One option for a digital signature solution for devices with low memory and low bandwidth transmission over channels uses a short digital signature scheme based on Weil bilinear pairing aimed at short processing times, fast computation, and convenient deployment on applications.
MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE DOI: 10.31276/VJSTE.64(4).03-09 Implementation of Boneh - Lynn - Shacham short digital signature scheme using Weil bilinear pairing based on supersingular elliptic curves Nhu-Quynh Luc*, Quang-Trung Do, Manh-Hung Le Academy of Cryptography Techniques Received May 2022; accepted 14 July 2022 Abstract: One option for a digital signature solution for devices with low memory and low bandwidth transmission over channels uses a short digital signature scheme based on Weil bilinear pairing aimed at short processing times, fast computation, and convenient deployment on applications The computational technique of non-degenerate bilinear pairings uses supersingular elliptic curves over a finite field Fpl (where p is a sufficiently large prime number) and has the advantage of being able to avoid Weil-descent, Menezes-Okamoto-Vanstone (MOV) attacks, and attacks by the Number Field Sieve algorithm Compared to Elliptic Curve Digital Signature Algorithm (ECDSA) digital signature schemes, generating a digital signature for a Boneh-Lynn-Shacham (BLS) scheme using Weil bilinear pairing on a supersingular elliptic curve is simple In this study, the authors replace non-degenerate bilinear pairing calculations on a supersingular elliptic curve with a Weil pairing with PϵE(Fp ), QϵE(Fp1) and a higher security multiplier α=12 in the BLS short digital signature scheme The execution time of the BLS short digital signature program showed improvement compared to the commercial ECDSA digital signature scheme Keywords: digital signature, ECDSA, elliptic curve cryptography, tate pairing, Weil pairing Classification number: 1.2 Introduction Information exchange between devices and applications requires security and authentication with high reliability per the demanding strict standards of this digital era New requirements for digital signature solutions such as short digital signatures, fast processing speeds, message authentication without transmissions, and digital signature on short message and low bandwidth channel transmissions are essential for today’s applications [1-5] To date, short digital signature solutions and signature authentication using the calculation of an elliptic curve, such as ECDSA, Elliptic Curve-based Schnorr Digital Signature Algorithm (ECSDSA), or Edwards-Curve Digital Signature Algorithm (EdDSA) have been applied widely in commercial products [1, 2, 6-9] Among these, the digital signature solution with a short digital signature using the calculation of Weil and Tate bilinear pairing of the authors Boneh, Lynn, Schacham (2001) (denoted by the BLS short digital signature scheme) proves to meet the requirements [2, 10] The BLS scheme uses a special supersingular curve with p=3, which raises the security level of the BLS scheme to be equivalent to the Digital Signature Algorithm (DSA) using a 1024-bit prime number [11-13] The BLS short digital signature scheme is secure against attack with selected messages (according to a random oracle model), given that “Computational Diffie-Hellman based on an elliptic curve over finite field Fpl (where p is a sufficiently large prime number) being difficult to solve” [1, 2] The advantage of the BLS scheme when generating a digital signature is its simplicity as both the digital signature and signature verification processes use a non-degenerate bilinear pairing (Weil and Tate bilinear pairings) on the elliptic curve [2, 6, 10, 14-18] Since this non-degenerate bilinear pairing calculus technique uses a supersingular elliptic curve over finite field Fp, such that both generic discrete log algorithm in E(Fp ) and the Number Field Sieve in Fpl * are intractable, it is resistant to some Weil descent and MOV attacks [11, 12], as well as attacks by the Number Field Sieve algorithm [19-21] Several publications have shown that elliptic curve cryptography (ECC) built on non-degenerate bilinear pairing could be a secure cryptosystem for today’s applications with one particular development being the supersingular isogeny DiffieHellman (SIDH) [7, 22, 23] This solution aims towards short processing time, fast computation, and convenient deployment on applications, making it fit for devices with low memory and transmission over low bandwidth channels The authors have used computational techniques of Weil non-degenerate bilinear pairing (with a higher security multiplier α=12) in building a BLS short digital signature scheme based on a supersingular elliptic curve with functions for key generation, digital signature, and signature verification Corresponding author: Email: quynhln@actvn.edu.vn * DECEMBER 2022 • VOLUME 64 NUMBER development being the supersingular isogeny Diffie-Hellman 21] Several publications have shown that elliptic curve cryptography (ECC) built on non-degenerate bilinear pairing could be a secure cryptosystem for today’s applications towards short processing time, and convenient withfast onecomputation, particular development being the supersingular isogeny Diffie-Hellman tions, making it fit for devices with low memory (SIDH) [7, 22, 23] and transmission annels The authors have used computational techniques of Weil SCIENCE | COMPUTER SCIENCE MATHEMATICS AND COMPUTER This solution aims towards short processing time, fast computation, and convenient r pairing (with a higher security multiplier α=12) in building a deployment on applications, making it fit for devices with low memory and transmission blications havebased shown elliptic curve cryptography nature scheme on that a supersingular elliptic curve with(ECC) built on over low bandwidth channels The authors have used computational techniques Draw the vertical lineofn2Weil , which is the line connecting R1 and the point∞ The line n2 bilinear pairing could be signature a works secure verification cryptosystem for today’s applications ration, digital signature, and line connecting R1 and the point ∞ The line n2 intersects E at the third Related on the BLSpairing short digital signatures schemeα=12) in building non-degenerate bilinear (with a higher security intersects multiplier E at the third point,a which is R2 (𝑅𝑅 = 𝑃𝑃 + 𝑄𝑄) The lines n1 and n2 are functions point, which is R2 (R22=P+Q) The lines n1 and n2 are functions on E cular being the scheme supersingular isogeny Diffie-Hellman he BLSdevelopment short digital signatures BLS short digital signature scheme a supersingular elliptic curve with Mathematical basis of Weil andbased Tateon pairing on Ebased and haveona main divisor and have[2]: a main divisor [2]: 23] Supersingular Elliptic curves digital functions generation, is of Weil and Tate pairing based for on key Supersingular Ellipticsignature, and signature verification 𝑑𝑑𝑑𝑑𝑑𝑑(𝑛𝑛1 ) = [𝑃𝑃] + [𝑄𝑄] + [𝑅𝑅1 ] − 3[∞] { points important in the calculations of Weil on aims towards short Torsion processing time,play fast computation, and convenient Related works on an the BLS shortrole digital signatures scheme 𝑑𝑑𝑑𝑑𝑑𝑑(𝑛𝑛2 ) = [𝑅𝑅1 ] + [𝑅𝑅2 ] − 2[∞] and Tate bilinear pairings on elliptic curves and usually torsion points applications, it fit forMathematical devices memory and Tate transmission y an importantmaking role in the calculations of with Weil low and Tate bilinear of Weil and pairing based Divisor on Supersingular [𝑄𝑄′] − [𝑆𝑆]Elliptic will be equivalent 𝐷𝐷𝑄𝑄 be = [𝑄𝑄] − [∞], sotoSDisQ=[Q]-[∞], chosen at random Divisor [Q']-[S]towill equivalent so S is chosen are points of finite orderbasis [1, 7] width channels The authors have used techniques of Weil ves and usually torsion points are points of computational finite order [1, 7] curves at random Calculate gD at D , where at each step in the algorithm 𝑔𝑔𝐷𝐷𝑃𝑃 aat DQ, where at each step in theP algorithm T1 is the point obtained by Q Definition 1: Given an elliptic curve E over a Calculate field K and integer is the point obtained by computing mP where m is an higher security multiplier α=12) in building a computing 1m is an integer represented in binary of the binary expansion of n Torsion important role in the calculations of Weil andwhere TateTbilinear nbilinear an ellipticpairing curve E(with over aafield K and an.points positive integer n.of Then, positive integer Then,play theanset n-torsion points is defined asmP the represented in binary of the binary expansion of n Calculate f to pairings elliptic curves and usually points are Calculate points of finite [1, value 7] at [𝑄𝑄′] − [𝑆𝑆] of the function f satisfying𝑚𝑚([𝑃𝑃] − [∞]) = ital scheme based a supersingular elliptictorsion curve with set nts issignature defined as the set 𝐸𝐸[𝑛𝑛] = {𝑃𝑃 on ∈on𝐸𝐸(𝐾𝐾)|𝑛𝑛𝑛𝑛 = ∞} [1] [1] f1 toorder be the be the value at [Q']-[S] of the function f satisfying m([P]-[∞])=[T1]y generation, and signature verification Definition 1:𝑥𝑥 𝑛𝑛Given anofelliptic curve E over a field a positive integer[∞]+div(f) n.At Then, of the algorithm the value=reaches =∞,f ]− [∞] + 𝑑𝑑𝑑𝑑𝑑𝑑(𝑓𝑓) the endAt ofthe theend algorithm the value reaches𝑇𝑇 ∞, 𝑓𝑓 =T𝑔𝑔𝐷𝐷 =gD ristic of K is not digital divisiblesignature, by n, the equation = does not Since the characteristic K ishave not divisible by Kn,[𝑇𝑇and the equation 1 1 𝑃𝑃 P 𝑔𝑔(𝑃𝑃+𝑆𝑆) n = {𝑃𝑃 ∈ in n that f1 is It= follows [Q']-[S]𝑔𝑔𝐷𝐷 of the function gDP satisfying the ofcyclic n-torsion is defined thehas set n 𝐸𝐸[𝑛𝑛] 𝐸𝐸(𝐾𝐾)|𝑛𝑛𝑛𝑛 = [1] does have multiple solutions, but solutions and μn∞} x𝐾𝐾n=1 For 𝑆𝑆notsignatures 𝐸𝐸[𝑛𝑛], 𝑃𝑃points ∈of𝐸𝐸[𝐾𝐾], g(P+S) = f(n(P+S)) = f(nP) g(P) Thus It follows that f1 is the value at [𝑄𝑄′] −the [𝑆𝑆] value of∈theatfunction − solutions in[𝑅𝑅]) and 𝜇𝜇𝑛𝑛 set is a∈ group order n.then Anas 𝑃𝑃 satisfying 𝑚𝑚([𝑃𝑃] s has on nthe BLS short digital scheme 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃) n n k m([P]-[∞])=div(gD ) as required by the definition of the Tate pairing is a cyclic group of order n An element ζ∈μ satisfies ζ =1 if and only 𝑅𝑅]) For 𝑆𝑆 ∈ 𝐸𝐸[𝑛𝑛], 𝑃𝑃 ∈ 𝐸𝐸[𝐾𝐾], then g(P+S) = f(n(P+S)) = f(nP) = g(P) Thus ∈ P 𝑛𝑛 n [∞]) = 𝑑𝑑𝑑𝑑𝑑𝑑(𝑔𝑔𝐷𝐷 ) as required by the definition of the Tate pairing For 𝑃𝑃 ∈ 𝐸𝐸(𝐹𝐹 ), 𝑄𝑄 ∈ es 𝜁𝜁 𝑘𝑘 = if and only if n is divisible bycharacteristic K, then 𝜁𝜁 isofcalled a divisible Since the K is not by n, the equation 𝑥𝑥 = does not have 𝑃𝑃 𝑔𝑔(𝑃𝑃)𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) For P∈E(F ),Q∈E(Fpl) the Tate pairing is calculated𝑝𝑝 according to cal basis of Weil pairing based Elliptic ifand nand is Tate divisible by K, then ζonis Supersingular called a primitive rootWeil of degree n [1].is 𝑒𝑒 (𝑆𝑆, p 𝜇𝜇 not depend on P Hence, the pairing 𝑇𝑇) = 𝑛𝑛 𝑛𝑛 e n [1] 𝑔𝑔(𝑃𝑃+𝑆𝑆) Tate calculated according formula ⟨𝑃𝑃, 𝑄𝑄⟩𝑛𝑛 and the modified multiple a cyclic group of pairing order An 𝑙𝑙 ), the 𝑔𝑔(𝑃𝑃) solutions, but has n solutions in 𝐾𝐾 and 𝜇𝜇𝑛𝑛 is 𝐸𝐸(𝐹𝐹 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃+𝑆𝑆) then.isformula 〈P,Q〉 and to thethemodified Tate-Lichtenbaum pairing is n depend2:on P.there Hence, the Weil pairing is 𝑒𝑒𝑛𝑛𝑝𝑝(𝑆𝑆,n 𝑇𝑇) = calculated l 𝑛𝑛 and 𝑔𝑔(𝑃𝑃) not Definition Let be be an 𝑘𝑘an elliptic curve E over K and by formula (1) with powers (p -1)/n [1, 3, 7] 𝑔𝑔(𝑃𝑃) 𝑙𝑙 element 𝜁𝜁 = if and only if n is divisible by K, then 𝜁𝜁 is called isa calculated by formula (1) with powers (𝑝𝑝 − 1)/𝑛𝑛 [1, 3, here be an elliptic curve E over K and𝜁𝜁n∈be𝜇𝜇𝑛𝑛ansatisfies integer not divisible Tate-Lichtenbaum pairing integer not divisible by Let the of characteristic of Kbilinear such and that 𝐸𝐸/𝐹𝐹 E[n]⊆E[K] Definition [2]: p[1] be a prime 𝑝𝑝 an elliptic curve with m points ints play an𝐸𝐸[𝑛𝑛] important in the theWeil calculations Weil and Tatepower, primitive root of degreeisnthe K such that ⊆ 𝐸𝐸[𝐾𝐾].role Then, pairing mapping 7].[2] 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) Algorithm 1: Miller’s algorithm for computation with Tate the Weil pairing is𝐸𝐸[𝐾𝐾], the power, mapping en:E[n]×E[n]→μ nnn𝐸𝐸/𝐹𝐹 an elliptic Definition [𝑅𝑅]) 3Then, [2]:For Let ppoints be a𝑃𝑃are and curve n= 𝑝𝑝 [𝑅𝑅]) For For 𝑆𝑆𝑆𝑆𝑆𝑆Let ∈∈∈ 𝐸𝐸[𝑛𝑛], 𝐸𝐸[𝑛𝑛], 𝐸𝐸[𝑛𝑛], 𝑃𝑃𝑃𝑃prime ∈∈𝐸𝐸/𝐹𝐹 ∈points 𝐸𝐸[𝐾𝐾], 𝐸𝐸[𝐾𝐾], then then then g(P+S) g(P+S) g(P+S) === f(n(P+S)) f(n(P+S)) f(n(P+S)) = =f(nP) f(nP) f(nP) == =where g(P) g(P) g(P)nn.n.with Thus Thus Thus ∈∈∈ say that the ̸ m points ptic torsion of finite order [1, 7] [2] curves and usually in[𝑅𝑅]) 𝐸𝐸(𝐹𝐹 ) P in be a point of primer order q 𝑞𝑞 | 𝑚𝑚 We 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) Definition 2: Let there be an elliptic curve E over K and n be an integer not divisible bilinear pairings [2, 7] 𝑝𝑝 𝑝𝑝 Algorithm 1: Miller's algorithm for computation with Tate bilinear pairings [2, 7] Given T∈E[n], there exists a function f such that div(f)=n[T]-n[∞] pairing ̸ 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) by the characteristic of K such that 𝐸𝐸[𝑛𝑛] ⊆ 𝐸𝐸[𝐾𝐾] Then, the Weil is the mapping nhere P𝜇𝜇𝜇𝜇𝜇𝜇curve in 𝐸𝐸/𝐹𝐹 be anot= of primer order q pairing where |(𝑆𝑆, 𝑚𝑚 We the ∗ E over the field F Two points P and exists a Let function f and such 𝑛𝑛[𝑇𝑇] 𝑛𝑛[∞] Then 𝑝𝑝 ) 𝑝𝑝 𝑑𝑑𝑑𝑑𝑑𝑑(𝑓𝑓) Input: Let the of elliptic 1: 𝐸𝐸(𝐹𝐹 Given an elliptic Ethat over ahas field K and− aon positive integer n.Weil Then, 2depend ⟨𝑃𝑃⟩ and do not not depend on on P P P.there Hence, Hence, Hence, the the the pairing pairing is isis𝑞𝑞𝑒𝑒𝑒𝑒𝑛𝑛𝑒𝑒𝑛𝑛Let (𝑆𝑆, (𝑆𝑆,𝑇𝑇) 𝑇𝑇) 𝑇𝑇) = = = 0,say the that subgroup apoint security multiplier α,Weil for some integer 𝛼𝛼 > ifcurve order in curve 𝐹𝐹 the elliptic E over the pfield 𝐹𝐹𝑞𝑞𝑝𝑝 Two points P and Q pon E are points 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) Then T'∈E[n ]depend with nT'=T, exists gWeil such that Input: div(g)=∑ 𝑛𝑛𝑛𝑛𝑛𝑛and 𝑛𝑛 n choose n f(nP) = g(P) n 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) R∈E[n] +S)) f(nP) Thus ∈→ P+S)= = f(n(P+S)) = =𝑔𝑔(𝑃𝑃) g(P) Thus ∈ 𝑒𝑒 : 𝐸𝐸[𝑛𝑛] × 𝐸𝐸[𝑛𝑛] 𝜇𝜇 [2] 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑛𝑛 𝑛𝑛 Q on E are points of order n n − n 𝑔𝑔(𝑃𝑃) ∑𝑅𝑅∈𝐸𝐸[𝑛𝑛] n n hion 𝑛𝑛𝑛𝑛′points = 𝑇𝑇, there exists g such that 𝑑𝑑𝑑𝑑𝑑𝑑(𝑔𝑔) = ([𝑇𝑇′ + 𝑅𝑅] ∗ [𝑅𝑅]) For 𝑆𝑆 ∈ 𝐸𝐸[𝑛𝑛], 𝑃𝑃 ∈ 𝐸𝐸[𝐾𝐾], then g(P+S) = f(n(P+S)) = f(nP) = g(P) Thus ∈ ([T'+R]-[R]) For S∈E[n], P∈E[ ], then g(P+S) =f[n(P+S)]=f(nP)=g(P) is defined aassecurity the set 𝐸𝐸[𝑛𝑛] =n {𝑃𝑃𝑔𝑔(𝑃𝑃+𝑆𝑆) ∈ 𝐸𝐸(𝐾𝐾)|𝑛𝑛𝑛𝑛 = ∞} [1] ubgroup α,∈ for∈ some integer 𝛼𝛼 > 0, if n.the order 𝑔𝑔(𝑃𝑃+𝑆𝑆) of order 𝑔𝑔(𝑃𝑃) of p in 𝐹𝐹𝑞𝑞 n nmultiplier n ⟨𝑃𝑃 ⟩ has is= α In other S) = f(n(P+S)) f(nP) = g(P) Thus g(P+S) = f(n(P+S)) =𝑔𝑔(𝑃𝑃+𝑆𝑆) f(nP) =words: Thus 𝑔𝑔(𝑃𝑃+𝑆𝑆) Output: The value f1 satisfies the definition of a Tate pairing 𝑔𝑔(𝑃𝑃) ∈ 𝐸𝐸[𝑛𝑛], a function fand such that 𝑑𝑑𝑑𝑑𝑑𝑑(𝑓𝑓) = 𝑛𝑛[𝑇𝑇] − 𝑛𝑛[∞] Then 𝑔𝑔(𝑃𝑃) Definition Definition Definition 3g(P) 3𝑇𝑇) 3n[2]: [2]: [2]: Let Let pthere ppbe be be aprime prime prime power, power, power,and and 𝐸𝐸/𝐹𝐹 𝐸𝐸/𝐹𝐹 𝐸𝐸/𝐹𝐹 an an an elliptic elliptic elliptic curve curve curve with with with mm mpoints points points airing 𝑒𝑒𝑛𝑛 (𝑆𝑆, 𝑇𝑇) = ∈μ Thus and not depend on P Hence, the Weil nce, theisWeil pairing is𝑔𝑔(𝑃𝑃) 𝑒𝑒Given𝑇𝑇 =Let aaexists 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑛𝑛 (𝑆𝑆, The value f1 satisfies the definition of a Tate pairing (Theorem 2) 𝑛𝑛 the Weil pairing is 𝑒𝑒 Output: 𝑔𝑔(𝑃𝑃) 𝜇𝜇of not depend on P Hence, haracteristic K is not by n, the equation 𝑥𝑥𝑇𝑇, = does not have 𝑛𝑛 and 𝑛𝑛 (𝑆𝑆, 𝑇𝑇) = 𝑔𝑔(𝑃𝑃) (Theorem 2) 2𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑔𝑔(𝑃𝑃+𝑆𝑆) se, α In other words: 𝑔𝑔(𝑃𝑃)divisible ∑ choose 𝑇𝑇′ ∈ 𝐸𝐸[𝑛𝑛 ] with 𝑛𝑛𝑛𝑛′ = there exists g such that 𝑑𝑑𝑑𝑑𝑑𝑑(𝑔𝑔) = ([𝑇𝑇′ + 𝑅𝑅] − 𝛼𝛼 𝑇𝑇) the Weil pairing 𝑒𝑒𝑛𝑛 (𝑆𝑆, ̸𝑝𝑝 𝑘𝑘be pairing Hence, the Weil pairing is (𝑆𝑆, 𝑇𝑇) = ̸𝑅𝑅∈𝐸𝐸[𝑛𝑛] 𝑞𝑞|𝑝𝑝 − 1= and 𝑞𝑞| − aa1apoint for all 𝑘𝑘primer = 1,2, q,qq𝛼𝛼where −1.1.Randomly 𝑛𝑛 select ∈ 𝐸𝐸(𝐹𝐹 𝑄𝑄′ =F 𝑄𝑄l) + 𝑆𝑆 ∈calculate 𝐸𝐸(𝐹𝐹𝑝𝑝𝑙𝑙 ) Q'=Q+S∈E(F l) 𝑔𝑔(𝑃𝑃) in ininis 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 ) ).).𝑒𝑒Let Let Let PPpoints P in inin 𝐸𝐸/𝐹𝐹 𝐸𝐸/𝐹𝐹 𝐸𝐸/𝐹𝐹 be be point point of ofofprimer primer order order order where where 𝑞𝑞𝑞𝑞𝑞𝑞22|2|̸𝑚𝑚 |̸𝑚𝑚 𝑚𝑚.We We We say say say𝑆𝑆that that that the the the𝑝𝑝𝑙𝑙 ) and calculate 𝑔𝑔(𝑃𝑃) and Randomly select S∈E( 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 /𝐹𝐹 an elliptic curve with m power, and 𝐸𝐸/𝐹𝐹 an elliptic curve with m points p p 𝑝𝑝 ons,𝑝𝑝 but has n solutions in3𝐾𝐾[2]: and 𝜇𝜇𝑛𝑛p is group of n.anAn Definition Let be aapcyclic prime power, andorder 𝐸𝐸/𝐹𝐹 elliptic curvecurve with m points 𝑝𝑝 E/F Definition [2]: Let be a prime power, and an elliptic 𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝛼𝛼 𝑘𝑘 n n 2.pinin Let l=[log (n)]-1,T1=P,f1=1 ̸𝑝𝑝then p Let 𝑙𝑙ifif= [𝑙𝑙𝑙𝑙𝑙𝑙 − 1, 𝑇𝑇 For 𝑆𝑆 ∈ 𝐸𝐸[𝑛𝑛], 𝑃𝑃 ∈ 𝐸𝐸[𝐾𝐾], g(P+S) = f(n(P+S)) = f(nP) = g(P) Thus ∈ 𝑞𝑞|𝑝𝑝 − and 𝑞𝑞| − for all 𝑘𝑘 = 1,2, , 𝛼𝛼 − 2 ( 𝑛𝑛)] 1∗∗∗= 𝑃𝑃, 𝑓𝑓12 = ower, and 𝐸𝐸/𝐹𝐹 an elliptic curve with m points ⟨𝑃𝑃⟩ ⟨𝑃𝑃⟩ ⟨𝑃𝑃⟩ ̸ subgroup subgroup subgroup has has has a a a security security security multiplier multiplier multiplier α, α, α, for for for some some some integer integer integer 𝛼𝛼 𝛼𝛼 𝛼𝛼 > > > 0, 0, 0, if the the the order order order of of of p p in 𝐹𝐹 𝐹𝐹 𝐹𝐹 𝑘𝑘 ̸ 𝑔𝑔(𝑃𝑃) 𝑝𝑝 power, and 𝐸𝐸/𝐹𝐹 an elliptic curve with m points rme q where 𝑞𝑞 | 𝑚𝑚 We say that the 𝑞𝑞 𝑞𝑞 𝑞𝑞 of primer order q where 𝑞𝑞 | 𝑚𝑚 We say that the The security multiplier )be security prime order satisfies 𝜁𝜁 in=𝐸𝐸(𝐹𝐹 with if 𝑝𝑝and if nin isE(F divisible then 𝜁𝜁isis called m only points ) Let by P of inK,𝐸𝐸(𝐹𝐹 E/F athe point ofa primer q of ̸𝑚𝑚 order where 𝑞𝑞2 |multiplier We say thatthe thelargest p𝑝𝑝 order q𝑔𝑔(𝑃𝑃+𝑆𝑆) 𝑝𝑝 ) Let P in 𝐸𝐸/𝐹𝐹𝑝𝑝 be pa point of primer While l≥1 𝑔𝑔(𝑃𝑃+𝑆𝑆) 3.multiplier While 𝑙𝑙 ≥ ̸ Hence, dprimer not depend on𝑞𝑞P the pairing is 𝑒𝑒∗𝑛𝑛 (𝑆𝑆, 𝑇𝑇)has = a security ∗Weil 2We order q where | 𝑚𝑚 We say that the say that the subgroup 〈P〉 where ̸ teger 𝛼𝛼 > 0, if the order of p in 𝐹𝐹 𝑔𝑔(𝑃𝑃) 𝑔𝑔(𝑃𝑃) is is is α α α In In In other other other words: words: words: α, for some integer 𝛼𝛼 > 0, if the order of p in 𝐹𝐹 nt of primer order q where 𝑞𝑞 | 𝑚𝑚 We say that the ∗ f degree [1] 𝑞𝑞multiplier α, for 𝑞𝑞some integer 𝛼𝛼 > 0, if the order of p in 𝐹𝐹 - Write equations for the lines n and n with the multiplication ⟨𝑃𝑃⟩ hasin subgroup a security subgroup 𝐸𝐸(𝐹𝐹 ).α>0, The nsecurity of𝑝𝑝𝐸𝐸(𝐹𝐹 theorder security of the largest prime 𝑞𝑞 of T 𝑝𝑝 )ifisthe - words: Write equations for order the lines n1 and n2 with the multiplication α,𝛼𝛼pmultiplier for some integer of p inmultiplier Fq* with is α.mInpoints other ∗ ∗elliptic curve for α, some integer > if 0, the order of p of in 𝐹𝐹𝑞𝑞𝑝𝑝in efinition 3some [2]: Let be 0, a prime power, and 𝐸𝐸/𝐹𝐹 an of T1 lier for integer 𝛼𝛼 > if the order p 𝐹𝐹 𝑞𝑞 other words: 𝛼𝛼𝛼𝛼𝛼𝛼 𝑘𝑘 𝑘𝑘 𝑘𝑘 2: Let there is beα.anInelliptic curve E over K and n be an integer not divisible ̸ ̸ ̸ Calculate 𝑇𝑇 = 2𝑇𝑇 , 𝑓𝑓 = 𝑓𝑓 ((𝑛𝑛 (𝑄𝑄′)𝑛𝑛 (𝑆𝑆))/(𝑛𝑛 (𝑄𝑄′)𝑛𝑛 (𝑆𝑆)) 𝑞𝑞|𝑝𝑝 𝑞𝑞|𝑝𝑝 𝑞𝑞|𝑝𝑝 − − − 1 and and and 𝑞𝑞| 𝑞𝑞| 𝑞𝑞| 𝑝𝑝 𝑝𝑝 𝑝𝑝 − − − 1 for for for all all all 𝑘𝑘 𝑘𝑘 𝑘𝑘 = = = 1,2, 1,2, 1,2, , , 𝛼𝛼 , 𝛼𝛼 𝛼𝛼 − − − 1 1 1 2 1 ubgroup in 𝐸𝐸(𝐹𝐹 ).Theorem =2T1n,f1be =f1 ((n1(Q')n2(S))/(n2(Q')n1(S)) Calculate 𝐹𝐹 a point of1primer q where |̸𝑚𝑚.an We say that the defined over a [2, 7, order 17, 24]: Let E𝑞𝑞2be elliptic curve field 𝐹𝐹𝑝𝑝T 1Let 𝑝𝑝 ) Let P in 𝐸𝐸/𝐹𝐹𝑝𝑝𝑝𝑝be =1 1,2,of .K ,such 𝛼𝛼 −that 𝛼𝛼𝐸𝐸[𝑛𝑛] istic 𝐸𝐸[𝐾𝐾] theall Weil pairing the mappingmultiplier 𝑞𝑞|𝑝𝑝 −multiplier 1⊆ and 𝑞𝑞|̸𝑝𝑝α,𝑘𝑘Then, − 1some for 𝑘𝑘of=E(F 1,2, is , the 𝛼𝛼if − thenlth bit of n is 1, then ) .is0, security ofthe thelth bit of n is security multiplier - If1,the oup ⟨𝑃𝑃⟩ has a security The for integer 𝛼𝛼 p> the order of p in 𝐹𝐹𝑞𝑞∗- If The The Thesecurity security security multiplier multiplier multiplier of ofof1) 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )𝑝𝑝))isisisthe the thesecurity security securitymultiplier multiplier multiplier ofof the the the largest largest prime prime primeorder order order 𝑝𝑝𝑝𝑝The integer so that 𝑛𝑛|(𝑞𝑞 − of 𝐸𝐸(𝐹𝐹𝑝𝑝over )of of nalargest are denoted by 𝐸𝐸(𝐹𝐹n𝑝𝑝1 )[𝑛𝑛] 1,2, , [2] 𝛼𝛼 − largest order subgroup in E(F ) elements 1an [2, 7, prime 17, 24]: Let be an elliptic curve defined field 𝐹𝐹𝑝𝑝 Let nequations be ]𝑘𝑘the → 𝜇𝜇.1,2, write the n1 and nof2 with write equations for the lines andfor n2in withlines the addition pointsthe of addition T1 and P.of =.Theorem of ,1 𝛼𝛼the − n other 𝑛𝑛 words: multiplier largest prime order p security multiplier of the largest prime order The security multiplier ofE𝐸𝐸(𝐹𝐹 security multiplier of the largest prime order 𝑝𝑝 ) is the subgroup subgroup subgroup in in in 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 ) ) ) 𝑛𝑛 points of T and P 𝑝𝑝𝑝𝑝𝑝𝑝and 𝑘𝑘dividing Calculate 𝑇𝑇1 = 𝑇𝑇1 + 𝑃𝑃,an = 1𝑓𝑓1 ((𝑛𝑛1 (𝑄𝑄′)𝑛𝑛 he security multiplier of𝐸𝐸(𝐹𝐹 the prime order 𝜇𝜇1 = 𝐹𝐹𝑝𝑝𝑛𝑛[∞] |𝑥𝑥 ) = 1} Assume 𝐸𝐸(𝐹𝐹aby of (𝑆𝑆))/(𝑛𝑛2 (𝑄𝑄′)𝑛𝑛1 (𝑆𝑆)) Theorem [2, 7, 24]: E𝑛𝑛[𝑇𝑇] be∈an elliptic curve defined over element |𝑝𝑝 − and 𝑞𝑞|̸𝑝𝑝that − for allorder, 𝑘𝑘largest = 1,2, 17, ,let 𝛼𝛼 − subgroup in ) 𝑝𝑝 ) contains -𝑛𝑛 Let Decrease l 𝐸𝐸[𝑛𝑛], there exists a 1function fthe such that 𝑑𝑑𝑑𝑑𝑑𝑑(𝑓𝑓) = {𝑥𝑥 − Then 𝑝𝑝 n) 𝛼𝛼isinteger so 𝑛𝑛|(𝑞𝑞 − 1) The elements of 𝐸𝐸(𝐹𝐹 n are denoted 𝐸𝐸(𝐹𝐹𝑝𝑝Calculate )[𝑛𝑛] 𝑓𝑓in the security multiplier of largest prime order 𝑝𝑝 𝑝𝑝 of T1=T1+P,f1=f12((n1(Q')n2(S))/(n2(Q')n1(S)) Let n be an integer so that n|(q-1) The elements of E(F ) of field F security multiplier of p p aaafield 𝐸𝐸(𝐹𝐹 is the security multiplier ofan the largest prime order over 𝑝𝑝 ) g Theorem Theorem Theorem 11such 117, [2, [2, [2, 7, 7, 7,17, 17, 17, 24]: 24]: 24]: Let Let EEE∑be be an elliptic elliptic elliptic curve curve defined defined over 𝐹𝐹𝑝𝑝.𝑝𝑝.be Let Let Let nbe be be fbe 𝑛𝑛he with 𝑛𝑛𝑛𝑛′ curve = 𝑇𝑇, there exists that 𝑑𝑑𝑑𝑑𝑑𝑑(𝑔𝑔) = ([𝑇𝑇′ +curve 𝑅𝑅] − defined 1an order n there exists aLet non-degenerate bilinear 𝑛𝑛 Theorem 1Then, [2, 24]: Let EReturn an curve overmapping: a over field 𝐹𝐹𝑝𝑝field field Let𝐹𝐹𝐹𝐹𝑝𝑝n 𝑅𝑅∈𝐸𝐸[𝑛𝑛] ve over aare field 𝐹𝐹 7, Let n be - nnDecrease an] defined elliptic defined a field be Let be 𝑝𝑝 ividing order, let 𝜇𝜇over = {𝑥𝑥 ∈ 𝐹𝐹𝐹𝐹 |𝑥𝑥 =nelliptic 1} Assume 𝐸𝐸(𝐹𝐹 an element of l nand denoted E(F )[n] dividing order, anddefined let μn={x∈F |xn=1} 𝑛𝑛 by 𝑝𝑝𝑝𝑝in 𝑝𝑝 ) contains p p oup in 𝐸𝐸(𝐹𝐹𝑝𝑝 ) Return n) elliptic curve defined over a𝑝𝑝that 𝐹𝐹 Let nelements be an integer that 𝑛𝑛|(𝑞𝑞 −𝑛𝑛|(𝑞𝑞 1) The 𝐸𝐸(𝐹𝐹of ) 𝐸𝐸(𝐹𝐹 of n𝑝𝑝𝑝𝑝)𝑝𝑝)are by × 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] 𝑝𝑝by Assume E(F )field contains element of an order n Then, exists a by an aninteger integer integer so so so that that 𝑛𝑛|(𝑞𝑞 − −−an 1) 1) 1) The The The elements elements elements ofof 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )curve of ofofdenoted nthere nnare are are denoted denoted by 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] )[𝑛𝑛]in inin f1 curve E over the field ofann of are denoted byare 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] in 𝑝𝑝 𝑝𝑝by ments 𝐸𝐸(𝐹𝐹 )an of nso denoted 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] in 𝑝𝑝supersingular 𝑝𝑝)[𝑛𝑛] × input is elliptic Edenoted chosen as a𝑛𝑛𝑝𝑝in 𝑝𝑝 p E be elliptic curve defined over a𝑛𝑛|(𝑞𝑞 field n be 𝑝𝑝 ⟨ 𝐹𝐹,The ⟩𝑛𝑛Let :𝑝𝑝𝐸𝐸(𝐹𝐹 )[𝑛𝑛] × 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) → 𝐹𝐹 /(𝐹𝐹 ) heorem 1Then, [2, 7, 17, 24]: Let E beaan elliptic curve defined over a field 𝐹𝐹 Let n be 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 rder n there exists non-degenerate bilinear mapping: 𝑝𝑝 bilinear mapping: nts 𝐸𝐸(𝐹𝐹)Assume )contains of non-degenerate n are denoted {𝐹𝐹letan dividing order, and letby 𝜇𝜇𝑛𝑛𝐸𝐸(𝐹𝐹 = {𝑥𝑥)[𝑛𝑛] |𝑥𝑥 𝑛𝑛 =of 1} 𝐸𝐸(𝐹𝐹𝑝𝑝 ) contains an element of 𝑛𝑛 of 𝑛𝑛𝑛𝑛𝑛𝑛Assume 𝑝𝑝in The is an elliptic curve chosen Eas a supersingular curve ume 𝐸𝐸(𝐹𝐹 an of 𝑥𝑥 =so 1} 𝐸𝐸(𝐹𝐹 )element contains element 𝑝𝑝of𝑝𝑝 𝐸𝐸(𝐹𝐹 > 3{𝑥𝑥 curve EAssume over the 𝐹𝐹𝑝𝑝 isan said to input be if theE curve dividing order, order, and and and let let 𝜇𝜇,𝑛𝑛𝐸𝐸(𝐹𝐹 𝜇𝜇𝑝𝑝 𝜇𝜇𝑛𝑛:𝑛𝑛𝑛𝑛∈ = ==𝐹𝐹)[𝑛𝑛] {𝑥𝑥 {𝑥𝑥 ∈(the ∈ 𝐹𝐹are 𝐹𝐹𝑝𝑝𝐹𝐹𝑝𝑝|𝑥𝑥 |𝑥𝑥 ===1} 1} 1} Assume Assume 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )𝑝𝑝)𝜇𝜇)contains contains contains an an element element element of ofof supersingular 𝑝𝑝order, elements )dividing of are denoted by in 𝑝𝑝 𝜏𝜏𝑝𝑝𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 × 𝐸𝐸(𝐹𝐹 )𝐸𝐸(𝐹𝐹 →𝑝𝑝𝑝𝑝field 𝑝𝑝|𝑥𝑥 eger that 𝑛𝑛|(𝑞𝑞𝑝𝑝dividing − 1).nThe elements of n∈ denoted by 𝐸𝐸(𝐹𝐹𝑝𝑝𝑝𝑝)[𝑛𝑛] in 𝑝𝑝𝑝𝑝) of 𝑝𝑝 )[𝑛𝑛] 𝑝𝑝 )/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛 E over the field F , p>3 (the curve E over the field Fp is said to be × × 𝑛𝑛 order n Then, there exists a non-degenerate bilinear mapping: = 1} Assume 𝐸𝐸(𝐹𝐹 ) contains an element of 𝑝𝑝 ⟨{𝑥𝑥 𝑛𝑛 mapping: 𝑛𝑛 bilinear ∈⟩)𝐹𝐹𝑛𝑛contains : 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] 𝐸𝐸(𝐹𝐹 )The → /(𝐹𝐹𝑝𝑝of) 𝐸𝐸(𝐹𝐹𝑝𝑝 )[𝑛𝑛] has an influencep on the computation nerate ng order, andAssume letmapping: 𝜇𝜇 =𝑝𝑝exists 1} 𝐸𝐸(𝐹𝐹 ) contains an 𝐹𝐹 element 𝑝𝑝 𝑝𝑝bilinear 𝑝𝑝 𝑛𝑛 =𝐸𝐸(𝐹𝐹 𝑝𝑝 |𝑥𝑥 𝑝𝑝 satisfies𝐸𝐸[𝑃𝑃] = [∞]) subgroup in The subgroup E(F )[n] 𝐹𝐹𝑝𝑝 |𝑥𝑥 = 1} anAssume element of)/𝑛𝑛𝑛𝑛(𝐹𝐹 order order order n.n n.,Then, Then, there there there exists exists a× aanon-degenerate non-degenerate non-degenerate bilinear bilinear mapping: mapping: mapping: 𝑝𝑝Then, supersingular if the curve E satisfies E[P]=[∞]); { p × ×pairing 𝑛𝑛 ateThen, bilinear first pairing is called Tate-Lichtenbaum The second one, 𝜏𝜏 , is called ⟨ ⟩ n aThe non-degenerate bilinear mapping: , : 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] × 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) → 𝐹𝐹 /(𝐹𝐹 ) × theremapping: ×exists 𝑛𝑛 𝑛𝑛 𝜏𝜏 : 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] × 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) → 𝜇𝜇 𝑛𝑛 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 × × 𝑛𝑛 𝑝𝑝 so the𝑛𝑛number of iterations is )𝐸𝐸(𝐹𝐹 → 𝑝𝑝𝐹𝐹)/𝑛𝑛𝑛𝑛(𝐹𝐹 has[𝑙𝑙𝑙𝑙𝑙𝑙 an 2influence in itMiller’s algorithm, so the → 𝐹𝐹𝑝𝑝 𝑛𝑛/(𝐹𝐹𝑝𝑝{ )𝑝𝑝 𝑝𝑝 /(𝐹𝐹 𝑝𝑝 ) egenerate bilinear Miller's𝑝𝑝algorithm, ( 𝑛𝑛)] [2, on 7].the Forcomputation Tate pairing, is 𝑝𝑝 ) mapping: × × × × × × 𝑛𝑛 𝑛𝑛 𝑛𝑛 𝜏𝜏 : 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] × 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) → 𝜇𝜇 ⟨.𝑝𝑝⟨.,,.,.⟩.⟩𝑛𝑛⟩𝑛𝑛𝑛𝑛::𝐸𝐸(𝐹𝐹 :𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] ×××𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ))→ →→𝐹𝐹𝐹𝐹𝑝𝑝𝐹𝐹𝑝𝑝𝑝𝑝/(𝐹𝐹 /(𝐹𝐹 /(𝐹𝐹 × 𝑝𝑝𝑛𝑛 )/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝𝐹𝐹 × /(𝐹𝐹 𝑛𝑛 𝑝𝑝𝑝𝑝) × 𝑛𝑛 × 𝑛𝑛𝐸𝐸(𝐹𝐹𝑝𝑝⟨ 𝑝𝑝)[𝑛𝑛] 𝑝𝑝)[𝑛𝑛] 𝑝𝑝𝑝𝑝𝑝𝑝))) ⟨ , ⟩𝐹𝐹 : 𝐸𝐸(𝐹𝐹 → 𝜇𝜇)/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝 )[𝑛𝑛] 𝑝𝑝 ) 𝑝𝑝 𝑝𝑝 𝑝𝑝 ) 𝑝𝑝𝑝𝑝𝑝𝑝 (𝐹𝐹 ) 𝐹𝐹 𝜇𝜇𝑛𝑛𝑝𝑝× 𝑛𝑛)/𝑛𝑛𝑛𝑛(𝐹𝐹 numberinof of𝐸𝐸(𝐹𝐹 iterations is [log (n)] [2, 7] For Tate pairing, it is necessary modified Tate-Lichtenbaum pairing [2, 7,𝑝𝑝to17, element )/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝) 𝑝𝑝 𝑝𝑝𝑝𝑝 𝑝𝑝 𝑛𝑛/(𝐹𝐹 {{{)/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝 ) 2sure { →the × × 𝐸𝐸(𝐹𝐹 × 𝑛𝑛 )/𝑛𝑛𝑛𝑛(𝐹𝐹 necessary to pay attention the24] fieldEach characteristic 2,3𝑝𝑝and make the order of 𝜏𝜏𝑛𝑛 :𝑝𝑝𝐸𝐸(𝐹𝐹 )[𝑛𝑛] ) 𝑝𝑝 → 𝜇𝜇𝑛𝑛 ] × 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) → 𝐹𝐹 /(𝐹𝐹 ) 𝜏𝜏 𝜏𝜏 𝜏𝜏 : : 𝐸𝐸(𝐹𝐹 : 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )[𝑛𝑛] )[𝑛𝑛] )[𝑛𝑛] × × × 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) ) ) → → → 𝜇𝜇 𝜇𝜇 𝜇𝜇 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 The first pairing is called Tate-Lichtenbaum pairing The second 𝑛𝑛 𝑛𝑛 𝑛𝑛 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑛𝑛 𝑛𝑛 𝑛𝑛 The𝑝𝑝 )first is called Tate-Lichtenbaum The second 𝜏𝜏 , is called )/𝑛𝑛𝑛𝑛(𝐹𝐹 → 𝜇𝜇𝑛𝑛pairing to pay attention to the field characteristic of 2,3 and make sure the 𝑛𝑛 The first pairing is called Tate-Lichtenbaum pairing pairing The second one, 𝜏𝜏one, , is called 𝑛𝑛 ring The second 𝜏𝜏 , is called 𝐸𝐸(𝐹𝐹𝑝𝑝 )/𝑛𝑛𝑛𝑛(𝐹𝐹 𝜇𝜇one, ⟨𝑃𝑃, has form𝑄𝑄 +the 𝑛𝑛𝑛𝑛(𝐹𝐹 it 𝑝𝑝is as 𝑄𝑄⟩ and 𝜏𝜏𝑛𝑛number (𝑃𝑃,the𝑄𝑄)group of 𝑛𝑛second chtenbaum pairing The one, 𝜏𝜏pairing , isso called the group 𝐸𝐸(𝐹𝐹 )second isusually appropriate, choose the𝑛𝑛 prime ninstead as E(F the largest prime divisor 𝑝𝑝 )is→ 𝑛𝑛the 𝑝𝑝𝑛𝑛), one, τ , is called modified Tate-Lichtenbaum [2, 7, 17, he first pairing called Tate-Lichtenbaum The one, written 𝜏𝜏𝑛𝑛pairing , is so called order of ) is appropriate, so choose the prime number n n the modified Tate-Lichtenbaum pairing 7,17, 17, 24] Each element in 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 p 𝑝𝑝 ) he modified Tate-Lichtenbaum [2,[2,7,element 24] Each element in𝑝𝑝one, 𝐸𝐸(𝐹𝐹 enbaum pairing The second one, 𝜏𝜏𝑝𝑝𝑛𝑛is ,pairing is called The The first first first pairing pairing pairing is17, called called called Tate-Lichtenbaum Tate-Lichtenbaum Tate-Lichtenbaum pairing pairing pairing The The The second second second one, one, 𝜏𝜏𝜏𝜏as 𝜏𝜏𝑝𝑝𝑛𝑛,𝑛𝑛,)/𝑛𝑛𝑛𝑛(𝐹𝐹 ,is isiscalled called called 𝑝𝑝 ) prime divisor 4] Each element inThe 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )is 𝑛𝑛 𝑝𝑝element g [2, 7, 17, 24] Each element 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) the𝐸𝐸(𝐹𝐹 odified Tate-Lichtenbaum pairing [2,in 7, 24] Each) 𝑝𝑝 in 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) so it 𝑝𝑝−1 the largest of the group order E(Fp) In Miller’s 24] Each in E(F )/nE(F has form Q+nE(F is 𝑝𝑝In 𝑝𝑝), 𝑝𝑝 of the group order ) Miller’s algorithm, integer n is calculated by Schoof’s × 𝑝𝑝 -Lichtenbaum The one, ,ispis called p written ⟨𝑃𝑃,form𝑄𝑄 𝑄𝑄element + 𝑛𝑛𝑛𝑛(𝐹𝐹 (𝑃𝑃, 𝑄𝑄 + 𝑛𝑛𝑛𝑛(𝐹𝐹𝑝𝑝 )) Since 𝐹𝐹𝑝𝑝 𝜏𝜏pis𝑛𝑛 (𝑃𝑃, a cyclic group has pairing the +second 𝑛𝑛𝑛𝑛(𝐹𝐹 so 𝜏𝜏it𝑛𝑛𝑛𝑛 usually as ⟨𝑃𝑃, 𝑄𝑄⟩𝑛𝑛 and 𝑄𝑄) instead of of order n, the 𝑝𝑝 ), and𝜏𝜏 𝑝𝑝 )⟩ [2, 7, 17, 24] Each in 𝐸𝐸(𝐹𝐹 𝑛𝑛 𝑝𝑝 )/𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝 ) 𝑛𝑛 ⟨𝑃𝑃, algorithm, integer n is calculated by Schoof’s algorithm and using the e form𝑄𝑄 + 𝑛𝑛𝑛𝑛(𝐹𝐹 ), so it is usually written as 𝑄𝑄⟩ and 𝜏𝜏 (𝑃𝑃, 𝑄𝑄) instead of ⟨𝑃𝑃, as 𝑄𝑄⟩ and 𝜏𝜏 (𝑃𝑃, 𝑄𝑄) instead of the the the modified modified modified Tate-Lichtenbaum Tate-Lichtenbaum Tate-Lichtenbaum pairing pairing pairing [2, [2, [2, 7, 7, 7, 17, 17, 17, 24] 24] 24] Each Each Each element element element in in in 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 )/𝑛𝑛𝑛𝑛(𝐹𝐹 ) ) ) usually written as 〈P,Q〉 and τ (P,Q) instead of 〈P,Q+nE(F )〉 and 𝑝𝑝 𝑛𝑛 𝑛𝑛 ⟨ ⟩ ⟨𝑃𝑃, 𝑛𝑛 𝑛𝑛 as the form𝑄𝑄 + 𝑛𝑛𝑛𝑛(𝐹𝐹 ), so𝜏𝜏𝑛𝑛in it algorithm is𝑄𝑄)usually written as point 𝑃𝑃, 𝑄𝑄multiplication instead𝑝𝑝𝑝𝑝kP ually written 𝑄𝑄⟩𝑛𝑛element (𝑃𝑃, instead of 𝑝𝑝𝑝𝑝𝑝𝑝 𝑝𝑝 of[1, 4, 16, 25-27] n )/𝑛𝑛𝑛𝑛(𝐹𝐹 nand 𝑝𝑝and 𝑛𝑛 andp 𝜏𝜏n𝑛𝑛 (𝑃𝑃, 𝑄𝑄) using× the algorithm 𝑝𝑝−1 iring [2, 7, 17, as 24] Each 𝐸𝐸(𝐹𝐹 𝑝𝑝×𝑛𝑛𝑛𝑛(𝐹𝐹 𝑝𝑝 )Since 𝑝𝑝−1of×order×n, 𝑛𝑛 ⟨𝑃𝑃, 𝑄𝑄⟨𝑃𝑃, + 𝑛𝑛𝑛𝑛(𝐹𝐹 )⟩ and𝜏𝜏 (𝑃𝑃, 𝑄𝑄 + )) 𝐹𝐹 is a cyclic group the point multiplication algorithm kP [1, 4, 16, 25-27] × 𝑝𝑝 𝑛𝑛 𝑝𝑝 𝑝𝑝 ly𝑛𝑛𝑛𝑛(𝐹𝐹 written as 𝑄𝑄⟩ and 𝜏𝜏 (𝑃𝑃, 𝑄𝑄) instead of 𝑝𝑝−1 + )⟩ and𝜏𝜏 (𝑃𝑃, 𝑄𝑄 + 𝑛𝑛𝑛𝑛(𝐹𝐹 )) Since 𝐹𝐹 is a cyclic group of order n, the τ (P,Q+nE(F )) Since F is a cyclic group of order n, the powers 𝑛𝑛 𝑛𝑛 p𝑝𝑝 𝑄𝑄⟩𝑛𝑛 andp 𝑝𝑝 𝑛𝑛⟨𝑃𝑃, 𝑛𝑛 powers of 𝜏𝜏so (𝑃𝑃,itis𝑄𝑄) give an isomorphism𝐹𝐹 /(𝐹𝐹 )𝑄𝑄) →instead 𝜇𝜇𝑛𝑛 Hence 𝑝𝑝 𝑛𝑛 n 𝑝𝑝−1 𝑛𝑛 𝑝𝑝 𝑝𝑝 𝑛𝑛 group s a cyclic ofcyclic order n, the ⟨𝑃𝑃, ⟨𝑃𝑃,𝑄𝑄⟩ 𝑝𝑝−1 has has the the the form𝑄𝑄 form𝑄𝑄 form𝑄𝑄 + ++𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛𝑛𝑛(𝐹𝐹 so so isisofusually usually usually written written written as asas⟨𝑃𝑃, 𝑄𝑄⟩ 𝑄𝑄⟩𝑛𝑛𝑛𝑛𝑛𝑛and and 𝜏𝜏𝜏𝜏𝑛𝑛𝜏𝜏𝑛𝑛𝑛𝑛(𝑃𝑃, (𝑃𝑃, (𝑃𝑃, 𝑄𝑄) 𝑄𝑄) instead instead of of of Since 𝐹𝐹𝑝𝑝× ishas a group of n,ititthe 𝑝𝑝𝑝𝑝), 𝑝𝑝),), 𝑛𝑛and 𝑝𝑝 usually ⟨𝑃𝑃, written as 𝑄𝑄⟩ and 𝜏𝜏𝑄𝑄 𝑄𝑄) instead ×a cyclic × 𝑛𝑛and 𝑛𝑛 (𝑃𝑃, × isomorphism ×𝑛𝑛to 𝑛𝑛 Algorithm 𝑃𝑃,)) 𝑄𝑄⟨𝑃𝑃, +𝑄𝑄⟩ 𝑛𝑛𝑛𝑛(𝐹𝐹 )⟩ and𝜏𝜏 +𝑛𝑛order 𝑛𝑛𝑛𝑛(𝐹𝐹 )) Since 𝐹𝐹𝜇𝜇×𝑛𝑛 isHence group ofthe order the According 1,𝑛𝑛calculating Taten,According pairing⟨𝑃𝑃, 𝑄𝑄⟩𝑛𝑛 , (with1,𝑃𝑃calculating ∈ 𝐸𝐸(𝐹𝐹𝑝𝑝 ),the 𝑄𝑄 ∈ ⟨𝑃𝑃, of〈P,Q〉 𝑄𝑄⟩ and 𝜏𝜏(P,Q) 𝑄𝑄) give an isomorphism𝐹𝐹 give an Hence × and 𝜏𝜏of (𝑃𝑃, 𝑄𝑄) give anτorder isomorphism𝐹𝐹 /(𝐹𝐹 𝑝𝑝cyclic 𝑛𝑛𝑛𝑛(𝑃𝑃, 𝑝𝑝𝑝𝑝−1 𝑛𝑛 (𝑃𝑃,n, 𝑝𝑝 /(𝐹𝐹𝑝𝑝 ) → 𝜇𝜇𝑛𝑛 Hence Tate pairing 〈P,Q〉n, (with 𝑛𝑛powers 𝑛𝑛 𝑛𝑛 𝑝𝑝 𝑝𝑝 ) → 𝑝𝑝 ).s of Since 𝐹𝐹 is a group of the n n 𝑛𝑛 to Algorithm × ×𝑝𝑝 𝑛𝑛 𝑝𝑝−1 𝑝𝑝−1 𝑝𝑝−1 × × 𝑛𝑛 𝑝𝑝−1 𝑛𝑛 𝑝𝑝−1 m𝐹𝐹 Hence × × × 𝑝𝑝 /(𝐹𝐹𝑝𝑝 ) →×𝜇𝜇 𝑛𝑛 n isomorphism𝐹𝐹 /(𝐹𝐹 ) → 𝜇𝜇 Hence 𝑝𝑝 𝑝𝑝𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛 ⟨𝑃𝑃, ⟨𝑃𝑃, 𝑄𝑄+ + + 𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛𝑛𝑛(𝐹𝐹 )⟩ )⟩ )⟩ and𝜏𝜏 and𝜏𝜏 and𝜏𝜏 (𝑃𝑃, (𝑃𝑃, (𝑃𝑃, 𝑄𝑄 𝑄𝑄 𝑄𝑄 + + + 𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛𝑛𝑛(𝐹𝐹 𝑛𝑛𝑛𝑛(𝐹𝐹 )) )) )) Since Since Since 𝐹𝐹 𝐹𝐹 𝐹𝐹 is is is a a a cyclic cyclic cyclic group group group of of of order order order n, n, n, the the the l 𝑛𝑛(𝐹𝐹𝑝𝑝 )) Since 𝐹𝐹× is a×𝑄𝑄𝑄𝑄 cyclic group of order n, the ), Q∈E(F )) on security applications, the line coefficients ni P∈E(F 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑛𝑛 𝑛𝑛 𝑛𝑛 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝 𝑝𝑝−1 𝑝𝑝 ⟨𝑃𝑃, 𝑛𝑛 the line coefficients n𝑛𝑛i belongs to 𝑙𝑙 )) on𝑛𝑛security applications, p 𝑛𝑛𝑛𝑛 p 𝑛𝑛𝑛𝑛⟨𝑃𝑃,𝐸𝐸(𝐹𝐹 𝜏𝜏)𝑛𝑛𝑛𝑛(𝑃𝑃, =𝑛𝑛𝑄𝑄) 𝑄𝑄⟩𝑛𝑛𝑝𝑝an (1)the subfield of 𝐹𝐹𝑝𝑝 , somorphism𝐹𝐹 /(𝐹𝐹 →𝜏𝜏⟨𝑃𝑃, 𝜇𝜇 𝑄𝑄⟩ Hence ⟨𝑃𝑃, ⟩ 𝑝𝑝 and owers of⟨𝑃𝑃, 𝑄𝑄 (𝑃𝑃, give isomorphism𝐹𝐹𝑝𝑝× /(𝐹𝐹𝑝𝑝× )𝑛𝑛(1) → 𝜇𝜇𝑛𝑛 (1)Hence (𝑃𝑃, 𝑄𝑄) = 𝑄𝑄⟩ 𝑛𝑛 𝑝𝑝 𝜏𝜏 𝑛𝑛 𝑛𝑛 𝑛𝑛 (𝑃𝑃, 𝑛𝑛𝑄𝑄) (1) belongs to the subfield of F , the finite field is used to calculate the 𝑛𝑛 𝑛𝑛×𝑄𝑄) = 𝑛𝑛 × 𝑛𝑛 p ××× ×××𝑛𝑛𝑛𝑛𝑛𝑛 ve an isomorphism𝐹𝐹 /(𝐹𝐹of →𝑄𝑄⟩ 𝜇𝜇𝑛𝑛𝑛𝑛𝑛𝑛𝑛𝑛Tate and Hence ⟨𝑃𝑃, ⟨𝑃𝑃, powers powers powers of)⟨𝑃𝑃, 𝑄𝑄⟩ 𝑄𝑄⟩ and and 𝜏𝜏𝜏𝜏pairing 𝜏𝜏𝑛𝑛𝑛𝑛(𝑃𝑃, (𝑃𝑃, (𝑃𝑃,𝑄𝑄) 𝑄𝑄) 𝑄𝑄)according give give give an an an isomorphism𝐹𝐹 isomorphism𝐹𝐹 isomorphism𝐹𝐹 /(𝐹𝐹 /(𝐹𝐹 )) → →→ 𝜇𝜇𝜇𝜇𝜇𝜇𝑛𝑛𝑛𝑛7, 𝑛𝑛 Hence Hence Hence 𝑝𝑝 Compute 𝑝𝑝of the finite field is[3, used to24]: calculate value of value f1 with af large length field At that time, the to 17, Miller’s [3, 𝑛𝑛 𝑝𝑝𝑝𝑝algorithm 𝑝𝑝/(𝐹𝐹 𝑝𝑝𝑝𝑝𝑝𝑝)the (1) ompute the Tate pairing according to(1) Miller's algorithm 7, of with a large length field At that time, the attacker who Compute Tatethe pairing Miller's algorithm [3, 7,algorithm 17, 24]: Tateaccording pairing according to Miller's [3, 7, 17, 24]: (1) to 17,Compute 24]:the𝑝𝑝−1 the attacker who wants to attack the Miller algorithm must solve the problem "The point wants to attack the Miller algorithm must solve the problem “The 𝑛𝑛 𝑝𝑝−1 𝑝𝑝−1 𝑝𝑝−1 ven an elliptic curve E over 𝐹𝐹 ; P, Q are points with prime order n and 𝑃𝑃, 𝑄𝑄 ∈ 𝑝𝑝 algorithm [3,= 7, ⟨17, ⟩𝑛𝑛 [3, 𝜏𝜏𝑛𝑛Miller's (𝑃𝑃, 𝑄𝑄) 𝑃𝑃, 𝑄𝑄24]: (1) ng to algorithm 7, 17, 24]: (1)Q are points with prime order n and 𝑃𝑃, 𝑄𝑄 ∈ 𝑛𝑛𝑛𝑛 𝑛𝑛 Given Given an elliptic curve E over 𝐹𝐹over ; P, point P to be found belongs to E(F ) when knowing the public point 𝑝𝑝 ⟨𝑃𝑃, ⟨𝑃𝑃, ⟨𝑃𝑃, 𝜏𝜏 𝜏𝜏 𝜏𝜏 (𝑃𝑃, (𝑃𝑃, (𝑃𝑃, 𝑄𝑄) 𝑄𝑄) 𝑄𝑄) = = = 𝑄𝑄⟩ 𝑄𝑄⟩ 𝑄𝑄⟩ (1) (1) (1) ; P, Q are points with prime order an elliptic curve E F to Draw the line n1 through and Q,24]: which intersects E patbelongs another called R1 with 𝑛𝑛𝑛𝑛𝑛𝑛[3,P7, Miller's algorithm P𝑛𝑛𝑛𝑛𝑛𝑛to be found to ) when knowing public point top 𝐸𝐸(𝐹𝐹𝑝𝑝𝑙𝑙 ), Given an17,elliptic curve E over 𝐹𝐹𝑝𝑝 ; P,point Q 𝐸𝐸(𝐹𝐹 are primethe order n and 𝑃𝑃, Q 𝑄𝑄 belongs ∈ 𝑝𝑝points nts with prime order n prime and 𝑃𝑃, 𝑄𝑄 ∈ nthe l), then finding the point P is more complicated” Q belongs to E(F P, Q are points with order and 𝑃𝑃, 𝑄𝑄 ∈ 𝐸𝐸(𝐹𝐹 ) Draw the line n through P and Q, which intersects E at another point called R n and P,Q∈E(F ) Draw line n through P and Q, which intersects 1 p rding to Miller's 24]: 𝑝𝑝 algorithm [3, 7, p 17, Tate pairing according to1 Miller's algorithm [3,[3, 7,7,7,17, 24]: ⟨𝑃𝑃,𝑄𝑄⟩𝑛𝑛 , QCompute are pointsthe with prime order n and 𝑄𝑄 according ∈ [2,23] 23] Formula Formula is often often used to calculate Weil Compute Compute the the the Tate Tate pairing pairing according according to totoMiller's Miller's Miller's algorithm algorithm algorithm [3, [3, 17, 17, 24]: 24]: then the P which isline more complicated" [2, 𝑒𝑒𝑛𝑛 (𝑃𝑃, 𝐸𝐸(𝐹𝐹 ) theTate line n𝑃𝑃, P point and Q, E17, at24]: another point called R𝑄𝑄) 1finding = ⟨𝑄𝑄,𝑃𝑃⟩ is E at𝑝𝑝Compute another point Rthrough Draw vertical n ,intersects which is 7,the rsects E at intersects another point Rcalled pairing Q, which EDraw at called another point called Rthe 𝑝𝑝−1 𝑛𝑛 are pointsE with prime point ordercalled n and R𝑃𝑃, 𝑄𝑄 ∈ 𝑝𝑝 ; P, Qintersects ,𝐹𝐹which at another 1 𝑛𝑛 Given an elliptic curve E over 𝐹𝐹𝑝𝑝to ;Eover P, Q𝐹𝐹𝐹𝐹𝑝𝑝𝐹𝐹𝑝𝑝are points withwith prime nnnnand and 𝑃𝑃, used calculate Weil pairing [3,prime 7] order In addition, the Given Given Given an an anelliptic elliptic elliptic curve curve curve EE over over ;𝑝𝑝;;P, P, P,Q QQare are arepoints points points with with prime prime order order order and and𝑃𝑃, 𝑃𝑃, 𝑃𝑃, 𝑄𝑄𝑄𝑄𝑄𝑄𝑄𝑄 ∈∈Weil ∈∈ pairing is also calculated and Q, which intersects E at another point called R1 𝑓𝑓𝑃𝑃 (𝑅𝑅)𝑓𝑓𝑄𝑄 (𝑃𝑃) theQ, formula 𝑒𝑒𝑛𝑛 (𝑃𝑃, 𝑄𝑄) =another butRRit (𝐹𝐹𝑝𝑝 ) Draw the𝐸𝐸(𝐹𝐹 line nDraw and Q,PPto which intersects E at point called 𝐸𝐸(𝐹𝐹 𝐸𝐸(𝐹𝐹 Draw the the theline line lineaccording nP n1n11through through through Pand and and Q, Q, which which whichintersects intersects intersects EEEanother atatat another another point point pointcalled called called R11.R 1.not favourable [1, 3, 7] So, through 1.is 𝑝𝑝𝑝𝑝) 𝑝𝑝).).Draw 𝑓𝑓𝑃𝑃 (𝑄𝑄+𝑅𝑅)𝑓𝑓𝑄𝑄 (∞) DECEMBER 2022 • VOLUME 64 NUMBER 4 the Weil pairing is considered as another way of calculating the Tate pairing when the conditions for the Weil pairing occur algorithm and using the point multiplication algorithm kP [1, 4, 16, 25-27] According to Algorithm 1, calculating the Tate pairing⟨𝑃𝑃, 𝑄𝑄⟩𝑛𝑛 , (with 𝑃𝑃 ∈ 𝐸𝐸(𝐹𝐹𝑝𝑝 ), 𝑄𝑄 ∈ 𝐸𝐸(𝐹𝐹𝑝𝑝𝑙𝑙 )) on security applications, the line coefficients ni belongs to the subfield of 𝐹𝐹𝑝𝑝 , the finite field is used to calculate the value of f1 with a large length field At that time, the attacker who wants to attack the Miller algorithm must solve the problem "The point MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE P to be found belongs to 𝐸𝐸(𝐹𝐹𝑝𝑝 ) when knowing the public point Q belongs to 𝐸𝐸(𝐹𝐹𝑝𝑝𝑙𝑙 ), then finding the point P is more complicated" [2, 23] Formula 𝑒𝑒𝑛𝑛 (𝑃𝑃, 𝑄𝑄) = ⟨𝑃𝑃,𝑄𝑄⟩𝑛𝑛 ⟨𝑄𝑄,𝑃𝑃⟩𝑛𝑛 is often used to calculate [3, 7].the InWeil addition, theisWeil pairing is also calculatedBTS-BLS pairingWeil [3, 7].pairing In addition, pairing also calculated according tuple in the key generation scheme for the BLS scheme but it it is is not notfavourable favourable [1, [1,3, 3,7] 7] So, but 𝑓𝑓𝑃𝑃 (𝑄𝑄+𝑅𝑅)𝑓𝑓𝑄𝑄 (∞) So, theis Weil pairingasisanother considered ascalculating another way calculating the the Algorithm 3: The BLS short digital signature [2, 6, 7] the Weil pairing considered way of theof Tate pairing when - Input: message M∈{0,1}*, private key SK=x Tate pairing when the conditions for the Weil pairing occur conditions for the Weil pairing occur - Parameter set: BTS-BLS ), Q∈E(F l), both Tate and Weil pairing calculations When 𝑃𝑃 ∈ When 𝐸𝐸(𝐹𝐹𝑝𝑝 ),P∈E(F 𝑄𝑄 ∈ 𝐸𝐸(𝐹𝐹 p 𝑝𝑝𝑙𝑙 ), bothp Tate and Weil pairing calculations are time - Processing steps: time consuming Therefore, thethe calculation time pairing for the takes required consuming.are Therefore, the calculation time for required Weil twice as + Weil pairingoftakes twice as much the calculation of the Tate the Using MaptoGrouph' algorithm [2], map message M to much as the calculation the Tate pairing In thisasstudy, the authors have replaced point PM=(xM,yM)∈〈P〉 belonging to E/Fpl pairing In this study, the authors replaced theelliptic non-degenerate non-degenerate bilinear pairing calculations onhave the supersingular curve with the bilinear pairing calculations on the supersingular elliptic curve with Weil pairing in the BLS short digital signature scheme Then, the performance of the + Calculate SM=xPM the Weil pairing in the BLS short digital signature scheme Then, the - Output: signature σ=xS ∈Fpl of the point SM=(xS ,yS ) M M M performance of the BLS short digital signature scheme is evaluated by In this algorithm, embedding the message M to be signed into comparison with the classic ECDSA scheme commonly used today a point PM=(xM,yM)∈E/Fpl and using the kP multiplier algorithm Building a BLS short digital signature scheme based on the to create a signature for the message M is necessary The message non-degenerate bilinear pairing of supersingular elliptic curves M, before embedding into a point PM∈E/Fpl will be hashed using a hash function [5] The mapping of this hash value to a component The BLS key generation scheme xM coordinate of point PM is accomplished using the MapToGrouph’ With the BLS short digital signature scheme, the curve E used algorithm [2, 6, 7] Thus, the process of creating a digital signature of is y2=x3+Ax+B mod p The input for key generation consists of a set the BLS short digital signature scheme is more complicated than that of parameters (A, B, p, q, l, P) denoted BTS-BLS (Table 1) [2] This of the key generation algorithm of the ECDSA scheme [16, 28, 29] parameter set is used by the author for all key generation, digital In the BLS short digital signature scheme, the signature generation signatures, and signature verification processes of the BLS short process requires the use of a cryptographic hash function and the technique of embedding the message into a point of the curve This digital signing scheme keeps the value of the digital signature generated by the BLS short digital signature scheme small Table Parameter sets used in the BLS short digital signature scheme according to to the the formula formula 𝑒𝑒𝑛𝑛 (𝑃𝑃, 𝑄𝑄) = 𝑓𝑓𝑃𝑃 (𝑅𝑅)𝑓𝑓𝑄𝑄 (𝑃𝑃) Parameters Functions A, B The coefficients of the supersingular elliptic curve equation p Modulo q Greatest prime divisor of #(E/Fpl) l Key length belongs to Fpl Point P∈E/F3l Base point with order q The BLS signature verification scheme In Algorithm 2, the generated key pair consists of the public key PK and the private key SK in which the public key is the parameter set PK=(l, q, P, R) and the private key SK=x, with x is a random number belonging to Zp* (with a large enough prime p) When generating the key for the BLS short digital signatures scheme, the BLS scheme only uses the kP point multiplication algorithm and choses a random number belonging to Zp* This shows that the key generation process for the BLS short digital signatures scheme is efficient and simple Algorithm 2: Generate keys for the short digital signature scheme BLS [2, 6] - Input: Let l, the curve (E/Fpl) and q is the greatest prime divisor of #(E/Fpl), the point P has order q - Processing steps: Chosen random number x∈Ζp* and alculate R←xP - Output: The public key PK=(l, q, P, R) and the private key SK=x The BLS short digital signature scheme According to Algorithm 3, the signing process of the BLS short digital signatures scheme also uses the input parameters of the supersingular elliptic curve E on the field Fpl; the parameters of the curve used for digital signature are the number of the corresponding In Algorithm 4, signature verification of the BLS scheme is done using the same set of input parameters of the curve as above Table To verify the digital signature, first one must check whether the obtained signature belongs to the curve Secondly, two values of Weil pairings will be computed, as the first one is being calculated from the base point and the digital signature, and the second one from the public key and the message M If these two values are equal or the inverse of the first value is equal to the second value, then the signature is valid Algorithm 4: The BLS signature verification [2, 6, 7] - Parameter set: BTS-BLS - Input: The public key PK=(l, q, P, R), the message M∈{0,1}*, and the signature σ - Output: The signature σ is valid or invalid - Processing steps: Step 1: Check the condition that the signature σ is the coordinates xS of the point SM=(xS ,yS )∈E/Fpl If such a point M M M does not exist, the signature is invalid Step 2: Calculate u←e[P,φ(S)];v←e[R,φ(h(M))], where e is a non-degenerate bilinear mapping (Weil pairing) on the curve E/Fp6l and φ:E→E is a Frobenius endomorphism Step (check condition u, v): If u=v or u-1=v, then the signature is valid, otherwise the signature is invalid The correctness of the BLS short digital signature verification algorithm (algorithm 4) is confirmed in step of the algorithm, whether the signature is valid or not Specifically, with (σ, y) and (σ, -y) being two points on E/Fpl, where σ is the x coordinate, one of the two DECEMBER 2022 • VOLUME 64 NUMBER MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE points can be point SM or can be used to generate digital signatures in the BLS short digital signatures scheme From (σ,y)=-(σ,-y) on the curve, then e(P,φ(-S))=e(P,φ(-S))-1 Therefore, the u=v condition is to check that (P, R, h(M), S) is a Diffie-Hellman tuple, while the u-1=v condition is to check that (P, R, h(M), -S) is a Diffie-Hellman set [6, 7] Begin Input: Parameters Initial Elliptic Curve: A, B, p, l, q, P Theoretical model to prove the security of the BLS short digital signature scheme x = random() intend for In Ref [2], a secure proof theory for the BLS short digital signatures scheme was propose The theoretical model that proves the security of BLS is based on the difficulty level of the Hidden Field Equation (HFE), co-CDH (Computational co-Diffie-Hellman), coDDH (Decision co-Diffie-Hellman), and GDH (Gap Diffie-Hellman groups) problems It is shown that when an isomorphism ψ:G2→G1 exists, the short digital signatures scheme BLS is vulnerable to the discrete log problem by MOV attacks [11, 12], and attacks by the Number Field Sieve algorithm [19-21] on the extended field Fpl For Co-GDH signatures from elliptic curves [2], the security level of the BLS short digital signatures scheme is equivalent to the difficulty of the co-CDH (Computational co-Diffie-Hellman) problem on (G1,G2) In other words, it is the computational requirements of a discrete log in G1 or the computation of a discrete log in According to [2], when the BLS scheme uses a special supersingular curve with p=3, the security level of the BLS scheme is equivalent to DSA using a 1024-bit prime (MOV attack [11-13] This is a weakness of the BLS short digital signatures scheme when the number p is small To use the BLS schema in this case, we would have to use a curve E(F3l) where 36l is much larger than 1024 bits In the case of a BLS schema using a non-supersingular curves over fields of high characteristic with the security multiplier α=6, [2] shows that with l=159-bit (Signature size [log2q] of the BLS scheme) is equivalent to “DLog Security [log2 p] of 158 bits” and “MOV Security [6log2q] of 954 bits” Signatures using this curve are 168 bits while the best algorithm for co-CDH on E(Fp) requires either (Formula (1) in [2]) a generic discrete log algorithm taking time approximately 283, or (Formula (2) in [2]) a discrete log in a 1008-bit finite field of large characteristic R = x.P Output Public Key PK: (l,q,P,R); Private Key SK: x End Fig Scheme of the BLS key generation are saved as “bls_private.key” and “bls_public.key,” respectively After executing the key pair generation, the program modulo will issue a notice about the key pair generation time Figure shows details the steps of implementing the DSA of BLS schema with a digital signature called “bls_signature.sig” First, when performing a digital signature according to the BLS scheme, the message to be signed, M, will be passed through a secure hashing algorithm that outputs a summary (hash value) [5] This summary is combined with the private key (the key generated by the BLS key generator modulo), which is then fed into the digital signature program modulo, which results in the digital signature bls_signature The digital signature program can sign data files of any content with text Finally, consider the BLS schema in the case of higher security multipliers (Definition 3) D Pointcheval, J Stern (2000) [30] proposed certain Abelian varieties However, to obtain security comparable to DSA using a 2048-bit prime with α=6, we get signatures size l=342 bits Then, with α=12, the signature is shorter but the security level is guaranteed (equivalent to 2048-bit discrete-log security) [31] The result is an n-bit signature where the pairing reduces the discrete log problem to a finite field of size approximately 27.5n Results and discussion Architectural design of BLS short digital signature scheme Figure details the implementation steps of the key generation algorithm of the BLS schema, the diagram shows that the key generation modulo is simply designed using only a random function and multiplication points (kP) on the elliptic curve The key generation modulo then will generate the private key and the public key, which x∈ Z *q Fig BLS digital signature scheme DECEMBER 2022 • VOLUME 64 NUMBER MATHEMATICS AND COMPUTER SCIENCE COMPUTER against the BLS and ECDSA scheme were executed on the| computer usingSCIENCE Intel(R) Core i5-4200U, CPU @ 1.60GHz, up to 2.30 GHz; RAM: 4.00 GB on the security analysis evaluation for and suchevaluation a BLS scheme, in this study file formats, image files, audio files, video files, etc WhenBased performing Based on theand security analysis for such a BLS digital signature, the program will create a digital signature file (bsl_ scheme, in this study the authors have selected the parameters for the authors have selected the parameters for the supersingular elliptic curve over finite signature.sig) and output the execution time of the digital signature the supersingular elliptic curve over finite field Fp such that both field Fp such that both a generic discrete algorithm in E(F p) and the Number Field process a generic discrete loglog algorithm in E(F ) and the Number Field p ∗ Sieve in are intractable, with p=7DDCA613A2E3DDB17 Sieve in 𝐹𝐹 are intractable, with 𝑙𝑙 𝑝𝑝 Figure details the implementation of the signature verification 49D0195BB9F14CF44626303, the security multiplier α=12, and algorithm steps of the BLS short digital signature scheme The p=7DDCA613A2E3DDB1749D0195BB9F14CF44626303 , the security multiplier α=12, program verifies the content of the signed data file and calculates the signature size l=159 The coefficients of the supersingular elliptic curve are159 A=-3, signature size 𝑙𝑙 = The B=21C3F3AC7864D1F99273D0F828D3657D8CFD4E coefficients of the supersingular elliptic curve are A=signature verification time of the BLS short digital and signature scheme =x +Ax+B) This parameter set was evaluated by the National (y The received message is passed through the hashing that 3, algorithm B=21C3F3AC7864D1F99273D0F828D3657D8CFD4E (y2=x3+Ax+B) This obtains the hash value The process of checking the digital signature Institute of Standards and Technology (NIST, US Department of parameter was evaluated bywhich the National ofbeing Standards Commerce), minimisedInstitute the risk of attackedand [2, Technology 6, 7, 28] of the BLS scheme is done by calculating and checking theset input parameters of the hash digest, digital signature, and(NIST, public key If the US Department Table of Commerce), which minimised of key being attacked [2, details the execution time ofthetherisk BLS generation, conditions are satisfied, then the signature is valid digital signature, and signature verification computations To check 6, 7, 28] the correctness of the program, the authors tested the program with scenarios, specifically: Begin Begin Begin Table Results of digital signature and signature verification according to the BLS scheme ,lP ),)R) Input: Public Key q, R ,,P ,P R Input: Public Key(l(,lq,(q Input: Public Key * * * Message: Message: MM∈ Message: {0,1 }{0,1 M ∈ {∈0,1 } } Sign: Sign: Sign: σσ σ σσ σ ((xx(,y )) ) x,y,y ==x= xx mm m SS /F ∈Ε S /F ∈Ε ∈Ε /F 3l 3l 3l M Mm m mm m m M uu==ue(e=P e,φ(,P ,φ (S)) (P φ(S)) (S)) v v==ve(R, eφ(R, φ (h(M))) e=(R, φ(h(M))) (h(M))) e e∈Ε /F e ∈Ε /F ∈Ε /F 363l 6l 36l φφ: E EE E E →→ :φE:→ u uvv= v = u= − − − ==vv= v u uu 1 1 Output: σσ=σ=True Output: Output: = True True Fig Input data Digital signature time (ms) Signature verification time (ms) 535 KB 31 98 1.56 MB 119 161 9.47 MB 577 646 9.79of MBthe contents 618 Modification 25.5 MB the signed data file 1643 671 of Fig Signature verification after the 1638 message was modified Scenario 1: The authors modified the contents of the input data of the BLS short digital program,digital kept the key andand Table details files the execution time of the BLSsignature key generation, signature, signature, then checked the authenticity of the data Fig details the signature verification computations To check the correctness of the program, the process of modifying the input data, where the results showed that the authors tested the program with scenarios, specifically: digital signature is invalid and the processing time was given (Fig 5) Output: σσ=σ=False Output: Output: = False False Table Results of digital signature and signature verification according to the BLS scheme End End End Fig The BLS signature verification Input data Digital signature time (ms) Signature verification time (ms) Results of the short digital signature program BLS In this study, the authors have built a program with main modules: key generation, digital signature and signature verification according to BLS scheme First, the key generation modulo generates a public key and a private key, then the digital signature modulo performs digital signature with the newly generated private key in the key generation modulo Finally, the signature verification modulo will perform the signature verification with the public key In addition, in order to facilitate the performance evaluation of the BLS short digital signature scheme, the authors also built a program following the ECDSA digital signature scheme including the key generation module, digital signature module, and signature verification module [16, 28, 29] Comparisons of key generation, digital signature, and signature verification program against the BLS and ECDSA scheme were executed on the computer using Intel(R) Core i5-4200U, CPU @ 1.60GHz, up to 2.30 GHz; RAM: 4.00 GB Fig Modification of the contents of the signed data file Fig Signature verification after the message was modified Scenario 2: The program generated an original signature (Fig 6) Then, the author modified the signature (Fig 7) but did not change the message and the public key The data verification process for the modified signature resulted in an invalid signature (Fig 8) Moreover, to evaluate the BLS short digital signature program performance, the DECEMBER 2022 • VOLUME 64 NUMBER MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE functions, i.e., digital signature and signature verification Second, the authors evaluated authors tested the digital signature and signature verification program according to the BLS short digital signature scheme with several data files of different lengths (Tables 2, 3) Fig Original unmodified signature the execution speed between the BLS short digital signature program and the ECDSA Execution speed of digital signature and signature verification digital signature program For each function of the program, the authors ran the test three BLS: Table details the execution execution times and took the average time time results of the digital signature modulo and BLS signature validation Fig shows the corresponding Execution speed of digital signature and signature verification BLS: Table details graphthecomparing the running time between digital signature and execution time results of the digital signature modulo and BLS signature validation signature verification Experimental results of the BLS scheme show Figure shows the corresponding graph comparing the running time between digital that the signing time is faster than the validation time Theoretically, signature and signature verification Experimental results of the BLS scheme show that the digital signature of the BLS scheme uses one-point multiplication, the signing time is faster than the validation time Theoretically, the digital signature of while the theBLS validation twomultiplication, values ofwhile the the Weil pairing calculation scheme usesuses one-point validation uses for two values of In thethe Weil non-degenerate bilinear pairing values calculation, a point Weil pairing for calculation In the Weil non-degenerate bilinear pairing values multiplication is used for each value of u and v Therefore, calculating calculation, a point multiplication is used for each value of u and v Therefore, u, v requires multiplications, which signature calculating two-point u, v requires two-point multiplications, which makes makes thethe signature verification time the signature digitaltime signature time verification time longer longer thanthan the digital 2000 1500 1000 500 Fig Signature after modification File 535 KB File 1.56 MB File 9.47 MB File 9.79 MB File 25.5 MB BLS Digital Signing Time (ms) BLS Signature Verification Time (ms) Digital signature time andand signature verification time of the BLS scheme Fig 9.Fig Digital signature time signature verification time of the BLS scheme 4000 BLS Digital Signature Time (ms) ECDSA Digital Signature Time (ms) BLS Signature verification time (ms) ECDSA Signature verification time (ms) 2000 Fig Signature verification after the signature was modified Table Runtime comparison of BLS scheme and ECDSA scheme Input data (mb) Digital signature time (ms) Signature verification time (ms) BLS ECDSA Diff in % BLS ECDSA Diff in % 1.02 108 350 69.14% 166 347 52.16% 1.56 131 523 74.95% 201 523 61.57% 2.00 186 720 74.17% 241 713 66.20% 3.68 298 1227 75.71% 335 1230 72.76% 4.07 313 1353 76.87% 350 1337 73.82% 5.03 376 1637 77.03% 418 1664 74.88% 6.01 450 1928 76.66% 473 1955 75.81% Analysis and evaluation of the results achieved by the short digital signature program BLS In previous publications, the authors evaluated the execution speed and occupied resources of the Tate pairing computation and kP point multiplication algorithm on a Spartan6 XC6SLX150T FPGA hardware platform [25, 32] In this study, the authors tested the execution time of the program under two scenarios The first was to evaluate the execution speed between the two program functions, i.e., digital signature and signature verification Second, the authors evaluated the execution speed between the BLS short digital signature program and the ECDSA digital signature program For each function of the program, the authors ran the test three times and took the average execution time FILE FILE FILE FILE FILE FILE FILE 1.02 MB 1.56 MB 2.00 MB 3.68 MB 4.07 MB 5.03 MB 6.01 MB 10 Runtime comparison of BLS short digital signature andsignature ECDSA schemes Fig 10 Fig Runtime comparison of BLS short digital and ECDSA schemes Execution speed of BLS short digital signature program and ECDSA digital signature program: Both the BLS and ECDSA digital signature schemes are designed Execution speed of BLS short digital signature program and with a 160-bit key-length key for the same data input Table and the diagram in Fig ECDSA10digital signature program: Both the BLS and ECDSA digital present the run-time details of the digital signature function for both the BLS and signature schemes are designed ECDSA short digital signature scheme with a 160-bit key-length key for the same data Table input.3 Table and the diagram in Fig 10 present the runshows that the running speed of the BLS scheme's digital time details of the verification digital algorithm signature forbits) both thethanBLS and signature/signature (with afunction key length of 160 is better of the ECDSA scheme Specifically, BLS’s digital signature generation performs at ECDSAthatshort digital signature scheme least 69% faster than that of ECDSA, while the signature verification process of BLS is Table shows the running speed of the BLS scheme’s digital at least 52% faster that than ECDSA signature/signature verification algorithm (with a key length of 160 With the same key length (160 bits), the same digital signature, and signature bits) is verification better than that of the ECDSA scheme Specifically, data, the BLS short digital signature scheme had a faster execution time than BLS’s the ECDSA scheme Moreover, with the larger sizeatof least the input69% data file,faster the execution digital signature generation performs than that of timewhile of the BLS shortsignature digital signatureverification scheme linearly increased with the data file ECDSA, the process ofinput BLS is at least size as shown in Fig 10 This can be explained by two main reasons: 52% faster than ECDSA For digital signature function: The number of operations used for the digital With the function same ofkey length (160 abits), same digital signature the BLS schema includes mappingthe of a point on the curve andsignature, a point multiplication kP Meanwhile, the number operations used for the digital scheme and signature verification data, the BLSofshort digital signature signature function of the ECDSA scheme includes one kP point multiplication, one had a faster execution time than the ECDSA scheme Moreover, with the larger size of the input data file, the execution time of the BLS short digital signature scheme linearly increased with the input data file size as shown in Fig 10 This can be explained by two main reasons: For digital signature function: The number of operations used for the digital signature function of the BLS schema includes a mapping of a point on the curve and a point multiplication kP Meanwhile, the number of operations used for the digital signature function of the ECDSA scheme includes one kP point multiplication, one inverse DECEMBER 2022 • VOLUME 64 NUMBER MATHEMATICS AND COMPUTER SCIENCE | COMPUTER SCIENCE operator modulo, and two scalar point multiplications The DSA of the BLS scheme obviously requires less operations than ECDSA digital signature For the signature verification function: The number of operations using signature verification for the BLS scheme includes the Weil non-degenerate bilinear pairing value calculation that uses two points multiplications to calculate the two values u and v Meanwhile, the number of operations used in the signature verification function of the ECDSA digital signing scheme includes one modulo inverse operator, two points multiplications, and two scalar multiplications The larger number of operations makes the ECDSA scheme operate slower than the BLS scheme Conclusions In this paper, the authors used the calculation technique of Weil non-degenerate bilinear pairing (with P∈E(Fp), Q∈E(Fpl) and a higher security multiplier α=12) in building a BLS short digital signature scheme based on supersingular elliptic curves with key generation, digital signature, and digital verification functions The set of supersingular elliptic curve parameters (with a sufficiently large prime p and a higher security multiplier α=12) initialised for the selected BLS scheme ensures that the signature size is short and the security of the BLS scheme remains theoretically safe The execution time of the BLS short digital signature program was much improved compared to the ECDSA digital signature scheme, which makes BLS short digital signature scheme a candidate for applications that require short processing time, fast computation, and for devices with low memory and low bandwidth transmission ACKNOWLEDGEMENTS The authors are grateful to the Academy of Cryptography Techniques for supporting this work COMPETING INTERESTS The authors declare that there is no conflict of interest regarding the publication of this article REFERENCES [1] H Cohen, et al (2005), Handbook of Elliptic and Hyperelliptic Curve Cryptography, Chapman and Hall/CRC, DOI: 10.1201/9781420034981 [2] D Boneh, B Lynn, H Shacham (2001), “Short signatures from the weil pairing”, Advances in Cryptology - CRYPTO 2002, 2248, pp 514-532 [10] P.S.L.M Barreto, et al (2002), “Efficient algorithms for pairing-based cryptosystems”, Advances in Cryptology - CRYPTO 2002, 2442, pp.354-369 [11] A.J Menezes, T Okamoto, S.A Vanstone (1993), “Reducing elliptic curve logarithms to logarithms in a finite field”, IEEE Trans Inf Theory, 39(5), pp.1639-1646 [12] J Shikata, Y Zheng, J Suzuki (2000), “Realizing the Menezes-OkamotoVanstone (MOV)”, IECE Trans Fundam., E83-A(4), pp.756-763 [13] R Barbulescu, P Gaudry, A Joux, E Thomé (2013), “A quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic”, https://arxiv org/abs/1306.4244 [14] O Abid (2012), “New digital signature protocol based on elliptic curves”, Int J Cryptogr Inf Secur., 2(4), pp.13-19 [15] S Koppula, J Muthukuru (2016), “Secure digital signature scheme based on elliptic curves for internet of things”, Int J Electr Comput Eng., 6(3), DOI: 10.11591/ ijece.v6i3.9420 [16] M.A Mehrabi, C Doche, A Jolfaei (2020), “Elliptic curve cryptography point multiplication core for hardware security module”, IEEE Trans Comput., 69(11), pp.1707-1718 [17] M.H.T Tran, et al (2017), “Multilinear mappings based on weil pairing over elliptic curves”, 2017 4th NAFOSTED Conference on Information and Computer Science, DOI: 10.1109/NAFOSTED.2017.8108053 [18] D.P Le, C.H Tan (2013), “Improved Miller’s algorithm for computing pairings on edwards curves”, IEEE Trans Comput., 63(10), pp.2626-2632 [19] O Schirokauer, D Weber, T Denny (1996), “Discrete logarithms: The effectiveness of the index calculus method”, International Algorithmic Number Theory Symposium, 1122, DOI: 10.1007/3-540-61581-4_66 [20] R Padmavathy, C Bhagvati (2010), “Solving the discrete logarithm problem for ephemeral keys in chang and chang password key exchange protocol”, J Inf Process Syst., 6(3), pp.335-346 [21] D Hankerson, A.J Menezes, S Vanstone (2004), Guide to Elliptic Curve Cryptography, Springer, 312pp [22] D.B Roy, D Mukhopadhyay (2019), “High-speed implementation of ECC scalar multiplication in GF(p) for generic montgomery curves”, IEEE Trans Very Large Scale Integr Syst., 27(7), pp.1587-1600 [23] C Costello, P Longa, M Naehrig (2016), “Efficient algorithms for supersingular isogeny Diffie-Hellman”, Annual International Cryptology Conference, 9814, DOI: 10.1007/978-3-662-53018-4_21 [24] M Scott (2005), “Computing the tate pairing”, Cryptographers’ Track at the RSA Conference, 3376, DOI: 10.1007/978-3-540-30574-3_20 [25] L.N Quynh, D.V Son, M.A Tuan (2017), “Enhancement of implementing cryptographic algorithm in FPGA built-in RFID tag using 128 bit AES and 233 bit kP multitive algorithm”, VNU J Sci Math - Phys., 33(2), pp.82-87 [26] I Yavuz, S.B.ệ Yalỗin, ầ.K Koỗ (2008), FPGA implementation of an elliptic curve cryptosystem over GF(3^m)”, 2008 International Conference on Reconfigurable Computing and FPGAs, DOI: 10.1109/ReConFig.2008.66 [3] S Wang (2017), Efficient Computation of Miller’s Algorithm in Pairing-Based Cryptography, Electronic Theses and Dissertations, University of Windsor, 86pp [27] J López, R Dahab (1999), “Fast multiplication on elliptic curves over GF(2m) without precomputation”, International Workshop on Cryptographic Hardware and Embedded Systems, DOI: 10.1007/3-540-48059-5_27 [4] M Masoumi, H Mahdizadeh (2012), “Efficient hardware implementation of an elliptic curve cryptographic processor over GF(2^163)”, Int J Comput Electr Autom Control Inf Eng 2012 Int., 6(5), pp.725-732 [28] National Institute of Standards and Technology (2013), Digital Signature Standard (DSS), DOI: 10.6028/NIST.FIPS.186-4 [5] D Moody, et al (2015), “Report on pairing-based cryptography”, J Res Natl Inst Stand Technol., 120, DOI: 10.6028/jres.120.002 [6] A Markel, L Nemirovskiy (2014), “Pairing-based short signatures”, https:// markel.co/projects/ecc/2/article.pdf [7] V.S Miller (2004), “The Weil pairing, and its efficient calculation”, J Cryptol., 17, pp.235-261 [8] J Shallit, et al (1999), “Handbook of applied crytography”, Am Math Mon., 106(1), DOI: 10.2307/2589608 [9] S.S Dhanda, B Singh, P Jindal (2020), “Lightweight cryptography: A solution to secure IoT”, Wirel Pers Commun., 112(3), pp.1947-1980 [29] D Johnson, A Menezes, S Vanstone (2001), “The elliptic curve digital signature algorithm (ECDSA)”, Int J Inf Secur., 1(1), pp.36-63 [30] D Pointcheval, J Stern (2000), “Security arguments for digital signatures and blind signatures”, J Cryptol., 13(3), pp.361-396 [31] P.S.L.M Barreto, B Lynn, M Scott (2003), “Constructing elliptic curves with prescribed embedding degrees”, International Conference on Security in Communication Networks, 2576, DOI: 10.1007/3-540-36413-7_19 [32] L.N Quynh, D.V Son, M.A Tuan (2019), “Performance of 697-bit Tate pairing based on Elliptic curve implementation for Spartan6 XC6vlx760-2ff1760 FPGA”, 4th International Conference on Advanced Materials and Nanotechnology, pp.166-169 DECEMBER 2022 • VOLUME 64 NUMBER ... building a BLS short digital signature scheme based on supersingular elliptic curves with key generation, digital signature, and digital verification functions The set of supersingular elliptic curve... Runtime comparison of BLS short digital signature andsignature ECDSA schemes Fig 10 Fig Runtime comparison of BLS short digital and ECDSA schemes Execution speed of BLS short digital signature program... bilinear pairing calculations onhave the supersingular curve with the bilinear pairing calculations on the supersingular elliptic curve with Weil pairing in the BLS short digital signature scheme