Professional Documents
Culture Documents
RESEARCH PAPERS
.
SCIENCE CHINA
Information Sciences
doi: 10.1007/s11432-011-4293-9
c Science China Press and Springer-Verlag Berlin Heidelberg 2011 info.scichina.com www.springerlink.com
Zero-knowledge proofs of retrievability
ZHU Yan
1,2
, WANG HuaiXi
3
, HU ZeXing
1
, AHN Gail-Joon
4
& HU HongXin
4
1
Institute of Computer Science and Technology, Peking University, Beijing 100871, China;
2
Beijing Key Laboratory of Internet Security Technology, Peking University, Beijing 100871, China;
3
School of Mathematical Sciences, Peking University, Beijing 100871, China;
4
School of Computing, Informatics, and Decision Systems Engineering, Arizona State University,
Tempe, AZ 85287, USA
Received April 26, 2010; accepted December 14, 2010
Abstract Proof of retrievability (POR) is a technique for ensuring the integrity of data in outsourced storage
services. In this paper, we address the construction of POR protocol on the standard model of interactive proof
systems. We propose the rst interactive POR scheme to prevent the fraudulence of prover and the leakage of
veried data. We also give full proofs of soundness and zero-knowledge properties by constructing a polynomial-
time rewindable knowledge extractor under the computational Die-Hellman assumption. In particular, the
verication process of this scheme requires a low, constant amount of overhead, which minimizes communication
complexity.
Keywords cryptography, integrity of outsourced data, proofs of retrievability, interactive protocol, zero-
knowledge, soundness, rewindable knowledge extractor
Citation Zhu Y, Wang H X, Hu Z X, et al. Zero-knowledge proofs of retrievability. Sci China Inf Sci, 2011, 54:
doi: 10.1007/s11432-011-4293-9
1 Introduction
A proof of retrievability (POR) [1] is a cryptographic proof technique for a storage provider to prove that
clients data remain intact. In other words, the clients can fully retrieve their data and have condence
to use the recovered data. This highlights a strong need to seek an eective solution for checking whether
their data have been tampered with or deleted without downloading the latest version of data. This
technique is important for the storage-outsourced data, especially large les or achieves. For example,
with a wide spread of cloud computing, cloud storage service has become a new prot growth point
by providing a comparably low-cost, scalable, location-independent platform for managing clients data.
However, if such an important service is vulnerable to malicious attacks, it would bring irretrievable
losses to the clients since their data and archives are stored into an uncertain storage pool outside the
enterprises. Therefore, it is necessary for cloud service providers to make use of the POR technique to
provide a secure management of their storage services.
Since a formal model for the proof of retrievability was introduced by Juels and Kaliski [1], some
schemes [25] have been proposed in recent years. In these schemes, Shacham and Waters [6] proposed
the compact proofs of retrievability (CPOR) schemes, considered as a representative work with a general
0, 1
n
index by k /. We say that
algorithm / has advantage in breaking the collision-resistance of H if
Pr[/(k) = (m
0
, m
1
) : m
0
,= m
1
, H
k
(m
0
) = H
k
(m
1
)] ,
where the probability is over the random choice of k / and the random bits of /. This hash function
can be obtained from the hash function of BLS signatures [9].
Denition 1 (Collision-resistant hash). A hash family H is (t, )-collision-resistant if no t-time adver-
sary has advantage at least in breaking the collision-resistance of H.
We set up our systems using bilinear pairings proposed by Boneh and Franklin [11]. Let G and G
T
be two multiplicative groups using elliptic curve conventions with large prime order p. The function e
is a computable bilinear map e : G G G
T
with the following properties: for any G, H G and all
a, b Z
p
, we have 1) bilinearity: e(G
a
, H
b
) = e(G, H)
ab
; 2) non-degeneracy: e(G, H) ,= 1 unless G or
H = 1; and 3) computability: e(G, H) is eciently computable.
Denition 2 (Bilinear map group system). A bilinear map group system is a tuple S = p, G, G
T
, e)
composed of the objects as described above.
Shacham and Waters [6] proposed a general CPOR model as follows: Given a le F, the client splits F
into n blocks (m
1
, . . . , m
n
) and each block m
i
is further split into s sectors (m
i,1
, . . . , m
i,s
) Z
s
p
for some
suciently large p. Let e : G G G
T
be a bilinear map, g be a generator of G, and H : 0, 1
G
be the BLS hash. The secret key is sk = x
R
Z
p
and the public key is pk = (g, v = g
x
). The client
chooses s random u
1
, . . . , u
s
R
G as the verication information t = (Fn, u
1
, . . . , u
s
), where Fn is the
le name. For each i [1, n], the tag at the ith block is
i
= (H(Fn[[i)
s
j=1
u
mi,j
j
)
x
. On receiving
query Q = (i, v
i
)
iI
for an index set I, the server computes and sends back
(i,vi)Q
vi
i
and
= (
1
, . . . ,
s
), where
j
(i,vi)Q
v
i
m
i,j
. The verication equation is
e(
, g) = e
_
(i,vi)Q
H(Fn[[i)
vi
s
j=1
u
j
j
, v
_
.
This scheme is not secure for the leakage of le information as follows:
Attack 1. An adversary can get the le and tag information by running or wiretapping n times veri-
cation communication for a le with n s sectors.
Proof. Let s be the number of sectors in each block. After running or wiretapping n times queries, an ad-
versary can get n times challenges (Q
(1)
, . . . , Q
(n)
) and their the responses ((
(1)
,
(1)
), . . . , (
(n)
,
(n)
)),
where
(k)
= (
(k)
1
, . . . ,
(k)
s
) for k [1, n]. For each i [1, s], these responses can generate the equations
_
(1)
i
= v
(1)
1
m
1,i
+ +v
(1)
n
m
n,i
,
.
.
.
.
.
.
(n)
i
= v
(n)
1
m
1,i
+ +v
(n)
n
m
n,i
,
where Q
(k)
= (j, v
(k)
j
)
jI
are known and j , I, v
(k)
j
= 0 for k [1, n]. The adversary can compute
m
1,i
, . . . , m
n,i
by solving the equations i the coecient matrix v
(j)
i
nn
of equations is invertible.
4 Zhu Y, et al. Sci China Inf Sci
After s times solving these equations (i [1, s]), the adversary can obtain the whole le, F = m
i,j
i[1,n]
j[1,s]
.
Similarly, the adversary can get all tags
1
, . . . ,
n
by using
(1)
, . . . ,
(n)
. Denote the inverse matrix of
v
(j)
i
nn
by w
i,j
nn
, all the tags can be easily computed following the equations
j
=
n
i=1
(i)
wi,j
for j [1, n] .
3 Interactive proofs of retrievability
3.1 Denition
We present the denition of interactive proofs of retrievability (IPOR) based on interactive proof systems:
Dention 3 (Interactive-POR). An interactive proof of retrievability scheme o is a collection of two
algorithms and an interactive proof system, o = (/, T , T):
/eyGen(1
,
Pr[P
(F,
), V )(pk, ) = 1] 1/p
2
(); (2)
where p
1
() and p
2
() are two polynomials, and is a security parameter used in KeyGen(1
).
In this denition, the function 1/p
1
() is called completeness error, and the function 1/p
2
() is called
soundness error. For non-triviality, we require 1/p
1
() + 1/p
2
() 1 1/poly().
The soundness means that it is infeasible to fool the verier into accepting false statements. The
soundness can also be regarded as a stricter notion of unforgeability for the le tags. Thus, the above
Zhu Y, et al. Sci China Inf Sci 5
denition means that the prover cannot forge the le tags or tamper with the data if soundness property
holds.
In order to protect the condentiality of checked data, we are more concerned about the leakage of
private information in the verication process. It is easy to nd that data blocks and their tags could be
obtained by the verier in some existing schemes. To solve this problem, we introduce zero-knowledge
property into IPOR system, as follows:
Denition 5 (Zero-knowledge). An interactive proof of retrievability scheme is computational zero
knowledge if there exists a probabilistic polynomial-time algorithm S
Pr[D(pk, , S
(pk, )) = 1]
Pr[D(pk, , P(F, ), V
)(pk, )) = 1]
1/p(),
where S
(pk, ) denotes the output of simulator S on common input (pk, ) and P(F, ), V
)(pk, )
denotes the output of interactive protocol between V
): Let S = (p, G, G
T
, e) be a bilinear map group system with randomly selected generators
g, h
R
G, where G, G
T
are two groups of large prime order p, [p[ = O(). Generate a collision-resistant
hash function H
k
() and chooses two random ,
R
Z
p
and computes H
1
= h
and H
2
= h
G.
Thus, the secret key is sk = (, ) and the public key is pk = (g, h, H
1
, H
2
).
TagGen(sk, F): Splits the le F into ns sectors F = m
i,j
Z
ns
p
. Chooses s random
1
, . . . ,
s
Z
p
as the secret of this le and computes u
i
= g
i
G for i [1, s] and
(1)
= H
(Fn), where
=
s
i=1
i
and Fn is the le name. Builds an index table =
i
n
i=1
and lls out the item
i
in for
i [1, n], where the index table =
i
i[1,n]
can be used to support some dynamic data operations,
for example, we dene
i
= (B
i
[[V
i
[[R
i
) and initially set
i
= (B
i
= i, V
i
= 1, R
i
R
0, 1
), where B
i
is the sequence number of block, R
i
is the version number of updates for this block, and R
i
is a random
integer to avoid collision. Then calculates its tag as
i
(
(2)
i
)
s
j=1
jmi,j
G,
where
(2)
i
= H
(1) (
i
) and i [1, n]. Finally, sets u = (
(1)
, u
1
, . . . , u
s
) and outputs = (
1
, . . . ,
s
),
= (u, ) to a trusted third part (TTP), and = (
1
, . . . ,
n
) to a storage service provider (SSP).
Proof(P, V ): This is a 3-move protocol between Prover (SSP) and Verier (client) with the common
input (pk, ), which is stored in a TTP as follows:
Commitment (P V ): P chooses a random
R
Z
p
and s integers
j
R
Z
p
for j [1, s], and
sends theirs commitments C = (H
1
, ) to V , where H
1
= H
1
and e(
s
i=1
u
j
j
, H
2
) G
T
.
6 Zhu Y, et al. Sci China Inf Sci
Challenge (P V ): V chooses a random challenge set I of t indices along with t random coecients
v
i
Z
p
, where t = [I[. Let Q = (i, v
i
)
iI
be the set of challenge index coecient pairs. V sends Q to
P.
Response (P V ): P calculates the response and as
(i,vi)Q
vi
i
,
j
j
+
(i,vi)Q
v
i
m
i,j
,
where =
j
j[1,s]
. P sends = (
, ) to V .
Verication: Now the verier V can check whether or not the response was correctly formed by
e(
, h)
?
= e
_
(i,vi)Q
(
(2)
i
)
vi
, H
1
_
e
_
s
j=1
u
j
j
, H
2
_
. (3)
In order to prevent the leakage of the stored data and tags in the verication process, the secret data
m
i,j
are protected by a random
j
Z
p
and the tags
i
are randomized by a Z
p
. Moreover,
the values
j
and are protected by the simple commitment methods, i.e., H
1
and e(
s
i=1
u
j
j
, H
2
),
to avoid the adversary from gaining them.
5 Security proof of construction
Our scheme is an ecient interactive proof system with completeness and soundness properties as follows:
(1) Completeness: for every available tag TagGen(sk, F) and a random challenge Q = (i, v
i
)
iI
,
the completeness of protocol can be elaborated as follows:
e(
, h) = e(g, h)
s
j=1
jj
e
_
(i,vi)Q
(
(2)
i
)
vi
, h
_
e(g, h)
s
j=1
(j
(i,v
i
)Q
vimi,j)
= e(g, h)
s
j=1
jj
e
_
(i,vi)Q
(
(2)
i
)
vi
, h
_
e(g, h)
s
j=1
(jjjj)
= e
_
(i,vi)Q
(
(2)
i
)
vi
, h
j=1
e(u
j
j
, h
).
There exists a trivial solution when v
i
= 0 for all i I. In this case, the above equation could not
determine whether the processed le is available, because
= 1,
j
=
j
, and
j
= u
j
j
. Hence, the
completeness of protocol holds
Pr[P(F, ), V )(pk, ) = 1] 1 1/p
t
,
where t is the number of index coecient pairs in Q. In fact, we require v
i
R
Z
p
.
(2) Soundness: For every tag
R
G, output
G
ab
G. We have the following theorem:
Lemma 1. Our IPOR scheme has (t,
.
Proof. For some unavailable tags
that can pass verication with noticeable probability, that is, there exists a polynomial p()
and all suciently large s,
Pr[P
(F,
, we build a probabilistic algorithm / (called knowledge Extractor) that breaks the Computa-
tional Die-Hellman CDH problem in a cyclic group G S of order p. That is, given G, G
1
, G
2
R
G,
output G
ab
G, where G
1
= G
a
, G
2
= G
b
. The algorithm / is constructed by interacting with P
as
follows:
Setup: / chooses a random r
R
Z
p
and sets g = G, h = G
r
, H
1
= G
r
1
, H
2
= G
r
2
as the public key
pk = (g, h, H
1
, H
2
), which is sent to P
.
Learning: given a le F = m
i,j
i[1,n]
j[1,s]
, / rst chooses s random
i
R
Z
p
and u
i
= G
i
2
for i [1, s].
Secondly, / assigns the indices 1, . . . , n into two sets T = t
1
, . . . , t
n
2
and T
= t
1
, . . . , t
n
2
. Let
m
ti,j
,= m
t
i
,j
for all i [1, n/2] and j [1, s]. Then, / builds an index table and
(1)
in terms of the
original scheme and generates the tag of each block, as follows:
For each t
i
T, / chooses r
i
R
Z
p
and sets
(2)
ti
= H
(1) (
ti
) = G
ri
and
ti
= G
ri
1
G
s
j=1
jmt
i
,j
2
.
For each t
i
T
, / uses r
i
and two random r
i
,
i
R
Z
p
to sets
(2)
t
i
= H
(1) (
t
i
) = G
ri
G
r
i
2
and
i
= G
i
1
G
s
j=1
jm
t
i
,j
2
.
/ checks whether e(
t
i
, h)
?
= e(
(2)
t
i
, H
1
) e(
s
j=1
u
m
t
i
,j
j
, H
2
) for all t
i
T
i
)
1
, otherwise / sends (F,
=
i
n
i=1
) and = (
(1)
, u = u
i
, )
to P
.
Hash queries: At any time, P
(1) (
k
), / responds with
(2)
ti
or
(2)
t
i
while ensuring consistency, where k = t
i
or t
i
.
Output: / chooses an index set I [1,
n
2
] and two subsets I
1
and I
2
, where I = I
1
I
2
, [I
2
[ > 0. /
constructs the challenges v
i
iI
and all v
i
,= 0. Then / simulates V to run an interaction P
, /) as
follows:
Commitment. / receives (H
1
,
) from P
;
Challenge. / sends the challenge Q
1
= (t
i
, v
i
)
iI
to P
;
Response. / receives (
s
j=1
) from P
.
/ checks whether or not each response is an eective result by eq. (3). If it is true, then / completes
a rewindable access to the prover P
as follows:
Commitment. / receives (H
1
,
) from P
;
Challenge. / sends the following challenge to P
, Q
2
= (t
i
, v
i
)
iI1
(t
i
, v
i
)
iI2
;
Response. / receives (
s
j=1
) or a special halting-symbol from P
.
If the response is not a halting-symbol, then / checks whether the response is eective by eq. (3),
H
1
?
= H
1
, and
?
=
iI2
v
i
(m
t
i
,j
m
ti,j
)
for any j [1, s] and veries H
1
?
= H
1
to ensure this is an eective rewindable access. Finally, / outputs
G
ab
= G
a
2
=
_
G
(1)
iI
rivi
1
_ 1
iI
2
r
i
v
i
, (5)
where
=
iI1
s
j=1
j
m
ti,j
v
i
+
iI2
s
j=1
j
m
t
i
,j
v
i
iI
s
j=1
j
m
ti,j
v
i
and ,= 1.
It is obvious that we set = a and = b in the above construction. Since the tags
ti
are available
for any t
i
T, the response in the rst interaction satises the equation:
e(
, h) = e
_
iI
(
(2)
ti
)
vi
, H
1
_
e
_
s
j=1
u
j
j
, H
2
_
8 Zhu Y, et al. Sci China Inf Sci
= e(G
iI
rivi
, H
1
) e
_
s
j=1
u
j
j
, H
2
_
.
However, the values of
t
i
are unavailable for all t
i
T
, i.e., the chosen parameters are the same in two protocol executions [7, 13].
In above construction, this property ensures H
1
= H
1
,
j
=
iI
v
i
(m
t
i
,j
m
ti,j
) =
iI2
v
i
(m
t
i
,j
m
ti,j
).
By checking H
1
= H
1
for all computed from this equation, we can make sure of the consistence of
i
=
i
for i [1, s] in two executions. Thus, we have e(
s
j=1
u
j
j
, H
2
)
1
= e(G
2
, H
2
)
iI
s
j=1
jmt
i
,jvi
and
e
_
s
j=1
u
j
j
, H
2
_
1
= e(G
2
, H
2
)
iI
1
s
j=1
jmt
i
,jvi
e(G
2
, H
2
)
iI
2
s
j=1
jm
t
i
,j
vi
.
This means that e(
s
j=1
u
j
j
, H
2
)
1
= (e(
s
j=1
u
j
j
, H
2
)
1
)
, h) = e
_
iI1
(
(2)
ti
)
vi
iI2
(
(2)
t
i
)
vi
, H
1
_
e
_
s
j=1
u
j
j
, H
2
_
(
)
1
= e
_
iI1
(G
ri
)
vi
iI2
(G
ri
G
r
i
2
)
vi
, H
1
_
e
_
s
j=1
u
j
j
, H
2
_
1
= e
_
iI
G
rivi
, H
1
_
e
_
iI2
G
r
i
vi
2
, H
1
_
_
e
_
s
j=1
u
j
j
, H
2
_
1
_
= e
_
iI
G
rivi
, H
1
_
e
_
iI2
G
r
i
vi
2
, H
1
_
_
e
_
, h)
e(
iI
G
rivi
, H
1
_
_
= e(
, h) e(G
iI
2
r
i
vi
2
G
(1)
iI
rivi
, H
1
).
We have the equations e(
, h) = e(G
iI
2
r
i
vi
2
G
(1)
iI
rivi
, H
1
), H
1
= h
a
, and G
1
= G
a
,
thus eq. (5) holds. Furthermore, we have
Pr[/(CDH(G, G
a
, G
b
)) = G
ab
] Pr[P
(F,
), /)(pk, ) = 1] 1/p().
It follows that / can solve the given -CDH challenge with advantage at least , as required. This
completes the proof of Theorem.
Lemma 2. The verication protocol Proof(P, V ) is a computational zero-knowledge system in our
IPOR scheme.
Proof. For the protocol Proof(P, V ), we construct a machine S
R
G and computes e(
, h).
2. Chooses t random coecients v
i
iI
R
Z
t
p
and a random
R
Z
p
to compute H
1
H
1
and
A
1
e(
iI
H
(1) (
i
)
vi
, H
1
).
3. Chooses s random
i
R
Z
s
p
to A
2
e(
s
j=1
u
j
j
, H
2
).
4. Calculates A
1
A
2
e(
, h)
1
.
5. Outputs S
1
, ), (i, v
i
)
t
i=1
, (
, )).
It is obvious that the output of simulator S
1
, ), (i, v
i
)
t
i=1
, (
after interacting with the interactive machine P on common input (pk, ). In fact, every pair of variables
Zhu Y, et al. Sci China Inf Sci 9
Table 1 The storage/communication and computation overheads in our IPOR scheme
Algorithm Computation overheads Communication overheads
KeyGen 2[E] 2l
0
TagGen (2n + s)[E] nsl
0
+ nl
1
Protocol
Commitment [B] + (s + 1)[E] l
2
+ l
T
Challenge 2tl
0
Response t[E] sl
0
+ l
1
Verication 3[B] + (t + s)[E]
is identically distributed in two ensembles, for example, H
1
, (i, v
i
) and H
1
, (i, v
i
) are identically
distributed due to the fact that the variables , v
i
R
Z
p
, as well as (
, ) and (
, ) are identically
distributed since
R
G,
j
R
Z
p
and u
j
j
+
iI
v
i
m
i,j
for i [1, s]. Two variables, and
, are computational indistinguishable because the is identically distributed in terms of the random
choice of all
i
and the distribution of is decided on the randomized assignment of the above variables.
Hence, two ensembles, S
Pr[D(pk, , S
(pk, )) = 1]
Pr[D(pk, , P(F, ), V
)(pk, ))] = 1
1/p().
The fact that such simulators exist means that V
p
km
(we give here the denition from [15, 16]), where p
is a prime, m is a positive integer, and k is the embedding degree (or security multiplier). In this case, we
utilize asymmetric pairing e : G
1
G
2
G
T
to replace symmetric pairing in original schemes. Without
loss of generality, let the security parameter be 80-bits, we need the elliptic curve domain parameters
over F
p
with [p[ = 160-bits and m = 1 in our experiments. This means that the length of integer is
l
0
= 2 in Z
p
. Similarly, we have l
1
= 4 in G
1
, l
2
= 24 in G
2
, and l
T
= 24 in G
T
for the embedding
degree k = 6. Based on these denitions, we describe storage or communication cost in Table 1. For a 1M
bytes le and s = 200, the extra storage of tags is 250 40 = 10K bytes (n = 250) and the commitment
and response overheads are 240 + 240 = 480 bytes and 200 20 + 40 4K bytes, respectively. It is
obvious that the communication overhead has a constant size in the commitment and response steps of
verication protocol. Furthermore, given a le with sz = n s sectors and the probability of sector
corruption, the detection probability of our scheme has P 1(1)
sz
, where denotes the sampling
probability in the verication protocol.
10 Zhu Y, et al. Sci China Inf Sci
7 Conclusions
In this paper, we addressed the construction of POR scheme on interactive proof systems. Based on an
interactive zero-knowledge proof, we proposed an interactive POR (IPOR) scheme to support soundness
property and zero-knowledge property. Our analysis showed that our schemes require a small, constant
amount of overhead, which minimizes computation and communication complexity.
Acknowledgements
This work was supported by the National Natural Science Foundation of China (Grant No. 61003216), and the
US National Science Foundation (Grant Nos. NSF-IIS-0900970, NSF-CNS-0831360). The authors gave thanks
to the collaborators at Arizona State University: Dijiang Huang and Stephen S. Yau for discussing the research
direction and the method for proofs, also to the intern student, Kainan Liu, at Peking University for verifying
the scheme by C++ Language.
References
1 Juels A, Kaliski-Jr B S. Pors: Proofs of retrievability for large les. In: Proceedings of the 2007 ACM Conference on
Computer and Communications Security, CCS 2007. Alexandria: ACM, 2007. 584597
2 Ateniese G, Burns R C, Curtmola R, et al. Provable data possession at untrusted stores. In: Proceedings of the 2007
ACM Conference on Computer and Communications Security, CCS 2007. Alexandria: ACM, 2007. 598609
3 Bowers K D, Juels A, Oprea A. Proofs of retrievability: Theory and implementation. In: Proceedings of the 2009 ACM
Workshop on Cloud Computing Security, CCSW 2009. Chicago: ACM, 2009. 4354
4 Odis Y, Vadhan S P, Wichs D. Proofs of retrievability via hardness amplication. In: Reingold O, ed. Theory of
Cryptography, 6th Theory of Cryptography Conference, TCC 2009. Lecture Notes in Computer Science, vol. 5444. San
Francisco: Springer-Verlag, 2009. 109127
5 Wang Q, Wang C, Li J, et al. Enabling public veriability and data dynamics for storage security in cloud computing.
In: Proceedings of the 14th European Symposium on Research in Computer Security, ESORICS 2009. Saint-Malo:
Springer-Verlag, 2009. 355370
6 Shacham H, Waters B. Compact proofs of retrievability. In: Advances in Cryptology - ASIACRYPT 2008, 14th Interna-
tional Conference on the Theory and Application of Cryptology and Information Security. Melbourne: Springer-Verlag,
2008. 90107
7 Goldreich O. Foundations of Cryptography: Basic Tools. Volume Basic Tools. Cambridge: Cambridge University Press,
2001
8 Christopher Erway C, K up c u A, Papamanthou C, et al. Dynamic provable data possession. In: Proceedings of the 2009
ACM Conference on Computer and Communications Security, CCS 2009. Chicago: ACM, 2009. 213222
9 Boneh D, Boyen X, Shacham H. Short group signatures. In: Proceedings of CRYPTO 2004, LNCS series. Santa Barbara:
Springer-Verlag, 2004. 4155
10 Bowers K D, Juels A, Oprea A. Hail: A high-availability and integrity layer for cloud storage. In: ACM Conference on
Computer and Communications Security, CCS 2009. Chicago: ACM, 2009. 187198
11 Boneh D, Franklin M. Identity-based encryption from the weil pairing. In: Advances in Cryptology (CRYPTO2001),
vol. 2139 of LNCS. Santa Barbara: Springer-Verlag, 2001. 213229
12 Schnorr C P. Ecient signature generation by smart cards. J Cryptol, 1991, 4: 161174
13 Cramer R, Damgard I D, MacKenzie P D. Ecient zero-knowledge proofs of knowledge without intractability assump-
tions. In: Public Key Cryptography. Melbourne: Springer-Verlag, 2000. 354373
14 Barreto P S L M, Galbraith S D, OEigeartaigh C, et al. Ecient pairing computation on supersingular abelian varieties.
Des Codes Cryptogr, 2007, 42: 239271
15 Beuchat J L, Brisebarre N, Detrey J, et al. Arithmetic operators for pairing-based cryptography. In: Cryptographic
Hardware and Embedded Systems - CHES 2007, 9th International Workshop. Vienna: Springer-Verlag, 2007. 239255
16 Hu H G, Hu L, Feng D G. On a class of pseudorandom sequences from elliptic curves over nite elds. IEEE Trans Inf
Theory, 2007, 53: 25982605