cross-platform identity-based cryptography using

Cross-platform Identity-based Cryptography using WebAssembly

DOI 1036244ICJ201945

INFOCOMMUNICATIONS JOURNAL

DECEMBER 2019 bull VOLUME XI bull NUMBER 4 31

1

Cross-platform Identity-based Cryptography usingWebAssembly

Adam Vecsi Attila Bagossy and Attila Petho

AbstractmdashThe explosive spread of the devices connected to theInternet has increased the need for efficient and portable cryp-tographic routines Despite this fact truly platform-independentimplementations are still hard to find In this paper an Identity-based Cryptography library called CryptID is introduced Themain goal of this library is to provide an efficient and open-source IBC implementation for the desktop the mobile and theIoT platforms Powered by WebAssembly which is a specificationaiming to securely speed up code execution in various embeddingenvironments CryptID can be utilized on both the client and theserver-side The second novelty of CrpytID is the use of structuredpublic keys opening up a wide range of domain-specific use casesvia arbitrary metadata embedded into the public key Embeddedmetadata can include for example a geolocation value whenworking with geolocation-based Identity-based Cryptography ora timestamp enabling simple and efficient generation of single-use keypairs Thanks to these characteristics we think thatCryptID could serve as a real alternative to the current Identity-based Cryptography implementations

Index TermsmdashPairing-based Cryptography Identity-basedCryptography WebAssembly

I INTRODUCTION

Identity-based cryptography (IBC) is an important branchof public-key cryptography Although its foundations wereestablished in 1985 by Shamir [1] who managed to build anidentity-based signature (IBS) scheme identity-based encryp-tion (IBE) remained an open problem until Boneh and Franklin[2] created their pairing-based scheme in 2001 which was fastenough for practical use

IBCrsquos uniqueness lies in the fact that its public key is astring clearly identifying an individual or organization in acertain domain Such a string can be an email address or ausername The core purpose behind the IBC was to simplifythe certificate management and eliminate the need for certifi-cation authorities In a standard scenario when employing thepublic key infrastructure (PKI) the key is bound to its userrsquosidentity with a public key certificate however with IBC theuserrsquos identity is the public key itself thus there is no need fora certificate Despite this advantage IBC still requires trustedthird-party servers as private key generation and distributioncan only be done by a so-called private key generator (PKG)

Manuscript submitted October 30 2019 This work was partially supportedby the construction EFOP-363-VEKOP-16-2017-00002 The project wassupported by the European Union co-financed by the European Social FundResearch of A Vecsi and A Petho was partially supported by the 2018-121-NKP-2018-00004 Security Enhancing Technologies for the Internet of Thingsproject

The authors are with the Department of Computer ScienceUniversity of Debrecen H-4028 Debrecen Kassai str 26 (emailsin order vecsiadaminfunidebhu bagossyattilainfunidebhuPethoAttilainfunidebhu)

One can find several IBC implementations on the Internet[3] [4] [5] [6] However most of these libraries are focusedon a single platform as their target Unfortunately applicationsdeveloped for one specific platform can not be directly adaptedfor different use In our opinion this is a disadvantage of theselibraries because nowadays there is an increasing numberof mobile devices connecting to the Internet making use ofapps or web-based services Our motivation was to create across-platform portable IBC solution targeting a large poolof diverse devices that are capable to maintain an internetconnection

One popular technology for development with such goalsis JavaScript One early library of IBC is WebIBC [3] whichwas developed in 2008 using JavaScript The authors of thepaper concluded that the web browsers and the JavaScriptenvironment were not powerful enough to implement a stan-dard IBC library which is based on pairing because it isrdquotoo complex and overkillrdquo Instead they built a combinedscheme which requires much less computation-power and yetthe performance on a desktop was barely satisfying (15-25seconds on average for encryption using a 192-bit integer asthe key)

Of course since 2008 the performance of JavaScript en-gines significantly increased An article written by a developerof the V8 JavaScript engine [7] points out that the performanceof V8 quadrupled over the last ten years which may inspireus to give a chance to implement a standard IBC library withthe listed goals using JavaScript However over the years anew technology called WebAssembly came into the picturewhich seems even more promising

Developed by the W3C WebAssembly Community Groupsince 2015 WebAssembly is a virtual instruction set architec-ture aiming to provide a basis for fast computations on theweb while also giving a solution which is embeddable intoany environment [8] Albeit being a quite young technologyalready 86 of the internet users have a compatible browserenjoying its benefits [9] Therefore we can consider thistechnology as a promising choice for the development of across-platform IBC solution

In this paper we will introduce our open source solutionfor a cross-platform IBC implementation using WebAssemblyThe source code is available at httpsgithubcomcryptid-orgwhile a consumable NPM package can be downloaded fromhttpswwwnpmjscompackagecryptidcryptid-js Our so-lution called CryptID is on the one hand small enough tobe stored on devices with limited storage capacity while onthe other hand its performance is acceptable even on deviceswith limited computational power Our experiments proved

(complexrandom) linear layer for signatures with secretlinear layer Note that while this eliminates some of thesparsity from the system the block structure related tocipher rounds remains the same

bull Decompose larger S-boxes to individual AND gates andcall these AND gates new S-boxes In this case wecreate a MRHS system with right-hand sides consist-ing of sets related to AND gates consisting of triples000 010 100 111 Signer produces a vector of bits oflength 2m and verifier just appends bits that are productsof successive pairs and verifies the coset System matrixin this case is more complex as individual IO bits onindividual AND gates need to be expressed as linear com-binations of variables This is also the main disadvantageof the system system matrix becomes excessively largeincreasing the size of the public key

bull Use a different cipher design Eg a wide cipher with alarge branch number could have a complex enough linearlayer in each round If we study Figure 4 we can see thatthe main problem is that S-box inputs from one roundare only connected to S-box outputs from the previousrounds If we do not need the encryption algorithm tobe reversible (eg for a use in stream cipher mode) wecan propagate some internal bits to multiple rounds Notethat this must be done carefully to avoid enabling linearor differential attacks on the underlying cipher

bull Would it be possible to hide some information Eg wemight consider what would happen if we only includeodd numbered rounds in the signature The MRHS systemis still present and the signature system works correctlyMain difference is that here are now fewer blocks ofM and parity check matrix has smaller dimension (ifwe remove half of blocks dimension becomes zero)This means there would be false solutions and multiplesignatures per message hash It is not clear whether thereis a suitable trade-off when removing selected blockswould actually improve the security

Implementing some of these solutions can also solve prob-lems with structural attacks based on known signatures How-ever we believe that provably secure scheme can only beobtained with a carefully designed block cipher with a goal ofproviding signatures (through our general scheme) along withsymmetric encryption

VII CONCLUSIONS

In this paper we have presented a new concept of signaturescheme based on symmetric cipher design whose signatureand verification algorithm are comparable in complexity tosymmetric encryption Parameters of the system and its con-nection to symmetric ciphers are quite favourable to considerit for future use

The proposed design should be not be considered a securesignature scheme as our assumptions are heuristic The sig-nature scheme relies on hardness of the decoding problem MRHS problem Moreover if the signature system aspresented here is instantiated by current cipher designs (suchas AES) it would presumably not attain the required security

due to structural attacks We have proposed some optionson how to further hide the inner structure of the encryptionsystem but all of these options require further research Webelieve that the most promising direction is to design a specificsymmetric cipher that will support solid security arguments forthe proposed scheme

ACKNOWLEDGMENT

The authors would like to thank anonymous reviewers of theCentral European Conference on Cryptology for the commentson the first proposal of this scheme that led to identificationof some types of attacks on the scheme

REFERENCES

[1] A Hulsing D J Bernstein et al ldquoSphincs+rdquo 2018 [Online]Available httpssphincsorg

[2] G Zaverucha M Chase et al ldquoThe Picnic signature algorithmrdquo 2018[Online] Available httpsmicrosoftgithubioPicnic

[3] S Chow P Eisen H Johnson and P C Van Oorschot ldquoWhite-boxcryptography and an aes implementationrdquo in International Workshopon Selected Areas in Cryptography Springer 2002 pp 250ndash270 doi1010073-540-36492-7 17

[4] J Ding and B-Y Yang ldquoMultivariate public key cryptographyrdquo in Post-quantum cryptography Springer 2009 pp 193ndash241 doi 101007978-3-540-88702-7 6

[5] H Raddum and I Semaev ldquoSolving multiple right hand sides linearequationsrdquo Design Codes and Cryptography vol 49 no 1 pp 147ndash160 2008 doi 101007s10623-008-9180-z

[6] M R Albrecht C Rechberger T Schneider T Tiessen and M ZohnerldquoCiphers for mpc and fherdquo in Advances in CryptologyndashEUROCRYPT2015 Springer 2015 pp 430ndash454 doi 101007978-3-662-46800-5 17

[7] J Daemen and V Rijmen The design of Rijndael AES-the advancedencryption standard Springer Science amp Business Media 2013

[8] H Raddum and P Zajac ldquoMRHS solver based on linear algebra andexhaustive searchrdquo Journal of Mathematical Cryptology vol 12 no 3pp 143ndash157 2018 doi 101515jmc-2017-0005

[9] P Zajac ldquoMRHS equation systems that can be solved in polynomialtimerdquo Tatra Mountains Mathematical Publications vol 67 no 1 pp205ndash219 2016 doi 101515tmmp-2016-0040

[10] The Sage Developers SageMath the Sage Mathematics Software System(Version 72) 2016 httpwwwsagemathorg

[11] P Zajac ldquoConnecting the complexity of MQ-and code-based cryptosys-temsrdquo Tatra Mountains Mathematical Publications vol 70 no 1 pp163ndash177 2017 doi 101515tmmp-2017-0025

[12] N T Courtois M Finiasz and N Sendrier ldquoHow to achieve aMcEliece-based digital signature schemerdquo in International Conferenceon the Theory and Application of Cryptology and Information SecuritySpringer 2001 pp 157ndash174 doi 1010073-540-45682-1 10

[13] M Baldi QC-LDPC code-based cryptography Springer Science ampBusiness 2014

Pavol Zajac received PhD in applied mathematics from Slovak Universityof Technology in Bratislava in 2008 His research interest is mathematicalcryptography see httpsscholargooglecomcitationsuser=kutD0ZsAAAAJfor a list of publications Currently he is a full professor at Slovak Universityof technology working on problems related to post-quantum cryptography

Peter Spacek is a PhD student under supervision of Pavol Zajac His researchfocus is on post-quantum cryptography and its adaptation into real worldapplications


Aacutedaacutem Veacutecsi Attila Bagossy and Attila Pethő

AbstractmdashThe explosive spread of the devices connected to the Internet has increased the need for efficient and portable cryptographic routines Despite this fact truly platform-independent implementations are still hard to find In this paper an Identitybased Cryptography library called CryptID is introduced The main goal of this library is to provide an efficient and opensource IBC implementation for the desktop the mobile and the IoT platforms Powered by WebAssembly which is a specification aiming to securely speed up code execution in various embedding environments CryptID can be utilized on both the client and the server-side The second novelty of CrpytID is the use of structured public keys opening up a wide range of domain-specific use cases via arbitrary metadata embedded into the public key Embedded metadata can include for example a geolocation value when working with geolocation-based Identity-based Cryptography or a timestamp enabling simple and efficient generation of singleuse keypairs Thanks to these characteristics we think that CryptID could serve as a real alternative to the current Identitybased Cryptography implementations

Index Termsmdash Pairing-based Cryptography Identity-based Cryptography WebAssembly

1





I INTRODUCTION










1





I INTRODUCTION










(complexrandom) linear layer for signatures with secretlinear layer Note that while this eliminates some of thesparsity from the system the block structure related tocipher rounds remains the same

bull Decompose larger S-boxes to individual AND gates andcall these AND gates new S-boxes In this case wecreate a MRHS system with right-hand sides consist-ing of sets related to AND gates consisting of triples000 010 100 111 Signer produces a vector of bits oflength 2m and verifier just appends bits that are productsof successive pairs and verifies the coset System matrixin this case is more complex as individual IO bits onindividual AND gates need to be expressed as linear com-binations of variables This is also the main disadvantageof the system system matrix becomes excessively largeincreasing the size of the public key

bull Use a different cipher design Eg a wide cipher with alarge branch number could have a complex enough linearlayer in each round If we study Figure 4 we can see thatthe main problem is that S-box inputs from one roundare only connected to S-box outputs from the previousrounds If we do not need the encryption algorithm tobe reversible (eg for a use in stream cipher mode) wecan propagate some internal bits to multiple rounds Notethat this must be done carefully to avoid enabling linearor differential attacks on the underlying cipher

bull Would it be possible to hide some information Eg wemight consider what would happen if we only includeodd numbered rounds in the signature The MRHS systemis still present and the signature system works correctlyMain difference is that here are now fewer blocks ofM and parity check matrix has smaller dimension (ifwe remove half of blocks dimension becomes zero)This means there would be false solutions and multiplesignatures per message hash It is not clear whether thereis a suitable trade-off when removing selected blockswould actually improve the security

Implementing some of these solutions can also solve prob-lems with structural attacks based on known signatures How-ever we believe that provably secure scheme can only beobtained with a carefully designed block cipher with a goal ofproviding signatures (through our general scheme) along withsymmetric encryption

VII CONCLUSIONS

In this paper we have presented a new concept of signaturescheme based on symmetric cipher design whose signatureand verification algorithm are comparable in complexity tosymmetric encryption Parameters of the system and its con-nection to symmetric ciphers are quite favourable to considerit for future use

The proposed design should be not be considered a securesignature scheme as our assumptions are heuristic The sig-nature scheme relies on hardness of the decoding problem MRHS problem Moreover if the signature system aspresented here is instantiated by current cipher designs (suchas AES) it would presumably not attain the required security

due to structural attacks We have proposed some optionson how to further hide the inner structure of the encryptionsystem but all of these options require further research Webelieve that the most promising direction is to design a specificsymmetric cipher that will support solid security arguments forthe proposed scheme

ACKNOWLEDGMENT

The authors would like to thank anonymous reviewers of theCentral European Conference on Cryptology for the commentson the first proposal of this scheme that led to identificationof some types of attacks on the scheme

REFERENCES

[1] A Hulsing D J Bernstein et al ldquoSphincs+rdquo 2018 [Online]Available httpssphincsorg

[2] G Zaverucha M Chase et al ldquoThe Picnic signature algorithmrdquo 2018[Online] Available httpsmicrosoftgithubioPicnic

[3] S Chow P Eisen H Johnson and P C Van Oorschot ldquoWhite-boxcryptography and an aes implementationrdquo in International Workshopon Selected Areas in Cryptography Springer 2002 pp 250ndash270 doi1010073-540-36492-7 17

[4] J Ding and B-Y Yang ldquoMultivariate public key cryptographyrdquo in Post-quantum cryptography Springer 2009 pp 193ndash241 doi 101007978-3-540-88702-7 6

[5] H Raddum and I Semaev ldquoSolving multiple right hand sides linearequationsrdquo Design Codes and Cryptography vol 49 no 1 pp 147ndash160 2008 doi 101007s10623-008-9180-z

[6] M R Albrecht C Rechberger T Schneider T Tiessen and M ZohnerldquoCiphers for mpc and fherdquo in Advances in CryptologyndashEUROCRYPT2015 Springer 2015 pp 430ndash454 doi 101007978-3-662-46800-5 17

[7] J Daemen and V Rijmen The design of Rijndael AES-the advancedencryption standard Springer Science amp Business Media 2013

[8] H Raddum and P Zajac ldquoMRHS solver based on linear algebra andexhaustive searchrdquo Journal of Mathematical Cryptology vol 12 no 3pp 143ndash157 2018 doi 101515jmc-2017-0005

[9] P Zajac ldquoMRHS equation systems that can be solved in polynomialtimerdquo Tatra Mountains Mathematical Publications vol 67 no 1 pp205ndash219 2016 doi 101515tmmp-2016-0040

[10] The Sage Developers SageMath the Sage Mathematics Software System(Version 72) 2016 httpwwwsagemathorg

[11] P Zajac ldquoConnecting the complexity of MQ-and code-based cryptosys-temsrdquo Tatra Mountains Mathematical Publications vol 70 no 1 pp163ndash177 2017 doi 101515tmmp-2017-0025

[12] N T Courtois M Finiasz and N Sendrier ldquoHow to achieve aMcEliece-based digital signature schemerdquo in International Conferenceon the Theory and Application of Cryptology and Information SecuritySpringer 2001 pp 157ndash174 doi 1010073-540-45682-1 10

[13] M Baldi QC-LDPC code-based cryptography Springer Science ampBusiness 2014

Pavol Zajac received PhD in applied mathematics from Slovak Universityof Technology in Bratislava in 2008 His research interest is mathematicalcryptography see httpsscholargooglecomcitationsuser=kutD0ZsAAAAJfor a list of publications Currently he is a full professor at Slovak Universityof technology working on problems related to post-quantum cryptography

Peter Spacek is a PhD student under supervision of Pavol Zajac His researchfocus is on post-quantum cryptography and its adaptation into real worldapplications


DECEMBER 2019 bull VOLUME XI bull NUMBER 432


3

ID is the userrsquos identity and sQID the corresponding secretkey

There are already multiple types of implementations ofthe IBE The most popular variants are based on factoringdiscrete logarithm or pairing The first implementation worthmentioning is the Cocks IBE [13] which is based on integerfactorization and the quadratic residuosity problem Unfor-tunately this solution produces long ciphertexts and suffersfrom long runtimes rendering it inadequate for practical useThe real break-through came with the Boneh-Franklin IBE[2] which is based on pairing This scheme is appropriate forpractical use but there exist other well-known IBE schemeswith better performance such as the Boneh-Boyen IBE [14]Sakai-Kasahara IBE [15] and TinyIBE [4]

The standard IBS scheme is similar to the IBE scheme byitrsquos structure The first schemes were based on factoring orRSA [1] [16] [17] but these were not practical Nowadaysthe ones based on pairing seem to be the preferred schemesfor instance [18] [19] to name a few

To assess the security provided by the schemes BellareNamprempre and Neven compared most of the existing IBSschemes with their framework [20]

C WebAssembly

In this section we would like to provide a short overview ofWebAssembly which is the key technology behind our work

During the past decades the Web has become a ubiquitousapplication platform allowing developers to target a hugeaudience of users in a platform-independent manner Thus onecan see more and more use cases for the Web platform evenin computation-intensive niches such as games computer-aided design or audio and video manipulation software Onthe other hand efficient and at the same time secure codeexecution remained an issue technologies such as ActiveX[21] PNaCl [22] or asmjs [23] failed to consistently deliverthese properties

Therefore a new Web specification WebAssembly hasborn aiming to securely speed up code execution on the Web[24] The design goals of WebAssembly revolve around twokey points semantics and representation [8]

1) Design Goals Regarding semantics WebAssemblyaims to execute code with near-native performance in a safesandboxed environment while being hardware- language- andplatform-independent As WebAssembly can be seen as acompilation target language-independence means the lack ofa privileged programming or object model

Considering representation WebAssembly offers a compactmodular binary format that can be efficiently decoded vali-dated and compiled The specification also considers streamingand parallel compilation of modules

2) Targeting WebAssembly Several popular programminglanguages offer WebAssembly as a compilation target suchas CC++ Rust or C As our library is written in C here wewould only cover targeting facilities for that case

Emscripten is a compiler toolchain built on top of LLVMthat can create WebAssembly modules from C and C++source files [25] [26] It should be noted however that

Emscripten is capable of much more than simply emittingWebAssembly modules As the browser (which is the maintarget of Emscripten) is a vastly different environment thanthe one assumed by most C applications Emscripten offersthe Emscripten Runtime Environment including for examplea virtual file system libc and libcxx implementations andtailored input and output handling

3) Embedding WebAssembly Despite its nameWebAssembly was designed considering server-sidedeployments from the ground up The specification explicitlystates openness as one of its design goals which is achievedby providing a small well-defined interface between thehost environment and the WebAssembly semantics Since thebirth of the specification several server-side runtimes haveappeared such as Lucet [27] or Wasmer [28]

Regarding Emscripten we have previously highlighted thatit provides its own runtime environment in the browser Asthe WebAssembly specification does not cover interfacingwith system resources (such as files) currently each host hasto define its own incompatible runtime environment In thefuture this is going to change since the WebAssembly SystemInterface (WASI) specification aims to cover this area [29]

III CRYPTID

In most of the cases it is not obvious how to implement areliable cryptosystem even if a mathematically proved securecryptography protocol is available to build on During theimplementation it is easy to make mistakes that open vul-nerabilities These vulnerabilities could come from program-ming negligence (incorrect input validation) or mathematicalinattention ignorance (using unsafe elliptic curves)

Most of the mistakes could be prevented by using thestandards during the implementation In the case of IBCmultiple standards assist and guide the implementation [30][31] [32] [33] [34] [35]

This section of the paper is about our solution calledCryptID which is in brief an IBC implementation based onthe RFC 5091 Nevertheless it is not just a usual implemen-tation its novelty can be approached from two directions

The novelty in the implementation is that CryptID is basedon WebAssembly Thanks to this property CryptID is ableto work on both the server-side and the client-side or evencompletely separated from the web providing a truly cross-platform and efficient IBC solution

The novelty in the IBC scheme can be found in the publickey CryptID uses structured public keys which may containany kind of metadata with the identity string This opens upmany kinds of domain-specific opportunities For example ifthe current time is part of the metadata then the keypair isdevised for one-time use

A Cross-platform operation

With CryptID we wanted to create a library which providesefficient client-side IBC mainly targeting web browsers Fur-thermore we intended to implement a solution that can be usedon the server-side and even on IoT and alike The motivationbehind this was that we did not know about any open source

2

that public key solutions based on IBC are similarly efficientas those which are based on the PKI However the formerprovides additional possibilities thanks to the properties of thepublic key

The rest of the paper is organized as follows Section IIcontains some discussion about the relevance of IBC andWebAssembly and also describes Pairing-based cryptographyand the standard IBC scheme Our IBC implementation andits novelties are presented in Section III Afterward SectionIV outlines the performance of our library on multiple plat-forms Section V gives a conclusion and contains some futuredevelopment plans

II PRELIMINARIES

A Pairing

For q = pk with a prime p denote Fq the finite field withq elements Let E = E(Fq) be an elliptic curve over Fq Forthe subgroup G1 sube E the mapping e G1 timesG1 rarr Fq with ge 1 is called pairing ifbilinear For all PQ isin G1 and for all a b isin Zlowast

q we havee(aP bQ) = e(PQ)ab

non degenerated If P is a non-zero element of G1 thene(P P ) generate Fq

Pairing is a rich theory and has numerous applicationsin cryptography see the book of Cohen et al [10] Its firstcelebrated application is due to Menezes Okamoto and Van-stone [11] who proved that for supersingular elliptic curvesthe discrete elliptic logarithm problem can be reduced inpolynomial time to a discrete logarithm problem To prove thisresult they used the efficiently computable Weil pairing Toavoid technical difficulties we do not define the Weil pairingbut refer to the paper of Boneh and Franklin [2] There youmay find not only the exact definition of the Weil pairing butalso its application to the identity based cryptography

B Identity-based Cryptography

In a public-key cryptography system one very importanttask is key management Nowadays it is mostly handled bythe PKI which seems to work well however it has someshortcomings In the white paper published by Micro FocusInternational plc [12] six important requirements are specifiedfor enterprise key management

bull Deliver encryption keysbull Authenticate users and deliver decryption keysbull Jointly manage keys with partnersbull Deliver keys to trusted infrastructure componentsbull Recover keysbull Scale for growth

The paper also clearly points out the shortcomings of the PKIIn many ways it is difficult to use implement and manageThis difficulty mainly comes from the need of maintainingenormous databases which can be compromised or damagedleading to severe data breaches or data loss Additionallymaintaining such databases can get very expensive

IBC may offer an obvious solution to these problems IBCis a type of public-key cryptography in which the public key

is a string clearly identifying an individual or organization ina certain domain It is important to mention that not just theidentifier can be arbitrary but also the domain which specifiesthe scope of the identifier This domain can be a global oreven a local one with only a few people in it

The attractiveness of IBC comes from the previously men-tioned properties of the public key making it possible to estab-lish systems without certification authorities and with simplerkey management Thus IBC satisfies all six requirements ina cost-effective and user-accessible way

From the point of this paper two applications of IBCare relevant encryption (IBE) and digital signature creation(IBS) Figure 1 shows how a standard IBE scheme worksThe main participants are as follows those want to exchangeencrypted messages with each other and a third party whichhandles the authentication and the private key generation Forauthentication purposes any already deployed resource can bereused since this aspect is not limited by the scheme itselfThe private key generation is performed by a trusted thirdparty called the Private Key Generator (PKG)

Fig 1 How IBE works

The IBE scheme is based on four algorithms

bull Setup Responsible for the initialization of the systemIt generates the public parameters of the system and themaster secret

bull Extract This is the algorithm for calculating the privatekey from the public parameters the userrsquos identity andthe master secret

bull Encrypt The algorithm for message encryption It pro-duces a ciphertext from the public parameters of thesystem the public key and the plaintext message

bull Decrypt The algorithm for message decryption It usesthe public parameters of the system a private key gener-ated by the PKG and an encrypted message

It should be noted that Encrypt and Decrypt are the inverseof each other This means if the message space is M thenforallM isin M Decrypt(Encrypt(M ID) sQID) = M where




3





C WebAssembly











III CRYPTID








2



II PRELIMINARIES

A Pairing













Fig 1 How IBE works










5

an element of Fp2 The implementation is based on Lynnrsquosdissertation [42] and Martinrsquos book [43]

Identity-based cryptography The IBC routines are em-bedded into this layer It includes the implementation ofthe Boneh-Franklin IBE [2] and the Hess IBS [18] It alsocontains some miscellaneous helper functions like an SHAimplementation based on the RFC 6234 standard [44] andother hash functions based on SHA

WasmJavaScript interoperability The previous three lay-ers together form an IBC implementation which can evenbe consumed by native applications without the need forWebAssembly compilation However when targeting the Webthese layers are hidden behind a JavaScript interface as aWebAssembly module

This abstraction is not absolutely necessary because theWebAssembly embedding environment allows to call the func-tions of the module directly However CryptID is designed forthose embedding environments which grant the WebAssemblymodule calls via JavaScript Such environments include webbrowsers or Nodejs This way CryptID can be called likeany other JavaScript library rendering WebAssembly a simpleimplementation detail for clients

To support this approach it is crucial to implement aninteroperability layer which is responsible for the followingtasks

bull Wrapping the C functions To make the C functionscallable from JavaScript they need to be wrapped withthe cwrap function of Emscriptenrsquos Module object

bull Conversion between datatypes In our case two conver-sions were necessary in both cases back and forth Thefirst one is the converson of GMPrsquos mpz t big numbertype to JavaScript strings The other one is the conversionbetwen raw C byte arrays and JavaScript ArrayBuffers

bull Bidirectional dataflow It is not possible to use complextypes like structs as parameters or return values so theonly way to exchange values is to copy between theisolated memory spaces accessible to JavaScript and toWebAssembly

JavaScript interface The JavaScript interface is a group offunctions and datatypes which are public for outside clientsWhile previous layers can all be seen as implementationdetails this layer is the actual interface that clients mayconsume

Besides being a facade to lower layers this layer has furtherresponsibilities

bull Input validation Being the public interface of the librarythis is the only point where invalid input may enter intothe system Such values include null values or objects andstrings with incorrect structure Thanks to the validationperformed by this layer malformed values cannot formthe basis of any computation

bull Key conversion One of CryptIDrsquos novelties was thestructured public key which is able to contain any kind ofmetadata Currently structured public keys are handled inthe interoperability layer as JSON values As there can bemultiple JSON representations of the semantically sameinformation it is an important task to always convertJSON strings with the same content to the same bitstream

Our solution is to first create a new JavaScript objectfrom the JSON string with keys added in alphabet-ical order Afterwards JSONstringify is calledon this object to produce a new JSON string SinceJSONstringify is guaranteed to preserve the origi-nal key addition order when producing JSON documentswe will always get the same bitstream from documentswith the same keys Thanks to this solution the lowerlayers do not need to know anything about the structureof the public key

IV PERFORMANCE

In the next section the performance of the CryptID libraryis covered We ran several benchmarks in multiple differentenvironments while exercising the most performance-criticalparts of the codebase Where appropriate we also comparedthe performance of our solution with the native version ofother well-established libraries The IBS scheme is based onthe same algorithms as the IBE protocol so itrsquos performanceevaluation is not included in the paper but the main resultsare identical

First we briefly outline the benchmark environments whichis followed by a detailed description of the performed exper-iments and their results

A Environments

Proving the platform-independent nature of our librarywe aimed to benchmark it on a variety of platforms andWebAssembly embedders On the desktop we performedexperiments in three different embedders (Mozilla FirefoxGoogle Chrome Nodejs) and we also included the perfor-mance of the native version of the library as a baseline resultThe exact hardware and software specifications can be seen inTable I Regarding the mobile we executed measurements ina single embedder (Google Chrome) Detailed specificationsare available in Table II

On all platforms we used the Google Benchmark library[45] for our experiments An experiment comprises twentyperformance tests where each test contains multiple execu-tions of the same code on the same input The result of theexperiment is calculated as the average of the execution timesInputs were chosen randomly for the four RFC defined securitylevels shown in Table III Here p is the order of the base finitefield the elliptic curve is defined over while k stands for theRSA keylength providing comparable security [46]

Parameter ValueModel Dell Inspiron 5567 (2017)CPU i7-7500U 27 GHzOS Ubuntu 16044 LTSemscripten 1388gcc 540 20160609Nodejs v891Firefox Quantum 6203

TABLE I Desktop hardware and software configuration

4

IBC implementation which is out-of-the-box compatible withthese platforms

Earlier the only technology which was able to servethese needs was JavaScript Unfortunately JavaScript is farfrom ideal regarding the performance of computation-intensivetasks which is just made worse by the fact that every browserhas different optimizations meaning if something runs fastin one browser it may be slow in the other One solutionfor this problem is asmjs [23] which is a carefully choseneasy-to-optimize subset of JavaScript However asmjs is nota well-established standard

WebAssembly on the other hand is a great choice forprojects like CryptID because it is designed from the groundup as a performance and secure target platform MoreoverWebAssembly made it possible for us to use GMP [36] asour arbitrary-precision arithmetic library providing a stablethoroughly tested foundation to our library

B Structured public key

As was written earlier the essence of IBC is that thepublic key clearly identifies an individual in a certain domainFurthermore Boneh and Franklin in their work [2] mentionedthat the public keys are expandable with any kind of metadataIt can be for example a year which assigns a limited periodof validity to the public and private keys In that paper theysimply concatenate the metadata to the identifier

rdquobobcompanycom current-yearrdquo

In our opinion this is a brilliant idea with one serious flawBy using concatenation flexibility suffers greatly everythingneeds to be in a fixed order Of course this cannot be changedas the public key needs to be the same on the bit-level bothat encryption and extraction time This could be a possiblepoint of failure especially if there are plenty of metadataconcatenated

One solution to this is to add an extra step to the protocolbefore we use the public key If we convert the public key toJSON we can accept arbitrary-ordered JSON documents fromthe clients The idea is simple as the order of keys in a JSONobject does not carry any meaning we are free to reorder themWhen given a public key we always use the same key-sortingalgorithm making it possible to feed bit-accurate public keysto the rest of the protocol Thus the clients of CryptID do notneed to worry about the way they structure the public key

Of course this solution is only applicable to standard IBCprotocols There are schemes that are using more flexiblepublic keys and do not require complete bit-accuracy Thefirst work related to this idea was presented by Sahai andWaters [37] This idea opened an entire branch of protocolswhich are focusing on the idea that decryption should bepossible for users who own a public key that is not bit-accurate to the key used for encryption but satisfies somekind of rules This way it is possible to target a group of userswith single encryption The branch is called Attribute-basedEncryption which has two papers containing the fundamentalsand both approaches the problem from different ways Oneis Key Policy Attribute-based Encryption [38] and the other

is Ciphertext Policy Attribute-based Encryption [39] Besidesthere are some IBC protocols too with the same essentials[40] [41]

Unfortunately most of the protocols that are targetingmultiple users with a single encryption suffer from the sameproblem The more flexibility the encryption provides themore computation is required by the clients which results inslower encryption andor decryption

C Library structure

CryptID can be divided into two main componentsCryptIDwasm which is a WebAssembly module containingthe IBC routines The source code is written in C and iscompiled to WebAssembly via Emscripten The second partof the library is CryptIDjs which is a wrapper on top of theWebAssembly module written in JavaScript It provides aneasy to use interface for the developers

The library formed by these parts can in turn be dividedinto five smaller layers shown in Figure 2

Fig 2 The structure of CryptID

Elliptic-curve arithmetics Most of the popular IBCschemes are based on elliptic-curve cryptography so the corepart of our library is the elliptic-curve arithmetics The reasonbehind writing our own implementation is that we could notfind a third-party solution that is well-tested and compilableto WebAssembly As our routines were designed and testedwith WebAssembly in mind we could be sure that they wouldoperate correctly in this environment

This layer is optimized to Type-1 curves as recommendedin the RFC 5091 The class of curves of Type-1 is defined asthe class of all elliptic curves of equation E(Fp) y

2 = x3+1for all primes p equiv 11(mod 12) This class forms a subclassof the class of supersingular curves

To represent big numbers we are using the GMP [36]arithmetic library The elliptic-curve points are representedon the affine plane The layer contains only the necessarymethods namely point doubling point addition and pointscalar multiplication

Pairing-based cryptography The majority of IBC protocolsare using the pairing operation As the RFC 5091 recommendsthis layer provides a custom implementation of the Tatepairing The implementation maps two points of E(Fp) to




5














IV PERFORMANCE



A Environments





4












C Library structure












6

Parameter ValueModel Nokia 61 TA-1043CPU Qualcomm Snapdragon 630 22 GHzOS Android 810 - Kernel 4478-perf+Chrome for Mobile 680344091

TABLE II Mobile hardware and software configuration

Security Level p bitlength k

LOWEST 512 1024LOW 1024 2048MEDIUM 1536 3072HIGH 3840 7680

TABLE III Security levels and values for appropriateparameters as stated in RFC 5091

B Benchmark Results

1) Elliptic Curve Scalar Multiplication Considering theelliptic curve arithmetics the scalar multiplication of ellipticcurve points is a key operation to IBE This operation can befound in a vast number of libraries from which we choseMIRACL [5] and PARI [47] for our benchmarks becausethese are well-known and thoroughly tested solutions In ourexperiments we compared the performance of four differentconfigurations native MIRACL native PARI native CryptIDand CryptID WebAssembly (Nodejs)

In Figure 3 we graphed the benchmark results on a loga-rithmic scale where the vertical axis represents the runtime innanoseconds It is clear that MIRACL is several magnitudesfaster than any other solution On the other hand we wouldlike to highlight that the native version of CryptID is justa little behind PARI which is promising Being this closeresults from the same choice of algorithm (double-and-add)and arithmetic library (GMP) In the case of the WebAssemblyversion a somewhat consistent performance penalty can be no-ticed compared to the native version As the specification andthe implementations mature we expect this gap to decreasegradually

Fig 3 Performance comparison of elliptic curve scalarmultiplication solutions

2) Encrypt CryptID was primarily designed for client-sideuse cases where encryption and decryption take place on theuserrsquos device Optimizing the performance of these operationsis crucial as we expect them to executed be frequently in awide variety of browsers and devices Thus we first measured

the runtime of the encrypt method in four different config-urations desktop Nodejs desktop Firefox browser desktopChrome browser and again desktop native as a baseline

The logarithmically graphed results can be seen in Figure4 where the vertical axis represents the runtime in millisec-onds On the desktop the same sized performance gap ispresent between the native and WebAssembly versions asin the case of elliptic curve scalar multiplication Executingthe WebAssembly code is consistently three to four timesslower than the native program However we were quitesurprised to discover that our experiments took approximatelythe same time to finish in Nodejs and Firefox consideringthe difference between the WebAssembly runtimes of theseenvironments

Fig 4 Performance comparison of the encrypt function inacross various environments

Unfortunately encryption on the mobile is around four tofive times slower than on the desktop The difference resultsfrom the gap between desktop and mobile computationalpower In spite of that execution time of the low and mediumsecurity level can still be considered acceptable in practice

3) Components of Encrypt After outlining and comparingthe performance of the encrypt operation in different envi-ronments we would also like to further break this operationdown into smaller components The pie charts of Figure 5show the results of profiling an experiment on a high inputin the desktop Firefox environment

Fig 5 Profiling results of a single encrypt execution onHIGH input in the desktop Firefox environment

The run time of encrypt is impacted by the performanceof the Tate pairing and the HashToPoint function As itcan be seen on the bottom right chart the execution time

6






B Benchmark Results












6






B Benchmark Results












7

of the latter is approximately equivalent to that of a singleelliptic curve scalar multiplication Regarding the Tate pairingmodular exponentiation and multiplicative inverse have thelargest influence on the performance

4) Decrypt We also performed experiments on the de-crypt function in the same configurations as in the case ofencryption Based on the previous tests we already had anapproximate expectation regarding the performance of thisfunction

The actual results are shown in Figure 6 graphed on alogarithmic scale Just as expected the native desktop versionhas the best performance while desktop Firefox is on parwith Nodejs The performance gaps are of the same size asobserved in the case of encryption

Fig 6 Performance comparison of the decrypt function inacross various environments

Comparing the performance of decryption and encryptionone can notice that decrypt runs for two-thirds of the run timeas of encrypt This is caused by the fact that decrypt is equalto a single execution of the Tate pairing

V CONCLUSION AND FUTURE WORK

We created a novel IBC library which serves as a realalternative to the current implementations One of the li-braryrsquos unique characteristics lies in its portability Thanks toWebAssemblyrsquos platform-independent nature CryptID offersan IBC solution on desktop mobile and IoT The portabilityis combined with simple integrability which makes for anappealing application development experience CryptID alsoextends the already appealing identity-based public keys withoptional metadata in a structured easy-to-manage way givingan opportunity for many domain-specific use cases

Several applications can be built on the above-mentionednovelties of the library The client-side execution of the crypto-graphic functions provides a secure use of IBC for example asa secure e-mail service Besides the domain-specific optionsstructured public keys can also be used for the creation ofsingle-use public keys which is another important potentialapplication of the library

Considering future work there are multiple possibilities toimprove the performance of the library With the implementa-tion of better-performing arithmetic functions we can optimizeCryptID Our main goal is to improve the elliptic-curve arith-metic layer with the implementation of the Heuberger-Mazzoli

scalar multiplication [48] and with some useful tricks likeprecalculations

Furthermore another direction is the binary size reductionEven though our bare library itself is lightweight our de-pendency on GMP increases the linked binary size to a fewhundred kilobytes Unfortunately dropping this dependencywould cost us a lot of work thus we are thinking of dif-ferent approaches Such an approach for example is calledtree-shaking which means the disposal of the unused codepotentially reducing the size of the linked binary even further

ACKNOWLEDGMENT

We would like to thank the anonymous referees for theirthoughtful comments and efforts towards improving ourmanuscript

COMPETING INTERESTS

The authors declare that they have no competing interests

REFERENCES

[1] A Shamir ldquoIdentity-based Cryptosystems and Signature Schemesrdquo inProceedings of CRYPTO 84 on Advances in Cryptology New YorkNY USA Springer-Verlag New York Inc 1985 pp 47ndash53 [Online]Available httpdlacmorgcitationcfmid=1947819483

[2] D Boneh and M K Franklin ldquoIdentity-Based Encryption fromthe Weil Pairingrdquo in Proceedings of the 21st Annual InternationalCryptology Conference on Advances in Cryptology ser CRYPTOrsquo01 London UK UK Springer-Verlag 2001 pp 213ndash229 [Online]Available httpdlacmorgcitationcfmid=646766704155

[3] Z Guan Z Cao X Zhao R Chen Z Chen and X Nan ldquoWebIBCIdentity based cryptography for client side security in web applicationsrdquoin 2008 The 28th International Conference on Distributed ComputingSystems IEEE Jun 2008 DOI 101109icdcs200824

[4] P Szczechowiak and M Collier ldquoTinyIBE Identity-based encryptionfor heterogeneous sensor networksrdquo in 2009 International Conferenceon Intelligent Sensors Sensor Networks and Information Processing(ISSNIP) IEEE 2009 DOI 101109issnip20095416743

[5] (2019) MIRACL Cryptographic SDK [Online] Available httpsgithubcommiraclMIRACL

[6] L Ducas V Lyubashevsky and T Prest ldquoEfficient identity-basedencryption over NTRU latticesrdquo in Lecture Notes in Computer ScienceSpringer Berlin Heidelberg 2014 pp 22ndash41 DOI 101007978-3-662-45608-8 2

[7] M Bynens (2018) Celebrating 10 years of V8 [Online] Availablehttpsv8devblog10-years

[8] (2018) WebAssembly Specification WebAssembly Community Group[Online] Available httpswebassemblygithubiospeccore downloadWebAssemblypdf

[9] (2018) Can I use WebAssembly [Online] Available httpscaniusecomfeat=wasm

[10] H Cohen G Frei R Avanzi C Doche T Lange K Nguyen andF Vercauteren Eds Handbook of Elliptic and Hyperelliptic CurveCryptography Second edition Chapman amp HallCRC 2012

[11] A Menezes T Okamoto and S Vanstone ldquoReducing elliptic curve log-arithms to logarithms in a finite fieldrdquo IEEE Transactions on InformationTheory vol 39 pp 1639 ndash 1646 1993 DOI 10110918259647

[12] (2018) The Identity-Based Encryption Advantage [On-line] Available httpswwwmicrofocuscommediawhite-papertheidentity based encryption advantage wppdf

[13] C Cocks ldquoAn identity based encryption scheme based on quadraticresiduesrdquo in In IMA International Conference Springer-Verlag 2001pp 360ndash363 DOI 1010073-540-45325-3 32

[14] D Boneh and X Boyen ldquoEfficient selective-ID secure identity-basedencryption without random oraclesrdquo in Advances in Cryptology - EU-ROCRYPT 2004 Springer Berlin Heidelberg 2004 pp 223ndash238 DOI101007978-3-540-24676-3 14

[15] R Sakai and M Kasahara ldquoId based cryptosystems with pairing onelliptic curverdquo 2003 [Online] Available httpeprintiacrorg2003054




7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences

[1] A Shamir ldquoIdentity-based Cryptosystems and Signature Schemesrdquo in Proceedings of CRYPTO 84 on Advances in Cryptology New York NY USA Springer-Verlag New York Inc 1985 pp 47ndash53 [Online] Available httpdlacmorgcitationcfmid=1947819483

[2] D Boneh and M K Franklin ldquoIdentity-Based Encryption from the Weil Pairingrdquo in Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology ser CRYPTO rsquo01 London UK UK Springer-Verlag 2001 pp 213ndash229 [Online] Available httpdlacmorgcitationcfmid=646766704155

[3] Z Guan Z Cao X Zhao R Chen Z Chen and X Nan ldquoWebIBC Identity based cryptography for client side security in web applicationsrdquo in 2008 The 28th International Conference on Distributed Computing Systems IEEE Jun 2008 doi 101109icdcs200824

[4] P Szczechowiak and M Collier ldquoTinyIBE Identity-based encryption for heterogeneous sensor networksrdquo in 2009 International Conference on Intelligent Sensors Sensor Networks and Information Processing (ISSNIP) IEEE 2009 doi 101109issnip20095416743

[5] (2019) MIRACL Cryptographic SDK [Online] Available httpsgithubcommiraclMIRACL [6] L Ducas V Lyubashevsky and T Prest ldquoEfficient identity-based

encryption over NTRU latticesrdquo in Lecture Notes in Computer Science Springer Berlin Heidelberg 2014 pp 22ndash41

doi 101007978-3-662-45608-8_2 [7] M Bynens (2018) Celebrating 10 years of V8 [Online] Available httpsv8devblog10-years [8] (2018) WebAssembly Specification WebAssembly Community Group

[Online] Available httpswebassemblygithubiospeccore downloadWebAssemblypdf

[9] (2018) Can I use WebAssembly [Online] Available httpscaniusecomfeat=wasm [10] H Cohen G Frei R Avanzi C Doche T Lange K Nguyen and

F Vercauteren Eds Handbook of Elliptic and Hyperelliptic Curve Cryptography Second edition Chapman amp HallCRC 2012

[11] A Menezes T Okamoto and S Vanstone ldquoReducing elliptic curve logarithms to logarithms in a finite fieldrdquo IEEE Transactions on Information Theory vol 39 pp 1639 ndash 1646 1993

doi 10110918259647 [12] (2018) The Identity-Based Encryption Advantage [Online] Available

httpswwwmicrofocuscommediawhite-paperthe_identity_based_encryption_advantage_wppdf

[13] C Cocks ldquoAn identity based encryption scheme based on quadratic residuesrdquo in In IMA International Conference Springer-Verlag 2001 pp 360ndash363 doi 1010073-540-45325-3_32

[14] D Boneh and X Boyen ldquoEfficient selective-ID secure identity-based encryption without random oraclesrdquo in Advances in Cryptology - EUROCRYPT 2004 Springer Berlin Heidelberg 2004 pp 223ndash238 doi 101007978-3-540-24676-3_14

7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















Aacutedaacutem Veacutecsi graduated as a computer scientist at the Faculty of Informatics University of Debrecen in 2019 He started his PhD in the same year at the Doctoral School of Informatics University of Debrecen His current research interests include various aspects of cryptography mainly Identity-based Cryptography You can contact him vecsiadaminfunidebhu

Attila Bagossy graduated as a computer scientist at the Faculty of Informatics University of Debrecen in 2019 He started his PhD in the same year at the Doctoral School of Informatics University of Debrecen His current research interests include unconventional models of computation cryptography and WebAssembly You can contact him bagossyattilainfunidebhu

Attila Pethő is a professor and was the head of the Department of Computer Science Faculty of Informatics University of Debrecen Hungary He got PhD degree in mathematics from the Lajos Kossuth University He is an ordinary member of the Hungarian Academy of Sciences His research interest are number theory and cryptography You can contact him pethoattilainfunidebhu

[15] R Sakai and M Kasahara ldquoId based cryptosystems with pairing on elliptic curverdquo 2003 [Online] Available httpeprintiacrorg2003054

[16] A Fiat and A Shamir ldquoHow to prove yourself Practical solutions to identification and signature problemsrdquo in Advances in Cryptology mdash CRYPTOrsquo 86 Springer Berlin Heidelberg 2000 pp 186ndash194

doi 1010073-540-47721-7_12[17] T Okamoto ldquoProvably secure and practical identification schemes

and corresponding signature schemesrdquo in Advances in Cryptology mdash CRYPTOrsquo 92 Springer Berlin Heidelberg 2001 pp 31ndash53

doi 1010073-540-48071-4_3[18] F Hess ldquoEfficient identity based signature schemes based on pairingsrdquo

in Selected Areas in Cryptography Springer Berlin Heidelberg 2003 pp 310ndash324 doi 1010073-540-36492-7_20

[19] P S L M Barreto B Libert N McCullagh and J-J Quisquater ldquoEfficient and provably-secure identity-based signatures and signcryption from bilinear mapsrdquo in Lecture Notes in Computer Science Springer Berlin Heidelberg 2005 pp 515ndash532

doi 10100711593447_28[20] M Bellare C Namprempre and G Neven ldquoSecurity proofs for identity-

based identification and signature schemesrdquo Journal of Cryptology vol 22 no 1 pp 1ndash61 Aug 2008 doi 101007s00145-008-9028-8

[21] (2017) Introduction to ActiveX Controls [Online] Available httpsdocsmicrosoftcomen-usprevious-versionswindows internet-explorerie-developerplatform-apisaa75197228v 3dvs8529

[22] (2017) NaCl and PNaCl [Online] Available httpsdeveloperchromecomnative-clientnacl-and-pnacl

[23] (2014) asmjs Specification [Online] Available httpasmjsorgspeclatest[24] A Haas A Rossberg D L Schuff B L Titzer M Holman D

Gohman L Wagner A Zakai and J Bastien ldquoBringing the web up to speed with webassemblyrdquo SIGPLAN Not vol 52 no 6 pp 185ndash200 jun 2017 doi 10114531405873062363

[25] A Zakai ldquoEmscripten An LLVM-to-JavaScript Compilerrdquo in Proceedings of the ACM International Conference Companion on Object Oriented Programming Systems Languages and Applications Companion ser OOPSLA rsquo11 New York NY USA ACM 2011 pp 301ndash312 doi 10114520481472048224

[26] A Zakai (2015) Big Web App Compile It [Online] Available kripkengithubiomloc_emscripten_talk[27] (2019) Lucet the Sandboxing WebAssembly Compiler [Online]

Available httpsgithubcomfastlylucet[28] (2019) Wasmer ndash Universal WebAssembly Runtime [Online]

Available httpswasmerio[29] L Clark (2019) Standardizing WASI A system interface to run

WebAssembly outside the web [Online] Available httpshacksmozillaorg201903standardizing-wasi-a-webassembly-system-interface

[30] X Boyen and L Martin ldquoIdentity-based cryptography standard (IBCS) 1 Supersingular curve implementations of the BF and BB1 cryptosystemsrdquo RFC vol 5091 pp 1ndash63 2007 doi 1017487RFC5091

[31] G Appenzeller L Martin and M Schertler ldquoIdentity-based encryption architecture and supporting data structuresrdquo Tech Rep Jan 2009 doi 1017487rfc5408

[32] L Martin and M Schertler ldquoUsing the boneh-franklin and boneh-boyen identity-based encryption algorithms with the cryptographic message syntax (CMS)rdquo Tech Rep Jan 2009 doi 1017487rfc5409

[33] ldquoIEEE standard for identity-based cryptographic techniques using pairingsrdquo 2013 doi 101109ieeestd20136662370

[34] ldquoIsoiec 18033-52015 Information technology - security techniques - encryption algorithms - part 5 Identity-based ciphersrdquo 2015 [Online]

Available httpswwwisoorgstandard59948html[35] ldquoIsoiec 15946-12016 Information technology - security techniques

- cryptographic techniques based on elliptic curves - part 1 Generalrdquo 2016 [Online] Available httpswwwisoorgstandard65480html

[36] T Granlund and the GMP development team (2016) GNU MP The GNU Multiple Precision Arithmetic Library [Online] Available httpgmpliborg

[37] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquo in Lecture Notes in Computer Science Springer Berlin Heidelberg 2005 pp 457ndash473 doi 10100711426639_27

[38] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-based encryption for fine-grained access control of encrypted datardquo in Proceedings of the 13th ACM conference on Computer and communications security - CCS rsquo06 ACM Press 2006

doi 10114511804051180418[39] J Bethencourt A Sahai and B Waters ldquoCiphertext-policy attribute-

based encryptionrdquo in 2007 IEEE Symposium on Security and Privacy (SP rsquo07) IEEE May 2007 doi 101109sp200711

[40] M Abdalla D Catalano A W Dent J Malone-Lee G Neven and N P Smart ldquoIdentity-based encryption gone wildrdquo in Automata Languages and Programming Springer Berlin Heidelberg 2006 pp 300ndash311

doi 10100711787006_26[41] O Blazy P Germouty and D H Phan ldquoDowngradable identity-based

encryption and applicationsrdquo in Topics in Cryptology ndash CT-RSA 2019 Springer International Publishing 2019 pp 44ndash61

doi 101007978-3-030-12612-4_3[42] B Lynn ldquoOn the implementation of pairing-based cryptosystemsrdquo

PhD dissertation Stanford University Stanford CA USA 6 2007 [Online] Available httpscryptostanfordedupbcthesispdf

[43] L Martin Introduction to Identity-based Encryption Boston Artech House 2008

[44] D Eastlake and T Hansen ldquoUS secure hash algorithms (SHA and SHA-based HMAC and HKDF)rdquo Tech Rep May 2011

doi 1017487rfc6234[45] (2019) Google Benchmark ndash A microbenchmark support library

[Online] Available httpsgithubcomgooglebenchmark[46] (2009) The Case for Elliptic Curve Cryptography National Security

Agency [Online] Available httpswebarchiveorgweb20090117023500 httpwwwnsagovbusinessprogramselliptic_curveshtml

[47] (2018) PARIGP version 2110 The PARI Group Univ Bordeaux [Online] Available httpparimathu-bordeauxfr

[48] C Heuberger and M Mazzoli ldquoSymmetric digit sets for elliptic curve scalar multiplication without precomputationrdquo Theoretical Computer Science vol 547 pp 18ndash33 aug 2014 doi 101016jtcs201406010




3





C WebAssembly











III CRYPTID








2



II PRELIMINARIES

A Pairing













Fig 1 How IBE works










3





C WebAssembly











III CRYPTID








2



II PRELIMINARIES

A Pairing













Fig 1 How IBE works










5














IV PERFORMANCE



A Environments





4












C Library structure












5














IV PERFORMANCE



A Environments





4












C Library structure












6






B Benchmark Results












6






B Benchmark Results












6






B Benchmark Results












7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



































































3





C WebAssembly











III CRYPTID








2



II PRELIMINARIES

A Pairing













Fig 1 How IBE works










5














IV PERFORMANCE



A Environments





4












C Library structure












5














IV PERFORMANCE



A Environments





4












C Library structure












6






B Benchmark Results












6






B Benchmark Results












6






B Benchmark Results












7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



































































5














IV PERFORMANCE



A Environments





4












C Library structure












5














IV PERFORMANCE



A Environments





4












C Library structure












6






B Benchmark Results












6






B Benchmark Results












6






B Benchmark Results












7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



































































5














IV PERFORMANCE



A Environments





4












C Library structure












6






B Benchmark Results












6






B Benchmark Results












6






B Benchmark Results












7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



































































6






B Benchmark Results












6






B Benchmark Results












6






B Benchmark Results












7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES



































































7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
















6






B Benchmark Results












RefeRences
















7












ACKNOWLEDGMENT


COMPETING INTERESTS


REFERENCES
































































cross-platform identity-based cryptography using

Documents