An Efficient Key Escrow-Free Identity-based Short Signature Scheme from Bilinear Pairings


International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 7, Issue 9, September 2017)


Subhas Chandra Sahana¹, Bubu Bhuyan²

¹,² Department of Information Technology, North Eastern Hill University, Shillong – 793022, India

Abstract: We propose an identity (ID)-based short signature scheme based on bilinear pairings. It is more efficient than other identity-based schemes because it not only solves the key escrow problem but also eliminates the need for a secure channel between the Private Key Generator (PKG) and the user. Moreover, the proposed ID-based signature scheme generates a short signature. The scheme is secure under the assumption that the Computational Diffie-Hellman Problem is intractable.

Keywords: Identity-based cryptosystem, Key escrow, Private Key Generator, Short Signature, Computational Diffie-Hellman Problem

I. INTRODUCTION

In 1984, Adi Shamir [1] proposed a way to overcome the problems seen in traditional PKI (Public Key Infrastructure) systems. Shamir came up with the concept of using a user's identity, e.g. name, email-id, IP address, etc., as the public key. This ID-based system eliminates the use of a Certification Authority (CA) and simplifies the public key management problems inherent in traditional PKI-based cryptosystems. After Shamir's pioneering concept of an ID-based cryptosystem, many ID-based signature schemes [2, 3, 10, 11] were proposed, but no practical ID-based encryption scheme had been implemented, and this remained an open challenge until 2001.

In 2001, Boneh and Franklin [6] proposed their identity-based encryption scheme and showed that an identity-based cryptosystem could be implemented practically.

TABLE I. NIST RECOMMENDED KEY SIZES

Afterwards, a large number of identity-based encryption and signature schemes [12] were proposed. Because bilinear pairings make a cryptographic scheme simple and efficient, many identity-based signature schemes [13] from pairings have been proposed.

Since in an ID-based cryptosystem the PKG issues the private key for the user, a problem arises: the PKG could be vulnerable and could forge a signature for a user to whom the private key is issued. This is known as the key escrow problem. Moreover, an identity-based signature scheme requires a secure channel when the PKG issues the private key to a user. To overcome these drawbacks, many cryptographic approaches [12, 14, 15, 16] have been applied and intensively investigated. In 2003, Al-Riyami and Paterson [14] came up with the concept of Certificate-less Public Key Cryptography (CL-PKC). This system solved the key escrow problem but still required a secure channel between the user and the PKG to transfer the partial private key.
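The key escrow problem described above, made concrete with the Cha-Cheon ID-based signature [2] over a toy pairing. This is an added example, not code from the paper; the parameters (Q = 1019, p = 2039, g = 4), the function names and the identity string are constructed for illustration, and the toy group offers no security.

```python
import hashlib
import secrets

# Toy pairing model (constructed, NOT secure): a G1 element is stored as its
# scalar multiple of the generator P modulo the prime Q, and
# e(aP, bP) = g^(ab) mod p, where g = 4 has order Q in Z_p^* (p = 2Q + 1).
Q, P_MOD, G_T, P = 1019, 2039, 4, 1

def pairing(a, b):
    return pow(G_T, (a * b) % Q, P_MOD)

def h_int(*parts: bytes) -> int:
    """Hash byte strings to a non-zero scalar / toy G1 element in [1, Q-1]."""
    digest = hashlib.sha256(b"|".join(parts)).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def setup():
    s = 1 + secrets.randbelow(Q - 1)          # PKG master key
    return s, (s * P) % Q                     # (s, P_pub = sP)

def extract(s, identity: bytes) -> int:
    """Key issuance by the PKG: d_ID = s * Q_ID, with Q_ID = H1(ID)."""
    return (s * h_int(b"H1", identity)) % Q

def sign(d_id, identity, msg):
    q_id = h_int(b"H1", identity)
    r = 1 + secrets.randbelow(Q - 1)
    U = (r * q_id) % Q
    h = h_int(b"H2", msg, str(U).encode())
    return U, ((r + h) * d_id) % Q            # (U, V = (r + h) d_ID)

def verify(p_pub, identity, msg, sig) -> bool:
    U, V = sig
    q_id = h_int(b"H1", identity)
    h = h_int(b"H2", msg, str(U).encode())
    return pairing(P, V) == pairing(p_pub, (U + h * q_id) % Q)

def escrow_demo():
    """The user's key is fully determined by (s, ID), so the PKG holds it too."""
    s, p_pub = setup()
    alice = b"alice@example.org"              # constructed identity
    user_key = extract(s, alice)              # issued to the user
    user_sig = sign(user_key, alice, b"message A")
    # The PKG re-derives the same key from its master key at any later time.
    pkg_key = extract(s, alice)
    pkg_sig = sign(pkg_key, alice, b"message B")
    return (verify(p_pub, alice, b"message A", user_sig),
            verify(p_pub, alice, b"message B", pkg_sig),
            user_key == pkg_key)
```

Both signatures verify under the same identity, so a verifier cannot tell which party produced them; an escrow-free scheme has to add a user-chosen secret to the private key that the PKG never learns.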

| Algorithm | Signature Size (bits) | Security Level ( ) bits |
|---|---|---|
| RSA | O( ) | 2048 |
| ECDSA | 4 | 512 |
| SCHNORR | 3 | 384 |


TABLE II. SIGNATURE SIZE AS SECURITY LEVEL Λ=128 BITS

Boneh and Franklin [12] proposed a technique to solve the key escrow problem. In that technique, a user's private key is computed by multiple trusted authorities in a threshold manner. As a result, it imposes a computational burden, as many verification processes are involved.

In 2010, Das et al. proposed a technique called the blinding-binding technique [17] to overcome the key escrow problem and to remove the need for a secure channel between the user and the PKG. M.L. Das proposed a key escrow-free identity-based multi signature scheme [9] using the blinding-binding technique. In our proposed scheme, the same technique is used to construct an efficient key escrow-free identity-based short signature scheme from bilinear pairings.

In recent years, much research has addressed the length of the signatures generated by different signature schemes. This article focuses on constructing a short signature scheme suited to an ID-based cryptosystem. Short signatures are more efficient because they are particularly used in communications with limited bandwidth, low storage, and low power consumption. It is a well-established result that communicating one bit in a wireless environment consumes more power than computing a 32-bit instruction. So how to obtain a signature scheme that is efficient in both computation and communication remains an active research area. After the pioneering work [6], many short signature schemes [4, 5, 7, 8] have been proposed and intensively investigated. The first short signature scheme, called the BLS signature [6], was proposed by Boneh, Lynn and Shacham in 2001. This scheme uses bilinear pairings over elliptic curves to achieve a shorter signature.

The BLS scheme requires only one exponentiation for key generation, one hash function evaluation and one exponentiation for signature generation, and the least computational effort for signature verification.

Table I compares the key sizes of RSA, Diffie-Hellman and elliptic curve groups needed to achieve the same security level as a symmetric key cryptosystem. According to the table, to obtain bit level of security, RSA and Diffie-Hellman require a key size of 1024 bits whereas Elliptic Curve Cryptography (ECC) requires a key size of 160 bits. Thus the table shows that ECC has a shorter key size than RSA for the same level of security.

Table II compares the signature lengths generated by different short signature schemes. It is clear that the RSA, ECDSA, SCHNORR and BLS signature generation algorithms produce a signature size of ( ), 4 3 2 respectively to achieve a security level of bits.

The paper is organized as follows. In Section II, the preliminaries behind our proposed scheme are discussed. Section III presents the new proposed identity-based short signature scheme. Section IV compares the efficiency of the proposed scheme with a similar existing ID-based short signature scheme. Section V concludes the paper.

II. PRELIMINARIES

Bilinear Pairing

Let and be two cyclic groups of order . Let P be

a generator of . A bilinear pairing or a bilinear map is an efficiently computable function

A bilinear group must also satisfy the following properties.

Bilinearity:

Non-degeneracy:

For there exists such that .

Computability:

there exists an algorithm for computing .

| Symmetric Key Size (Bits) | RSA and Diffie-Hellman Key Size (Bits) | Elliptic Curve Key Size (Bits) |
|---|---|---|
| 80 | 1024 | 160 |
| 112 | 2048 | 224 |
| 128 | 3072 | 256 |
| 192 | 7680 | 384 |


Computational Diffie-Hellman Problem (CDHP)

compute for given . The

CDHP is a hard problem.

Decision Diffie-Hellman Problem (DDHP)

determine for given

. If so is called a valid

Diffie-Hellman tuple.

Gap Diffie-Hellman (GDH) Group

A group G is called a Gap Diffie-Hellman (GDH) group if the Decision Diffie-Hellman Problem (DDHP) can be solved in polynomial time, whereas the CDHP is hard, i.e. there is no probabilistic algorithm that can solve the CDHP in polynomial time in G.
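How a pairing turns a group into a GDH group, and why BLS verification (introduced in Section I) is exactly a DDH check, as an added example that is not code from the paper. The toy pairing parameters (Q = 1019, p = 2039, g = 4) and all function names are constructed for illustration; in this toy group discrete logarithms are trivial, so it shows only the algebra and provides no security.

```python
import hashlib
import secrets

# Toy symmetric pairing (constructed, NOT secure): a G1 element aP is stored
# as the integer a mod Q, so point addition is addition mod Q and scalar
# multiplication is multiplication mod Q. G2 is the order-Q subgroup of
# Z_p^* generated by g = 4, with p = 2Q + 1, and e(aP, bP) = g^(ab) mod p.
Q = 1019        # prime group order
P_MOD = 2039    # prime modulus of the target group
G_T = 4         # generator of the target group, equal to e(P, P)
P = 1           # generator of G1 in this representation

def pairing(a: int, b: int) -> int:
    return pow(G_T, (a * b) % Q, P_MOD)

def hash_to_g1(msg: bytes) -> int:
    """Map-to-point stand-in: hash to a non-identity element of G1."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1)

def is_dh_tuple(gen: int, a_p: int, b_p: int, c_p: int) -> bool:
    """DDH is easy with a pairing: c = ab  iff  e(aP, bP) == e(P, cP)."""
    return pairing(a_p, b_p) == pairing(gen, c_p)

def bls_keygen():
    x = 1 + secrets.randbelow(Q - 1)      # secret key
    return x, (x * P) % Q                 # public key xP: one scalar mult.

def bls_sign(x: int, msg: bytes) -> int:
    # One hash and one scalar multiplication; the signature is ONE group
    # element, which is why the scheme is "short".
    return (x * hash_to_g1(msg)) % Q

def bls_verify(pk: int, msg: bytes, sig: int) -> bool:
    # Accept iff (P, xP, H(m), sig) is a valid Diffie-Hellman tuple.
    return is_dh_tuple(P, pk, hash_to_g1(msg), sig)
```

Producing `sig` from `pk` and `H(m)` without `x` is an instance of the CDHP, while checking it is the DDHP; that gap is what the security assumption relies on.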

III. PROPOSED IDENTITY BASED SHORT SIGNATURE SCHEME

In our proposed scheme, the blinding-binding technique is used to solve the key escrow problem seen in traditional ID-based systems; the same technique also removes the need for a secure channel between the PKG and the user.

A. Review of the blinding-binding technique

1. A user selects two blinding factors and using these two factors computes four binding parameters X, Y, Z, W where:

Here is the public key of the user and is computed as , where is the corresponding identity of the user.

2. The user then sends these binding parameters along with the user's ID to the PKG through an insecure channel.

3. The PKG then validates these parameters and, if validated successfully, calculates the corresponding partial private key i.e. and the user's public key status i.e. where:

and

4. The PKG then sends to the user over an insecure channel.

5. The user then validates and, if validated successfully, generates the private key as:

.

The proposed scheme consists of the following algorithms.

Setup. PKG chooses and as two groups of same prime order ( ) where, k is taken as the security parameter and a bilinear map .

Let , The PKG selects two hash functions and as → , and picks a random number s as its master key and computes the public key . Then the PKG releases as the system parameters but the PKG keeps secret.

User Key Generation. The blinding binding technique has been used to generate the private key of the user. The public key is generated using the Map-To-Point hash function, taken user unique identity then the PKG computes and as the private key.

Sign. We consider a random number x and is kept secret. Now to generate the signature for a distinct user with a unique identity ID on a distinct message , the signing algorithm works as follows:

• Sets hash of the message as

• Compute the signature , Then is the signature for distinct identity on a distinct message .

Verification: The signature on a message is accepted if and only if

Correctness:

IV. EFFICIENCY COMPARISON WITH SIMILAR EXISTING IDENTITY BASED SHORT SIGNATURE SCHEME


As a result, this topic has been a focal point of much ongoing research, which aims at generating a short signature that is both computationally and communicationally efficient as well as secure. This is important in today's world: schemes generating short signatures are efficient in comparison to other signature schemes because of the short signature size, and are thus greatly helpful in communication with limited bandwidth and prolong the battery life of devices, as they consume less power.

The efficiency of our proposed scheme has been compared with a recently established similar identity-based short signature scheme [4]. The ZSS scheme [7], a classical scheme, has been undertaken for our proposed scheme. Let the symbols and denote scalar multiplication, map to point hash function, inverse operation in , hash operation such as MD5 or SHA-1, modular multiplication in , Pairing and point addition in the source group operation respectively. The symbol | | denotes the size of an element of the source group .

TABLE III. EFFICIENCY COMPARISON IN TERMS OF INVOLVED OPERATIONS

| Scheme | ID-based Short Signature [4] | Proposed Scheme |
|---|---|---|
| Private Key Generation for the Signer | | |
| Sign | | |
| Verification | | |
| Signature size | \| \| | \| \| |

Table III depicts the efficiency comparison in terms of the operations involved in key generation, signing and verification. Table III also shows the size of the signature generated by each scheme.

V. CONCLUSION

An identity-based short signature scheme from bilinear pairings has been proposed. The signature generated by the proposed scheme is short because it consists of one element of the source group used in the bilinear pairing. The proposed scheme is efficient as it is key escrow-free and does not require a secure channel to transmit the private key to the user. The operations involved in signing and verification are more or less the same as in the scheme proposed by Hongzhen et al. It is to be noted that, unlike our scheme, the identity-based short signature scheme proposed by Hongzhen et al. is not key escrow-free and requires a secure channel for the transmission of the private key.

REFERENCES

[1] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proc. Crypto '84, Santa Barbara, CA, August 1984, pp. 47-53.

[2] Cha and Cheon, Identity-based signature from Gap Diffie-Hellman Group, in: Public Key Cryptography, Lecture Notes in Computer Science 2567, Springer, Berlin (2003) 18-30.

[3] Liqun Chen, An interpretation of identity-based cryptography, in: Foundation of Security Analysis and Design IV, pp. 183-208, Springer 2007.

[4] Hongzhen Du, Qiaoyan Wen, An efficient Identity-Based Short Signature Scheme from Bilinear Pairings, in: International Conference on Computational Intelligence and Security 2007.

[5] Dennis Hofheinz, Tibor Jager and Eike Kiltz, Short Signature from weaker assumptions, in: Advances in Cryptology ASIACRYPT 2011, pp. 647-666. Springer 2011.

[6] D. Boneh, B. Lynn and H. Shacham, Short signatures from the Weil pairing. In International Conference on the Theory and Application of Cryptology and Information Security, 514-532. Springer, (2001).

[7] F. Zhang, R. Safavi-Naini and W. Susilo, 2004, An efficient signature scheme from bilinear pairings and its applications. PKC 2004, Singapore. LNCS, Springer-Verlag.

[8] S. Akleylek, B.B. Kirlar, O. Sever and Z. Yuce, Short signature scheme from bilinear pairings, Journal of telecommunication and information technology, 2011.

[9] M.L. Das, A Key Escrow Free Identity Based Signature Scheme without using Secure Channel, in: Cryptologia 35 (2011), no. 1, pp. 58-72.

[10] Guillou, L. and J. J. Quisquater. 1998. A Paradoxical Identity-Based Signature Scheme Resulting from Zero-Knowledge. In Advances in Cryptology - CRYPTO'88, LNCS 403, edited by S. Goldwasser. Berlin: Springer-Verlag, pp. 216–231.

[11] Fiat, A. and A. Shamir. 1986. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Advances in Cryptology - CRYPTO'86, LNCS 263, edited by A. M. Odlyzko. Berlin: Springer-Verlag, pp. 186–194.

[13] Boneh, D. and M. Franklin. 2001. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology - CRYPTO'01, LNCS 2139, edited by J. Kilian. Berlin: Springer-Verlag, pp. 213–229.

[14] Al-Riyami, S. and K. Paterson. 2003. Certificateless Public Key Cryptography. In Advances in Cryptology - ASIACRYPT'03, LNCS 2894, edited by C. S. Laih. Berlin: Springer-Verlag, pp. 452–473.

[15] Gentry, C. 2003. Certificate-Based Encryption and the Certificate Revocation Problem. In Advances in Cryptology - EUROCRYPT'03, LNCS 2656, edited by E. Biham. Berlin: Springer-Verlag, pp. 272–293.

[16] Lee, B., C. Boyd, E. Dawson, K. Kim, J. Yang, and S. Yoo. 2004. Secure Key Issuing in ID-based Cryptography. In Proceedings of Australian Information Security Workshop - AISW'04, pp. 69–74.

[17] Das, M. L., A. Saxena, and D. B. Phatak. 2007. Proxy Signature
