Bonn-Aachen International Center
for Information Technology





city life
cosec >students >Teaching >Winter 2012/2013 

Topics in theoretical cryptography: Pairing-based cryptography
Advanced cryptography: Pairing-based cryptography

This course is listed in Aachen Campus as Advanced Cryptography: pairing-based cryptography, in Bonn Basis as Advanced cryptography: Pairing-based cryptography and as MA-INF 1313 - Topics in Theoretical Cryptography: Pairing-based Cryptography with Exercises.


Prof. Dr. Joachim von zur Gathen


Michael Nüsken


Daniel Loebenberger

Time & Place

First meeting: Tuesday, 23 October 2012.

All times subject to agreement in class.


The screen notes (PDF) contain all handwritten stuff (last updated 30 January 2013, 16:35).



Basic knowledge in cryptography is required.


Elliptic curve cryptography is important for a long time now.

But only recently pairings start to play an important role in the design of cryptosystems. They allow to build much more efficient cryptosystems than earlier construction. And these systems usually come with security reductions to mathematical problems that seem to be reasonably difficult. However, they also require the use of very special curves which may open new attack threats.

The course will study examples of cryptosystems using the new techniques. We will explain the basic techniques, algortihms, security reductions, and discuss consequences and dangers.


Guided by Paterson (2005 PDF), also Paterson (2002 PS).

  1. Basics
    1. First examples
      1. Three party key exchange
      2. ID based NI key distribution (Sakai, Ohgishi & Kasahara 2000)
      3. Short signatures (Boneh, Lynn & Shacham 2001/2003)
      4. ID based encryption (Boneh & Franklin 2003)
      5. First discussion of security
    2. Elliptic curves (as half transparent boxes Wink) [see Nüsken 2010, ECC PDF.]
    3. Pairings (as black boxes)
    4. Miller's algorithm (pairings as half transparent boxes)
      • Nüsken (2010) PDF.
    5. Security notions
    6. ID based versus public key
      • Paterson & Price (2003) DOC.
    All further sections shall describe a system and analyze its security.
  2. Three party key exchange
  3. Key distribution (ID based...)
  4. Encryption (ID based...)
  5. Certificateless public key encryption and key encapsulation.
    • Al-Riyami & Paterson (2003). Certificateless public key cryptography. Eprint 2003/126.
      • Zhang & Feng (2005). On the Security of a Certificateless Public-Key Encryption. @CiteSeer.
      • Au, Chen, Liu, Mu, Wong & Yang (2006). Malicious KGC Attack in Certificateless Cryptography. @CiteSeer.
      • Gorantla, Gangishetti, Das & Saxena (2005). An effective certificateless signature scheme based on bilinear pairings. @CiteSeer.
      • Huang & Wong (2007). Generic Certificateless Encryption in the Standard Model. @CiteSeer.
      • Shi, Li & Shi (2006). Constructing Efficient Certificateless Public Key Encryption with Pairing. @CiteSeer.
      • Sun & Zhang (2008). Secure Certificateless Public Key Encryption without Redundancy. @CiteSeer.
      • Dent (2008). A survey of certi cateless encryption schemes and security models. International Journal of Information Security 7(5), 349-377. eprint 2006/211.
    • Lippold, Boyd & Nieto (2009). Efficient Certificateless KEM in the Standard Model. @CiteSeer.
    • Lippold & Nieto (2010). Certificateless Key Agreement in the Standard Model. AISC 2010. PDF. Preprint PDF.
  6. End of course / does not fit any more:
    • Short signatures (Pairing based...)
      • Boneh, Lynn & Shacham (2001) PS.
      • ...
    • Lee, Boyd, Dawson, Kim, Yang & Yoo (2004). Secure Key Issuing in ID-based Cryptography. @CiteSeer.
    • Waters (2009). Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. Eprint 2009/385.
    • Hierarchical ID based crypto
    • ...
    • Pereira, Simplício, Barreto (2011). A Family of Implementation-Friendly BN Elliptic Curves. @CiteSeer.




4+2 SWS, 8 ECTS credits. Optionally, 3+2 SWS, 6 ECTS credits.

Successful completion of the course yields 8 credit points. For students who only want 6 credit points, a breakpoint at about 3/4 of the teaching time will be defined, and only the course material up to that point will be relevant for their exams and grades.

Imprint, webmaster & more