HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
TRAN VAN HAU
SELF-AUTHENTICATION IN
THE IOTS/TRANSPORTATION SYSTEM
Major: Computer Science Major code: 8480101
MASTER’S THESIS
THIS THESIS IS COMPLETED AT
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY – VNU-HCM
Supervisor: Dr TRUONG TUAN ANH
Examiner 1: Assoc Prof Dr NGUYEN TUAN DANG
Examiner 2: Dr PHAN TRONG NHAN
This master’s thesis is defended at HCM City University of Technology, VNU- HCM City on July 11th, 2023
Master’s Thesis Committee:
1 Chairman: Assoc Prof Dr TRAN MINH QUANG
2 Secretary: Dr NGUYEN THI AI THAO
3 Examiner 1: Assoc Prof Dr NGUYEN TUAN DANG
4 Examiner 2: Dr PHAN TRONG NHAN
5 Commissioner: Dr DANG TRAN TRI
Approval of the Chairman of the Master's Thesis Committee and the Dean of the Faculty of Computer Science and Engineering after the thesis has been corrected (if any)
CHAIRMAN OF THESIS COMMITTEE DEAN OF FACULTY OF COMPUTER SCIENCE AND ENGINEERING
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
SOCIALIST REPUBLIC OF VIETNAM Independence – Freedom - Happiness
THE TASK SHEET OF MASTER’S THESIS
Full name: TRAN VAN HAU Student ID: 1970505
Date of birth: April 2nd, 1997 Place of birth: HCM City
Major: Computer Science Major ID: 8480101
I THESIS TITLE:
SELF-AUTHENTICATION IN THE IOTS/TRANSPORTATION SYSTEM (Vietnamese title: PRIVACY PROTECTION IN SELF-AUTHENTICATION OF THE INTELLIGENT TRANSPORTATION SYSTEM)
II TASKS AND CONTENTS:
1 Research and evaluate authentication schemes in Intelligent Transportation Systems
2 Research on mathematics for self-authentication
3 Research on applying Blockchain in Intelligent Transportation Systems
4 Propose a self-authentication scheme with Blockchain support
5 Implement and evaluate the proposed scheme with respect to security
III THESIS START DAY: February 6th, 2023
IV THESIS COMPLETION DAY: June 10th, 2023
V SUPERVISOR: Dr TRUONG TUAN ANH
Ho Chi Minh City, June 9th, 2023
SUPERVISOR
(Full name and signature)
CHAIR OF PROGRAM COMMITTEE
(Full name and signature)
Dr Truong Tuan Anh
DEAN OF FACULTY OF COMPUTER SCIENCE AND ENGINEERING
ACKNOWLEDGEMENTS
I would like to express my profound gratitude to my thesis instructor Dr. Truong Tuan Anh for his invaluable guidance and support throughout every stage of the thesis process.
A special thanks goes to my family and friends at the BKU, who have faith in me and have been a constant source of encouragement on this journey.
I would also like to acknowledge my colleagues at TMA Solutions, who have shared my tasks so that I could focus on this research.
ABSTRACT
With the evolution of the world, technology has become an integral part of a new transportation model called the Intelligent Transportation System (ITS). Within ITS, the Vehicular Ad hoc Network (VANET) is a crucial infrastructure component that provides features such as traffic monitoring and road safety messages. However, the broadcasting process is susceptible to privacy threats because the user's identity is transmitted in clear text. Therefore, alongside Connectivity and Bottleneck, Privacy can be seen as a significant challenge in ITS. Privacy and authentication are closely linked, as vulnerabilities can be exposed by anomalous actions that follow a successful authentication. Hence, to protect privacy, authentication with a Pseudonym-based System is deployed, relying on a Trusted Authority (TA) as the pseudonym supervisor. However, the connection between the TA and vehicles can lead to Connectivity or Bottleneck issues in rural and urban areas respectively. As a result, authentication is considered the front line of defense against Privacy breaches, but Connectivity and Bottleneck concerns necessitate self-authentication, which authenticates independently of the TA.
THESIS SUMMARY (Vietnamese abstract)
With the development of the world, technology has become an indispensable part of a new transportation model called the Intelligent Transportation System (ITS). Within ITS, the Vehicular Ad hoc Network (VANET) is an important infrastructure component providing features such as traffic monitoring and road safety messages. However, the broadcasting process is vulnerable to privacy threats because the user's identity is transmitted in plain text. Therefore, alongside the Connectivity problem, Privacy can be considered a significant challenge in ITS. Privacy and authentication are closely linked, since vulnerabilities can easily be exploited through anomalous behaviour following a successful authentication. Hence, to protect Privacy, authentication with a Pseudonym-based System is deployed, relying on a Trusted Authority (TA) as the pseudonym supervisor. However, the connection between the TA and vehicles still has outstanding implementation problems in both rural and urban areas. Overall, authentication is considered the front line of defence against Privacy breaches, but Connectivity concerns require self-authentication, independent of the TA.
COMMITMENT
I understand that plagiarism is an unethical academic practice and is considered a serious offense. Therefore, I hereby commit to avoiding any instances of plagiarism in my thesis. All information sources and references utilized in this thesis will be appropriately cited, ensuring that the work is entirely original and free from any plagiarism.
I also pledge to conduct an extensive review of any literature I have referenced or utilized, ensuring that any quotes and ideas are cited accordingly. Furthermore, I will adhere to proper academic standards and guidelines, including but not limited to proper citation format, citation style, and ethical consideration for the authorship of cited materials.
Table of Contents
THE TASK SHEET OF MASTER’S THESIS i
ACKNOWLEDGEMENTS i
ABSTRACT iii
COMMITMENT v
Table of Contents vi
Table of Figures ix
Table of Tables x
1 Introduction 1
1.1 Context 1
1.2 Problem statement 2
1.3 Thesis contribution 5
1.3.1 Scientific significance 5
1.3.2 Practical significance 5
1.4 Thesis structure 6
2 Overview of authentication schemes in ITS 7
2.1 Related works 7
2.1.1 Public Key Infrastructure (PKI) 7
2.1.2 Group Signatures 8
2.1.3 Cooperation 9
2.1.4 Pseudonym-based System 10
2.1.5 Blockchain 12
2.2 Research statement 15
3 Self-authentication scheme in ITS with Blockchain support 17
3.1 Preliminaries 17
3.1.1 Elliptic Curve (EC) 17
3.1.1.1 Definition 17
3.1.1.2 Group Law 19
3.1.1.3 Elliptic Curve over Finite Field 22
3.1.2 Bilinear Pairing 25
3.1.2.1 Definition 25
3.1.2.2 Application 27
3.1.2.3 Pairing-Based Cryptography (PBC) 28
3.1.3 BLS Signatures 29
3.1.3.1 Definition 29
3.1.3.2 Construction 30
3.1.3.3 Security 32
3.1.3.4 BGLS Signatures definition 33
3.1.3.5 BGLS Signatures construction 34
3.1.4 Curve BLS12-381 35
3.1.4.1 Definition 35
3.1.4.2 Characteristics 36
3.1.4.3 Utilization 37
3.1.4.4 Security 38
3.2 System model 39
3.3 Proposed self-authentication scheme 40
3.3.1 System initialization 41
3.3.2 Vehicle registration 42
3.3.3 Message exchange 46
3.3.4 Revocation List (RL) 51
3.4 Scheme evaluation 53
3.5 Security analysis 56
3.5.1 Security on BLS Signatures 56
3.5.2 Location privacy 57
3.5.3 Conditional privacy 57
3.5.4 Unlinkability and forward unlinkability 57
4 Demo implementation 59
4.1 Step construction 59
5 Conclusion and Future work 72
5.1 Conclusion 72
5.2 Future work 72
Table of Figures
Figure 1.1 Enhanced VANET model with Trusted Authority supported [25] 4
Figure 2.1 Illustration of GSIS protocol under Group Signature scheme [18] 9
Figure 2.2 Illustration of sample authentication protocol under Pseudonym-Identity scheme [23] 11
Figure 2.3 Illustration of key derivation with Smart Contract supported [38] 13
Figure 2.4 Illustration of Blockchain-enabled edge computing based on Cooperation scheme [44] 14
Figure 3.1 A catalog of elliptic curves with the region shown is x, y ∈ [−3,3] [50] 18
Figure 3.2 Two types of a Singular Curve (Cusp and Node) [52] 19
Figure 3.3 Group Law on point addition of P+Q+R=0 [53] 20
Figure 3.4 Group Law on point addition with P=Q comes to a tangent to EC [53] 21
Figure 3.5 Point P(3, 6) repeating cyclically within 5 points after multiplying [56] 23
Figure 3.6 Relationship between order and subgroup order on cyclic curves [56] 24
Figure 3.7 Elliptic Curve Cryptography in comparison with Pairing-Based Cryptography [65] 28
Figure 3.8 BLS Signatures on Message Signing step [72] 31
Figure 3.9 BLS Signatures on Signature Verification step [72] 32
Figure 3.10 BGLS Signatures (Aggregate BLS Signatures) illustration [71] 35
Figure 3.11 ITS system model with Blockchain supported feature 39
Figure 3.12 Proposed scheme on System initialization stage 42
Figure 3.13 Proposed scheme on Vehicle Registration stage 46
Figure 3.14 ITS system model on proposed scheme 46
Figure 3.15 Proposed scheme on Message exchange stage (Normal condition) 48
Figure 3.16 Proposed scheme on Message exchange stage (No-Internet condition) 51
Figure 3.17 Proposed scheme on Revocation List (RL) update stage 53
Figure 3.18 Performance test of proposed scheme on local environment 55
Table of Tables
Table 3.1 Performance of proposed scheme compared to others 54
Table 3.2 Cost of deployment test for proposed scheme on Ethereum network 56
Table 3.3 Cost of deployment for proposed scheme on different Blockchain
1 Introduction
1.1 Context
New technologies are constantly emerging, leading to a world that moves at a rapid pace. The movement of billions of related journeys each day makes transportation the most complex system on the planet. Technology has brought about the development of Intelligent Transportation Systems (ITS), which involve equipping vehicles with electronic devices. The changes in transportation policy beginning in the 1980s were brought about by safety and environmental concerns, and by the realization that traditional transportation programs were not well-suited for future needs. The cost-effective nature of technology has supported the advancement of traffic management, with new technology developments such as microprocessors, computers, sensors, and communication technologies having direct implications for transportation [1, 2]. The global market size of ITS is currently estimated at USD 23 billion, and may likely reach USD 100 billion by 2030 [3-5]. The adoption of ITS is expected to expand in regions such as Asia Pacific and Europe, with North America holding a 40% share of the worldwide market by 2021. Advanced Transportation Management Systems (ATMS) are the most widely used ITS category because they effectively monitor traffic flow and detect incidents. Generally, ITS applications offer solutions to reduce environmental impact, promote overall mobility and improve road safety.
With V2V communication notifying drivers of traffic conditions both nearby and farther down the road, road safety applications aim to reduce the number of accidents. Similarly, traffic monitoring and management based on wireless technology can provide precise real-time information to aid in reducing congestion and widening the capacity of roads.
However, as ITS and particularly VANET continue to grow significantly, the potential for attacks on these systems widens. Ensuring the security of VANET requires addressing a range of attackers to protect against potential assaults. Attackers can be broadly categorized as Insider/Outsider, Active/Passive, or Malicious/Rational types [7, 8]. For VANET, security requirements must consider availability, confidentiality, authenticity, and other critical factors, and a lack of attention to security makes VANET more vulnerable to different attack types. Examples of attacks that may exploit features of VANET include Denial-of-Service (DoS) and Jamming attacks that target availability, Eavesdropping attacks that target confidentiality, and Sybil attacks and Location Service spoofing attacks that exploit issues concerning authenticity [9]. In brief, VANET relies on dependable connections, with data delivery that is both secure and swift in real time. Addressing security enhancement is crucial to developing a solid framework for further ITS advancements in the future.
1.2 Problem statement
authority is implemented between A and B for message exchange. A Trusted Authority (TA) is utilized in the model, as shown in Figure 1.1, to authenticate responses and ensure anonymity among vehicles that operate under VANET. While this solution may seem simple to implement and adequate for upgrading VANET requirements, it has three significant drawbacks: Privacy, Connectivity, and Bottlenecks.
Privacy
Figure 1.1 Enhanced VANET model with Trusted Authority supported [25]
In VANET, the concept of anonymity can be implemented through the use of pseudonyms, a technique that preserves an individual's privacy [10]. The sender's identity must remain concealed from the recipient, except for the Trusted Authority (TA) positioned in between. If a dangerous or otherwise notable behavior takes place within the system, the TA can trace and reveal the sender's true identity from their pseudonym, which puts the idea of conditional privacy into practice. Many studies have demonstrated the potential of pseudonyms in protecting the link between message broadcasts in VANETs, which may include safety information such as the vehicle's position, and the sender's identity. Without pseudonyms, or with simple pseudonym implementations, hostile actors could track particular cars [13]. Therefore, research on pseudonyms in VANETs has expanded to include more intriguing ideas on when and how to update a vehicle's pseudonym, and comparisons with other systems are discussed under the Related Works section.
Connectivity
Bottleneck
A bottleneck in VANET occurs when numerous vehicles attempt to connect and authenticate simultaneously. Upgrading the infrastructure with load balancing algorithms can address part of the problem. However, the last step before sending a data message is the authentication stage, which means that researchers tend to focus on finding solutions to the authentication problem rather than on hardware updates. The bottleneck concern highlights the importance of ensuring the availability of VANET, particularly for implementation in urban areas.
1.3 Thesis contribution
1.3.1 Scientific significance
Authentication is a top priority in the field of VANET security; its importance is indisputable. This thesis aims to advance knowledge and, if successful, reduce the security burden associated with the fast-paced development of VANET by providing relevant information on the authentication field. It will compare various authentication methods, highlighting their advantages and disadvantages in the process. Later, a cutting-edge approach will be implemented to showcase a novel way of authenticating in a VANET application.
1.3.2 Practical significance
As previously mentioned, the attack surface of VANET expands as technology progresses. Educating individuals about this field is equivalent to providing them with the necessary tools to defend themselves in everyday situations. In any case, the more people who are prepared to participate in VANET, the easier it will be for the government to address environmental and socio-economic development issues.
thesis is expected to contribute to the effort of raising awareness and creating a brighter future in ITS.
1.4 Thesis structure
Introduction provides a brief overview of the context and contribution of the research topic, which involves developing a secure and automated authentication scheme for Intelligent Transportation Systems (ITS) that can be extended to the Internet of Things (IoT) scenario. The subsequent chapter, Overview of authentication schemes in ITS, offers a comprehensive view of the recent authentication schemes and outlines the thesis's purpose. From that point, Self-authentication scheme in ITS with Blockchain support presents the mathematical background, system modeling, and security analysis leading to the final proposal for the research topic. Additionally, Demo implementation demonstrates the prototype for feasibility testing to supplement the previous chapter. Finally, Conclusion and Future work proposes ways to improve the work in the future.
2 Overview of authentication schemes in ITS
2.1 Related works
2.1.1 Public Key Infrastructure (PKI)
Based on the idea of "Digital signatures as a building block," the authors of [14, 15] develop a PKI system where Certification Authorities (CA, with the same functionality as a TA) are in charge of granting key certificates to cars. Then, before sending a safety message, the vehicles sign it and include the CA's certificate. Additionally, the CA can keep track of a vehicle's related data, such as true names, serial numbers, and linked certificates, in order to offer conditional privacy through key revocation, particularly when system misbehaviors occur. Because digital signatures eliminate the first handshake, giving an overhead-free authenticated session setup, PKI has also been shown to be more efficient than any asymmetric equivalents. However, certificate lifespan and anonymous key set size are now the two most significant effects on the system itself.
occurs. Because of this, the PKI solution faces two major issues: scalability and network congestion.
2.1.2 Group Signatures
According to the Group Signature scheme stated in [16, 17], it can provide anonymity of the signers. As a result, a verifier can judge whether a signer belongs to a group without knowing who in the group the signer is. However, in an exceptional situation, the TA, which serves as a group manager, can reveal the unique identity of the signature's originator. Compared to the PKI technique, this one also reduces the workload of the public key verification and certificate path verification operations. Authors in [18] have implemented a solution, modeled in Figure 2.1, that is based on Group Signature (for V2V communication) and Identity-based signature (for V2I communication) schemes. With regard to V2V, conditional privacy is offered by allowing a group manager to trace the signer whenever an identity must be divulged; in contrast, it is computationally challenging for anybody other than the group manager to identify the real signer. The solution has also been extended with a memory- and processing-efficient revocation mechanism. On the other hand, by using a verification method that double-checks the timestamp and message type, V2I communication is improved by the prevention of replication and replay attacks.
Figure 2.1 Illustration of GSIS protocol under Group Signature scheme [18]
2.1.3 Cooperation
The use of pseudonyms between broadcasts is supported by a solution put forward by the authors of [20] that makes use of the silent period approach. Afterward, a group idea is used to expand the previously indicated strategy. The idea emerges while navigating: the group leader is a single vehicle that can represent the entire group. Randomization is used to choose a group leader from among the participants. Additionally, it is adequate if merely the group leader speaks on behalf of the group members. As a result, if vehicles do not switch groups between two probe data requests, they may remain silent for a long random amount of time. Considering that only the group leader responds to the RSU with probe data, unnecessary overhead and duplication in neighbors' broadcasts of potentially duplicate probe data is eliminated. Additionally, far fewer pseudonym changes are needed to evade adversary monitoring during broadcasting.
proxy" idea highlights a lack of end-to-end connectivity between the service provider and group members, which results in a single point of failure for members requesting services, a well-known issue of Network Address Translation (NAT) routing. Similarly, a group leader, if it is a corrupted one, not only needs constant communication with the TA (which causes network congestion), but also compromises the privacy of every group member.
2.1.4 Pseudonym-based System
Shamir devised the Identity-based approach in 1984 [22] to lessen the cost of preloading many key pairs and their matching certificates in common PKI schemes. This method reduces the overhead produced by certificate-requiring communications by not using a certificate for message verification, and so does away with the requirement for key pairs and the PKI certificates that go with them [23]. Instead of a lengthy string that appears random, as in standard PKI, the notion is that a user's public key might be an identity-related string, such as their name and email address. The implicit validation of the public key significantly eliminates the need for the unnecessary public key management illustrated in Figure 2.2 [24]. In order
Figure 2.2 Illustration of sample authentication protocol under Pseudonym-Identity scheme [23]
Authors in [25] proposed that the TA provide a credential to the cars, after which the vehicles are able to self-generate a number of pseudonyms, in order to address the trade-off between efficient revocation and autonomy. Without having to contact the cars, the TA is still able to restrict the creation of new pseudonyms and remove users' anonymity. Despite the proposal's many benefits, it is unable to synchronize the revocation list across all cars. The authors of [32] therefore update the existing system with the notion that cars and servers only need to contact the TA once in order to obtain secret information, after which they may sign the sent message with a signature based on that secret information. The receivers can then handle the authentication themselves, with no need to get in touch with the TA. This may solve the traffic problem as well as the situation where the cars cannot connect to the internet to contact the TA for verification. Other methods also aim to increase processing speed, such as [33, 34], which reduce computational overhead and average latency in both sparse and dense network scenarios by distributing real-identity-to-pseudonym mappings and condensing the size of the revocation list by only saving the most recent entries.
2.1.5 Blockchain
Blockchain is a novel method that has grown rapidly in recent years. The idea of Bitcoin by Satoshi Nakamoto [35] back in 2008 gave it a solid foundation to evolve into what it is today: a peer-to-peer, distributed ledger that is cryptographically secure, append-only, immutable (very difficult to modify), and updateable only through consensus procedures (agreement among peers). The main tool for mapping real-world conditions onto meaningful blocks is a Smart Contract (SC), which runs on top of the Blockchain. This concept is used in many fields, including financial services to secure transaction information in a centralized manner, supply chains to monitor the shipping process, and retail to combat counterfeit products [36]. In connection with ITS, authors in [37, 38] leveraged SC for the TA's actions to load/map a vehicle public key table compiling references to every vehicle's "identity-public key" association, as illustrated in Figure 2.3. Consequently, giving automated
highlighting is the participation rate. Because VANET is not widely implemented in some regions, authors in [39, 40] provided a small incentive for each participant to raise demand for it. Results are stored on the Blockchain network and the procedure uses VANET authentication as input for rewarding.
Figure 2.3 Illustration of key derivation with Smart Contract supported [38]
The new approach, which is specifically targeted towards ITS/VANET authentication, promises to reduce overall computing cost and eliminate the TA's single point of failure. With the use of Blockchain, both V2V and V2I can communicate in an environment where trust isn't completely established. Many authors have adapted the legacy VANET authentication scheme as part of a new implementation. According to authors relying on PKI [41], traffic data is gathered by RSUs, and passing cars confirm accuracy when receiving event notifications. In addition, two-phase Blockchain transactions are implemented to deliver warning messages in the proper areas and at the proper times.
anonymous aggregate vehicular announcement protocol packed with conditional privacy, allowing for the maintenance of announcement reliability while protecting user privacy in a partially trusted context. To achieve reputation message synchronization and trustworthiness, the latter approach also included a Blockchain-based trust management architecture.
To develop a certificate-based authentication strategy for automobile accident detection and reporting, Blockchain was used in the following Cooperation scheme [44]. The concept is the same as that suggested by legacy Cooperation, as indicated in Figure 2.4, where each vehicle may securely notify accident-related transactions to its local group leader (referred to as a Cluster Head). The transaction is subsequently passed by the group leader to the appropriate later processing units (Edge Server, Blockchain Center), where it is sent for verification and consensus before becoming a full block in the Blockchain Center.
Figure 2.4 Illustration of Blockchain-enabled edge computing based on Cooperation scheme [44]
presented a traceable, decentralized system that, in the event of harmful conduct on the network, inherited the idea of a revocation list. Additionally, authors in [48] offered a strategy for managing pseudonyms that consists of distribution and shuffling phases based on physical/virtual mix zones, allowing the reuse of pre-existing pseudonyms by other vehicles.
Generally speaking, Blockchain applications assist in the implementation of a more effective solution by minimizing the shortcomings of conventional ITS authentication systems, such as their centralization and high overhead during computing processes. Although it is still rather new, this approach is a promising improvement in the near future.
2.2 Research statement
To summarize, the enhanced VANET scheme with TA support has three primary drawbacks: Privacy, Connectivity, and Bottleneck (as stated in 1.2 Problem statement). The Privacy issue requires a systematic protection mechanism, specifically an Authentication process that sends a pseudonym instead of the user's actual identity. To keep pace with current developments, an improved Authentication scheme is necessary to adequately cover Privacy. Moreover, to resolve the Connectivity issue, the Authentication method must minimize the number of message exchanges between the TA and OBU (RSU) to achieve a non-centralized solution. Lastly, an appropriate Authentication system would reduce processing/traversing activities for efficient network load balancing, thereby resolving the Bottleneck. The goal of this thesis is to propose an Authentication scheme that addresses the three weaknesses mentioned above.
3 Self-authentication scheme in ITS with Blockchain support
3.1 Preliminaries
This section provides the mathematical background on which the proposed scheme relies. Starting from the basics of Elliptic Curves, the following subsection on Bilinear Pairing builds up the core for BLS Signatures. The last subsection, Curve BLS12-381, explains the reason for choosing this curve over other options.
3.1.1 Elliptic Curve (EC)
3.1.1.1 Definition
An Elliptic Curve (EC) is defined as a plane algebraic curve consisting of all points satisfying the equation:
$y^2 = x^3 + Ax + B$ (3.1)
The equation above is called the simplified Weierstrass form of an EC, valid when the field characteristic is different from 2 and 3. ECs can also be implemented over fields of characteristic 2 and 3 to enjoy many optimizations, but these suffer from specialized discrete log attacks and should generally be avoided. A recommendation is to always define curves over a field of prime order and of characteristic greater than 3 [49]. The values of A and B decide the curve shape on the plane; an EC is also symmetric about the x-axis. Another crucial element of an EC is the ideal point (or point at infinity), denoted by the 0 (zero) symbol and explained in later subsections. An illustration of EC shapes with respect to A and B is shown in Figure 3.1.
Figure 3.1 A catalog of elliptic curves, with the region shown being x, y ∈ [−3, 3] [50]
A special case when forming an EC is a Singular Curve (or Singularity). Generally, a singularity refers to a point at which a mathematical object no longer behaves in a desirable manner, typically because characteristic traits such as differentiability or analyticity are absent [51]. Hence, the discriminant condition
$\Delta = 4A^3 + 27B^2 \neq 0$ (3.2)
is imposed to prevent a Singular Curve. A non-zero discriminant ensures that the cubic $x^3 + Ax + B$ has no repeated root. When dealing with an Elliptic Curve (EC) over the complex numbers in the traditional setting, the discriminant can be represented geometrically. There are three cases for the discriminant:
1 $\Delta \neq 0$: A Non-Singular curve of genus 1 (a torus)
3 $\Delta = 0$ and $A \neq 0$: It forms a Node, which is a Singularity with 2 distinct tangent directions [51]
Figure 3.2 Two types of a Singular Curve (Cusp and Node) [52]
In general, an EC over the real numbers can be defined formally as:
$\{(x, y) \in \mathbb{R}^2 \mid y^2 = x^3 + Ax + B,\ 4A^3 + 27B^2 \neq 0\} \cup \{0\}$ (3.3)
3.1.1.2 Group Law
The Group Law on an EC is built on the basis of an Abelian Group, which is a set equipped with a binary operation such as "addition" (denoted by the + symbol). Such an Abelian Group must satisfy the following properties:
1 Closure: If A and B are members of group G, then A + B is also a member of G.
2 There exists an identity element 0 such that A + 0 = 0 + A = A.
3 Every element has an inverse: for every A there is a B such that A + B = 0.
4 Associativity: A + (B + C) = (A + B) + C.
5 Commutativity: A + B = B + A.
Extending to the Group Law on an EC, the properties above are mapped as follows [53]:
1 Group elements are points on the EC.
2 The identity element is the point at infinity 0 (recalled from subsection 3.1.1.1 Definition).
a Three aligned, non-zero points P, Q, R imply the sum P + Q + R = 0, portrayed in Figure 3.3.
b The three points do not have to be aligned, so this matches the Associativity and Commutativity rules.
In a nutshell, besides point addition corresponding to the properties above, the Group Law on an EC also implies scalar multiplication. Firstly, point addition of P and Q is done by drawing a line through them, which intersects the curve at a third point called R. The point R is then reflected through the x-axis to get −R, so the formal expression of point addition can be written as P + Q = −R (equivalently, P + Q + R = 0).
Figure 3.3 Group Law on point addition of P+Q+R=0 [53]
Furthermore, three special cases can occur:
1 P = 0 or Q = 0: Since 0 is the identity element, P + 0 = P and 0 + Q = Q.
2 P = −Q: A vertical line passes through the two points and there is no third intersection. If P is the inverse of Q, then P + Q = P − P = 0.
3 P = Q: Many lines pass through the point P. As Q gets closer to P, the line becomes tangent to the EC, and P + Q = P + P = −R (the intersection
Figure 3.4 Group Law on point addition with P = Q, which comes to a tangent to the EC [53]
Secondly, scalar multiplication takes the same form as in ordinary arithmetic, with multiplication by 0 returning the point at infinity. The operation is as below:
$nP = \underbrace{P + \cdots + P}_{n\ \text{times}}$ (3.4)
On an EC, scalar multiplication is computed using the "double-and-add" mechanism. Consider the example of 27P and expand 27 into powers of two:
$27 = 2^4 + 2^3 + 2^1 + 2^0$
so 27P is rewritten as:
$27P = 2^4 P + 2^3 P + 2^1 P + 2^0 P$
1 Take P for $2^0 P$
2 Double P to get 2P, i.e. $2^1 P$
3 Add P to 2P for $2^1 P + 2^0 P$
4 Double $2^1 P$ for $2^2 P$
5 Double $2^2 P$ for $2^3 P$
6 Double $2^3 P$ for $2^4 P$
7 Add all together for $2^4 P + 2^3 P + 2^1 P + 2^0 P = 27P$
Trang 34robust concepts based on EC, such as cryptography The way to utilize scalar multiplication is explained in the upcoming subsections with precision
3.1.1.3 Elliptic Curve over Finite Field
Finite Field of Prime Order
A field with a finite number of elements is called a Finite Field; when the number of elements is a prime number 𝑝 (the set of integers modulo 𝑝), it is called a Finite Field of prime order and denoted by 𝔽𝑝. In such a field, all arithmetic is done modulo 𝑝 [54]:
1 $a + b \to (a + b) \bmod p$
2 $a - b \to (a - b) \bmod p$
3 $a \cdot b \to (a \cdot b) \bmod p$
4 $a \div b \to (a \cdot b^{-1}) \bmod p$
Division is a special case here: $1/b$ is replaced with $b^{-1}$ (the multiplicative inverse of 𝑏), which can be computed efficiently with the Extended Euclidean Algorithm [55]. The condition that 𝑝 must be a prime number is significant: the integers modulo 4, for instance, do not form a field, because 2 has no multiplicative inverse modulo 4, so the equation $2 \cdot x \equiv 1 \pmod 4$ has no solution.
With the add-on above, the formal definition from 3.1.1.1 Definition changes to the form below to support an EC over 𝔽𝑝:
$\{(x, y) \in (\mathbb{F}_p)^2 \mid y^2 \equiv x^3 + Ax + B \pmod p,\ 4A^3 + 27B^2 \not\equiv 0 \pmod p\} \cup \{0\}$ (3.5)
where 𝐴, 𝐵 are two elements of 𝔽𝑝 and 0 is still the point at infinity. Furthermore, the EC still forms an Abelian Group and inherits all of its properties.
Order and Cofactor
The count of all EC points on the curve represents the curve's order. This count also includes a unique point called the "point at infinity", which arises from multiplying a point by 0. As an instance, consider the following curve:
$y^2 \equiv x^3 + 2x + 3 \pmod{97}$ with point 𝑃(3, 6). The multiples of 𝑃 are just 5 distinct points, as shown in Figure 3.5:
(0𝑃, 1𝑃, 2𝑃, 3𝑃, 4𝑃)
Figure 3.5 Point P(3, 6) repeating cyclically within 5 points after multiplying [56]
There are certain curves that form a single cyclic group holding all of their Elliptic Curve (EC) points, whereas others form multiple non-overlapping cyclic subgroups (each holding a subset of the curve's EC points). In the latter scenario, the points on the curve are divided into ℎ smaller cyclic subgroups, each with the same number of points, i.e. each of order 𝑟. The overall order of the entire group is calculated as follows:
𝑛 = ℎ × 𝑟 (3.6)
Therefore, the cofactor can be inferred from the subsequent equation:
$h = \frac{n}{r}$ (3.7)
where:
𝑛: Order of the curve (total count of all points on the EC)
𝑟: Order of the subgroup (total count of points in each subgroup, including the point at infinity on the EC)
Figure 3.6 Relationship between order and subgroup order on cyclic curves [56]
In summary, the points on an EC are partitioned into one or more separate, non-overlapping subsets, known as cyclic subgroups. The number of such subgroups is the cofactor ℎ. The total count of points across these subgroups is denoted 𝑛. If the curve consists of just one cyclic subgroup, the cofactor is ℎ = 1; otherwise ℎ > 1 [56].
3.1.1.4 Elliptic Curve Cryptography (ECC)
Generator Point (Base Point)
ECC cryptosystems establish a particular pre-defined (constant) point called the generator point 𝐺 (base point) for ECs over Finite Fields; any other point in its subgroup on the elliptic curve can be produced by multiplying 𝐺 by some random integer in the range (0, …, 𝑟) of the prime order 𝑟. EC subgroups often contain numerous generator points, but cryptographers carefully pick one of them that generates the complete group (or subgroup) and suits speed improvements in calculations.
For some curves, different generator points are known to yield subgroups of different order. As a result, certain generators on the same curve produce smaller subgroups than others. Security is compromised when the size of the subgroup is small, which is exploited by a "small-subgroup" attack. This is why cryptographers commonly select the subgroup order 𝑟 to be a prime integer [57].
In ECC, multiplying a generator point 𝐺 by a random integer 𝑘 results in another point 𝑃 on the EC (supported by modular arithmetic). Consequently, there are four components in ECC:
1 EC over Finite Field 𝔽𝑝
2 𝐺: Generator point (a fixed base point on the EC)
3 𝑘: Private key (a random integer)
4 𝑃: Public key (the resulting point on the EC)
Calculating 𝑃 = 𝑘 × 𝐺 is efficient using the previously discussed “double-and-add” approach; for example, 256-bit curves require a few hundred basic EC operations. Calculating $k = \frac{P}{G}$, on the other hand, is exceedingly slow (or impossible for large 𝑘).
Elliptic Curve Discrete Logarithm Problem (ECDLP)
The previous claim about calculating the ECC components builds up the security strength behind ECC, called the ECDLP. In cryptography, it is defined as follows: given an EC over a Finite Field 𝔽𝑝 with a generator point 𝐺 and a point 𝑃 on the EC, find the integer 𝑘 (if it exists) such that 𝑃 = 𝑘 × 𝐺. The ECDLP has no efficient solution for Finite Fields and ECs that have been properly designed (by cryptographers). There is an equivalence between multiplication of EC points in the group over 𝔽𝑝 and exponentiation of integers in the group ℤ𝑝 (multiplicative notation). One can say that the ECDLP is analogous to the DLP (Discrete Logarithm Problem) [58].
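The group law with its three special cases, double-and-add, 𝔽𝑝 arithmetic with the extended-Euclid inverse, order and cofactor, and the asymmetry between computing 𝑃 = 𝑘 × 𝐺 and solving the ECDLP, as described in subsections 3.1.1.2 to 3.1.1.4, worked through on the thesis's own toy curve $y^2 \equiv x^3 + 2x + 3 \pmod{97}$ with 𝑃(3, 6). This is an added example, not code from the thesis or from its proposed scheme; the private key 𝑘 = 4 and the helper names (Curve, inv_mod, dlog_brute, in_prime_subgroup, demo) are constructed for illustration, and the 97-element field is far too small for any real use.

```python
# Added example (not the thesis's own code): short-Weierstrass arithmetic over F_p on the
# thesis's toy curve y^2 = x^3 + 2x + 3 (mod 97), P = (3, 6): group law, double-and-add,
# extended-Euclid inverse, order/cofactor, P = kG and a brute-force ECDLP. Toy sizes only.
O = None  # the point at infinity, used as the group identity

def egcd(a, b):
    """Extended Euclidean algorithm: (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inv_mod(b, p):
    """Multiplicative inverse of b mod p (stands in for 1/b); fails when gcd(b, p) != 1,
    which is why a composite modulus such as 4 is not a field (2 has no inverse)."""
    g, s, _ = egcd(b % p, p)
    if g != 1:
        raise ZeroDivisionError(f"{b} has no inverse modulo {p}")
    return s % p

class Curve:
    def __init__(self, a, b, p):
        assert (4 * a ** 3 + 27 * b ** 2) % p != 0, "singular curve"   # condition from (3.5)
        self.a, self.b, self.p = a, b, p

    def on_curve(self, P):
        return P is O or (P[1] ** 2 - (P[0] ** 3 + self.a * P[0] + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Group law: chord (or tangent) through P and Q meets the curve at R; result is -R."""
        p = self.p
        if P is O:                       # case 1: 0 + Q = Q
            return Q
        if Q is O:                       # case 1: P + 0 = P
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return O                     # case 2: P = -Q, vertical line, no third point
        if P == Q:                       # case 3: tangent line at P
            lam = (3 * x1 * x1 + self.a) * inv_mod(2 * y1, p) % p
        else:                            # chord through two distinct points
            lam = (y2 - y1) * inv_mod(x2 - x1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p  # reflect R across the x-axis
        return (x3, y3)

    def mul(self, n, P):
        """Double-and-add over the binary expansion of n, as in the 27P walkthrough."""
        R = O
        while n > 0:
            if n & 1:
                R = self.add(R, P)       # this power-of-two multiple of P is in the sum
            P = self.add(P, P)           # double for the next bit
            n >>= 1
        return R

    def point_order(self, P):
        """Smallest r >= 1 with rP = O (exhaustive; fine for a toy curve)."""
        r, Q = 1, P
        while Q is not O:
            Q, r = self.add(Q, P), r + 1
        return r

    def curve_order(self):
        """n = number of affine solutions plus the point at infinity (exhaustive over F_p)."""
        n = 1
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            n += sum(1 for y in range(self.p) if y * y % self.p == rhs)
        return n

    def in_prime_subgroup(self, Q, r):
        """Public-key validation: on the curve, not O, and rQ = O (rejects small-subgroup points)."""
        return self.on_curve(Q) and Q is not O and self.mul(r, Q) is O

    def dlog_brute(self, G, P, r):
        """ECDLP by exhaustive search over the subgroup: the k with kG = P, or None."""
        Q = O
        for k in range(r):
            if Q == P:
                return k
            Q = self.add(Q, G)
        return None

def demo():
    E, P = Curve(2, 3, 97), (3, 6)
    r, n = E.point_order(P), E.curve_order()   # subgroup order r, curve order n, cofactor h = n / r
    k = 4                                      # constructed private key in (0, r)
    pub = E.mul(k, P)                          # public key = k * G with G = P
    return {"2P": E.add(P, P), "r": r, "n": n, "h": n // r, "27P": E.mul(27, P),
            "pub": pub, "k_recovered": E.dlog_brute(P, pub, r),
            "pub_valid": E.in_prime_subgroup(pub, r), "zero_valid": E.in_prime_subgroup(O, r)}
```

Running demo() shows that 𝑃 has order 𝑟 = 5 (the five multiples of Figure 3.5), that 27𝑃 computed by double-and-add equals 2𝑃 because 27 ≡ 2 (mod 5), and that recovering 𝑘 from the public key walks the whole subgroup, which is exactly the search the ECDLP makes infeasible at cryptographic sizes. The in_prime_subgroup check is the defensive counterpart of the small-subgroup remark above: a received point is accepted only if it lies on the curve, is not 0, and satisfies 𝑟𝑄 = 0.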
3.1.2 Bilinear Pairing
3.1.2.1 Definition
Bilinear Pairing (or Bilinear Mapping) defines a map from two elements of additive EC groups to an element of a third, multiplicative group, in a way that is a group homomorphism in each argument. It is formally defined as a mapping function formalized as:
𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇 (3.8)
where the three groups 𝐺1, 𝐺2 and 𝐺𝑇 have prime order 𝑝, with generators 𝐺1 = 〈𝑔1〉, 𝐺2 = 〈𝑔2〉 and 𝐺𝑇 = 〈𝑔𝑇〉, respectively. In addition, three other constraints are enforced to form an admissible pairing [59]:
1 Bilinearity
For 𝑃 ∈ 𝐺1, 𝑄 ∈ 𝐺2 and ∀𝑎, 𝑏 ∈ ℤ𝑝, bilinearity is denoted as:
$e(P^a, Q^b) = e(P, Q)^{ab}$ (3.9)
2 Non-degeneracy
It is necessary that:
$e(g_1, g_2) \neq 1_{G_T}$ (3.10)
Without this constraint, a bilinear map that returns the single element $1_{G_T}$ for every input would be pointless.
3 Efficiency
To compute the pairing on any input, there must be a procedure that runs in polynomial time in the size of the group elements. This rules out maps that satisfy the first two properties but are computationally intractable to evaluate; such maps would be trivial to define but useless in practice.
In general, Bilinear Pairing divides into three types [60]:
1 Symmetric, with 𝐺1 = 𝐺2 = 𝐺, denoted as:
𝑒: 𝐺 × 𝐺 → 𝐺𝑇 (3.11)
2 Asymmetric 1 (Type 2), with 𝐺1 ≠ 𝐺2 and a homomorphism 𝜓: 𝐺2 → 𝐺1, denoted as:
𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇 (3.12)
3 Asymmetric 2 (Type 3), with 𝐺1 ≠ 𝐺2 and no such homomorphism, denoted as in Type 2:
𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇 (3.13)
$e(P^a, Q^b) = e(P, Q)^{ab}$
$e(P^a, Q) = e(P, Q^a) = e(P, Q)^a$
$e(P, Q \cdot R) = e(P, Q) \cdot e(P, R)$
$e(P, Q / R) = \dfrac{e(P, Q)}{e(P, R)}$
3.1.2.2 Application
Miller’s Algorithm
Victor Miller produced a manuscript in 1985 demonstrating that the Weil pairing, which requires evaluating an exponential-degree polynomial, could be efficiently calculated in polynomial time. This manuscript was the initial step in the creation of Pairing-Based Cryptography, which is detailed in subsection 3.1.2.3 PBC. While Miller's work may have appeared to jeopardize ECC, as it seemed to prove the opposite of what he had intended, the degree of the extension field to which the Weil pairing mapped was too large. As a result, the unwanted reduction was inefficient and did not occur at all [61].
MOV Attack
In 1991, Menezes, Vanstone, and Okamoto used Miller's technique for calculating the Weil pairing to break the discrete logarithm assumption on certain ECs in sub-exponential time. This was a noteworthy result, given that no sub-exponential algorithms for ECs had been developed at the time. Their approach, known as the MOV attack, converted an ECDLP challenge $g^a \in G$ into the target group by applying the pairing and computing $e(g^a, g) = e(g, g)^a \in G_T$. Since the target group was a subgroup of a Finite Field 𝔽𝑝, quicker sub-exponential techniques could be used to compute the discrete logarithm of $e(g, g)^a$ [62].
Joux’s Tripartite Diffie-Hellman
protocol employing pairings for three parties, which is also known as tripartite Diffie-Hellman. Prior to this discovery, only two-round protocols were known for three parties, whereas one-round protocols were known only for two-party communication [63]. Following that breakthrough, a plethora of new and efficient cryptographic techniques emerged [64]:
BLS (short) signatures (which the proposed scheme is based on)
Identity-Based Encryption (IBE)
Additively-Homomorphic Encryption
Succinct Zero-knowledge Proofs
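To make the three pairing axioms of 3.1.2.1, the four identities listed there and Joux's one-round tripartite exchange checkable, here is an added toy example; it is not from the thesis and is not a pairing on an elliptic curve. It takes 𝐺1 = 𝐺2 = (ℤ𝑟, +) with generator 𝑃 = 1 (written additively as 𝑎𝑃 where the thesis writes 𝑃^𝑎 multiplicatively), 𝐺𝑇 = the order-𝑟 subgroup of ℤ𝑝* generated by 𝑔, and 𝑒(𝑃, 𝑄) = 𝑔^{𝑃𝑄}. The constants 𝑝 = 23, 𝑟 = 11, 𝑔 = 2 and the party secrets are constructed. The map is bilinear and non-degenerate but gives no security at all, since the discrete logarithm of 𝑎𝑃 in ℤ𝑟 is just 𝑎; it only makes the algebra concrete.

```python
# Added toy example (not the thesis's code): a bilinear map e(P, Q) = g^(P*Q) from
# G1 = G2 = (Z_r, +) into G_T = <g> inside Z_p^*. Constructed constants; the map is
# bilinear and non-degenerate but offers NO security (the log of aP in Z_r is just a).
P_MOD = 23     # modulus p of the target field; chosen so that r divides p - 1 = 22
R_ORDER = 11   # prime order r of G1, G2 and G_T
GT_GEN = 2     # g = 2 has order 11 modulo 23, so <g> has exactly r elements

def gt_mul(u, v):
    return u * v % P_MOD

def gt_pow(u, k):
    return pow(u, k, P_MOD)

def gt_inv(u):
    return pow(u, -1, P_MOD)

def scal(a, P):
    """Scalar multiple aP in the additive group Z_r (the thesis's P^a)."""
    return a * P % R_ORDER

def pairing(P, Q):
    """e(P, Q) = g^(P*Q mod r): bilinear because (aP)(bQ) = ab(PQ) in Z_r."""
    return pow(GT_GEN, (P * Q) % R_ORDER, P_MOD)

def check_axioms(P, Q, R, a, b):
    """True iff (3.9), (3.10) and the four listed identities hold for these inputs."""
    e = pairing
    bilinear = e(scal(a, P), scal(b, Q)) == gt_pow(e(P, Q), a * b)            # (3.9)
    mixed = e(scal(a, P), Q) == e(P, scal(a, Q)) == gt_pow(e(P, Q), a)         # e(P^a, Q) = e(P, Q^a)
    product = e(P, (Q + R) % R_ORDER) == gt_mul(e(P, Q), e(P, R))              # e(P, Q·R)
    quotient = e(P, (Q - R) % R_ORDER) == gt_mul(e(P, Q), gt_inv(e(P, R)))     # e(P, Q/R)
    non_degenerate = e(1, 1) != 1                                              # (3.10); generators are 1
    return bilinear and mixed and product and quotient and non_degenerate

def joux_round(a, b, c, gen=1):
    """One-round tripartite key agreement: each party broadcasts its multiple of the
    generator; every party then derives g^(abc) from the other two broadcasts."""
    A_msg, B_msg, C_msg = scal(a, gen), scal(b, gen), scal(c, gen)   # the three public messages
    key_A = gt_pow(pairing(B_msg, C_msg), a)
    key_B = gt_pow(pairing(A_msg, C_msg), b)
    key_C = gt_pow(pairing(A_msg, B_msg), c)
    return key_A, key_B, key_C
```

joux_round shows why a single round suffices with a pairing: each party needs only the two other broadcasts and its own secret, and all three arrive at 𝑒(𝑃, 𝑃)^{𝑎𝑏𝑐} without a second message. With the toy map, an observer can read 𝑎 directly from 𝑎𝑃; on a real pairing-friendly curve that step is the ECDLP.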
3.1.2.3 Pairing-Based Cryptography (PBC)
Pairing-Based Cryptography (PBC) is a kind of ECC that requires pairing computations on the underlying ECs. Pairing-Friendly Curves are the ECs utilized for PBC, and they determine the security (in bits) of PBC in general. Figure 3.7 illustrates the comparison between ECC and PBC.
Figure 3.7 Elliptic Curve Cryptography in comparison with Pairing-Based Cryptography [65]
The advantage is that PBC may be used in a black-box mode, with no knowledge of its internals. Because pairing in PBC necessitates a deep dive into mathematics, this thesis only covers the fundamentals of how to compute it, in two steps:
1 Form constructing
Recall the general mapping form defined earlier: 𝑒: 𝐺1 × 𝐺2 → 𝐺𝑇