Cryptographic Applications of Bilinear Maps Noel Michael McCullagh B Sc , M Sc A thesis submitted for the degree of P h D to the DCU Dublin City University Faculty of Engineering and Computing School of Computing Supervisor Dr Michael Scott October 2005 Declaration I, Noel Michael McCullagh, hereby certify that this material, which I now submit for assessment on the programme of study leading to the award of Ph.D. is entirely my own work and has not been taken from the work of others save and to the extent that such work has been cited and acknowledged within the text of my work. The original work in this thesis is as follows: 1. Ch. 3. Sec. 3.10 was joint work with Chevallier-Mames, Coron, Naccache and Scott. 2. Ch. 5. Sec. 5.5 was joint work with Barreto, Libert and Quisquater. 3. Ch. 6. Sec. 6.2.2 is my own work, Section 6.5 was joint work with Libert and Quisquater. 4. Ch. 7. Sec. 7.5.1 is my own work and Section 7.6 was joint work with Barreto. 5. Ch. 8. Sec. 8.6 was joint work with Barreto, Libert and Quisquater. 6. Appendix. A full Java library of pairing based cryptography software was created. © Noel Michael McCullagh. All Rights Reserved. October, 2005. Acknowledgements There are many people I need to thank for making the last three years so enjoyable Firstly, I wish to sincerely thank my supervisor Mike, without whose support I would never have made it this far Mike has been a great support to me, not only with his vast knowledge of the area, but also with his constant encouragement and enthusiasm when things got tough Thank you I also wish to sincerely thank my very good friend Neil Costigan I met Neil for the first time when we both started research studies in the university three years ago Since then Neil has become so much more than a work colleague He is one of the most enthusiastic, energetic, motivating and fun people I know He has made a huge difference to the last three years He has been the first to cheer me up when I am feeling down, and the first to congratulate me on the successes Thank you I would like to thank the other postgraduate students - Barry Cameron, Cara, Claire K, Claire W, Dalen, David, Dave, Hego, Karl, Katrina, Mark, Mary, Michelle, Niall, Noreen, Riona, Ronan, Sara, Thibault & Tommy My thanks also to my good friends Scott & Yann and their families They have made my years in Dublin so enjoyable I would also like to thank my co-authors Paulo S L M Barreto Benoit Chevalher- Mames, Jean-Sebastien Coron, Benoit Libert, David Naccache and Jean-Jacque Quisquater Last but definitely not least, I would especially like to thank my Mum and Dad, my brothers Mark and John and my sister Laura They have been a huge support to me, and have always been there for me Thank you so much Abstract Bilinear maps have become an important new item in the cryptographer’s toolkit They first came to prominence when they were used by Menezes, Okamoto and Vanstone to help solve the elliptic curve discrete logarithm problem on elliptic curves of small embedding degree In 1984, Shamir developed the first identity based signature scheme, and posed the con­ struction of an identity based encryption scheme as an open problem [118] Subsequently identity based identification and identity based key agreement schemes were proposed How­ ever, identity based encryption remained an open problem In 2000, Sakai, Ohgishi and Kasahara used bilinear maps to implement an efficient identity based non-interactive key agreement and identity based digital signature [111] In 2001, some 17 years after it was suggested, Boneh and Franklin proposed the first efficient identity based encryption scheme, constructed using bilinear maps [31] In this thesis we review some of the numerous cryptographic protocols that have been constructed using bilinear maps We first give a review of public key cryptography We then review the mathematics behind the two known bilinear maps, the Weil and Tate pairings, including several im­ provements suggested m [67, 14] We develop a Java library to implement pairing based cryptography In Ch 4 we look at some of the cryptographically hard problems that arise from bilinear maps In Ch 5 we review identity based signature schemes and present the fastest known scheme In Ch 6 we review some encryption schemes, make some ob­ servations that help improve the performance of many identity based cryptosystems, and propose the fastest scheme for public key encryption with keyword search In Ch 7 we review identity based key agreements and propose the fastest scheme secure in a modified Bellare-Rogaway model [19] In Ch 8 we review identity based signcryption schemes and present the fastest known scheme Contents 1 Introductory Mathematical Background 1 1.1 Modular Arithmetic........................................................................................... 1 1.2 Infinite G ro u p s.................................................................................................... 2 1.3 Infinite F ields....................................................................................................... 5 1.4 Finite Groups and Fields .................................................................................. 5 1.4.1 Euclidean Algorithm............................................................................... 8 1.4.2 Extension Fields ...................................................................................... 10 1.5 Calculating the Multiplicative In v e rse ............................................................. 11 1.5.1 Extended Euclidean Algorithm ............................................................. 11 1.6 Random Number Generation............................................................................ 13 1.6.1 Natural Sources of Randomness............................................................. 14 1.6.2 Pseudo-Random Number Generators.................................................... 15 1.7 Prime Number Generation.................................................................................. 16 1.7.1 Miller-Rabin Primality T e s t................................................................... 18 1.8 Discrete Logarithm Problem............................................................................... 20 1.9 Encryption Schemes........................................................................................... 21 1.10 El Gamal Encryption........................................................................................... 23 2 Elliptic Curve Arithmetic 26 2.1 Long Form Weierstrafi Equation ...................................................................... 26 2.1.1 Short Form Weierstrafi Equations.......................................................... 28 i CONTENTS 2.2 Group Law Over Elliptic C u rv e s ..................................................................... 30 2.2.1 Point Addition for E /¥ pk where char Fpk / 2 , 3 ................................ 31 2.2.2 Point Doubling for E/Fpk where char Fpk ^ 2 , 3 ................................ 32 2.2.3 (9, The Point at Infinity.......................................................................... 32 2.3 Group O rder ....................................................................................................... 34 2.3.1 The Trace of Frobenius, t ....................................................................... 34 2.3.2 The Curve Embedding Degree, k ........................................................... 35 2.4 Discrete Logarithm Problem over Elliptic Cu rves........................................... 35 2.5 Efficient Point Scalar M ultiplication............................................................... 36 2.5.1 Double-and-Add Method for Point Scalar Multiplication..................... 37 2.5.2 NAF Window Method for Point Scalar M ultiplication...................... 39 2.6 Multiple Point Scalar M ultiplication............................................................... 42 2.7 Point Compression.............................................................................................. 44 2.8 Projective Space ................................................................................................. 44 2.9 Point Reduction ................................................................................................. 47 2.10 Group S tru c tu re ................................................................................................. 47 3 Bilinear M aps 49 3.1 Divisor T h e o ry ..................................................................................................... 49 3.1.1 Function on a Curve................................................................................. 50 3.1.2 Principal Divisor....................................................................................... 51 3.2 Weil Pairing.......................................................................................................... 54 3.2.1 Bilinearity of the Weil Pairing ............................................................... 55 3.3 Tate Pairing.......................................................................................................... 57 3.3.1 Bilinearity of the Tate P airin g :............................................................... 58 3.3.2 Reduced Tate P a irin g .............................................................................. 59 3.4 Modified Pairings................................................................................................. 60 3.5 Miller’s Algorithm for Pairing Com putation..................................................