ID-base Signature from Pairings on Elliptic Curve Kenneth G. Paterson From IACR Server 2002/004 Reference :Identity-Based Encryption from the Weil Pairing Boneh &Franklin Crypto 2001,LNCS vol 2139,Springer, pp

Outline The introduction of introduction Introduction Notation The Scheme Efficient Conclusions

The introduction of introduction ECDLP : 在橢圓曲線上定義 +,  兩種運 算, P, Q is points on elliptic curve r  Z q * if Q = r  P, 給 P, Q 求出 r, 此為 ECDLP{ 要求出 r 是非常困難的 } Bilinear : we say that a map e : G 1  G 1  G 2 is bilinear if e(aP, bQ) = e(P,Q) ab for all P,Q  G 1 and all a,b  Z Weil pairing on elliptic curve

The Weil pairing of P, Q  E/F p2 is define as :, e(P,Q) = f p (A Q )/f Q (A P ) {e : E[n]  E[n]  F p 2 *, n=p+1} The Weil pairing has the following two properties a. e(P,P) = 1 b. e(P 1 +P 2, Q) = e(P 1,Q)  e(P 2,Q) and e(P,Q 1 + Q 2 ) = e(P,Q 1 )  e(P,Q 2 )

Introduction id-based encryption scheme based on Weil and Tate pairings on elliptic curves has the three important property, fully functioning, efficient and provably secure Such a scheme is a user’s public key is easily calculated function of his identity and private key is calculated by trusted authority This scheme is similar to the ElGamal signature but based on the identity-based

Notation I G 1 : additive group of prime order q and it is a subgroup of the group of points on elliptic curve G 2 : multiplicative group of prime order q and it is a subgroup of a related finite field {F p 2 *, p=6*q-1} ê : bi-linear map from G 1  G 1 to G 2, ê will be derived from the Weil and Tate pairing on the elliptic curve,{note ê(P,Q) = e(P,  (Q)),where  (x,y) = (  x,y) is an automorphism of the group of points on the curve E, where  3  1 mod p}

Notation II P : P  G 1 (point on ec) and ê (P,P)  1 G 2 ID : be a string denoting the identity of a user H 1, H 2, H 3 : hash functions H 1 : {0, 1}*  G 1 {hash the ID to points} H 2 : {0, 1}*  Z q {hash message to Z q } H 3 : G 1  Z q {hash points to Z q }

Notation III Q ID = H 1 (ID) : public key for signature(id based) D ID = s  Q ID : secret key for signature(id based) P pub = s  P : publicly known (non- id based) Where s  Z q is a system-wide master secret known to a trusted authority

The Scheme 若使用者要簽署文件 M, 首先選 k  Z q * 再 計算 M 的 signature (R,S)  G 1  G 1 而且 R=k  P, S = k -1 (H 2 (M)  P+H 3 (R)  D ID ) Where P(generator), R, D ID is points of G 1 k, k -1, H 2 (M), H 3 (R) is numbers of Z q * (R, S) is a Weil paring on elliptic curve

Verification 驗證方式 : ê(R,S) = ê(k  P, k -1 (H 2 (M)  P+H 3 (R)  D ID )) = ê(P, H 2 (M)  P+H 3 (R)  D ID ) k*(k^-1) = ê(P, H 2 (M)  P)  ê(P, H 3 (R)  D ID ) = ê(P, P) H 2 (M)  ê(P, s  Q ID ) H 3 (R) = ê(P, P) H 2 (M)  ê(s  P, Q ID ) H 3 (R) = ê(P, P) H 2 (M)  ê(P pub, Q ID ) H 3 (R)

Efficiency 簽章過程只運用到兩次 hash,4 次 elliptic curve 乘 法 1 次加法,1 次 mod q 下的 inverse, 並不須執行 ê 驗證過程中 ê(P, P) 為定值 (for every user), 故可 先儲存備用, 而 ê(P pub,Q ID ) 亦與 M 無關 so is fixed when verifying any particular user’s signatures. Therefore the cost of computing this pairing can be amortized over many verification of that user’s signatures

Conclusions This scheme is more efficient than Boneh and Franklin’ id-base encryption scheme This scheme’s security is relate to a non- identity-based signature scheme (ElGamal) and they are closely resembles However the adaptation has the property that if (R,S) is a valid signature on M then so too is (t  R, t -1  S) for any t  Z q *