IPASJ International Journal of Information Technology (IIJIT)

Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm

A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

Efficiency Comparison of Various Important

Established Digital Short Signature Schemes
Based on Bilinear Pairings
Subhas Chandra Sahana1 and Bubu Bhuyan2
1,2
Department of Information Technology
North Eastern Hill University, Shillong 793022, INDIA

ABSTARCT
Short signature is a variant of digital signature. Short digital signatures are needed in environments where a human is asked to
manually key in the signature. The short signature provides shorter signature length compare to the other simple digital
signature. Several short signature schemes using bilinear pairings have been proposed but they are different in terms of
involved operations cost. In this paper, we compare the efficiency of important established short signatures schemes based on
the involved operation cost and generated signature length. The security of all the short signature schemes is based on the
intractability of some Diffie-Hellman problem. We also implement all the undertaken short signature scheme and compare
the schemes according to their consumed running time.
Keywords: Digital Signature, Short signature, bilinear pairings, Diffie-Hellman Problem.

1. INTRODUCTION
Digital signatures are the most important primitive in cryptography, providing authenticity, integrity, and non-
repudiation of digital information in asymmetric key cryptography setting. Short digital signatures are useful in
resource constrained environments such as low-bandwidth communication environments as it reduces the number of
bits in generated signature. Experimental study [10] shows that communicating a single bit over a wireless channel
consumes more power than the execution a 32 bit instruction. So, communicational cost has the same role as
computational cost. Short signature can also provide a desired level of security with relatively shorter signature length.
Without pairing, the best known short signature was obtained by using Digital Signature Algorithm (DSA) over a finite
field The length of the signature is about about . When bilinear pairing has been used as tool, the length of
the signature is approximately where and is the largest prime divisor of the number of the
points in the elliptic curve. The table 1 shows the NIST's recommendation [11] of key size to be used for achieving
same security level of symmetric key cryptosystem. It is clear from the table that Elliptic Curve Cryptography (ECC)
has the shorter key size than the RSA with same level of security. Table 2 shows the comparison on the number of bits
present in the produced signature of different signature generation algorithms. From the table it is clear that to get a
security level of bits, the RSA, ECDSA, Schnoor and BLS signature scheme produces a signature of size
and respectively.
Table 1. Recommend key sizes NIST [11]

Symmetric key RSA and Diffie-Hellman Elliptic Curve Key

Size(bits) Key Sizes(bits) size(bits)

80 1024 160
112 2048 224
128 3072 256
192 7680 384

256 15360 512

In 2001, Boneh, Lynn and Shacham proposed the first short signature scheme [2] (called BLS scheme) from
bilinear pairings. Since then, there are various short signature schemes have been proposed and investigated
intensively using bilinear pairings. BLS is based on Weil pairing and uses a special hash function called Map-to-Point
hash function. The main improvement in short signature schemes is the use of general cryptographic hash function

Volume 5, Issue 9, September 2017 Page 7

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

instead of a special function called Map-to-Point hash operation [8-9] as there are cryptographic hash function is more
efficient than others Map-to-Point hash operation and there is no standard secure algorithm for this.
Another short Signature Scheme [3] (called ZSS scheme) was designed by Zhang, Safavi- Naini, and Susilo from
bilinear pairings. This scheme is better than BLS scheme in an aspect that as it does not require any special hash
function such as Map-to-Point hash function, which is still probabilistic and generally inefficient. The ZSS algorithm
can use any general cryptographic hash functions such as SHA-1 or SHA-2 and is computationally efficient as number
of pairing operation is less.
In a similar setting in the ZSS scheme, a new short signature is proposed by Sedat et al. [5]. This scheme is
based on Bilinear Inverse-Square Diffie-Hellman problem, a combination of Bilinear Inverse Diffie-Hellman Problem
(BIDHP) and Bilinear Square Diffie-Hellman Problem (BSDHP). The main advantage of this scheme is that it can use
any cryptographic hash function such as MD5, SHA-1.

Table 2. Signature size level at security level =128bits

Algorithm Signature size

RSA

ECDSA

Schnorr

BLS

The rest of this paper is organized as follows. In Sect. 2, we briefly discuss some preliminary behind the under taken
short signature schemes. In section 3, we review three important short signature schemes. In section 4, the efficiency
analysis has been done in terms of involved operation and consumed running time. Finally, in Sect. 5, we conclude our
work. An implementation result of the undertaken schemes has been provided in the appendix I.

2. PRELIMINARIES

Bilinear pairings
Given two cyclic groups and of prime order , a map satisfying the following properties is
called bilinear pairing:
Bilinearity: , for all and .
Non-degeneracy: There exists , such that .
Computability: There is an efficient algorithm to compute , for all .
The Weil pairing and Tate pairing are examples of cryptographic bilinear maps.

Bilinear Diffie-Hellman Problem (BDHP)

Let be a finite cyclic group of order with a generator , and let . The BDHP is to compute the value of
the bilinear pairing , whenever are given.
Decision Diffie-Hellman Problem (DDHP)
For . If is given to decide whether is computationally hard and is known as
Decisional Diffie-Hellman Problem.
Computational Diffie-Hellman Problem (CDHP)
For a, , given to compute is known as Computational Difffie-Hellman Problem which is hard
problem.
Gap Diffie-Hellman Groups (GDH) group
A group is called a Gap Diffie-Hellman (GDH) group if DDHP can be solved in polynomial time but no probabilistic
algorithm can solved in CDHP with non-negligible advantage within polynomial time in .

Volume 5, Issue 9, September 2017 Page 8

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

3. REVIEW OF THE SHORT SIGNATURE SCHEME

A Short Signature scheme consists of the following components.
Key Generation: For the security parameter k, PKG generates the systems public parameters and the master
key.
Signature: To produce a signature on a message m and secret key uses this algorithm with input .
Verification: This algorithm takes an input and verifies whether or not is a valid signature.
3.1 BLS short signature scheme [2]
Setup: Let be a bilinear pairing where is an additive cyclic group of prime order and is
multiplicative group of same order. Let be a generator of and is Map-to-point hash function.
Key Generation: A random value and computes
Signing: Given a secret key and a message , computes the signature, .
Verification: Using public key and a signature , verifies the signature by the following equation holds or
not .
3.2 ZSS signature scheme [3]
Setup: Let be a bilinear pairing where is an additive cyclic group of prime order and is
multiplicative group of same order.

Key Generation: Let be the generator of , and computes . Here is the secret key and
is the public key.

Signing: Given a secret key , a general cryptographic hash function and a message , computes the signature

Verification: Using public key and a signature , verifies the signature by the following equation holds
or not .
3.3 Sedat et al. short signature scheme [5]
Setup: Let be a bilinear pairing where is an additive cyclic group of prime order and is
multiplicative group of same order.

Key Generation: A random value is chosen and and is computed where are
public keys and is the secret key.
Signing: Given a secret key and a message , and is computed. Where is the
Signature.
Verification: Given the public keys and a message and a signature . The signature is verified if
holds.

4. EFFICIENCY
Efficiency comparison has been made based on involved operations and consumed running time. All the short
signature schemes are implemented on Linux systems with an Intel Core i3 CPU 2.13GHz and 6.00GB RAM using
Pairing-Based Cryptography (PBC) library [7] in C.
Table 3. Comparison of running time

User Key Signature

Scheme Sign (MS) Verify(MS)
(MS) Length
BLS [2] 3.237 2.592 4.680
ZSS [3] 2.617 2.420 13.902
Sedat et al. [5] 7.350 2.418 16.117

Volume 5, Issue 9, September 2017 Page 9

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

Figure 1. Comparison between BLS, ZSS and Sedat Scheme

All schemes are different in the process of user key generation, signature generation and the signature verification.
So, it is worth of giving the efficiency comparison of all the schemes in the phases of key generation, signature
generation and the signature verification. Table 3 depicts the consumed running time by the different algorithms and
the signature length of each of the signature schemes. It can be claimed that, the key generation of the ZSSs scheme
[3] is less computation cost than BLS scheme and Sedat et al. [5] scheme. In signing process, the scheme proposed by
Sedat et al [5]. is less computation cost than BLS scheme and ZSS scheme and in verification, the BLSs scheme is less
computation cost than ZSS scheme and the scheme proposed by Sedat et al [5]. The results in table 3 have been
presented in a bar chart shown in Figure 1. It is to be noted that we cannot rely on the running time as the system may
be sometime heavily loaded or lightly loaded. It is always better to compare the schemes according to their involved
operational cost within the scheme. Table 5 depicts the efficiency comparison in terms of involved operations in each of
the schemes with their symbolic meaning given in the Table 4. Moreover, the implementation results have been given
in appendix-I.
Table 4. Operation notation and description

Notation Description

Execution of a bilinear pairing operation

Execution of an inversion in

Execution of a hash function

Execution of an point addition in

Execution of a square operation in

Execution of a cube operation in

Execution of scalar multiplication in

Execution of a elliptic curve point addition

Execution of Map to point hash function

Table 5. Efficiency Comparison in terms of involved operation

Key-
Schemes Signing Verification
Generation

BLS [2]

ZSS [3]

Sedat et
al. [5]

Volume 5, Issue 9, September 2017 Page 10

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

5. CONCLUSION
All the signature schemes, undertaken in our work are all short signature scheme as the signature length of each
scheme is the size one element in the source group. All schemes except the BLS scheme do not require any special hash
function such as Map-to-Point hash function. We have observed all the short signature schemes are not equally efficient
in terms of involved operations within. Moreover, as pairing operation is more time consuming operation compare to
the other operations, so it is always an interest of research on how to reduce number of pairing operation. In this
regard, BLS signature scheme has more number of pairing operations than the other schemes but it also to be noted that
there have been less number other operations such as scalar multiplication, point addition, hash operation. As a result,
total time consumption in BLS signature is lesser than the other short signature schemes.

REFERENCES
[1] Fips 186. Elliptic Curve Digital Signature Algorithm, 1998.
[2] D.Boneh, B.Lynn and H.Shacham Short signatures from the weil pairing. In International Conference on the
Theory and Application of Cryptology and Information Security, 514532. Springer, (2001).
[3] F. Zhang, R. Safavi-Naini and W. Susilo, 2004, An efficient signature scheme from bilinear pairings and its
applications. PKC 2004, Singapore. LNCS, Springer-Verlag.
[4] Neetu Sharma and Birendra Kumar Sharma, New Short Signature Scheme with Weil Pairing, International
Journal of Computer Applications, vol. 94.10,pp. 25-28, 2014.
[5] S.Akleylek, B.B.Kirlar, O.Sever and Z.Yuce, Short signature scheme from bilinear pairings, Journal of
telecommunication and information technology, 2011.
[6] Boneh, Dan and M.Franklin, Identity-based encryption from the weil pairing, In Annual International Cryptology
Con-ference, 213229. Springer, 2001.
[7] Lynn, Ben. "The pairing-based cryptography (PBC) library." (2010).
[8] Boneh, D. and M. Franklin. 2001. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology -
CRYPTO01, LNCS 2139, edited by J. Kilian. Berlin: Springer-Verlag, pp. 213229.
[9] Koblitz, N. 1994. A Course in Number Theory and Cryptography. Springer-Verlag.
[10] Mihir Bellare and Gregory Neven, Multi-signatures in the plain public-key model and a general forking lemma,
in Proceedings of the 13th ACM conference on Computer and communications security, pp. 390 399. ACM, 2006
[11] Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid, Recommendation for key
management part 1: General (revision 3), NIST special publication, vol. 800, no. 57, pp. 1147, 2012

Appendix-I

EXPERIMENTAL RESULTS

4.1 BLS short signature scheme

System parameter =
[75519991119811847701182508625757193360376432431472683316903767135057395135373787818511090298000
28103617979291501731681403501614410294513231523524854052962,421668637956455131225063293774184543
259384082305424636353562283781562027363471113445059544484516572427432560669409781749204736506685
7788251124886045280707]

Private Key = 182875242088299739501280757491605368937947815933

Public key =
[42524995518418633287817031734352902673852880771585608239842326910313477447344775343077308224486
12916049097988925382824992174374639116105140085097394394906,220917023938802830217258176852536775
986887674740553427010288720342959155961654043687738993769515057334228928757471423885991678640296
8508700552288366064003]

Signature =
[86453814010785079290376636815645615883064541471882382759181574268456080402066108796671535844676
41586728601374919698620360171201422457556064149638882281297,321037088879597478080421542817351152
661246867542437128530240975398285142689715307214938370799721958520826774624421555646352307445037
8426979957814263792299]

Volume 5, Issue 9, September 2017 Page 11

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

=
[39702374877522299133184647061972954840938568671730408597287804588265888902475238737273584936305
43458852590269062415803855752612389176546063760246882520470,162995765366588926798484527839966607
199018000526973586160961963073711020796163939253192926408368308569059303369632911827914380391942
1530112017315403170581]

=
[39702374877522299133184647061972954840938568671730408597287804588265888902475238737273584936305
43458852590269062415803855752612389176546063760246882520470,162995765366588926798484527839966607
199018000526973586160961963073711020796163939253192926408368308569059303369632911827914380391942
1530112017315403170581]

Signature Verifies
4.2 ZSS short signature scheme
System parameter =
[57932393200320432371432622073389434619321373006500565121178401243612278258726487998500959544496
77406180127942632396592742182866557411743642698578687657049,494927429509847713621198666722722225
321272470933309613360890616084359543196826022775772395052118392850336762423690208747673194744614
612873592824839971228]

Private key = 637765792821017165484599671259332436985696999185

Public key =
[52506699147765950231785038520440787824660431812619521259084491447132716828634367149090246386686
74117904840799502742590671020513543729448673733567883667430,875105281079382751540000172728977752
510135031143498541062827412196912477909462712699613798269367077137156582386964902841698776665890
6269952215605229703672]

Signature =
[31745608540302871941000138796443430447187969655364195606219928526532988493033981951569646646432
10513872512292391156937058197947224533819464827421899204760,720431852908183245362283285681115461
290852569443935163709818528701414169087649427068582380745689176796110054483742614574988762747765
9145067708244740789901]

=
[18889206876980288897701326476084358290334400739008639445972570709334480932034302421752733786987
77470105228457246601601960776885520373202905604128763616906,533272675159434568935544558203668014
210873006753152966856188301477736197929348829481873836938890867307711297998260012587087030565167
211477296591838704349]

=
[18889206876980288897701326476084358290334400739008639445972570709334480932034302421752733786987
77470105228457246601601960776885520373202905604128763616906,533272675159434568935544558203668014
210873006753152966856188301477736197929348829481873836938890867307711297998260012587087030565167
211477296591838704349]

Signature is valid

4.3 Sedat short signature scheme

System parameter =
[52374381218091742318020809885058734804323612994866154907601748145368027763164280213646516549828
78150181596655968175116538545065420568208040441246428064184,731065656529132283692624768729522719

Volume 5, Issue 9, September 2017 Page 12

 IPASJ International Journal of Information Technology (IIJIT)
Web Site: http://www.ipasj.org/IIJIT/IIJIT.htm
A Publisher for Research Motivation ........ Email:editoriijit@ipasj.org
Volume 5, Issue 9, September 2017 ISSN 2321-5976

259970125767168057651976495956696047817576899755630186774159130223443634033455206420210815104016
2012459892449300865475]

Private key = 706897427965160684087625129021078306795870981386

Public key
=
[48594274943550476766508699229554988014753392264764364305750549492684706727755302938011314097449
70111800319862028249085633463535106887015629134348955124073,809823359883271246601789175227720405
049810892966216348799880661205505430783137072299036176082319887454040515066668890301244582279278
0562035086726573728533]

=
[84130082340482297356019875772681823016392698069816054452529719392299897297772563564377406653487
52665137037723771710288773226750850693180195472169297458679,302217906215813788572220830333232168
542535372598977216421320222258910726104751845089476661975749580965282220607489403834225278262671
6851513542625685857016]

Signature =
[85657856831803315703566280677017098430353727866238165997459012335909072955404171611796350226185
48883552658571238489691818919287640819244446814599574703530,692740937823508600205396185873238455
355556075298185454588860860235679149197508888924956994575127480792251242815586211130385804891764
2676920625950340100496]

=
[34436989791892658499237998669557052400642315429864584655863495416778769552350348694662665548661
05248410191609385607674660383479261760373619741057584336547,857340246975461533634664278183813649
841442149935942481772893505992125700331928246993709215562662499859776104760739404805953532343173
4902005093592969981903]

=
[34436989791892658499237998669557052400642315429864584655863495416778769552350348694662665548661
05248410191609385607674660383479261760373619741057584336547,
857340246975461533634664278183813649841442149935942481772893505992125700331928246993709215562662
4998597761047607394048059535323431734902005093592969981903]

Signature is valid

Volume 5, Issue 9, September 2017 Page 13