An Efficient Identity-based Cryptosystem for End-to-end Mobile Security IEEE Transactions on Wireless Communications, 2006 Jing-Shyang Hwu, Rong-Jaye Chen, Yi-Bing Lin 2008. 12. 04 Presented by Jang Chol Soon

An Efficient Identity-based Cryptosystem for End-to-end Mobile Security

IEEE Transactions on Wireless Communications, 2006

Jing-Shyang Hwu, Rong-Jaye Chen, Yi-Bing Lin

2008. 12. 04

Presented by Jang Chol Soon

-2-

Contents

Introduction

Background

ID-based Encryption

Elliptic Curves

Divisor

Weil Pairing

Efficient Computation for Weil Pairing

Point Halving

Halve-and-Add Method for Weil Pairing

Performance Evaluation

Application System

Conclusions

-3-

Introduction

Mobile security

Mobile operators have provided security protection including authentication and encryption for circuit-switched voice services.

Wireless data services (e.g. mobile banking) are likely to be offered by third parties (e.g. banks).

The third parties can’t trust the security mechanisms of mobile operators: they need their own solution for end-to-end security.

End-to-end security mechanisms in mobile services: public-key cryptosystem

The main concern in public-key cryptosystem: the authenticity of public key ⇒ “certificate”

The certificate, consisting of the user name and his public key, is issued by a trusted third party.

-4-

Introduction

ID-based cryptography

In 1984, Shamir

The public key of a user can be derived from public information that uniquely identifies the user (e.g. e-mail, telephone number).

The first complete ID-based cryptosystem

· In 2001, Boneh and Franklin

· use a bilinear map (Weil pairing) over elliptic curves

Major advantages

· No certificate

· Users need not memorize extra public keys.

Drawback

· Overhead for the pairing computing

-5-

Background

A. ID-based Encryption (scheme)

B. Elliptic Curves

C. Divisor

D. Weil pairing

-6-

Background

A. ID-based Encryption (IBE) scheme

use a bilinear map called Weil pairing over elliptic curves.

bilinear map

· transform a pair of elements (P, Q) in group G1

· send the pair to an element in group G2 in a way that satisfies some properties (bilinearity: it should be linear in each entry of the pair)

Weil pairing on elliptic curves is selected as the bilinear map

· G1 : the elliptic curve group →

· G2 : the multiplicative group →

The decryption procedure yields the correct message because of the bilinearity of the Weil pairing.
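
The Boneh-Franklin flow referred to above (setup, key extraction, encryption, decryption), as an added example that is not code from the paper or the presentation. It goes beyond the slide by spelling out all four steps; the hash names H1/H2, the tiny parameters, and the toy map e(a, b) = g^(ab), which stands in for the Weil pairing and offers no security, are assumptions chosen so the bilinearity argument runs without a pairing library.

```python
import hashlib
import secrets

# Constructed toy parameters: P_MOD = 2*Q_ORD + 1, both prime; G has order Q_ORD.
P_MOD, Q_ORD, G = 2039, 1019, 4
P_GEN = 1  # generator "P" of the toy G1 = (Z_q, +); discrete logs here are trivial

def pairing(a, b):
    """Toy bilinear map e: G1 x G1 -> G2, e(a, b) = G^(a*b). NOT a Weil pairing."""
    return pow(G, (a * b) % Q_ORD, P_MOD)

def h1(identity):
    """Hash an identity string (e.g. a phone number) to a non-zero G1 element."""
    d = hashlib.sha256(b"H1|" + identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (Q_ORD - 1)

def h2(gt, n):
    """Hash a G2 element to an n-byte mask (n <= 32 in this sketch)."""
    return hashlib.sha256(b"H2|" + str(gt).encode()).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """PKG: pick master secret s, publish P_pub = s*P."""
    s = 1 + secrets.randbelow(Q_ORD - 1)
    return s, (s * P_GEN) % Q_ORD

def extract(s, identity):
    """PKG: private key d_ID = s * H1(ID), handed to the identity's owner."""
    return (s * h1(identity)) % Q_ORD

def encrypt(p_pub, identity, msg):
    """Sender: needs only the receiver's ID and P_pub, no certificate lookup."""
    r = 1 + secrets.randbelow(Q_ORD - 1)
    g_id = pairing(h1(identity), p_pub)             # e(Q_ID, P_pub)
    mask = h2(pow(g_id, r, P_MOD), len(msg))        # H2(e(Q_ID, P_pub)^r)
    return (r * P_GEN) % Q_ORD, xor(msg, mask)      # ciphertext (U, V)

def decrypt(d_id, ct):
    """Receiver: e(d_ID, U) = e(s*Q_ID, r*P) = e(Q_ID, s*P)^r by bilinearity."""
    u, v = ct
    return xor(v, h2(pairing(d_id, u), len(v)))

if __name__ == "__main__":
    s, p_pub = setup()
    ct = encrypt(p_pub, "0912345678", b"meet at 10")
    print(decrypt(extract(s, "0912345678"), ct))
```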

-7-

Background

[Figure: IBE scheme diagram; labels: Sender, Receiver, PKG, Weil pairing, Elliptic curves]

A. ID-based Encryption (IBE) scheme

The security level depends on the size of the finite field because the scheme is constructed on an elliptic curve.

e.g. an elliptic curve over a 163-bit finite field gives security equivalent to 1024-bit RSA

The most significant overhead is the computation of Weil pairing.

-8-

Background

B. Elliptic Curves

p : a prime larger than 3

: infinity point → the identity element

An elliptic curve over a finite field of size p, denoted by GF(p)

are

The group operation is written as addition instead of multiplication.

λ : the slope of the line passing through P and Q

-9-

Background

C. Divisor

A useful device for keeping track of the zeros and poles of rational functions

defined as a formal sum of points on elliptic curve group

: a non-zero integer that specifies the zero/pole property of point P and its respective order.

A formula for adding two divisors in canonical form

· provide a method of finding a rational function f

· critical for computing Weil pairing

-10-

Background

D. Weil Pairing

Weil pairing e(P, Q) is defined as follows

The Weil pairing has the bilinearity property.

The first algorithm for e(P, Q) computation is Miller’s Algorithm.

-11-

Efficient Computation for Weil Pairing

Point halving algorithm

proposed by Knudsen

Fast computation for scalar multiplication on elliptic curve

one field multiplication

Three operations

-12-

Halve-and-Add Method for Weil Pairing

Halve-and-Add method

Method for the evaluation of rational functions used in the Miller’s algorithm

To take advantage of point halving

· require 1 inversion, 3 multiplications, 1 squaring, and 1 square root computing

· advantage over the doubling

-13-

Performance Evaluation

By using halving, save

· 2n inversions

· 2n-3k multiplications

· n squarings

at the cost of

· solving n quadratic equations

· 2n square roots

· n trace computations

-14-

Performance Evaluation

-15-

Application System

ID-based End-to-End Mobile Encryption System

typically based on Public-key cryptosystem

Traditional public-key cryptosystem

· The sender has to request the receiver’s public key and verify its validity before encrypting a message.

· When the receiver is off-line, the sender cannot communicate with the receiver to request the public key.

ID-based cryptosystem

· The sender can use the receiver’s ID (i.e., telephone number) as a public key without any request and verification.

· Even if the receiver’s device is powered off, the sender can still send an encrypted short message.

-16-

Application System

ID-based End-to-End Mobile Encryption System

[Figure: ID-based end-to-end mobile encryption system; labels: Alice; Bob (0912345678); SIM Card with ID-based Encryption and ID-based Decryption on each side; Message; Cipher; GSM Network; Private Key Generator (PKG); Bob’s phone number (public-key) (0912345678); ID=0912345678; KR; Subscription time; steps (1), (2), (3), (5), (6)]

-17-

Conclusion

An efficient ID-based cryptography scheme for end-to-end mobile security system

A fast method for computing the Weil pairing using point halving algorithm

: λ-representation in a normal basis

Contribution

to apply point halving algorithm to the ID-based scheme

an efficient approach to compute the rational function evaluation algorithm