
TECHNISCHE UNIVERSITEIT EINDHOVEN
Department of Mathematics and Computing Science

MASTER'S THESIS

Pairing-Based Cryptography

by Martijn Maas

Eindhoven, January 2004

Supervisor: Prof. dr. ir. H.C.A. van Tilborg
Advisors: Dr. B.M.M. de Weger, Drs. G. Schmitz, Dr. ir. P.A.H. Bours

Acknowledgements

I would like to take this opportunity to express my gratitude to some people who were involved in this project. First of all, I owe thanks to Henk van Tilborg for being my overall supervisor and arranging current and previous projects. I would like to thank Benne de Weger, who was closely involved in the writing of this report, for the fruitful discussions and useful advice. Thanks are due to Hans Cuijpers for being on my committee. Patrick Bours and Gido Schmitz deserve thanks for supervising the project and editing this report. Special thanks goes out to Gido, who put a great deal of effort into teaching me all about elliptic curves and making this project into a valuable and enjoyable experience.

On a more personal note, I would like to mention some people who mean a lot to me. First of all Vincent, who provided me with a bed to sleep in and, more importantly, a place to call home in The Hague. Thanks go out to Ard Jan and Maarten who were always there for me, especially whenever I needed a drink after a train ride across the country. Last but by no means least, I would like to thank Ciska and Hans for their unconditional support.

Contents

Acknowledgements  3
1 Introduction  7
  1.1 Project Background  7
  1.2 Project Description  8
  1.3 Report Outline  8
2 Preliminaries  11
  2.1 Elliptic Curves  11
  2.2 Functions on an Elliptic Curve  13
  2.3 Multiplicity of Zeros and Poles  14
  2.4 Divisor Theory  14
  2.5 Computing the Function of a Principal Divisor  16
    2.5.1 Example  17
3 Weil Pairing  19
  3.1 Definition  19
  3.2 Properties  21
  3.3 Alternative Definition  23
  3.4 Miller's Algorithm for the Weil Pairing  26
    3.4.1 Example  27
    3.4.2 Implementation in Mathematica  28
4 Tate Pairing  30
  4.1 Definition  30
  4.2 Properties  31
  4.3 Miller's Algorithm for the Tate Pairing  33
    4.3.1 Example  35
    4.3.2 Implementation in Mathematica  36
  4.4 Comparison with the Weil Pairing  36
    4.4.1 Algebraic Relation  36
    4.4.2 Efficiency of the Pairings  38
  4.5 Efficient Implementation of the Tate Pairing  38
    4.5.1 Adaptation of the Algorithm  38
    4.5.2 Choice of Parameters  39
5 Embedding Degree  41
  5.1 A Lower Bound  41
  5.2 Additional Conditions  42
    5.2.1 Example  43
  5.3 Curves with Small Embedding Degree  44
    5.3.1 Supersingular Curves  44
    5.3.2 MNT-Curves  46
6 Distortion Maps  48
  6.1 Definition  48
    6.1.1 Non-Supersingular Curves  48
    6.1.2 Supersingular Curves  49
  6.2 Modified Pairings  50
  6.3 Cryptographic Use  50
    6.3.1 Asymmetric Pairings  51
    6.3.2 Symmetric Pairings  51
7 Elliptic Curve Cryptography  52
  7.1 Introduction to the Discrete Logarithm Problem  52
    7.1.1 Discrete Logarithm and Related Problems  52
    7.1.2 Attacks on the Discrete Logarithm Problem  53
    7.1.3 Some Standard Protocols  54
  7.2 Discrete Logarithm on Elliptic Curves  55
    7.2.1 Use of Elliptic Curves  55
    7.2.2 Reductions to Other Groups  55
    7.2.3 Security Issues  57
  7.3 Gap Diffie-Hellman Groups  58
    7.3.1 Definition  58
    7.3.2 Realization with Pairings  59
    7.3.3 Bilinear Diffie-Hellman Problem  60
    7.3.4 Security Issues  61
8 Identity-Based Cryptography  63
  8.1 Definition  63
    8.1.1 Public-Key Cryptography  63
    8.1.2 Identity-Based Cryptography  64
    8.1.3 Security of Identity-Based Cryptosystems  65
  8.2 Comparison to PKI  67
  8.3 Realization with Pairings  71
    8.3.1 The BasicIdent IBE Scheme  71
    8.3.2 The FullIdent IBE Scheme  73
    8.3.3 Observations on IBE  74
    8.3.4 Identity-Based Signature Scheme  75
    8.3.5 Other Identity-Based Applications  76
9 Other Applications of Pairings  78
  9.1 Joux's Tripartite Diffie-Hellman Key Exchange  78
  9.2 Short Signatures  79
10 Concluding Remarks  81
  10.1 Theory of the Pairings  81
    10.1.1 The Weil versus the Tate Pairing  81
    10.1.2 Suitable Curves  82
    10.1.3 Further Research  82
  10.2 Pairing-Based Cryptography  83
    10.2.1 Identity-Based Cryptography  83
    10.2.2 Security of Pairing-Based Cryptography  84
    10.2.3 Further Research  84
Bibliography  85
Index  90
A Mathematica Code  92

Chapter 1 Introduction

This report is the result of my graduation project in completion of the Master program Industrial and Applied Mathematics at the Eindhoven University of Technology (TU/e). It has been written in order to obtain the degree of Master of Science. The project has been carried out at the Netherlands National Communications Security Agency (NLNCSA), which is part of the General Intelligence and Security Service (GISS) in Leidschendam.

1.1 Project Background

Elliptic curves have been a subject of research for a long time already. They naturally occur in the study of congruent numbers and Diophantine equations. Initially, researchers were mainly interested in finding points on elliptic curves over infinite fields such as the field of rational or real numbers. The study of curves over finite fields, which at first sight seem to form rather boring abelian groups, aided in finding such points.

In 1985, however, elliptic curves over finite fields found an application of their own in cryptography. Koblitz and Miller independently realized that discrete logarithm-based cryptosystems might provide better security when defined on the group of points on an elliptic curve rather than on the conventional multiplicative group of a finite field. Or alternatively, they figured, elliptic curves could enable shorter keys while providing a similar level of security. Since then, a lot of research effort has been put into elliptic curve cryptography and numerous cryptosystems have been proposed. Some of them, however, proved less secure than initially assumed, as the structure of the proposed elliptic curves provides tools to attack the system.

This is where pairings first come into play. A pairing in this context is a function that takes as input two points on an elliptic curve and outputs an element of some multiplicative abelian group. Furthermore, a pairing satisfies some special properties, the most important of which is bilinearity. Due to these special properties, pairings are hard to construct. The two pairings that are known at present are the Weil pairing and the Tate pairing. In 1993, Menezes et al. discovered that the Weil pairing can be used to attack discrete logarithm-based systems on a certain class of elliptic curves; this is the so-called MOV-reduction. One year later, Frey and Rück used the Tate pairing to describe a similar attack, called the FR-reduction.

This cryptanalytic use was the only known application of pairings for a long time. In 2000, however, Joux discovered that pairings can be used as cryptographic building blocks as well. The bilinearity of the pairings enables many cryptosystems with interesting properties. Joux's discovery spurred extensive research into new applications based on pairings. The large number of articles on pairing-based cryptography that have appeared since 2000 indicates the tremendous amount of research effort put into this subject. An excellent reference is Barreto's 'Pairing-Based Crypto Lounge' [4].

Undoubtedly the most striking application of pairings is the realization of identity-based cryptography. In this variant of public-key cryptography, already proposed by Shamir in 1984, users' public keys are derived from their identity and the corresponding secret keys are generated by some trusted party. The fact that public keys are linked to the users' identity guarantees their authenticity and therefore removes the need for certificates as in conventional public-key cryptosystems. Some satisfactory identity-based signature schemes were proposed soon after Shamir described the concept of identity-based crypto. The implementation of an identity-based encryption scheme, however, remained an open problem until Joux's discovery of the constructive use of pairings. In 2001, Boneh and Franklin were able to design an efficient identity-based encryption scheme through pairings. (Simultaneously, Cocks came up with a non-pairing-based solution; we do not deal with this scheme.) Soon identity-based signature schemes appeared that are compatible with the encryption scheme by Boneh and Franklin, thus yielding a complete and fully functional solution to the open problem put by Shamir. Besides identity-based systems, numerous other pairing-based schemes with interesting properties have appeared, such as an efficient key agreement protocol and a signature scheme with short signatures.

1.2 Project Description

It is of great importance for the NLNCSA to keep abreast of the recent developments in cryptography. Therefore, the aim of this project is to gain knowledge of the current status of pairing-based crypto in general and identity-based crypto in particular. This includes the mathematics involved on the one hand and the potential applications on the other. The fact that in this subject challenging mathematics lies close to real-life applications (in contrast to most interesting mathematics, where usually a