more useful and efficient than the previous schemes [5-7].

5. Conclusion

In this paper, we have proposed an efficient identity-based digital signature scheme. We also prove the security of the scheme in the random oracle model. Compared with previous schemes, the new scheme reduces both the running time and the size of the signature. Therefore, our scheme is more practical than the previous related schemes for practical application.

6. References

[1] A. Shamir, Identity-based cryptosystems and signature schemes, Proc. CRYPTO 1984, LNCS, vol. 196, pp. 47-53.
[2] L. C. Guillou and J. J. Quisquater, A paradoxical identity-based signature scheme resulting from zero-knowledge, in Proc. Crypto '88, Santa Barbara, CA, Aug. 1988.
[3] V. S. Miller, Use of elliptic curves in cryptography. In: Advances in Cryptology, Proceedings of CRYPTO '85, LNCS vol. 218, Springer-Verlag, 1986.
[4] N. Koblitz, Elliptic curve cryptosystems. Mathematics of Computation 1987, 48.
[5] J. C. Cha and J. H. Cheon, An Identity-Based Signature from Gap Diffie-Hellman Groups, PKC 2003, LNCS 2567, 2003.
[6] X. Yi, An Identity-Based Signature Scheme From the Weil Pairing, IEEE Communications Letters, vol. 7, no. 2, February 2003.
[7] F. Hess, Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002, LNCS vol. 2595, Springer, Heidelberg (2003).
[8] L. Chen, Z. Cheng, N. P. Smart, Identity-based key agreement protocols from pairings, Int. J. Inf. Secur., no. 6, pp. 213-241, 2007.
[9] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in Proc. 1st ACM Conf. Comput. Commun. Security, 1993.
[10] D. Pointcheval and J. Stern, Security Arguments for Digital Signatures and Blind Signatures, Journal of Cryptology, vol. 13, 2000.
[11] Shamus Software Ltd., MIRACL library, http://www.shamus.ie/index.php?page=home.
[12] The Certicom Corporation, SEC 2: Recommended Elliptic Curve Domain Parameters.
[13] X. Cao, X. Zeng, W. Kou, L. Hu, Identity-based anonymous remote authentication for value-added services in mobile networks, IEEE Transactions on Vehicular Technology, vol. 58, no. 7, 2009.
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encrytion Systems Emily Shen MIT eshen@csail.mit.edu Elaine Shi CMU/PARC eshi@arc.com December 24, 2008 Brent Waters UT Austin bwaters@cs.utexas.edu Abstract Predicate encrytion is
More informationx 2 a mod m. has a solution. Theorem 13.2 (Euler s Criterion). Let p be an odd prime. The congruence x 2 1 mod p,
13. Quadratic Residues We now turn to the question of when a quadratic equation has a solution modulo m. The general quadratic equation looks like ax + bx + c 0 mod m. Assuming that m is odd or that b
More informationTransitive Signatures Based on Non-adaptive Standard Signatures
Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing
More informationBayesian System for Differential Cryptanalysis of DES
Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential
More informationThe Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule
The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More informationThreshold Undeniable RSA Signature Scheme
Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationOptimal Design of Truss Structures Using a Neutrosophic Number Optimization Model under an Indeterminate Environment
Neutrosohic Sets and Systems Vol 14 016 93 University of New Mexico Otimal Design of Truss Structures Using a Neutrosohic Number Otimization Model under an Indeterminate Environment Wenzhong Jiang & Jun
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationarxiv: v1 [cs.it] 27 May 2015
RELATIVE GENERALIZED HAMMING WEIGHTS OF CYCLIC CODES JUN ZHANG AND KEQIN FENG arxiv:1505.07277v1 [cs.it] 27 May 2015 Abstract. Relative generalized Hamming weights (RGHWs) of a linear code resect to a
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationBatch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco
Batch Verification of ECDSA Signatures AfricaCrypt 2012 Ifrane, Morocco Department of Computer Science and Engineering Indian Institute of Technology Kharagpur, West Bengal, India. Outline Introduction
More informationLinear diophantine equations for discrete tomography
Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,
More informationA Direct Anonymous Attestation Scheme for Embedded Devices
A Direct Anonymous Attestation Scheme for Embedded Devices He Ge 1 and Stephen R. Tate 2 1 Microsoft Corporation, One Microsoft Way, Redmond 98005 hege@microsoft.com 2 Department of Computer Science and
More informationINTRODUCTION. Please write to us at if you have any comments or ideas. We love to hear from you.
Casio FX-570ES One-Page Wonder INTRODUCTION Welcome to the world of Casio s Natural Dislay scientific calculators. Our exeriences of working with eole have us understand more about obstacles eole face
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationDistributed Rule-Based Inference in the Presence of Redundant Information
istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationRound-off Errors and Computer Arithmetic - (1.2)
Round-off Errors and Comuter Arithmetic - (.). Round-off Errors: Round-off errors is roduced when a calculator or comuter is used to erform real number calculations. That is because the arithmetic erformed
More informationarxiv: v1 [cs.cr] 2 Feb 2015
Randomness Extraction over Bilinear Character Sums Boudjou T. Hortense,Universite de Maroua-Cameroon ; Dr Abdoul Aziz Ciss, Ecole Polytechnique de Thies-Senegal Setember 7, 08 arxiv:50.00433v [cs.cr] Feb
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationLecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for
More informationConvex Optimization methods for Computing Channel Capacity
Convex Otimization methods for Comuting Channel Caacity Abhishek Sinha Laboratory for Information and Decision Systems (LIDS), MIT sinhaa@mit.edu May 15, 2014 We consider a classical comutational roblem
More information