An Efficient Identity-based Cryptosystem for End-to-end Mobile Security IEEE Transactions on Wireless Communications, 2006 Jing-Shyang Hwu, Rong-Jaye Chen, Yi-Bing Lin 2008. 12. 04 Presented by Jang Chol Soon

Contents Introduction Background ID-based Encryption Elliptic Curves Divisor Weil Pairing Efficient Computation for Weil Pairing Point Halving Halve-and-Add Method for Weil Pairing Performance Evaluation Application System Conclusions

Introduction Mobile security Mobile operators have provided security protection including authentication and encryption for circuit-switched voice services. Wireless data services(e.g. mobile banking) are likely to be offered by third parties(e.g. banks) The third parties can’t trust the security mechanisms of mobile operators. : their own solution for end-to-end security. End-to-end security mechanisms in mobile services : public-key cryptosystem The main concern in public-key cryptosystem : the authenticity of public key ⇒ “certificate” The certificate is issued by a trusted third party consisting of the user name and his public key.

Introduction ID-based cryptography In 1984, Shamir The public key of a user can be derived from public information that uniquely identifies the user. (e.g. e-mail, telephone number) The first complete ID-based cryptosystem · In 2001, Boneh and Franklin · use a bilinear map(Weil pairing) over elliptic curves Major advantages · No certificate · Users need not memorize extra public keys. Drawback · Overhead for the pairing computing

Background Background A. ID-based Encryption (scheme) B. Elliptic Curves C. Divisor D. Weil pairing

Background A. ID-based Encryption (IBE) scheme use a bilinear map called Weil pairing over elliptic curves. bilinear map · transform a pair of elements(P, Q) in group G1 · send the pair to an element in group G2 in a way that satisfies some properties (bilinearity: It should be linear in each entry of the pair.) Weil pairing on elliptic curves is selected as the bilinear map · G1 : the elliptic curve group → · G2 : the multiplicative group → The decryption procedure yields the correct message because of the bilinearity of the Weil pairing.

Background A. ID-based Encryption (IBE) scheme The security level depends on the size of the finite field because the scheme is constructed on an elliptic curve. ex) an elliptic curve over 163-bit finite field = 1024-bit RSA The most significant overhead is the computation of Weil pairing. Sender Receiver PKG Weil pairing Elliptic curves

Background B. Elliptic Curves p : a prime larger than 3 : infinity point → the identity element An elliptic curve over a finite field of size p noted by GE(p) are The group operation is written as addition instead of multiplication. λ : the slope of the line passing through P and Q

Background C. Divisor A useful device for keeping track of the zeros and poles of relational functions defined as a formal sum of points on elliptic curve group : a non-zero integer that specifies the zero/pole property of point P and its respective order. A formula for adding two divisors in canonical form · provide a method of finding a rational function f · critical for computing Weil pairing

Background D. Weil Pairing Weil pairing e(P, Q) is defined as follows The Weil pairing has the bilinearity property. The first algorithm for e(P, Q) computation is Miller’s Algorithm.

one field multiplication Efficient Computation for Weil Pairing Point halving algorithm proposed by Knudsen Fast computation for scalar multiplication on elliptic curve one field multiplication Three operations

Halve-and-Add Method for Weil Pairing Method for the evaluation of rational functions used in the Miller’s algorithm To take advantage of point halving · require 1 inversion, 3 multiplications, 1 squaring, and 1 square root computing · advantage over the doubling

Performance Evaluation By using halving, save · 2n inversions · 2n-3k multiplications · n squaring at the cost of solving n quadratic equation · 2n square roots · n trace computing

Performance Evaluation

Application System ID-based End-to-End Mobile Encryption System typically based on Public-key cryptosystem Traditional public-key cryptosystem · The sender has to request the receiver’s public-key and verify its validity before encrypting a message. · When the receiver is off-line, the sender can not communication with the receiver to request the public-key ID-based cryptosystem · The sender can user the receiver’s ID(i.e., telephone number) as a public key without any request and verification. · Even if the receiver’s device is power-off, the sender can still send an encrypted short message.

Bob’s phone number (public-key) Application System ID-based End-to-End Mobile Encryption System Private Key Generator (PKG) ID=0912345678 (1) SIM Card KR Subscription time Alice Cipher Bob(0912345678) SIM Card SIM Card (5) KR GSM Network ID-based Decryption ID-based Decryption (6) Message (2) ID-based Encryption ID-based Encryption Message (3) Cipher Bob’s phone number (public-key) (0912345678)

Conclusion Conclusion An efficient ID-based cryptography scheme for end-to-end mobile security system A fast method for computing the Weil pairing using point halving algorithm : λ-representation in a normal basis Contribution to apply point halving algorithm to the ID-based scheme an efficient approach to compute the rational function evaluation algorithm