<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2023.144018</article-id><article-id pub-id-type="publisher-id">JIS-127409</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Construction and Implementation of a Privacy-Preserving Identity-Based Encryption Architecture
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>David</surname><given-names>Bissessar</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Carlisle</surname><given-names>Adams</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib></contrib-group><aff id="aff1"><addr-line>School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, Canada</addr-line></aff><pub-date pub-type="epub"><day>08</day><month>08</month><year>2023</year></pub-date><volume>14</volume><issue>04</issue><fpage>304</fpage><lpage>329</lpage><history><date date-type="received"><day>23,</day>	<month>June</month>	<year>2023</year></date><date date-type="rev-recd"><day>28,</day>	<month>August</month>	<year>2023</year>	</date><date date-type="accepted"><day>31,</day>	<month>August</month>	<year>2023</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  A recent proposal by Adams integrates the digital credentials (DC) technology of Brands with the identity-based encryption (IBE) technology of Boneh and Franklin to create an IBE scheme that demonstrably enhances privacy for users. We refer to this scheme as a privacy-preserving identity-based encryption (PP-IBE) construction. In this paper, we discuss the concrete implementation considerations for PP-IBE and provide a detailed instantiation (based on 
  q-torsion groups in supersingular elliptic curves) that may be useful both for proof-of-concept purposes and for pedagogical purposes.
 
</p></abstract><kwd-group><kwd>Identity-Based Encryption (IBE)</kwd><kwd> Digital Credentials (DC)</kwd><kwd> Privacy</kwd><kwd> Pairing-Based Cryptography</kwd><kwd> Supersingular Elliptic Curve</kwd><kwd> &lt;i&gt;q&lt;/i&gt;-Torsion Group</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>This paper describes, in some details, the considerations involved in implementing the Privacy-Preserving Identity-Based Encryption (PP-IBE) scheme presented by Adams [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref2">2</xref>] . In 2001, Boneh and Franklin proposed the first efficient construction of Identity-Based Encryption (IBE) [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref4">4</xref>] , but their construction has a system authority, the Private Key Generator (PKG), that computes all user private keys; the PKG can therefore decrypt all ciphertexts in the environment. Subsequent constructions to reduce the trust in the PKG have relied on unrealistic assumptions (see [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] ) and have not been described and implemented using easy-to-analyze numerical values.</p><p>The recently introduced proposal by Adams [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref2">2</xref>] incorporates pseudonyms into the IBE process. This ensures that the PKG no longer needs to be fully trusted (in particular, the PKG is successfully able to learn any given user’s private key with probability as small as the user wishes). Adams’ proposal is based on the IBE scheme designed by Boneh and Franklin (BF-IBE) [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref4">4</xref>] but also uses the Digital Credentials (DC) technology of Brands [<xref ref-type="bibr" rid="scirp.127409-ref5">5</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref6">6</xref>] for identity and pseudonym credentials.</p><p>The integrated protocol combines pairing-based cryptography (in the IBE portions) with discrete-log-based cryptography (in the DC portions); thus, parameter values must be carefully chosen to provide a consistent security level throughout the PP-IBE architecture.</p><p>This present paper provides the first concrete construction and numeric example (produced by our SageMath [<xref ref-type="bibr" rid="scirp.127409-ref7">7</xref>] software implementation<sup>1</sup>) of the complete Adams proposal. Our construction uses a q-torsion group (a cyclic subgroup of order q) of a supersingular elliptic curve over F<sub>p</sub>, where p is a prime congruent to 2 modulo 3.</p><p>Section 1 of this paper presents an overview of PP-IBE. Section 2 provides a brief introductory background on BF-IBE, DC, PP-IBE, and the mathematical concepts supporting the proposed construction. Section 3 describes the construction itself. Section 4 presents a detailed numerical example using relatively small, easy-to-verify numbers. Section 5 provides some discussion, including suggested parameters for 128-bit security and enhancements for an admissible encoding of user identities. Section 6 presents performance measurements for the 128-bit secure version, and Section 7 concludes the paper.</p><sec id="s1_1"><title>1.1. Protocol Overview</title><p>Whereas the protocol of BF-IBE includes steps for entity setup, encryption, key extraction, and decryption, PP-IBE introduces a sequence of identity and pseudonym credential steps into the workflow. To obtain the keying material used for decryption from the PKG, Alice must redeem a valid identity/pseudonym credential. Identity and pseudonym credentials are obtained through interaction with a community of Intermediate Certification Authorities (ICAs) who each verify Alice’s identity or the derivation of a pseudonym and issue a Brands digital credential. In the key extraction protocol, the PKG returns initial keying material which can be finalized (“un-blinded”) only by Alice using random data produced during pseudonym creation. The overall flow, from encryption, through pseudonymization, to key extraction, and finally to decryption, is shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>.</p></sec><sec id="s1_2"><title>1.2. Protocol Steps</title><p>Setup: First, as a precursor to protocol execution, all participants undergo a SETUP phase. The required public primitives and parameters for PP-IBE, BF-IBE, and DC are initialized into the environment.</p><p>Following the environment setup, each of the scenario participants is set up. Thus, individual participants (Alice and Bob) and the service providers (ICA<sub>i</sub>,</p><p>ICA<sub>j</sub>, ICA<sub>k</sub> and PKG) are initialized, granted access to the environment, and instantiated with public keys, private keys, and attributes, as appropriate.</p><p>Encrypt: Bob encrypts a message for Alice as in BF-IBE. Given an identity string for Alice (say, alice@gmail.com) and only public functions and data, Bob encrypts a message for Alice and sends her the resulting ciphertext.</p><p>Get Identity/Pseudonym Credentials: To decrypt the message received from Bob, Alice requires a decryption key. This key is calculated by Alice using keying material provided by the PKG and using a set of random values which she chooses and stores during pseudonym creation (each random value is shared with only a single ICA). <xref ref-type="fig" rid="fig1">Figure 1</xref> shows an identity credential being issued by ICA<sub>i</sub> followed by consecutive steps with ICA<sub>j</sub> and ICA<sub>k</sub> in which pseudonym credentials are elaborated. Thus, each pseudonym is associated with a random data value; Alice creates and retains these values in local protected storage.</p><p>Extract: Alice presents a pseudonym credential to query the private key generator (PKG) which conducts a verification protocol. On successful verification, the PKG calculates keying material specific to messages encrypted for Alice. This keying material cannot be used directly to decrypt the ciphertext sent by Bob. Rather, Alice must finalize (“unblind”) the keying material into her decryption key by applying the random values accumulated during the pseudonym creation steps.</p><p>Decrypt: After finalization of her private key, Alice uses it to decrypt the ciphertext received from Bob. Decryption proceeds as specified in BF-IBE.</p></sec></sec><sec id="s2"><title>2. Background</title><p>This section introduces some of the background mathematical concepts used in PP-IBE, as well as the BF-IBE, DC, and PP-IBE algorithms themselves.</p><sec id="s2_1"><title>2.1. Fundamental Principles</title><p>Elliptic Curves. An elliptic curve over a finite field E/F<sub>p</sub> can be seen as the set of ( x , y ) points with x , y ∈ F p which satisfy an equation of the form E: y 2 + a 1 x y + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 , where x , y , a 1 , a 2 , a 3 , a 4 , a 6 ∈ F p .</p><p>The set of points in the curve E(F<sub>p</sub>) includes a distinguished point, the point at infinity O , and forms a group under addition. The number of points on a curve #E(F<sub>p</sub>) is called the order of the curve. The Hasse theorem places a bound on the number of points in a curve: # E ( F p ) = p + 1 − t , where | t | ≤ 2 p .</p><p>Background on supersingular elliptic curves can be found in [<xref ref-type="bibr" rid="scirp.127409-ref8">8</xref>] . Given a prime base b, an integer exponent e &#179; 1, and t in a range, such that | t | ≤ 2 p , a supersingular curve E(F<sub>p</sub>) over a field F on prime power p = b<sup>e</sup> is a curve such that its order # E ( F p ) = p + 1 − t , with b | t [<xref ref-type="bibr" rid="scirp.127409-ref9">9</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref10">10</xref>] . The worked example of &#167;4, uses the curve E ( F 281 ) : y 2 = x 3 + 1 , which has order 282, with p = b = 281, e = 1 and t = 0. (To keep our example as simple as possible, we want to use a modulus that is a prime, rather than a prime power; thus, e = 1 and therefore p = b. Furthermore, supersingular curves of the form y 2 = x 3 + 1 over F<sub>p</sub> are known to have order p + 1, meaning that t = 0. We chose p = 281 as this is a relatively small prime that is not too trivial such as 7 or 13.)</p><p>Each point on a curve also has an order, a scalar r, the number of times that point must be added to itself to give O : the order of a point o(P) = r, so that r ∗ P = O for P ∈ E ( F p ) . The r-torsion subgroup of a curve E(F<sub>p</sub>)[r] is the subset of points in E(F<sub>p</sub>) which have order r.</p><p>In this paper, curves are used in the context of bilinear maps (“pairings”). A taxonomy of pairing-friendly curves (including FMT curves, GMV curves, Freeman curves, Cyclotomic families, Sporadic families, Scott-Barreto families, Supersingular curves, Cocks-Pinch curves, MNT curves, and DEM curves) is presented in [<xref ref-type="bibr" rid="scirp.127409-ref11">11</xref>] .</p><p>The construction given in this paper uses a supersingular curve of the form y 2 = x 3 + 1 over F(p), with prime p ≡ 2 ( mod 3 ) . This follows the construction in BF-IBE and lends itself well to the requirements of PP-IBE where a point p<sub>1</sub> must be paired with itself. Other curves are also possible, including other supersingular curves and MNT curves.</p><p>Bilinear Maps. A bilinear map is a function e ^ : G 0 &#215; G 1 → G T where G<sub>0</sub>, G<sub>1</sub> and G<sub>T</sub> have order q. We focus on so-called symmetric pairings, where G<sub>0</sub> = G<sub>1</sub>. The mapping is bilinear if ∀ P 1 , P 2 ∈ G 1 and ∀ a , b ∈ Z q * , e ^ ( P 1 a , P 2 b ) = e ^ ( P 1 , P 2 ) a b , and it is non-degenerate if ∀ non-trivial points P 1 ∈ G 1 , e ^ ( P 1 , P 1 ) ≠ 1 (the multiplicative identity element in G<sub>T</sub>). Two common pairing functions are the Weil pairing and the Tate pairing [<xref ref-type="bibr" rid="scirp.127409-ref8">8</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref12">12</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref13">13</xref>] . The worked example in this document was verified with both the Weil and Tate pairings but, for the sake of brevity, only the computations demonstrating the Weil pairing are shown in this paper.</p><p>The embedding degree of elliptic curve E(F<sub>p</sub>) with respect to the order q of its q-torsion subgroup is the smallest positive integer k such that p k ≡ 1 ( mod q ) (for background, see [<xref ref-type="bibr" rid="scirp.127409-ref8">8</xref>] ). The embedding degree affects security. Curves with a small embedding degree are susceptible to the MOV reduction proposed by Menezes, Vanstone and Okamoto [<xref ref-type="bibr" rid="scirp.127409-ref9">9</xref>] . The MOV reduction allows the discrete log problem to be translated from the elliptic curve setting of G<sub>1</sub> to the finite field setting of G<sub>T</sub>, in which there are faster sub-exponential algorithms to solve it [<xref ref-type="bibr" rid="scirp.127409-ref9">9</xref>] . For this reason, sufficiently large security parameters must be selected when instantiating our construction of PP-IBE (see &#167;3, &#167;5).</p><p>Distortion Maps. As we shall see, in its derivation of ξ, PP-IBE requires that the two inputs to the pairing be from the same cyclic group G<sub>1</sub>. The Weil pairing produces the degenerate result 1 when the inputs P and Q are linearly dependent. The Tate pairing also has this property when k &gt; 1. One technique for working around this issue is to use a supersingular curve, E, with a distortion map φ. The distortion map projects points from the base curve onto the curve on the extension field, in a manner that the points are no longer linearly dependent, and so the result of the Weil pairing is non-degenerate [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref9">9</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref12">12</xref>] . When distortion map functionality is required, supersingular curves are not the only choice. MNT curves and their trace map may also be used [<xref ref-type="bibr" rid="scirp.127409-ref14">14</xref>] . We selected the supersingular curve for pedagogical reasons, as a natural progression from BF-IBE and PP-IBE.</p></sec><sec id="s2_2"><title>2.2. Boneh-Franklin Identity-Based Encryption</title><p>In 2001, Boneh and Franklin published the first Identity-based Encryption scheme [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] . Their scheme is defined in terms of bilinear maps. BF-IBE features four protocols.</p><p>Setup: The environment is initialized with public parameters q prime, groups G<sub>1</sub> and G<sub>T</sub> of order q, bilinear map e ^ : G 1 &#215; G 1 → G T , generator G ∈ G 1 , and hash functions H 1 : { 0 , 1 } * → G 1 * , where G 1 * = G 1 \ { O } , H 2 : { 0 , 1 } n &#215; { 0 , 1 } n → Z q * , H 3 : G T → { 0 , 1 } n , and H 4 : { 0 , 1 } n → { 0 , 1 } n . The PKG is given master private key t ∈ Z q * and master public key T = tG.</p><p>Encrypt: Message M ∈ { 0 , 1 } n is encrypted to ciphertext (u, v, w) using Alice’s public identity string I D i ∈ { 0 , 1 } n as follows.</p><p>1) Map the identity string to point I A = H 1 ( I D i ) .</p><p>2) Apply the pairing μ = e ^ ( I A , T ) .</p><p>3) Select random σ ∈ { 0 , 1 } n .</p><p>4) Set exponent r to H 2 ( σ | | M ) .</p><p>5) Compute z = μ r .</p><p>6) Compute ciphertext ( u , v , w ) = ( r G , σ ⊕ H 3 ( z ) , M ⊕ H 4 ( σ ) ) .</p><p>Extract: To decrypt a message the recipient must present their I D i to a Private Key Generator (PKG). The algorithm first maps the string to a group point I A = H 1 ( I D i ) and then multiplies the point by the master private key to produce the decryption key K A = t I A . The decryption key K<sub>A</sub> is returned to the caller.</p><p>Decrypt: The decryption algorithm applies the private key K<sub>A</sub> to ciphertext (u, v, w) to obtain plaintext M.</p><p>1) Compute z = e ^ ( K A , u ) .</p><p>2) Compute σ = v ⊕ H 3 ( z ) .</p><p>3) M = w ⊕ H 4 ( σ ) .</p><p>4) Verify that u == rG: if these are equal, return M; if they are not equal, the ciphertext is rejected.</p><p>Boneh and Franklin define an adaptive chosen ciphertext notion of security IND-ID-CCA applicable to identity-based encryption, and three different variations of their protocol.</p></sec><sec id="s2_3"><title>2.3. Digital Credentials</title><p>Brands Digital Credentials [<xref ref-type="bibr" rid="scirp.127409-ref5">5</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref6">6</xref>] may be described in terms of three protocols: “setup”, “issue” and “show”.</p><p>Setup: During setup, the environment is initialized with p , q , g 0 , where p is a large prime q is the prime order of a multiplicative subgroup of Z p * , and g<sub>0</sub> is a generator of this q-order subgroup. Issuers of Digital Credentials are each initialized with a private key ( y 1 , y 2 , ⋯ , y m , x 0 ) where y 1 , y 2 , ⋯ , y m , x 0 ∈ Z q and a public key ( g 1 , g 2 , ⋯ , g m , h 0 ) , where g i = g 0 y i for i in [1, m] and h 0 = g 0 x 0 .</p><p>Issue: The issue protocol proceeds between an individual, Alice, and a credential issuer, say Bob, as follows.</p><p>1) Alice selects α ← R Z q and calculates h = ( g 1 x 1 g 2 x 2 ⋯ g m x m h 0 ) α mod p using Bob’s public key and her attributes ( x 1 , x 2 , ⋯ , x m ) . Alice retains h as the first part of the credential.</p><p>2) Bob selects w 0 ← R Z q and calculates a 0 = g 0 w 0 mod p which he sends to Alice.</p><p>3) Alice selects β , γ ← R Z q and calculates the second credential component c ′ 0 = H ( h | h 2 ) where h 2 = g 0 β ( ( g 1 x 1 g 2 x 2 ⋯ g m x m h 0 ) γ ) a 0 mod p . She sends a blinded version c 0 = ( c ′ 0 − β ) mod q to Bob for his signature.</p><p>4) Bob creates receives c<sub>0</sub> and creates signature material r 0 = ( w 0 − c 0 ) / ( x 0 + x 1 ∗ y 1 + x 2 ∗ y 2 + ⋯ + x m ∗ y m ) mod q and sends this r<sub>0</sub> to Alice.</p><p>5) Alice evaluates an issuance verification relation, confirming that g 0 c 0 ( g 1 x 1 g 2 x 2 ⋯ g m x m h 0 ) r 0 mod p is equal to a<sub>0</sub>. If valid, she finalizes Bob’s signature to obtain r ′ 0 = ( r 0 + γ ) / α mod q and stores the issued credential ( h , c ′ 0 , r ′ 0 ) for later use in the showing protocol.</p><p>Show: Alice shows selected contents of her credential to verifier Victor as follows.</p><p>1) Alice sends the credential ( h , c ′ 0 , r ′ 0 ) to Victor.</p><p>2) Victor confirms the credential is valid by evaluating a verification relation, confirming that c ′ 0 is equal to H ( h | g 0 c ′ 0 h r ′ 0 mod p ) .</p><p>3) If the verification relation passes, Alice and Victor engage in a proof of knowledge protocol (a verification of a Boolean predicate on Alice’s credential attributes). Brands describes a variety of predicates in which Alice reveals the value of a required attribute and proves knowledge of the remaining attributes in the credential [<xref ref-type="bibr" rid="scirp.127409-ref5">5</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref6">6</xref>] . One such predicate will be presented in the construction section of this document.</p><p>4) Following successful proof of knowledge, Victor provides Alice with a service or access to a resource. In the PP-IBE protocol, after integrity verification and proof of knowledge, the ICA in the role of verifier grants a pseudonym credential.</p><p>Brands [<xref ref-type="bibr" rid="scirp.127409-ref6">6</xref>] presents variations of the protocols including a version based on the RSA problem. This paper restricts itself to the protocol as described on the discrete logarithm problem [<xref ref-type="bibr" rid="scirp.127409-ref5">5</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref6">6</xref>] . Brands digital credentials are used by Adams to sign and certify identity and pseudonym credentials. The nomenclature in our construction uses p' and q' for p and q above for integration with BF-IBE (which itself uses a p and q).</p></sec><sec id="s2_4"><title>2.4. Privacy-Preserving Identity-Based Encryption</title><p>In [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref2">2</xref>] , Adams proposes PP-IBE, an approach to reduce the amount of trust that must be placed in the PKG. PP-IBE uses digital credentials as both identity certificates and pseudonyms, and proposes a community of ICAs who certify these credentials. In this paper, we focus on the “augmented scheme” of PP-IBE in which Alice interacts with a community of ICAs to obtain a final pseudonym credential that is exchanged for keying material with the PKG.</p><p>Setup: The setup protocol of PP-IBE combines the setup activities of BF-IBE and DC, without introducing additional global (i.e., publicly accessible) data. Thus PP-IBE requires, for BF-IBE, a curve E ρ ( a , b ) with generator point G which generates the group G<sub>1</sub>, and a bilinear map e ^ : G 1 &#215; G 1 → G T . For DC, PP-IBE requires primes p' and q', and g<sub>0</sub>, a generator of the q'-order subgroup of Z p ′ * .</p><p>Encrypt: Encryption proceeds as defined by BF IBE, thus using I A = H 1 (id_string) and μ = e ^ ( I A , T ) , producing ciphertext ( u , v , w ) which is sent to Alice. Alice requires the help of a community of ICAs and a PKG to decrypt the ciphertext.</p><p>Identity Credential Issuance. Alice obtains an identity credential from ICA<sub>i</sub> as follows. 1) Alice sends her id_string to ICA<sub>i</sub> who verifies Alice’s ownership. 2) ICA<sub>i</sub> computes p 1 = I A = H 1 (id_string) and ξ p 1 = e ^ ( p 1 , p 1 ) . Alice and ICA<sub>i</sub> engage in the Brands Issuing protocol with x 1 = ξ p 1 and x<sub>2</sub> = the id of ICA<sub>i</sub>. On successful completion of the issuing protocol, Alice holds c r e d i = ( h , c ′ 0 , r ′ 0 ) , a signed identity credential enclosing a ξ p 1 certified by a trusted service provider.</p><p>Pseudonym Credential Issuance. Alice may choose to pseudonymize the identity credential issued by ICA<sub>i</sub>. To do this, Alice selects another Intermediate Certification Authority, say ICA<sub>j</sub> and proceeds as follows. 1) Alice sends cred<sub>i</sub>, p<sub>i</sub>, a t t r i = ( a 1 , a 2 ) i and s<sub>j</sub> to ICA<sub>j</sub>. 2) ICA<sub>j</sub> applies the verification relation to confirm digital integrity of the credential. 3) If the credential passes the integrity check, Alice and ICA<sub>j</sub> conduct a Brands proof of knowledge on attributes a 1 = ξ p 1 and a 2 = i d i . 4) ICA<sub>j</sub> verifies provenance, confirming that that e ^ ( p i , p i ) = = a 1 i 5) Following successful verification of cred<sub>i</sub>, ICA<sub>j</sub> computes pseudonym point p j = p i ∗ s j , ξ j = e ^ ( p j , p j ) and proceeds with the Brands issuing protocol with</p><p>a t t r j = ( a 1 , a 2 ) j = ( a 1 j , a 2 j ) = ( ξ j , i d ( I C A j ) ) .</p><p>Alice may now choose to pseudonymize further: she can present cred<sub>j</sub>, p<sub>j</sub>, s<sub>i</sub> to another authority (say, ICA<sub>k</sub>), proving knowledge of attr<sub>j</sub>. On successful verification, pseudonym p<sub>k</sub> = s<sub>j</sub> * p<sub>j</sub> is created by ICA<sub>k</sub>, and a new credential, cred<sub>k</sub>, is issued to Alice. Using this process, Alice may create a chain of credentials on pseudonyms of any length she wishes. Note that the random values s<sub>i</sub>, s<sub>j</sub>, ∙∙∙ are retained by Alice for use in key extraction.</p><p>Key Extraction. In PP-IBE, key extraction is in two parts. First Alice provides a credential on a pseudonymized point p<sub>k</sub> to the PKG. After verifying the credential and Alice’s proof of knowledge of the signed attributes, the PKG creates keying material K = t * p<sub>k</sub>, where t is the PKG’s master secret key. This initial keying material is sent to Alice who creates the decryption key K<sub>A</sub> by multiplying this K with the product of the inverses of the scalars used to create p<sub>k</sub>, thus K<sub>A</sub> = wK, where w = ∏ s i ∈ S s i − 1 ( mod q ) .</p><p>Decryption. After having successfully created K<sub>A</sub>, Alice can decrypt ciphertext ( u , v , w ) as per the BF-IBE algorithm.</p><p>Note that in [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref2">2</xref>] , PP-IBE uses two attributes within the credential (one for ξ and one for the id of the issuing ICA). However, in an actual implementation, the output of the pairing function (either the Weil or Tate pairing) will be a polynomial in the extension field p<sup>k</sup>. For the supersingular curves on which we base our construction below, k = 2 and the pairing output will be a polynomial with two coefficients. Therefore, the credentials in our construction have been modified to contain three attributes (two for the coefficients of the pairing output and one for the id of the issuing ICA).</p></sec></sec><sec id="s3"><title>3. Construction</title><sec id="s3_1"><title>3.1. PP-IBE Group Parameters</title><p>The parameter selection consists of finding a tuple of primes (q, p, q', p'). These values determine the main group sizes used in our construction PP-IBE. Parameter q sets the size of G<sub>1</sub>; in our construction G<sub>1</sub> is q-torsion group of the base elliptic curve. Parameter p creates F<sub>p</sub>, the prime field upon which the base elliptic curve is defined. Parameter p' creates Z p ′ the base field for digital credentials. Parameter q' is the order of the multiplicative subgroup of Z p ′ * ; digital credential attributes and other exponents are drawn from Z q ′ * .</p><p>The parameter selection algorithm is as follows:</p><p>1) Select q a prime.</p><p>2) Find p prime such that q | p + 1, q<sup>2</sup> ∤ p + 1 and p &#186; 2 mod 3.</p><p>3) Set q' to p.</p><p>4) Find p' prime such that q' | p' - 1.</p><p>5) Return (q, p, q', p').</p></sec><sec id="s3_2"><title>3.2. Definition of Mathematical Objects</title><p>Given parameters (q, p, q', p') initialize the required mathematical objects:</p><p>1) Let p define the prime field F<sub>p</sub>.</p><p>2) Set base curve E ( F p ) : y 2 = x 3 + 1 .</p><p>3) Set G<sub>1</sub> to be the torsion group E(F<sub>p</sub>)[q].</p><p>4) Extension field F p 2 , curve on extension field E ( F p 2 ) : y 2 = x 3 + 1 , and corresponding torsion group E ( F p 2 ) [ q ] are created.</p><p>5) Set G ′ 1 to be E ( F p 2 ) [ q ] .</p><p>6) Set Z q ′ * , Z p ′ , Z p ′ * [ q ′ ] .</p><p>7) Return ( E ( F p ) [ q ] , E ( F p ) , E ( F p 2 ) , Z q ′ * , Z p ′ ).</p><p>The base curve E ( F p ) : y 2 = x 3 + 1 where p = 2 mod 3 has the following properties. It is a supersingular curve of order #E(F<sub>p</sub>) = p + 1. Since q | p + 1, E(F<sub>p</sub>) contains a torsion group E(F<sub>p</sub>)[q] of order q. The curve E(F<sub>p</sub>) also supports a distortion map φ ( x , y ) = ( ζ x , y ) where ζ ∈ F p 2 and ζ 3 = 1 .</p></sec><sec id="s3_3"><title>3.3. Construction of PP-IBE</title><p>The parameters (q, p, q', p') and mathematical objects ( E ( F p ) [ q ] , E ( F p ) , E ( F p 2 ) , Z q ′ * , Z p ′ * [ q ′ ] , Z p ′ ) are used to initialize the components of PP-IBE as follows:</p><p>1) Set G<sub>1</sub> to E ( F p ) [ q ] .</p><p>2) Set f : E ( F p ) [ q ] &#215; E ( F p ) [ q ] → E ( F p 2 ) to the Weil (or Tate) pairing.</p><p>3) Define e ^ ( p , q ) ≜ f ( p , φ ( q ) ) where φ is the distortion map of E(F<sub>p</sub>).</p><p>4) Set m, the number of attributes for digital credentials, to be 3.</p><p>5) Set Z q ′ * to be the field from which digital credential attributes and exponents are drawn.</p><p>6) Set Z p ′ * to be the base field of digital credentials.</p><p>7) Set G and G H 1 to be elements of G<sub>1</sub>.</p><p>8) Set g<sub>0</sub> to be a generator of Z p ′ * [ q ′ ] .</p></sec><sec id="s3_4"><title>3.4. Hash Functions</title><p>Function H 1 : { 0 , 1 } * → G 1 * is implemented using G H 1 , a generator of G<sub>1</sub>, which is multiplied by the SHA256 hash of the input string (this product is reduced modulo q). Function H 2 : { 0 , 1 } n &#215; { 0 , 1 } n → Z q * takes the hash of the input strings, reduces it modulo q − 1 and adds one to the result. Function H 3 : G T → { 0 , 1 } n has the polynomial representation of the arguments and extracts the n least significant bits. Function H 4 : { 0 , 1 } n → { 0 , 1 } n hashes the input string and extracts the n least significant bits.</p></sec><sec id="s3_5"><title>3.5. Other Considerations</title><p>Use of Distortion Map. In PP-IBE, the identity token ξ p i = e ^ ( p i , p i ) requires that point p i ∈ G 1 be paired with itself. The Weil pairing f(P,Q) returns the degenerate result 1 when the inputs are linearly dependent, which is precisely the case in determining ξ p i . The problem is addressed by using the distortion map to implement a modified pairing function e ^ ( p , q ) = f ( p , φ ( q ) ) where f is a pairing such as the Weil or Tate pairing. The distortion map is defined as</p><p>φ ( x , y ) = ( ζ x , y ) where ζ ∈ F p 2 and ζ 3 = 1 . This map φ : ( F p ) → E ( F p 2 ) translates a point in E(F<sub>p</sub>) to a linearly independent point in E ( F p 2 ) , which allows the pairing to be applied returning non-degenerate results.</p><p>Three-Base Credential. The modified pairing function uses the Weil or Tate pairing and returns ξ ∈ F p 2 , a degree-one polynomial with two coefficients F<sub>p</sub>. Since q' = p, these coefficients may carried as attributes Z q ′ in the digital credential. There are different approaches to carrying ξ in the credential; however, we found that carrying both coefficients is convenient for calculations in key extraction. Thus, one attribute (and corresponding base) is added to PP-IBE as defined in [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] . Commensurate changes are required to the digital credential setup, issue, and verification protocols.</p><p>Choice of the Curve. A supersingular curve was chosen for two main reasons. First, the distortion map permits the pairing of p with itself. Second, this curve follows the construction given in [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] ; our worked example thus complements [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] and contributes to its body of knowledge. Note that by choosing this curve, we also benefit from the BDH generator and security proofs given in [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] .</p><p>Security Impact. From the perspective of elliptic curves and bilinear pairings, we refer to the discussion in [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] . The MOV reduction [<xref ref-type="bibr" rid="scirp.127409-ref9">9</xref>] can be applied to such supersingular curves as we have chosen for our construction. Thus as pointed out in [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] , care must be taken to choose parameters such that the discrete log G<sub>1</sub> = E(F<sub>p</sub>)[q] remains difficult in G T = F p 2 . In addition to security in elliptic curves and bilinear maps, we must also consider the difficulty of the traditional discrete log problem due to use of the digital credentials. Parameter sizes are discussed in &#167;5.</p><p>Issue_on_Point(). We introduce a function issue_on_point() which takes a point in G<sub>1</sub> and a scalar and can be used for issuing both credentials and pseudonyms. Identity credentials and pseudonym credentials are both issued based on some ξ i derived from a source point in G<sub>1</sub>. The elegance of the algorithm allows one to be expressed in terms of the other. An “issue_on_point” algorithm has been implemented, which accepts a point and a scalar (as well as the other DC-required arguments) to produce a credential on the point resulting from the multiplication of the point and the scalar received as arguments. This protocol is called both by identity issuance and pseudonym issuance logic. If an identity credential is to be issued, the scalar has the value one and multiplication leaves the point unchanged. If a pseudonym credential is to be issued, the scalar is the s<sub>i</sub> value selected by Alice to create the pseudonym. See <xref ref-type="fig" rid="fig2">Figure 2</xref> for an illustration of the steps involved in credential issuance.</p></sec></sec><sec id="s4"><title>4. Worked Example</title><p>The following demonstrates the augmented flow from [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] on sample parameters describing an elliptic curve of the form E ( F p ) : y 2 = x 3 + 1 where p = 2 mod 3. The numbers are based on output generated by the SageMath [<xref ref-type="bibr" rid="scirp.127409-ref7">7</xref>] implementation of PP-IBE<sup>2</sup>.</p><sec id="s4_1"><title>4.1. System Parameter Generation</title><p>Group Parameters: First, group parameters are selected. We seek p, q, q', p' all prime with q | p + 1 and q 2   ∤   p + 1 , p = 2 mod 3, p ≠ 3 mod 4, q' = p, and q ′ | p ′ − 1 . Our worked example (a “toy” example with deliberately small numbers for readability and easy verifiability) uses q = 47, p = 281, q' = 281, and p' = 563.</p><p>Let q = 47, for a torsion group G<sub>1</sub> of size 47. Parameters o, p, q' and p' follow from this choice. Our construction uses a supersingular curve of the form E ( F p ) : y 2 = x 3 + 1 , where p = 2 mod 3, which has order o = # E ( F p ) = p + 1 . We require p prime such that q | p + 1 and q 2   ∤   p + 1 . For the worked example, we select p = 281, so that our base curve is E/F<sub>281</sub>: y 2 = x 3 + 1 with G<sub>1</sub> = E(F<sub>281</sub>) [<xref ref-type="bibr" rid="scirp.127409-ref47">47</xref>],</p><p>the set of points in E (F<sub>281</sub>) with order 47, along with O . The order of the base curve o = #E (F<sub>p</sub>) = 282 is divisible by q = 47. The embedding degree of our worked example is k = 2, the smallest positive integer k such that #G<sub>1</sub>| #E (F<sub>p</sub>)<sup>k</sup> + 1. In our example, 47 | 282 k + 1 .</p><p>Credential Parameters: As per our construction, the output of the pairing function will be an element in the extension field F p 2 , a polynomial of degree one with coefficients in F<sub>p</sub>. We carry the coefficients as attributes in the digital credential. The q' of the digital credential parameters must be large enough to accommodate these numbers. We set q' = p = 281. It remains only to find p', the modulus for digital credentials, such that q ′ | p ′ − 1 . For our worked example, we select p' = 563.</p><p>Generators: Select generator G = (1, 132) for IBE and g<sub>0</sub> = 3 for digital credentials.</p></sec><sec id="s4_2"><title>4.2. Key Generation</title><p>The ICAs are each initialized with their DC key pairs in which private key K p r i v = ( y 1 , y 2 , y 3 , x 0 ) which are random values in Z q ′ and public key K p u b = ( g 1 , g 2 , g 3 , h 0 ) where g i = g 0 y i mod p ′ and h 0 = g 0 x 0 mod p ′ . The PKG is initialized with a BF-IBE key pair in which the master secret key is a random scalar in Z<sub>q</sub>, say t = 23, and the public key is calculated as T = t ∗ G = 23 ∗ ( 1 , 132 ) = ( 252 , 202 ) . Select ζ = 68 b + 106 (here, ζ ∈ F p 2 and ζ 3 = 1 ). <xref ref-type="table" rid="table1">Table 1</xref> presents the key pairs for the service providers of the scenario presented in the augmented scheme of [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] .</p></sec><sec id="s4_3"><title>4.3. Encryption</title><p>Encryption proceeds according to BF-IBE. Here, ciphertext ( u , v , w ) is created for M = “abc” (msg_bits: “011000010110001001100011”, of length n = 24) using Alice’s identity string “alice@gmail.com”.</p><p>First u is calculated. Alice’s identity string is first mapped to point I A ∈ G 1 = H<sub>1</sub> (“alice@gmail.com”) = (34, 33). Next the identity point I<sub>A</sub> is paired with the master public key μ = e ^ ( I A , T ) . Recall that e ^ ( p 1 , p 2 ) = f ( p 1 , φ ( p 2 ) ) where φ ( x , y ) = ( ζ x , y ) , ζ = 68 b + 106 , f() is either the Tate or Weil pairing, and b is</p><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Service provider key pairs</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Service Provider</th><th align="center" valign="middle" >Key Pair</th></tr></thead><tr><td align="center" valign="middle" >ICA<sub>i</sub></td><td align="center" valign="middle" >K<sub>pub</sub>: (243, 541, 498, 27) K<sub>priv</sub>: (5, 9, 7, 3)</td></tr><tr><td align="center" valign="middle" >ICA<sub>j</sub></td><td align="center" valign="middle" >K<sub>pub</sub>: (289, , 349, 470) K<sub>priv</sub>: (15, 19, 17, 13)</td></tr><tr><td align="center" valign="middle" >ICA<sub>k</sub></td><td align="center" valign="middle" >K<sub>pub</sub>: (68, 441, 49, 508) K<sub>priv</sub>: (25, 29, 27, 23)</td></tr><tr><td align="center" valign="middle" >PKG</td><td align="center" valign="middle" >T: (252, 202 ) t: 23</td></tr></tbody></table></table-wrap><p>an arbitrary symbolic variable to be used in polynomials in F p 2 . Using the Weil pairing, μ = weil_pairing ( I A , φ ( T ) ) = weil_pairing ( ( 34 , 33 ) , φ ( 252 , 202 ) ) = weil_pairing ( ( 34 , 33 ) , ( 276 b + 17 , 202 ) ) = 216 b + 147 . Let σ = “100101000111100011000010”, and r = H<sub>2</sub><sub> </sub>(σ, msg_bits) = 43, then u = r ∗ G = 43 ∗ ( 1 , 132 ) = ( 263 , 167 ) .</p><p>The second component of the ciphertext, v, is calculated as follows. Calculate z = μ r = ( 216 b + 147 ) 43 = 21 b + 60 (where exponentiation is reduced modulo the Conway polynomial [<xref ref-type="bibr" rid="scirp.127409-ref15">15</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref16">16</xref>] b<sup>2</sup> + 280b + 3) and let h3z = H<sub>3</sub>(z, n) = 001100110011011000110001; then component v = sigma xor h3z = 101001110100111011110011.</p><p>The last component of the ciphertext is w = msg_bits &#197; H<sub>4</sub>(σ). Assuming H<sub>4</sub>(σ) = 011001100011010001100010, then w = 011000010110001001100011 &#197; 011001100011010001100010 = 000001110101011000000001.</p><p>The ciphertext of M = “abc” encrypted using Alice’s identity string “alice@gmail.com” is (u,v,w) = ((263, 167), 101001110100111011110011, 000001110101011000000001).</p></sec><sec id="s4_4"><title>4.4. Identity Credentials</title><p>PP-IBE uses interactions between Alice and ICAs to certify her identity and pseudonym as precursors to interacting with the PKG to obtain the decryption keys.</p><p>Alice engages with ICA<sub>i</sub> to obtain a digital credential ( h , c ′ 0 , r ′ 0 ) certifying her identity. For this worked example, we choose the following values at random: (α = 12, β = 6, γ = 2, w<sub>0</sub> = 8). As a first step, Alice calculates h on her own. She calculates her identity point p<sub>1</sub> = H<sub>1</sub><sub> </sub>('alice@gmail.com') = I<sub>A</sub> = (34, 33). Following this, she calculates ξ i = e ^ ( p i , p i ) = weil_pairing ( p i , φ ( p i ) ) = weil_pairing ( ( 34 , 33 ) , ( 64 b + 232 , 33 ) ) = 13 b + 211 . Assuming service provider id = 27, Alice has attributes ( x 1 , x 2 , x 3 ) = ( 211 , 13 , 27 ) . Assuming α = 12, she calculates and retains h = ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) α mod p 1 = ( ( 243 211 ) ( 541 13 ) ( 498 27 ) ( 27 ) ) 12 mod 563 = 256 .</p><p>As her next step Alice calculates c ′ 0 = H ( h | h 2 ) with input a committed random from the ICA. ICA<sub>i</sub> selects random w<sub>0</sub> (assume w<sub>0</sub> = 8), calculates a 0 = g 0 w 0 = 3 8 mod 563 , and sends a<sub>0</sub> to Alice. Alice uses a<sub>0</sub> to calculate h 2 = g 0 β ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) γ a 0 mod p ′ = 3<sup>6</sup>(243<sup>211</sup> * 541<sup>13</sup> * 498<sup>27</sup> * 27)<sup>2</sup> * 368 mod 563 = 99. This h<sub>2</sub> is combined with h to form c ′ 0 = H ( h | h 2 ) = SHA256(256|99) mod 281 = 204. This c ′ 0 will be the second component in the digital credential.</p><p>To calculate r ′ 0 , Alice initiates by sending c 0 = c ′ 0 − β mod q ′ = 204 – 6 mod 281 = 198 to ICA<sub>i</sub>. The ICA calculates r 0 = ( w 0 − c 0 ) / ( x 0 + x 1 ∗ y 1 + x 2 ∗ y 2 + x 3 ∗ y 3 ) mod q ′ = ((8 - 198)/(3 + 211 * 5 + 13 * 9 + 27 * 7) mod 281 = 128 and returns it to Alice. Alice checks the integrity of the components using the verification relation: g 0 c 0 ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) r 0 mod p ′ = = a 0 . In this case both a<sub>0</sub> and 3<sup>198</sup> * ((243<sup>211</sup>) * (541<sup>13</sup>) * (498<sup>27</sup>) * 27)<sup>128</sup> mod 563 are equal to 368, so the verification relation holds. Alice finalizes r ′ 0 = r 0 + γ / α mod q ′ = ( 128 + 2 ) / 12 mod 281 = 245 . Alice stores the finalized credential c r e d i = ( h , c ′ 0 , r ′ 0 ) = ( 256 , 204 , 245 ) for the next step in certifying a pseudonym with ICA<sub>j</sub>.</p></sec><sec id="s4_5"><title>4.5. Pseudonym Credentials</title><p>As in the augmented scheme example from [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] , identity credential cred<sub>i</sub> is used as an input in obtaining pseudonym credential cred<sub>j</sub> from ICA<sub>j</sub>, which is then used to obtain another pseudonym credential cred<sub>k</sub> from ICA<sub>k</sub>.</p><p>In general, to issue a pseudonym credential, the ICA conducts a verification of the previous credential and the proposed pseudonym, and then issues a new credential on the pseudonym.</p><p>ICA<sub>j</sub> Issuance of Pseudonym Credential. Alice presents her identity credential cred<sub>i</sub> in the showing protocol. ICA<sub>j</sub> verifies this before issuing a pseudonym credential cred<sub>j</sub>.</p><p>Alice sends cred<sub>i</sub> = (256, 204, 245), p<sub>i</sub> = (34, 33) and a scalar s<sub>j</sub> = 25 to ICA<sub>j</sub>, as input to the pseudonym service, which will yield a new credential cred<sub>j</sub> = (440, 252, 63) on pseudonym point p<sub>j</sub> = (199, 158). This process proceeds in two steps: first the submitted cred<sub>i</sub> is verified, after that, the new cred<sub>j</sub> is issued.</p><p>Verification of cred<sub>i</sub> consists of three checks: the integrity check, the proof of knowledge, and the coefficients check. The integrity of cred<sub>i</sub> is verified using the digital credentials verification relation. Given credential ( h , c ′ 0 , r ′ 0 ) verify that c ′ 0 = = H ( h | g 0 c ′ 0 h r ′ 0 ) Thus with cred<sub>i</sub> = (256, 204, 245), g 0 c ′ h r ′ 0 = (3<sup>204</sup>) (256<sup>245</sup>) mod 563 = 99. This value corresponds to the h<sub>2</sub> calculated during the issuing protocol, so H ( h | g 0 c ′ 0 h r ′ 0 ) = 204 which is equal to c ′ 0 , which satisfies the verification relation.</p><p>The next step is the proof of knowledge. For this example, let’s assume random values w = 6 and c = 7. ICA<sub>j</sub> creates a random challenge c = 7, and sends it to Alice who creates p r o o f i = ( c ′ , x 1 , x 2 , x 3 ) = ( 30 , 211 , 13 , 27 ) where the value for c ′ = c / α + w mod q = 7 / 12 + 6 mod 281 = 30 and x 1 , x 2 , x 3 are Alice’s attributes for cred<sub>i</sub>. Alice sends p r o o f i to ICA<sub>j</sub> who verifies it by confirming the equality of h c ′ a mod p' = (256<sup>30</sup>)363 mod 563 = 485 with g 1 x 1 g 2 x 2 g 3 x 3 h 0 c = (243<sup>211*7</sup>)(541<sup>13*7</sup>)(76<sup>27*7</sup>)(27<sup>7</sup>) mod 563 = 485; thus proof of knowledge has been confirmed.</p><p>In the final verification step, ICA<sub>j</sub> verifies that cred<sub>i</sub> is on the coefficients of ξ<sub>i</sub>. In this case correspondence is confirmed: e ^ ( p i , p i ) = 13 b + 211 , the coefficients of which correspond to the (x<sub>1</sub>, x<sub>2</sub>) received in the proof, above.</p><p>After this successful verification of cred<sub>i</sub>, ICA<sub>j</sub> issues a pseudonym credential to Alice. Let’s assume the random values for the issue protocol to be α = 19, β = 26, γ = 32, w<sub>0</sub> = 18. ICA<sub>j</sub> calculates new point p<sub>j</sub> = p<sub>i</sub> * s<sub>1</sub> = (34, 33) * 25 = (199, 158) and ξ<sub>j</sub> = &#234;(p<sub>j</sub>, p<sub>j</sub>) = &#234;((199, 158), (199, 158)) = weil_pairing((199, 158), phi((199, 158))) = weil_pairing((199, 158), (44b + 19, 158)) = 151b + 29. Assuming id(ICA<sub>j</sub>) = 11, the credential is constructed on attributes (x<sub>1</sub> = 29, x<sub>2</sub> = 151, x<sub>3</sub> = 11). Alice calculates and retains h = ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) α mod p 1 = ((289<sup>29</sup>)(326<sup>151</sup>)(349<sup>11</sup>)(470))<sup>19</sup> mod 563 = 440.</p><p>Next ICA<sub>j</sub> selects random w<sub>0</sub>=18 and calculates a 0 = g 0 w 0 = 3 18 mod 563 = 484 , which it sends to Alice. Alice calculates c ′ 0 = H ( h | h 2 ) where h = 197 and h 2 = g 0 β ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) γ a 0 mod p ′ = 3<sup>26</sup>((289<sup>29</sup>)(326<sup>151</sup>)(349<sup>11</sup>)(470))<sup>32</sup>484 mod 563 = 425, thus c ′ 0 = H ( 440 | 425 ) = 252 . Alice retains this c ′ 0 and calculates c 0 = ( c ′ 0 − β ) mod q 1 = (252 - 26) mod 281 = 226 which is sent to ICA<sub>j</sub>. ICA<sub>j</sub> produces signature data r 0 = ( w 0 − c 0 ) / ( x 0 + x 1 y 1 + x 2 y 2 + x 3 y 3 ) mod q ′ = (18 - 226)/(13 + 29 * 15 + 151 * 19 + 11 * 17) mod 281 = 41, which is sent to Alice. Alice evaluates the issue-time verification relation, confirming that g 0 c 0 ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) r 0 mod p ′ = 3<sup>226</sup>((289<sup>29</sup>)(326<sup>151</sup>)(349<sup>11</sup>)(470))<sup>41</sup> mod 563 = 484 equals the expected value of a<sub>0</sub> = 484. Alice proceeds to unblind the signature r ′ 0 = ( r 0 + γ ) / α mod q ′ = (41 + 32)/19 mod 281 = 63 and stores the resulting credential cred<sub>j</sub> = (440, 252, 63).</p><p>ICA<sub>k</sub> Issuance of Pseudonym Credential. Alice uses pseudonym credential cred<sub>j</sub> to obtain another pseudonym credential with ICA<sub>k</sub>. Alice enters into the “show” protocol, supplying cred<sub>j</sub> = (440, 252, 63), attr<sub>j</sub> = (x<sub>1</sub> = 29, x<sub>2</sub> = 151, x<sub>3</sub> = 11), p<sub>j</sub> = (199, 158) and s<sub>2</sub> = 17. ICA<sub>k</sub> first checks the time verification relation for cred<sub>j</sub>: c ′ 0 = = H ( h | g 0 c ′ 0 h r ′ 0 ) . Here c ′ 0 = 252, h = 440, and g 0 c ′ 0 h r ′ 0 mod p ′ = 3<sup>252</sup>440<sup>63</sup> mod 563 = 425, thus, the hash H(440|425), evaluates, as above, to 252 which is equal to c ′ 0 . The verification relation is satisfied for cred<sub>j</sub>.</p><p>The proof of knowledge follows the verification relation. ICA<sub>k</sub> creates a random challenge, say c = 8, and sends it to Alice who creates p r o o f j = ( c ′ , x 1 , x 2 , x 3 ) = (37, 29, 151, 11) where c' = c/α + w mod q = 8 /19 + 7 mod 281 = 37 and x<sub>1</sub>, x<sub>2</sub>, x<sub>3</sub> are the attributes attr<sub>j</sub>. Alice sends proof<sub>j</sub> to ICA<sub>k</sub> who verifies it by confirming that h c ′ a = = g 1 x 1 g 2 x 2 g 3 x 3 h 0 c mod p ′ . Here, h c ′ a mod p ′ = (440<sup>37</sup>)381 mod 563 = 99 and g 1 x 1 g 2 x 2 g 3 x 3 h 0 c = (289<sup>29*8</sup>)(326<sup>151*8</sup>)(349<sup>11*8</sup>)(470<sup>8</sup>) mod 563 = 99; thus the proof of knowledge verifies correctly.</p><p>For the last verification step, ICA<sub>k</sub> performs a pairing and confirms that the coefficients of ξ j = e ^ ( p j , p j ) = e ^ ( ( 199 , 158 ) , ( 199 , 158 ) ) = 151 b + 29 correspond to (x<sub>1</sub> =29, x<sub>2</sub> = 151) of cred<sub>j</sub>.</p><p>Once cred<sub>j</sub> has been verified, ICA<sub>k</sub> proceeds to issue pseudonym credential cred<sub>k</sub> to Alice. For the issuance of cred<sub>k</sub> assume values of α = 7, β = 26, γ = 22, w<sub>0</sub> = 28 for the random values of the issue protocol.Alice calculates her new point p<sub>k</sub> = p<sub>j</sub> * s<sub>2</sub> = (199 , 158) * 17 = (99, 179) and ξ<sub>k</sub> = &#234;(p<sub>k</sub>, p<sub>k</sub>) = &#234;((99, 179), (99, 179)) = weil_pairing ((99 , 179), phi((99, 179))) = weil_pairing((99, 179), (269b + 97, 179)) = 197b + 190. Assuming id(ICA<sub>k</sub>) = 42, attributes attr<sub>k</sub> = (x<sub>1</sub> = 190, x<sub>2</sub> = 197, x<sub>3</sub> = 42) are used for issuance of cred<sub>k</sub>.</p><p>Credential c r e d k = ( h , c ′ 0 , r ′ 0 ) is calculated as follows. First, Alice calculates and retains h = ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) α mod p 1 = ((68<sup>190</sup>)(441<sup>197</sup>)(49<sup>42</sup>)(508))<sup>7</sup> mod 563 = 92. Alice sends p<sub>j</sub> = (199, 158) and s<sub>2</sub> = 17 to ICA<sub>k</sub>, who calculates the same attr<sub>k</sub>. Next ICA<sub>k</sub> selects a random w<sub>0</sub>, say the value 28, and calculates a 0 = g 0 w 0 = 3<sup>28</sup> mod 563 = 147 and sends this a<sub>0</sub> to Alice. Alice calculates c ′ 0 = H ( h | h 2 ) where h = 92 and h 2 = g 0 β ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) γ a 0 mod p ′ = 3<sup>26</sup>(68<sup>190</sup> * 441<sup>197</sup> * 49<sup>42</sup> * 508)<sup>22</sup> * 147 mod 563 = 513, so c ′ 0 = H ( 92 | 513 ) = 240 . Alice retains c ′ 0 and calculates c 0 = ( c ′ 0 − β ) mod q 1 = ( 240 − 26 ) mod 281 = 214 and sends it to ICA<sub>k</sub>. Finally, ICA<sub>k</sub> produces signature data r 0 = ( w 0 − c 0 ) / ( x 0 + x 1 y 1 + x 2 y 2 + x 3 y 3 ) mod q ′ = ((28 - 214)/(23 + 190 * 25 + 197 * 29 + 42 * 27)) mod 281 = 211, which is sent to Alice. Alice evaluates the issuance-time verification relation, confirming that g 0 c 0 ( g 1 x 1 g 2 x 2 g 3 x 3 h 0 ) r 0 mod p ′ = 3<sup>214</sup>((68<sup>190</sup>)(441<sup>197</sup>)(49<sup>42</sup>)(508))<sup>211</sup> mod 563 = 147 which equals a<sub>0</sub>, as expected. Alice proceeds to unblind the signature r ′ 0 = ( r 0 + γ ) / α mod q 1 = (211 + 22)/7 mod 281 = 234 and stores the resulting credential cred<sub>k</sub> = (92, 240, 234), along with the attributes and other parameters she used to obtain it.</p></sec><sec id="s4_6"><title>4.6. Key Extraction</title><p>Alice sends credential cred<sub>k</sub> = (92, 240, 234) and pseudonymous point p<sub>k</sub> = (99, 179) to the PKG with supporting attributes (190, 197, 42). The PKG checks the verification relation: c ′ 0 = = H ( h | g 0 c ′ 0 h r ′ 0 ) , with h = 92, and g 0 c ′ 0 h r ′ 0 = 3<sup>240</sup> * 92<sup>234</sup> mod 563 = 513, thus H(92|513) = SHA256(92|513) mod 281 = 3b11806f98cd81d368137bb211c63561bff95c219fc5b6649501708d0e14693b mod 281 = 240 which indeed equals c ′ 0 , so the verification relation holds.</p><p>The PKG’s next step in checking cred<sub>k</sub> is the proof of knowledge. Proof of knowledge proceeds with the PKG generating random value w = 8 and Alice generating proof (c' = (9/7 + 8) mod 281 = 210, x<sub>1</sub> = 190, x<sub>2</sub> = 197, x<sub>3</sub> = 42). The PKG evaluates (h<sup>c</sup><sup>'</sup>)a = (92<sup>210</sup>)271 mod 563 = 201 and confirms that it is equal to ( g 1 x 1 ∗ c ) ( g 2 x 2 ∗ c ) ( g 3 x 3 ∗ c ) ( h 0 c ) = ( 68 190 ∗ 9 ) ( 441 197 ∗ 9 ) ( 49 42 ∗ 9 ) ( 508 9 ) mod 563. Finally, the PKG confirms that the coefficients of ξ k = e ^ ( p k , p k ) = 197 b + 190 correspond to attributes (x<sub>1</sub>, x<sub>2</sub>).</p><p>Once cred<sub>k</sub> has been verified, the PKG creates the keying material by multiplying the pseudonymous point p<sub>k</sub> = (99, 179) with PKG private master key t = 23 to obtain keying material K = t * p<sub>k</sub> = 23 * (99, 179) = (34, 248). This keying material is sent to Alice.</p></sec><sec id="s4_7"><title>4.7. Finalization and Decryption</title><p>To finalize her decryption key, Alice applies the scalars she retained during pseudonym creation to the keying material received from the PKG to obtain K<sub>A</sub> = ((s<sub>1</sub>s<sub>2</sub>)<sup>−</sup><sup>1</sup> mod q) * K = ((25 * 17)<sup>−1</sup> mod 47) * (34, 248) = 24 * (34, 248) = (111, 206). Alice had received ciphertext ( u , v , w ) = ( ( 263 , 167 ) , 101001110100111011110011 , 000001110101011000000001 ) from Bob. She proceeds to decrypt it using the decryption key K<sub>A</sub> = (111, 206).</p><p>First, she computes z = e ^ ( K A , u ) = e ^ ( ( 111 , 206 ) , ( 263 , 167 ) ) = 21 b + 60 . Then she derives σ = v ♁ H<sub>3</sub>(z) = 101001110100111011110011 &#197; H<sub>3</sub>(21b + 60) = 101001110100111011110011 &#197; 001100110011011000110001 = 100101000111100011000010. Using σ, she calculates the plaintext M = w &#197; H<sub>4</sub>(σ)) = 000001110101011000000001 &#197; 011001100011010001100010 = 011000010110001001100011. Alice confirms the verification relation: u == r * G = 43 * (1, 132) which is equal to u = (263, 167), the first component in the ciphertext, so the ciphertext is confirmed to be valid. Encryption returns the string value of M, which is “abc”.</p></sec></sec><sec id="s5"><title>5. Discussion</title><p>The worked example of section 4 demonstrates small numbers for ease of calculation and for the sake of communication. This section discusses how to obtain parameters with more realistic security levels. BF-IBE specifies that an admissible mapping is required to achieve IND-ID-CCA security; this section also describes how the current implementation should be extended to achieve this.</p><sec id="s5_1"><title>5.1. Parameter Generation</title><p>The worked example uses small numbers for the sake of illustration. In an IBE deployment, the group parameters must be selected so that identity attacks on G<sub>1</sub> and forgery attacks on the digital credential are cryptographically hard. The parameter generation algorithm described in Section 5 can be modified to set target security sizes for F<sub>p</sub> and Z p ′ . For 128-bit security, we would seek |q| &#179; 254 bits and |p'| &#179; 3072 bits [<xref ref-type="bibr" rid="scirp.127409-ref17">17</xref>] . If we want 128 bits of security, we will need p to be at least 1536 bits in length (so that the group size in F p 2 is at least 3072 bits long). One possible combination of parameters is shown in <xref ref-type="table" rid="table2">Table 2</xref>.</p><table-wrap id="table2" ><label><xref ref-type="table" rid="table2">Table 2</xref></label><caption><title> Parameters for 128 bit security</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Parameter</th><th align="center" valign="middle" >Bits</th><th align="center" valign="middle" >Value</th></tr></thead><tr><td align="center" valign="middle" >q</td><td align="center" valign="middle" >254</td><td align="center" valign="middle" >18084954865587818898836522312022138958973336066876267931291791709863092691657</td></tr><tr><td align="center" valign="middle" >p</td><td align="center" valign="middle" >1536</td><td align="center" valign="middle" >1505815871876832243686385797405417086747442132319081109462549092672986148913147712605096337940259666843405480263668238179551603835975645562629790636718104992081314354208002757169780252290820124108977840797811276102497556726337436129968986667177262848466198170120827878069735673393999481196850397009877651044221861767087908930129815390028325180275750468327194361679184021306800118070504777285350163090899790723555574792186063881861798528780879222016066039614503449</td></tr><tr><td align="center" valign="middle" >q'</td><td align="center" valign="middle" >1536</td><td align="center" valign="middle" >1505815871876832243686385797405417086747442132319081109462549092672986148913147712605096337940259666843405480263668238179551603835975645562629790636718104992081314354208002757169780252290820124108977840797811276102497556726337436129968986667177262848466198170120827878069735673393999481196850397009877651044221861767087908930129815390028325180275750468327194361679184021306800118070504777285350163090899790723555574792186063881861798528780879222016066039614503449</td></tr><tr><td align="center" valign="middle" >p'</td><td align="center" valign="middle" >3072</td><td align="center" valign="middle" >3629486708639658188874499746057268547110688504809725649304977113445485843891988226416095733329498454270713960450335188539726304784408060167646528490906964853179331863001838059741624556709375091891900914352749738258271027659169933305573873952539857360018851241366638408454297306509012854308617198602225491402705421206175355897289262757464648380405283849931512766203476018851853657596881703308179364060566420988320941171772245328812439112862621272347751865936106815502826031574618940455605397692903029852427679997113613688593713995915189775085683864185903166140123843662981946105038658280351384359264239744081386588693869585473360904723762864556311413985996555881224601182359395926837239205682053213762117279742259979783766105627898239021311279630212987364568274804195734882687630845919756759795990674371528553541639713181060812987114762011083691937852821399018394347723914047497617018605459882120604329715099546744578323408879</td></tr></tbody></table></table-wrap><p>The required constraints hold on the above parameters. All numbers are prime, and all required relationships hold, namely that q | p + 1, p &#186; 2 mod 3, p ≠ 3 mod 4, q<sup>2</sup> ∤ p+1, and q' | p' – 1.</p><p>We also note that other (i.e., non-supersingular) elliptic curves may be used to obtain a security level of 128 bits (or higher) with a smaller value of p. For example, BLS12-381 and BLS12-440 curves have an embedding degree of k = 12, allowing a significant reduction in the size of p (which, of course, would lead to a corresponding increase in the efficiency of computations involving p); see [<xref ref-type="bibr" rid="scirp.127409-ref18">18</xref>] . However, these so-called Type 3 curves use an asymmetric pairing ( e ^ : G 0 &#215; G 1 → G T ), rather than a symmetric pairing ( e ^ : G 1 &#215; G 1 → G T ), which would then require a modification to how pairings are used for pseudonym construction in PP-IBE.</p></sec><sec id="s5_2"><title>5.2. IBE Topics</title><p>Security Model. Boneh and Franklin [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref4">4</xref>] define IND-ID-CCA, a form of chosen ciphertext security applicable to IBE schemes. IND-ID-CCA defines adaptive security in which the attacker attempts to demonstrate an advantage at decrypting a ciphertext for a chosen identity. The Attacker is given a choice of which identity to attack, the option of knowing the decryption keys for a set of independent identities, and oracle access to the private key extraction algorithm and to the decryption algorithm.</p><p>Construction: Boneh and Franklin present a construction based on p &#186; 2 mod 3 with its accompanying distortion map. Our example proceeds with such a curve and is, as such, complimentary material for researchers in the area.</p><p>Distribution of Trust: A large amount of trust is placed in the PKG in an IBE deployment. All users obtain their decryption keys from the PKG using their public identity string. The PKG is thus able to derive private keys for all users. Adams’ architectural approach wipes out this complete knowledge, displacing it across the community of ICAs instead. The initial ICA provides a verification of ownership of the identity string (for example, using a challenge and response email pattern). The subsequent ICA issues a pseudonym credential on the trust of the previous ICA’s identity proofing mechanisms. Thus, the full trust that had previously been placed in the PKG is now spread out across the service providers:</p><p>&#183; At the beginning of this chain of trust, the first ICA issues an identity credential, verifying Alice’s ownership of the identity string, and then maps that string to a point (using a map-to-point function H<sub>1</sub>(.) or its stronger “admissible encoding” counterpart L(.); see below).</p><p>&#183; The subsequent ICAs in the chain each issue a pseudonym on the basis of their trust in the integrity and processes of the peers that precede them in the chain, the strength of the signatures, and the quality of the map-to-point function.</p><p>Admissible Encoding: Of the variations presented in [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref4">4</xref>] , only FullIdent’ is IND-ID-CCA secure. The algorithms for FullIdent and FullIdent’ are identical, differing only differ only in terms of the definition of H<sub>1</sub>(.). FullIdent’ tightens requirements on the mapping, such that the distribution is provably uniformly random. In FullIdent', p<sub>1</sub> = H<sub>1</sub>(id_string) is replaced with p 1 = L ( H ′ 1 ( i d _ s t r i n g ) ) where H ′ 1 ( . ) is uniform string hashing and L(.) is uniform point mapping. This is referred to as an “admissible encoding”. The H<sub>1</sub> used in this implementation conforms to FullIdent requirements but has not (yet) been verified against FullIdent’ requirements.</p></sec></sec><sec id="s6"><title>6. Performance</title><p>This section presents performance measures for the scenario of <xref ref-type="fig" rid="fig1">Figure 1</xref> using the 128-bit security parameters presented in section 5.1.</p><p>The computing environment consists of SageMath version 9.6, installed on Ubuntu 20.04.5 LTS within the Windows Subsystem for Linux (GNU/Linux 5.10.16.3-microsoft-standard-WSL2 x86_64) on a Windows 10 Pro computer equipped with an IntelCore i7-1185G7, 3.00 GHz processor with 16.0 GB of RAM.</p><p><xref ref-type="table" rid="table3">Table 3</xref> presents performance measurements at 4 levels of drill-down: a) total demo execution time, b) time spent on initialization vs. protocol execution, c) breakdown by workflow step and, within each step, the breakdown per algorithm, d) within selected algorithms, a view at the primitive operations used. Full drill-down is shown for the issuance of credj, but is omitted from other steps for the sake of brevity.</p><p>The total time to run the demo is made up of two parts: initialization time, and protocol execution time. The actual protocol runs in 1.68 seconds. The full demo runs in 20 seconds, however data structure initialization accounts for 92% of this time, requiring over 18 seconds. Note that this initialization is a one-time pre-deployment cost to instantiate objects using prime moduli and curve parameters; once these are established, the PP-IBE system can be run for a set of users for an indefinite amount of time at sub-second speeds for each protocol step.</p><p><xref ref-type="fig" rid="fig3">Figure 3</xref> presents the relationship of protocol execution to system initialization and shows the execution times and proportions of the main steps in the scenario depicted in <xref ref-type="fig" rid="fig1">Figure 1</xref>.</p><p>Comparative Examination of Workflow Steps. When evaluated with the 128-bit security parameters, each protocol step exhibits sub-second performance. The three credential issuance steps are comparable, requiring between 304 and 462 ms. Also comparable are the encryption and decryption steps, requiring between 132 and 162 ms. These costs are dominated by the cost of the pairing. The issuance of cred<sub>j</sub> requires 2 pairing calculations, whereas the issuance of cred<sub>j</sub> and cred<sub>k</sub> requires three. Encryption and decryption each require one pairing. The key extraction step also requires a pairing for credential verification. Assuming upfront data structure initialization, key-pair establishment and the selection of generators requires 1.6 ms.</p><p>Primitive Usage. The PP-IBE protocol combines elliptic curve operations, pairings, and modular exponentiations. <xref ref-type="fig" rid="fig4">Figure 4</xref> shows the breakdown of Step</p><table-wrap id="table3" ><label><xref ref-type="table" rid="table3">Table 3</xref></label><caption><title> Performance measurements at 128 bit security</title></caption><table><tbody><thead><tr><th align="center" valign="middle"  colspan="6"  >Step</th><th align="center" valign="middle"  colspan="8"  >Performance (ms)</th></tr></thead><tr><td align="center" valign="middle"  colspan="6"  >Demo</td><td align="center" valign="middle"  colspan="2"  >20381.8</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Initialization</td><td align="center" valign="middle"  colspan="3"  >18699.5</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Scenario</td><td align="center" valign="middle"  colspan="3"  >1682.2</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >1) Setup</td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  >1.6</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >2) Encrypt</td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  >132.5</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >3.1) Total for cred<sub>i</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  >304.0</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Alice calculates ζ<sub>i</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  >127.8</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >ICA<sub>i</sub> issues cred<sub>i</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  >176.1</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="5"  >ICA<sub>i</sub> calculates ζ<sub>i</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >132.0</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make h</td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >8.5</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make a<sub>0</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >0.02</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make c ′ 0</td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >8.7</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make c<sub>0</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >0.002</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make r<sub>0</sub></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >0.1</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make r ′ 0</td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="3"  >0.02</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Alice accepts cred<sub>i</sub></td><td align="center" valign="middle"  colspan="3"  >26.6</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="8"  >3.2) Total for cred<sub>j</sub></td><td align="center" valign="middle"  colspan="2"  >461.8</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Alice calculates ζ<sub>j</sub></td><td align="center" valign="middle"  colspan="3"  >128.7</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >ICA<sub>j</sub> verifies cred<sub>i</sub></td><td align="center" valign="middle"  colspan="3"  >160.3</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Verifyintegrity</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >4.8</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Verify ZKP</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >22.2</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Verify Coefficients</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >133.1</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >ICA<sub>j</sub> issues cred<sub>j</sub></td><td align="center" valign="middle"  colspan="3"  >172.54</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >ICA<sub>j</sub> calculates ζ<sub>j</sub></td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >129.06</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make h</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >8.4</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make a<sub>0</sub></td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >0.02</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make c ′ 0</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >8.4</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make c<sub>0</sub></td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >0.003</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make r<sub>0</sub></td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >0.08</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Make r ′ 0</td><td align="center" valign="middle"  colspan="2"  ></td><td align="center" valign="middle"  colspan="2"  >0.02</td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Alice accepts cred<sub>j</sub></td><td align="center" valign="middle"  colspan="3"  >26.49</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="8"  >3.3) Total for cred<sub>k</sub></td><td align="center" valign="middle"  colspan="2"  >462.0</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Alice calculates ζ<sub>k</sub></td><td align="center" valign="middle"  colspan="3"  >129.2</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >ICA<sub>k</sub> verifies cred<sub>j</sub></td><td align="center" valign="middle"  colspan="3"  >159.3</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >ICA<sub>k</sub> issues cred<sub>k</sub></td><td align="center" valign="middle"  colspan="3"  >147.06</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="6"  >Alice accepts cred<sub>k</sub></td><td align="center" valign="middle"  colspan="3"  >26.28</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="8"  >4) Total for PKG</td><td align="center" valign="middle"  colspan="2"  >158.2</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Verify cred<sub>k</sub></td><td align="center" valign="middle"  colspan="3"  >157.7</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Extract key</td><td align="center" valign="middle"  colspan="3"  >0.5</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="8"  >5) Total for Finalize and Decrypt:</td><td align="center" valign="middle"  colspan="2"  >162.0</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Finalize key:</td><td align="center" valign="middle"  colspan="3"  >3.3</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle"  colspan="7"  >Decrypt:</td><td align="center" valign="middle"  colspan="3"  >158.6</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle"  colspan="7"  >Scalar Multiplication:</td><td align="center" valign="middle"  colspan="3"  >0.34</td><td align="center" valign="middle"  colspan="4"  ></td></tr><tr><td align="center" valign="middle"  colspan="7"  >Modular exponentiation:</td><td align="center" valign="middle"  colspan="3"  >0.06</td><td align="center" valign="middle"  colspan="4"  ></td></tr><tr><td align="center" valign="middle"  colspan="7"  >Mapto Point:</td><td align="center" valign="middle"  colspan="3"  >3.14</td><td align="center" valign="middle"  colspan="4"  ></td></tr><tr><td align="center" valign="middle"  colspan="7"  >Weil Pairing:</td><td align="center" valign="middle"  colspan="3"  >125.45</td><td align="center" valign="middle"  colspan="4"  ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr></tbody></table></table-wrap><p>3.2, the interactive protocol between Alice and ICA<sub>J</sub> for the issuance of cred<sub>j</sub>, and provides a view of the usage of the primitive operations and how the costs of these impact protocol performance.</p><p>The total cost of step 3.2, the issuance of cred<sub>j</sub>, is made up of four parts. Alice’s calculation of the pseudonym ζ<sub>j</sub>, the ICA verification of cred<sub>i</sub>, the issuance of cred<sub>j</sub>, and Alice’s acceptance of cred<sub>j</sub>. The first three parts each require a pairing calculation, at approximately 130 ms. The modular exponentiations require a fraction of that time. Looking at credential issuance and acceptance in steps 3 and 4, over 20 modular exponentiations are required, at a total of 43.5 ms, these making up only 25% of the total 172.54 ms required.</p></sec><sec id="s7"><title>7. Conclusions</title><p>In a Boneh-Franklin Identity Based Encryption (BF-IBE) [<xref ref-type="bibr" rid="scirp.127409-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref4">4</xref>] , the Private Key Generator has significant power, with the ability to derive the decryption keys of the community of users. The community must trust, therefore, that this PKG will not be malicious.</p><p>The recently-introduced Privacy Preserving Identity-based Encryption (“PP-IBE”) [<xref ref-type="bibr" rid="scirp.127409-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.127409-ref2">2</xref>] removes this complete knowledge of the PKG, and distributes it across the PKG and a community of Intermediate Certification Authorities (ICA) who grant identity and pseudonym credentials. In PP-IBE, the generation of decryption keys becomes a collaborative responsibility between the ciphertext recipient and the PKG.</p><p>This paper provides an elaboration of the recent privacy preserving IBE proposed by Adams. We offer a construction and a worked example based on torsion groups within supersingular elliptic curves over F<sub>p</sub> in which p = 2 mod 3, along with their accompanying distortion map. We make extensions to Adams’ algorithms, including a parameter generator, an added digital credential base to support our approach of carrying the Weil or Tate pairing coefficients, and a reuse opportunity between the issuance of identity credentials and pseudonym credentials. We offer a software implementation and a worked numeric example that may be useful to researchers and to students new to this area. We also offer selected discussions into representative-sized parameters for privacy and security properties in an open-world setting.</p></sec><sec id="s8"><title>Conflicts of Interest</title><p>The authors declare no conflicts of interest regarding the publication of this paper.</p></sec><sec id="s9"><title>Cite this paper</title><p>Bissessar, D. and Adams, C. (2023) Construction and Implementation of a Privacy-Preserving Identity-Based Encryption Architecture. Journal of Information Security, 14, 304-329. https://doi.org/10.4236/jis.2023.144018</p></sec><sec id="s10"><title>Appendix—Notation</title></sec><sec id="s11"><title>NOTES</title></sec></body><back><ref-list><title>References</title><ref id="scirp.127409-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Adams, C. (2022) Improving User Privacy in Identity-Based Encryption Environments. Cryptography, 6, Article No. 55. https://doi.org/10.3390/cryptography6040055</mixed-citation></ref><ref id="scirp.127409-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Adams, C. (2022) Security Analysis of a Privacy-Preserving Identity-Based Encryption Architecture. Journal of Information Security, 13, 323-336. https://doi.org/10.4236/jis.2022.134018</mixed-citation></ref><ref id="scirp.127409-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Kumar, M. and Chand, S. (2022) Pairing-Friendly Elliptic Curves: Revisited Taxonomy, Attacks and Security Concern. ArXiv Preprint ArXiv: 2212.01855.</mixed-citation></ref><ref id="scirp.127409-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Barker, E., Barker, W., Burr, W., Polk, W. and Smid, M. (2007) NIST Special Publication 800-57. NIST Special Publication 800-57. National Institute of Standards and Technology, Gaithersburg, 1-142.</mixed-citation></ref><ref id="scirp.127409-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Lübeck, F. (2023) Standard Generators of Finite Fields and Their Cyclic Subgroups. Journal of Symbolic Computation, 117, 51-67. https://doi.org/10.1016/j.jsc.2022.11.001</mixed-citation></ref><ref id="scirp.127409-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Heath, L.S. and Loehr, N.A. (2004) New Algorithms for Generating Conway Polynomials over Finite Fields. Journal of Symbolic Computation, 38, 1003-1024. https://doi.org/10.1016/j.jsc.2004.03.002</mixed-citation></ref><ref id="scirp.127409-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Page, D., Smart, N.P. and Vercauteren, F. (2006) A Comparison of MNT Curves and Supersingular Curves. Applicable Algebra in Engineering, Communication and Computing, 17, 379-392. https://doi.org/10.1007/s00200-006-0017-6</mixed-citation></ref><ref id="scirp.127409-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Miller, V.S. (2004) The Weil Pairing, and Its Efficient Calculation. Journal of Cryptology, 17, 235-261. https://doi.org/10.1007/s00145-004-0315-8</mixed-citation></ref><ref id="scirp.127409-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Lynn, B. (2007) On the Implementation of Pairing-Based Cryptosystems. Stanford University, Stanford.</mixed-citation></ref><ref id="scirp.127409-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Freeman, D., Scott, M. and Teske, E. (2010) A Taxonomy of Pairing-Friendly Elliptic Curves. Journal of Cryptology, 23, 224-280. https://doi.org/10.1007/s00145-009-9048-z</mixed-citation></ref><ref id="scirp.127409-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Galbraith, S.D., Paterson, K.G. and Smart, N.P. (2008) Pairings for Cryptographers. Discrete Applied Mathematics, 156, 3113-3121. https://doi.org/10.1016/j.dam.2007.12.010</mixed-citation></ref><ref id="scirp.127409-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Menezes, A., Vanstone, S. and Okamoto, T. (1991) Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. Proceedings of the 23rd annual ACM symposium on Theory of Computing, New Orleans, 5-8 May 1991, 80-89. https://doi.org/10.1145/103418.103434</mixed-citation></ref><ref id="scirp.127409-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Silverman, J.H. (2009) The Arithmetic of Elliptic Curves. In: Graduate Texts in Mathematics, Vol. 106, Springer, New York. https://doi.org/10.1007/978-0-387-09494-6</mixed-citation></ref><ref id="scirp.127409-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">SageMath (Free Opensource Mathematics Software System).https://www.sagemath.org/</mixed-citation></ref><ref id="scirp.127409-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Brands, S. (2000) Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press, Cambridge. https://doi.org/10.7551/mitpress/5931.001.0001</mixed-citation></ref><ref id="scirp.127409-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Brands, S. (2002) A Technical Overview of Digital Credentials. https://citeseerx.ist.psu.edu/document?repid=rep1&amp;type=pdf&amp;doi=9c2f1b143a9f07e8644aa72d57168638b7f469f4</mixed-citation></ref><ref id="scirp.127409-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">Boneh, D. and Franklin, M. (2003) Identity-Based Encryption from the Weil Pairing. SIAM Journal on Computing, 32, 586-615. https://doi.org/10.1137/S0097539701398521</mixed-citation></ref><ref id="scirp.127409-ref18"><label>18</label><mixed-citation publication-type="book" xlink:type="simple">Boneh, D. and Franklin, M. (2001) Identity-Abased Encryption from the Weil Pairing. In: Kilian, J., Ed., Advances in Cryptology—CRYPTO 2001. CRYPTO 2001. Lecture Notes in Computer Science, Vol. 2139, Springer, Berlin, 213-229. https://doi.org/10.1007/3-540-44647-8_13</mixed-citation></ref></ref-list></back></article>