ID-base Signature from Pairings on Elliptic Curve

1. ID-base Signature from Pairings on Elliptic Curve Kenneth G. Paterson From IACR Server 2002/004 Reference :Identity-Based Encryption from the Weil Pairing Boneh &Franklin Crypto 2001,LNCS vol 2139,Springer, pp213-229

2. Outline • The introduction of introduction • Introduction • Notation • The Scheme • Efficient • Conclusions

3. The introduction of introduction • ECDLP : 在橢圓曲線上定義 + ,  兩種運算 , P, Q is points on elliptic curve r Zq* if Q = rP , 給 P , Q 求出 r , 此為 ECDLP{要求出 r 是非常困難的} • Bilinear : we say that a map e : G1G1G2 is bilinear if e(aP, bQ) = e(P,Q)ab for all P,Q G1 and all a,b Z • Weil pairing on elliptic curve

4. Weil pairing on elliptic curve • The Weil pairing of P , Q E/Fp2 is define as :, e(P,Q) = fp(AQ)/fQ(AP) {e : E[n]E[n]  Fp2* , n=p+1} • The Weil pairing has the following two properties • a . e(P,P) = 1 • b . e(P1+P2, Q) = e(P1,Q)e(P2,Q) and e(P,Q1 + Q2) = e(P,Q1)e(P,Q2)

5. Introduction • id-based encryption scheme based on Weil and Tate pairings on elliptic curves has the three important property , fully functioning , efficient and provably secure • Such a scheme is a user’s public key is easily calculated function of his identity and private key is calculated by trusted authority • This scheme is similar to the ElGamal signature but based on the identity-based

6. Notation I • G1 : additive group of prime order q and it is a subgroup of the group of points on elliptic curve • G2 : multiplicative group of prime order q and it is a subgroup of a related finite field {Fp2*, p=6*q-1} • ê : bi-linear map from G1G1 to G2 , ê will be derived from the Weil and Tate pairing on the elliptic curve ,{note ê(P,Q) = e(P,(Q)),where (x,y) = (x,y) is an automorphism of the group of points on the curve E , where 3  1 mod p}

7. Notation II • P : P  G1(point on ec) and ê (P,P)  1G2 • ID : be a string denoting the identity of a user • H1 , H2 , H3 : hash functions • H1 : {0 , 1}*  G1 {hash the ID to points} • H2 : {0 , 1}*  Zq {hash message to Zq } • H3 : G1 Zq {hash points to Zq}

8. Notation III • QID = H1(ID) : public key for signature(id based) • DID = s QID : secret key for signature(id based) • Ppub = s P : publicly known (non- id based) • Where sZq is a system-wide master secret known to a trusted authority

9. The Scheme • 若使用者要簽署文件M , 首先選 kZq* 再計算M 的 signature (R,S)  G1G1 而且 R=kP , S = k-1(H2(M)P+H3(R)DID) • Where P(generator) , R , DID is points of G1 • k , k-1 , H2(M) , H3(R) is numbers of Zq* • (R , S) is a Weil paring on elliptic curve

10. Verification • 驗證方式 : • ê(R,S) = ê(kP , k-1(H2(M)P+H3(R)DID)) • = ê(P , H2(M)P+H3(R)DID)k*(k^-1) • = ê(P , H2(M)P)ê(P , H3(R)DID) • = ê(P, P)H2(M) ê(P, sQID)H3(R) • = ê(P, P)H2(M) ê(sP, QID)H3(R) • = ê(P, P)H2(M) ê(Ppub , QID)H3(R)

11. Efficiency • 簽章過程只運用到兩次hash,4次elliptic curve 乘法1次加法,1次mod q下的inverse,並不須執行 ê • 驗證過程中ê(P, P)為定值(for every user) , 故可先儲存備用,而ê(Ppub ,QID)亦與M無關 so is fixed when verifying any particular user’s signatures. • Therefore the cost of computing this pairing can be amortized over many verification of that user’s signatures

12. Conclusions • This scheme is more efficient than Boneh and Franklin’ id-base encryption scheme • This scheme’s security is relate to a non-identity-based signature scheme (ElGamal) and they are closely resembles • However the adaptation has the property that if (R,S) is a valid signature on M then so too is (tR , t-1 S) for any t Zq*