Implementation of Boneh - Lynn - Shacham short digital signature scheme using Weil bilinear pairing based on supersingular elliptic curves

MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE

DOI: 10.31276/VJSTE.64(4).03-09

Implementation of Boneh - Lynn - Shacham short digital signature scheme
using Weil bilinear pairing based on supersingular elliptic curves
Nhu-Quynh Luc*, Quang-Trung Do, Manh-Hung Le
Academy of Cryptography Techniques
Received 4 May 2022; accepted 14 July 2022

Abstract:
One option for a digital signature solution for devices with low memory and low bandwidth transmission over
channels uses a short digital signature scheme based on Weil bilinear pairing aimed at short processing times,
fast computation, and convenient deployment on applications. The computational technique of non-degenerate
bilinear pairings uses supersingular elliptic curves over a finite field $F_{p^l}$ (where p is a sufficiently large prime
number) and has the advantage of being able to avoid Weil-descent, Menezes-Okamoto-Vanstone (MOV)
attacks, and attacks by the Number Field Sieve algorithm. Compared to Elliptic Curve Digital Signature
Algorithm (ECDSA) digital signature schemes, generating a digital signature for a Boneh-Lynn-Shacham
(BLS) scheme using Weil bilinear pairing on a supersingular elliptic curve is simple. In this study, the authors
replace non-degenerate bilinear pairing calculations on a supersingular elliptic curve with a Weil pairing
with $P \in E(F_p)$, $Q \in E(F_{p^l})$ and a higher security multiplier α=12 in the BLS short digital signature scheme. The
execution time of the BLS short digital signature program showed improvement compared to the commercial
ECDSA digital signature scheme.
Keywords: digital signature, ECDSA, elliptic curve cryptography, Tate pairing, Weil pairing.
Classification number: 1.2

Introduction
Information exchange between devices and applications requires security and authentication with high reliability, in line with the strict standards of this digital era. New requirements for digital signature solutions such as short digital signatures, fast processing speeds, message authentication without transmissions, and digital signature on short message and low bandwidth channel transmissions are essential for today's applications [1-5]. To date, short digital signature solutions and signature authentication using the calculation of an elliptic curve, such as ECDSA, Elliptic Curve-based Schnorr Digital Signature Algorithm (ECSDSA), or Edwards-Curve Digital Signature Algorithm (EdDSA) have been applied widely in commercial products [1, 2, 6-9]. Among these, the digital signature solution with a short digital signature using the calculation of Weil and Tate bilinear pairing of the authors Boneh, Lynn, Shacham (2001) (denoted by the BLS short digital signature scheme) proves to meet the requirements [2, 10].

The BLS scheme uses a special supersingular curve with p=3, which raises the security level of the BLS scheme to be equivalent to the Digital Signature Algorithm (DSA) using a 1024-bit prime number [11-13]. The BLS short digital signature scheme is secure against attack with selected messages (according to a random oracle model), given that “Computational Diffie-Hellman based on an elliptic curve over finite field $F_{p^l}$ (where p is a sufficiently large prime number) being difficult to solve” [1, 2]. The advantage of the BLS scheme when generating a digital signature is its simplicity, as both the digital signature and signature verification processes use a non-degenerate bilinear pairing (Weil and Tate bilinear pairings) on the elliptic curve [2, 6, 10, 14-18]. Since this non-degenerate bilinear pairing calculus technique uses a supersingular elliptic curve over finite field $F_p$, such that both the generic discrete log algorithm in $E(F_p)$ and the Number Field Sieve in $F_{p^l}^*$ are intractable, it is resistant to some Weil descent and MOV attacks [11, 12], as well as attacks by the Number Field Sieve algorithm [19-21]. Several publications have shown that elliptic curve cryptography (ECC) built on non-degenerate bilinear pairing could be a secure cryptosystem for today's applications, with one particular development being the supersingular isogeny Diffie-Hellman (SIDH) [7, 22, 23].

This solution aims towards short processing time, fast computation, and convenient deployment on applications, making it fit for devices with low memory and transmission over low bandwidth channels. The authors have used computational techniques of Weil non-degenerate bilinear pairing (with a higher security multiplier α=12) in building a BLS short digital signature scheme based on a supersingular elliptic curve with functions for key generation, digital signature, and signature verification.

*Corresponding author: Email:

DECEMBER 2022 • VOLUME 64 NUMBER 4


Related works on the BLS short digital signatures scheme

Mathematical basis of Weil and Tate pairing based on Supersingular Elliptic curves

Torsion points play an important role in the calculations of Weil and Tate bilinear pairings on elliptic curves and usually torsion points are points of finite order [1, 7].

Definition 1: Given an elliptic curve E over a field K and a positive integer n. Then, the set of n-torsion points is defined as the set $E[n] = \{P \in E(K) \mid nP = \infty\}$ [1].

Since the characteristic of K is not divisible by n, the equation $x^n = 1$ does not have multiple solutions, but has n solutions in K and $\mu_n$ is a cyclic group of order n. An element $\zeta \in \mu_n$ satisfies $\zeta^k = 1$ if and only if n is divisible by K, then $\zeta$ is called a primitive root of degree n [1].

Definition 2: Let there be an elliptic curve E over K and n be an integer not divisible by the characteristic of K such that $E[n] \subseteq E[K]$. Then, the Weil pairing is the mapping $e_n : E[n] \times E[n] \to \mu_n$ [2].

Given $T \in E[n]$, there exists a function f such that $\mathrm{div}(f) = n[T] - n[\infty]$. Then choose $T' \in E[n^2]$ with $nT' = T$; there exists g such that $\mathrm{div}(g) = \sum_{R \in E[n]} ([T' + R] - [R])$. For $S \in E[n]$, $P \in E[K]$, then $g(P+S)^n = f(n(P+S)) = f(nP) = g(P)^n$. Thus $\frac{g(P+S)}{g(P)} \in \mu_n$ and does not depend on P. Hence, the Weil pairing is

$$e_n(S, T) = \frac{g(P+S)}{g(P)}.$$

Definition 3 [2]: Let p be a prime power, and $E/F_p$ an elliptic curve with m points in $E(F_p)$. Let P in $E/F_p$ be a point of prime order q where $q^2 \nmid m$. We say that the subgroup $\langle P \rangle$ has a security multiplier α, for some integer $\alpha > 0$, if the order of p in $F_q^*$ is α. In other words:

$$q \mid p^{\alpha} - 1 \quad \text{and} \quad q \nmid p^{k} - 1 \ \text{for all } k = 1, 2, \ldots, \alpha - 1.$$

The security multiplier of $E(F_p)$ is the security multiplier of the largest prime order subgroup in $E(F_p)$.

Theorem 1 [2, 7, 17, 24]: Let E be an elliptic curve defined over a field $F_p$. Let n be an integer so that $n \mid (q-1)$. The elements of $E(F_p)$ of order dividing n are denoted by $E(F_p)[n]$, and let $\mu_n = \{x \in F_p \mid x^n = 1\}$. Assume $E(F_p)$ contains an element of order n. Then, there exists a non-degenerate bilinear mapping:

$$\langle \cdot , \cdot \rangle_n : E(F_p)[n] \times E(F_p)/nE(F_p) \to F_p^{\times}/(F_p^{\times})^n$$

$$\tau_n : E(F_p)[n] \times E(F_p)/nE(F_p) \to \mu_n$$

The first pairing is called Tate-Lichtenbaum pairing. The second one, $\tau_n$, is called the modified Tate-Lichtenbaum pairing [2, 7, 17, 24]. Each element in $E(F_p)/nE(F_p)$ has the form $Q + nE(F_p)$, so it is usually written as $\langle P, Q \rangle_n$ and $\tau_n(P, Q)$ instead of $\langle P, Q + nE(F_p) \rangle_n$ and $\tau_n(P, Q + nE(F_p))$. Since $F_p^{\times}$ is a cyclic group of order n, the powers of $\langle P, Q \rangle_n$ and $\tau_n(P, Q)$ give an isomorphism $F_p^{\times}/(F_p^{\times})^n \to \mu_n$. Hence

$$\tau_n(P, Q) = \langle P, Q \rangle_n^{\frac{p-1}{n}} \qquad (1)$$

Compute the Tate pairing according to Miller's algorithm [3, 7, 17, 24]:

Given an elliptic curve E over $F_p$; P, Q are points with prime order n and $P, Q \in E(F_p)$. Draw the line $n_1$ through P and Q, which intersects E at another point called $R_1$. Draw the vertical line $n_2$, which is the line connecting $R_1$ and the point ∞. The line $n_2$ intersects E at the third point, which is $R_2$ ($R_2 = P + Q$). The lines $n_1$ and $n_2$ are functions on E and have a main divisor [2]:

$$\mathrm{div}(n_1) = [P] + [Q] + [R_1] - 3[\infty]$$

$$\mathrm{div}(n_2) = [R_1] + [R_2] - 2[\infty]$$

Divisor $[Q'] - [S]$ will be equivalent to $D_Q = [Q] - [\infty]$, so S is chosen at random. Calculate $g_{D_P}$ at $D_Q$, where at each step in the algorithm $T_1$ is the point obtained by computing mP, where m is an integer represented in binary of the binary expansion of n. Calculate $f_1$ to be the value at $[Q'] - [S]$ of the function f satisfying $m([P] - [\infty]) = [T_1] - [\infty] + \mathrm{div}(f)$. At the end of the algorithm the value reaches $T_1 = \infty$, $f = g_{D_P}$.

It follows that $f_1$ is the value at $[Q'] - [S]$ of the function $g_{D_P}$ satisfying $m([P] - [\infty]) = \mathrm{div}(g_{D_P})$ as required by the definition of the Tate pairing. For $P \in E(F_p)$, $Q \in E(F_{p^l})$ the Tate pairing is calculated according to the formula $\langle P, Q \rangle_n$ and the modified Tate-Lichtenbaum pairing is calculated by formula (1) with powers $(p^l - 1)/n$ [1, 3, 7].

Algorithm 1: Miller's algorithm for computation with Tate bilinear pairings [2, 7]

Input: Let the elliptic curve E over the field $F_p$. Two points P and Q on E are points of order n.

Output: The value $f_1$ satisfies the definition of a Tate pairing (Theorem 2).

1. Randomly select $S \in E(F_{p^l})$ and calculate $Q' = Q + S \in E(F_{p^l})$.
2. Let $l = [\log_2(n)] - 1$, $T_1 = P$, $f_1 = 1$.
3. While $l \ge 1$ do
- Write equations for the lines $n_1$ and $n_2$ with the multiplication of $T_1$. Calculate $T_1 = 2T_1$, $f_1 = f_1^2 \cdot \frac{n_1(Q')\, n_2(S)}{n_2(Q')\, n_1(S)}$.
- If the lth bit of n is 1, then write equations for the lines $n_1$ and $n_2$ with the addition of points $T_1$ and P. Calculate $T_1 = T_1 + P$, $f_1 = f_1 \cdot \frac{n_1(Q')\, n_2(S)}{n_2(Q')\, n_1(S)}$.
- Decrease l.
4. Return $f_1$.

The input is an elliptic curve E chosen as a supersingular curve E over the field $F_p$, $p > 3$ (the curve E over the field $F_p$ is said to be supersingular if the curve E satisfies $E[P] = [\infty]$). The subgroup in $E(F_p)[n]$ has an influence on the computation in Miller's algorithm, so the number of iterations is $[\log_2(n)]$ [2, 7]. For Tate pairing, it is necessary to pay attention to the field characteristic of 2, 3 and make sure the order of the group $E(F_p)$ is appropriate, so choose the prime number n as the largest prime divisor of the group order $E(F_p)$. In Miller's algorithm, integer n is calculated by Schoof's algorithm and using the point multiplication algorithm kP [1, 4, 16, 25-27].

According to Algorithm 1, calculating the Tate pairing $\langle P, Q \rangle_n$ (with $P \in E(F_p)$, $Q \in E(F_{p^l})$) on security applications, the line coefficients $n_i$ belong to the subfield of $F_p$, the finite field is used to calculate the value of $f_1$ with a large length field. At that time, the attacker who wants to attack the Miller algorithm must solve the problem “The point P to be found belongs to $E(F_p)$ when knowing the public point Q belongs to $E(F_{p^l})$, then finding the point P is more complicated” [2, 23]. Formula is often used to calculate Weil
P which
isline
more
complicated"
[2,
𝑒𝑒𝑛𝑛 (𝑃𝑃,
𝐸𝐸(𝐹𝐹
).
theTate
line
n𝑃𝑃,
P. point
and
Q,
E17,

at24]:
another
point called
R𝑄𝑄)
1finding
1. = ⟨𝑄𝑄,𝑃𝑃⟩ is
E at𝑝𝑝Compute
another
point
Rthrough
Draw
vertical
n ,intersects
which
is 7,the
rsects
E at intersects
another
point
Rcalled
.pairing
1
Q, which
EDraw
at called
another
point
called
Rthe
𝑝𝑝−1

𝑛𝑛

1

are pointsE with
prime point
ordercalled
n and R𝑃𝑃,
𝑄𝑄 ∈
𝑝𝑝 ; P, Qintersects
,𝐹𝐹which
at another
1.

1

2

𝑛𝑛

Given an elliptic
curve
E over
𝐹𝐹𝑝𝑝to
;Eover
P,
Q𝐹𝐹𝐹𝐹𝑝𝑝𝐹𝐹𝑝𝑝are
points
withwith
prime

nnnnand
and
𝑃𝑃,
used
calculate
Weil
pairing
[3,prime
7]. order
In
addition,
the
Given
Given
Given
an
an
anelliptic
elliptic
elliptic
curve
curve
curve
EE
over
over
;𝑝𝑝;;P,
P,
P,Q
QQare

are
arepoints
points
points
with
with
prime
prime
order
order
order
and
and𝑃𝑃,
𝑃𝑃,
𝑃𝑃,
𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄
∈∈Weil
∈∈ pairing is also calculated

and Q, which intersects E at another point called R1.

𝑓𝑓𝑃𝑃 (𝑅𝑅)𝑓𝑓𝑄𝑄 (𝑃𝑃)

theQ,
formula
𝑒𝑒𝑛𝑛 (𝑃𝑃,
𝑄𝑄)
=another
butRRit
(𝐹𝐹𝑝𝑝 ). Draw the𝐸𝐸(𝐹𝐹

line
nDraw
and
Q,PPto
which
intersects
E at
point
called
𝐸𝐸(𝐹𝐹
𝐸𝐸(𝐹𝐹
Draw
the
the
theline
line
lineaccording
nP
n1n11through
through
through
Pand
and
and
Q,
Q,
which
which
whichintersects
intersects

intersects
EEEanother
atatat
another
another
point
point
pointcalled
called
called
R11.R
. 1.not favourable [1, 3, 7]. So,
1 through
1.is
𝑝𝑝𝑝𝑝).
𝑝𝑝).).Draw
𝑓𝑓𝑃𝑃 (𝑄𝑄+𝑅𝑅)𝑓𝑓𝑄𝑄 (∞)
algorithm and using the point multiplication algorithm kP [1, 4, 16, 25-27].

According to Algorithm 1, when the Tate pairing $\langle P, Q\rangle_n$ (with $P \in E(F_p)$, $Q \in E(F_{p^l})$) is calculated in security applications, the line coefficients $n_i$ belong to the subfield of $F_p$, and the finite field used to calculate the value of $f_1$ has a large length. An attacker who wants to attack the Miller algorithm must then solve the problem “the point P to be found belongs to $E(F_p)$ while the known public point Q belongs to $E(F_{p^l})$”, which makes finding the point P more complicated [2, 23]. The formula $e_n(P, Q) = \frac{\langle P, Q\rangle_n}{\langle Q, P\rangle_n}$ is often used to calculate the Weil pairing [3, 7]. In addition, the Weil pairing is also calculated according to the formula $e_n(P, Q) = \frac{f_P(R) f_Q(P)}{f_P(Q+R) f_Q(\infty)}$, but it is not favourable [1, 3, 7]. So, the Weil pairing is considered as another way of calculating the Tate pairing when the conditions for the Weil pairing occur.

When $P \in E(F_p)$, $Q \in E(F_{p^l})$, both Tate and Weil pairing calculations are time consuming. Therefore, the calculation time for the required Weil pairing takes twice as much as the calculation of the Tate pairing. In this study, the authors have replaced the non-degenerate bilinear pairing calculations on the supersingular elliptic curve with the Weil pairing in the BLS short digital signature scheme. Then, the performance of the BLS short digital signature scheme is evaluated by comparison with the classic ECDSA scheme commonly used today.

Building a BLS short digital signature scheme based on the non-degenerate bilinear pairing of supersingular elliptic curves

The BLS key generation scheme

With the BLS short digital signature scheme, the curve E used is $y^2 = x^3 + Ax + B \bmod p$. The input for key generation consists of a set of parameters (A, B, p, q, l, P) denoted BTS-BLS (Table 1) [2]. This parameter set is used by the authors for all key generation, digital signature, and signature verification processes of the BLS short digital signature scheme.

Table 1. Parameter sets used in the BLS short digital signature scheme.

| Parameters | Functions |
|---|---|
| A, B | The coefficients of the supersingular elliptic curve equation |
| p | Modulo |
| q | Greatest prime divisor of $\#(E/F_{p^l})$ |
| l | Key length belongs to $F_{p^l}$ |
| Point $P \in E/F_{3^l}$ | Base point with order q |

In Algorithm 2, the generated key pair consists of the public key PK and the private key SK, in which the public key is the parameter set PK=(l, q, P, R) and the private key is SK=x, where x is a random number belonging to $Z_p^*$ (with a large enough prime p). When generating the key for the BLS short digital signature scheme, the BLS scheme only uses the kP point multiplication algorithm and chooses a random number belonging to $Z_p^*$. This shows that the key generation process for the BLS short digital signature scheme is efficient and simple.

Algorithm 2: Generate keys for the short digital signature scheme BLS [2, 6]
- Input: Let l, the curve $(E/F_{p^l})$ and q is the greatest prime divisor of $\#(E/F_{p^l})$, the point P has order q
- Processing steps: Choose a random number $x \in Z_p^*$ and calculate R←xP
- Output: The public key PK=(l, q, P, R) and the private key SK=x

The BLS short digital signature scheme

According to Algorithm 3, the signing process of the BLS short digital signature scheme also uses the input parameters of the supersingular elliptic curve E on the field $F_{p^l}$; the parameters of the curve used for digital signature are the number of the corresponding BTS-BLS tuple in the key generation scheme for the BLS scheme.

Algorithm 3: The BLS short digital signature [2, 6, 7]
- Input: message M∈{0,1}*, private key SK=x
- Parameter set: BTS-BLS
- Processing steps:
+ Using the $\mathrm{MapToGroup}_{h'}$ algorithm [2], map message M to the point $P_M = (x_M, y_M) \in \langle P \rangle$ belonging to $E/F_{p^l}$
+ Calculate $S_M = xP_M$
- Output: signature $\sigma = x_{S_M} \in F_{p^l}$ of the point $S_M = (x_{S_M}, y_{S_M})$

In this algorithm, embedding the message M to be signed into a point $P_M = (x_M, y_M) \in E/F_{p^l}$ and using the kP multiplier algorithm to create a signature for the message M is necessary. The message M, before embedding into a point $P_M \in E/F_{p^l}$, will be hashed using a hash function [5]. The mapping of this hash value to the $x_M$ coordinate of point $P_M$ is accomplished using the $\mathrm{MapToGroup}_{h'}$ algorithm [2, 6, 7]. Thus, the process of creating a digital signature of the BLS short digital signature scheme is more complicated than that of the key generation algorithm of the ECDSA scheme [16, 28, 29]. In the BLS short digital signature scheme, the signature generation process requires the use of a cryptographic hash function and the technique of embedding the message into a point of the curve. This keeps the value of the digital signature generated by the BLS short digital signature scheme small.

The BLS signature verification scheme

In Algorithm 4, signature verification of the BLS scheme is done using the same set of input parameters of the curve as in Table 1 above. To verify the digital signature, one must first check whether the obtained signature belongs to the curve. Secondly, two values of Weil pairings are computed: the first is calculated from the base point and the digital signature, and the second from the public key and the message M. If these two values are equal, or the inverse of the first value is equal to the second value, then the signature is valid.

Algorithm 4: The BLS signature verification [2, 6, 7]
- Parameter set: BTS-BLS
- Input: The public key PK=(l, q, P, R), the message M∈{0,1}*, and the signature σ
- Output: The signature σ is valid or invalid
- Processing steps:
Step 1: Check the condition that the signature σ is the coordinate $x_{S_M}$ of the point $S_M = (x_{S_M}, y_{S_M}) \in E/F_{p^l}$. If such a point does not exist, the signature is invalid.
Step 2: Calculate u←e[P,φ(S)]; v←e[R,φ(h(M))], where e is a non-degenerate bilinear mapping (Weil pairing) on the curve $E/F_{p^{6l}}$ and φ:E→E is a Frobenius endomorphism.
Step 3 (check condition u, v): If u=v or $u^{-1}=v$, then the signature is valid, otherwise the signature is invalid.
The correctness of the BLS short digital signature verification algorithm (Algorithm 4) is confirmed in step 3 of the algorithm, whether the signature is valid or not. Specifically, with (σ, y) and (σ, -y) being two points on $E/F_{p^l}$, where σ is the x coordinate, one of the two points can be point $S_M$ or can be used to generate digital signatures in the BLS short digital signature scheme. From (σ,y)=-(σ,-y) on the curve, then $e(P, φ(-S)) = e(P, φ(S))^{-1}$. Therefore, the u=v condition is to check that (P, R, h(M), S) is a Diffie-Hellman tuple, while the $u^{-1}=v$ condition is to check that (P, R, h(M), -S) is a Diffie-Hellman tuple [6, 7].
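
Algorithms 2 to 4 end to end, as an added example that is not the authors' program: key generation, x-coordinate-only signing, and verification with the "u = v or u^-1 = v" test on a constructed toy supersingular curve y^2 = x^3 + x over F_10007 with a subgroup of prime order 139. It is an assumption-laden sketch: the Weil pairing is swapped for the reduced Tate pairing computed by Miller's algorithm, φ is taken to be the distortion map (x, y) → (−x, iy), MapToGroup is replaced by try-and-increment hashing, an order-q check is added to Step 1, and all names and parameters are invented for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use. E: y^2 = x^3 + x over F_p with
# p = 3 (mod 4) is supersingular, #E(F_p) = p + 1 = 72 * 139, embedding degree 2.
PRIME, ORDER = 10007, 139
COFACTOR = (PRIME + 1) // ORDER
ONE = (1, 0)  # F_{p^2} elements are pairs (a, b) meaning a + b*i with i^2 = -1

def f2_mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % PRIME, (u[0] * v[1] + u[1] * v[0]) % PRIME)

def f2_pow(u, e):
    r = ONE
    while e:
        if e & 1:
            r = f2_mul(r, u)
        u, e = f2_mul(u, u), e >> 1
    return r

def slope(a, b):
    """Slope of the chord (tangent if a == b) through a and b; None if the line is vertical."""
    if a[0] == b[0] and (a[1] + b[1]) % PRIME == 0:
        return None
    if a == b:
        return (3 * a[0] * a[0] + 1) * pow(2 * a[1], -1, PRIME) % PRIME
    return (b[1] - a[1]) * pow((b[0] - a[0]) % PRIME, -1, PRIME) % PRIME

def ec_add(a, b):
    """Group law on E(F_p); None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    lam = slope(a, b)
    if lam is None:
        return None
    x3 = (lam * lam - a[0] - b[0]) % PRIME
    return (x3, (lam * (a[0] - x3) - a[1]) % PRIME)

def ec_mul(k, a):
    r = None
    while k:
        if k & 1:
            r = ec_add(r, a)
        a, k = ec_add(a, a), k >> 1
    return r

def lift_x(x):
    """Point of E(F_p) with x-coordinate x, or None when x^3 + x is not a square mod p."""
    rhs = (x * x * x + x) % PRIME
    y = pow(rhs, (PRIME + 1) // 4, PRIME)
    return (x, y) if y * y % PRIME == rhs else None

def pairing(pt, s):
    """Reduced Tate pairing e(pt, phi(s)) with phi(x, y) = (-x, i*y), by Miller's algorithm."""
    xq, yq = -s[0] % PRIME, s[1]

    def line(a, b):  # value at phi(s) of the line through a and b
        lam = slope(a, b)
        if lam is None:  # vertical line: value in F_p, erased by the final exponentiation
            return ONE
        return ((-a[1] - lam * (xq - a[0])) % PRIME, yq)

    f, t = ONE, pt
    for bit in bin(ORDER)[3:]:
        f, t = f2_mul(f2_mul(f, f), line(t, t)), ec_add(t, t)
        if bit == "1":
            f, t = f2_mul(f, line(t, pt)), ec_add(t, pt)
    return f2_pow(f, (PRIME * PRIME - 1) // ORDER)

def hash_to_point(msg):
    """Try-and-increment map into the order-q subgroup (toy stand-in for MapToGroup)."""
    ctr = 0
    while True:
        digest = hashlib.sha256(ctr.to_bytes(4, "big") + msg).digest()
        pt = lift_x(int.from_bytes(digest, "big") % PRIME)
        pt = ec_mul(COFACTOR, pt) if pt is not None else None
        if pt is not None:
            return pt
        ctr += 1

BASE = hash_to_point(b"constructed base point")  # base point P of order q

def keygen():
    x = secrets.randbelow(ORDER - 1) + 1  # private key x in [1, q - 1]
    return x, ec_mul(x, BASE)             # public key point R = xP

def sign(x, msg):
    return ec_mul(x, hash_to_point(msg))[0]  # sigma = x-coordinate of S = x * h(M)

def verify(pub, msg, sigma):
    """pub is assumed to be an already validated point of order q."""
    if not isinstance(sigma, int) or not 0 <= sigma < PRIME:
        return False
    s = lift_x(sigma)  # Step 1: sigma must be the x-coordinate of a curve point
    if s is None or ec_mul(ORDER, s) is not None:  # added check: S must have order q
        return False
    u = pairing(BASE, s)                     # Step 2
    v = pairing(pub, hash_to_point(msg))
    return u == v or f2_mul(u, v) == ONE     # Step 3: u = v or u^-1 = v
```

Because only the x-coordinate is transmitted, the verifier may recover −S instead of S, which is why Step 3 accepts either u = v or u·v = 1. With a group of only 139 elements, a different message whose hash point is ±h(M) verifies under the same signature, which is a property of the toy size and not of the scheme at the parameter sizes the paper uses.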

Theoretical model to prove the security of the BLS short digital signature scheme

In Ref. [2], a secure proof theory for the BLS short digital signature scheme was proposed. The theoretical model that proves the security of BLS is based on the difficulty level of the Hidden Field Equation (HFE), co-CDH (Computational co-Diffie-Hellman), co-DDH (Decision co-Diffie-Hellman), and GDH (Gap Diffie-Hellman groups) problems. It is shown that when an isomorphism ψ:G2→G1 exists, the short digital signature scheme BLS is vulnerable to the discrete log problem by MOV attacks [11, 12], and attacks by the Number Field Sieve algorithm [19-21] on the extended field $F_{p^l}$.

For Co-GDH signatures from elliptic curves [2], the security level of the BLS short digital signature scheme is equivalent to the difficulty of the co-CDH (Computational co-Diffie-Hellman) problem on (G1,G2). In other words, it is the computational requirements of a discrete log in G1 or the computation of a discrete log in . According to [2], when the BLS scheme uses a special supersingular curve with p=3, the security level of the BLS scheme is equivalent to DSA using a 1024-bit prime (MOV attack [11-13]). This is a weakness of the BLS short digital signature scheme when the number p is small. To use the BLS scheme in this case, we would have to use a curve $E(F_{3^l})$ where $3^{6l}$ is much larger than 1024 bits.

In the case of a BLS scheme using non-supersingular curves over fields of high characteristic with the security multiplier α=6, [2] shows that l=159 bits (signature size [$\log_2 q$] of the BLS scheme) is equivalent to “DLog Security [$\log_2 p$] of 158 bits” and “MOV Security [$6\log_2 q$] of 954 bits”. Signatures using this curve are 168 bits while the best algorithm for co-CDH on $E(F_p)$ requires either (Formula (1) in [2]) a generic discrete log algorithm taking time approximately $2^{83}$, or (Formula (2) in [2]) a discrete log in a 1008-bit finite field of large characteristic.

Finally, consider the BLS scheme in the case of higher security multipliers (Definition 3). D. Pointcheval, J. Stern (2000) [30] proposed certain Abelian varieties. However, to obtain security comparable to DSA using a 2048-bit prime with α=6, we get signatures of size l=342 bits. Then, with α=12, the signature is shorter but the security level is guaranteed (equivalent to 2048-bit discrete-log security) [31]. The result is an n-bit signature where the pairing reduces the discrete log problem to a finite field of size approximately $2^{7.5n}$.

Results and discussion

Architectural design of BLS short digital signature scheme

Figure 1 details the implementation steps of the key generation algorithm of the BLS scheme; the diagram shows that the key generation module is simply designed using only a random function and point multiplication (kP) on the elliptic curve. The key generation module then generates the private key and the public key, which are saved as “bls_private.key” and “bls_public.key,” respectively. After executing the key pair generation, the program module will issue a notice about the key pair generation time.

[Fig. 1 flowchart: Begin; Input: initial elliptic curve parameters A, B, p, l, q, P; x = random(), $x \in Z_q^*$; R = x.P; Output: public key PK: (l, q, P, R), private key SK: x; End]

Fig. 1. Scheme of the BLS key generation.

Fig. 2. BLS digital signature scheme.

Figure 2 details the steps of implementing the DSA of the BLS scheme with a digital signature called “bls_signature.sig”. First, when performing a digital signature according to the BLS scheme, the message to be signed, M, will be passed through a secure hashing algorithm that outputs a summary (hash value) [5]. This summary is combined with the private key (the key generated by the BLS key generator module), which is then fed into the digital signature program module, which results in the digital signature bls_signature. The digital signature program can sign data files of any content with text



file formats, image files, audio files, video files, etc. When performing digital signature, the program will create a digital signature file (bls_signature.sig) and output the execution time of the digital signature process.

Figure 3 details the implementation of the signature verification algorithm steps of the BLS short digital signature scheme. The program verifies the content of the signed data file and calculates the signature verification time of the BLS short digital signature scheme. The received message is passed through the hashing algorithm that obtains the hash value. The process of checking the digital signature of the BLS scheme is done by calculating and checking the input parameters of the hash digest, digital signature, and public key. If the conditions are satisfied, then the signature is valid.

[Fig. 3 flowchart: Begin; Input: public key (l, q, P, R), message M∈{0,1}*, signature σ; σ is the x coordinate of a point $S \in E/F_{3^l}$; u = e(P, φ(S)), v = e(R, φ(h(M))), with e on $E/F_{3^{6l}}$ and φ: E→E; if u = v or $u^{-1}$ = v, Output: σ = True, otherwise Output: σ = False; End]

Fig. 3. The BLS signature verification.

Results of the short digital signature program BLS

In this study, the authors have built a program with 3 main modules: key generation, digital signature and signature verification according to the BLS scheme. First, the key generation module generates a public key and a private key, then the digital signature module performs digital signature with the newly generated private key in the key generation module. Finally, the signature verification module will perform the signature verification with the public key. In addition, in order to facilitate the performance evaluation of the BLS short digital signature scheme, the authors also built a program following the ECDSA digital signature scheme including the key generation module, digital signature module, and signature verification module [16, 28, 29]. Comparisons of key generation, digital signature, and signature verification program against the BLS and ECDSA scheme were executed on the computer using Intel(R) Core i5-4200U, CPU @ 1.60GHz, up to 2.30 GHz; RAM: 4.00 GB.

Based on the security analysis and evaluation for such a BLS scheme, in this study the authors have selected the parameters for the supersingular elliptic curve over finite field $F_p$ such that both a generic discrete log algorithm in $E(F_p)$ and the Number Field Sieve in $F_{p^l}$ are intractable, with p=7DDCA613A2E3DDB1749D0195BB9F14CF44626303, the security multiplier α=12, and signature size l=159. The coefficients of the supersingular elliptic curve are A=-3, B=21C3F3AC7864D1F99273D0F828D3657D8CFD4E ($y^2 = x^3 + Ax + B$). This parameter set was evaluated by the National Institute of Standards and Technology (NIST, US Department of Commerce), which minimised the risk of being attacked [2, 6, 7, 28].

Table 2. Results of digital signature and signature verification according to the BLS scheme.

| Input data | Digital signature time (ms) | Signature verification time (ms) |
|---|---|---|
| 535 KB | 31 | 98 |
| 1.56 MB | 119 | 161 |
| 9.47 MB | 577 | 646 |
| 9.79 MB | 618 | 671 |
| 25.5 MB | 1643 | 1638 |

Table 2 details the execution time of the BLS key generation, digital signature, and signature verification computations. To check the correctness of the program, the authors tested the program with 2 scenarios, specifically:

Scenario 1: The authors modified the contents of the input data files of the BLS short digital signature program, kept the key and signature, then checked the authenticity of the data. Fig. 4 details the process of modifying the input data, where the results showed that the digital signature is invalid and the processing time was given (Fig. 5).

Fig. 4. Modification of the contents of the signed data file.

Fig. 5. Signature verification after the message was modified.

Scenario 2: The program generated an original signature (Fig. 6). Then, the authors modified the signature (Fig. 7) but did not change the message and the public key. The data verification process for the modified signature resulted in an invalid signature (Fig. 8). Moreover, to evaluate the BLS short digital signature program performance, the
authors tested the digital signature and signature verification program according to the BLS short digital signature scheme with several data files of different lengths (Tables 2, 3).

Fig. 6. Original unmodified signature.

Fig. 7. Signature after modification.

Fig. 8. Signature verification after the signature was modified.

Table 3. Runtime comparison of BLS scheme and ECDSA scheme.

| Input data (MB) | Digital signature time (ms), BLS | Digital signature time (ms), ECDSA | Diff. in % | Signature verification time (ms), BLS | Signature verification time (ms), ECDSA | Diff. in % |
|---|---|---|---|---|---|---|
| 1.02 | 108 | 350 | 69.14% | 166 | 347 | 52.16% |
| 1.56 | 131 | 523 | 74.95% | 201 | 523 | 61.57% |
| 2.00 | 186 | 720 | 74.17% | 241 | 713 | 66.20% |
| 3.68 | 298 | 1227 | 75.71% | 335 | 1230 | 72.76% |
| 4.07 | 313 | 1353 | 76.87% | 350 | 1337 | 73.82% |
| 5.03 | 376 | 1637 | 77.03% | 418 | 1664 | 74.88% |
| 6.01 | 450 | 1928 | 76.66% | 473 | 1955 | 75.81% |

Analysis and evaluation of the results achieved by the short digital signature program BLS

In previous publications, the authors evaluated the execution speed and occupied resources of the Tate pairing computation and kP point multiplication algorithm on a Spartan6 XC6SLX150T FPGA hardware platform [25, 32].

In this study, the authors tested the execution time of the program under two scenarios. The first was to evaluate the execution speed between the two program functions, i.e., digital signature and signature verification. Second, the authors evaluated the execution speed between the BLS short digital signature program and the ECDSA digital signature program. For each function of the program, the authors ran the test three times and took the average execution time.

Execution speed of digital signature and signature verification BLS: Table 2 details the execution time results of the digital signature module and BLS signature validation. Fig. 9 shows the corresponding graph comparing the running time between digital signature and signature verification. Experimental results of the BLS scheme show that the signing time is faster than the validation time. Theoretically, the digital signature of the BLS scheme uses one point multiplication, while the validation uses two values of the Weil pairing for calculation. In the Weil non-degenerate bilinear pairing values calculation, a point multiplication is used for each value of u and v. Therefore, calculating u, v requires two point multiplications, which makes the signature verification time longer than the digital signature time.

[Fig. 9 chart: BLS digital signing time (ms) and BLS signature verification time (ms) for files of 535 KB, 1.56 MB, 9.47 MB, 9.79 MB and 25.5 MB]

Fig. 9. Digital signature time and signature verification time of the BLS scheme.

Execution speed of BLS short digital signature program and ECDSA digital signature program: Both the BLS and ECDSA digital signature schemes are designed with a 160-bit key-length key for the same data input. Table 3 and the diagram in Fig. 10 present the run-time details of the digital signature function for both the BLS and ECDSA short digital signature scheme.

[Fig. 10 chart: BLS and ECDSA digital signature time (ms) and signature verification time (ms) for files of 1.02 MB, 1.56 MB, 2.00 MB, 3.68 MB, 4.07 MB, 5.03 MB and 6.01 MB]

Fig. 10. Runtime comparison of BLS short digital signature and ECDSA schemes.

Table 3 shows that the running speed of the BLS scheme’s digital signature/signature verification algorithm (with a key length of 160 bits) is better than that of the ECDSA scheme. Specifically, BLS’s digital signature generation performs at least 69% faster than that of ECDSA, while the signature verification process of BLS is at least 52% faster than ECDSA.

With the same key length (160 bits), the same digital signature, and signature verification data, the BLS short digital signature scheme had a faster execution time than the ECDSA scheme. Moreover, with the larger size of the input data file, the execution time of the BLS short digital signature scheme linearly increased with the input data file size as shown in Fig. 10. This can be explained by two main reasons:

For digital signature function: The number of operations used for the digital signature function of the BLS scheme includes a mapping of a point on the curve and a point multiplication kP. Meanwhile, the number of operations used for the digital signature function of the ECDSA scheme includes one kP point multiplication, one inverse operator modulo, and two scalar point multiplications. The DSA of the BLS scheme obviously requires less operations than ECDSA digital signature.

For the signature verification function: The number of operations used in signature verification for the BLS scheme includes the Weil non-degenerate bilinear pairing value calculation, which uses two point multiplications to calculate the two values u and v. Meanwhile, the number of operations used in the signature verification function of the ECDSA digital signing scheme includes one modulo inverse operator, two point multiplications, and two scalar multiplications. The larger number of operations makes the ECDSA scheme operate slower than the BLS scheme.

Conclusions
In this paper, the authors used the calculation technique of Weil
non-degenerate bilinear pairing (with P∈E(Fp), Q∈E(Fpl) and a
higher security multiplier α=12) in building a BLS short digital
signature scheme based on supersingular elliptic curves with key
generation, digital signature, and digital verification functions. The
set of supersingular elliptic curve parameters (with a sufficiently
large prime p and a higher security multiplier α=12) initialised for
the selected BLS scheme ensures that the signature size is short
and the security of the BLS scheme remains theoretically safe.
The execution time of the BLS short digital signature program was
much improved compared to the ECDSA digital signature scheme,
which makes BLS short digital signature scheme a candidate for
applications that require short processing time, fast computation,
and for devices with low memory and low bandwidth transmission.
ACKNOWLEDGEMENTS
The authors are grateful to the Academy of Cryptography
Techniques for supporting this work.

COMPETING INTERESTS
The authors declare that there is no conflict of interest regarding
the publication of this article.
REFERENCES
[1] H. Cohen, et al. (2005), Handbook of Elliptic and Hyperelliptic Curve
Cryptography, Chapman and Hall/CRC, DOI: 10.1201/9781420034981.
[2] D. Boneh, B. Lynn, H. Shacham (2001), “Short signatures from the weil
pairing”, Advances in Cryptology - CRYPTO 2002, 2248, pp. 514-532.

[10] P.S.L.M. Barreto, et al. (2002), “Efficient algorithms for pairing-based
cryptosystems”, Advances in Cryptology - CRYPTO 2002, 2442, pp.354-369.
[11] A.J. Menezes, T. Okamoto, S.A. Vanstone (1993), “Reducing elliptic curve
logarithms to logarithms in a finite field”, IEEE Trans. Inf. Theory, 39(5), pp.1639-1646.
[12] J. Shikata, Y. Zheng, J. Suzuki (2000), “Realizing the Menezes-Okamoto-Vanstone (MOV)”, IEICE Trans. Fundam., E83-A(4), pp.756-763.
[13] R. Barbulescu, P. Gaudry, A. Joux, E. Thomé (2013), “A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic”, https://arxiv.org/abs/1306.4244.
[14] O. Abid (2012), “New digital signature protocol based on elliptic curves”, Int. J. Cryptogr. Inf. Secur., 2(4), pp.13-19.
[15] S. Koppula, J. Muthukuru (2016), “Secure digital signature scheme based on elliptic curves for internet of things”, Int. J. Electr. Comput. Eng., 6(3), DOI: 10.11591/ijece.v6i3.9420.
[16] M.A. Mehrabi, C. Doche, A. Jolfaei (2020), “Elliptic curve cryptography point multiplication core for hardware security module”, IEEE Trans. Comput., 69(11), pp.1707-1718.
[17] M.H.T. Tran, et al. (2017), “Multilinear mappings based on weil pairing
over elliptic curves”, 2017 4th NAFOSTED Conference on Information and Computer
Science, DOI: 10.1109/NAFOSTED.2017.8108053.
[18] D.P. Le, C.H. Tan (2013), “Improved Miller’s algorithm for computing
pairings on edwards curves”, IEEE Trans. Comput., 63(10), pp.2626-2632.
[19] O. Schirokauer, D. Weber, T. Denny (1996), “Discrete logarithms: The
effectiveness of the index calculus method”, International Algorithmic Number Theory
Symposium, 1122, DOI: 10.1007/3-540-61581-4_66.
[20] R. Padmavathy, C. Bhagvati (2010), “Solving the discrete logarithm problem
for ephemeral keys in chang and chang password key exchange protocol”, J. Inf.
Process. Syst., 6(3), pp.335-346.
[21] D. Hankerson, A.J. Menezes, S. Vanstone (2004), Guide to Elliptic Curve
Cryptography, Springer, 312pp.
[22] D.B. Roy, D. Mukhopadhyay (2019), “High-speed implementation of ECC
scalar multiplication in GF(p) for generic montgomery curves”, IEEE Trans. Very
Large Scale Integr. Syst., 27(7), pp.1587-1600.
[23] C. Costello, P. Longa, M. Naehrig (2016), “Efficient algorithms for
supersingular isogeny Diffie-Hellman”, Annual International Cryptology Conference,
9814, DOI: 10.1007/978-3-662-53018-4_21.
[24] M. Scott (2005), “Computing the tate pairing”, Cryptographers’ Track at the
RSA Conference, 3376, DOI: 10.1007/978-3-540-30574-3_20.
[25] L.N. Quynh, D.V. Son, M.A. Tuan (2017), “Enhancement of implementing
cryptographic algorithm in FPGA built-in RFID tag using 128 bit AES and 233 bit kP
multitive algorithm”, VNU J. Sci. Math. - Phys., 33(2), pp.82-87.
[26] I. Yavuz, S.B.ệ. Yalỗin, ầ.K. Koỗ (2008), FPGA implementation of
an elliptic curve cryptosystem over GF(3^m)”, 2008 International Conference on
Reconfigurable Computing and FPGAs, DOI: 10.1109/ReConFig.2008.66.


[3] S. Wang (2017), Efficient Computation of Miller’s Algorithm in Pairing-Based
Cryptography, Electronic Theses and Dissertations, University of Windsor, 86pp.

[27] J. López, R. Dahab (1999), “Fast multiplication on elliptic curves over GF(2m)
without precomputation”, International Workshop on Cryptographic Hardware and
Embedded Systems, DOI: 10.1007/3-540-48059-5_27.

[4] M. Masoumi, H. Mahdizadeh (2012), “Efficient hardware implementation
of an elliptic curve cryptographic processor over GF(2^163)”, Int. J. Comput. Electr.
Autom. Control Inf. Eng. 2012 Int., 6(5), pp.725-732.

[28] National Institute of Standards and Technology (2013), Digital Signature
Standard (DSS), DOI: 10.6028/NIST.FIPS.186-4.

[5] D. Moody, et al. (2015), “Report on pairing-based cryptography”, J. Res. Natl.
Inst. Stand. Technol., 120, DOI: 10.6028/jres.120.002.
[6] A. Markel, L. Nemirovskiy (2014), “Pairing-based short signatures”, https://
markel.co/projects/ecc/2/article.pdf.
[7] V.S. Miller (2004), “The Weil pairing, and its efficient calculation”, J. Cryptol.,
17, pp.235-261.
[8] J. Shallit, et al. (1999), “Handbook of applied crytography”, Am. Math. Mon.,
106(1), DOI: 10.2307/2589608.
[9] S.S. Dhanda, B. Singh, P. Jindal (2020), “Lightweight cryptography: A solution
to secure IoT”, Wirel. Pers. Commun., 112(3), pp.1947-1980.

[29] D. Johnson, A. Menezes, S. Vanstone (2001), “The elliptic curve digital
signature algorithm (ECDSA)”, Int. J. Inf. Secur., 1(1), pp.36-63.
[30] D. Pointcheval, J. Stern (2000), “Security arguments for digital signatures and
blind signatures”, J. Cryptol., 13(3), pp.361-396.
[31] P.S.L.M. Barreto, B. Lynn, M. Scott (2003), “Constructing elliptic curves

with prescribed embedding degrees”, International Conference on Security in
Communication Networks, 2576, DOI: 10.1007/3-540-36413-7_19.
[32] L.N. Quynh, D.V. Son, M.A. Tuan (2019), “Performance of 697-bit Tate
pairing based on Elliptic curve implementation for Spartan6 XC6vlx760-2ff1760
FPGA”, 4th International Conference on Advanced Materials and Nanotechnology,
pp.166-169.

DECEMBER 2022 • VOLUME 64 NUMBER 4
