Java Implementation for Pairing-Based Cryptosystems

Java Implementation for Pairing-Based Cryptosystems

Syh-Yuan Tan1, Swee-Huay Heng1, and Bok-Min Goi2

1 Faculty of Information Science and Technology, Multimedia UniversityMelaka, Malaysia

{sytan,shheng}@mmu.edu.my2 Faculty of Engineering and Science, Tunku Abdul Rahman University

Kuala Lumpur, [email protected]

Abstract. We present a Java implementation for Tate pairing over the supersin-gular curve y2 = x3 + x in Fp. We show some available optimisations for groupoperations by manipulating the mathematical equations. Besides, we also showthat it is easy to hash a string into a point for our chosen parameters. A variant ofJava’s BigInteger data type, namely CpxBigInteger is created to serve equationwith complex number and the Java data types are constructed: Curve, Point andLine based on CpxBigInteger. Using these data types and J2SE JDK 1.6.0 02,we implement BLS identity-based identification (IBI) scheme, which is the firstrigorously defined pairing-based IBI scheme. The timings show that the Tatepairing took only 133.12 milliseconds.

Keywords: Java, pairing-based cryptosystem, elliptic curve cryptosystem.

1 Introduction

A pairing or a bilinear map is a function:

e : G1 ×G2 → G3

where G1, G2, G3 are groups of same prime order. The function maps a pair of points,P, Q of elliptic curve, E to an element of the multiplicative group of a finite field [3].Pairings were initially introduced to break elliptic curve cryptosystems (ECC) due to itsuseful properties:

1. Bilinearlity. e(aP, bQ) = e(P, Q)ab for all a, b ∈ Zp.2. Non-degeneracy. e(P, P ) �= 1.3. Efficiently computable.

But it was later discovered in the work of Sakai-Ohgishi-Kasahara [25] and Boneh-Franklin [7] that pairings can be used in building cryptosystems too. This leads theresearchers to a new area of cryptography, namely pairing-based cryptography (PBC).PBC gave birth to some novel cryptographic applications particularly in identity-basedcryptography, such as identity-based encryption [25,7,4,5,34], hierarchical identity-based encryption [6], identity-based signature [8,11,24], identity-based identification[15,16,17], identity-based authenticated key agreement [30], etc.

D. Taniar et al. (Eds.): ICCSA 2010, Part IV, LNCS 6019, pp. 188–198, 2010.c© Springer-Verlag Berlin Heidelberg 2010

Java Implementation for Pairing-Based Cryptosystems 189

However, not much work have been reported on the implementation as pairing basedcryptosystems are more complicated compared to other well-studied cryptosystems likeRSA and DSA. There are a variety of elliptic curves (supersingular, non-supersingular,hyperelliptic, etc.) and pairings (Weil, Tate, Eta, Ate, etc.) which include quite anamount of parameters. Among the curves, supersingular curves are always used becauseof its low extension degree and simple construction. Among the pairings, Tate pairingis favored for its better performance generally. To the best of our knowledge, there areonly two publicly available pairing libraries [27,19] which are in C/C++. Though somework [32,14] had implemented pairings in Java, the source code is not available.

In this paper, we present the ways of implementing Tate pairing using the Sun JavaJ2SE JDK 1.6.0 02, which has not yet provided pairing based cryptographic toolsin their Java Cryptography Architecture (JCA) [12]. Other service providers offeredelliptic curve cryptographic library but pairing functions are not included [22].

We organise the rest of the paper as follows. We describe the parameters and algo-rithms to be used in Section 2. Next, we show the Java implementation and its perfor-mance in Section 3. Finally, we conclude in Section 4.

2 Parameters and Algorithms

2.1 Chosen Curve

The supersingular elliptic curve used in this paper is having the form:

E : y2 = x3 + ax + b

with y, x ∈ Fp and a, b ∈ {0, 1}. Other related terms are as follows:

– Fp - finite field of prime characteristic p– E(Fp) - the elliptic curve over Fp

– #E(Fp) - total points on E(Fp)– r - the subgroup order of E(Fp)– k - the extension degree in order to have E(Fpk)– φ - the distortion map of mapping point in E(Fp) to E(Fpk)

The prime number p ≡3 mod 4 needs to fulfill the requirement of r|p + 1. In order toobtain such p, we choose the prime subgroup order r, a random value l and calculatep = (rl) − 1. If the resulted p does not meet the requirement mentioned, it is recalcu-lated with another random l. Throughout this paper, we use 512 bits p and 160 bits r.Therefore l will be having bit length of approximately 352 bits. r is a Solinas prime inthe form of 2159 + 2α + 1 where 1 ≤ α ≤ 158 for better performance particularly inthe Miller algorithm while l is in the form of 2352 + 2α + 2β where 1 ≤ α, β ≤ 351.The resulted prime p is then having a low Hamming weight and subsequently speeds upthe modular operation.

For our chosen supersingular curve, we set a = 1 and b = 0 so that E : y2 = x3 + xand #E(Fp) = p + 1. The distortion map φ is defined as φ(x, y) = (−x, yi) wherethe non quadratic residue value i is fixed such that i =

√−1. The extension degree (orknown as embedding degree) k is set such that k = 2 in E(Fpk). If r is not coprime to#E(Fp) (or r � p + 1), it is open to anomalous attack [3].

190 S.-Y. Tan, S.-H. Heng, and B.-M. Goi

2.2 Point Addition in E(Fp)

For simplicity, we define a point P ∈ E(Fp) using affine coordinates (x, y) instead ofprojective coordinates (x, y, z). There is always an infinity point O ∈ E(Fp) whichacts as an identity point.

Fig. 1. P + Q = R Fig. 2. 2P = R

Consider two random points P and Q, where P, Q �= O and P �= ±Q on our chosenelliptic curve as shown in Fig. 1. If a line L(·) cuts through P and Q, L(·) will interceptthe curve on a point R′. Then if we draw V (·), a vertical line on R′, we will get anotherpoint interception on the curve, which is −R′ = R. This process is defined as pointaddition on elliptic curve in Fp and having the mathematical form: P + Q = R. Thereare three special cases in point addition:

1. Q = P . LP,Q(R) is a tangent line as depicted in Fig. 2.2. Q = −P . LP,Q(R) is a vertical line which intercepts at O since P + (−P ) = O.3. Q = O. Any point added with identity pointO will get back to itself, P +O = P .

Let P = (x1, y1), Q = (x2, y2), R = (x3, y3) and P + Q = R, the formula of pointaddition is as follows:

x3 = λ− x1 − x2

y3 = λ(x1 − x3)− y1

where

λ =

{y2−y1x2−x1

if P �= Q3x2

1+a2y1

if P = Q

Note that the group operation in elliptic curve is written as addition instead of multipli-cation and the exponentiation can be rewritten as scalar multiplication in elliptic curve.So let t ≤ r and P ∈ E(Fp):

– tP = P + P + · · ·+ P for t times– 0 · P = rP = O

We use Double and Add algorithm as depicted in Algorithm 1 for the point scalarmultiplication.

Java Implementation for Pairing-Based Cryptosystems 191

Algorithm 1. Double and AddRequire: m, PEnsure: Z = mP1: Z ← P2: for all i← (lg(m))− 2 to 0 do3: Z ← 2Z4: if i is 1 then5: Z ← Z + P6: end if7: end for8: return Z

2.3 Point Addition in E(Fp2)

For points lie in the extension field E(Fp2), their coordinates are in the form of (−x, yi)where i =

√−1. For J2SE6 has no predefined function for complex number in BigInte-ger, we create a new class for the complex number, namely CpxBigInteger. The additionand multiplication algorithms in E(Fp) can be applied here but with a little more workon i:

– Multiplication. (a + bi)(c + di) = ac− bd + (bc + ad)i– Squaring. (a + bi)2 = a2 − b2 + (2ab)i– Inversion. (a + bi)−1 = (a− bi)(a2 + b2)−1

– Exponentiation. Using Algorithm 1.

2.4 Torsion Point

Suppose P ∈ E(Fp) and rP = O, P is called a r-torsion point. The set of r-torsionpoints in E(Fp) is denoted by E(Fp)[r].

In order to obtain a random point, we first select a random x and then solve theselected curve for y. For the chosen curve, a square root exists for half of the valuesx ∈ Fp [20]. If the Jacobian symbol does not return 1 for y, this means the resulted y isa non quadratic residue and a new x is selected to repeat the same process. Since p ≡3mod 4, the square root of y can be easily calculated by having the exponent (p + 1)/4[1]. Let n = #E(Fp), the full algorithm of finding a random r-torsion point is asdepicted in Algorithm 2.

2.5 Extract Torsion Point

Some schemes require extraction of a point from a given string and in fact the algorithmis not hard to be implemented. The extraction algorithm is similar to Algorithm 2. Theextraction algorithm replaces the random value x with the hash value from an inputstring (since x-coordinate lies in Fp, SHA-512 is chosen as the hash function) and thensolve the curve for y. Thus, the amendment on Algorithm 2 is to insert:

x← Hash(string)y = x3 + ax + b

192 S.-Y. Tan, S.-H. Heng, and B.-M. Goi

Algorithm 2. Generate Torsion PointRequire: E(Fp), r, p, nEnsure: P = (x, y)1: repeat2: repeat

3: xR←− F

∗p

4: y = x3 + ax + b5: until y(p−1)/2 equal 16: y ← y(p+1)/4

7: cR←− 0 or 1

8: if c equals 0 then9: P ← (x, y)

10: else11: P ← (x,−y)12: end if13: P ← (n/r)P14: until P not equal O15: return P

before line 1 and change the repeat-until loop to:

while y(p−1)/2 not equal 1 dox← x + 1y = x3 + ax + b

end while

2.6 Lines

Referring to the special cases in point addition, three types of lines are involved in Tatepairing, namely linear line, tangent line and vertical line. Recall that λ = y2−y1

x2−x1for

linear line and λ = 3x21+a

2y1for tangent line, we have three equations for the values of

lines:

– Linear Line, LP,Q(R) = Y − λX − c– Tangent Line, TP (R) = Y − λX − c– Vertical Line, VP (O) = X − x1

where c = y1 − λx1 and the points P + Q = R lie on the elliptic curve y2 = x3 + x.Since the equations LP,Q(·), TP (·) and VP (·) each takes as input a point that does notlie on their respective line, the resulted value will always be a non-zero value. Notethat if a line’s input point is in the form of (−x, yi), all operations are done usingCpxBigInteger.

2.7 Tate Pairing

The Tate pairing e(P, Q) requires P ∈ E(Fp) while Q ∈ E(Fpk) for k > 1. Forour parameters y2 = x3 + x, p ≡3 mod 4 and k = 2, the available distortion

Java Implementation for Pairing-Based Cryptosystems 193

map φ is: φ(Q(x, y)) = (−x, yi) [1]. Technically, Tate pairing should be viewedas e(P, φ(Q)). For details of theory and variations of Tate pairing, kindly refer to[25,1,32,27,19,28,20].

The core algorithm of Tate pairing is Miller algorithm [21] which was initiallydesigned for Weil pairing. With the parameters chosen, we use the modified Milleralgorithm for Tate pairing from [1]:

Algorithm 3. Tate PairingRequire: P ∈ E(Fp), Q ∈ E(Fp2), r, pEnsure: e(P, Q)1: f ← 12: Z ← P3: for all i from (lg r)− 2 to 0 do4: f ← f2 · TZ(Q)5: Z ← 2Z6: if i is 1 then7: f ← f · LZ,P (Q)8: Z ← Z + P9: end if

10: end for11: return f (p2−1)/r

Notice that in line 7 and line 8, the same points Z and P are used. So we can reusethe calculated λ of line 7 in line 8 and save one calculation of λ.

The final exponent (p2 − 1)/r is used to standardise the coset representativef ∈ F

∗p2 , which represents the coset fF

∗rp2 . To simplify the calculation f (p2−1)/r =

f (p+1)/r·(p−1), we first compute f ′ = f (p+1)/r = a + bi. Since f = f ′p−1 =(a + bi)p−1 = (ap + (bi)p)/(a + bi) and p ≡3 mod 4, this implies ip = −i andwe can rewrite f as:

f =a2 − b2

a2 + b2− 2abi

a2 + b2

3 Java Implementation

Based on the parameters and algorithms, four new Java data types were constructed.As depicted in Table 1, CpxBigInteger’s constructor takes a BigInteger array and aBigInteger value p as input. The array represents the value of a and b in a + bi and thepresence of imaginary number i is managed using boolean data type. While the value pis the prime value p where the finite field F lies on.

Table 2 shows that the class Curve provides two constructors. The first generatesa random supersingular curve following the way shown in Section 2.1 while the sec-ond customises the curve. Customizable constructor is always needed particularly inexpanding an existing system.

The classes from Table 1 to 3 implement java.io.Serializable but not the class Linewhich is used during internal calculation of Tate pairing only. Serializable enables

194 S.-Y. Tan, S.-H. Heng, and B.-M. Goi

Table 1. Class Structure: CpxBigInteger

Return FunctionCpxBigInteger CpxBigInteger(BigInteger[] value, BigInteger p)CpxBigInteger multiply(CpxBigInteger cpx)CpxBigInteger pow(BigInteger i)CpxBigInteger square()CpxBigInteger Inverse()

boolean equals()

Table 2. Class Structure: Curve

Return FunctionCurve Curve()Curve Curve(BigInteger a, BigInteger b, BigInteger p,

BigInteger n, BigInteger order)Point Point(BigInteger x, BigInteger y)Point Point(BigInteger x, boolean xi, BigInteger y,

boolean yi)Point getTorsionPoint()Point ExtractTorsionPoint(String ID)Line NLineInit(Point P, Point Q)Line TLineInit(Point P)Line VLineInit(Point P)

CpxBigInteger TatePairing(Point P, Point Q)

Table 3. Class Structure: Point

Return FunctionPoint Point(Curve curve, BigInteger x,

boolean xi, BigInteger y,boolean yi)

Point Add(Point Q)Point Multiply(BigInteger m)Point negate()Point DistortionMap()Point clone()

boolean isInfinity()

Table 4. Class Structure: Line

Return FunctionLine Line(BigInteger a, BigInteger b,

BigInteger lamda, BigInteger v,BigInteger p, int type)

CpxBigInteger ValueOn(Point R)

the class which implements it to support socket programming. This indicates thatthe classes CpxBigInteger, Curve and Point are ready to be used in the client-serverenvironment.

3.1 Case Study: BLS Identity-Based Identification (BLS-IBI) Scheme

An identification scheme assures one party (through acquision of corroborative evi-dence) of both the identity of a second party involved, and that the second party wasactive at the time the evidence was created. Common applications of identification are

Java Implementation for Pairing-Based Cryptosystems 195

ATM Card, Credit Card, Identity Card, E-voting, etc. Meanwhile, identity-based cryp-tography is a concept formalied by Shamir in 1984 [29] where the public key is replacedby the user’s public identity, which normally considered as a string (email address,name, phone numbers, etc.). The interesting part of identity-based cryptography is itneeds no keys or certificates storage. This greatly reduces the complexity of public keycryptography for no data managing and searching is needed.

Combination of these two ideas gives us the identity-based identification scheme butthere was no rigorous proof until the independent works of Kurosawa and Heng [15]and Bellare et al. [2]. As the first formally defined IBI (also the first formally definedpairing-based IBI) in [15], BLS-IBI is chosen for our case study and it is defined asfollows:

Setup. On input 1k, generate an additive group G with prime order q. Choose PR←− G

and sR←− Zq . Let the master public key, mpk = (P, Ppub, H) and master secret key,

msk = s where Ppub = sP and H : {0, 1}∗ → G.

Extract. Given a public identity ID, compute user private key, d = sQ whereQ = H(ID).

Identification Protocol. Prover (P) interacts with verifier (V) as follows:

1. P chooses rR←− Zq , computes U = rQ and sends U to V .

2. V chooses cR←− Zq and sends c to P .

3. P computes V = (r + c)d and sends V to V .4. V verifies whether e(P, V ) = e(Ppub, U + cQ).

Using the parameters mentioned in Section 2.1 and set ID as “[email protected]”, thegroup operations and BLS-IBI scheme are executed for 1000 times on Intel PentiumM 1.6 Ghz with 512MB RAM in Windows XP Professional Edition and Knoppix Live5.11. The performance is measured in nanosecond as depicted in Table 5 and Table 6(Cpx stands for CpxBigInteger).

3.2 Performance

Compare to 1024 bits BigInteger operations (security of 1024 bits on Fp in RSA/DSAis comparable to 512 bits on E(Fp2) in ECC) in Table 2 of [33], multiplication inCpxBigInteger is 17,218ns faster and inverse in CpxBigInteger is 1,157,805ns faster.The significant difference in the performance is the exponentiation operation becausethe exponent of pairing is only 160 bits in length.

Next, [14] showed that their scalar multiplication in E(F2163 ) took 116.83ms whiletheir Eta pairing in F397 took only 10.15ms using J2SE (should be JDK 1.5 by then)on Pentium M 1.73 Ghz, which is faster for almost [(439/391)− 1] × 100% ≈ 12%[23]. However, their modular exponentiation of 1024-bit RSA took 75.07ms while ittook only 44.00ms for ours, where it is faster for approximately 41%. This is probablycaused by the optimisations and updates performed by Sun Java on their BigInteger’smodular exponentiation function. So, for standardisation purpose, we scale their timings

196 S.-Y. Tan, S.-H. Heng, and B.-M. Goi

Table 5. Timing (ns) of Group Operation for Pairing Library

Operation SyntaxWindows XP Knoppix

Time in Time in Time in Time inE(Fp) E(F2

p) E(Fp) E(F2p)

Curve Generation Curve() 1,057,162,660 - 1,163,064,634 -Torsion Point Generation getTorsionPoint() 135,860,919 - 142,909,986 -

Extract Torsion Point ExtractTorsionPoint(String ID) 135,891,104 - 142,750,164 -P = mP Multiply(BigInteger m) 77,814,018 77,899,109 81,549,776 81,755,921

R = P + Q P.Add(Point Q) 322,836 323,276 337,839 338,839e(P, Q) TatePairing(Point P, Point Q) - 133,119,594 - 141,406,363

Cpx Exponentiation pow(BigInteger i) - 8,663,367 - 9,734,870Cpx Multiplication multiply(CpxBigInteger cpx) - 45,176 - 51,351

Cpx Inverse Inverse() - 36,572 - 36,851RSA modular modPow(BigInteger pow,

44,004,150-

46,239,373-

exponentiation BigInteger mod)

Table 6. Timing (ns) of BLS-IBI

FunctionWindows XP Knoppix

Time TimeSetup 1,330,370,941 1,633,588,064

Extract 229,168,024 246,206,534IP 679,803,438 682,738,398

Total 2,239,342,403 2,562,532,996

to 68.93ms for scalar multiplication (and 5.99ms for Eta pairing) and it is about 8.88msfaster than ours.

Referring to Table 3 in Section IV-G of the work by [22], our timing of point scalarmultiplication (in 512 bits) is about the same with that of curve P-384 and approxi-mately half of curve P-521. According to [23], the processor (Pentium 4 2.4 Ghz) usedby the author is having performance of (325/391)× 100% ≈ 83% of ours. We scalethe timings by [(0.83× 0.41)/1.12]× 100%≈ 30% and we get 113.56ms for the curveP-521, which is slower around 35.75ms than ours. We omit the comparison in Linuxbecause the timing is slower than Windows in the author’s work and also ours. Thus weassume our point operations are at least as fast as those libraries mentioned [18,9,10,13]by the author.

The specification used in [32] was JDK 1.4.1 and FlexiProvider on Windows XP witha [1− (315/391)]× 100% ≈ 19% slower Pentium M 1400 Mhz processor. We made ascale of [(0.81× 0.41)/1.12]× 100% ≈ 30% on its best timing for Tate pairings and itturns out to be 436.80ms which is roughly 323.68ms slower than ours. This is becausethe author was not using Solinas prime and thus their pairing requires a lot more pointadditions in Miller algorithm as compared to ours.

4 Conclusion

We presented the procedure of computing Tate Pairing using the supersingular curvey2 = x3 + x on Fp with extension degree k = 2, 160 bits prime order r and 512 bits

Java Implementation for Pairing-Based Cryptosystems 197

prime characteristic p. We implemented BLS-IBI scheme using our pairing library inJ2SE JDK 1.6.0 02 and the results showed that the identification protocol can be com-pleted within 0.7 second. This is acceptable for desktop applications but improvement isstill a need for mobile applications. Our future works are to consider more optimisationand implement pairing-based cryptosystems on mobile devices such as Java-enabledsmart card.

References

1. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairing-basedcryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer,Heidelberg (2002)

2. Bellare, M., Namprempre, C., Neven, G.: Security proofs for identity-based identificationand signature schemes. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS,vol. 3027, pp. 268–286. Springer, Heidelberg (2004)

3. Blake, I., Seroussi, G., Smart, N.P.: Advances in elliptic curve cryptography. CambridgeUniversity Press, Cambridge (2005)

4. Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without ran-dom oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027,pp. 223–238. Springer, Heidelberg (2004)

5. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In:Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg(2004)

6. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ci-phertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer,Heidelberg (2005)

7. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.)CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)

8. Boneh, D., Lynn, B., Sacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.)ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001)

9. Cryptix Project, http://www.cryptix.org/10. FlexiProvider, http://www.flexiprovider.de/11. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K.,

Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003)12. JavaTM cryptographic architecture (JCA) reference guide for JavaTM Platform Standard

Edition 6,http://java.sun.com/javase/6/docs/technotes/guides/security/cryptocryptospec.html

13. jBorZoi 0.90,http://dragongate-technologies.com/jBorZoi/jBorZoi_0.90.zip

14. Kawahara, Y., Takagi, T., Okamoto, E.: Efficient implementation of Tate pairing on a mobilephone using Java. In: Wang, Y., Cheung, Y.-m., Liu, H. (eds.) CIS 2006. LNCS (LNAI),vol. 4456, pp. 396–405. Springer, Heidelberg (2007)

15. Kurosawa, K., Heng, S.-H.: From digital signature to ID-based identification/signature. In:Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 248–261. Springer,Heidelberg (2004)

16. Kurosawa, K., Heng, S.-H.: Identity-based identification without random oracles. In:Gervasi, O., Gavrilova, M.L., Kumar, V., Lagana, A., Lee, H.P., Mun, Y., Taniar, D.,Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 603–613. Springer, Heidelberg (2005)

198 S.-Y. Tan, S.-H. Heng, and B.-M. Goi

17. Kurosawa, K., Heng, S.-H.: The power of identification schemes. In: Yung, M., Dodis, Y.,Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 364–377. Springer,Heidelberg (2006)

18. Legion of the Bouncy Castle, http://www.bouncycastle.org/19. Lynn, B.: PBC library (2006),

http://rooster.standford.edu/-ben/pbc/download.html20. Lynn, B.: Ph.D thesis: On the implementation of pairing-based cryptosystems (2008),

http://crypto.stanford.edu/pbc/thesis.pdf21. Miller, V.: Short programs for functions on curves. Unpublished manuscript (1986),

http://crypto.stanford.edu/miller/miller.pdf22. Nightingle, J.S.: Comparative analysis of Java cryptographic libraries for public key cryp-

tography. George Mason University: Department of Electrical and Computer Engineering,http://ece.gmu.edu/courses/ECE746/project/specs 2006/java multiprecision.pdf

23. PassMark R© Software, http://www.cpubenchmark.net/24. Paterson, K.G.: ID-based signatures from pairings on elliptic curves. Electronic Let-

ters 38(18), 1025–1026 (2002); IET Digital Library25. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: SCIS 2000 (2000)26. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT

2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)27. Scott, M.: MIRACL library (2005),

http://ftp.computing.dcu.ie/pub/crypto/miracl.zip28. Scott, M.: Computing the Tate pairing. In: Menezes, A. (ed.) CT-RSA 2005. LNCS,

vol. 3376, pp. 293–304. Springer, Heidelberg (2005), Available fromhttp://ftp.computing.dcu.ie/pub/crypto/miracl.zip

29. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum,D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)

30. Smart, N.P.: An identity based authenticated key agreement protocol based on the Weil pair-ing. Electronic Letters 38(13), 630–632 (2002); IET Digital Library

31. Solinas, J.: ID-based digital signature algorithms (2003),http://www.cacr.math.uwaterloo.ca/conferences/2003/ecc2003/solinas.pdf

32. Stogbuer, M.: Diploma thesis: Efficient algorithms for pairing-based cryptosystems (2004),http://www.cdc.informatik.tu-darmstadt.de/reports/reports/KP/Marcus Stoegbauer.diplom.pdf

33. Tan, S.-Y., Heng, S.-H., Goi, B.-M., Chin, J.-J., Moon, S.: Java implementation for identity-based identification. International Journal of Cryptology Research 1(1), 21–32 (2009)

34. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.)EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)