Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings

To: STDS-P1363-DISCUSS@xxxxxxxxxxxxxxxxx
Subject: Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
From: Nigel Smart <nigel@xxxxxxxxxxxxx>
Date: Wed, 2 Jul 2008 08:06:05 +0100
Delivered-to: mhonarc@xxxxxxxxxxxxxxxx
In-reply-to: <FBF06720F7D8E7448839CBD10B2D92A33108A9@xxxxxxxxxxxxxxxx>
List-help: <http://listserv.ieee.org/cgi-bin/wa?LIST=STDS-P1363-DISCUSS>, <mailto:LISTSERV@LISTSERV.IEEE.ORG?body=INFO%20STDS-P1363-DISCUSS>
List-owner: <mailto:STDS-P1363-DISCUSS-request@LISTSERV.IEEE.ORG>
List-subscribe: <mailto:STDS-P1363-DISCUSS-subscribe-request@LISTSERV.IEEE.ORG>
List-unsubscribe: <mailto:STDS-P1363-DISCUSS-unsubscribe-request@LISTSERV.IEEE.ORG>
References: <FBF06720F7D8E7448839CBD10B2D92A33108A9@xxxxxxxxxxxxxxxx>
Reply-to: Nigel Smart <nigel@xxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (X11/20070221)


* Does it make sense for all schemes?

Yes

* Does it make sense for some schemes only?


Maybe, not sure about the more esoteric schemes in the standard.

But some academic schemes are NOT secure if instantiated with
a symmetric pairing, or an asymmetric pairing with homomorphism.
  - Myself and some others are about to propose a pairing based
    DAA scheme with these properties.
  - To see this think of the pairing based CL signature scheme in
    the various settings, and notice that if 2XDDH (i.e. XDDH in
    both groups) holds then the scheme can be made much more efficient,
    but if 2XDDH does not hold then the efficiency improvements will
    make the scheme insecure.

* Is it too early in the use of IBE to start standardizing
different pairings, and should we focus on a singleinteroperable specification?


The exact opposite. It is so early you don't want to exclude something.

For example currently Ate/sextic twists are best at "proper" security
levels (i.e. equivalent to 128-bit AES/256-bit ECC/3000-bit RSA)
as opposed to "academic" security levels (80-bit Block cipher, 160-bit ECC,
1024-bit RSA). It might be that someone finds a really really good way of
making  supersingular curves work at these levels, so you dont want to
exclude them (you will still die on bandwidth for ss-curves, but maybe in
some apps you dont care about that).

Nigel
--
Prof. Nigel P. Smart               | Phone: +44 (0)117 954 5163
Computer Science Department,       | Fax:   +44 (0)117 954 5208
Woodland Road,                     | Email: nigel@xxxxxxxxxxxxx
University of Bristol, BS8 1UB, UK | URL:   http://www.cs.bris.ac.uk/~nigel/

______________________________________________________________________
To unsubscribe, mail LISTSERV@xxxxxxxxxxxxxxxxx with
the body of the message containing: SIGNOFF STDS-P1363-DISCUSS
Send any concerns to STDS-P1363-DISCUSS-request@xxxxxxxxxxxxxxxxx,
or manage subscriptions at http://listserv.ieee.org/cgi-bin/wa
Visit IEEE P1363 on the web at: http://grouper.ieee.org/groups/1363
______________________________________________________________________

Follow-Ups:
- Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
  - From: Paulo S. L. M. Barreto

References:
- [P1363:] 1363.3: Using generalized schemes / choice of pairings
  - From: Whyte, William

Prev by Date: Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
Next by Date: Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
Previous by thread: Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
Next by thread: Re: [P1363:] 1363.3: Using generalized schemes / choice of pairings
Index(es):
- Date
- Thread