
Chapter 3

Technical Background
This chapter briefly discusses the fundamental primitives used in the thesis: Elliptic Curve Cryptography (ECC), Identity-based Cryptosystem (IBC), Bilinear Pairing, Computational Problem, One-way Hash Function (OWHF) and Zero-knowledge (ZK) protocol. ECC is a public key cryptosystem (PKC) that is presently used in several cryptographic schemes to provide the desired level of security and computational efficiency. IBC is also a PKC; it does not need public key certificates and can therefore be considered an alternative to any CA-PKC. Another important mathematical tool used in PKC is bilinear pairing; however, it is time consuming and difficult to implement. Every public key cryptographic scheme is designed on the basis of some computational problems that are assumed to be intractable for any polynomial-time bounded algorithm, and this is what provides the required security. The cryptographic OWHF is computationally efficient and is widely applied to map an input binary string of arbitrary length to a binary string of some fixed length, called the hash value; however, it is computationally infeasible to find the input binary string for a given hash value. A zero-knowledge protocol allows a user, called the prover, to demonstrate the truth of a secret to the verifier without revealing the secret. Each of the mathematical functions used in the present thesis is briefly described below.


3.1 Elliptic Curve Cryptography

Miller [83] and Koblitz [84] first proposed ECC, and it is believed that solving the ECC-based discrete logarithm problem (ECDLP) with a polynomial-time bounded algorithm is hard. In addition, a 160 bit ECC-based key offers the same level of security as a 1024 bit RSA-based key [12]. Further, the elementary operations such as elliptic curve scalar point multiplication (ECPM) and elliptic curve point addition (ECPA) in the elliptic curve group are much faster than the modular exponentiation executed in the multiplicative group. Thus, ECC-based protocols/schemes are efficient in terms of security, computation, storage space, communication bandwidth, etc. The elliptic curve and its group properties are briefly discussed now.
Let $E/F_q$ be the set of elliptic curve points over the prime field $F_q$, defined by the following non-singular elliptic curve equation:

$$y^2 \bmod q = (x^3 + ax + b) \bmod q \qquad (3.1)$$

where $x, y, a, b \in F_q$ and $\Delta = (4a^3 + 27b^2) \bmod q \neq 0$. The additive elliptic curve group is defined as $G_q = \{(x, y) : x, y \in F_q \text{ and } (x, y) \in E/F_q\} \cup \{O\}$, where the point $O$ is known as the point at infinity. A brief discussion of the elliptic curve group properties is given below:

• Point addition. Let $P$, $Q$ be two points on the curve (3.1); then $P + Q = R$, where the line joining $P$ and $Q$ intersects the curve (3.1) at $-R$, and the reflection of $-R$ with respect to the x-axis is the point $R$.

• Point subtraction. If $Q = -P$, then $P + Q = P - P = O$; the line joining $P$ and $-P$ intersects the curve (3.1) at $O$.

• Point doubling. Point doubling is the addition of a point $P$ on the curve (3.1) to itself to obtain another point $Q$ on (3.1). Let $2P = Q$; the tangent line at $P$ intersects the curve (3.1) at $-Q$, and the reflection of $-Q$ with respect to the x-axis is the point $Q$.

• Scalar point multiplication. The scalar point multiplication on the cyclic group $G_q$ is defined as $kP = P + P + \cdots + P$ ($k$ times), where $k \in_R \mathbb{Z}_q$ is a scalar.

• Order of a point. A point $P$ has order $n$ if $n$ is the smallest integer such that $nP = O$ and $n > 0$.

Detailed descriptions of the elliptic curve group and its properties can be found in [12].

3.2 Identity-based Cryptosystem

In 1984, Shamir [8] introduced a variant of the traditional CA-PKC/PKI, known as identity-based cryptography (IBC), that allows a user to use his identity, such as an email address, physical IP address, etc., rather than a random number as the public key. The user's private key, however, is generated by binding the identity of the user with the master secret key of a trusted authority, called the private key generator (PKG) or key generation center (KGC). The private key of the user is delivered through a secure channel and is known only to the user and the PKG, but its legitimacy can be verified publicly. This lets the PKG eliminate the operating cost of public key certificates. Generally, IBC has the following attractive characteristics:

• The use of identity-based public keys in IBC allows any user's public key to be generated and used on the fly without the need for a certificate directory look-up.

• IBC does not make use of public key certificates, since public keys can be computed from some public identifiers. It can therefore simplify the public key management system compared to CA-PKC.

• Most identity-based cryptographic schemes are based on ECC; they can have smaller key sizes than conventional public key cryptosystems such as RSA.


Hence, IBC offers more lightweight and flexible key usage and management approaches for real-life applications than CA-PKC does. The IBC approach provides implicit certification of a user's public key: only when a user obtains the correct private key corresponding to his public identity will he be able to perform correct cryptographic operations with it. Thus, IBC can be a good alternative to a CA-PKC cryptosystem in some situations, especially when efficient public key management and moderate security are required. Shamir, however, did not propose any encryption/decryption system based on IBC; Boneh and Franklin first demonstrated a practical identity-based encryption (IBE) scheme [34] using bilinear pairing [12] and a special function, called the map-to-point (MTP) hash function, over the elliptic curve group.

3.3 Bilinear Pairing

Let $G_q$ denote an additive group of prime order $q$ ($q \approx 2^k$, where $k$ is a security parameter) and $G_m$ a multiplicative group of the same order $q$. Also let $e : G_q \times G_q \to G_m$ be an admissible bilinear map that satisfies the following properties:

• Bilinearity: The map $e$ is bilinear if $e(aP, bQ) = e(P, Q)^{ab}$ holds for all $P, Q \in G_q$ and $a, b \in_R \mathbb{Z}_q$.

• Non-degeneracy: There exist $P, Q \in G_q$ such that $e(P, Q) \neq 1_m$, where $1_m$ is the identity element of the group $G_m$. In other words, the map $e$ does not send all pairs in $G_q \times G_q$ to the identity in $G_m$; in particular, if $P$ is a generator of the group $G_q$, then $e(P, P)$ is a generator of the group $G_m$.

• Computability: There is an efficient algorithm that computes $e(P, Q)$ for any $P, Q \in G_q$.

A bilinear map $e$ is called admissible if it satisfies the three properties above. In general, $G_q$ is a group of points on the elliptic curve (3.1) and $G_m$ is a multiplicative subgroup of a finite field $F_q$. The map $e$ is derived either from the modified Weil pairing or from the Tate pairing over the finite field $F_q$. A more comprehensive description of bilinear pairings, and of the selection of suitable parameters, elliptic curves and groups for efficiency and security, can be found in [34, 80, 183, 184].

Bilinear Diffie-Hellman Parameter Generator: A Bilinear Diffie-Hellman parameter generator (BDH-PG) $\mathcal{G}$ is a polynomial time-bounded algorithm that takes the security parameter $k \in \mathbb{Z}^+$ as input and outputs a uniformly random tuple $(q, e, G_q, G_m, P)$ of bilinear parameters.

3.4 Computational Problem

This section states some existing intractable computational problems over the elliptic curve group that are frequently used to design secure cryptographic schemes.

Elliptic Curve Discrete Logarithm Problem (ECDLP): Given two elements $P, Q \in G_q$, where $P$ is the group generator and $a \in_R \mathbb{Z}_q$, it is computationally impossible for a polynomial time-bounded algorithm to find the integer $a$ such that $Q = aP$.

Elliptic Curve Factorization Problem (ECFP): Given a random instance $(P, Q) \in G_q$, where $Q = aP + bP$ and $a, b \in_R \mathbb{Z}_q$, computing $aP$ and $bP$ is impossible for a polynomial time-bounded algorithm.

Computational Diffie-Hellman Problem (CDHP): Given a random instance $(P, aP, bP) \in G_q$ for any $a, b \in_R \mathbb{Z}_q$, computing $abP$ in the elliptic curve group $G_q$ is infeasible for a polynomial time-bounded algorithm.

Decisional Diffie-Hellman Problem (DDHP): Given $(P, aP, bP, cP) \in G_q$ for any $a, b, c \in_R \mathbb{Z}_q$, decide whether or not $cP = abP$, i.e., whether $c = ab \bmod q$.

Weak Diffie-Hellman Problem (WDHP): For $Q \in G_q$ and some $a \in_R \mathbb{Z}_q$, given the triplet $(P, Q, aP)$, computing $aQ$ is infeasible for a polynomial time-bounded algorithm.

Bilinear Diffie-Hellman Problem (BDHP): Given a tuple $(P, aP, bP, cP) \in G_q$ for any $a, b, c \in_R \mathbb{Z}_q$, it is impossible for a polynomial time-bounded algorithm to compute $e(P, P)^{abc}$.

Elliptic Curve Discrete Logarithm Assumption: The probability

$$\mathrm{Adv}^{ECDLP}_{\mathcal{A}, G_q}(k) = \Pr[\mathcal{A}(P, Q) = a : a \in_R \mathbb{Z}_q,\ Q = aP]$$

that a polynomial time-bounded algorithm $\mathcal{A}$ solves the ECDLP is negligible, i.e., $\mathrm{Adv}^{ECDLP}_{\mathcal{A}, G_q}(k)$ is negligible.

Computational Diffie-Hellman (CDH) Assumption: A probabilistic polynomial time-bounded algorithm $\mathcal{A}$ is said to break the CDH problem with negligible probability if, for a given random instance $(P, aP, bP) \in G_q$ of the CDH problem with $a, b \in_R \mathbb{Z}_q$ unknown to $\mathcal{A}$, the advantage

$$\mathrm{Adv}^{CDHP}_{\mathcal{A}, G_q}(k) = \Pr[\mathcal{A}(P, aP, bP) = abP : a, b \in_R \mathbb{Z}_q]$$

of $\mathcal{A}$ in solving the CDH problem is negligible.

Bilinear Diffie-Hellman (BDH) Assumption: If $\mathcal{G}$ is a BDH parameter generator, the polynomial time-bounded adversary $\mathcal{A}$ breaks the BDH problem with negligible probability if, for a given random instance $(G_q, G_m, e, P, aP, bP, cP)$, where the tuple $(G_q, G_m, e)$ is the output of $\mathcal{G}$ for a sufficiently large security parameter $k \in \mathbb{Z}^+$, $(P, aP, bP, cP) \in G_q$ and $a, b, c \in_R \mathbb{Z}_q$, the advantage

$$\mathrm{Adv}^{BDH}_{G_q, \mathcal{A}}(k) = \Pr[\mathcal{A}(P, aP, bP, cP) = e(P, P)^{abc} : a, b, c \in_R \mathbb{Z}_q]$$

of $\mathcal{A}$ in solving the BDH problem is negligible.

3.5 One-way Hash Function (OWHF)

Suppose $H(\cdot)$ is a one-way hash function that takes a variable-length input string $x$ and outputs a fixed-length string $y$, the hash value, such that any accidental or intentional change to the input data changes the output hash value. Secure cryptographic OWHFs such as MD4, MD5, SHA-1 [12], etc. are generally used, each of which has the following properties:

• It is relatively easy to compute the hash value $H(m)$ for any given message $m$.

• It is infeasible to modify a message $m$ without changing the hash value $H(m)$.

• It is infeasible to generate a message $m$ that has a given hash $H(m)$; this is known as preimage resistance.

• Given an input $m_1$, it should be difficult to find another input $m_2$ with $m_1 \neq m_2$ such that $H(m_1) = H(m_2)$. This property is referred to as weak collision resistance.

• It is infeasible to find any two different messages $m_1$ and $m_2$ such that $H(m_1) = H(m_2)$. Such a pair is called a cryptographic hash collision. This property is referred to as strong collision resistance.
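To make the listed properties concrete, the following is an added Python example (not code from the thesis) using SHA-256 from the standard library. It shows the fixed-length output, the avalanche effect (a one-bit change in the input flips roughly half of the digest bits), and a birthday search against a deliberately truncated digest, which illustrates that the cost of finding a collision grows as $2^{\text{bits}/2}$ and therefore why short outputs are unsafe. SHA-256 is used instead of the MD4/MD5/SHA-1 named above because practical collisions for those three have since been published. The function names, the constructed sample messages and the truncation lengths are assumptions of the example.

```python
import hashlib
import itertools


def sha256_hex(data: bytes) -> str:
    """H(m): a fixed-length (256-bit) digest of an arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def digest_hamming_distance(m1: bytes, m2: bytes) -> int:
    """Number of differing bits between H(m1) and H(m2) (avalanche check)."""
    d1 = int.from_bytes(hashlib.sha256(m1).digest(), "big")
    d2 = int.from_bytes(hashlib.sha256(m2).digest(), "big")
    return bin(d1 ^ d2).count("1")


def flip_one_bit(m: bytes) -> bytes:
    """Return m with the least significant bit of its first byte inverted."""
    return bytes([m[0] ^ 1]) + m[1:]


def truncated_digest(m: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of SHA-256, modelling a short hash output."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - bits)


def find_truncated_collision(bits: int):
    """Birthday search over constructed messages b"msg-<i>".

    Returns (m1, m2, tries) with m1 != m2 and equal truncated digests.
    Expected tries are about 2^(bits/2): trivial for 16..24 bits, hopeless
    for a full 256-bit digest, which is what strong collision resistance means.
    """
    seen = {}
    for i in itertools.count():
        m = b"msg-%d" % i
        t = truncated_digest(m, bits)
        if t in seen:
            return seen[t], m, i + 1
        seen[t] = m


if __name__ == "__main__":
    m = b"The quick brown fox"           # constructed sample message
    print("H(m) =", sha256_hex(m))
    print("digest bits changed by a 1-bit input change:",
          digest_hamming_distance(m, flip_one_bit(m)), "of 256")
    m1, m2, tries = find_truncated_collision(24)
    print("24-bit truncated collision after", tries, "tries:", m1, m2)
```

Running the script prints a Hamming distance near 128 for the one-bit input change and finds a 24-bit truncated collision in a few thousand tries, while the full 256-bit digest offers no such shortcut.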

3.6 Zero-knowledge Protocol based on ECDLP

This section describes the elliptic curve version of the zero-knowledge (ZK) protocol based on the ECDLP. It is used to prove to the verifier that the prover knows the secret $x$ such that $Q = xP$ without revealing $x$ to the verifier. To do so, the prover and verifier agree on an elliptic curve group $G_q$ over a field $F_q$ and a generator $P \in G_q$. Both know $Q \in G_q$, and the prover claims to know $x$. He then runs the following four steps; if the verifier's check in the fourth step succeeds, the prover has proved to the verifier that he knows the secret $x$.

1. The prover selects $r \in_R \mathbb{Z}_q$, computes $T = rP$ and sends it to the verifier.

2. The verifier chooses a random number $c \in \{0, 1\}^k$ and sends it to the prover.

3. The prover computes $s = r + cx \pmod q$ and sends it to the verifier.

4. The verifier checks whether $T = sP - cQ$ holds, i.e., $sP - cQ = (r + cx)P - cQ = rP + cxP - cxP = rP = T$.


3.7 Zero-knowledge Test of Elliptic Curve Discrete Logarithm Equality

The prover claims to know $x$ such that $Y_1 = xP$ and $Y_2 = xQ$, and wants to prove knowledge of this fact without revealing $x$. The prover and verifier first agree on an elliptic curve group $G_q$ over a field $F_q$ and then execute the following procedure:

1. The prover chooses $r \in_R \mathbb{Z}_q$, computes $T_1 = rP$ and $T_2 = rQ$, and sends $(T_1, T_2)$ to the verifier.

2. The verifier chooses a random number $c \in \{0, 1\}^k$ and sends $c$ to the prover.

3. The prover computes $s = r + cx \pmod q$ and sends $s$ to the verifier.

4. The verifier checks that both $sP - cY_1 = (r + cx)P - cxP = rP + cxP - cxP = rP = T_1$ and $sQ - cY_2 = (r + cx)Q - cxQ = rQ + cxQ - cxQ = rQ = T_2$ hold.
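As a worked example tying together the group operations of Section 3.1, the ECDLP of Section 3.4 and the two protocols of Sections 3.6 and 3.7, the Python below is added illustration code, not from the thesis. It implements chord-and-tangent point addition, doubling, scalar multiplication and point order on a constructed toy curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with generator $(5, 1)$ of order 19, shows that the ECDLP is solvable by exhaustive search only at this toy size, and then runs the ECDLP-based zero-knowledge proof and the discrete logarithm equality test over the same group, with both the prover's and the verifier's computations visible. The function names, the toy parameters and the 8-bit challenge length are assumptions of the example; responses are reduced modulo the point order $n$ rather than the field size $q$, which coincide only when the group order equals $q$ as the thesis's notation assumes.

```python
import secrets

# Constructed toy parameters (textbook-sized, NOT secure): the curve
# y^2 = x^3 + 2x + 2 over F_17 has 19 points, so G = (5, 1) generates a
# cyclic group of prime order n = 19. Scalars therefore live in Z_n.
q, a, b = 17, 2, 2
G = (5, 1)
O = None  # the point at infinity, the group identity

def is_on_curve(P):
    """True if P satisfies equation (3.1) (or P is O)."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % q == 0

def neg(P):
    """-P: reflection of P about the x-axis."""
    return O if P is O else (P[0], (-P[1]) % q)

def add(P, Q):
    """Point addition / doubling by the chord-and-tangent rule."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % q == 0:
        return O                       # P + (-P) = O  (point subtraction)
    if P == Q:                         # tangent slope (point doubling)
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:                              # chord slope (point addition)
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)   # reflect the third intersection

def mul(k, P):
    """Scalar point multiplication kP by double-and-add."""
    R, Q = O, P
    while k > 0:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

def order(P):
    """Order of a point: the smallest n > 0 with nP = O."""
    n, Q = 1, P
    while Q is not O:
        Q, n = add(Q, P), n + 1
    return n

n = order(G)        # 19 on the toy curve
K_BITS = 8          # challenge length k (toy value)

def ecdlp_bruteforce(P, Q):
    """Find a with Q = aP by exhaustive search; feasible only because n is tiny."""
    R = O
    for cand in range(n):
        if R == Q:
            return cand
        R = add(R, P)
    return None

# --- Section 3.6: ZK proof of knowledge of x such that Q = xP ---
def zk_commit(P):
    r = secrets.randbelow(n - 1) + 1
    return r, mul(r, P)                            # T = rP
def zk_challenge():
    return secrets.randbits(K_BITS)                # c in {0,1}^k
def zk_respond(r, x, c):
    return (r + c * x) % n                         # s = r + cx (mod n)
def zk_verify(P, Q, T, c, s):
    return add(mul(s, P), neg(mul(c, Q))) == T     # T == sP - cQ ?

def zk_run(P, Q, x):
    r, T = zk_commit(P)
    c = zk_challenge()
    return zk_verify(P, Q, T, c, zk_respond(r, x, c))

# --- Section 3.7: ZK test that Y1 = xP and Y2 = xQ share the same x ---
def dleq_commit(P, Q):
    r = secrets.randbelow(n - 1) + 1
    return r, mul(r, P), mul(r, Q)                 # (T1, T2) = (rP, rQ)

def dleq_verify(P, Q, Y1, Y2, T1, T2, c, s):
    return (add(mul(s, P), neg(mul(c, Y1))) == T1 and
            add(mul(s, Q), neg(mul(c, Y2))) == T2)

def dleq_run(P, Q, x):
    r, T1, T2 = dleq_commit(P, Q)
    c = zk_challenge()
    s = zk_respond(r, x, c)
    return dleq_verify(P, Q, mul(x, P), mul(x, Q), T1, T2, c, s)

if __name__ == "__main__":
    x, Q2 = 7, mul(11, G)
    print("n =", n, "| 2G =", mul(2, G), "| ECDLP(7G) =", ecdlp_bruteforce(G, mul(7, G)))
    print("honest ZK:", zk_run(G, mul(x, G), x), "| honest DLEQ:", dleq_run(G, Q2, x))
```

The verification step is the thesis's identity $sP - cQ = rP + cxP - cxP = T$ computed directly in the group; a prover who uses a wrong $x'$ makes $sP - cQ = T + c(x' - x)P$, which equals $T$ only when $c(x' - x) \equiv 0 \pmod n$, so the random challenge is what gives the verifier soundness.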

The next chapter, Chapter 4, begins the main contribution of the thesis, where we design an ECC-based two-party authenticated key agreement protocol without using bilinear pairing or the MTP hash function. It is suitable for efficient and secure peer-to-peer communication between low-power mobile devices.
