The final exponentiation affects the efficiency of pairing computations especially on pairing-friendly curves with high embedding degree. We propose an efficient method for computing the hard part of the final exponentiation on the KSS18 curve at the 192-bit security level. Implementations indicate that the computation of the final exponentiation is 8.74% faster than the previously fastest result.

Two new authenticated key agreement protocols in the certificateless setting are presented in this paper. Both are proved secure in the extended Canetti-Krawczyk model, under the BDH assumption. The first one is more efficient than the Lippold et al.'s (LBG) protocol, and is proved secure in the same security model. The second protocol is proved secure under the Swanson et al.'s security model, a weaker model. As far as we know, our second proposed protocol is the first one proved secure in the Swanson et al.'s security model. If no pre-computations are done, the first protocol is about 26% faster than LBG, and the second protocol is about 49% faster than LBG, and about 31% faster than the first one. If pre-computations of some operations are done, our two protocols remain faster.

The concept of dual pairing vector spaces (DPVS) was introduced by Okamoto and Takashima in 2009, and it has been employed in various applications, functional encryption (FE) including attribute-based encryption (ABE) and inner-product encryption (IPE) as well as attribute-based signatures (ABS), generic conversion from composite-order group based schemes to prime-order group based ones and public-key watermarking. In this paper, we show the concept of DPVS, the major applications to FE and the key techniques employed in these applications. This paper presents them with placing more emphasis on plain and intuitive descriptions than formal preciseness.

In anonymous reputation systems, where after an interaction between anonymous users, one of the users evaluates the peer by giving a rating. Ratings for a user are accumulated, which becomes the reputation of the user. By using the reputation, we can know the reliability of an anonymous user. Previously, anonymous reputation systems have been proposed, using an anonymous e-cash scheme. However, in the e-cash-based systems, the bank grasps the accumulated reputations for all users, and the fluctuation of reputations. These are private information for users. Furthermore, the timing attack using the deposit times is possible, which makes the anonymity weak. In this paper, we propose an anonymous reputation system, where the reputations of users are secret for even the reputation manager such as the bank. Our approach is to adopt an anonymous credential certifying the accumulated reputation of a user. Initially a user registers with the reputation manager, and is issued an initial certificate. After each interaction with a rater, the user as the ratee obtains an updated certificate certifying the previous reputation summed up by the current rating. The update protocol is based on the zero-knowledge proofs, and thus the reputations are secret for the reputation manager. On the other hand, due to the certificate, the user cannot maliciously alter his reputation.

Broadcast encryption scheme with personalized messages (BEPM) is a new primitive that allows a broadcaster to encrypt both a common message and individual messages. BEPM is necessary in applications where individual messages include information related to user's privacy. Recently, Fujii et al. suggested a BEPM that is extended from a public key broadcast encryption (PKBE) scheme by Boneh, Gentry, and Waters. In this paper, we point out that 1) Conditional Access System using Fujii et al.'s BEPM should be revised in a way that decryption algorithm takes as input public key as well, and 2) performance analysis of Fujii et al.'s BEPM should be done depending on whether the public key is transmitted along with ciphertext or stored into user's device. Finally, we propose a new BEPM that is transmission-efficient, while preserving O(1) user storage cost. Our construction is based on a PKBE scheme suggested by Park, Kim, Sung, and Lee, which is also considered as being one of the best PKBE schemes.

To reduce the damage of key exposures, forward-secure group signature schemes have been first proposed by Song. In the forward-secure schemes, a secret key of a group member is updated by a one-way function every interval and the previous secret key is erased. Thus, even if a secret key is exposed, the signatures produced by the secret keys of previous intervals remain secure. Since the previous forward-secure group signature schemes are based on the strong RSA assumption, the signatures are longer than pairing-based group signatures. In addition, the complexity of the key update or signing/verification is O(T), where T is the total number of intervals. In this paper, a forward-secure group signature scheme from pairings is proposed. The complexity of our key update and signing/verification is O(log T).

Lots of revocable group signature schemes have been proposed so far. In one type of revocable schemes, signing and/or verifying algorithms have O(N) or O(R) complexity, where N is the group size and R is the number of revoked members. On the other hand, in Camenisch-Lysyanskaya scheme and the followers, signing and verifying algorithms have O(1) complexity. However, before signing, the updates of the secret key are required. The complexity is O(R) in the worst case. In this paper, we propose a revocable scheme with signing and verifying of O(1) complexity, where any update of secret key is not required. The compensation is the long public key of O(N). In addition, we extend it to the scheme with O()-size public key, where signing and verifying have constant extra costs.

In a proxy multi-signature scheme, a designated proxy signer can generate the signature on behalf of a group of original signers. Recently, Wang and Cao proposed an identity based proxy multi-signature scheme along with a security model. Although they proved that their scheme is secure under this model, we disprove their claim and show that their scheme is not secure.

Pairing based cryptography has been researched intensively due to its beneficial properties. In 2005, Wu et al. [3] proposed an identity-based key agreement for peer group communication from pairings. In this letter, we propose attacks on their scheme, by which the group fails to agree upon a common communication key.

Web metering is an effective means of measuring the number of visits from clients to Web servers during a specific time frame. Naor and Pinkas, in 1998, first introduced metering schemes to evaluate the popularity of Web servers. Ogata and Kurosawa proposed two schemes that improve on the Naor-Pinkas metering schemes. This study presents a Web metering scheme which is based on the bilinear pairings and built on the GDH group. The proposed scheme can resist fraud attempts by malicious Web servers and disruptive attacks by malicious clients.

This paper proposes new candidate one-way functions constructed with a certain type of endomorphisms on non-supersingular elliptic curves. We can show that the one-wayness of our proposed functions is equivalent to some special cases of the co-Diffie-Hellman assumption. Also a digital signature scheme is explicitly described using our proposed functions.

This paper provides methods for construction of pairing-based cryptosystems based on non-supersingular elliptic curves.