Tate Pairing via Elliptic Nets: Test Cases and Implementation, Lecture notes of Design

Test cases and implementation details for the Tate pairing using the Elliptic Nets algorithm. It covers the development procedure, integration with an existing pairing-based cryptosystem, and the use of BN-Curves for the Tate pairing in both algorithms. The document also includes sample test cases to verify the correct implementation of the Elliptic Nets algorithm with the Tate pairing over different curves.

Typology: Lecture notes

2021/2022

Uploaded on 08/05/2022

A Java Based Software Solution For
Efficient Pairing Cryptography
Yejun Zou
Department of Computer Science
National University of Ireland, Maynooth
Co. Kildare
Ireland
This thesis submitted in partial fulfilment of the requirements for the M.Sc
Degree in Software Engineering
Supervisor: Dr. Joe Timoney
October 2010



Declaration

I hereby certify that this material, which I now submit for assessment on the program of study leading to the award of Master of Science in Computer Science by Research, is entirely my own work and has not been taken from the work of others save and to the extent that such work has been cited and acknowledged within the text of my work.

Signed: Date:

Acknowledgement

With my deepest affections and appreciations I would like to thank my supervisor, Dr. Joe Timoney, for his guidance, support and encouragement throughout this project. I also would like to thank IRCSET, Claude Shannon Institute and the computer science in NUI Maynooth for their financial and technical support in the past three years. Finally many thanks to my family and my friends for their support and encouragement.

Contents

  • List of Figures
  • List of Tables
  • 1 Introduction
    • 1.1 Overview
    • 1.2 What is Cryptography
      • 1.2.1 Terminology in Cryptography [39]
      • 1.2.2 Well known Ciphers
      • 1.2.3 Cryptographic Attacks
    • 1.3 Pairing Based Cryptography on Elliptic Curves
    • 1.4 Security of Pairing Based Cryptography
    • 1.5 Software & Cryptography
    • 1.6 Motivation of this project
    • 1.7 Outline of The Dissertation
  • 2 Mathematical Background
    • 2.1 Preliminaries
      • 2.1.1 Tate Pairing
      • 2.1.2 Miller's algorithm for Tate Pairing
    • 2.2 Elliptic Nets Theory
      • 2.2.1 Elliptic Divisibility Sequence
      • 2.2.2 Stange's Elliptic Net
      • 2.2.3 Tate Pairing using Elliptic Net
      • 2.2.4 Existing Approach
    • 2.3 Suitable Curves for Tate Pairing
      • 2.3.1 Supersingular Curves
      • 2.3.2 Barreto-Naehrig Curves
    • 2.4 Summary
  • 3 Design
    • 3.1 Current State of IBS
    • 3.2 Designing a New IBS
    • 3.3 Design for new curves
    • 3.4 Logical view of the Design
      • 3.4.1 Logical View of existing APIs
      • 3.4.2 Logical View of New APIs
    • 3.5 Software Development Strategy
      • 3.5.1 Waterfall Model
      • 3.5.2 V-Model
      • 3.5.3 Iterative and Incremental Development Model
      • 3.5.4 Our approach of Development process
    • 3.6 Summary
  • 4 Development
    • 4.1 Analysis of existing Elliptic Curve and Pairing libraries
    • 4.2 Development of the Elliptic Net System
      • 4.2.1 Class EDS
      • 4.2.2 Class Block
      • 4.2.3 Class EllipticNet
      • 4.2.4 Class TatePairingViaENet
    • 4.3 Evolving the IBS system
      • 4.3.1 Class blitz.curve.EllipticCurve
      • 4.3.2 Class blitz.Field.Extension.Fp2
      • 4.3.3 nonResidue in class csi.crypto.EllipticNets.EllipticNet
    • 4.4 Adding BN-Curves
      • 4.4.1 Field extension
      • 4.4.2 Curve Generation
      • 4.4.3 Tate Pairing over BN-Curves
    • 4.5 Complete System
    • 4.6 Summary
  • 5 Testing and Results
    • 5.1 Portability and Pre-settings
    • 5.2 User Test Cases
      • 5.2.1 Test cases of EDS and EllipticNet
      • 5.2.2 Test Cases of Tate Pairing Via Elliptic Nets algorithm
      • 5.2.3 Test Cases with a Random Input Value
      • 5.2.4 Condition Testing (White box testing)
    • 5.3 Performance Test
      • 5.3.1 Comparison over supersingular curves
      • 5.3.2 Comparison over BN-Curves
    • 5.4 Summary
  • 6 Conclusion
    • 6.1 Summary
    • 6.2 Future Work

List of Figures

  • 1.1 Diagram of Biometric Identity Based Signature Scheme [13]
  • 2.1 Example of Elliptic Net in [58]
  • 2.2 Doubling and Double-adding a Block Centered on W(k, 0)
  • 3.1 Tate Pairing inside IBS
  • 3.2 Desired New Tate Pairing inside IBS
  • 3.3 Package View of Existing Blitz in [12]
  • 3.4 Logical View of the Existing APIs
  • 3.5 Logical View of New APIs
  • 3.6 Waterfall Model of Software Development in [56]
  • 3.7 V-Model of Software Development in [56]
  • 3.8 Iterative and Incremental Model of Software Development in [24]
  • 3.9 Iterations of the Project
  • 4.1 Package Diagram of Elliptic Nets System
  • 4.2 Class Diagram of EllipticNets package
  • 4.3 Flow of Tate Pairing Computation
  • 4.4 Class Diagram of Fp12 and Fp12Element
  • 4.5 Class Diagram of CurveGen, BNCurve and TwistedCurve
  • 4.6 Flow of Generation of Random Point R on $E' : y^2 = x^3 + B$
  • 4.7 Comparison of the Two TatePairing Classes
  • 4.8 System View
  • 5.1 Control Flow Graph of TatePairing(int bits, int curveType) Generated by Visustin [1]
  • 5.2 Comparison of Computation Time for Miller's Algorithm with the Elliptic Nets Algorithm on Supersingular Curves as the Length of p is increasing
  • 5.3 The Relationship between the Length of P and the Difference of the Time Cost between the Two Algorithms
  • 5.4 Comparison of Computation Time for Miller's Algorithm with the Elliptic Nets Algorithm on BN-Curves as the Length of p is increasing

List of Tables

  • 1.1 Key-size Equivalence in [27]
  • 1.2 Bit sizes of curve parameters and corresponding embedding degree to obtain commonly desired levels of security [41]
  • 5.1 Test case of class EDS
  • 5.2 Test case of class EllipticNet
  • 5.3 Test case of Elliptic Nets Algorithm
  • 5.4 Test case of Elliptic Nets Algorithm
  • 5.5 Test case of Elliptic Nets Algorithm
  • 5.6 Test case of Elliptic Nets Algorithm
  • 5.7 Test case of Elliptic Nets Algorithm
  • 5.8 Test case of Random Value for Supersingular Curves
  • 5.9 Test Result for TestCase ID:
  • 5.10 Test case of Random Values for BN-Curves
  • 5.11 Test Result for TestCase ID:
  • 5.12 Test cases for TatePairing(int bitLength, int curveType)
  • 5.13 Test Result for Test Cases in Table 5.12
  • 5.14 Raw Benchmark for Supersingular Curve
  • 5.15 Raw Benchmark for BN-Curves

phy. Thus, the goal of this thesis is to apply a software engineering approach to the design, implementation and testing of a practical pairing based cryptosystem that is founded on the theory of Elliptic Nets. Its contribution is to implement a Java Elliptic Nets API, to modify the existing BIO-IBS system [13] so that it computes the Tate pairing through both Miller's algorithm and the Elliptic Nets algorithm, to implement a more secure type of curve, and to compare the performance of the two Tate pairing computation algorithms at different security levels on the two types of curves. This is the first structured Java implementation of Elliptic Nets and the first system to offer developers a choice of algorithm for the Tate pairing calculation.

1.2 What is Cryptography

The word cryptography comes from the Greek "kryptós" (hidden) and "gráphō" (to write) [39]. It is the science of hiding the meaning of information; generally speaking, it can be regarded as the conversion of information into a form that unwanted readers cannot understand. Prior to the early 20th century, cryptography was chiefly concerned with linguistic and lexicographic patterns. Since then it has intersected the disciplines of mathematics, computer science and engineering: schemes are derived using mathematical algorithms and implemented in software that runs on computers or embedded processors. These new forms of cryptography are strongly driven by rapid advances in computer communication technologies. Cryptography becomes necessary whenever sensitive data is transacted over an untrusted medium. It provides services such as keeping secrets from an unintended audience, authentication with a signature, verification of data integrity, and security certificates for communications.


1.2.1 Terminology in Cryptography [39]

  • Cipher: procedure to render messages unintelligible except to an authorized recipient;
  • Encryption: process to convert an original message to an unintelligible message;
  • Decryption: process to recover the original message;
  • Plaintext: original readable message;
  • Ciphertext: encrypted message;

1.2.2 Well known Ciphers

Modern cryptography can be categorized into symmetric ciphers, asymmetric ciphers and hash functions according to the number of keys. A symmetric cipher has only one private key, and this key is used for both encryption and decryption. Examples of symmetric ciphers include DES (Data Encryption Standard), triple-DES, AES (Advanced Encryption Standard), CAST-128, CAST-256, the One-time Pad, RC4, DES-X and IDEA (International Data Encryption Algorithm) [39]. An asymmetric cipher, also known as public key cryptography (PKC), involves two keys: a private key for decryption and a public key for encryption. Well-known asymmetric ciphers are El Gamal, RSA, Elliptic Curve Cryptography (ECC), McEliece and NTRUEncrypt [39]. Cryptographic hash functions, also called message digests, are often used to protect stored passwords and provide a measure of data integrity. The hash functions in common use today include MD5, SHA1, SHA-256, SHA-512 and

to encrypt or decrypt data ([55, 33, 60]). In the 1990s, many cryptographic schemes were based on the Discrete Logarithm Problem (DLP) [62], which is presumed to be a hard mathematical problem and is thus the basis of newer cryptographic schemes such as El Gamal and ECC, mentioned in Section 1.2.2. Pairings were shown to attack such schemes successfully [36, 23]. In [36], Menezes, Vanstone and Okamoto used the Weil pairing to reveal the weakness of supersingular curves (see Section 2.3.1). Later, in 1994, Frey and Rück published their attack (the FR attack) using the Tate pairing [23] to break DLP-based cryptography. This drove a need for more complex cryptographic schemes. For implementation purposes, however, they need to be efficient; otherwise a trade-off between efficiency and security is required.

1.3 Pairing Based Cryptography on Elliptic Curves

Conversely to pairing based attacks, pairings are also useful for designing complex cryptographic schemes, particularly in pairing-based elliptic curve cryptography [34]. This is a new asymmetric cipher technique and its use has exploded over the past six years [20]. The central idea is the construction of a mapping between two useful cryptographic groups, $G_1$ and $G_2$, which allows cryptographic schemes to be based on the reduction of a problem in one group to a different, usually easier, problem in the other group. Such a mapping $e$ is described below:

$e : G_1 \times G_1 \to G_2$

where $e$ is required to be a bilinear mapping, which means

$\forall P, Q \in G_1$ and $\forall a, b \in \mathbb{Z}_q^*$, $e(aP, bQ) = e(P, Q)^{ab}$.

This bilinearity is what makes pairings such as the Weil pairing and the Tate pairing useful, because it enables new identity-based cryptographic primitives. Identity-based (also known as ID-based) crypto schemes have the advantage that there is an explicit connection between a user's unique identification, such as an e-mail address or biometric measurement, and their private key. This eliminates the need for a public key distribution infrastructure: the authenticity of the public keys is guaranteed implicitly as long as the transport of the private keys to the corresponding users is kept secure. It also allows extra data, such as an expiration date for a message, to be embedded as part of a user ID in the system. Joux first introduced a pairing based one-round three-party key exchange in 2000 [2]. In 2001, Boneh and Franklin published the first ID-based encryption (IBE) scheme [7]. Since then there have been many approaches to ID-based cryptography, such as [9, 8, 63, 43]. In particular, in 2004 Java based approaches to IBE and IBS were introduced in [47, 19, 13].

The security of pairing based cryptography rests on the assumption that the Decision Diffie-Hellman (DDH) problem [10] is easily solved with a pairing function while the Computational Diffie-Hellman (CDH) problem remains infeasible. In short, the DDH problem can be described as follows: given $\langle P, aP, bP, cP \rangle$ with $a, b, c \in_R \mathbb{Z}_q^*$ and $P$ an affine point on the elliptic curve, determine whether $c = ab$. With a pairing this is solved easily by computing $e_1 = e(aP, bP)$ and $e_2 = e(P, cP)$: by bilinearity these equal $e(P, P)^{ab}$ and $e(P, P)^{c}$ respectively, so if $e_1 = e_2$ then $c = ab$.
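As an added worked example (not code from the thesis or its Blitz library), the DDH decision just described, run on a toy instance: a reduced Tate pairing computed with Miller's algorithm on the supersingular curve $y^2 = x^3 + x$ over $\mathbb{F}_p$ with $p \equiv 3 \pmod 4$, where the distortion map $\phi(x, y) = (-x, iy)$ turns it into the symmetric map $e : G_1 \times G_1 \to G_2$ of the text. The parameters $p = 43$, $r = 11$, the curve and the distortion map are constructed for illustration and are not taken from this section.

```python
# Added example (not the thesis's own code): a toy reduced Tate pairing on the
# supersingular curve y^2 = x^3 + x over F_p, p = 3 (mod 4), embedding degree
# k = 2, with distortion map phi(x, y) = (-x, i*y).  p and r are constructed:
p, r = 43, 11                    # #E(F_p) = p + 1 = 44 = 4 * r, r prime

def slope(T, P):                 # tangent slope if T == P, chord slope otherwise
    if T == P: return (3*T[0]*T[0] + 1) * pow(2*T[1], p - 2, p) % p
    return (P[1] - T[1]) * pow(P[0] - T[0], p - 2, p) % p
def add(P, Q):                   # affine addition on E(F_p); None = point at infinity
    if P is None or Q is None: return P if Q is None else Q
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0: return None
    lam = slope(P, Q); x3 = (lam*lam - P[0] - Q[0]) % p
    return (x3, (lam*(P[0] - x3) - P[1]) % p)
def mul(k, P):                   # double-and-add scalar multiplication
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R) if bit == '0' else add(add(R, R), P)
    return R

def fp2_mul(a, b):               # F_{p^2} = F_p[i]/(i^2 + 1); elements are (re, im)
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)
def fp2_pow(a, e):
    res = (1, 0)
    for bit in bin(e)[2:]:
        res = fp2_mul(res, res) if bit == '0' else fp2_mul(fp2_mul(res, res), a)
    return res

def line(T, P, Q):
    """Line through T and P (tangent if T == P) evaluated at phi(Q) = (-x_Q, i*y_Q).
    Vertical lines are skipped: they lie in F_p and the final exponentiation kills them."""
    if T is None or P is None or (T[0] == P[0] and (T[1] + P[1]) % p == 0):
        return (1, 0)
    lam = slope(T, P)
    return ((lam*(Q[0] + T[0]) - T[1]) % p, Q[1] % p)

def tate(P, Q):                  # reduced Tate pairing f_{r,P}(phi(Q))^((p^2-1)/r)
    f, T = (1, 0), P
    for bit in bin(r)[3:]:       # Miller's loop over the bits of r after the leading 1
        f, T = fp2_mul(fp2_mul(f, f), line(T, T, Q)), add(T, T)
        if bit == '1': f, T = fp2_mul(f, line(T, P, Q)), add(T, P)
    return fp2_pow(f, (p*p - 1) // r)

def order_r_point():             # first curve point found, times #E/r to get order r
    for x in range(1, p):
        v = (x**3 + x) % p; y = pow(v, (p + 1) // 4, p)   # sqrt, valid as p = 3 (mod 4)
        if y*y % p == v and mul((p + 1) // r, (x, y)) is not None:
            return mul((p + 1) // r, (x, y))
def ddh(P, aP, bP, cP):          # DDH decision of Section 1.3: does c = ab (mod r)?
    return tate(aP, bP) == tate(P, cP)
```

Because the final exponent $(p^2 - 1)/r$ is a multiple of $p - 1$, every factor lying in $\mathbb{F}_p$ (in particular the vertical lines) is mapped to 1, which is why the loop can omit them; `tate(mul(a, P), mul(b, P))` then equals `fp2_pow(tate(P, P), a * b)`, the bilinearity law of the text.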

1.4 Security of Pairing Based Cryptography

The security of a pairing based cryptosystem relies on two parameters: the bit length of $r$ and the bit size of the extension field, $k \log_2 p$, where $k$ is the embedding degree and $p$ is the number of elements in the finite field. The embedding degree is the degree of the extension field into which the pairing maps. The parameters need to be chosen large enough that the discrete logarithm problem is hard both in the subgroup of the curve and in the finite field [41]. An elliptic curve with a small embedding degree and a large prime-order subgroup is said to be pairing friendly. According to [22], much work has been done on matching the bit sizes of curve parameters to commonly desired levels of security. Table 1.2 from [22] shows the bit sizes of curve parameters and the corresponding embedding degrees needed to obtain commonly desired levels of security, where

$\rho = \log p / \log r$

Security level   Subgroup size   Extension field size   Embedding degree k
(bits)           r (bits)        q^k (bits)             ρ ≈ 1      ρ ≈ 2
80               160             960-1280               6-8        2*, 3-
112              224             2200-3600              10-16      5-
128              256             3000-5000              12-20      6-
192              384             800-10000              20-26      10-
256              512             14000-18000            28-36      14-

Table 1.2: Bit sizes of curve parameters and corresponding embedding degree to obtain commonly desired levels of security [41]

In general, efficient pairing computation calls for curves with a rather small embedding degree. However, to raise the security level it is more efficient to increase $k$ than to increase $p$ [41].


1.5 Software & Cryptography

Most cryptographic schemes are implemented as software programs. Well-known examples include PGP [17] and NTRUEncrypt [25]. Biometric cryptography normally involves a hardware interface for capture, but the processing is done either on a computer or on an embedded processor. There are some existing Java based software solutions for cryptography. Sun has provided security services and utilities since J2SE 1.4.2, including the most common hash functions and symmetric and asymmetric ciphers. Up to their latest JDK 1.6.21, the java.security package with its sub-packages, together with the javax.security.* packages, provides the most popular security services, including digital certificates, digital signatures, public key cryptography, and authentication [46]. [26] is another well-known Java based security provider; their products are also free of charge for educational and research purposes. They provide ECC, including the Elliptic Curve Diffie-Hellman protocol and the Elliptic Curve Digital Signature protocol. These do not meet our system specification, as they are not suitable for an identity based cryptographic scheme. We applied pairings to enable an identity based cryptographic scheme. Since pairing computation is still very time consuming compared with other ciphers, there is no official or commercially released library in this area.

The cryptographic scheme in [13] was the first Java approach to pairing based cryptography, as mentioned in Section 1.1. Figure 1.1 shows the system structure, which includes four main stages named Biometric Extraction, Fuzzy Extraction, Parameter Selection, and the IBS system [13].