EFFICIENT SIGNATURE SCHEME FROM SELF-PAIRING ON ELLIPTIC CURVES

A self-pairing $e_s(P, P)$ is a special subclass of bilinear pairing where both input points in a group are equal. Self-pairings have some interesting applications in cryptographic schemes and protocols. Recently some novel methods for constructing self-pairings on supersingular elliptic curves have been proposed. In this paper we first give the construction of self-pairings on some supersingular elliptic curves. We show that the proposed self-pairings are more efficient than the general pairings on the corresponding curves. Secondly, we present a digital signature scheme from self-pairing on elliptic curves. We also show that the signature scheme from self-pairing is more efficient than the previous one.

AMS Subject Classification: 94A60


Introduction
Pairing-based cryptography [1] has become one of the most active areas in elliptic curve cryptography since 2000. The first notable application of pairings to cryptography was the work of Menezes, Okamoto and Vanstone. They showed that the discrete logarithm problem can be shifted from an elliptic curve to a finite field through the Weil pairing, as the discrete logarithm problem is more easily solved over a finite field than over an elliptic curve. Many successful cryptographic protocols have been designed by using pairings. In order to make these cryptographic protocols practical, the computation of pairings needs to be carried out efficiently. To develop the algorithmic foundation of pairings, many efficient pairings such as the Weil pairing [2,3,4], Tate pairing [2,3,5,6], Ate pairing [7,8], optimal pairing [9] and pairing lattices [10] have been proposed. To speed up pairing computation, many efficient techniques have been presented, such as shortening the loop length in Miller's algorithm [7,10,11] or speeding up the doubling and addition steps in Miller's algorithm [12,13].
A self-pairing $e_s(P, P)$ [14] is a special subclass of bilinear pairing where both input points in a group are equal. Self-pairings have been used in some cryptographic protocols and schemes such as short signatures [15,16], an ID-based chameleon hashing scheme [17], etc. It is well known that $e(P, P) = 1$ for any $P$ if we directly compute the Weil pairing. Thus, for cryptographic applications, the latter $P$ should be mapped to another independent point to keep non-degeneracy. The point $P$ can be mapped to another independent point by using distortion maps. But distortion maps exist only on ordinary curves with embedding degree one [18] and on supersingular curves. By using the distortion maps on supersingular elliptic curves with even embedding degree, the author of [14] proposed the self-pairing with a simple final exponentiation. Later this idea was also generalized to hyperelliptic curves [19]. The authors of [20] and [21] proposed efficient self-pairings on ordinary elliptic curves and self-pairings on supersingular elliptic curves with embedding degree 3, respectively.
A novel method for constructing self-pairings on some supersingular elliptic curves with even embedding degree was proposed in [14]. In this paper we use this method to present self-pairings on some different supersingular elliptic curves. We use the distortion maps on the supersingular elliptic curves $E_1 : y^2 + y = x^3$ over $\mathbb{F}_{2^n}$, where $n$ is odd, and $E_2 : y^2 = x^3 - x + 1$ over $\mathbb{F}_{3^n}$, where $n$ is odd, to propose self-pairings on these curves. We also construct the self-pairing on the supersingular elliptic curve $E_3 : y^2 = x^3 + b$ over the prime field $\mathbb{F}_p$, where $p \equiv 2 \bmod 3$. The author of [14] discussed the self-pairing on a curve like $E_3$, but we take the curve in general form. The general bilinear pairing on the curve $E_1$ has been studied by Soonhak Kwon [22]. We also present an efficient signature scheme from self-pairing on elliptic curves.
The paper is organized as follows. In Section 2, we provide some background and notation for pairings on elliptic curves used throughout this paper. In Section 3, we present new self-pairings on supersingular elliptic curves. In Section 4, we present an efficient signature scheme using self-pairing. In Section 5, we discuss the efficiency of the signature scheme. We draw our conclusion in Section 6.

Mathematical Background
In this section, we give the mathematical background required for pairing-based cryptosystems. We recall the definition of an elliptic curve and of the Weil and Tate pairings. We also give some facts about supersingular elliptic curves.

Elliptic Curves
An elliptic curve [23] over a field $K$ is the set of all points on the curve (given by the Weierstrass equation) together with $O$, the "point at infinity". If the characteristic $p$ of the field $K$ is not equal to two or three, then the Weierstrass equation converts to with the condition that $4a^3 + 27b^2 \neq 0 \bmod p$. The points on an elliptic curve form an abelian group under the group law. To define this group law, consider two points, say $P$ and $Q$, on the elliptic curve and draw a line from $P$ to $Q$ until it hits the curve again. From this we get another point on the curve. Now we draw a line from the point at infinity, $O$, through this new point. The point where this line intersects the elliptic curve again is $P + Q$. If $P = Q$, we consider the line between $P$ and $Q$ to be the tangent at $P$ and proceed in the same way as above. If the line from $P$ to $Q$ does not intersect the curve anywhere on the finite plane, then we say it intersects at $O$. We denote this group by $E(K)$. The most popular choice of the field $K$ is the prime field $\mathbb{F}_p$. If $P(x_1, y_1)$ and $Q(x_2, y_2)$ are two points on the elliptic curve $y^2 = x^3 + ax + b$ over the field $\mathbb{F}_p$, then $Q(x_3, y_3) = P + Q$ and $2P = P + P$ are defined as: and $s = (3x_1^2 + a)/(2y_1) \bmod p$; if $P = Q$ (point doubling).
The group $E[m] = \{P \in \bar{E} \mid [m]P = O\}$, i.e. the group of points of order $m$ on $E(\mathbb{F}_p)$, is called the $m$-torsion subgroup of $E$.

Weil Pairing
Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with $q = p^n$, where $p$ is a prime number. Let $m$ be a fixed integer coprime to $p$ and $k$ be least positive integer The Weil pairing $e_m$ as defined above is well defined, i.e. it maps to an $m$-th root of unity and is independent of the choice of $D_P$ and $D_Q$ and of the functions $f_{m,P}$ and $f_{m,Q}$. This $e_m$ is non-degenerate and efficiently computable. We use Miller's algorithm [4,24] to compute the rational functions $f_{m,P}$ and $f_{m,Q}$ at the divisors $D_Q$ and $D_P$.

Tate Pairing
Let $E$ be an elliptic curve defined as for the Weil pairing. Let $m$ be a large prime such that $m \mid \#E(\mathbb{F}_q)$, where $\#E(\mathbb{F}_q)$ denotes the order of the group of rational points $E(\mathbb{F}_q)$. Let $k$ be the smallest positive integer satisfying $m \mid q^k - 1$. This $k$ is called the embedding degree with respect to $m$.
. Support of this $D$ should be disjoint from the support of the divisor of $f_{m,P}$. With these notations, the Tate pairing [5] is a bilinear map $\bar{e}$ : Tate pairing is also non-degenerate. It is well defined in the sense that the choice of $f_{m,P}$ and $D$ does not matter. It is notable that the evaluation of $f_{m,P}$ at the divisor $D$ can be computed by Miller's algorithm in polynomial time.

Supersingular Elliptic Curve
An elliptic curve $E$ defined over a field $\mathbb{F}_q$ with $q = p^n$, where $p$ is a prime, is supersingular if $p \mid t$.

Self Pairing
Practically, the self-pairing $e_s(P, P)$ can be designed by a Type 1 pairing, i.e., it can be constructed on supersingular elliptic curves. We construct the self-pairings on the following supersingular elliptic curves: where $n$ is odd, and $E_3 : y^2 = x^3 + b$ over the prime field $\mathbb{F}_p$, where $p \equiv 2 \bmod 3$.
Note that the computation of the general bilinear pairing on the curve $E_1$ has been discussed in [22], and on the curves $E_2$, $E_3$ in [18].
In this section, we compute the self-pairings on the above curves by using the method of [14]. We use his construction to define the self-pairing on the mentioned curves.
Theorem 1. [14] Let $E$ be a supersingular elliptic curve over the ground field $\mathbb{F}_q$ as above in $E_1$, $E_2$ and $E_3$. Let $m$ be a large prime dividing the order of the group $E(\mathbb{F}_q)$. Suppose the embedding degree with respect to $m$ is $k$. Let $\pi_q$ be the Frobenius endomorphism and let Then the self-pairing based on the Weil pairing is defined by $e_s(P, P) = e_m(P, \phi(P))^{2(q^{k/2} - 1)} = f_{m,P}(\phi(P))^{4(q^{k/2} - 1)}$.
Case I: We first consider the supersingular elliptic curve $E_1$. In this curve $q = 2^n$, where $n$ is odd. By using the result of [26], the rational function $f_{m,P}$ on $E_1$ can be written as $a(x) + b(x)y$, where $a(x)$ and $b(x)$ are rational functions over the finite field $\mathbb{F}_{2^n}$ in terms of $x$. For convenience, we use the notations $a$ and $b$ in place of $a(x_P + 1)$ and $b(x_P + 1)$. Thus we have $f_{m,P}(\phi^{-1}(P)) = a + b(y_P + x_P + t + 1) = (a + by_P + bx_P) + b(t + 1)$ and $f_{m,P}(\phi(P)) = a + b(y_P + x_P + t) = (a + by_P + bx_P) + bt$. Since $t^2 + t + 1 = 0$, equation (1) follows from Fermat's little theorem.
Case II: Now we consider our second curve $E_2$. In this curve $q = 3^n$, where $n$ is odd. Again by using [26], the rational function $f_{m,P}$ on the curve $E_2$ can be written as $a(x) + b(x)y$, where $a(x)$ and $b(x)$ are rational functions over $\mathbb{F}_{3^n}$ in terms of $x$. For convenience, we again use the notations $a$ and $b$ in place of $a(\alpha - x_P)$ and $b(\alpha - x_P)$. Then we have $f_{m,P}(\phi^{-1}(P)) = a + by_P\rho$ and $f_{m,P}(\phi(P)) = a - by_P\rho$.
Case III: Now we consider our final curve $E_3$. In this curve we have $q \equiv 2 \bmod 3$. By the same argument, the rational function $f_{m,P}$ on the curve $E_3$ can be written as $c(y) + d(y)x + e(y)x^2$, where $c(y)$, $d(y)$, and $e(y)$ are rational functions over $\mathbb{F}_q$ in terms of $y$. Since $\omega^3 = 1$ and $\omega^2 + \omega + 1 = 0$, we get
$$f_{m,P}(\phi(P)) = c(y_P) + d(y_P)x_P\omega + e(y_P)x_P^2\omega^2 = (c(y_P) - e(y_P)x_P^2) + (d(y_P)x_P - e(y_P)x_P^2)\omega$$
and
$$f_{m,P}(\phi^{-1}(P)) = c(y_P) + d(y_P)x_P\omega^2 + e(y_P)x_P^2\omega^4 = (c(y_P) - d(y_P)x_P) + (e(y_P)x_P^2 - d(y_P)x_P)\omega = (c(y_P) - e(y_P)x_P^2) - (d(y_P)x_P - e(y_P)x_P^2)(\omega + 1).$$
Therefore equation (1) follows from the fact that $\omega^2 + \omega + 1 = 0$ and Fermat's little theorem. So equation (1) holds in all cases, and this completes the proof of Theorem 1.
The general bilinear pairing (Tate pairing) on the curve $E_1$ was discussed by Soonhak Kwon. The final exponentiation of the proposed self-pairing on $E_1$ is equal to $4(2^m - 1)$, and that of the Tate pairing is $(2^m - 1)$. After computing $(2^m - 1)$, one cubing and one multiplication are required for the proposed self-pairing.
On the other hand, the computation of the rational function $f_{m,P}(\phi(P))$ in Kwon's method is very costly because of the many inversions and multiplications in the field. So the proposed self-pairing is faster than the self-pairing based on the Tate pairing of Kwon. The proposed self-pairings on $E_2$ and $E_3$ are faster than the self-pairings based on the reduced Tate pairing, since the final exponentiation of these self-pairings is simpler than that of the latter and the Miller loops are the same for both of them. However, the Miller loop length for the $\eta_T$ pairing on the curve $E_2$ is half of the length required for the reduced Tate pairing. So the self-pairing proposed in Theorem 1 on the curve $E_2$ will be slower than the self-pairing based on the $\eta_T$ pairing. We provide an improvement of the self-pairing on $E_2$, as compared to the self-pairing based on the $\eta_T$ pairing, by using Lemma 1 of [14] and the previous theorem.
Proposition 1. Let $m$ be a large prime satisfying $m \mid \#E_2(\mathbb{F}_q)$, where $q = 3^n$, and let $t$ be the trace of the Frobenius endomorphism. Suppose $k$ is the embedding degree with respect to $m$. Write $T = t - 1$. For $T^i = (t - 1)^i \equiv q^i \bmod m$, where $1 \le i \le k - 1$, we denote $T_i = T^i \bmod m$. Let $a_i$ be the least positive integer satisfying $T_i^{a_i} \equiv 1 \bmod m$. Because of this, there exists an integer $L_i$ such that , where $c = \sum_{j=0}^{a_i - 1} T_i^{a_i - 1 - j} q^j \equiv a_i q^{i(a_i - 1)} \bmod m$. [See the proof in [14]]
Using the notations as in Proposition 1, we define the improved self-pairing based on the $\eta_T$ pairing as $e_s(P, P)$ Proof of this result is immediate from Proposition 1 and Theorem 1. This self-pairing is non-degenerate.
Remark 1. For the curve $E_2(\mathbb{F}_{3^n})$, a collection of self-pairings is obtained by varying $i$, and the one with the shortest Miller loop is considered to be optimal. This optimal self-pairing should have the same Miller loop length as the $\eta_T$ pairing. Now the final exponentiation of the optimal self-pairing equals $4(3^{3n} - 1)$, and that of the $\eta_T$ pairing equals $(3^{3n} - 1)(3^n + 1)(3^n - 3^{(n+1)/2} + 1)$. So after computing the exponent $(3^{3n} - 1)$, cubing and one multiplication are required for the optimal self-pairing. This is faster than computing the exponent $(3^n + 1)(3^n - 3^{(n+1)/2} + 1)$ required for the $\eta_T$ pairing. Therefore the optimal self-pairing on the curve $E_2(\mathbb{F}_{3^n})$ will be more efficient than the self-pairing based on the $\eta_T$ pairing at any security level.
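A numerical check of the two Case III expressions, added here as an example (it is not from the paper): in $\mathbb{F}_p[\omega]/(\omega^2 + \omega + 1)$ with $p \equiv 2 \bmod 3$, raising $f_{m,P}(\phi(P))$ to the $p$-th power gives exactly the expression stated for $f_{m,P}(\phi^{-1}(P))$. The arguments c, d, e, x stand for arbitrary values of $c(y_P)$, $d(y_P)$, $e(y_P)$, $x_P$ in $\mathbb{F}_p$, and the primes used to run it are constructed small cases.

```python
# Elements A + B*w of F_p[w]/(w^2 + w + 1) are stored as pairs (A, B).
def mul(u, v, p):
    a, b = u
    c, d = v
    # (a + b w)(c + d w) = ac + (ad + bc) w + bd w^2, using w^2 = -w - 1
    return ((a * c - b * d) % p, (a * d + b * c - b * d) % p)

def power(u, n, p):
    # Square-and-multiply exponentiation in the quadratic extension.
    result = (1, 0)
    while n:
        if n & 1:
            result = mul(result, u, p)
        u = mul(u, u, p)
        n >>= 1
    return result

def f_phi(c, d, e, x, p):
    # f(phi(P)) = c + d x w + e x^2 w^2 = (c - e x^2) + (d x - e x^2) w
    return ((c - e * x * x) % p, (d * x - e * x * x) % p)

def f_phi_inv(c, d, e, x, p):
    # f(phi^-1(P)) = (c - e x^2) - (d x - e x^2)(w + 1), written as A' + B' w
    A, B = f_phi(c, d, e, x, p)
    return ((A - B) % p, (-B) % p)

def conjugates_agree(p):
    # Exhaustive check over all (c, d, e, x) in F_p^4; needs p = 2 mod 3,
    # so that w^p = w^2 and the p-power map swaps the two expressions.
    assert p % 3 == 2
    rng = range(p)
    return all(power(f_phi(c, d, e, x, p), p, p) == f_phi_inv(c, d, e, x, p)
               for c in rng for d in rng for e in rng for x in rng)
```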

Signature Scheme Based on Self-Pairing
In this section we present a digital signature scheme using the proposed self-pairing on supersingular elliptic curves. The author of [16] proposed a new signature scheme without random oracles from bilinear pairings. We use the new self-pairing in this scheme to improve its efficiency. The security of this scheme depends on a complexity assumption called the $(k + 1)$ square roots assumption [16]. We first recall the $(k + 1)$ square roots assumption and then present the construction of the scheme.

Construction of the Scheme
Let $e : G \times G \to G_T$ be a bilinear pairing where $|G| = |G_T| = q$ for some prime number $q$. We assume that the prime $q$ and message $m$ are such that $|q| \ge 160$ and $|m| = 160$. If the signature scheme is intended to be used directly for signing messages, then $|m| = 160$ is good enough, since given a suitable collision-resistant hash function, one can first hash the message to 160 bits and then sign the resulting value. Hence the message $m$ can be regarded as an element of $\mathbb{Z}_q$.
To give an exact security proof with a good bound for this signature scheme, we assume that $q \equiv 3 \bmod 4$ and that the message space is $\{1, 2, \ldots, (q - 1)/2\}$. For any message $m \in \{1, 2, \ldots, (q - 1)/2\}$, if $m$ is not a quadratic residue modulo $q$, then $q - m$ will be a quadratic residue modulo $q$. So the system parameters are $(G, G_T, q, e, g)$, where $g \in G$ is a random generator. We describe the signature scheme in the following steps:
Key Generation: We randomly select $x, y \in_R \mathbb{Z}_q^*$, and compute $u = g^x$, $v = g^y$. Then the public and secret keys are $(u, v)$ and $(x, y)$ respectively.
This verification is correct due to the following properties of the pairing: $= e_s(g, g)^{(x \pm my + r)} = e(uv^{\pm m} g^r, g)$.

Security of Scheme
The security of the above scheme is based on the $(k + 1)$-square roots problem in $(G, G_T)$.
The following theorem proves that the above scheme is existentially unforgeable in the strong sense under chosen message attacks, provided that the $(k + 1)$-square roots assumption holds in $(G, G_T)$.
Theorem 2. Suppose the $(k + 1, t', \varepsilon')$-square root assumption holds in $(G, G_T)$. Then the above signature scheme is $(t, q_S, \varepsilon)$-secure against existential forgery under an adaptive chosen message attack provided that Here $T$ is the maximum time for computing a square root in $\mathbb{Z}_q^*$ and an exponentiation in $G$. (For more details see [16].)

Efficiency of the Scheme
In this section we discuss the efficiency of the signature scheme based on the self-pairing. There exist some secure signature schemes without random oracles from bilinear pairings, namely the BB04 scheme [27], the BMS03 scheme [28] and the CL04 scheme [29], etc. Compared to the BMS03 and CL04 schemes, this scheme has advantages in all parameters, such as the public key and signature lengths and performance.
The new signature scheme requires one computation of a square root in $\mathbb{Z}_q^*$ and one exponentiation in $G$ to sign. For verification, it requires one self-pairing and one or two general pairings. Pairing computation is the most time-consuming operation in pairing-based cryptosystems. Although many papers discuss the complexity of pairings and how to speed up the pairing computation, it still remains time-consuming. In this scheme we can pre-compute the pairings $e(u, g) = a$, $e(v, g) = b$ and $e_s(g, g) = c$, and publish them as a part of the signer's public key. Then, for a message $m \in \mathbb{Z}_q^*$ and a signature $(\sigma, r)$, the verification can be done by checking whether $e_s(\sigma, \sigma) = a \cdot b^{\pm m} \cdot c^r$ holds. Verification now requires only one self-pairing and two exponentiations in $G_T$, and exponentiations in $G_T$ are significantly faster than pairing computations. A signature in this scheme consists of two elements $\sigma$ and $r$, where $\sigma$ is in $G$ and $r$ is in $\mathbb{Z}_q^*$. When using a supersingular elliptic curve over a finite field $\mathbb{F}_{p^n}$ with embedding degree $k = 6$ and the modified Weil pairing, the length of the signature is approximately $2\log_2 q$ bits. To be more precise, suppose $G$ is derived from the elliptic curve $E(\mathbb{F}_{3^{97}})$ defined by $y^2 = x^3 - x + 1$, which has 923-bit discrete-log security. Since on the above supersingular elliptic curve the $\eta_T$ pairing is faster than the modified Weil pairing, this improves the efficiency of the scheme. We used the self-pairing to describe the above scheme, and as we showed in Section 3, the self-pairing computation on the above-mentioned curve is faster than the general pairing computation. Therefore this scheme now becomes more efficient.
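The verification equation from the construction and the precomputed check $e_s(\sigma, \sigma) = a \cdot b^{\pm m} \cdot c^r$ described above, run end to end as an added example (not code from the paper or from [16]). It swaps the elliptic-curve pairing for a toy bilinear map in which each element of $G$ is stored as its exponent, which is insecure and only exercises the algebra. Assumptions: the constructed parameters 1019 and 2039, a signing step inferred from the verification equation because the page's own signing step is not shown, and the sign of $\pm m$ chosen so that $\pm m$ is a quadratic residue.

```python
import secrets

# Constructed toy parameters (NOT secure): Q is prime, Q % 4 == 3, P = 2Q + 1 is prime.
Q, P, H = 1019, 2039, 4          # H generates the order-Q subgroup G_T of Z_P^*

# Toy model: g^a in G is stored as the exponent a mod Q, so that
# e(g^a, g^b) = H^(a*b) is bilinear. A real pairing never exposes exponents.
def pair(a, b):
    return pow(H, a * b % Q, P)

def self_pair(a):                # e_s(P, P): both inputs are the same point
    return pair(a, a)

def is_qr(z):                    # Euler's criterion; 0 counts as a non-residue
    return pow(z % Q, (Q - 1) // 2, Q) == 1

def signed_msg(m):
    # Assumed rule for the "+/-": use m if it is a residue, otherwise q - m.
    return m if is_qr(m) else Q - m

def keygen():
    x, y = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    u, v = x, y                  # exponents of u = g^x and v = g^y
    # a = e(u, g), b = e(v, g), c = e_s(g, g), published with (u, v).
    return (x, y), (u, v), (pair(u, 1), pair(v, 1), self_pair(1))

def sign(sk, m):
    x, y = sk
    while True:                  # retry r until x +/- m*y + r is a nonzero square
        r = 1 + secrets.randbelow(Q - 1)
        z = (x + signed_msg(m) * y + r) % Q
        if is_qr(z):
            s = pow(z, (Q + 1) // 4, Q)   # square root, valid since Q % 4 == 3
            return s, r          # s is the exponent of sigma = g^s

def verify_direct(pk, m, sig):   # e_s(sigma, sigma) == e(u * v^(+/-m) * g^r, g)
    (u, v), (s, r) = pk, sig
    return self_pair(s) == pair((u + signed_msg(m) * v + r) % Q, 1)

def verify_precomputed(pre, m, sig):      # e_s(sigma, sigma) == a * b^(+/-m) * c^r
    (a, b, c), (s, r) = pre, sig
    return self_pair(s) == a * pow(b, signed_msg(m), P) * pow(c, r, P) % P
```

Messages are taken from $\{1, \ldots, (q - 1)/2\}$, here 1 to 509; the precomputed check replaces the general pairing with two exponentiations in $G_T$.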