An efficient identity-based cryptosystem for end-to-end mobile security

An Efficient Identity-based Cryptosystem for

End-to-end Mobile Security

Jing-Shyang Hwu, Rong-Jaye Chen, Member, IEEE, and Yi-Bing Lin, Fellow, IEEE

Abstract— In the next generation mobile telecommunications, any third party that provides wireless data services (e.g., mobile banking) must have its own solution for end-to-end security. Existing mobile security mechanisms are based on public-key cryptosystem. The main concern in a public-key setting is the authenticity of the public key. This issue can be resolved by identity-based (ID-based) cryptography where the public key of a user can be derived from public information that uniquely identifies the user. This paper proposes an efficient ID-based encryption algorithm. We actually implement the ID-ID-based encryption schemes and compare the performance to show the advantage of our approach. Our study indicates that our solution outperforms a previously proposed algorithm by 20 – 35%.

Index Terms— End-to-end security, identity-based cryptogra-phy, mobile banking, public key.

I. INTRODUCTION

I

N the recent years, the third generation (3G) and beyond 3G (B3G) mobile telecommunications networks [11] have been widely deployed or experimented. These networks offer large bandwidths and high transmission speeds to support wireless data services besides traditional voice services. For circuit-switched voice services, mobile operators have pro-vided security protection including authentication and en-cryption. On the other hand, wireless data services (such as mobile banking) are likely to be offered by the third parties (e.g., banks) who cannot trust the security mechanisms of mobile operators. In this case, the third parties must have their own solution for end-to-end security [12]. End-to-end security mechanisms used in mobile services are typically based on public-key cryptosystem.

In public-key cryptosystem each user has a key pair (K_U, K_R), where K_U is the public key and K_R is the private key. To generate the key pair, one first chooses a private key K_R and applies some one-way function to K_R to obtain a random and uncontrollable KU. The main concern in a public-key setting is the authenticity of the public key. If an attacker convinces a sender that a receiver’s public key is some key of the attacker’s choice instead of the correct Manuscript received December 7, 2004; revised June 25, 2005; accepted September 15, 2005. The associate editor coordinating the review of this letter and approving it for publication was V. Bhargava. This work was sponsored in part by NSC Excellence project NSC 94-2752-E-009-005-PAE, NSC 94-2219-E-009-001, NSC 94-2213-E-009-104, NSC 93-2213-E-009-010, NTP VoIP Project under grant number NSC 94-2219-E-009-002, IIS/Academia Sinica, Intel, ITRI/NCTU Joint Research Center, MOE ATU program, National Science Council and Taiwan Information Security Center at NCTU.

J.-S. Hwu, R.-J. Chen and Y.-B. Lin are with the Department of Computer Science and Information Engineering, National Chiao Tung University, Hsinchu 30010, Taiwan, R.O.C. (e-mail: {jshwu, rjchen, liny}@csie.nctu.edu.tw).

Digital Object Identifier 10.1109/TWC.2006.04839.

public key, he can eavesdrop and decrypt messages intended for the receiver. This is the well known man-in-the-middle attack. This authentication problem is typically resolved by the use of verifiable information called certificate, which is issued by a trusted third party consisting of the user name and his public key. In 1984, Shamir [20] introduced the concept of

identity-based (ID-based) cryptography where the public key

of a user can be derived from public information that uniquely identifies the user. For example, the public key of a user can be simply his/her email address or telephone number, and hence implicitly known to all other users. A major advantage of ID-based cryptosystem is that no certificate is needed to bind user names with their public keys. The first complete ID-based encryption scheme was proposed by Boneh and Franklin in 2001 [6]. They used a bilinear map (the Weil pairing) over elliptic curves to construct the encryption/decryption scheme. After that, the bilinear pairings have been used to design numerous ID-based schemes, such as key exchange [13] and short signature [7].

In addition to the Weil pairing, there exists another bilinear map on the group of points on an elliptic curve, which is known as the Tate pairing [19]. From a computational point of view, the Tate pairing can be done approximately twice as fast as the Weil pairing as it requires half the evaluations of rational functions in Weil pairing. As our proposed algorithm improves the evaluation of a rational function, it can be similarly applied to the computation of the Tate pairing theoretically. A disadvantage of the Tate pairing is that the outcome is not a unique value, which cannot be used in many applications. This problem can be solved by performing an exponentiation on the outcome of the Tate pairing [19]. The advantage of the Weil pairing is that its definition is more comprehensible than that of the Tate pairing, which involves equivalence classes of quotient groups. For the reader to easily follow the derivation of our proposed algorithm, we introduce the Weil pairing and implement our proposed algorithm on it.

ID-based cryptosystem transparently provides security en-hancement to the mobile applications without requiring the users to memorize extra public keys. For example, sending an ID-based encrypted short message is exactly the same as sending a normal short message [10] if the mobile phone number of the short message recipient is used as the public key. Therefore, the mobile user (the sender) does not need to memorize the public key of the receiver. This feature is espe-cially desirable for mobile applications such as bank or stock transactions. However, in the existing ID-based cryptosystem, the pairing computing has significant overhead. Therefore, efficient algorithm for ID-based cryptosystem is essential in 1536-1276/06$20.00 c 2006 IEEE

mobile devices with limited computing power.

The original algorithm for computing Weil pairing was proposed by Miller [17]. The most important part of the algorithm is the evaluation of a rational function associated with an m-torsion point of the elliptic curve. In this paper, we extend the idea of point halving, which was proposed by Knudsen [14], to speed up the evaluation of a rational function. We first introduce the complete ID-based encryption scheme and provide the background about the elliptic curve group and Weil pairing used in their scheme. We also describe the original Miller’s algorithm for computing Weil pairing. Then we present a new algorithm for computation of Weil pairing using the point halving technique. We actually implement the ID-based encryption schemes and compare the performance to show the advantage of our approach over a previously proposed popular solution. We then illustrate an applicable ID-based end-to-end mobile encryption system.

II. PREVIOUSWORK

The first complete ID-based encryption scheme is con-structed by using an associated bilinear map called Weil pairing on elliptic curves. To realize Weil pairing, we need a mathematical tool called divisor on elliptic curves. With this background, we then present the original algorithm proposed by Miller for computing the Weil pairing [17].

A. ID-based Encryption

Boneh and Franklin proposed the first complete ID-based encryption (IBE) scheme using a bilinear map called Weil pairing over elliptic curves. The bilinear map transforms a pair of elements in group G1 and sends it to an element in group G2 in a way that satisfies some properties. The most important property is the bilinearity that it should be linear in each entry of the pair. Assume that P and Q are two elements (e.g., points on elliptic curves) of an additive group G₁. Let e(P, Q) be the element of a multiplicative group G₂, which is the pairing applied to P and Q. Then the pairing must have the following property: e(rP, Q) = e(P, Q)r _{= e(P, rQ), where r is an integer and rP denotes}

the element generated by r times of additions on P, e.g., 2P = P + P, 3P = P + P + P and so on. Weil pairing on elliptic curves is selected as the bilinear map. That is, they use the elliptic curve group (the set of point collection to be defined in Section II-B) as G1 and the multiplicative group of a finite field as G2. Their ID-based encryption scheme works as follows. A trusted third party called the private key

generator (PKG) initially chooses a secretive master key s

and announces the public information including elliptic curve equation, the base point P, the public key sP of the system, and other needed hash functions. Each user has the public key K_U = Q_ID that is a point on elliptic curve corresponding to his ID and is known to all other users. The private key is generated by K_R = sQ_ID, which is obtained from the PKG. To encrypt a message M, the sender randomly chooses an integer r and sends (U,V) = (rP, M ⊕ h(e(Q_ID, sP)r_{)) to}

the receiver, where h is a hash function announced by PKG in the public information and e is the Weil pairing function to be elaborated in Section II-D. To decrypt the received cipher

text (U,V), the receiver uses the private key sQ_IDto compute

M = V⊕h(e(sQID, U)). This decryption procedure yields the correct message due to the bilinearity of the Weil pairing (i.e., e(sQ_ID, U) = e(sQ_ID, rP) = e(Q_ID, sP)r_).

The standard security model for a public key encryption scheme involves indistinguishability of encryptions against fully adaptive chosen ciphertext attack (IND-CCA) [1]. A strengthened model of IND-CCA called IND-ID-CCA is the standard notion of security for ID-based encryption schemes. Boneh and Franklin’s ID-based encryption scheme is IND-ID-CCA secure, i.e. their encryption scheme is indistinguishably secure against adaptively chosen ciphertext attacks, under an assumption that the Bilinear Diffie-Hellman (BDH) problem is hard [6]. The BDH problem is defined as follows. Given P, aP, bP, cP in G₁, find out e(P, P)abc _{in G}

2. Since the scheme is constructed on an elliptic curve, the security level depends on the size of the finite field. For example, an elliptic curve over a 163-bit finite field currently gives the same level of security as a 1024-bit RSA [2].

The most significant overhead in implementing the ID-based encryption scheme is the computation of Weil pairing, a bilinear pairing defined on the elliptic curve to be described next.

B. Elliptic Curves

Let p be a prime larger than 3. An elliptic curve over a finite field of size p denoted by GF (p) can be given by an equation of the form: y2 = x3+ ax + b, where a, b ∈ GF (p). (The equation over a finite field of size 2n _{denoted by GF (2}n₎

looks slightly different and will be given later.) The set of points on the curve is the collection of ordered pairs (x, y) with coordinates in the field such that x and y satisfy the equation defining the curve, plus an extra point O called the

infinity point. These points form an abelian group E under a

certain addition over GF (p). That is,

E = {(x, y) ∪ O|(x, y) satisfies y2_{= x}3_{+ ax + b,}

x, y ∈ GF (p)}.

The group addition operation is defined as follows: to add two points P = (x_P, y_P) and Q = (x_Q, y_Q) on the curve, we first pass the straight line through them, find out the third point (x_P+Q, y

P+Q) intersected with the curve, and then reflect the point over the x-axis to obtain point P + Q = (x_P+Q, y_P+Q), i.e., y_P+Q= −y_P+Q (see Fig. 1).

Assume that P = (x_P, y_P) and Q = (x_Q, y_Q) are on the curve, λ is the slope of the line passing through P and Q, then the coordinates of P + Q = (x_P+Q, y_P+Q) are

x_P+Q= λ2_{− xP− xQ} y_P+Q = λ(x_P− xP+Q) − yP , where λ =  y_Q−y_P xQ−xP if P= Q 3x2 P+a 2yP if P = Q .

The infinity point O plays a role as the identity element, that is, P +O = O + P = P for any point P. Each point P has a unique inverse element −P such that P + (−P) = O. For P = (xP, yP) in elliptic curve E over GF (p), the unique additive inverse of P is defined by−P = (xP, −yP).

Another category of elliptic curves is defined over the finite field of size 2n _{denoted by GF (2}n_{). The equation defining}

elliptic curves over GF (2n_{) is of the form y}2_{+ xy = x}3₊ ax2_{+ b , where a, b ∈ GF (2}n_{). The addition operation on}

points P and Q is the same as before except that y_P+Q =

x_P+Q+ y_P+Q. Therefore we can obtain the addition formula as follows. Let P = (x_P, y_P), Q = (x_Q, y_Q) ∈ E. Let λ be the slope of the line passing through P and Q, and the coordinates of P + Q be (x_P+Q, y_P+Q). Then x_P+Q= λ2_{+ λ + x} P+ xQ+ a y_P+Q = λ(x_P+ x_P+Q) + x_P+Q+ y_P , where λ =  _y Q+yP x_Q+xP if P= Q x_P+y_P xP if P = Q .

The inverse of P = (xP, yP) is defined by −P = (xP, xP+

y_P) when P is in elliptic curve E over binary field GF (2n_).

For elliptic curves, the group operation is written as addition instead of multiplication. Thus the exponentiation in general multiplicative group can be appropriately referred to as the scalar multiplication in elliptic curve group. That is, we denote

rP as P + P + . . . + P_{  } r times

for an integer r.

C. Divisor

A divisor is a useful device for keeping track of the zeros and poles1 _{of rational functions [16]. A divisor provides a} representation to indicate which points are zeros or poles and their orders for a rational function over the elliptic curve. A divisor D can be defined as a formal sum of points on elliptic curve group E: D =_P∈EnP(P) , where nP is a non-zero integer that specifies the zero/pole property of point P and its respective order. Inequality nP> 0 indicates that point P is a zero, and nP< 0 indicates that P is a pole. For example, for P, Q, R ∈ E, D1= 2(P) + 3(Q) − 3(R) indicates that divisor D₁has zeros at P and Q with order 2 and 3 respectively, and a pole at R with order 3. And D₂ = 2(P) + (−2P) − 3(O) indicates that P and −2P are zeros with order 2 and 1, and

O is a pole with order 3 for the divisor D2. Note that the parenthesis is used to separate the order and the specific point. For example, (2P) indicates that 2P is a zero with order 1, while 2(P) indicates that P is a zero with order 2.

The group of divisors on E, denoted as Div(E), forms an abelian group with the following addition operation. For D₁, D₂ ∈ Div(E), if D₁ = _P∈En_P(P), D₂ = 

P∈EmP(P), then D1 + D2 = P∈EnP(P) + 

P∈EmP(P) = P∈E(nP+ mP)(P). For a divisor D = 

P∈EnP(P), we define supp(D) = {P ∈ E|nP = 0} as the support of divisor D, and deg(D) = _P∈En_P as the degree of divisor D. For example, if D₁ = 2(P) + 3(Q) − 3(R), D2= 2(P) + (−2P) − 3(O), then supp(D1) =

{P, Q, R}, supp(D2) = {P, −2P, O} and deg(D1) = 2 + 3 − 3 = 2, deg(D₂) = 2 + 1 − 3 = 0.

From now on, we consider only the set of divisors of degree zero, denoted as Div0(E). Let f be a rational function

1_{Letf be a non-zero rational function, and P ∈ E. If f(P) = 0 then f is}

said to have a zero atP. If f is not defined at P then f is said to have a pole atP and we write f(P) = ∞.

from K× K to K, where K is a finite field. For example, f(x, y) = 3y−2x−5_5y+3x−2. The evaluation of a rational function f on a point P = (x_P, y_P) is defined by f(P) = f(x_P, y_P) and the evaluation of f on a divisor D = _P∈En_P(P) is defined by f(D) = _P∈supp(D)f(P)nP_{. Define the divisor}

of a rational function f as div(f) = _P∈EnP,f(P), where

n_P,f is the zero/pole order of point P on f. It is well known that the degree of the divisor of a rational function must be zero [16]; that is, div(f)∈ Div0(E) for any rational function f. For example, let P = (x_P, y_P) ∈ E, f(x, y) = x − x_P, then div(f) = div(x− x_P) = (P) + (−P) − 2(O). P and −P are the zeros of f because only they are on both the vertical line x− x_P = 0 and the elliptic curve E. The infinity point

O is a pole of order 2 because div(f) ∈ Div0_{(E). Then for} two rational functions f₁ and f₂, we have div(f₁) + div(f₂) = div(f₁f₂) and div(f₁) − div(f₂) = div(f₁/f₂).

As an example, let E be the elliptic curve defined by y2=

x3_{+ 7x over GF (13). We have P = (4, 1), Q = (5, 2) ∈ E,} and P + Q = (5, 11). Assume that f(x, y) = y−x+3_x−5 . Since P, Q, −(P + Q) = (5, 2) = Q are on the line y − x + 3 = 0, div(y− x + 3) = (P) + (Q) + (−(P + Q)) − 3(O) = (P) + 2(Q) − 3(O). Also, div(x − 5) = (Q) + (−Q) + 2(O) = (Q) + (P + Q) − 2(O) because Q, −Q = (5, 11) = P + Q are on the line x− 5 = 0. Therefore, we have div(f) = div(y −

x + 3) − div(x − 5) = (P) + (Q) − (P + Q) − (O).

A divisor D ∈ Div0(E) is defined to be principal if D = div(f) for some rational function f. The principal divisor D =_P∈En_P(P) is characterized by_P∈En_PP = O [16], where _P∈En_PP denotes the sum by applying addition operation on the points in elliptic curve E. For example, let D₃= (P) + (−P) − 2(O), then D3 satisfies deg(D3) = 0 and P + (−P) − 2O = P − P = O. Therefore D3 is principal. In fact, D3= div(x − xP) for the function x − xP.

Two divisors D₁, D₂∈ Div0(E) are said to be equivalent (denoted as D₁∼ D₂) if D₁−D₂ is principal. For any divisor D =_R∈En_R(R) ∈ Div0_{(E), there is a unique point P =} 

R∈EnRR ∈ E such that D ∼ (P) − (O). In other words, D can be always written in canonical form: D = (P) − (O) + div(f), where f is a rational function.

Now we introduce a formula for adding two divisors in canonical form, such that the result is still in canonical form. This formula provides a method of finding a rational function f such that div(f) = D for a given divisor D, and is critical for computing Weil pairing. Let D₁, D₂∈ Div0(E) be given by D₁= (P₁)−(O)+div(f₁) and D₂= (P₂)−(O)+div(f₂). Assume that P₁+ P₂ = P₃. Let h_P1,P2(x, y) = ay + bx + c

be the equation of the straight line passing through P₁ and P₂, and h_P3(x, y) = x + d be the equation of vertical line passing through P₃. (Note that if P₁= P₂, h_P1,_P2(x, y) is the

line tangent to P₁. And if P₃= O, we have h_P3(x, y) = 1, a constant equation.) Then we have div(h_P1,_P2) = (P₁)+(P₂)+

(−P3)−3(O) where P1, P2, and−P3are zeros because they are on line h_P1,_P2, and div(h_P3) = (P₃)+(−P₃)−2(O) where

P₃,−P3 are zeros because they are on line hP3 (see Fig. 1).

(

x

P+Q

,

y

P+Q

)

(

x

P+Q

,

y

P+Q

′)

Fig. 1. Group law on an elliptic curve

written as:

D₁+ D₂ = (P₁) + (P₂) − 2(O) + div(f1f2) = (P₃) − (O) + div(f1f₂) + div(h_P1,P₂)

− div(hP3)

= (P₃) − (O) + div(f1f₂h_P1,P2/hP3). (1)

Eq. (1) will be used in the computation of Weil pairing in the following subsection.

D. Weil Pairing

Given an elliptic curve E over a finite field K, let m be an integer prime to char(K), the characteristic of K [15]. For example, char(GF (p)) = p and char(GF (2n)) = 2. The Weil pairing is a function

e : E[m]× E[m] → Um,

where E[m] ={P|mP = O, P ∈ E} is called the m-torsion group, Um is the group of the mth roots of unity in K , the

algebraic closure of K [15].

Weil pairing e(P, Q) is defined as follows. Given P, Q ∈

E[m], there exist divisors D_P, D_Q∈ Div0_{(E) such that DP∼} (P) − (O) and DQ∼ (Q) − (O). Here we randomly choose points T, U, and assign DP= (P + T) −(T) and DQ= (Q + U) − (U). It is easy to verify that DP∼ (P)− (O) and DQ∼ (Q) − (O). As mP = mQ = O, divisors mDPand mDQ are principal and there exist rational functions f_P , f_Q such that div(f_P) = mD_P and div(f_Q) = mD_Q. Suppose that D_P and D_Q have disjoint supports, i.e., supp(D_P) supp(D_Q) = φ, then the Weil pairing of P and Q is defined as:

e(P, Q) = fP(DQ) f_Q(D_P).

The Weil pairing has the bilinearity property: for P, Q, R∈

E[m], we have e(P + Q, R) = e(P, R)e(Q, R) and e(P, Q +

R) = e(P, Q)e(P, R). The first algorithm for e(P, Q) compu-tation is described as Algorithm 1.

Algorithm 1: Miller’s Algorithm [17] Input: P, Q ∈ E[m]

Output: e(P, Q)

Step 1. Select random points T, U ∈ E such that P + T, T,

Q + U, U are distinct. Let DP= (P + T) − (T) and DQ= (Q + U) − (U).

Step 2. Use an evaluation algorithm to compute fP(Q + U), fP(U), fQ(P + T) and fQ(T), where fP and fQ satisfy that div(fP) = mDP and div(fQ) = mDQ.

Step 3. Compute e(P, Q) = f_fP_Q(D_(DQ_P)₎ =f_fP_Q(Q+U)f_(P+T)fQ_P(T)_(U)

A crucial part in Miller’s algorithm is the evaluation algo-rithm in Step 2. The evaluation algoalgo-rithm for f_P(S) produces f_P such that div(f_P) = mD_P, and computes f_P(x_S, y_S) for point S = (x_S, y_S). Recall that D_P= (P + T) −(T). For each integer k, there exists a rational function fk such that

div(fk) = k(P + T) − k(T) − (kP) + (O).

If k = m, then div(fm) = m(P + T) −m(T)−(mP)+(O) = m(P + T) − m(T), and fP = fm. For any points R, S, let

h_R,S and h_R be linear functions, where h_R,S(x, y) = 0 is the straight line passing through R, S, and h_R(x, y) = 0 is the vertical line passing through R. Then we have

div(fk_1+k2) = (k₁+ k₂)(P + T) − (k₁+ k₂)(T) − ((k1+ k2)P) + (O) = k₁(P + T) − k1(T) − (k1P) + (O) + k₂(P + T) − k2(T) − (k2P) + (O) + (k₁P) + (k₂P) + (−(k1+ k2)P) − 3(O) − [((k1+ k2)P) + (−(k1+ k2)P) − 2(O)] = div(fk1) + div(fk2) + div(hk1P,k2P)

− div(h(k1+k2)P),

and hence

fk1+k2=

fk1fk2hk1P,k2P

h_(k1+k2)P . (2)

Eq. (2) is recursive with initial conditions f₀ = 1 and f₁ = hP+T hP,T since div(f₁) = (P + T) − (T) − (P) + (O) = (P + T) + (−(P + T)) − 2(O) − [(P) + (T) + (−(P + T)) − 3(O)] = div(h_P+T) − div(hP,T).

Based on Eq. (2), a conventional double-and-add method was proposed for evaluation of a rational function f_P on a given point S, where f_Psatisfies div(f_P) = m(P+T)−m(T). The algorithm denoted as double-and-add evaluation algorithm is described as Algorithm 2.

In the next section, we propose a halve-and-add method to speed up the evaluation for Weil pairing.

III. EFFICIENTCOMPUTATION FORWEILPAIRING We first introduce the point halving operation proposed by Knudsen in speeding up scalar multiplication on elliptic curve over GF (2n_{). The advantage of point halving relies on the}

Algorithm 2: Double-and-Add Evaluation Algorithm (Step 2, Miller’s Algorithm) [3]

Input: the points P, T, S, and the order m = n−1_i=0 bi2i with

bi∈ {0, 1}, bn−1= 1 Output: fm(S) = fP(S) f1←h_hP+T_P,T(S)(S); f ← f1; Z← P; forj ← n − 2, n − 3, ..., 0 do f ← f2 h_hZ,Z_2Z(S)(S); Z← 2Z; ifbj= 1 then f ← f1f_hh_Z+PZ,P(S)_(S); Z← Z + P; end end return f

fast arithmetic operations over GF (2n_{) in a normal basis. We}

then propose an efficient halve-and-add evaluation algorithm in Weil pairing computation.

A. Point Halving

We restrict our attention to elliptic curves E over finite field GF (2n_{) defined by the equation y}2_{+ xy = x}3_{+ ax}2_{+ b}

where a, b∈ GF (2n_{), b = 0. The finite field GF (2}n_{) can be}

viewed as a vector space of dimension n over GF (2). That is, each c∈ GF (2n_{) can be represented as a vector (c}

n₋₁...c₁c₀)

where ci∈ {0, 1}. Let P = (x_P, y_P) be a point on E, where

P = −P. The coordinate of Q = 2P = (xQ, yQ) can be computed as follows: λ = x_P+yP x_P (3) x_Q = λ2_{+ λ + a (4)} y_Q = x2 P+ xQ(λ + 1) (5)

Point halving was first proposed by Knudsen with the fol-lowing operation: given Q = (xQ, yQ), compute P = (xP, yP) such that Q = 2P. Point halving provides fast computation for scalar multiplication on elliptic curve. The basic idea for halving is to solve Eq. (4) for λ, Eq. (5) for x_P, and finally Eq. (3) for y_P if needed. If G is a subgroup of odd order m in E, point doubling and point halving are automorphisms in

G [14] . Therefore, given a point Q ∈ G, there is a unique

point P ∈ G such that Q = 2P. To uniquely find P, Fong et al. [9] designed a point halving computation algorithm using the trace function Tr : GF (2n_{) → GF (2) defined by}

Tr(c) =n_i=0−1ci, where c = (cn₋₁...c₁c₀) ∈ GF (2n).

The halve-and-add method for scalar multiplication uses two kinds of point representation: the usual affine representa-tion P = (x_P, y_P) and the λ-representation (x_P, λ_P), where

λ_P= x_P+(y_P/x_P) denotes the slope of the tangent line to the curve at P. As shown in the following point halving algorithm (Algorithm 3), repeated halving can be performed directly on the λ-representation of a point. Only when a point addition is required, a conversion to affine coordinate is needed.

The point halving algorithm requires one field multipli-cation (Step 2) and three operations: solving the quadratic equation λ2+λ = xQ+a (Step 1), one trace computation (Step 3), and computing a square root (Step 3). In a normal basis, the

Algorithm 3: Point Halving Algorithm [9] Input:λ-representation (xQ, λQ) of Q

Output:λ-representation (xP, λP) of P = (xP, yP), where Q = 2P

Step 1. Find a solutionλ for equation λ 2+ λ = xQ+ a.

Step 2. Computec = xQ(xQ+ λQ+λ). Step 3. If Tr(c) = 0 then λP←λ, x P←√c + xQ, elseλP←λ + 1, x P←√c. Step 4. Return (xP, λP).

time needed for these three operations is negligible compared to the time needed for a multiplication or an inversion. An inversion can be computed using a number of multiplications. The ratio of inversion to multiplication cost is about 8 in our Pentium III platform. In the next subsection we select a normal basis and introduce arithmetic operations over it. With the normal basis we select, the square root operation at Step 3 can be significantly simplified.

B. Normal Basis

Recall that the binary field GF (2n_{) can be viewed as}

a vector space of dimension n over GF (2). That is, there exists a set of n elements α₀, α₁, ..., αn₋₁ in GF (2n) such

that each c ∈ GF (2n) can be written in the form c = _c

iαi = (cn−1...c1c0). In general, there are many bases

of GF (2n). A typical one is the polynomial basis of the form {1, x, x2, ..., xn−1}, and a kind of special basis called

normal basis is the set of the form {β, β2, ..., β2n−1}. In a

normal basis, a field element c on GF (2n_{) is represented}

by c = ciβ2

i

= (cn−1...c1c0). The squaring of c can

be obtained by c2 = n_i=0−1ciβ2 i+1 = n−1 i₌₀ ci−1β2 i = (cn−2...c0cn−1). That is, squaring of c can be accomplished

by a simple left rotation on the vector representation of c. On the other hand, the square root computation is just a right rotation, i.e., √c = (c₀cn₋₁...c₁) at Step 3 in point halving

algorithm. Therefore the quadratic equation x2+ x = c can be solved bitwise at Step 1 in point halving algorithm. These operations are expected to be inexpensive relative to the field multiplication or the field inversion. The field multiplication in a normal basis is more complicated, but, with optimization, it can be reduced to a series of n cyclic shifts of the two vector multiplicands. Mullin, Onyszchuk, Vanstone and Wilson [18] introduced optimal normal bases that can optimize the time complexity for field multiplication in GF (2n). The normal basis implementation we proposed [22] is the basic architecture in the halve-and-add evaluation algorithm to be described in the next subsection.

C. Halve-and-Add Method for Weil Pairing

Now we propose a halve-and-add method for the evaluation of rational functions used in the Miller’s algorithm. The eval-uation algorithm described in Section II-D applies the double-and-add method to compute Weil pairing. To take advantage of point halving, we propose a halve-and-add version of the evaluation algorithm.

Let the λ-representation of a point P = (xP, yP) be (x_P, λ_P), and the canonical form of a divisor D_P be (P)−

(O) + div(g), where g is a rational function. Assume that Q = 2P with λ-representation (x_Q, λ_Q) corresponds to a divisor D_Q with canonical form (Q) − (O) + div(f). Let h_P,P(x, y) = 0 be the equation of the tangent line at P and h_2P(x, y) = 0 be the vertical line through Q = 2P. By the addition formula of two divisors with canonical form (see Eq. (1)), we have D_P+ D_P = (2P) − (O) + div(g2hP,P h_2P ) = (Q) − (O) + div(f). (6) We also have h_P,P(x, y) = y + y_P+ λ_P(x + x_P) = y + λ_Px + x2_P, h_2P(x, y) = x + x_Q. (7)

From Eqs. (6) and (7), we have f = g2 hP,P

h2P = g2 y+λ Px+x2_P x+xQ and thus g = f x + xQ y + λ_Px + x2 P .

Denote the 1/2-representation of m as (m)_1/2 = (ˆbn₋₁...ˆb₀) such that m =

n−1

i=0 ˆbi₂1i mod r, where r is

the order of point P. In order to apply the halve-and-add operation in the evaluation of f, we first determine (m)_1/2. A simple translation was described in [14]. For Weil pairing computation, integer m is not only the scalar in evaluating f but also the order of the point P, i.e., mP = O. To evaluate the rational function fm, we first evaluate fm−1 by

using halve-and-add method, and then obtain fm from fm−1.

This is because (m)_1/2is always the zero string (00...0) after translation and we can not evaluate fm by using the

halve-and-add method directly. The translation of (m− 1)_1/2 in our algorithm is given as follows. Let n = log₂m, and 2n−1_{(m − 1) mod m =} n−1

i=0 ci2i = (cn−1...c0) . Then

(m − 1)1/2 = (ˆbn₋₁...ˆb₀), where ˆbi = cn_−1−ifor i =

0, ..., n − 1. For example, let m = 25 and n = log₂25 = 5, we can compute 24× (25 − 1) mod 25 = 9 and represent it as (01001). Thus the 1/2-representation of 24 is (10010).

Now we compute Step 2 of the Miller’s algorithm (Algo-rithm 1) by the following halve-and-add evaluation algo(Algo-rithm (Algorithm 4).

In our halve-and-add evaluation algorithm, the halving stage requires 1 inversion, 3 multiplications, 1 squaring, and 1 square root computing, and has an advantage over the doubling. A detailed comparison will be given in the next section.

IV. PERFORMANCEEVALUATION

In this section we estimate the saved operations in our halve-and-add evaluation algorithm (Algorithm 4) compared with the double-and-add evaluation algorithm (Algorithm 2). When we consider the arithmetic operations in a normal basis, the time saved by using halving instead of doubling is significant. In affine coordinates, both elliptic doubling and addition for scalar multiplication require 1 inversion, 2 multiplications, and 1 squaring. In the λ-representation, halving stage for scalar multiplication requires 1 multiplication and three extra operations: solving the quadratic equation, trace computation,

Algorithm 4: Halve-and-Add Evaluation Algorithm Input: the points P, T, S, where P is given by λ-representation

(xP, λP) and the order m

Output: fm(S) = fP(S)

Find the 1/2-representation (m − 1)_1/2= (ˆbn−1...ˆb₀) with ˆbi∈ {0, 1},ˆbn−1= 1; f1 ←h_hP+T_P,T(S)(S); f ← f1; Z← P; forj ← n − 2, n − 3, ..., 0 do f ←  f xS+xZ yS+λZ/2xS+x2Z/2; Z← Z/2; if ˆbj= 1 then f ← f1f_hh_Z+PZ,P(S)_(S); Z← Z + P; end end f ← f1f_hh_Z+PZ,P(S)_(S); Z← Z + P; return f TABLE I

ARITHMETICOPERATIONS FORSCALARMULTIPLICATION(n ≥ k)

Operation Double-and-Add Halve-and-Add

Inversion n + k k Multiplication 2n + 2k n + 3k Squaring n + k k Solving ˆλ2+ ˆλ = x_Q+ a 0 n Square root 0 n Trace computing 0 n

and square root computation. The addition stage requires an extra multiplication for the recovery of y-coordinate in the

λ-representation. Let the order of the Weil pairing m be

represented in binary format by a bit string of length n with

k non-zero entries, obviously n ≥ k. Note that our

halve-and-add method requires the 1/2-representation of m− 1 to apply halving and addition. By the translation of (m− 1)_1/2, (m − 1)1/2 is a bit string of length n with k− 1 non-zero entries. Since we need an extra addition in the final step to obtain mP from (m− 1)P, the total addition in halve-and-add method is still k. The operations needed for the scalar multiplication are listed in Table I.

In affine coordinates, the doubling stage requires 2 inver-sions (one for the slope of h_Z,Z(S), another for h_2Z(S)), 4 multiplications, and 1 squaring. Our halving stage requires 1 inversion, 3 multiplications, 1 squiring, and 1 square root com-puting in the λ-representation. The addition in our halve-and-add method requires two extra multiplications for the recovery of y-coordinate. The operations needed for the evaluation of a rational function in Weil pairing are listed in Table II.

As shown in Tables I and II, by using halvings, we can save 2n inversions, 2n − 3k (in general, n ≥ 2k as shown in Table III) multiplications and n squarings at the cost of solving n quadratic equation, 2n square roots, and n trace computing. Note that, in a normal basis, the time needed to calculate the quadratic equation, square root, and the trace is negligible compared with the time needed to compute a multiplication or an inversion.

pair-TABLE II

ARITHMETICOPERATIONS FORRATIONALFUNCTIONEVALUATION

(n ≥ k)

Operation Double-and-Add Halve-and-Add

Inversion 2n + 2k n + 2k

Multiplication 4n + 5k 3n + 7k

Squaring n n

Square root 0 n

TABLE III

THEORDERS OFWEILPAIRING IN THENIST CURVES

NIST m (order of Weil pairing n (length k (weight

Curve in decimal) of(m)2) of(m)2) B-163 5846006549323611672814742442 163 41 876390689256843201587 B-233 6901746346790563787434755862 233 59 2770255558398127373450135553 79383634485463 B-409 6610559687902485989519153080 409 103 3277103982840468296428121928 4648798304157774827374805208 1437237621791109659798672883 66567526771

ing, we implement the Boneh-Franklin’s ID-based encryption (IBE) scheme over the NIST recommended curves [8] on a 700MHz Intel Pentium III. Their scheme requires one pairing operation for both encryption and decryption. The recent IBE schemes proposed by Boneh-Boyen [4][5] and Waters [21] pre-compute one pairing operation before encryption, thus require no pairing for encryption but use two pairings for decryption. Their contributions focus on constructing secure provable IBE schemes in different security models such as selective-ID model and standard model without random or-acle. As our algorithm improves the computation of pairing which is primitive in IBE schemes, we can implement these new schemes in the future work. Our implementation is programmed in C and uses the free GNU Multiple Precision (GMP) arithmetic library to deal with the big number opera-tions. The traditional double-and-add method and our halve-and-add method are both implemented for computation of Weil pairing in the ID-based encryption scheme over NIST recom-mended curves of different strength. Curves B-163, B-233 and B-409 have the same form: y2+ xy = x3+ x2+ b over binary fields GF (2163), GF (2233) and GF (2409), respectively. The orders of the Weil pairing m chosen in these curves are listed in Table III. The representation of elements in the binary field is over a normal basis [22]. The size of message encrypted in our implementation is 160 ASCII characters. Table IV lists the execution times in the ID-based encryption scheme using double-and-add method and halve-and-add method, and shows the improvements. The Weil pairing is the primitive operation for both encryption and decryption in the ID-based encryption scheme. Therefore, the efficient computation for Weil pairing improves both encryption and decryption.

Our method reduces a number of inversions and multipli-cations which are expensive in computing the Weil pairing.

TABLE IV

EXECUTIONTIMES(INmsec)INID-BASEDENCRYPTIONSCHEMES FOR THENIST CURVES

Double-and Halve-and Improvement

-Add -Add Pairing Evaluation 10.76 6.95 35% B-163 Encryption 16.72 12.45 26% Decryption 12.95 8.37 35% Pairing Evaluation 41.56 30.48 27% B-233 Encryption 76.28 50.13 34% Decryption 46.75 37.48 20% Pairing Evaluation 126.48 91.35 28% B-409 Encryption 198.43 135.97 31% Decryption 150.25 110.64 26%

Fig. 2. ID based End-to-end Encryption System

Overall a 20 – 35% improvement in encryption/decryption has been accomplished.

V. ID-BASEDEND-TO-ENDMOBILEENCRYPTION SYSTEM

End-to-end security mechanisms used in mobile services are typically based on public-key cryptosystem. Under tradi-tional public-key cryptosystem, the sender has to request the receiver’s public key and verify its validity before encrypting a message. The sender can not communicate with the receiver to request the public-key when the receiver is off-line. On the other hand, in an ID-based cryptosystem, the sender can use the receiver’s ID (i.e., the telephone number) as his public key without any request and verification. Thus, even if the receiver’s device is power-off, the sender can still send an encrypted short message (which will be queued in the Short Message Service Center, and is forwarded to the receiver later when it is power-on) to achieve the end-to-end security. Based on the algorithm (Algorithm 4) proposed in Section III, an efficient ID-based end-to-end encryption scheme for mobile services is illustrated in Fig. 2. The PKG (Fig. 2 (1)) constructs the ID-based cryptosystem and uses, for example, the phone number as the ID (Fig. 2 (2)). Every mobile user involved in the ID-base cryptosystem is given a SIM card (Fig. 2 (3)) at the subscription time. The ID (phone number) and

its corresponding private key K_Rare loaded in the SIM card by the network operator. The mobile equipment contains two security modules: ID-based encryption module (Fig. 2 (4)) and ID-based decryption module (Fig. 2 (5)). When a mobile user Alice (the sender; (Fig. 2 (6))) wants to encrypt a message to Bob (the receiver), she uses Bob’s phone number (Fig. 2 (7)) as the public key and encrypts the message through the ID-based encryption module. Once Bob receives the cipher (the encrypted message), he uses the private key KR (Fig. 2 (8)) stored in the SIM card to decrypt the cipher through the ID-based decryption module and obtain the original message. In some applications, the sender may choose an arbitrary string as the public key instead of the receiver’s phone number. For instance, an account number can be used as the public key to encrypt the transaction information. While receiving the account number and the encrypted message, the receiver authenticates himself to the network operator and requests for corresponding private key to the account number. Then the network operator extracts the correct private key and sends it securely to the receiver. The dynamic private key extraction provides flexible security for end-to-end network services.

VI. CONCLUSION

This paper proposed an efficient ID-based cryptography scheme for end-to-end mobile security system. We proposed a fast method for computing the Weil pairing using point halv-ing. With the λ-representation in a normal basis, significant improvement in terms of time saving has been demonstrated in computing Weil pairing. Our study indicates that this new approach significantly outperforms a well-known, previously proposed ID-based solution. To sum up, our contribution is twofold: firstly, we are the first to apply point halving algorithm to the ID-based scheme; secondly, we proposed an efficient approach to compute the rational function evaluation algorithm. By reducing the computation complexity, our ap-proach provides an appropriate ID-based encryption solution for mobile services where the mobile terminals have limited computing power.

REFERENCES

[1] M. Bellare et al., “Relations among notions of security for public-key encryption schemes,” Advances in Cryptology-CRYPTO’98, pp. 26-45. [2] I. F. Blake, G. Seroussi and N. P. Smart, Elliptic Curves in Cryptography.

Cambridge University Press, Cambridge, (1999).

[3] I. Blake, K. Murty and G. Xu, “Refinements of Miller’s algorithm for computing Weil/Tate pairing,” to appear in Journal of Algorithms. [4] D. Boneh and X. Boyen, “Efficient selective-ID secure identity

based encryption without random oracle,” Advances in Cryptology-EUROCRYPTO’04, pp. 223-238.

[5] D. Boneh and X. Boyen, “Secure identity based encryption without random oracles,” Advances in Cryptology-CRYPTO’04, pp. 443-459. [6] D. Boneh and M. Franklin, “Identity-based encryption from the Weil

pairing,” Advances in Cryptology-CRYPTO’01, pp. 213-239.

[7] D. Boneh, B. Lynn and H. Shacham, “Short signatures from the Weil pairing,” Advances in Cryptology-ASIACRYPTO’01, pp. 514-532.

[8] FIPS 186-2, Digital Signature Standard (DSS), Federal Information Processing Standards Publication 186-2, NIST 2000.

[9] K. Fong, D. Hankerson, J. Lopez and A. Menezes, “Field Inversion and Point Halving Revisited,” IEEE Trans. Computers, vol. 53, no. 8, 2004, pp. 1047-1059.

[10] H.-N. Hung et al., “A Statistic Approach for Deriving the Short Message Transmission Delay Distributions,” IEEE Trans. Wireless Commun., vol. 3, no. 6, 2004.

[11] Y.-B. Lin and I. Chlamtac, Wireless and Mobile Network Architectures. John Wiley & Sons, 2001.

[12] Y.-B. Lin, M.-F. Chen, and H. C.-H. Rao, “Potential Fraudulent Usage in Mobile Telecommunications Networks,” IEEE Trans. Mobile Computing, vol. 1, no. 2, 2002, pp. 123-131.

[13] A. Joux, ”A One Round Protocol for Tripartite Diffie-Helman”, Algo-rithm Number Theory Symposium, vol. 1838, Springer-Verlag Heidelberg, 2000, pp. 385-393.

[14] E. Knudsen, “Elliptic Scalar Multiplication Using Point Halving,” Ad-vances in Cryptology-ASIACRYPTO’99, pp. 135-149.

[15] R. Lidl and H. Niederreiter, Finite Fields. Cambridge University Press. [16] A. J. Menezes, Elliptic Curve Public Key Cryptosystems. Kluwer

Aca-demic Publishers.

[17] V. Miller, “Short Programs for Functions on Curves,” Unpublished Manuscript, 1986.

[18] R. Mullin et al., “Optimal normal bases inGF (pn_{),” Discrete Applied}

Mathematics, vol. 22, 1988, pp. 149-161.

[19] M. Scott, The Tate Pairing, Available from www.computing.dcu.ie/ mike/tate.html

[20] A. Shamir, “Identity-based cryptosystems and signature schemes,” Ad-vances in Cryptology-CRYPTO’84, pp. 47-53.

[21] B. R. Waters, “Efficient identity-based encryption without random oracles,” Advances in Cryptology-EUROCRYPTO’05, pp. 114-127. [22] S.-H. Yang et al., “Performance analysis for arithmetic in finite field

GF (pn_{),” in Proc. 11th National Conference on Information Security,}

Taiwan, 2001, pp. 185-192.

Jing-Shyang Hwu received his B.S. and M.S.

de-gree in Computer Science and Information Engineer-ing from National Chiao Tung University, Taiwan, R.O.C in 1996 and 1998. He is currently a Ph.D. candidate of the Department of Computer Science and Information Engineering, National Chiao Tung University, Taiwan, R.O.C. His current research in-terests include cryptography, network security, cod-ing theory, and algorithms design.

Rong-Jaye Chen received the B. S. degree in

mathematics in 1977 from Taiwan Tsing Hua Uni-versity, and the Ph.D. degree in computer science in 1987 from the University of Wisconsin-Madison. He is currently a Professor of Computer Science Department at the National Chiao Tung Univer-sity, Hsinchu, Taiwan. His research interests include cryptography, coding theory, algorithm design, and theory of computation.

Yi-Bing Lin (M’96, SM’96, F’04) is Chair Professor

and Vice President of Research and Development, National Chiao Tung University. His current re-search interests include wireless communications and mobile computing Dr. Lin has published over 190 journal articles and more than 200 conference papers. Lin is the co-author of the book Wireless and Mobile Network Architecture (with Imrich Chlam-tac; published by John Wiley & Sons). Lin is an IEEE Fellow, an ACM Fellow, an AAAS Fellow, and an IEE Fellow.