An Efficient Tate Pairing Algorithm for a Decentralized Key ... - MDPI

Download PDF
1 downloads 0 Views 3MB Size Report
Comment
Jul 15, 2018 - system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5; secondly, Section 3.2 ... on multi-base number representation system using point halving ...... Dimitrov, V.S.; Imbert, L.; Mishra, P.K. Fast Elliptic Curve Point ...
cryptography Article

An Efficient Tate Pairing Algorithm for a Decentralized Key-Policy Attribute Based Encryption Scheme in Cloud Environments Balaji Chandrasekaran *

ID

and Ramadoss Balakrishnan

Department of Computer Applications, National Institute of Technology, Tiruchirappalli 620015, India; [email protected] * Correspondence: [email protected]; Tel.: +91-948-994-9299 Received: 25 May 2018; Accepted: 13 July 2018; Published: 15 July 2018

 

Abstract: Attribute-based encryption (ABE) is used for achieving data confidentiality and access control in cloud environments. Most often ABE schemes are constructed using bilinear pairing which has a higher computational complexity, making algorithms inefficient to some extent. The motivation of this paper is on achieving user privacy during the interaction with attribute authorities by improving the efficiency of ABE schemes in terms of computational complexity. As a result the aim of this paper is two-fold; firstly, to propose an efficient Tate pairing algorithm based on multi-base number representation system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5 to reduce the cost of bilinear pairing operations and, secondly, the TP-MBNR-PH algorithm is applied in decentralized KP-ABE to compare its computational costs for encryption and decryption with existing schemes. Keywords: attribute based encryption; TP-MBNR-PH; KP-ABE; multi-authority; cloud computing

1. Introduction Cloud computing, as an emerging computing paradigm, empowers client to remotely store information on a cloud in order to access services on request. Over the past few years, it has been observed that cloud computing has become a full-fledged promising business idea for the IT sector. As data related to people and organizations resides in the cloud, to a large extent, a concern for security is addressed. This issue reduces the potentiality of cloud computing technologies in terms of giving protection and assurance to the end user information and, at the same time, it plaguies the market. In order to secure information from being disclosed, clients need to encipher their information before it is shared. Access control is elementary, as it is the primary line of defense that avoids unauthorized access to the shared information. In considering the above facts, attribute-based encryption (ABE) is given much more attention in providing information security and in comprehending fine-grained, one-to-numerous, and non-interactive access control. Thus it is evident that ABE supports both confidentiality and access control with a single encryption for data sharing in a cloud environment. In 2005, Sahai and Waters [1] proposed another sort of IBE scheme called fuzzy IBE (FIBE) which compliments identities as a collection of descriptive attributes. FIBE is viewed as the primary idea of ABE in which the information owner encrypts a message to all users having a specific collection of attributes. In the same period, Nali et al. [2] also proposed a threshold-based ABE technique to convey the fact that this technique forestalls the collusion attacks and opens a new weakness in which threshold semantics are restricted in planning broader frameworks that require expressive access control. Data user, data owner, attribute authority (AA), and cloud storage server are the four kinds of parties involved in ABE. In the ABE scheme, attributes are assumed to be the critical part. Attributes

Cryptography 2018, 2, 14; doi:10.3390/cryptography2030014

www.mdpi.com/journal/cryptography

Cryptography 2018, 2, 14

2 of 15

use public keys for encrypting data and are also utilized as an access policy for controlling users’ access. It is realized in healthcare and smart grid applications that ABE provides fine-grained access control and broadcasting of a single encrypted message to a specific group of users, respectively. In view of the access policy, ensuing studies are generally ordered [3] either as a key-policy ABE (KP-ABE) or cipher text-policy ABE (CP-ABE). In 2006, Goyal et al. [3] introduced the concept of KP-ABE in which each secret key is associated with an access structure that specifies the type of cipher text which can be decrypted by this secret key. The cipher texts are labelled with a collection of descriptive attributes. In case the attribute set fulfils the access structure indicated in the secret key, the user can decrypt the cipher text. It is one of the prominent encryption techniques with fine-grained access control for applications, say, sharing audit log information. The major drawback in this technique is that no sooner is the access policy built into the secret key, the data owner in this scheme cannot choose the person who is decrypting the cipher text, but can only decide a collection of attributes controlling the access of cipher texts. Later, Ostrovsky et al. [4] proposed a scheme with a non-monotonic access structure where the secret keys are stamped with a collection of attributes comprising positive and negative attributes. Analogously, the ABE scheme with a non-monotonic access structure elicits a more convoluted access policy. Unfortunately, the main flaw in this mechanism is that it doubles the size of the cipher text, and secret key and adds encryption/decryption overheads at the same time. Attrapadung et al. [5] suggested the first KP-ABE scheme with non-monotonic access structures and constant cipher text size. The drawback is that the secret key has a quadratic size in the number of attributes. Goyal et al. [3] proposed the feasibility of a CP-ABE scheme, but not yet endeavored any constructions. In a CP-ABE scheme, a user’s secret key is associated with a subjective number of attributes representing strings, and cipher text with an access structure. A user may have the capacity to decrypt a cipher text if user’s attributes fulfil the access structure of the cipher text. In 2007, utilizing a monotonic access structure, Bethencourt et al. [6] proposed the main CP-ABE development. This technique sustains adaptable access control strategies like the KP-ABE [3] technique. Considering the security aspects under the standard model, Cheung and Newport [7] contributed a provably secure CPABE scheme which, in turn, boosted the security proof in Bethencourt et al. [6]. This scheme supported AND gate on positive and negative attributes as its access policy and is proved to be the chosen plain text attack (CPA), secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. Even though it has some advantages, there are some disadvantages, too. Mostly, this scheme is not adequately expressive because it supports only policies with logical conjunction. The next one is that the size of the cipher text and the secret key increments in a linear fashion with the aggregate number of attributes in this scheme. These two weaknesses made this scheme less proficient than Bethencourt et al.’s [6]. In view of Cheung and Newport’s scheme [7], Nishide et al. [8] enhanced the effectiveness and accomplished hidden policies by proposing a scheme with multi-value attributes as its access policy. Emura et al. [9] utilized a similar access policy and proposed an enhanced scheme accomplishing a steady length of cipher text and a consistent number of bilinear pairing operations. Liang et al. [10] enhanced the bounded CP-ABE (BCP-ABE) by improving the proficiency of the encryption/decryption algorithm and reducing the length of the public key, secret key, and cipher text. The initial ABE scheme was created utilizing single AA [1]. Later multiple-authority-based ABE (MA-ABE) was proposed in [11], since the single-authority ABE technique permitted a large volume of data at a single entity. In the MA-ABE technique, there are numerous AAs in charge of disjoint collections of attributes. In the customary MA-ABE technique, users co-operate with various AAs to obtain decryption credentials for their attributes. On the other hand, there is no security assurance for users; instead all AAs can share (collude) the specific user’s data (attributes) to uncover the user’s identity. Hence, the motivation of this paper is on achieving user privacy during the interaction with AAs by improving the efficiency of ABE schemes in terms of computational complexity. To the best of our knowledge, almost all the ABE schemes available are constructed from bilinear pairings. However,

Cryptography 2018, 2, 14

3 of 15

bilinear pairing has a higher computational complexity, which makes algorithms inefficient to some extent. Therefore, the main focus of this paper is in reducing the cost of bilinear pairing operations to improve the efficiency of the ABE scheme. 1.1. Our Contributions The main contributions of this paper are highlighted as follows:





An efficient Tate pairing algorithm based on multi-base number representation system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5 has been proposed. This scheme mitigates the cost of bilinear pairing when compared to existing Tate pairing schemes. The efficiency is calculated using the computational costs and pre-computed costs of addition, subtraction, halving, tripling, and quintupling operations. The TP-MBNR-PH algorithm is applied in decentralized KP-ABE to show the reduction in computational costs for encryption and decryption when compared with existing schemes [12,13].

1.2. Paper Organization The rest of this paper is organized as follows: Section 2 covers the related work. Section 3 deals with the proposed work of this paper. It consists of two subsections: firstly, Section 3.1 describes the proposed work of an efficient Tate pairing algorithm based on a multi-base number representation system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5; secondly, Section 3.2 describes the applicability of the TP-MBNR-PH algorithm in decentralized KP-ABE. Section 4 concludes the paper. 2. Related Work There are two fundamental sorts of ABE, particularly cipher text-policy ABE (CP-ABE) and key-policy ABE (KP-ABE). The ABE scheme is categorized into two: single-authority ABE (SA-ABE) and multi-authority ABE (MA-ABE). In the MA-ABE scheme, there are two sub-categories; with a central authority (CA) and without a central authority. Chase introduced an MA-ABE scheme [14] utilizing a trusted CA for disbursing all the keys. The main drawback of utilizing a CA is that it increases the computation and communication cost. Lin et al. [15] resolved the secure threshold multi-authority fuzzy identity based encryption (threshold MA-FIBE) scheme in the absence of a central authority. In the same lines, Chase and Chow in [11] introduced an MA-ABE scheme removing the CA using distributed pseudorandom functions. In this scheme, every pair of AAs firmly exchange a shared secret among them in the setup process. Users must submit their global identities (GIDs) to every AA to get the decryption credentials in [14]. This cleaves the user protection since a collection of perverted AAs can pool together each of the attributes that belong to the specific GID. In [11], Chase and Chow introduced an anonymous key-issuing protocol to mitigate the privacy vulnerability in which a user can acquire the decryption keys from AAs without exposing his/her GID. Despite the fact that the scheme introduced by Chase and Chow avoids the central AA, all the AAs must be online and collude with each other to set up the ABE system. Thus, it is not fully decentralized. Furthermore, different protocols are proposed to decentralize the ABE scheme [11,14,16,17]; nonetheless, each scheme has its own benefits and bad marks. The first known completely decentralized MA-ABE scheme is suggested in [16] where any party can turn into an AA and there is no prerequisite for any global co-ordination other than the production of a pioneer collection of common reference parameters. This overcomes the collusion vulnerability without providing co-ordination between AAs with novel strategies to tie key parts together and anticipate collusion attacks between users with various global identifiers. This scheme does not protect the user privacy as attributes of users are gathered by AAs following users’ GIDs. The scheme in [11] considers privacy, however, it is not completely decentralized. Han et al. suggested a PP decentralized scheme for KP-ABE in [18] for preserving the user privacy based on the decisional bilinear Diffie-Hellman (DBDH) standard complexity assumption.

Cryptography 2018, 2, 14

4 of 15

In [18], the GID of the user is utilized to tie all the decryption keys together, where blind key generation protocol has been used to issue the decryption keys. Subsequently, perverted AAs cannot pool the users’ attributes by following the GIDs’ of the users from the decryption keys. Unluckily, the scheme cannot counteract user collusion, thus, two users can pool their decryption keys to produce decryption keys for an unauthorized user [19]. This is because of weak binding between users’ GID and the decryption keys. Rahulamathavan et al. [12] constructed the privacy-preserving decentralized KP-ABE scheme in a cloud environment. It protects the users’ privacy when they communicate with multiple authorities to obtain decryption credentials. It reduces the user collusion vulnerability found in [19] and used an anonymous key-issuing protocol based on anonymous credentials. Thus, it cannot generate decryption credentials for malicious users even if two or more users collude their keys. It is both leak-free and selective-failure blind. This scheme is verified using decisional bilinear Diffie-Hellman standard complexity assumption. Yang et al. [13] proposed a scheme to improve privacy and security in decentralizing multi-authority attribute-based encryption in cloud computing. Most often existing ABE schemes are constructed from bilinear pairings. This makes an algorithm inefficient due to its high computational complexity of bilinear pairing. In this paper, first, an efficient Tate pairing based on multi-base number representation system using point halving (TP-MBNR-PH) with point halving, tripling, and quintupling is proposed and then applied in decentralized KP-ABE [12] to determine its computational costs of encryption and decryption. 3. Proposed Work The proposed work consists of two parts. Firstly, we propose an efficient Tate pairing algorithm based on multi-base number representation system using point halving (TP-MBNR-PH) with bases 1/2, 3, and 5 with the aim to reduce the cost of bilinear pairing operations. Secondly, the TP-MBNR-PH algorithm is applied in decentralized KP-ABE to determine its computational costs for encryption and decryption. 3.1. Proposed Tate Pairing Algorithm Construction 3.1.1. Bilinear Maps Let G1 , G2 , and GT be three cyclic groups of prime order q. G1 and G2 are a source group and GT is a target group. Let g1 and g2 be generators of G1 and G2 , respectively. A bilinear map e is defined as e : G1 × G2 → GT which has the following properties:

• • •

Bilinearity: e( g1a , g2b ) = e( g1 , g2 ) ab , where a, b ∈ Z. Computability: The bilinear map e is efficiently computable by G1 × G2 for any pairs. Non-degeneracy: e( g1 , g2 ) 6= 1. This means all pairs of the source group do not map to the identity of the target group. Note: If G1 = G2 , then it is a symmetric map, otherwise it is an asymmetric map.

3.1.2. Point Halving (PH) Fundamentally all the scalar multiplication is ascertained by utilizing the double and add method. However, Knuden (1999) and Schroeppel (2000), in parallel, proposed a strategy to speed up scalar multiplication on elliptic curves characterized over binary augmentation fields. Their technique depends on a novel elliptic curve primitive called point halving, which can be characterized as follows: Given a point Q of odd order, compute P such that Q = 2P. The point P is denoted as 1/2 Q. That means, in this technique the previous double and add method is replaced by the half and add method, which is the exact inverse operation of point doubling. The strategies replaced all point doublings in the double-and-add algorithm with another operation called point halving. This technique is executed for conducting scalar multiplication on non-super singular elliptic curves in

Cryptography 2018, 2, 14

5 of 15

characteristic 2. Point halving is applied to the curves with minimal two-torsion. Since, hypothetically, point halving is up toward three times as quick as point doubling, it is conceivable to enhance the execution of scalar multiplication calculation Q = nP by supplanting the double-and-add algorithm. Let P = ( x, y) be a point on the elliptic curve defined over binary field using affine coordinates. A point doubling requires calculating the coordinates of the point Q = 2P = (u, v) using the following equations: y (1) λ = x+ x u = λ2 + λ + a

(2)

v = x 2 + u ( λ + 1)

(3)

Point halving is just the opposite, i.e., given Q = (u, v), find P = ( x, y) such that Q = 2P. This is computed by solving Equation (2) for λ, Equation (3) for x, and finally, Equation (1) for y. This means that we have to solve λ2 + λ = u + a, for λ, v = x2 + u (λ + 1) for x, and finally obtain y = λ x + x2 . A detailed analysis of the computational complexity of point halving was made in [20]. It was reported that the point halving method is 15% to 24% faster than point doubling. 3.1.3. The Double-Base Number System (DBNS) In [21], a ternary/binary methodology was proposed for fast Elliptic Curve Cryptography. An equivalent tactic was suggested in [22] where an integer k is represented in the double-base number system. The following definitions are needed [23]: Definition 1 (S-integer). Given a set of primes S, an S-integer is a positive integer whose prime factors all belong to S. Definition 2 (double-base number system). Given p, q, two relatively prime positive integers, the double-base number system (DBNS) is a representation scheme into which every positive integer n is represented as the sum or difference of { p, q}-integers, i.e., numbers of the form p a qb : n = ∑im=1 si pbi qti , with si ∈ {−1, 1}, and bi , ti ≥ 0. If the sequences of binary and ternary exponents decrease monotonically, i.e., b1 ≥ b2 ≥ . . . ≥ bm ≥ 0 and t1 ≥ t2 ≥ · · · ≥ tm ≥ 0, a double-base chain is formed. Take the example of 314,159 as used in [24]. Its double-base chain representation is: 314, 159 = 212 34 − 211 32 + 28 31 + 24 31 − 20 30 3.1.4. Multi-Base Number Representation (MBNR) Let k be an integer and let B = {b1 , . . . , bl } be a set of “small” integers. A representation of k as a sum of powers of elements of B is called a multi-base representation [25] of n using the base B. The base set size of the double-base representation, i.e., | B| = 2, and that of multi-base representation is greater than two, i.e., | B| > 2. Definition: A multiple representation l = ∑im=1 si 2bi 3ti 5ri using the bases {2, 3, 5} is called a step multi-base number representation, where each exponent {bi }, {ti }, and {ri } refes to separate monotonic decreasing sequences. The MBNR is compared to DBNS, which is shorter in length and more redundant. For example, in Table 1, 200 has 3027 DBNS representation (base 2 and 3), 316,557 representations using the bases 2, 3 and 5 and has 4,827,147 representations using the bases 2, 3, 5, and 7.

Cryptography 2018, Cryptography 3, x FOR 2018, PEER3,REVIEW x FOR PEER REVIEW

Cryptography 2018, 3, x FOR PEER REVIEW7 of 15

7 of 15

Algorithm 1. TP-MBNR-PH Algorithm 1. TP-MBNR-PH Algorithm 1. Algorithm TP-MBNR-PH 1. TP-MBNR-PH Algorithm 1. TP-MBNR-PH ∑ nput: An integer 𝑙 = ∑ 𝑠 3 5 , 𝑠 ∈ {−1,1} , 𝑏 ≥ 𝑏 ≥ … ≥ 𝑏 ≥ 0,Input: 𝑡 ≥ 𝑡 An ≥ integer 𝑙 = 𝑠 3 5 , 𝑠 ∈ {−1, {−1,1} {−1,1} ∑ , 𝑦𝑠 ) 𝑙∈=𝐸 ∑3𝐹 5[𝑙], integer =integer 𝑠 , 𝑄𝑠 =∈3(𝑥 5, 𝑦 , ),𝑠∈ 𝑏𝐸 ∈Input: ≥ An ≥, ≥… 𝑏integer 𝑏𝑏 ≥ ≥ =𝑡 ≥ 𝑠 ≥≥ ≥5 𝑡 𝑃≥ , 𝑠 (𝑥 ∈ {−1,1} (𝑥 ≥ 0 and 𝑟 ≥Input: 𝑟Cryptography ≥ ⋯An ≥ 𝑟Input: ≥ 0, An 𝑃𝑙 = ⋯ 𝐹𝑏 ≥ 𝑡[𝑙] 0≥≥and 𝑟𝑙0,… ≥ 𝑟∑≥𝑏≥𝑡⋯ ≥0,𝑟𝑡 3≥ 0, , 𝑦 ) ∈ ,𝐸 𝑏𝐹 14 6 of 15 = Cryptography 2018, 3, x FOR2018, PEER2,REVIEW 7 of 15 ⋯ Q) ≥ 𝑡 ≥ 0⋯and ≥ 𝑡 𝑟 ≥≥ 0𝑟 and ≥ ⋯ 𝑟≥ ≥ 𝑟 𝑟≥≥0,⋯𝑃≥=𝑟 (𝑥≥, 𝑦0, )𝑃∈=𝐸 (𝑥 𝐹⋯ , [𝑙], 𝑦≥) 𝑡∈𝑄 𝐸≥ = 𝐹(𝑥 0Output: [𝑙], and , 𝑦 )𝑄𝑟∈=e≥ 𝐸(𝑥 𝑟𝐹 Q) ≥ , 𝑦⋯ [𝑙] )≥ ∈𝐸 𝑟 𝐹≥ 0,[𝑙]𝑃 = (𝑥 , 𝑦 ) ∈ 𝐸 𝐹 [𝑙], Output: e (P, (P, Cryptography 2018, 3, x FOR PEER REVIEW

7 of 15

1. Output: 1. e (P, Output: Q) e (P, Q) Output: e (P, 𝐶 ⟵ 𝑃 Algorithm 𝐶 Q) ⟵𝑃 TP-MBNR-PH Cryptography 2018, 3, x FOR PEER REVIEW Table 1. The number of MBNR of small numbers using various 7bases. of 15 1 1 1. Algorithm 1. 𝐶1.⟵ 𝐶⟵𝑃 𝐶 ⟵ 𝑃Ɲ ⟵ 1. 𝑃TP-MBNR-PH Ɲ2018, ⟵3, xInput: ography FOR PEER REVIEW Cryptography 7 of 2018, 15 3, x FOR PEER REVIEW 2. {−1,1} ∑ An integer 𝑙 = 𝑠 3 5 , 𝑠 ∈ , 𝑏 ≥ 𝑏 ≥ … ≥ 𝑏 ≥ 0, 𝑡 1 1 1 𝑥 −≥𝑥 𝑡 ≥ 𝑥 −𝑥 Algorithm 1. TP-MBNR-PH Ɲ ⟵ Ɲ ⟵ Ɲ ⟵ Cryptography 2018, 3, x FOR PEER REVIEW B = {2,,2. 7 of 15 2. 2. B5= 3,𝑏5} ≥ 𝑏 B 𝑙𝑥 = 𝑏𝑥5, ≥=𝑥0,1,[𝑙] 𝑡then ≥ 𝑡 ≥ (𝑥{2,,, 𝑦3}𝑠 )∈∈{−1,1} − ≥ 0 An andinteger 𝑟 𝑥 ≥ 𝑟− ≥ ⋯ ∑≥ 𝑥𝑟 𝑠− ≥N𝑥0, 𝑃3= 𝐸 𝐹 [𝑙], 𝑄 =3.(𝑥≥,=𝑦…{2,)≥3, ∈𝐼𝑓 𝐸𝑠7}𝐹 𝐼𝑓 𝑠⋯=≥1,𝑡Input: then Algorithm 1. TP-MBNR-PH Algorithm 1. TP-MBNR-PH Cryptography 2018, FOR PEER REVIEW of≥15 Input: =1, 3≥10 50, ⟵ ,𝑃 𝑠= 𝑏3. ≥𝑄 … 𝑡𝐸 then ≥ ⋯ 3. ≥ An 𝑡 3,≥xinteger 0 𝐼𝑓 and 𝑟Q) ≥∑ 𝑟 𝐼𝑓 ≥𝑠𝑠⋯ = ≥ 1, 𝑟 then , 𝑦 ) ∈, 𝐸𝑏 𝐹≥8[𝑙], =4.≥ (𝑥𝑏𝐼𝑓, 𝑦𝑠≥)10 ∈ 1, 𝐹 𝑡7 [𝑙] 𝑠(P,𝑙= then =0, Ɲ 1 ∈(𝑥5{−1,1} Ɲ ⟵1 Output: e3. Algorithm 1. TP-MBNR-PH 20 12 , 𝑏 ≥ 𝑏 32 48≥ Input: {−1,1} ∑ Input: An integer 𝑙 = 𝑠 3 5 , 𝑠 ∈ ≥ … ≥ 𝑏 ≥ 0, 𝑡 𝑡 ≥ An integer 𝑙 = ∑ 𝑠 Ɲ ⟵3 1 5 , 𝑠 (𝑥 , 𝑦 ) ∈ 𝐸 𝐹 Ɲ[𝑙],⟵𝑄1= 4. 5.) ∈1 𝐸 𝐹 𝑒𝑙𝑠𝑒 ⋯ ≥𝑒𝑙𝑠𝑒 𝑡 1. ≥ 4.0 Output: and 𝐶 𝑟⟵ ≥e4.𝑟(P, (𝑥Ɲ, 𝑦⟵ [𝑙] 𝑃 ≥Q)⋯ ≥ 𝑟 ≥ 0, 𝑃 = 50 72 489 1266 Algorithm 1. 𝑟TP-MBNR-PH {−1,1} ∑ 𝑄 𝑠= (𝑥 Input: An ∈[𝑙] 𝑏 ≥ … 𝑟≥ ≥ 𝑏 ⋯≥≥0,𝑟 𝑡 ≥≥ 0,𝑡 𝑃Ɲ ≥= ⟵ (𝑥 Ɲ 5. e𝑟 (P, 5.𝑃⋯ ≥ 𝑟1 ≥ ≥ 𝑡 ≥Output: 01.and ≥ ≥ 0, 𝑃 = (𝑥 , 𝑦integer ∈ 𝐸 402 𝐹𝑙 =[𝑙], ,5.𝑦3 ) 5∈ 6. 𝐸, 𝐹𝑠𝑒𝑙𝑠𝑒 ⋯ ≥ 𝑡 ,≥𝑏 0 ≥and 𝑟 ≥ ,𝑦 𝑒𝑙𝑠𝑒 𝑒𝑙𝑠𝑒 Ɲ ⟵) Ɲ Q)⟵ 𝐶 100 8425 43,777 Ɲ ⟵ 2. 1 (𝑥 𝑥𝑙 =−⋯ ⋯Ɲ ≥ 𝑟,⟵𝑏≥Ɲ 0,𝑏6.𝑃Ɲ = , 𝑦𝑏)586,862 ∈≥𝐸0, 𝐹Output: = , 𝑦1)do ∈ 𝐸 𝐹 [𝑙]Ɲ ⟵ Ɲ ∑𝑥 ≥ 𝑡𝑠 ≥ 0 3and for i =6. 2,Q) . 𝑃. .integer , n −6.1 do for = 1, .(𝑥 , nQ) − Input: An ∈≥{−1,1} ≥ ≥⟵ …7.Ɲ≥ 𝑡 i [𝑙], ≥ 𝑡 𝑄2,≥ 1505 𝑟 , ≥𝑠 𝑟1296 63,446 1.Output: e𝐶1,(P, e. . (P, ⟵ Ɲ ⟵ 2. 200 3027 316,557 4,827,147 1 𝑥 − 𝑥 7. 7. 7. 3. 8. for i = 1, 2, . for . . , n i − = 1 1, do 2, . . . , n − 1 do for i = 1, 2, . . . , n − 1 do 𝐼𝑓 𝑠 = 1, then 𝛼 ⟵ 𝑏 − 𝑏 𝛼 ⟵𝑏 −𝑏 1. Output: e (P, Q) 𝐶 ⟵ 𝑃 𝐶 ⟵ 𝑃 ⋯ ≥ 𝑡 ≥Ɲ0 and = (𝑥 , 𝑦 ) ∈ 𝐸 𝐹 [𝑙], 𝑄 = (𝑥 , 𝑦 ) ∈ 𝐸 𝐹 [𝑙] ⟵ 𝑟 ≥ 𝑟 ≥ ⋯ ≥ 𝑟 ≥ 0, 𝑃 300 2. 11,820 4,016,749 142,196,718 1𝐼𝑓 1 𝑥 − 𝑥 9. 3. 8. 8. 8. 4. ⟵𝑃 𝑡 − 𝑡 𝑠 = 1, then 𝛼Ɲ⟵⟵ 𝑏 1 −𝑏𝛼 ⟵𝑏 −𝑏 𝛼 ⟵ 𝑏 𝛽−⟵ 𝑏 𝑡 −𝑡 1. 𝐶 𝛽⟵ Output: Ɲ ⟵ e (P, Q) Ɲ ⟵ 2. 1𝑟 𝑥 − 𝑥 𝑥 − 𝑥 10. 9. 9. 9. 5. 3. 4. 𝛾 ⟵ 𝑟 − 𝛾 ⟵ 𝛽 ⟵ 𝑡 − 𝑡 𝛽 ⟵ 𝑡 − 𝑡 𝛽 ⟵ 𝑡 − 𝑡 𝑟 −𝑟 𝑒𝑙𝑠𝑒 𝐼𝑓 𝑠 = 1, then Ɲ ⟵ 1 1.   bi   𝐶⟵𝑃 Ɲ ⟵ 2. m 1 𝑟Ɲ−ti𝑟 r𝛾i10. 1 𝑥 − 𝑥 11. 5.𝑠10.= 1, then 3. 4. 𝛾 ⟵ ⟵ 𝑟 − 𝑟 𝛾 ⟵ 𝑟 − 𝑟 𝐼𝑓 𝛼 = 0 𝑡ℎ𝑒𝑛 𝐼𝑓 𝛼 = 0 𝑡ℎ𝑒 𝑒𝑙𝑠𝑒10. 𝐼𝑓6. 𝐼𝑓 𝑠 = 1, then Ɲ ⟵ Ɲ ⟵ 1 1A multiple representation l = ∑i=1 si 2 3 5 using the bases { 2 , 3, 5} is called a modified Ɲ ⟵ 2. 11. 11.𝛼 7. 5. 3. 6. 11. .⟵ . . . ,1[26], 𝛽 do 1, 2, . . . . Ɲ . 𝛼 𝐼𝑓 = 012. 𝑡ℎ𝑒𝑛{b4. 𝐼𝑓 𝛼for=j 0=𝑡ℎ𝑒𝑛 for =𝑥1, 2, .number . . , n − 1 for do 𝑒𝑙𝑠𝑒 multi-base 𝐼𝑓j = 𝑠 1, =2, Ɲ𝐼𝑓where ⟵=Ɲ0 𝑡ℎ𝑒𝑛 Ɲ1,. then 𝑥 i− representation each exponent i }, {ti } and {ri } refers to separate (𝑄)𝐿 (𝑄)𝐿 𝐿 (𝑄) 𝐿 12. 12. 12. 7. 5. 8. 6. 4. for j = 1, 2, . for . . . . j , 𝛽 = do 1, 2, . . . . . , 𝛽 do for j = 1, 2, . . . . . , 𝛽 do for i = 1, 2, . . . , n − 1 do 𝑒𝑙𝑠𝑒 𝑒𝑙𝑠𝑒 𝛼 ⟵ 𝑏 − 𝑏 / , / / , / / , / Ɲ ⟵ Ɲ Ɲ ⟵ 1 3. decreasing 𝐼𝑓 𝑠 =monotonic 1, then Ɲ ⟵ Ɲ sequences. , Ɲ ⟵ Ɲ (𝑄)𝐿 / 6. 𝐿 /𝑏𝑡[26]. 𝐿 / , / (𝑄)𝐿 (𝑄)𝑉 𝑉 𝑉 // (𝑄) 13. 9. 7. 8. for i = 1, 2, . Take 𝛽(𝑄) 𝑡𝑏 Its 𝐿MBNR . . , n −the 15.do 𝛼 ⟵ , − / (𝑄)𝐿 / /, , // (𝑄) , / (𝑄)as: , Ɲ/ Ɲ /⟵ 4. example 𝑒𝑙𝑠𝑒 of 314,159 is represented ƝƝused ⟵ Ɲ as ⟵ Ɲ 1in Ɲ ⟵ Ɲ , , Ɲ ⟵ Ɲ (𝑄)𝑉 (𝑄) (𝑄)𝑉 (𝑄) (𝑄)𝑉 (𝑄) 𝑉 / 𝐶 ⟵ 3C 13. 𝑉 / Ɲ ⟵7.Ɲ 10. 9. i13. 8. 𝐶⟵ 3C 𝑏 − 𝛾⟵ 𝛽 for = 1, 2, . . . , n13. − 1 do 6. for i = 1, 2, . . . , n − 1 do 𝛼⟵ 𝑏 𝑟𝑡 𝑉−/ 𝑟𝑡 5. 𝑒𝑙𝑠𝑒  17  14  10  3 10. 11. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽1,𝛽=𝑏 9. 7. 8. 𝐶𝑟 0⟵ 𝐶 𝐸𝑙𝑠𝑒𝐼𝑓 ⟵ 3C 𝛽 = 𝛾−⟵ − 𝑟3C 3 1𝐶 ⟵14. − 𝑡𝛼1 = for i𝛼=⟵ 2, .𝑡⟵ do 𝑏, n𝐼𝑓 𝛼0 ⟵𝑡 1⟵ 1𝑡ℎ𝑒𝑛 13C 1 6. Ɲ0.−.𝑡ℎ𝑒𝑛 314, 159 = 33 5Ɲ1 − 3 5 + 15. 31 51 + 31 50 14. 14. 14. 12. for j = 1, 2, . . . . . , 𝛼 do for j = 1, 2, . . . .. 10. 11. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝐸𝑙𝑠𝑒𝐼𝑓 𝑡ℎ𝑒𝑛 𝛽 = 0 𝑡ℎ𝑒𝑛 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 9. 8. for =𝑟𝛼1,=2,0.2. 𝑡ℎ𝑒𝑛 . . . , 𝛽 do 𝑟𝑡 j− 𝐼𝑓 𝛽 ⟵𝛾 𝑡2⟵ − 𝛽⟵ 𝛼2 ⟵ 𝑏 − 𝑏 2 7. for i = 1, 2, . . . , n − 1 do (𝑄) (𝑄) 𝐿 𝐿 (𝑄)𝐿 1 𝐿 (𝑄) 15. 12.15. j/𝑏1, =, /2, 1, .2,. . . for . ., .𝛽/. j,do 𝛼 = do . .⟵ . . , 𝛼𝑡 do for j = 1, 2, . . . ./. , ,𝛼/𝛾do⟵ 10. 11. 9. , 𝐼𝑓 /𝑟⟵ for 𝛾 /⟵ 𝑟for 𝛼− =𝑏 0j = 𝑡ℎ𝑒𝑛 −𝑡 ,15. /1, 2, .𝛽 8. Ɲ ⟵ofƝMBNR , 𝐶−⟵ C it is very shorter Ɲ 16. Ɲ 𝛼over ⟵ ƝDBNS , (𝑄) The advantages are and more redundant. In the number Ɲ of ⟵ (𝑄) 𝐿 𝐿 𝐿 / , / (𝑄) (𝑄)𝐿 1 1 𝐿 (𝑄) (𝑄) 𝑉 2 𝑉 / (𝑄) (𝑄)𝑉 (𝑄) 𝑉 13. 12. 10. 11. / , / / , / for j 1, 2, . . . . . , 𝛽 do 𝛾 ⟵ 𝑟 − 𝑟 𝐼𝑓 𝛼 = 0 𝑡ℎ𝑒𝑛 𝐼𝑓 𝛼 / , / / , / / / 9. 𝛽 ⟵ 𝑡 − 𝑡 Ɲ Ɲ ⟵ Ɲ Ɲ of ⟵nƝgrows , 𝐶 ⟵aggressively. C example, 300 has Ɲ 11,820 ⟵ Ɲ ,𝐶 ⟵ 16. 16. Ɲ representations ⟵ , C , 𝐶 ⟵ For base16. elements, the number of (𝑄)𝐿 𝐿 (𝑄) (𝑄) (𝑄) (𝑄) 𝑉 𝑉 2 2 𝑉 (𝑄)𝑉 (𝑄) 17. 𝑉 13. 11. 𝐸𝑙𝑠𝑒 𝐼𝑓for 𝛼= 𝑎𝑛𝑑 0𝛽 𝑟𝐶 𝑡ℎ𝑒𝑛 𝐸𝑙𝑠𝑒 𝐼𝑓/𝛼 = for 0 𝑎𝑛𝑑 j =0 1, 2,/⟵ .,𝛽. ./𝑟.=. ,− do⟵ j = 𝛽1 0 𝑡ℎ𝑒𝑛 / /, /3C / / 𝐼𝑓 𝛼 = 12. 10. Ɲ (base ⟵ Ɲ 2 𝛾and , DBNS representations 3), 4,016,749 representations using the base 2, 3, and 5, 𝐸𝑙𝑠𝑒 and 𝐼𝑓 has𝛼 =for (𝑄)𝐿 𝐿 𝐿. 0. ./𝑡ℎ (𝑄)𝑉 (𝑄) 14. 18. 17. 17. 17. 𝑉 13. 12. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 for j = 1, 2, . . . . . , 𝛾 do j = 1, 2, . ., 𝐸𝑙𝑠𝑒 𝐼𝑓 𝛼 = 𝐸𝑙𝑠𝑒 0 𝑎𝑛𝑑 𝐼𝑓 𝛽 𝛼 = = 0 0 𝑡ℎ𝑒𝑛 𝑎𝑛𝑑 𝛽 = 0 𝑡ℎ𝑒𝑛 0 𝑎𝑛𝑑 𝛽 = 𝐶 ⟵ 3C for j = 1, 2, . . . . . , 𝛽 do / , / / , / / 11. 𝐼𝑓 𝛼 = 0 𝑡ℎ𝑒𝑛 Ɲ ⟵ Ɲ using , and 7. Ɲ ⟵ Ɲ 142,196,718 representations the base 2, 3, 5, (𝑄)𝐿 𝐿 (𝑄) (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 (𝑄) 𝐿 (𝑄)𝑉 (𝑄) 15. 14. 18. 18. 18. 𝑉 13. for j = 1, 2, . . . , 𝛼 do 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 for j = 1, 2, . for . . . . j , 𝛾 = do 1, 2, . . . . . , 𝛾 do for j = 1, 2, . . . . . , 𝛾 do 𝐶 ⟵ 3C / , / / , / / ,do/ / , / / , / / , / 12. for j/=/, 1,/ 2, . . . . . , 𝛽 Ɲ ,⟵ Ɲ 19. , Ɲ ⟵ Ɲ powers of Ɲ ⟵ Ɲ (𝑄)𝐿 In [26], mixed 2, ⟵ 3, and 5(𝑄)𝐿 have been proposed representing the scalar. Instead, in /[25], (𝑄) 𝐿 1 /for (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 (𝑄) (𝑄) 𝐿 (𝑄)𝑉 (𝑄) 15. 14. 𝑉 13. for j = 1, 2, . . . . . , 𝛼 do 𝛽 = 0 𝑡ℎ𝑒𝑛 / , / 𝐶 3C 𝐶 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 𝑉 / 𝐸𝑙𝑠𝑒𝐼𝑓 (𝑄) 𝑉 / , / / , , / / / , / / , / / , / / , / , / 𝐿 (𝑄) / / / , /Ɲ , / ,𝐶 ⟵ C Ɲ Ɲ⟵ 16.19. Ɲ ⟵ Ɲof⟵ Ɲ/ 3, , , Ɲ cryptography ⟵ Ɲ 19. 19. ⟵ Ɲpowers ,to obtain the authors proposedƝmixed 1/2, and 5(𝑄)𝑉 the faster elliptic curve (𝑄) 𝐿 1 (𝑄) 𝑉 2 15. 14. for j = 1, 2, . . . . . , 𝛼 do 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 𝐸𝑙𝑠𝑒𝐼𝑓 / , / 𝐶 ⟵ 3C (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 𝑉 (𝑄) (𝑄) 𝑉 / 𝐶⟵ 5C 𝐶 ⟵ 5C 13. / / (𝑄)𝑉/ (𝑄) , 𝐶 ⟵ Ɲ this ⟵𝑉method, Ɲ C is used instead of point doubling and / 16. (ECC) scalar14. multiplication. In the point halving (𝑄) 𝐿 ./.𝐼𝑓 1= 0 𝑡ℎ𝑒𝑛 (𝑄)𝛽 𝑉0𝐶/𝑎𝑛𝑑 2𝐸𝑙𝑠𝑒𝐼𝑓 17. for j =𝐸𝑙𝑠𝑒 1, 2, .⟵ ,𝛼 for j=1 𝛽 15. = 0 𝑡ℎ𝑒𝑛 𝐸𝑙𝑠𝑒 =do ,. ./𝛼 20. ⟵ 5C 𝐶 ⟵ 5C 𝐶 ⟵ 5C 𝐸𝑙𝑠𝑒 𝐶 3C Ɲ ⟵ Ɲ tripling and, 𝐶quintupling ⟵ C 16. quadrupling while maintaining operations. (𝑄) 𝐿 𝐿 / 1 (𝑄) 15. 18. 17.20. for j = 1, 2, . . . . . , 𝛼 do . . . .𝛽. 2, = 𝛾 do 𝐸𝑙𝑠𝑒 = 02, 𝑎𝑛𝑑 0 𝑡ℎ𝑒𝑛 / ,. ./𝑉 / j𝛼 21. 20. 20. 2, .for ,𝐼𝑓 𝛼 do for 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 14. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 == 01,𝑡ℎ𝑒𝑛 Ɲ for ⟵ jƝ= 1, ,𝐶 ⟵𝐸𝑙𝑠𝑒 C Ɲj =⟵1, 2, Ɲ ..., 16.(𝑄) 1 (𝑄)𝐿 (𝑄) 2 𝑉 18.21. 17. (𝑄) j. = . .2, . . ./.for 𝛾, 𝛼do 𝐸𝑙𝑠𝑒 𝛼/ 𝐿 0 ,𝑎𝑛𝑑 / ,do / 𝐿 𝐼𝑓 12, /0 , 𝑡ℎ𝑒𝑛 , . ./𝐿. ,(𝑄) /= /for /for j.1, ., .(𝑄)𝐿 = do 1,/ 2, 𝛼 for j = 1, 2, 𝐿. . ./, 𝛼, /do(𝑄) / ,𝑉 15. .Based .𝛽 .= ,= 𝛼1, do Ɲj21. ⟵ Ɲ ,𝐶 ⟵ C 3.1.5.21. Proposed Tate Algorithm Number System Using 16. Ɲ ƝƝ ⟵for Ɲj = 1, 2, , Representation 19. ⟵Pairing , 𝐶 (𝑄)𝐿 ⟵ C on Multi-Base Ɲ ⟵ Ɲ 22. (𝑄)𝐿 (𝑄) 𝐿 (𝑄) 𝑉 2 18. 17. =𝑎𝑛𝑑 . 0.𝐿, (𝑄)𝑉 𝛾/do 𝐸𝑙𝑠𝑒 𝐼𝑓 𝛼for =.(𝑄) 𝑡ℎ𝑒𝑛 𝛼= 𝐿 / , 𝐸𝑙𝑠𝑒 (𝑄)𝑉 1 𝐿1, / , , / /(𝑄) /, /,1 (𝑄) / / 1 𝐿 /(𝑄) 𝑉=/j0(𝑄) 2 𝑉𝐼𝑓 // 2, , ,𝛽/./.𝑉 / (𝑄) / (𝑄) Point22. Halving (TP-MBNR-PH) ƝƝ ⟵ ƝƝ (𝑄)𝐿 ,⟵ C 19.22. Ɲ ⟵ Ɲ / (𝑄)𝐿 Ɲ ƝC22. , 𝐶 (𝑄) ⟵ C , 𝐶18. Ɲ ⟵ Ɲ ,𝐶 ⟵ ⟵ , 𝐶 ⟵ (𝑄)𝑉 16. 𝐿 17. for j = 1, 2, . . . . . , 𝛾 do for 𝐸𝑙𝑠𝑒 𝐼𝑓 𝛼 = 0 𝑎𝑛𝑑 𝛽 = 0 𝑡ℎ𝑒𝑛 (𝑄)𝑉 𝑉 (𝑄) (𝑄) (𝑄) (𝑄) / , / / , / 𝑉 𝑉 2 2 𝑉 / , / 23. (𝑄) 𝑉 2 for j = 1, 2, . . . , 𝛽/ do 𝐶/ ⟵ /5C for ..1 , / / j = 1, 2,j .= Ɲ a⟵Tate Ɲ pairing , 19. We propose algorithm based on multi-base number representation system using (𝑄)𝐿 (𝑄)𝐿 (𝑄) 𝐿 (𝑄) 𝐿 18. (𝑄)𝐿 (𝑄)𝐿 for j = 1, 2, . . . . . , 𝛾 do 𝐿 (𝑄) 𝐿 (𝑄)𝑉 (𝑄)𝑉 // 0 , 𝑎𝑛𝑑 , .(𝑄) /𝐸𝑙𝑠𝑒 , // 𝐼𝑓 23. 20.23. ⟵ j/𝛽= 1,0/5C 2,𝑡ℎ𝑒𝑛 for ./. , 𝛽j23. = do1, 2, . . . , 𝛽 do for j = 1, 2, ./. ./,, 𝛽 𝐸𝑙𝑠𝑒 , / 𝛼𝑉= //for , 𝐶 /, /do 17. = Ɲ ⟵ Ɲ Ɲ , ⟵ƝƝ 19. (𝑄)𝐿 Ɲ ⟵ , ƝƝ ⟵ point halving. (𝑄)𝐿 𝐿. .1, 𝐿/𝐿/, ,/ //, (𝑄) 𝐿 / , / (𝑄)𝐿 (𝑄)𝑉 𝑉𝑉//j (𝑄)𝑉 / / , / (𝑄) (𝑄)𝑉 (𝑄) / (𝑄)𝐿 𝑉 // (𝑄) 24. 21. 20. j5C = . , 𝛼 do 𝐶1,for ⟵ 𝐸𝑙𝑠𝑒 /, 𝛾2, , (𝑄) /. .(𝑄)𝐿 / ,/ , / (𝑄) ,𝑉 // 18. for = 2, . . . do ⟵Ɲ Ɲ on Point ,Halving Technique. , Ɲ input 19. Ɲ algorithm ⟵ Ɲ ƝƝ , ⟵ Ɲas The proposed Tate Pairing is⟵ based It takes (𝑄) 𝐿 (𝑄)𝑉 (𝑄)𝑉 1 𝑉 (𝑄) (𝑄)𝑉 (𝑄) (𝑄)𝑉 (𝑄) (𝑄)𝑉 (𝑄) 𝑉 𝑉 𝑉 (𝑄)𝐿 (𝑄)𝐿 24. 24. 24. 21. 20. 𝐿 𝐶/ ⟵ 3C5C for/j ,= //1,, 2, 𝐶 / . . . , 𝛼 do 𝐸𝑙𝑠𝑒 / / / 𝐶 ⟵ 3C , / (𝑄) ,𝐶/ ⟵ Ɲ ⟵ with Ɲ bases/1/2,/, 𝐶3, ⟵ C5, along 22. an integer of MBNR and with points P and Q which should Ɲ ⟵representation Ɲ 19. (𝑄) 1 21. for j =for 1, 2, 𝛾2,do = 1, 2, . . . , 𝐶 ⟵ 3C 𝐶2 ⟵25. 3C𝐶 ⟵20. 𝐶for ⟵j 3C j𝑉 =. ./.1,, (𝑄)𝑉 . 𝐿. . 𝑉 ,/𝛼(𝑄)𝑉 5C /(𝑄) 𝐸𝑙𝑠𝑒 /, do (𝑄) ⟵L Ɲ , 𝐶 ⟵ asCline and vertical line passes through the 22. be within the finite field(𝑄)𝐿 FQ.ƝLet and V represented (𝑄) (𝑄) (𝑄) 𝑉 2 2, . . . , 𝛾𝐸𝑙𝑠𝑒 25. 21. 23.25. 20. 𝐿 / , /for j 1, =//2,1, for . . ,do 𝛾25. j do = 1, do for 𝐿j =/ 1, . . . for , 𝛾 /do j = 1, .⟵ 𝛼j5C do j , =/ = ./. ,.1 𝛽 , .(𝑄)𝐿 /, for / 𝐿2, , 𝐶/./for , . 2, , /2,(𝑄)𝐿 Ɲ ⟵asƝfunction with , 𝐶the ⟵ divisor. C, 22. Ɲ points. Ɲ1 ⟵ be represented If the sign value s1 (𝑄) is 1, then set Ɲ1 ⟵ to 1Ɲas (𝑄)𝐿 (𝑄) (𝑄)𝐿 𝐿 𝐿 / 𝐿 (𝑄) (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 1 𝐿 𝐿 (𝑄) 𝐿 (𝑄) 21. 23. / , /𝑉 for / ,1, / 2, . ././,,2𝛽 //do , / for 𝑉 (𝑄)𝑉 (𝑄) /26. /j, ,=//1, 2, . . . , /𝛼 ,do/ /𝑉, / /(𝑄)𝑉 / ,j /= / , / /(𝑄)𝑉 20. ⟵ ƝƝ1 /⟵ ,1⟵ 𝐶as⟵ C , / in step, 6. The22. Ɲ ⟵ Ɲ Ɲ set ⟵ Ɲ toƝ𝐸𝑙𝑠𝑒 Ɲ− Ɲ , , Ɲ ⟵ Ɲ is shown in step 3,Ɲ else is is shown computation of is shown in − 1 (𝑄)𝐿 1 (𝑄) (𝑄)𝑉/ (𝑄)𝑉 (𝑄) 𝑉jj/= 2 24.26. 23. 26. (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 1, 2,𝐿. . /. ,𝑉𝑉 , / (𝑄) ,𝛽/do ,26. 𝑉 // (𝑄) (𝑄)𝐿 /(𝑄)𝑉 (𝑄) 𝑉 (𝑄)𝑉𝐶 ⟵ 𝐶for ⟵ 5C 5C𝑉 21. for 1, Ɲ ⟵ Ɲ ,of base 1/2, ,3, 𝐶 and ⟵ 5,C respectively, while / Ɲ ⟵ Ɲ 2, . . . , 𝛼//do 22. step 2. The variables bi , ti , and r= the exponents i represents (𝑄)𝐿 𝐿 (𝑄) (𝑄) (𝑄)𝑉 (𝑄) 𝑉 2 𝑉 24. 23. 𝐶⟵ 3C for j = 1, 𝐿2, do / ,/. ./,. ,/𝛽(𝑄) / /,⟵ / 5C 1 , 𝐶 ⟵27. 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 𝐶 5C / 𝐶 ⟵ 5C for j = Ɲ Ɲ⟵⟵ ƝƝ inside the main for loop, TP-MBNR-PH initially calculates β, and γ which are the exponents of , 𝐶(𝑄) ⟵ Cdo for jα, 22. 𝐿 / , (𝑄)𝑉 25.27. 𝐿𝐿𝑡ℎ𝑒𝑛 𝐿 (𝑄) 𝑉for 24. j . . . , 𝛾 𝐶 ⟵ 3C = 1, 2, . . . , 𝛽 do , / (𝑄)𝐿 /= , 1, / 2, 27. 27. , / (𝑄) / 𝐼𝑓 𝑠 =23. 1 𝑡ℎ𝑒𝑛 𝐼𝑓 𝑠 = 1 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 (𝑄) 𝑉 2 ⟵ Ɲ , computed ƝƝ ⟵ , Ɲ 28. ƝƝ ⟵ , 𝐶 /⟵8–10. C + P Ɲ ⟵ ,𝐶 1/2, 3, and 5 bases, as Ɲ shown in𝐿steps If the base 2 exponent α is equal to zero, then (𝑄)𝐿 / , / (𝑄) 25. 𝐿 , (𝑄)𝑉 (𝑄) 𝑉 /= for j(𝑄)𝐿 1, do𝐿 , /(𝑄) 𝐶/(𝑄)𝑉 ⟵ 𝑉 for(𝑄) , / 24. / (𝑄) ,. . ./, 𝛾(𝑄)𝐿 , 𝐿 / / (𝑄) , / 3C ,2, 23. 1, .= . .(𝑄) ,𝐿13. 𝛽Ɲ do Ɲ Ɲ+ P ,base , equal to zero, 28. 28. the function Ɲ1 as 28. ⟵shown Ɲ jƝ , ⟵2, Ɲ ⟵ , Ɲ 𝐶 ⟵ C 𝐶 ⟵ C + P Ɲ ⟵ Ɲ , 𝐶 ⟵ C + calculate in step If the computed 3 exponent β is then (𝑄)𝐿 25. 𝑉 / (𝑄)𝑉 (𝑄) 24. 𝐸𝑙𝑠𝑒 for j 𝐿=/ /3C 1, 2, 𝑉 .(𝑄)𝐿 . ./,𝑉𝛾(𝑄)𝑉 do, / /(𝑄)𝑉 𝐶 𝐿⟵ 26. 𝑉 (𝑄) 𝑉 (𝑄) 𝐸𝑙𝑠𝑒 𝐶 /(𝑄) ,29./ (𝑄) (𝑄) , ,/ /(𝑄)𝐿 / /, (𝑄) Ɲ ⟵ Ɲ , compute the functionƝ 1⟵ in step 17. If both of computed bases α and β are equal to zero, Ɲ , the (𝑄) 𝐿,=/, 1,(𝑄)𝐿 (𝑄)𝐿 𝐿as/jshown 29. , (𝑄) 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝐶 ⟵25. 𝐸𝑙𝑠𝑒 𝐿for for 2, 𝑉 . . .//, 𝛾𝑉 j= 3C 26.29. (𝑄)𝑉 (𝑄)𝑉 (𝑄) , do / , 29. / (𝑄) 𝐶// C⟵ 5C 24. 30. , 𝐶If(𝑄)𝑉 ⟵ −(𝑄) P the Ɲ ⟵ Ɲ .Ɲ ⟵Ɲ Ɲ. Ɲ in , then calculateƝƝ1⟵ as shown step 21. none of above conditions are satisfied, then the algorithm (𝑄) (𝑄) (𝑄) 𝐿 𝐿 𝐿 (𝑄) (𝑄) (𝑄)𝐿 (𝑄)𝐿 𝑉 𝑉 𝐿 (𝑄) 𝐿 25. , , , for j = 1, 2, . . . , 𝛾 do 26. (𝑄)𝑉 (𝑄)𝑉 𝑉 (𝑄) //𝐶 , ⟵ / 3C𝐶 ⟵ /5C , / 27.30. / , / / , / (𝑄) 𝐼𝑓 30. 𝑠 = 1 𝑡ℎ𝑒𝑛 Ɲ 24, ⟵ . Ɲ Ɲ28.⟵ Ɲstep . Ɲ,30. 𝐶 Cthe − signed P , 𝐶 ⟵value C − P si+1 is equal Ɲ1, ⟵ Ɲ Ɲ. Ɲ Ɲ1 as ⟵shown Ɲ ,⟵ ⟵ Ɲ (𝑄) , 𝐶 ⟵ computes in steps 26Ɲand In 29, if to then / / 1 (𝑄) (𝑄) (𝑄)𝐿 (𝑄)𝐿 𝑉 𝑉 𝑉 𝐿 (𝑄) (𝑄)𝑉 26. 𝑉for (𝑄) 𝑉/ / , 𝑟𝑒𝑡𝑢𝑟𝑛 / 27. Ɲ / , 31. / Ɲ/ , / 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 𝐶 ⟵2, 5C 25. 𝑟𝑒𝑡𝑢𝑟𝑛 j= .𝐿. . ,, 𝛾(𝑄) / (𝑄)𝑉 28. Ɲdo ⟵ ƝC is , Ɲ step ⟵1,30, Ɲ else ,𝐶 ⟵ C+ P and C is computed computed as shown in/ step 32. TP-MBNR-PH / as shown /in 1 and (𝑄) 𝐿 31.𝐼𝑓 𝑠 =𝑟𝑒𝑡𝑢𝑟𝑛 31. 31. (𝑄) 26. (𝑄)𝑉 (𝑄)𝑉 𝑉 𝑉 (𝑄) 27. Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ (𝑄)𝐿 (𝑄)𝐿 , 1 𝑡ℎ𝑒𝑛 (𝑄) / 𝐶 k −1) /l 𝐿 / , 𝐶/ ⟵ 5C / , / , C / + 28. Ɲ ⟵Ɲ , 𝐶 /⟵ P, Ɲ(q⟵ Ɲ. finally (𝑄)𝑉 𝐸𝑙𝑠𝑒 29. 𝐿 , (𝑄)𝑉 (𝑄) (𝑄) 27. 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 returns 1 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 𝐶 ⟵ 5C 26. (𝑄)𝑉 𝑉 / 28. Ɲ ⟵Ɲ , 𝐶 ⟵(𝑄) C+P (𝑄) 29. 𝐿 , , (𝑄)5C 𝐿𝐸𝑙𝑠𝑒 27. 𝐼𝑓 𝑠Ɲ𝐿 ,⟵ =𝑉 1𝐶Ɲ𝑡ℎ𝑒𝑛 ⟵ 30. . Ɲ 28. Ɲ ⟵Ɲ , 𝐶 ⟵𝑉𝐿C +(𝑄) P ,𝐶 ⟵ C −P Ɲ ⟵Ɲ (𝑄) 29. 𝐿 , (𝑄) 𝐸𝑙𝑠𝑒 (𝑄) 𝑉 𝑉 27. 30. 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 28./ Ɲ ⟵ Ɲ .Ɲ ,𝐶 ⟵ C −P , ,𝐶 ⟵ C + P 𝐿 (𝑄) (𝑄) Ɲ ⟵ Ɲ 𝑉 (𝑄) 29. 31. , (𝑄)𝑉 𝐸𝑙𝑠𝑒 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 𝐿 , 30. Ɲ ⟵ Ɲ . Ɲ , 𝐶 ⟵ C − P / 28. Ɲ ⟵ Ɲ𝐿 , 𝑉 ,𝐶 ⟵ C + P (𝑄) (𝑄) 𝐿 31. 𝐸𝑙𝑠𝑒 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 29. Ɲ ⟵ Ɲ 𝑉 (𝑄) 30. .Ɲ ,𝐶 ⟵ C −P Ɲ ⟵ Ɲ .Ɲ / 𝐿 , (𝑄) 𝑉 (𝑄) 𝑉 31. 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 29. 𝐸𝑙𝑠𝑒 30. Ɲ ⟵ Ɲ .Ɲ ,𝐶 ⟵ C −P / / (𝑄) 𝑉 31. 𝐿 , (𝑄) 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 30. Ɲ ⟵ Ɲ .Ɲ ,𝐶 ⟵ C −P / 31. 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 𝑉 (𝑄) 31.

𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ

/

1.

1. 𝐶 ⟵ 2 9. 9. 𝑃𝐶15. ⟵ 𝑃 15. 𝛽 ⟵ 𝑡 𝛽−for ⟵ 𝑡 j𝑡=− /. .(𝑄) for 1,𝑡𝑉2, j= .1,. .2, , 𝛼. .do . . . , 𝛼 do Algorithm Algorithm TP-MBNR-PH 𝐿1 / ,1.𝑒𝑙𝑠𝑒 5. 𝑒𝑙𝑠𝑒 1 1. /TP-MBNR-PH , / (𝑄)𝐿 / , / (𝑄) / (𝑄)𝐿 10.5. 10. 17. (𝑄) (𝑄) 𝛾, ⟵ 𝑟𝐸𝑙𝑠𝑒 𝛾−⟵ 𝑟𝐼𝑓𝑟𝛼𝐿−=/𝑟 0, /𝑎𝑛𝑑 𝐿 / ,𝛽/ = 0 𝑡ℎ𝑒𝑛 1 1 ⟵ ⟵ ƝƝ16.3,⟵ 2. Cryptography 2. ƝCryptography x2018, FOR3,PEER x FOR REVIEW PEER REVIEW 7 of 15 7 of 15 ⟵ Ɲ𝑠 ⟵ 𝐶≥⟵ C≥ ⟵ C 0, 6.2018, Ɲ= ⟵𝑡ℎ𝑒𝑛 Ɲ ⟵ Ɲ𝑏2, (𝑄)𝑉 𝑉 (𝑄) 𝑠 3 5𝐼𝑓 𝛼 {−1,1} {−1,1} 𝑥 18. − 𝑥16. 𝑥integer − /𝑥 (𝑄)𝑉 Input: Input: An An integer 𝑙 =∑ 𝑙 = 𝑠∑ 3 ,Ɲ 𝑠5𝐼𝑓 ,Ɲ ,Ɲ ≥ , .𝑏.,𝑏,(𝑄) ≥ … 𝑏,2𝐶≥ 𝑏 …2 ≥ 𝑏𝑡 ≥ ≥ 0,𝑡 𝑡 ≥≥ 𝑡 ≥ 11.6. 11. for =𝑉 1, . . . 𝛾 do 0∈ 𝛼 = j0∈ 𝑡ℎ𝑒𝑛 (𝑄) 𝑉 / / 7. 𝐼𝑓 7.=≥ for i≥= 2,i≥ . .⟵ . 1, ,𝑟n≥2, − . .1𝑟.≥ ,do n≥𝑟−⋯≥ 1≥do 3. 3.⋯ 𝑠𝑡 ⋯ 𝐼𝑓 1, = 1,for 𝐶= 5C 12. 12. )𝐿= for j(𝑥 =𝑃for . ∈.𝐼𝑓 ./,1, .𝐸𝑦.,𝛼,2,𝛽 .(𝑄)𝐿 do . .[𝑙], ,𝛽 ≥ ≥ 0𝑠𝑡then and 01, 𝑟then and ≥⋯ 0, 𝑟 𝑃≥ =0, ,1,𝐸𝑙𝑠𝑒 = 𝑦2,j(𝑥 𝐹 ∈ 𝐹=𝑄 [𝑙], =𝑎𝑛𝑑 (𝑥(𝑄)𝐿 𝑄𝛽 ,𝑡ℎ𝑒𝑛 = 𝑦=(𝑥 ) 0/∈𝑡ℎ𝑒𝑛 𝑦/ 𝐹)(𝑄) ∈ 𝐸[𝑙]𝐹 [𝑙] /do ,𝛽 /= ,,𝐸 /)= 17. 𝐸𝑙𝑠𝑒 𝐼𝑓 0.𝐸.𝛼 𝑎𝑛𝑑 0 0 Algorithm Algorithm 1.17. TP-MBNR-PH 1. 𝑟TP-MBNR-PH Ɲ 𝐿⟵ ⟵ Ɲ 𝐿⟵ , 8. 19. 𝛼 ⟵ 𝑏 𝛼 − ⟵ 𝑏 𝑏 − 𝑏 (𝑄)𝐿 (𝑄)𝐿 4. 4. 8. Output: (𝑄) (𝑄) Ɲ Ɲ 1 1 𝐸𝑙𝑠𝑒 / , / for / , j/ = / for , . .2, /, 𝛾(𝑄)𝑉 𝑉, 1,//2, Output: e (P, 18. 18. Q)e (P, Q) j (𝑄)𝑉 =./. .1, . .do . . ,. , 𝛾(𝑄) do Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ , Cryptography 2018, 2, 14 7 Input: Input: An integer An 𝑙 =. .∑ 𝑙 do = 𝑠 ∑ 𝑠3 5 3 , 𝛽𝑠5𝑉 ∈𝐿 {−1,1} ,𝑡 𝛽𝑠−𝑉 ∈ 𝑏 𝑡(𝑄)𝐿 ≥,(𝑄) 𝑏 𝑏 (𝑄)𝐿 ≥≥ … 𝑏 ≥≥𝑏 … ≥(𝑄) 0, 𝑏 𝑡 of ≥ ≥15 0,𝑡 𝑡 ≥≥ 𝑡 ≥ 9. 𝑒𝑙𝑠𝑒 ⟵ ⟵ 𝑡 {−1,1} 𝑡,(𝑄)𝑉 − 5. 5.1. for j⟵ =integer 1, .,𝛼 (𝑄) 13. 13.9. 𝑒𝑙𝑠𝑒 / (𝑄)𝑉 𝐶⟵ 𝑃𝐶 REVIEW 𝑃 2, / , 5C / / , / (𝑄)𝐿 / , / / , 7 /of(𝑄) / , /𝐿/(𝑄)𝐿 / ,𝐶/ ⟵ Cryptography Cryptography 2018, 3,1.x2018, FOR 3,PEER x FOR PEER REVIEW 15 7 of 15 Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ , 19. 19. 10. 10. ⟵ 𝑟∈[𝑙], 𝑟𝐸−𝐹𝑄 𝑟 [𝑙], 1𝑟 𝑃≥Ɲ 6. 6. ≥ 𝑡 ⋯≥≥ 0𝑡 and (𝑥 )⟵ )⟵ ⋯ ≥ 0𝑟 and ≥𝐿𝑟1/𝑟≥ ⋯(𝑄) 𝑟1≥≥𝑟 ⋯≥≥0, =0,(𝑥 𝑃, Ɲ = 𝑦𝛾𝐶 ⟵ ∈𝑟,3C 𝐸Ɲ 𝑦𝛾𝐶−𝐹 (𝑥 𝑄, = 𝑦 (𝑥 )(𝑄) ∈ ,𝐸𝑦 𝐹)(𝑄) ∈ 𝐸[𝑙]𝐹 ,[𝑙] ⟵ ⟵ , /≥ 𝐸𝑙𝑠𝑒 (𝑄)𝑉 (𝑄)𝑉 𝑉 3C 𝑉= ƝƝ20. ⟵⟵Ɲ ,𝐶 ⟵ C / (𝑄)𝑉 / (𝑄)𝑉 Ɲ ⟵ 2. 2. 11.for 𝐼𝑓𝐸𝑙𝑠𝑒𝐼𝑓 𝛼= =𝐼𝑓 0 𝑡ℎ𝑒𝑛 𝑡ℎ𝑒𝑛 𝛼= =0 0 𝑡ℎ𝑒𝑛 𝑡ℎ𝑒𝑛 (𝑄) 7. Algorithm 7. 11.for 𝑉 2 i= 1, 2, ie = .(P, . 1. . 1, ,n 2, .1− . ,do n − 1−do 14. 14. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 0 𝛽 Output: Output: Q) Q) /𝑥 𝑥e−.(P, 𝑥 𝑥 21. for j𝐶=⟵ 1, 2, . , 𝛼5C do Algorithm TP-MBNR-PH TP-MBNR-PH Algorithm 1.1.TP-MBNR-PH 5C 𝐶. .⟵ 12. 12. for j = for 1, 2, j = . . . 1, . . , 2, 𝛽 . do . .,.𝛼. , do 𝛽(𝑄) do 8. 8.3. 1. 𝛼⟵ 𝑏j𝛼= −⟵ 𝑏 𝑏2,j = −. . 1, 𝑏. . ,2,𝛼.do j 𝑠= 1, 2, .bthen . . , 𝛽 do 15. 15.3. 𝐶 20. for for 1, . . . . . 1. ⟵𝑠𝑃𝐶for ⟵ 𝑃 𝐿 1 𝐼𝑓 = 𝐼𝑓 1, then = 1,   / , / 𝐸𝑙𝑠𝑒 20. 𝐸𝑙𝑠𝑒 {−1,1} {−1,1} ∑ 𝑙1 (𝑄)𝐿 Input: An integer An integer 𝑙m𝐿= = 𝑠i 3∑ti 5/ri 𝑠,, 3s / ∈5 3 ,1,⟵ 𝑠15},∈ ,−𝐿⟵ ,𝐿𝐿(𝑄) 𝑏. /. Ɲ ≥ ,/𝑏 𝑏, ≥ ≥(𝑄) … 𝑏 ,t≥≥ … ≥≥0, 𝑏C𝑡 ≥ ≥ 0,𝑡 𝑡 ≥≥ 𝑡 ≥ (𝑄)𝐿 (𝑄)𝐿 ⟵ ,𝑏𝐶(𝑄) ⟵ 𝐿≥𝑠𝑡//bƝ∈ 22. , / , / / / / (𝑄) (𝑄) 1 1 Input: An integer l = s b ≥ . ≥ b ≥ 0, ≥ t {− 9. Input: 9.Cryptography 1 1 ∑ 𝛽 𝑡 𝛽 𝑡 − 𝑡 m / , / 2 2 1 1 i i , / / , / 4. 4.Ɲ21. =1 3,PEER Ɲ 1 ⟵ 1 2 REVIEW (𝑄) 𝑉 2, 2. . . ≥ tm ≥ 0 Cryptography 2018, 3, 2018, x iFOR x FOR PEER REVIEW 7 of 157 of 15 Ɲ ,⟵ ⟵ ƝƝ Ɲ⟵ ⟵Ɲ Ɲ ⟵ , do ,do /,= 21. for j = for 1, j . . . 1, , 𝛼 2, . . . , 𝛼   ⟵ Ɲ ⟵ Ɲ ⟵ Ɲ Ɲ Ɲ , 𝐶 ⟵ 𝐶 C ⟵ C 2. 2. 16. 16.  (𝑄)𝑉 (𝑄)𝑉 (𝑄) 13. 13.0𝑟𝑒𝑙𝑠𝑒 (𝑥 )𝑟∈𝛾− ⋯and ≥ r𝑡 10. ⋯ ≥ ≥ 0𝑡≥and ≥ and ≥≥𝑟 𝑥𝑟0, ≥P ≥ ⋯=𝑟𝑥≥ ≥ 𝑟− ⋯ ≥ ≥ 0, 𝑟 E(𝑄) 𝑃≥F=0,(𝑥 𝑃 ,Q = 𝑦= ,𝐸 𝑦𝑟𝑉 𝐹)𝑟/𝑉 ∈(𝑄) [𝑙], 𝐸 𝐹/𝑄𝑉F(𝑄) [𝑙], =/ (𝑥 𝑄2, = 𝑦 (𝑥 )(𝑄) ∈2,𝐸𝑦 𝐹) ∈ 𝐸[𝑙]𝐹 [𝑙] (𝑄)𝑉 10. /∈𝑟 𝑉 − 𝑥 𝑥 𝛾 ⟵ ⟵ − 𝑉 / 5. 5. 𝑒𝑙𝑠𝑒 ≥ r . . . ≥ r x , y ∈ l , x , y E l ( ) [ ] [ ] k 23. (𝑄) (𝑄) 𝐿 𝐿 for jq = 1 m q 2 P P 1 Q Q / ,1,/ 2, /. . ,. ,/𝛽 do 1 𝐶𝑎𝑛𝑑 ⟵ 3C ⟵ 3C ƝƝ Ɲ ⟵ ƝƝ , 𝐶 ⟵ , 𝐶(𝑄) C⟵ C 22. 11. Output: 11.6. Output: e6.(P, Q) e= (P, Q) 𝐼𝑓 𝛼𝐼𝑓= 0=𝑡ℎ𝑒𝑛 𝛼Ɲ 0=𝑡ℎ𝑒𝑛 3. 3. ⟵then 3C 𝐼𝑓22. 𝑠Algorithm 𝐼𝑓 1,1. 𝑠then =𝐶 1, 17. 17. 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝛼𝐼𝑓 𝐼𝑓 0= 𝛼⟵ 𝛽 0𝐶𝑎𝑛𝑑 = 0 𝛽, /(𝑄) =(𝑄)𝐿 0 𝑡ℎ𝑒𝑛 𝐿⟵ Ɲ ⟵ TP-MBNR-PH 1. TP-MBNR-PH / 𝑡ℎ𝑒𝑛 / , / (𝑄) 𝑉 𝑉 2 Output: eAlgorithm P, Q ( ) / / l 14. Ɲ ⟵ ,2 14.𝐶Cryptography 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽= 𝑡ℎ𝑒𝑛 𝛽.do = 0, 𝛾𝑡ℎ𝑒𝑛 12. 12. 1. Cryptography 1.7. for j = for 1, 2,j𝐸𝑙𝑠𝑒𝐼𝑓 = . . .for 1, . . ,2,j𝛽 . do .= .Ɲ .Ɲ.0,2,𝛾𝛽 do for j2, =FOR 1,.x1, 2, . ....1PEER ,.𝛾REVIEW do ⟵ 𝑃𝐶 for ⟵ 𝑃= 4. 4. Ɲ ⟵ 1 ⟵ 1 18. 18.Cryptography 1, . . . . do 3, 2018, x FOR 2018, 3, PEER x 3, REVIEW FOR PEER REVIEW 7 of 157 of 715of 15 7.2018, i for 1, i = . . , n 2, − , do n − 1 do (𝑄)𝑉 (𝑄) 𝑉 24. j∈ =for 1,, 2, j /=. . ≥ .1,, 𝛽𝑏2,𝑏do . .≥ . , 𝛽𝑏…do {−1,1} {−1,1} 1. P 23. Input: Input: An23. integer An 𝑙 = ∑(𝑄)𝐿 𝑙 =𝑠 ∑ 𝐿𝑠 3 for 5 (𝑄)𝐿 , for 𝑠5 (𝑄)𝐿 ∈jfor ,= ≥ ≥≥𝑏… ≥ ≥ 𝑏0, 𝑡 ≥≥0,𝑡𝑡 ≥ 𝑡 ≥ 1 integer 15.C ← 15. j/3/= .⟵ .//𝑠.𝑏1, .(𝑄) .//𝑏,2,𝛼 .do .//.𝑏𝑏 .(𝑄) . , ,𝛼,do (𝑄)𝐿 𝐿1 /𝑒𝑙𝑠𝑒 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 5. 8. 5. // (𝑄) ,, // 𝐿 ,, 1, ////𝑏2, ,, − ,, − 𝐿 𝐿 (𝑄) (𝑄) 𝑒𝑙𝑠𝑒 / , / / , / , / 8. 𝛼 ⟵ 𝛼 / / / , / (𝑄)𝐿 3C 𝐿 / ,𝐶 𝐿⟵ (𝑄) ⟵ Ɲ ⟵ 2.x2.FOR PEER 2. ⋯Ɲ Ɲ Ɲ ,𝐸/(𝑄) ,= / /(𝑄)𝐿 , / (𝑄) ƝREVIEW ⟵ Ɲx𝑥Q𝑡0−1 − ,𝑃 ←≥ Ɲ≥≥⟵ Ɲ Ɲ 0, ⟵𝑃 Ɲ 19. (𝑄) )Ɲ )𝐹∈Ɲ 𝐿𝑉 𝐿 Cryptography 2018, 3,13. 7(𝑥 of ≥−19. ≥ ≥𝑥 𝑥TP-MBNR-PH 0𝑟− and 𝑟1. 𝑟≥ ≥⋯𝑟Ɲ 𝑟⟵ ⋯≥ ≥ 𝑟⟵ ≥Ɲ =0,(𝑥 ,= 𝑦⟵ ∈Ɲ/, 𝑦 𝐸⟵ 𝐹/𝑄1,[𝑙], 𝑄1,15 =𝑦/(𝑥 ), ∈,,/,𝑦𝐸 )𝐹∈, 𝐸[𝑙]𝐹 [𝑙] xand /(𝑥 ,(𝑄)𝑉 /[𝑙], Ɲ ⟵ P1. (𝑄)𝑉 (𝑄) (𝑄) 𝑉 13.9. 6. 6.1𝑡 ⋯ Algorithm 1.≥𝑥TP-MBNR-PH TP-MBNR-PH ⟵ / 𝑡𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 9. 𝛽/⟵ ⟵ 𝛽 − 𝑡 / 𝑡j,Ɲ − 1, 𝑡/(𝑄) 25. for 2, .𝐶.C./⟵ ,(𝑄) 𝛾(𝑄)𝑉 doC (𝑄) ƝƝ ƝƝ ,= 𝐶 ⟵ ,𝑉 16.Algorithm 16.Algorithm /⟵ (𝑄)𝑉 (𝑄) 𝑉 24. 24. 𝑉 / (𝑄)𝑉 (𝑄)𝑉 (𝑄)Ɲ ⟵/Ɲ𝑉 (𝑄)𝑉 / (𝑄) 2 𝑉 /3C 2 s𝑠Output: = 1,1,Output: efor Q) e. 𝐶 (P, Q) 3.3. 3.10.I𝐼𝑓f 7. =for 𝐼𝑓 𝑠then 1,2,ithen 1 10. 𝐶⟵ ⟵ 7. ithen == 1,(P, = .An . 1, , n⟵ − .1∑ . ,do −𝑠𝑙1 do∑𝑠 3 𝑠𝐶5 ⟵3, 3C 𝛾𝐶 𝑟𝐿5C 𝛾𝑠𝐶 − 𝑟,(𝑄)𝐿 𝑟≥3C (𝑄) ⟵ 5C , ≥ {−1,1} /,⟵ ,𝑟𝑠/{−1,1} ∑= Input: Input: An Input: integer An integer 𝑙2, integer =.5C 𝑙n = 𝑠53⟵ ∈ ,5{−1,1} ∈ ∈− 𝑏⟵ ,/𝐶𝑏,𝑏⟵ ,/≥ ≥3C 𝑏(𝑄)𝐿 𝑏…≥≥≥ 𝑏𝑏/…≥ ≥/…𝑏0, ≥𝑡 𝑏≥≥0,≥ 𝑡𝑡 0,≥𝑡 𝑡≥ ≥𝑡 ≥ 𝐶 Algorithm14. 1. TP-MBNR-PH Ɲ ⟵ Ɲ , 17. 17. 1. 1. ← 1 𝐸𝑙𝑠𝑒 𝐼𝑓 𝐸𝑙𝑠𝑒 𝛼 = 𝐼𝑓 0 𝑎𝑛𝑑 𝛼 = 𝛽 0 𝑎𝑛𝑑 = 0 𝑡ℎ𝑒𝑛 𝛽 = 0 𝑡ℎ𝑒𝑛 𝐶 ⟵ 𝑃 𝐶 ⟵ 𝑃 4. 4. Ɲ ⟵ Ɲ 1 ⟵ 1 14. 𝐸𝑙𝑠𝑒𝐼𝑓 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 𝛽 = 0 𝑡ℎ𝑒𝑛 1 8. 𝛼 ⟵ 𝑏 𝛼 − ⟵ 𝑏 𝑏 − 𝑏 11. 11. 𝐼𝑓 𝑠 = 14.𝑡ℎ𝑒𝑛8. 𝐼𝑓 𝛼 = 𝐼𝑓 0 𝑡ℎ𝑒𝑛 𝛼 = 0 𝑡ℎ𝑒𝑛 20. 20. 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 26. (𝑄)𝑉 (𝑄)𝑉 𝑉 (𝑄) 25. 25. for j = for 1, 2, j = . . . 1, , 𝛾 2, do . . . , 𝛾 do (𝑥 )= )𝐹 ),2,𝛾∈./𝐹 ⋯ ≥𝑒𝑙𝑠𝑒 𝑡⋯≥ ≥ ⋯𝑒𝑙𝑠𝑒 𝑡0 ≥and ≥ 𝑡 0≥ 𝑟and ≥ 0 and 𝑟1𝑟 ≥≥⋯ 𝑟𝑟 ≥≥𝑟 ⋯≥≥≥⋯0, 𝑟 ≥𝑃 ≥𝑟=0,≥ 𝑃0,,= 𝑦 𝑃(𝑥 ∈,(𝑥 𝑦 𝐸j = ∈. .[𝑙], 𝐸 [𝑙], 𝐹 = (𝑥 [𝑙], 𝑄 ,=𝑦𝑄(𝑥 )=∈,(𝑥 𝑦𝐸 )𝐹 , 𝑦∈ 𝐸 ) [𝑙] ∈𝐹𝐸 𝐹[𝑙] [𝑙] 18. 18. for j.⟵ for 1, .,𝑏...𝑦 do ..𝐸.𝑄 do 5.5.integer 5.12. 15. for, j = 1, 2,j𝑏 .j= .= 1, .1, .for 𝛼 .2, .⟵ ..𝑡....1, ,1, 𝛼 do ∑ 9. Input: An15. =9. 𝑠 ⟵Ɲ 3 𝐿⟵ 5, (𝑄) , 𝑠1 ∈ {−1,1} 𝑏 for ≥for ≥ ≥ 𝑡..do 𝑡(𝑄)𝐿 ≥ (𝑄)𝐿 (𝑄) (𝑄) 𝛽j= 𝑡,2, 𝛽j2, − − 12. = 1, jdo .(𝑄)𝐿 ,2, 𝛽 ./.(𝑄)𝐿 ,,,𝛽𝛾≥ do Ɲ 21. 21. for for 2, = .≥ .= ,/1, 𝛼 do . .,.𝑡𝐶do ..0, ,𝛼 2.𝑙else 2. 𝐿… 𝐿𝑡. 2, ⟵ 5C / / , / / , / / , / / , / / Ɲ ⟵ Ɲ , 𝐶 ⟵ C + P Output: Output: e Output: (P, Q) e (P, e Q) (P, Q) 𝑥 − 𝑥(𝑄) 𝑥 −𝑥 (𝑄)𝐿 𝐿1//⟵ 𝐿Ɲ(𝑄)𝐿 (𝑄) (𝑄) 𝐿Ɲ 𝐿 1 /(𝑄)𝐿 6.6. 𝑟 ≥10. 6.𝑟 ≥ ⋯ ⟵ /𝑟(𝑄)𝐿 /𝑟, , 1 / ,, 1 / , / (𝑄) Ɲ ⟵ Ɲ , , , /(𝑥 ,𝛾 //⟵ , , //− (𝑄)𝐿 (𝑄)𝐿 10.≥ 𝑟 27. ← 𝐿Ɲ(𝑄) 𝐿Ɲ ⟵ 𝑟, ,1///− (𝑄) 𝐿/Ɲ 𝐿/⟵ − // (𝑄) // (𝑄) ⋯ ≥ 𝑡 ≥ 0 and ≥ 0,26.𝑃 𝑉= (𝑥 ,𝑠𝑦 ) = ∈ƝƝ 𝐸 𝐹⟵Ɲ [𝑙], 𝑄= 𝑦 ∈//, 𝐸 𝐹C/(𝑄) [𝑙] //,1𝑟 , , ,𝛾 /𝐶) Ɲ Ɲ ⟵ Ɲ , , 𝐼𝑓 1 𝑡ℎ𝑒𝑛 19. 19. ⟵ Ɲ ⟵ Ɲ ⟵ , 𝐶 ⟵ C 26. (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 16. 16. 𝑉 𝑉 (𝑄) (𝑄) Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ , , 1. 1. 1. / / 𝐶 ⟵ 𝑃 𝐶 ⟵ 𝐶 𝑃 ⟵ 𝑃 Ɲ ⟵ Ɲ ⟵ Ɲ , 𝐶 ⟵ , 𝐶 C ⟵ C 22. 22. 3. 3. 𝐼𝑓 𝑠 = 𝐼𝑓 1, 𝑠 then = 1, then 7.7. 7. (𝑄)𝑉 (𝑄)𝑉 (𝑄) 𝑉𝑉=//𝑉𝐼𝑓 𝑉(𝑄)𝑉 (𝑄)(𝑄) (𝑄) 𝑉 /𝐼𝑓(𝑄) 20 for ii = = 1, for 1, 2, 2,i .= .....,1, ,nn2, −.1.1.do ,do n − 1 do 𝐸𝑙𝑠𝑒 𝛼𝑉 0(𝑄)𝑉 𝛼𝑉 =//𝑉 𝑡ℎ𝑒𝑛 (𝑄)𝑉 (𝑄) − 13. (𝑄) 225C 25C /𝑡ℎ𝑒𝑛 /𝐿 Output: e (P, Q) 11.13.for11. / (𝑄) , (𝑄) 1 𝐿 1(𝑄)1 𝐶 ⟵ 𝐶⟵ 4. 12.4. Ɲ 28. Ɲ ⟵ Ɲ 1 ⟵ 1 Ɲ ⟵ , 𝐶 ⟵ C+P 8.8. 8. ⟵ 𝑏 − ⟵ 𝑏 𝑏 − 𝑏 17. 17. 𝐸𝑙𝑠𝑒 𝐼𝑓 𝐸𝑙𝑠𝑒 𝛼 = 𝐼𝑓 0 𝑎𝑛𝑑 𝛼 = 𝛽 0 𝑎𝑛𝑑 = 0 𝑡ℎ𝑒𝑛 𝛽 = 0 𝑡ℎ𝑒𝑛 12. , 𝐶 ⟵ 5C 𝐶 ⟵ 5C for j = for 1, 2, j = . . . 1, . . , 2, 𝛽 . do . . . . , 𝛽 do ⟵ Ɲ Ɲ ⟵ ⟵ 2. α 𝐶12, ⟵ ⟵ 23. 2.23. 2. forbij−=bfor 1, j= . . .3C 1, ,𝐶𝛽2, do . . .3C , 𝛽(𝑄) do 1. i+ 𝑉 𝐶⟵𝑃 Ɲ 27. ⟵ Ɲ27. . Ɲ− 𝑥𝐼𝑓 ⟵=C1−𝑡ℎ𝑒𝑛 P← =,𝑠𝑥𝐶 1 𝑡ℎ𝑒𝑛 𝑥𝑒𝑙𝑠𝑒 𝑥 𝑠−𝑥(𝑄) 𝑥𝐼𝑓 − 5. 5. 𝑒𝑙𝑠𝑒 (𝑄)𝐿 (𝑄)𝐿 9. 9. 𝐿 𝐿 (𝑄) (𝑄) 𝛽 ⟵ 𝑡 𝛽 − ⟵ 𝑡 𝑡 − 𝑡 𝑉 18. 18. for j = for 1, 2, j𝐿− = . ./. 1, .,, . //,2, 𝛾𝐿𝐸𝑙𝑠𝑒 .do .//=. .,, 0 . //, 𝛾 do 20. 14. 20. 29. //𝐸𝑙𝑠𝑒 ,, =//0 // ,, // (𝑄) 1 14. (𝑄) 𝛽(𝑄)𝐿 𝑡ℎ𝑒𝑛 𝛽𝐿(𝑄)𝐿 𝑡ℎ𝑒𝑛 βƝ ← t𝐸𝑙𝑠𝑒𝐼𝑓 𝐸𝑙𝑠𝑒 9. i / tƝ i +1𝐸𝑙𝑠𝑒𝐼𝑓 (𝑄) 𝐿 , ,, (𝑄) ,, ⟵ ,Ɲ 3.𝐼𝑓28. 𝑠 =𝐼𝑓28. 1,𝑠𝐼𝑓 then =𝑠 1,=then 1, then 𝐿 Ɲ Ɲ ⟵ / 3. Ɲ , /⟵ ⟵ ƝƝ Ɲ, 𝑟for ⟵ Ɲ 6. 3.13.6. 2. Ɲ/for ⟵ Ɲ Ɲ/..1, ⟵ (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 10. 𝐿 (𝑄) (𝑄) 𝛾 ⟵ 𝛾 − ⟵ 𝑟 𝑟 − 𝑟 Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ 𝐶do ,C𝐶+⟵ PC+P (𝑄)𝑉 (𝑄)𝑉 (𝑄) 21. 21. 𝑉 𝑉 13. j = for 1, 2, j = . . 1, , 𝛼 2, do . . . ,/,𝛼𝛼 / , / , / , / ,, do /⟵ / / / (𝑄) 15. 15. 𝐿 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 10. for j = 1, 2, j = . . . . , 2, 𝛼 . do . . . . / / 𝑥 − 𝑥 (𝑄)𝑉 (𝑄)𝑉 (𝑄) 𝑉 𝑉 24. 24. γ ← r − r 10. / / i i + 1 (𝑄) 𝑉 1⟵ 𝑉 ⟵1 do Ɲ , C−P 19. 19. 4. Ɲ 1(𝑄) ⟵ Ɲ 1, , (𝑄) 30.i =for Ɲ ⟵ Ɲ . , 𝐶 ⟵ 7. 4. 7.4. for 1, 2, i =. . Ɲ .1,, n2,⟵ −. . 1.Ɲ ,Ɲdo n− 11. 11. 𝐼𝑓 𝛼 = 𝐼𝑓 0 𝑡ℎ𝑒𝑛 𝛼 = 0 𝑡ℎ𝑒𝑛 (𝑄) 𝐿 𝐿 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 1 1 / , / / , / 𝑉 𝑉 (𝑄) (𝑄) 𝐶 ⟵ 3C 𝐶⟵ ⟵ 3C / , 3C /𝐶 / , 3C /𝑉 (𝑄) 3. 𝐼𝑓 𝑠 = /⟵ ⟵ I f /⟵ α =Ɲ 0𝐶 then 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 11.1, then16. 22. 8. 22. 5. 29. 29. Ɲ= Ɲ= Ɲ 𝐶− ⟵ C⟵ C 𝛼 ⟵ 𝑏 𝛼5C − ⟵ 𝑏𝛽= 𝑏/,do 𝑏 2, 𝐶 12. 5. 12.8. 5.25. for j for 1, 2, j . . . 1, . . , 2, 𝛽 . do . . . . , / 14. 14.16.𝑒𝑙𝑠𝑒31. 𝑒𝑙𝑠𝑒𝑒𝑙𝑠𝑒 𝐸𝑙𝑠𝑒𝐼𝑓 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 𝛽 0 𝑡ℎ𝑒𝑛 (𝑄) (𝑄) 𝑉 𝑉 2 / 𝐶 ⟵ 5C 𝐶 ⟵ 4. 25. / .𝐿 1, = .do . . 1, , 𝛾2,do . . ,, 𝛾(𝑄) do𝐿 , (𝑄) 𝑟𝑒𝑡𝑢𝑟𝑛ƝƝ ⟵ 1 for j = 1,for 2, j. Ɲ .= . .for .⟵ . ,2, βj/Ɲ 12. 6. 9. 6. 9.6. Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 (𝑄) (𝑄) 𝛽 ⟵ 𝑡 𝛽 − ⟵ 𝑡 𝑡 − 𝑡 30. 30. Ɲ Ɲ Ɲ . Ɲ Ɲ . Ɲ , 𝐶 ⟵ ,C𝐶−⟵ P C−P / , / / , / / , / / , / 15. 15. 23. 23. for j = for 1, 2, j = . . . 1, . . , 2, 𝛼 . do . . . . , 𝛼 do for j = for 1, 2, j = . . . 1, , 𝛽 2, do . . . , 𝛽 do 20.17. 17. 𝐸𝑙𝑠𝑒 𝐼𝑓 𝐸𝑙𝑠𝑒 𝛼 𝐼𝑓 𝑎𝑛𝑑 𝛼, =/ 𝛽 0(𝑄)𝐿 =,)𝑉, 0/ 𝑡ℎ𝑒𝑛 𝛽(𝑄)𝐿 = 𝐿 (𝑄) 5. 𝑒𝑙𝑠𝑒 20. 7. (𝑄) /(𝑄) ,𝑉, 0 / 𝑡ℎ𝑒𝑛 / , / (𝑄) /Ɲ ,𝐸𝑙𝑠𝑒 /𝐿 ,𝐸𝑙𝑠𝑒 /0/(𝑄)𝐿 L⟵ Q/)=L ((𝑄)𝐿 (/Q𝑎𝑛𝑑 ⟵ 3do C/4,C/4 C/2,5C/2 7.for i =for 1, 2, ifor =. . .1, i ,= n2,− 1, . . 12, . , do n. Ɲ .− . 1, n1 − doƝ 1Ɲ 10. 7. 10. 𝛾 ⟵ 𝑟 𝛾 − ⟵ 𝑟 𝑟 − 𝑟 Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ , , (𝑄)𝑉 (𝑄)𝑉 (𝑄) (𝑄) , ← (𝑄) (𝑄) 𝑉 𝑉 (𝑄)𝐿 (𝑄)𝐿 13. 13. 𝐿 𝐿 𝐿 𝐿 (𝑄) (𝑄) 1 1 1 j/= for /j j= //do /,for /j. .= /𝛾/ .do ,. .(𝑄)𝑉 , (𝑄) / / for 21. 21.18. 18. 31. 31. 1, 2, .Q .= ./1, 𝛼,Ɲ,2, .//,).(𝑄)𝑉 𝛼 for 1, 2, 1, ., ,,. /𝐶 ,do 2, . /,. 𝐶 ,C𝛾/⟵ do 6. 26. V Q 𝑉⟵ 𝑉 (𝑄) (⟵ (𝛼 13. 8. 3C C/2 Ɲ Ɲ ⟵ ⟵V Ɲ Ɲ , C , 16.11. 8.26. 16.11. / )(𝑄)𝑉 /𝑏 𝑟𝑒𝑡𝑢𝑟𝑛Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ ⟵ ƝƝ ƝƝ ⟵ 8. 𝛼 ⟵ 𝑏 𝛼 − ⟵ 𝑏 ⟵ − 𝑏 𝑏 − 𝑏 𝐼𝑓 𝛼 = 𝐼𝑓 0 𝛼 𝑡ℎ𝑒𝑛 = 0 𝑡ℎ𝑒𝑛 3C 𝐶 3C (𝑄) (𝑄) 𝑉//⟵ 𝑉(𝑄)𝑉 2/ (𝑄)𝐿 2 / , / (𝑄) (𝑄) 𝑉(𝑄) 𝐿𝐿𝐶C//⟵ (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 ← 3C 𝐿𝐶 /, 𝑉 /1 /(𝑄) // (𝑄)𝑉 , , //𝐿 /(𝑄) 7. /𝐶 ,⟵ , 1 / , / (𝑄) for i = 1, 2, 9. . . .24. , n − 124. do /5C ⟵ 9. ƝƝ ⟵ ƝƝ ƝƝ ⟵ ,/.− 𝐶 C5C 22. 22. 𝛽=⟵ 𝑡1, 𝛽,, 𝐶 − ⟵ 𝛽 𝑡. . 𝑡𝑡ℎ𝑒𝑛 ⟵ 𝑡𝛽𝑡⟵ − 𝑡. , C𝛽 do ⟵𝐸𝑙𝑠𝑒𝐼𝑓 ƝƝ ⟵ ⟵ , , 19. 19. 12. 9.17.12. for j = for 2, j = . 1, . 2, , . . do . . 14. 14. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 0 𝑡ℎ𝑒𝑛 𝛽 = 0 17. 𝐶 ⟵ 3C 𝐶 ⟵ 3C 𝐸𝑙𝑠𝑒 𝐼𝑓 𝐸𝑙𝑠𝑒 𝛼 = 𝐼𝑓 0 𝑎𝑛𝑑 𝛼 = 𝛽 0 𝑎𝑛𝑑 = 0 𝑡ℎ𝑒𝑛 𝛽 = 0 𝑡ℎ𝑒𝑛 (𝑄) (𝑄) 𝑉 I f /β = 𝑉 0 then 14. 27. 𝑉 / 2(𝑄)𝑉 2(𝑄)𝑉 (𝑄) (𝑄) 8. / (𝑄)𝑉 𝛼 1⟵𝑡ℎ𝑒𝑛 𝑏 − 𝑏 Else 𝑉 27. 10.𝐼𝑓 𝑠 𝐼𝑓 = 𝑠1 𝑡ℎ𝑒𝑛 = /𝑟 10. 10. 𝛾 ⟵ 𝛾 − ⟵ 𝑟 𝛾 𝑟 ⟵ − 𝑟 𝑟 − 𝑟 (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 (𝑄) (𝑄) /. 2, /.do / do , / 15. 18. 15.25. 18.25. == for 1, 2, j j.= = .⟵ . .for .j1, ,2, 𝛼1, . .𝛽 ,,.𝛾𝛼1, do for = for .,𝐶 ,/do j2, j,,2, = ./.𝐿do ..2, ..j1, ..,/= 2, .𝛾do .2, .,. ., .𝛾/, 𝛾do 23. 23. for for 1,Ɲ2, 𝛽 for 1, ..,1, .,𝐶 .(𝑄) αdo do (𝑄) 9. Ɲjj j= ⟵ Ɲ Ɲ , , 𝐿.= 𝛽 ⟵ 𝑡 − 𝑡 for 15. 11. ⟵ 5C ⟵ 5C 11. 𝐼𝑓 𝛼 = 𝐼𝑓 0 𝛼 𝑡ℎ𝑒𝑛 𝐼𝑓 = 𝛼 0 = 𝑡ℎ𝑒𝑛 0 𝑡ℎ𝑒𝑛 (𝑄)𝑉 (𝑄)𝑉 (𝑄) (𝑄) (𝑄) (𝑄) 𝑉 𝑉 𝐿 𝐿 1 1 28.13. 11. 28.13. Ɲ 𝐿𝐿⟵ Ɲ ⟵ Ɲ , 𝐶 ⟵ C , 𝐶 + ⟵ P C +(𝑄) P(𝑄) /, /(𝑄)𝐿 /(𝑄)𝐿 /, / /, 𝐿 /(𝑄)𝐿 /, /)/, ,/(𝑄)𝐿 /(𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 𝐿 (𝑄) (𝑄)𝐿 (𝑄) (𝑄) , / / , / / , / / , / (𝑄) / / , / / , / / , / , / / Q L ( / / / C/4,C/4 , / 𝑉/ , /(𝑄) , ⟵ / (𝑄) / 10. 2⟵ 𝛾 ⟵ 𝑟Ɲ − 𝑟⟵ 20. 12. 𝑉.C 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 ,/= ,1. 𝐶 C,2, 16. 16. Ɲ⟵ ⟵ ƝƝ ƝƝ ⟵ ƝƝƝƝ ⟵ ƝƝjƝ= , , 19. 19.20. 12. ,⟵ Ɲ ⟵ Ɲ for for 1, 2, jfor .𝐶 .1, j .← = .𝐶 2, , 𝛽1, .C do . .,⟵ .. ,. 𝛽. 2. do . C, 𝛽, do , , 16. 12. 1 ← 1 ⟵ 𝐶 3C ⟵ 3C (𝑄) (𝑄) 2 𝑉 𝑉 2 / / 26. 26. (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 V𝑉C/2 Q (𝑄) ((𝑄)𝑉 )𝑉 (𝑄)𝑉 (𝑄) (𝑄) 𝑉2, (𝑄) (𝑄) 24. 24.21. 29.21. 11. 29. 𝐼𝑓 𝛼 = 0 𝑡ℎ𝑒𝑛 /𝑉 /(𝑄)𝐿 𝐸𝑙𝑠𝑒 /for /. 1, /𝑉 for j/𝑉= 1, j𝐿 = . 𝐸𝑙𝑠𝑒 ./(𝑄)𝑉 ,(𝑄)𝐿 𝛼,2, do ./.(𝑄)𝑉 .(𝑄) , 𝛼,(𝑄) do (𝑄)𝐿 𝐿 𝐿 (𝑄) (𝑄) / , / / , / / , / / / / , / 𝐸𝑙𝑠𝑒𝐼𝑓 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽(𝑄) = 0= 𝛽 𝑡ℎ𝑒𝑛 =𝑡ℎ𝑒𝑛 0 𝑡ℎ𝑒𝑛 17. 17.14. 14. 𝐼𝑓 0⟵ 𝑎𝑛𝑑 𝛼 =𝐶 𝛽 0⟵ 𝑎𝑛𝑑 = 0𝐶 𝛽⟵ 0 f𝛼α= = 0⟵ and β 05C then ⟵ Ɲ𝐶 Ɲ Ɲ ⟵ Ɲ𝐿𝐿 𝐿 17. (𝑄) (𝑄) 1 , 3C 3C 𝐶/= ⟵ 5C 𝐶/, ⟵ 𝐿𝑡ℎ𝑒𝑛 1, , 5C 12. for j = 1, 2, .𝐸𝑙𝑠𝑒 . .Else . .Ɲ , 𝐼𝑓 𝛽I𝐸𝑙𝑠𝑒 do ,Ɲ , (𝑄)𝑉 /𝑉 ,(𝑄) / 5C (𝑄)𝑉 (𝑄) (𝑄) (𝑄) 𝑉 𝑉 13. 13. 13. 30. 30. Ɲ ⟵ Ɲ . ⟵ Ɲ Ɲ . Ɲ , 𝐶 ⟵ C ⟵ P C−P / / / 15. 15. for j = for 1, 2, j = . . . 1, . . 2, , 𝛼 . . do .(𝑄)𝑉 ., .𝐶,− 𝛼 do Ɲ ⟵ Ɲ Ɲ ⟵ Ɲ , 𝐶 ⟵ , 𝐶 C ⟵ C 22. 22. 18. 18. for j = for 1, 2, j = . . . 1, . . , 2, 𝛾 . do . . . . , 𝛾 do (𝑄)𝐿 25. 25. 𝐿 (𝑄) 27. 27. γ for j /=1,for 1,2,2,.j .= ....𝑉..𝐸𝑙𝑠𝑒 1, ,𝑉.𝛾,2, do .do .𝑉.𝐸𝑙𝑠𝑒 ,𝑉𝛾 /do (𝑄) (𝑄) 𝐼𝑓 𝑠 𝐼𝑓 = 𝑠1 𝑡ℎ𝑒𝑛 =/ 1, /𝑡ℎ𝑒𝑛 for 20. 18. 20. (𝑄) (𝑄) / ,j = 2 2 /3C (𝑄) (𝑄) 𝐶 ⟵ 𝐶 ⟵ 𝐶 3C ⟵ 3C 𝐿 𝐿 1 1 Ɲ ⟵ Ɲ/ , /(𝑄)𝐿 , , / 𝐿/ /(𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄) (𝑄) (𝑄) /Ɲ /Q /,(𝑄) ,,/.𝐶 / (𝑄) 𝐿1, /Ɲ (𝑄)𝐿 𝐿𝐿2C/4,C/4 𝐿𝐿((𝑄)𝐿 (𝑄) ,(𝑄)𝐿 ,,(𝑄)𝐿 L⟵ Q//for L Q,,, 𝐶 )⟵ (j/Ɲ (/do )do 21. 21.16. 𝑉/ Ɲ 13. j/Ɲ =,j, ⟵ for 2, = .,j). L.= ,5C/2, 2, .,⟵ ..//,.⟵ 𝛼 // for 16. 31. // Ɲ ,, /(𝑄) ,, for //Ɲ 31. 23. 23. C/2,5C/2 5C/2 = 1, 2, .1, ./𝛼., 1, 𝛽𝛽2, do 𝛽𝑡ℎ𝑒𝑛 /Ɲ5(𝑄)𝑉 𝑟𝑒𝑡𝑢𝑟𝑛𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ ƝƝ Ɲ ← ⟵ 19. 19. 14. ⟵ Ɲ 𝐶/do C.,0,𝐶/+ ⟵ P,,C,/⟵ C +2 P,,C 𝐸𝑙𝑠𝑒𝐼𝑓 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 𝐸𝑙𝑠𝑒𝐼𝑓 0 𝛽 𝑡ℎ𝑒𝑛 = 0 = 𝑡ℎ𝑒𝑛 Ɲ1 ⟵ Ɲ Ɲ𝑉2 ⟵ (𝑄) (𝑄) 𝑉 𝑉 2 19. 14.28. 14.28. / / 1 ⟵ Ɲ (𝑄)𝑉 (𝑄)𝑉 𝑉 (𝑄) (𝑄) (𝑄) (𝑄) 𝑉 1 (𝑄) 1 26. 26. (𝑄)𝑉 /𝑉 (𝑄)𝐿 𝑉C/2 𝑉 (𝑄) 𝐿(𝑄) // (𝑄)𝑉 /𝐿 // (𝑄)𝑉 ,(𝑄) / (𝑄) 𝐶 ⟵ 3C V V/3C V Q ((𝑄)𝑉 )𝐿𝐿for (,jfor )2, ,Q ,1, /. (𝑄)𝐿 / (𝑄) 5C // Ɲ 15. 15. for jQ𝐸𝑙𝑠𝑒 = 1,= 2, =/. )𝛼 .𝑎𝑛𝑑 .1, j .= = .2, , (𝛼 do . ,..0,. 𝛼𝛽 ./𝑡ℎ𝑒𝑛 .C= ,/⟵ 𝛼,0do ƝƝ 𝐸𝑙𝑠𝑒 ⟵ ⟵ Ɲ ,𝛽.𝐶/.𝑎𝑛𝑑 ⟵ , .𝐶do C 22.29. 22.17. 17. 15. 𝐼𝑓 𝛼𝐶 𝐼𝑓 0 0 = 𝑡ℎ𝑒𝑛 ⟵ Ɲ Ɲ ⟵ Ɲ , 29. 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝐶 ⟵ 5C ⟵ 5C 𝑉⟵ 𝑉(𝑄)𝑉 2 2 1, 14. 𝐸𝑙𝑠𝑒𝐼𝑓 𝛽 = 0 𝑡ℎ𝑒𝑛 𝐶C ⟵ (𝑄)𝑉 (𝑄) (𝑄) 5C 𝐶 24. 24. /𝑉(𝑄) /𝑉(𝑄) ← 𝐿5C /5C /(𝑄) (𝑄) (𝑄) 𝐿 𝐿 1 1 / , / / , / / , / 18. for⟵ j =⟵ for 1, jƝ =. . .1,.,𝐿.𝐶2, , ,𝛾⟵ . .do . . . ,C𝛾⟵ 𝐿j 2, 20. 16. 20.18. 𝐼𝑓 ⟵for Ɲ𝐸𝑙𝑠𝑒 Ɲ Ɲ ,do 𝐶⟵ C C 16.𝐼𝑓 𝐸𝑙𝑠𝑒 23.𝑠30. 15. j.Ɲ =𝑉for 1, = ., .𝑉(𝑄) .3C 1, ,𝐶𝛽2, do . (𝑄) .3C , 𝛽,2𝐶do j = 1, 2, . . . . . , 𝛼Ɲ 27. 27. = 𝑠1 𝑡ℎ𝑒𝑛 = 1for 𝑡ℎ𝑒𝑛 𝐶 ⟵ ⟵ 30. 16. Ɲdo⟵ ƝElse ⟵ Ɲ Ɲ/2, .Ɲ , ./𝐶 ⟵ C,(𝑄)𝐿 𝐶−⟵ P2 C(𝑄) 20. 23. (𝑄) (𝑄) (𝑄) 𝑉 2− P (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 / 𝐿 𝐿 / , / / , / / , (𝑄) / / , / (𝑄) /(𝑄) , j /𝐿 /, 𝛼 ,2, / . . .(𝑄) (𝑄) 𝑉 𝑉 21. 21. (𝑄)𝐿 (𝑄)𝐿 (𝑄) 𝐿 𝐿 (𝑄) for j = for 1, 2, = . . . 1, do , 𝛼 do 𝐿 (𝑄) 1 𝐿 / , / / , / / , / / , / / , / Ɲ ⟵for , , 25. 25. for j = for 1, 2, j = . . . 1, , 𝛾 2, do . . . , 𝛾 do Ɲ Ɲ ⟵ Ɲ , 19. 19. j⟵ =𝐼𝑓 1,Ɲ 2,= .𝐼𝑓 .,Ɲ .𝐶,𝛼 α⟵ do 21. 17. 𝐸𝑙𝑠𝑒 𝑎𝑛𝑑 𝐼𝑓 =(𝑄) 𝛼 𝑎𝑛𝑑 = 0P(𝑄)𝑉 0𝑎𝑛𝑑 𝛽 =1𝛽 = 0 𝑡ℎ𝑒𝑛 Ɲ, 𝐸𝑙𝑠𝑒 Ɲ𝐸𝑙𝑠𝑒 ⟵ ,𝑡ℎ𝑒𝑛 , , Ɲ ⟵ Ɲ/ 𝐶 ⟵ C𝛼 28. 28. 17. 17. Ɲ⟵ ,𝛽𝐶= + ⟵ C𝑡ℎ𝑒𝑛 + P0 /Ɲ ⟵ 16. (𝑄)𝑉 (𝑄)𝑉 𝑉0 𝑉C0 (𝑄) (𝑄) 𝐿𝐿Ɲ 𝐿(𝑄) / 1(𝑄)𝑉 / ,(𝑄) /𝑉 / /,(𝑄) / (𝑄)𝑉 (𝑄)𝑉 (𝑄) (𝑄) Ɲ Ɲ 𝑉 / (𝑄) 𝑉 𝑉 2 24.31. 24.31. 𝑟𝑒𝑡𝑢𝑟𝑛𝑟𝑒𝑡𝑢𝑟𝑛 𝑉 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 (𝑄) (𝑄) / / ,.2, /1.𝐶.C /Ɲj, = / (1, Lfor Q/2, ) ,,= ƝƝ ⟵ 𝐶./. /.1, 22. 18. 22. 18. 18. C/4,C/4 j⟵ .5C = , 𝛾,1, do 2, ./⟵ .5C .,. ,. 𝛾. /. do .C,/𝛾, do/ / , , / ⟵ƝƝ ƝƝ2 ⟵ ⟵ Ɲ for , C ,⟵ C ← 𝐶/jfor 𝐶⟵ (𝑄) 22. 29. 𝑉 22⟵ 2(𝑄)𝑉 29. 𝐸𝑙𝑠𝑒 / (𝑄) 17. 𝐶𝑉𝑉 ⟵ 3C 𝐶 3C 𝐸𝑙𝑠𝑒 𝐼𝑓 𝛼 = 0 𝑎𝑛𝑑1 𝛽←= 0𝐿1 𝑡ℎ𝑒𝑛 26. 26. (𝑄)𝑉 (𝑄)𝑉 V𝐸𝑙𝑠𝑒 Q 𝑉 (𝑄) (𝑄) ( ) (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 C/2 𝐿 𝐿 (𝑄) (𝑄) (𝑄) /// /, , / // / , // , / /, (𝑄)𝐿 / / , / / , / / , / / , 𝐸𝑙𝑠𝑒 (𝑄) 𝐿1, ,2,Ɲ 𝐿,, 𝛽β,2, 23. 19. 23.20. 19. for j (𝑄) = .. .. .for . . . 1, ,𝛽 Ɲ . .⟵ Ɲ ⟵ Ɲj =⟵ Ɲfor , , , 25.20. 19. jdo = 𝛾𝐸𝑙𝑠𝑒 2,do . . 5C . , 𝛾 do 18. for j = 1,Ɲ2, . . .Ɲ ,Ɲ 𝛾for .1, do 23. 25. 𝐶, 𝐶𝑉 ⟵ 5C 𝐶 30. 30.21. 21. ⟵ .do ⟵ Ɲj =Ɲ1,. Ɲ2,𝑉 ⟵ C,/𝐶⟵ −(𝑄)𝑉 ⟵ P (𝑄)𝑉 C −(𝑄)𝑉 P (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 𝑉 (𝑄) / / (𝑄)𝐿 (𝑄)𝐿 for j = for 1, 2, j = . . . 1, ,//Q 𝛼2, do . //. (𝑄) . (𝑄) ,(𝑄)𝐿 𝛼, do/(𝑄) 𝐿 𝐿 (𝑄) (𝑄) (𝑄) 𝑉 𝑉 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 / , / / , / / , / , 𝐿 𝐿 (𝑄) (𝑄) (𝑄)𝐿 (𝑄)𝐿 𝐿 (𝑄) / , / , / / , / / , / / , / L Q L ( ) ( ) / , / / , / / = 1 𝑡ℎ𝑒𝑛 27. 27.Ɲ ⟵ C/4,C/4 C/2,5C/2 𝐼𝑓 𝑠Ɲ 𝐼𝑓 =/𝑠1, 𝑡ℎ𝑒𝑛 Ɲ Ɲ Ɲ , 5C 1 , Ɲ1 ⟵ ⟵Ɲ Ɲ Ɲ31 ⟵ ⟵ Ɲ , (𝑄) , ,5C 𝐶𝐿𝑉 ⟵ 𝐶 ⟵ 19. ← 𝐿⟵ 1, / / /𝐶 ,5C / ,(𝑄) (𝑄) (𝑄) 𝑉C/2 24. 24.22. 31. 31. /Ɲ /Ɲ 26.22.𝑟𝑒𝑡𝑢𝑟𝑛 (𝑄)𝑉 V Q V,/3C 𝑉((𝑄)𝑉 𝑉(𝑄)𝑉 (𝑄), 𝐶C⟵ (𝑄) C (/Q (𝑄)𝑉 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ Ɲ (𝑄) 24. 26. 𝑉 / (𝑄)𝑉 (𝑄) Ɲ ⟵ Ɲ ⟵ , 𝐶 ⟵ , (𝑄) /𝐿)(𝑄)𝑉 /𝐿)(𝑄)𝑉 20.28. 20.28. 20. 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 (𝑄) (𝑄)C, 𝐶+⟵ Ɲ 𝐶⟵ ⟵ ,𝐶 ⟵ 𝑉Ɲ/3C 𝑉 2P C +2 P C⟵ ←Ɲ3C 𝐶𝑉 ⟵ (𝑄) 𝐶 ⟵ 5C 𝐶𝑉 ⟵/(𝑄) 5C 𝐶 ⟵ 5C 21. 21. 21. for j = for 1, 2, j for = . . . 1, j , = 𝛼 2, do 1, . . 2, . , 𝛼 . . do . , 𝛼do do 23. 23. for j = for 1, 2, j = . . . 1, , 𝛽 2, do . . . , 𝛽 25. 25. 1, ,γ for jj = = for 1, 2, 2,j .= . .. . 1, 𝛾𝐸𝑙𝑠𝑒 2,do. . , 𝛾𝐸𝑙𝑠𝑒 do 25. 27. 29. 27.29. 𝐼𝑓 𝑠 𝐼𝑓 = 𝑠1 𝑡ℎ𝑒𝑛 = 1 𝑡ℎ𝑒𝑛 20. 𝐸𝑙𝑠𝑒 (𝑄) (𝑄) (𝑄) 𝐿 𝐿 𝐿 1 1/(𝑄) 1 / , / / , / / , / (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 (𝑄) (𝑄) 2 (𝑄)𝐿 //(𝑄) ,(𝑄)𝐿 /Ɲ ,,𝐿(𝑄)𝐿 ,/ , (𝑄) /(/C ,/⟵ 𝐿 /Ɲ 𝐿((𝑄)𝐿 Q/)ƝL L,/5C/2, Q/⟵ /Ɲ /Q /(𝑄) // ,,/⟵ , ,)𝐶 (𝑄) ,Ɲ /⟵ 𝐿, ,⟵ 𝐿 Ɲ 𝐶 𝐶 C C/2,5C/2 5C/2 22. 22. 22. 5.L. C/4,C/4 , ,)(𝑄) 21. Ɲ/ ⟵ ⟵ Ɲ Ɲ ⟵ Ɲ𝐿((𝑄) ,2 CPC 2− forƝj =← 1, Ɲ 2, . , 𝛼Ɲ,Ɲ do ⟵ Ɲ ⟵ , , ,P , (𝑄) (𝑄) 𝑉 𝑉 𝑉 2 28. 28. 30. 30. ⟵ Ɲ . ⟵ Ɲ Ɲ . Ɲ , 𝐶 ⟵ C , 𝐶 − ⟵ P ⟵ Ɲ ⟵ Ɲ , 𝐶 ⟵ C , 𝐶 + ⟵ P C + 1 1 / (𝑄) (𝑄)𝑉 (𝑄) 𝑉 2 (𝑄)𝑉 26. 26.24. 24. 𝑉C/2 (𝑄) (𝑄) 26. V Q𝑉 )V/3C/(𝑄)𝑉 (𝑉 )/V(𝑄) (𝑉Q//) (𝑄)𝑉 (𝑄) (𝑄) 𝑉 𝐿 / , / (𝑄) 5C(𝑄)𝑉 /1 ( Q𝑉 23. 23. 23. for 1,𝐶2, jfor =. . .1, j ,𝐶= 𝛽2,⟵ do 1, . . 2, . 3C , 𝛽. . do . , 𝛽 do Ɲ ⟵ Ɲ/ , 𝐶 ⟵ for C←j = 22. / 5C 29.31. 29.31. 𝑟𝑒𝑡𝑢𝑟𝑛 𝐸𝑙𝑠𝑒 𝐶C 5C 𝐶𝐸𝑙𝑠𝑒 ⟵⟵ 5C3C 2⟵ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ Ɲ 𝑉 / (𝑄) (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 𝐿 (𝑄) / , / / , / / / , , / / / // , (𝑄) / (𝑄) for⟵ j 𝐿=for 1, 2, j =. . .1,, 𝛾2,do . . . , 𝛾, ,do 27. I f s25. = 27. 27.25. 𝐼𝑓 ,Ɲ(𝑄)𝐿 , (𝑄) 𝑠i+1 𝐼𝑓 = 1𝑠1then 𝑡ℎ𝑒𝑛 = 1 for 𝑡ℎ𝑒𝑛 Ɲ ⟵ ƝƝ ⟵ Ɲ Ɲ , , 23. j = 1, 2, . . . , 𝛽 do 30. 30. Ɲ ⟵ Ɲ . ⟵ Ɲ Ɲ . Ɲ , 𝐶 ⟵ C , 𝐶 − ⟵ P C −P (𝑄)𝑉 (𝑄)𝑉 (𝑄) (𝑄)𝑉 (𝑄) (𝑄) 𝑉/ (𝑄) 𝑉, / /𝑉(𝑄) 24. 24. 24. (𝑄)𝐿 /, /(𝑄) /(𝑄)𝐿 // , / (𝑄)𝐿 / , / (𝑄) / , / (𝑄) /(𝑄) 𝐿L𝐿C,P (,Q/𝐿 )𝐿(𝑄)𝐿 𝑉 𝑉 , , (𝑄)𝐿 𝐿 (𝑄) / , / Ɲ Ɲ1 ⟵ ⟵/ Ɲ Ɲ,Ɲ1 /⟵ ⟵ ƝƝ 𝐶,, 𝐶 , ← C⟵ ← P 28. 28. 28. 𝐶+ + (𝑄)𝑉 P(𝑄) (𝑄) , 3C 𝐶𝑉C, ⟵ 𝐶⟵ 3C ⟵C3C ⟵ Ɲ/ / (𝑄)𝑉 (𝑄)𝑉 VC+ P(𝑄) (,Q𝑉)𝑉⟵ 𝑉 /(𝑄) / (𝑄)𝑉 31.26. 31.26.𝑟𝑒𝑡𝑢𝑟𝑛Ɲ𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ Ɲ 𝑉 / (𝑄)𝑉 (𝑄) 24. for j =for 1, jfor =. . .1, j5C ,𝐶= 𝛾2,⟵ do 1, . . 2, .5C , 𝛾. . do . , 𝛾 do Else 29. 25. 29. 29. 25. 25. 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝐶2, ⟵ 𝐶 ⟵ 3C (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 (𝑄)𝐿 𝐿 𝐿 𝐿 , / / / , // , / /, (𝑄)𝐿 / (𝑄) / , // , (𝑄) / (𝑄) / 𝐿 , L/ , (𝑄) (/ Q, 𝐿)//,/, (𝑄) 27. 27. 𝐼𝑓 𝑠 𝐼𝑓=𝑠1 𝑡ℎ𝑒𝑛 Ɲ2, Ɲ−Ɲ Ɲ .C,P Ɲ , , , 25. ← .⟵ ,𝐶C⟵ ←C C𝐶− −⟵ for𝑡ℎ𝑒𝑛 j==11,Ɲ .⟵ . . ,Ɲ 𝛾Ɲ1do 30. 30. 30. Ɲ ⟵ Ɲ Ɲ , , P C − P 1⟵ 1⟵ 26. 26. 26. (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 (𝑄)𝑉 VC−𝑉P(𝑄) 𝑉(𝑄)𝑉 (𝑄) (𝑄) (/Q ) , 𝑉(𝑄) 𝐿(𝑄)𝑉 (𝑄) 𝑉 𝑉 /𝐿 ,/ (𝑄) (𝑄) (𝑄) 28. 28. (qk −1)/l / 𝐿 / , // (𝑄)𝐿 / , / (𝑄)𝐿 / ,Ɲ Ɲ ⟵ Ɲ/ ⟵ Ɲ , 𝐶 ⟵ ,C𝐶+⟵ PC+P 31. 𝐶𝑉⟵, 5C 𝐶𝑉⟵𝐶 5C ⟵ 5C ⟵ ƝƝ (𝑄) (𝑄) 31. 31. return 𝑟𝑒𝑡𝑢𝑟𝑛Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ 1 26. 𝑉 / (𝑄)𝑉 (𝑄)𝑉 (𝑄) 27.29. 27.29. 27.𝐼𝑓 𝑠 𝐼𝑓=𝑠1𝐼𝑓𝑡ℎ𝑒𝑛 𝑠= 1 = 𝑡ℎ𝑒𝑛 1 𝑡ℎ𝑒𝑛 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒 𝐶 ⟵ 5C 𝐿 , (𝑄) 𝐿(𝑄) (𝑄) 𝐿𝐿, ,(𝑄) 𝐿, ,(𝑄) 28. 28. 28. Ɲ ⟵ ƝƝ ⟵ ⟵. Ɲ , 𝐶 ⟵, 𝐶,C𝐶⟵ +⟵ , P𝐶,C𝐶C⟵ +PCPC+−PP 30. 30. .ƝƝ Ɲ −⟵ 27. 𝐼𝑓 𝑠 = 1 𝑡ℎ𝑒𝑛 𝑉 (𝑄) 𝑉(𝑄) (𝑄) 𝑉𝑉 (𝑄) 𝑉 (𝑄) (𝑄) /𝐿 , / 29.31. 29.31. 29. 𝑟𝑒𝑡𝑢𝑟𝑛 𝐸𝑙𝑠𝑒 𝐸𝑙𝑠𝑒𝐸𝑙𝑠𝑒 28. Ɲ𝑟𝑒𝑡𝑢𝑟𝑛 ,𝐶 ⟵ C + P Ɲ⟵ ƝƝ 𝑉 (𝑄) 𝐿 , (𝑄) 𝐿 , 𝐿(𝑄) , (𝑄) 30. 30. 30. Ɲ Ɲ ⟵. Ɲ Ɲ . Ɲ , 𝐶 ⟵ ,C𝐶−⟵ , P𝐶 C⟵ − CP − P 29. 𝐸𝑙𝑠𝑒 Ɲ ⟵ ƝƝ .⟵ 𝑉 (𝑄) 𝑉 𝑉(𝑄) (𝑄) (𝑄) 𝐿 , 31. 31. 31. 30. ƝƝ/. ƝƝ / / , 𝐶 ⟵ C − P 𝑟𝑒𝑡𝑢𝑟𝑛Ɲ 𝑟𝑒𝑡𝑢𝑟𝑛 Ɲ⟵ 𝑟𝑒𝑡𝑢𝑟𝑛 𝑉 (𝑄)

Cryptography 2018, 2, 14

8 of 15

3.1.6. Experimental Results To obtain the results of the proposed TP-MBNR-PH, initially we have to apply the formula for computing the Tate pairing of elliptic curves over finite fields. Integers with at least 160 bit size which are represented with bases 1/2, 3, and 5 are used in Miller’s algorithm. Table 2 shows the cost and pre-computed cost for the operations TADD, TSUB, THAL, TTRL, and TQNT in the proposed TP-MBNR-PH. Let TADD, TSUB, THAL, TTRL, and TQNT denote the addition, subtraction, halving, tripling, and quintupling operations, respectively, as shown in Table 2. Figure 1 and Table 3 shows the number of multiplication operation to compute Tate pairing using different methods. Let I, S and M denote the cost of inversion, squaring and multiplication in Fq∗ respectively as shown in  Table 1. Let Ik , Sk and Mk ≈ k1.6 M denote the cost of inversion, squaring, and multiplication in Fq∗k , respectively, as shown in Table 1. Let Mb (≈ kM) denote the cost of multiplication between Fq∗ and Fq∗k . An embedding degree denoted as k, which takes the values of 4, 6, and 8 [27]. In Table 4, we significantly improves the proposed TP-MBNR-PH and show the comparison of the proposed TP-MBNR-PH with an existing algorithm. Cryptography 2018, 2, 14 9 of 15

Figure 1. Comparison of number of multiplication operations based on the embedding degree.

Figure 1. Comparison of number of multiplication operations based on the embedding degree. 3.1.7. Efficiency of the Proposed Algorithm Table 2. Operational costs in the proposed Tate pairing algorithm. The total pre-computed cost of the proposed TP-MBNR-PH is: 𝑇𝑇𝑝𝑝𝑝𝑝𝑝𝑝 =Cost 6𝑀𝑀𝑘𝑘 + 3𝑆𝑆𝑘𝑘 + 𝐼𝐼𝑘𝑘 + 7𝑀𝑀𝑘𝑘/2 + 𝐼𝐼𝑘𝑘/2 Pre-Computed Cost Operation Mk 𝑀𝑀6S= Mb 𝑀𝑀8 =I 27𝑀𝑀,S𝑀𝑀𝑘𝑘 = 𝑘𝑘𝑘𝑘, M 𝐼𝐼 =M10𝑀𝑀, S𝑆𝑆k = 0.8𝑀𝑀, Ik 𝐼𝐼𝑘𝑘M=k/2 k 18𝑀𝑀, k 𝐼𝐼 + 𝑘𝑘 2I𝑀𝑀. By taking 𝑀𝑀4 = 9𝑀𝑀, k/2 TheTADD total cost of the proposed algorithm is: 1 2.5 1 1 3 2 7 1 TSUB 1 1 1 2k+3 𝑛𝑛 2 1 +3.5 𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚 𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇 + 𝑟𝑟-𝑚𝑚𝑚𝑚𝑚𝑚 𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇 THAL 𝑇𝑇𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡 =1𝑏𝑏𝑚𝑚𝑚𝑚𝑚𝑚 𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇 1 4 + 2 (𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇 2 -+ 𝑇𝑇𝑇𝑇𝑇𝑇𝑇𝑇) - + 𝑇𝑇𝑝𝑝𝑝𝑝𝑝𝑝 TTRL 3 1 2 1 4 9 1 + (𝑏𝑏𝑚𝑚𝑚𝑚𝑚𝑚-+ 𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚2+𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚-+ 3) 𝑆𝑆𝑘𝑘-+ TQNT𝑇𝑇𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡𝑡 = (𝑏𝑏 4 𝑚𝑚𝑚𝑚𝑚𝑚 +1 3𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚5+4𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚1 + 𝑛𝑛 +4 6) 𝑀𝑀𝑘𝑘 12 7 5 ( 𝑏𝑏𝑚𝑚𝑚𝑚𝑚𝑚 + 2𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚 +5𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚 + 𝑛𝑛) 𝑀𝑀𝑏𝑏 + (4𝑏𝑏𝑚𝑚𝑚𝑚𝑚𝑚 + 9𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚 +12𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚 + (𝑘𝑘 + 3)𝑛𝑛) 𝑀𝑀 4 of proposed Tate pairing algorithm and existing algorithms. Table 3. Number2of multiplication operations +(𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚 +𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚 + 𝑛𝑛) 𝐼𝐼 + (4𝑡𝑡𝑚𝑚𝑚𝑚𝑚𝑚 +4𝑟𝑟𝑚𝑚𝑚𝑚𝑚𝑚 + 𝑛𝑛)𝑆𝑆 + 𝐼𝐼𝑘𝑘 + 7𝑀𝑀𝑘𝑘/2 + 𝐼𝐼𝑘𝑘/2

Embedding Degree Method 3.2. Applying the Proposed TP-MBNR-PH inka=Decentralized Schemek = 8 4 kKP-ABE =6 The TP-MBNR-PH is applied in a decentralized KP-ABE [12].28,379M The detailed steps are Izu et algorithm al. [28] 12,328M 20,353M Kobayashi et al. [29] 9196M 13,685M 18,121M as follows: Chang’an et al. [27] 8350M 12,554M 17,085M • 𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺𝐺 𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 (𝐺𝐺𝐺𝐺): Take input as a security parameter 𝜆𝜆 and it generates the bilinear group Proposed Algorithm 6978.8M 10,805.8M 1,4642.8M 𝐺𝐺1 𝑎𝑎𝑎𝑎𝑎𝑎 𝐺𝐺2 �𝐺𝐺𝐺𝐺(1𝜆𝜆 ) → {𝐺𝐺1 , 𝐺𝐺2 }� with prime order 𝑃𝑃. Let e: 𝐺𝐺1 × 𝐺𝐺1 → 𝐺𝐺2 be the bilinear map and 𝑔𝑔1 , 𝑔𝑔2 , 𝑔𝑔3 are generators of the group 𝐺𝐺1 . The 𝑁𝑁 number of authorities are denoted as {𝐴𝐴1 , 𝐴𝐴2 , … , 𝐴𝐴𝑁𝑁 }: 𝐴𝐴𝑘𝑘 monitor 𝑛𝑛𝑘𝑘 attributes i.e., 𝐴𝐴̃𝑘𝑘 = �𝑎𝑎𝑘𝑘,1 , … , 𝑎𝑎𝑘𝑘, 𝑛𝑛𝑘𝑘 �, ∀𝑘𝑘. • 𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴𝐴 𝐴𝐴𝐴𝐴𝐴𝐴ℎ𝑜𝑜𝑟𝑟𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖𝑖 𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠𝑠 (𝐴𝐴𝐴𝐴𝐴𝐴): It is executed by each AA to randomly generate the Security parameter (𝑆𝑆𝑆𝑆𝑘𝑘 ) of authority 𝐴𝐴𝑘𝑘 and public parameter (𝑃𝑃𝑃𝑃𝑘𝑘 ) of authority 𝐴𝐴𝑘𝑘 : 𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟𝑟

ℤ𝑝𝑝 �⎯⎯⎯⎯⎯⎯� 𝑆𝑆𝑆𝑆𝑘𝑘 = �ϰk , ϱk , [ҷ𝑘𝑘,1 , … , ҷ𝑘𝑘, 𝑛𝑛𝑘𝑘 ]�, ∀ 𝑘𝑘

Cryptography 2018, 2, 14

9 of 15

Table 4. Efficiency of proposed Tate pairing algorithm with the existing algorithms. Cryptography 2018, 3, x FOR PEER REVIEW

9 of 15

Embedding Degree Method

k=4

k=6

k=8

Izu et al. [28] 43.4% 46.9% 48.4% Kobayashi et al. [29] 24.1% 21% 19.1% Figure 1. Comparison of number of multiplication the embedding degree. Chang’an et al. [27] 16.4% operations 13.9%based on14.3%

3.1.7. Efficiency of the Proposed Figure 1. Comparison of numberAlgorithm of multiplication operations based on the embedding degree. 3.1.7. Efficiency of the Proposed Algorithm The total pre-computed cost of the proposed TP-MBNR-PH is: 3.1.7. Efficiency the Proposedcost Algorithm The totalofpre-computed of the proposed TP-MBNR-PH is: 𝑇 = 6𝑀 + 3𝑆 + 𝐼 + 7𝑀 / + 𝐼 / The total pre-computed cost of the proposed TP-MBNR-PH is: Tpre = 6M + 3Sk + Ik + 7Mk/2 + Ik/2 By taking 𝑀 = 9𝑀, 𝑀 = 18𝑀, 𝑀 k= 27𝑀, 𝑀 = 𝑘𝑀, 𝐼 = 10𝑀, 𝑆 = 0.8𝑀, 𝐼 = 𝐼 + 𝑘 𝑀. 𝑇 = 6𝑀 + 3𝑆 + 𝐼 + 7𝑀 / + 𝐼 / The total M cost=of9M, the M proposed algorithm is: 2 By taking 6 = 18M, M8 = 27M, Mk = kM, I = 10M, S = 0.8M, Ik = I + k M. 4 By taking 𝑀 = 9𝑀, 𝑀 = 18𝑀, 𝑀 = 27𝑀, 𝑀 = 𝑘𝑀, 𝐼 = 10𝑀, 𝑆 = 0.8𝑀, 𝐼 = 𝐼 + 𝑘 𝑀. 𝑛 The total cost of the algorithm is: 𝑇 the = 𝑏proposed 𝑇𝐻𝐴𝐿 +𝑡 𝑇𝑇𝑅𝐿 The total cost of proposed algorithm is: + 𝑟 𝑇𝑄𝑇𝑃 + 2 (𝑇𝐴𝐷𝐷 + 𝑇𝑆𝑈𝐵) + 𝑇 n𝑛 TADD++𝑡 TSUB T 3) 𝑆 + Ttotal = bmax=TH AL ++t3𝑡 + r + 𝑛TQTP max TTRL 2 ((𝑏 6) 𝑀+++ +𝑟 ) + (𝑇𝐴𝐷𝐷 + 𝑇𝑆𝑈𝐵) 𝑇 𝑇 = 𝑏 (𝑏𝑇𝐻𝐴𝐿 + 𝑡 +4𝑟 𝑇𝑇𝑅𝐿 +max 𝑟 +𝑇𝑄𝑇𝑃 ++𝑇pre Ttotal =7 (bmax + 3tmax + 4rmax +5n + 6) Mk + (bmax2+ tmax + rmax + 3) Sk + ( = 𝑏7 (𝑏of+multiplication 2𝑡 + +𝑛)5𝑛𝑀 +𝑀 (4𝑏+ the + 9𝑡+ 𝑡 +12𝑟 + 3)𝑛) +2t3𝑡 +5𝑟 +4𝑟operations +M 6) +𝑟 +(𝑘 3) + +3)n𝑀) M Figure 1. Comparison 𝑇 of number degree. + (4b(𝑏 + 9tmax + 12rmax + (𝑆k + max + 5rmax maxembedding 2 ( 2 bmax 4+ 4 n) based b + on 7 5I + +( r+𝑟 n+)𝑛) 4t(4𝑡 + 4r n)𝑛)𝑆 S+ Ik 𝐼+ 7M I3)𝑛) 𝐼 (+ +4𝑟 + ++ 7𝑀 𝐼/ 𝑀 max ++5𝑟 max + + max max++ k/2 k/2 ( 𝑏 Algorithm +t+(𝑡 2𝑡 𝑛) 𝑀 + (4𝑏 9𝑡+ +12𝑟 (𝑘/+ ++ 3.1.7. Efficiency of the Proposed 2 4 3.2. Applyingcost the +(𝑡 Proposed TP-MBNR-PH in a Decentralized KP-ABE + 𝑛)TP-MBNR-PH 𝐼 + (4𝑡 +4𝑟is: + 𝑛)𝑆 + 𝐼 +Scheme 7𝑀 / + 𝐼 / The total pre-computed of the +𝑟 proposed 3.2. Applying the Proposed TP-MBNR-PH in a Decentralized KP-ABE Scheme The TP-MBNR-PH algorithm KP-ABE [12]. The detailed steps are 𝑇 = 6𝑀 + 3𝑆 +is𝐼 applied + 7𝑀 / in+a𝐼 decentralized The TP-MBNR-PH algorithm is applied in a /decentralized KP-ABE [12]. The detailed steps are follows:the Proposed TP-MBNR-PH in a Decentralized KP-ABE Scheme 3.2.asApplying By taking 𝑀 as=follows: 9𝑀, 𝑀 = 18𝑀, 𝑀 = 27𝑀, 𝑀 = 𝑘𝑀, 𝐼 = 10𝑀, 𝑆 = 0.8𝑀, 𝐼 = 𝐼 + 𝑘 𝑀. Cryptography Cryptography 2018, 3, x FOR 2018,PEER 3, x FOR REVIEW PEER REVIEW 12 of 15 12 of 1 The TP-MBNR-PH is applied in a decentralized The detailed steps group are The total cost the proposed as a security parameterKP-ABE λ and it[12]. generates the bilinear • of Global setup (algorithm GSalgorithm ) : Takeis:input    𝐺𝑙𝑜𝑏𝑎𝑙 𝑠𝑒𝑡𝑢𝑝 (𝐺𝑆): Take input as a security parameter 𝜆 and it generates the bilinear group as follows: G1 and G2 𝐒𝐞𝐭𝐮𝐩: GS 1λCryptography →{𝐺 G2 } with prime order Let eto : G𝑎𝑡𝑘, × 𝑠𝑖𝑚 G → chooses G be theϰbilinear { G1 ,To 𝑛public 2018, 3,P. x𝑎𝑡𝑘, FOR 1REVIEW 2018, 3,public xCryptography FOR REVIEW 𝐒𝐞𝐭𝐮𝐩: provide awith aPEER key 𝑃𝐾 key to 𝑃𝐾 𝑠𝑖𝑚 randomly ∈ ℤ ϰmap and ∈ℤ noteand ϰ note = ϰ12 = } provide 𝐺𝑏 𝑎𝑛𝑑𝑇𝐻𝐴𝐿 𝐺Cryptography 𝐺𝑆(1 )To → ,+𝐺 prime order 𝑃. LetPEER e: 𝐺 1 →randomly 𝐺 2be thechooses bilinear map 2018, 3,Cryptography x𝑟 FOR PEER 2018, REVIEW 3, (𝑇𝐴𝐷𝐷 x FOR PEER REVIEW 12 of 15 𝑇 = + 𝑡 are 𝑇𝑇𝑅𝐿 𝑇𝑄𝑇𝑃 + + 𝑇𝑆𝑈𝐵) +𝐺 𝑇 × of and g , g , g generators of the group G . The N number authorities are denoted aspublic 3 ItTake 1ϰ +2(𝐺𝑆): 1𝑔) 2  𝐺𝑙𝑜𝑏𝑎𝑙 𝑠𝑒𝑡𝑢𝑝 input as a security parameter 𝜆 and it generates the bilinear group 𝑎𝑏. ϰ + calculates 𝑎𝑏. It calculates 𝑒(𝑔, 𝑔) 𝑒(𝑔, as: 𝑔) 𝑒(𝑔, as: 𝑒(𝑔, = 𝑒(𝑔, 𝑔) 𝑔) = 𝑒(𝑔, . 𝑒(𝑔, 𝑔) 𝑔) . 𝑒(𝑔, . Finally, 𝑔) . Finally, 𝑠𝑖𝑚 sends 𝑠𝑖𝑚 sends key public ke authorities are denoted as and 𝑔 , 𝑔 , 𝑔 are generators of the group 𝐺 . The 𝑁 number of ek provide 𝐒𝐞𝐭𝐮𝐩: To a public key 𝑃𝐾 to 𝑎𝑡𝑘, 𝑠𝑖𝑚 randomly chooses ϰ A , A , . . . , A : A monitor n attributes i.e., A = a , . . . , a , ∀ k. { } 𝐒𝐞𝐭𝐮𝐩: To provide a public key 𝑃𝐾 to 𝑎𝑡𝑘, 𝑠𝑖𝑚 randomly chooses ϰ ∈ ℤ and note ϰ 2 N 1 k k k,1 k, n )𝐒𝐞𝐭𝐮𝐩: →𝐴{𝐺monitor ,To 𝐺+ }𝑛provide prime Let ×𝑠𝑖𝑚 →k , to 𝐺 𝑎𝑡𝑘, be the 𝑃𝐾to 𝑎𝑡𝑘. 𝑇 𝐺=𝑎𝑛𝑑 (𝑏 + +4𝑟 +with 6) (𝑏 + 𝑡 𝑃. + {𝐴 ,𝐺𝐴𝑃𝐾to ,𝐺𝑆(1 …3𝑡, 𝐴𝑎𝑡𝑘. }: 𝑛 𝑀attributes i.e., 𝐴 =public … , 𝑆𝑎𝐺 𝑃𝐾 ∀𝑘. 𝐒𝐞𝐭𝐮𝐩: a+public To order provide key 𝑃𝐾 a+𝑟 to𝑎e:𝑎𝑡𝑘, key chooses 𝑠𝑖𝑚bilinear randomly ϰ map ∈ ℤchooses and note ϰ ∈ ϰ ℤ= and ,𝐺, 3) ,+randomly ϰ + 𝑎𝑏. It calculates 𝑒(𝑔, 𝑔) as: 𝑒(𝑔, 𝑔) = 𝑒(𝑔, 𝑔) . 𝑒(𝑔, 𝑔) . Finally, 𝑠 ∗ ∗ • andAttribute Authorities setup AAs : It is executed by each AA to randomly generate the Security ( ) ϰ𝟏:𝐏𝐡𝐚𝐬𝐞 + 𝑎𝑏. It this calculates as: 𝑒(𝑔, 𝑔) = attribute 𝑒(𝑔, 𝑔) .𝒜 𝑒(𝑔, 𝑔)denoted .the Finally, 𝑠𝑖𝑚𝒲 sends During phase, this 𝑎𝑡𝑘 phase, 𝑎𝑡𝑘 submits an an set 𝒲 ∈set 𝒲 such ∈. 𝑒(𝑔, 𝒜 that such 𝒲assends that 𝒜 , public to ∉𝑠𝑖𝑚. 𝒜 key ,public to 𝑠𝑖𝑚 𝑔 , 𝑔 , ϰ𝑔𝐏𝐡𝐚𝐬𝐞 are of the 𝐺 𝑔) .submits The 𝑁𝑔) number of authorities (𝐴𝐴𝑠): 𝐴𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒 𝐴𝑢𝑡ℎ𝑜𝑟𝑖𝑡𝑖𝑒𝑠 𝑠𝑒𝑡𝑢𝑝 It is𝑒(𝑔, executed by each AA𝑒(𝑔, to randomly generate Security + 𝑎𝑏.generators calculates ϰ𝟏: + 𝑎𝑏. 𝑒(𝑔, Itgroup 𝑔) calculates as: 𝑒(𝑔, 𝑒(𝑔, 𝑔) =attribute 𝑒(𝑔, as: 𝑔) 𝑔) . 𝑒(𝑔, =𝑔) 𝑒(𝑔, . are 𝑔) Finally, 𝑠𝑖𝑚 𝑔) .∉Finally, 𝑠𝑖𝑚 sends 7  5ItDuring 𝑃𝐾to 𝑎𝑡𝑘. ( ) ( , ) ( SK ) of authority A and public parameter PK of authority A : ( ) 𝑃𝐾to 𝑎𝑡𝑘. ( 𝑏 {𝐴 parameter + 2𝑡 +5𝑟 + 𝑛) 𝑀 + (4𝑏 + 9𝑡 +12𝑟 + (𝑘 + 3)𝑛) 𝑀 k k k k , , parameter 𝐴 , … , 𝐴 𝑃𝐾to }: (𝑆𝐾 𝐴 𝑎𝑡𝑘. monitor 𝑛 attributes 𝐴 = 𝑎 , , … , 𝑎(𝑃𝐾 )4 of authority 𝐴 andi.e., public parameter ), ∀𝑘. of authority 𝐴 : , 𝑃𝐾to 𝑎𝑡𝑘. 2 ∗ ,𝑔 𝒲 , 𝒜. such Simulator Simulator 𝑠𝑖𝑚chooses 𝑠𝑖𝑚chooses 𝑟 ∈ 𝑟 ∈ ℤ . It can ℤ be . It obtained can be obtained as follows: as follows: 𝐷𝐾 = 𝐷𝐾 𝑔 𝑔 = 𝑔 𝑔 𝑔 𝐏𝐡𝐚𝐬𝐞 𝟏: During this phase, 𝑎𝑡𝑘 submits an attribute set ∈ t 𝐏𝐡𝐚𝐬𝐞 𝟏: During this phase, 𝑎𝑡𝑘 submits an attribute set 𝒲 ∈ 𝒜 such that 𝒲 ∉ 𝒜 , to , , , , (𝐴𝐴𝑠):  𝐴𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒 𝐴𝑢𝑡ℎ𝑜𝑟𝑖𝑡𝑖𝑒𝑠 𝑠𝑒𝑡𝑢𝑝 It isphase, executed by each AA to randomly Security 𝐼𝑎𝑡𝑘+  phase,  setgenerate 𝐏𝐡𝐚𝐬𝐞 𝟏: During 𝐏𝐡𝐚𝐬𝐞 this 𝟏: During this submits an 𝑎𝑡𝑘 attribute submits an 𝒲 attribute ∈ 𝒜 the such setthat 𝒲 𝒲 ∈ 𝒜∉ such 𝒜 ∗ , tothat 𝑠𝑖𝑚. 𝒲 ∉ randomly +(𝑡 +𝑟 + 𝑛) 𝐼 each + (4𝑡 +4𝑟 + 𝑛)𝑆 + 7𝑀 + 𝐼 (secret ) / / For each For attribute attribute in 𝒲 , 𝑠𝑖𝑚 in 𝒲 has , 𝑠𝑖𝑚 to choose has to ҷ choose ∈ ҷ ∈ ℤ . It computes ℤ . It computes the rest of the the rest secret of the key ke ⎯⎯⎯⎯⎯⎯ 𝑆𝐾 = parameter ϰk, ϱρk,,[ҷ k,1 … Zℤp 𝐴 →andSK . .,.ҷ, ), k,,of ∀k ( ) ( , , ,,(𝑃𝐾 n] , ∀, 𝑘 k = parameter (𝑆𝐾 ) of authority public Simulator 𝑠𝑖𝑚chooses ∈k authority ℤ .𝐴It :as canfollows: be obtained Simulator 𝑠𝑖𝑚chooses 𝑟, ∈ ℤ .𝑟 It, can be obtained 𝐷𝐾 , as = ,follows: 𝑔 𝑔 , ,𝐷𝐾𝑔, , , Simulator 𝑠𝑖𝑚chooses Simulator ℤ𝑟 ., It ∈ be obtained ℤ . It can as follows: be obtained 𝐷𝐾as =follows: 𝑔 𝑔 𝐷𝐾 ,𝑔 = 𝑔 . 𝑔  can ( ) 𝑟 , 𝑠𝑖𝑚chooses (∈ ) , , For each attribute 𝒲 , 𝑠𝑖𝑚 ∈ , ℤ .rest It computes the ҷ ,ҷ ,ҷhas For each attribute inKP-ABE 𝒲ϰk, , 𝑠𝑖𝑚 hasρ, k… toin choose ∈ to choose ℤҷ ,. ҷItk,, computes the of the secret nk ҷ, , ] , ∀ ℤ ⎯⎯⎯⎯⎯⎯ 𝑆𝐾 = ϱ , [ҷ , ҷ 𝑘 k,1 ,, Ҷ 3.2. Applying the Proposed PK TP-MBNR-PH in a Decentralized Scheme , , , 𝑃𝐾 = Y = e (𝑔 , 𝑔 ) , Z = 𝑔 , [Ҷ = 𝑔 , … = 𝑔 ] , ∀ 𝑘 For each attribute For in each 𝒲 , attribute 𝑠𝑖𝑚 has in to 𝒲 choose , 𝑠𝑖𝑚 ҷ has ∈ to choose ℤ ҷ . It ∈ computes ℤ the . It rest computes of to the𝑎𝑡𝑘. secret thetorest key of th as follows: as follows: 𝐷𝐾 = 𝐷𝐾 𝑔 = , 𝑔 𝐷𝐾 = , 𝐷𝐾 𝑔 = 𝑔 . Finally, . Finally, 𝑠𝑖𝑚 sends 𝑠𝑖𝑚 the sends 𝑆𝐾 the 𝑆𝐾 𝑎𝑡𝑘. , , , ∀ k , = g1 , . . . , k,, n = g1 , g1 , k = Yk = eTP,−MBNR−,PH ( g1 , g1,) , Zk = k,1 k, , ( ) ) , , 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The The attacker 𝑎𝑡𝑘( submits 𝑎𝑡𝑘 submits two equal two length equal messages length messages m ,, and m m and along m with along a with ҷ, , are The TP-MBNR-PH algorithm is applied inas aattacker decentralized KP-ABE detailed steps ( minimum ) ( ) [12]. ,, ҷThe ҷ ҷ Each A specifies m the number of attributes required to satisfy the access , ,= as , ,𝐷𝐾 𝑔𝑔{0,1} . Finally, ∗ the 𝑆𝐾𝑠𝑖𝑚 ∗ to send 𝑃𝐾Achallenge = Y =challenge eaccess (𝑔 𝑔 )∗ .follows: Z, = 𝑔∗, . 𝐷𝐾 , [Ҷ =𝑔𝑔 , required Ҷ bit = , access ∀{0,1} 𝑘computes as 𝐷𝐾,structure = 𝑔,number .] and Finally, 𝑠𝑖𝑚 computes sends , ,= Each specifies mkfollows: as structure the minimum of attributes satisfy structure ҷ, … ҷ the , , toɦ ,𝒜 , k access 𝑠𝑖𝑚randomly 𝒜 𝑠𝑖𝑚randomly generates generates a ∈ a bit ɦ ∈ and 𝐶𝑇 as C 𝐶𝑇 = as𝑎𝑡𝑘. C , , , , follows: 𝐷𝐾 ,as=Cryptography follows: 𝑔 ,𝐷𝐾 𝐷𝐾 =x𝑔FOR 𝑔 PEER , 𝐷𝐾 . Finally, 𝑠𝑖𝑚 sends . Finally, the 𝑆𝐾 𝑠𝑖𝑚tosends 𝑎𝑡𝑘. the 𝑆𝐾= as follows: , ,= , =𝑔 structureas (m < n ). 2018, 3, REVIEW 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The attacker 𝑎𝑡𝑘 submits two equal length messages m 𝑎𝑡𝑘 submits two equal length messages m and m along wia (mk < nɦ k )∏. ∈ ɦ ∏ ∈ 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The attacker ∗ ∗ 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: attacker 𝑎𝑡𝑘 The submits attacker two equal submits length messages length m access and messages m along m with and ∗m a a . (𝐾𝐺): Finally, . the Finally, 𝑠𝑖𝑚minimum sends 𝑠𝑖𝑚thesends 𝐶𝑇 the to 𝑎𝑡𝑘. 𝐶𝑇 to𝑎𝑡𝑘 Each𝐾𝑒𝑦 A 𝐺𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛 specifies m asThe number of attributes satisfy ∗bilinear attribute set of𝒜 user is𝑎𝑡𝑘. 𝐴the :required 𝐴 ∩e 𝐴two =to 𝐴equal , ∀ 𝑘ɦgenerates .∈the 𝐴 generates ∗the k  𝐺𝑙𝑜𝑏𝑎𝑙 𝑠𝑒𝑡𝑢𝑝•(𝐺𝑆): Take input as a security parameter 𝜆 and it generates group challenge access structure 𝒜 . 𝑠𝑖𝑚randomly a bit ɦ ∈ {0,1} and coC e e e challenge access structure . 𝑠𝑖𝑚randomly generates a bit {0,1} and computes 𝐶𝑇 as Key Generation attribute set (KGaccess ) : The ∗ of the user is∗ A u : A u ∩ A k = A u , ∀ k. A k generates ∗ challenge challenge structure access 𝒜Phase .∈To 𝑠𝑖𝑚randomly structure 𝒜 .generates 𝑠𝑖𝑚randomly a𝑃𝐾 bitto generates ɦ∈ {0,1} and aFor bitcomputes ɦ ∈ {0,1} 𝐶𝑇 and as computes 𝐒𝐞𝐭𝐮𝐩: provide a 𝑥public key 𝑎𝑡𝑘, 𝑠𝑖𝑚 randomly chooses ϰC ∈=ℤ 𝐶 a structure nℤ ).𝟐:and 𝐏𝐡𝐚𝐬𝐞 Same 𝟐: as Same Phase as 1. 1. ∏for ∈ ,(m polynomial 𝑞 each node (including the leaves) 𝕋. each node ∏ {𝐺 }< ɦ ∈ 𝐺 𝑎𝑛𝑑 𝐺 𝐺𝑆(1 )r 𝑟→, ∈ 𝐺 𝐏𝐡𝐚𝐬𝐞 with prime order 𝑃. Let e: 𝐺 × 𝐺 → 𝐺 be the bilinear map ∗ ɦ ∗ polynomial q x for each x𝐶𝑇 (including the . For each node x, ∏Z∈p and ∏ . node Finally, 𝑠𝑖𝑚 sends theleaves) 𝐶𝑇 toT𝑎𝑡𝑘. k,u randomly . Finally, 𝑠𝑖𝑚 sends the to 𝑎𝑡𝑘. ∈ ɦ ɦ ∗ ∗ (𝐾𝐺): The attribute is1 𝐴 : 𝐴ɦas: 𝐴to = 𝐴If, ,simulator ∀ . ɦ𝐴,𝑔) generates ϰ 𝐺𝑠𝑖𝑚 + 𝑎𝑏..set It𝑞𝑁 of calculates 𝑒(𝑔, = 𝑒(𝑔, . 𝑒(𝑔, 𝑔)𝑠𝑖𝑚 . Finally, 𝐆𝐮𝐞𝐬𝐬: The 𝐆𝐮𝐞𝐬𝐬: attacker The 𝑎𝑡𝑘 outputs 𝑎𝑡𝑘 outputs a=user guess aɦ𝑔) guess of .∩ If ɦare of ɦ= ɦ𝑔) .ɦthe ɦ 𝑘= simulator 𝑠𝑖𝑚 guesses guesses that 𝑇 =𝑠𝑖𝑚 that sen 𝑇= 𝑥,𝐺𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛 the degree 𝑑 the of the polynomial is the 𝑑 𝑠𝑖𝑚 𝑘of − where 𝑘𝑒(𝑔, is threshold value of that Finally, the sends 𝑎𝑡𝑘. the 𝑎𝑡𝑘. and 𝑔 , 𝑔 , 𝑔𝐾𝑒𝑦 are of group .attacker The number authorities denoted as the generators degree d x of the. polynomial q xsends isFinally, d𝐏𝐡𝐚𝐬𝐞 = k𝐶𝑇 − 1to where k x 𝐶𝑇 is the threshold value of that node. x Phase x 𝟐: as element Phase 1.element 𝐏𝐡𝐚𝐬𝐞 𝟐: Same as 1.Same 𝑟 ∈ ℤ and polynomial 𝑞 for each node 𝑥 (including the leaves) 𝕋. For each node 𝑒(𝑔, 𝑔) 𝑒(𝑔, . Otherwise, 𝑔) . Otherwise, 𝑇 is a random 𝑇 is a random target group target group in 𝐺 . in 𝐺 . 𝑃𝐾to 𝑎𝑡𝑘. , {𝐴 , 𝐴 , … , 𝐴 }: 𝐴Formonitor attributes 𝐴 (Phase 𝑎 1. , … , For 𝑎as, Phase , ∀𝑘. 𝐏𝐡𝐚𝐬𝐞 𝟐: Same as 𝐏𝐡𝐚𝐬𝐞 𝟐: 1. node x, q x (0) = q ,Same the root𝑛node root, seti.e., qroot 0= = r𝐆𝐮𝐞𝐬𝐬: any other . ɦ guesses )attacker (ofindex ( x )) k,u . 𝑎𝑡𝑘 The attacker outputs aan guess ɦthat . If ɦ 𝑠𝑖𝑚 , simulator 𝐆𝐮𝐞𝐬𝐬: The outputs a guess ɦthe of. threshold ɦ𝑔) . If ɦ.parent = ɦ (,ɦx)simulator that 𝑥, the degree 𝑑 of the polynomial 𝑞 is 𝑑 = 𝑘 − 1 where 𝑘𝑎𝑡𝑘 is.a= 𝐏𝐡𝐚𝐬𝐞 𝟏: During this phase, 𝑎𝑡𝑘 attribute set ∈=𝒜 𝒲𝑠 The advantage The advantage of the attacker of the attacker is 𝜀, when is 𝜀, 𝑇 outputs when = 𝑒(𝑔, 𝑇 𝑒(𝑔, The attacker of thesuch attacker is𝑠𝑖𝑚that , = is 𝐆𝐮𝐞𝐬𝐬: The attacker 𝐆𝐮𝐞𝐬𝐬: 𝑎𝑡𝑘 The outputs attacker a guess 𝑎𝑡𝑘 ɦgenerate of ɦ𝑔) Ifsubmits guess ɦ The = ɦɦadvantage , of simulator ɦvalue . Ifadvantage ɦ of =𝑠𝑖𝑚 ɦthe ,𝒲 guesses simulator that 𝑇 guess  𝐴𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒 𝐴𝑢𝑡ℎ𝑜𝑟𝑖𝑡𝑖𝑒𝑠 𝑠𝑒𝑡𝑢𝑝 (𝐴𝐴𝑠): It for is executed by each AA to as randomly the Security Now decryption key the user u is generates follows: 𝑒(𝑔, 𝑔) 𝑇 isgroup a random target 𝑒(𝑔, 𝑔) . Otherwise, 𝑇 is.aOtherwise, random target element ingroup 𝐺 . element in 𝐺 . when when is aand 𝑇 public is𝑒(𝑔, a random target element group inagroup 𝐺 . Finally, in 𝐺: . Finally, the advantage advantage ofinthe𝐺 simulator in this in thi 𝑒(𝑔,𝑇𝑔) . random Otherwise, 𝑔) 𝑇 is . group Otherwise, atarget random 𝑇ofiselement random element in group 𝐺 . the element . of the simulator parameter (𝑆𝐾 ) of authority 𝐴 parameter (𝑃𝐾 )target authority 𝐴target Simulator of 𝑠𝑖𝑚chooses 𝑟 , isof ∈𝜀,the ℤ . qIt𝑒(𝑔, be obtained as follows: 𝐷𝐾advantage The attacker iscan 𝑇 =advantage 𝑒(𝑔, 𝑔) .ofThe , =𝑔 theadvantage attacker when 𝑇= . The the attacker (0𝜀, ) 𝑔)when ak,j securityThe security game isThe game . advantage isThe advantage ofρk.the advantage attacker of is 𝜀, the when attacker 𝑇 = is 𝑒(𝑔, 𝜀, 𝑔) when . The 𝑇 = 𝑒(𝑔, advantage 𝑔) . The of the advantage attacker of is the , a rk,u 1 each attribute 𝑠𝑖𝑚 hasj in togroup choose ℤ . It computes the restof of (ρFinally, u)ҷk,j, ∈the r random +uwhen +u target element in advantage 𝐺 .eFinally, the advantage ρ,k… +utarget ℤ ⎯⎯⎯⎯⎯⎯ when 𝑆𝐾 =𝑇−is ϰFor , [ҷ , ҷ𝑇 , is1]ain , random ∀𝒲 𝑘 r,k,uelement k+ group 𝐺 . of the simulator in k k ,aϱk,u , DK = DK g1when g2 𝑇 , DKk,u = g2 group = g3 the ∀ ak,j ∈ Aof when 𝑇 k,u is a=random target isg3a group random element target in , DK 𝐺 . k,u element Finally, in 𝐺advantage ., Finally, the advantage simulatorofinthe this simu u the , security game is( . ) security game is Results . , 3.2.3. Experimental 3.2.3. Experimental Results security game issecurity . game is .ҷ , ҷ , ҷ , , follows: . Finally, 𝑠𝑖𝑚 sends the 𝑆 𝑃𝐾 = Y = e (𝑔 , 𝑔 ) , Z as =𝑔 , [Ҷ , 𝐷𝐾 = 𝑔 , =, …𝑔, Ҷ , , =𝐷𝐾 𝑔 , =] 𝑔, ∀ 𝑘 In this section, In this section, we show we theshow totalthe computation total computation cost of encryption cost of encryption and decryption and decryption for the MAfor the MA 3.2.3. Experimental Results 3.2.3. Experimental Results 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The attacker 𝑎𝑡𝑘 submits two equal length messages m and m 3.2.3. Experimental Results Experimental Results Each A specifies mABE. as the minimum number of attributes required to satisfy the access The ABE. proposed The 3.2.3. proposed Tate pairing Tate pairing algorithm algorithm is discussed is discussed in detail in in detail Section in Section 3. The proposed 3. The propose challenge access structure 𝒜 ∗ .show 𝑠𝑖𝑚randomly generates a bit ɦ of ∈ {0,1} and compute In this section, we the total computation cost encryption andthe deM In this section, we show the total computation cost of encryption and decryption for structure (m < n ). decentralized decentralized is isthe constructed with thewith help of the help proposed of the proposed TP-MBNR-PH and compared compare ∈ In thisKP-ABE section,KP-ABE In∏constructed this show section, total we computation show thethe total cost computation costand of TP-MBNR-PH encryption decryption and forand the decryption MAɦwe ∗ of encryption . Finally, 𝑠𝑖𝑚 sends the 𝐶𝑇 to 𝑎𝑡𝑘. ABE. The proposed Tate pairing algorithm is discussed in detail in Secti ABE. The proposed Tate pairing algorithm is discussed in detail in Section 3. The propo  𝐾𝑒𝑦 𝐺𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛 (𝐾𝐺): with The attribute setABE. ofanusing the user is 𝐴pairing :algorithm 𝐴Tate ∩𝐴 = is 𝐴 ,discussed ∀algorithm 𝑘In. this 𝐴 experiment, generates MA-ABE with using existing an existing Tate algorithm. pairing algorithm. Inisthis experiment, used we an3.used Intel an Intel i3- Core i3 ABE. The MA-ABE proposed The Tate proposed pairing Tate pairing in detail discussed inweSection in detail The in Core Section proposed 3. Th decentralized KP-ABE isand constructed theushelp ofusthe proposed TP-MBN 𝐏𝐡𝐚𝐬𝐞 𝟐:isSame as Phase 1. decentralized KP-ABE constructed with the help of8with the proposed TP-MBNR-PH and compa 𝑟, ∈ ℤ and polynomial 𝑞 for each node 𝑥 (including the leaves) 𝕋. For each node 3217U CPU 3217U processor CPU processor (Intel, China) (Intel, with China) 1.80 with GHz 1.80 GHz 8 GB and RAM. GB Let RAM. assume Let assume the number the number of o decentralized KP-ABE decentralized is constructed KP-ABE with is constructed the help ofwith the the proposed help ofTP-MBNR-PH the proposed and TP-MBNR-PH compared and with MA-ABE using an existing Tate pairing algorithm. In this experiment, we 𝐆𝐮𝐞𝐬𝐬: The attacker 𝑎𝑡𝑘 outputs a guess ɦ of ɦ . If ɦ = ɦ , simulator 𝑠𝑖𝑚 gu with MA-ABE using an existing Tate pairing algorithm. In this experiment, we used an Intel Cor attribute authorities, and 𝑁1 =say, 2,Tate and attribute n algorithm. varies from varies 10this from to 50. to 50. 𝑥, the degree 𝑑 of the polynomial 𝑞 authorities, is 𝑑𝑁 == − where 𝑘say, is attribute the threshold of 10 that with attribute MA-ABE using with MA-ABE an𝑘2,existing using an pairing existing Taten pairing Invalue algorithm. experiment, In this we experiment, used an Intelwe Core used i3-an In CPU processor (Intel, China) with 1.80 GHz and 8. the GB RAM. Letnumbe us as 𝑒(𝑔, 𝑔)3217U . Otherwise, 𝑇 encryption iswith atotal random target group element in 𝐺us 3217U CPU processor (Intel, China) 1.80 GHz and 8 GB RAM. Let assume the Figure 2 Figure depicts 2 the depicts comparison the comparison of total of encryption cost of MA-ABE cost of MA-ABE for the proposed for proposed scheme schem 3217U CPU processor 3217U CPU (Intel,processor China) with (Intel, 1.80 China) GHz and with81.80 GB GHz RAM.and Let 8us GB assume RAM. the Let number us assume of the attribute authorities, 𝑁 = encryption 2, and say, attribute nincreases varies to with 50. to attribute 𝑁of=proposed 2, and attribute nisvaries from 50. The advantage the attacker 𝜀, when 𝑇10 = to 𝑒(𝑔, 𝑔) from . with The10advantage of the and [12,13]. and The [12,13]. timeauthorities, The complexity time complexity ofofsay, proposed encryption algorithm algorithm increases linearly linearly respect respect t

3.2. Applying the Proposed TP-MBNR-PH in a Decentralized KP-ABE Scheme The TP-MBNR-PH algorithm is applied in a decentralized KP-ABE [12]. The detailed steps are as follows: 𝐺𝑙𝑜𝑏𝑎𝑙 𝑠𝑒𝑡𝑢𝑝 (𝐺𝑆): Take input as a security parameter 𝜆 and it generates the bilinear group 10 of 15 } with prime order 𝑃. Let e: 𝐺 × 𝐺 → 𝐺 be the bilinear 12 of 15 map and 𝑔 , 𝑔 , 𝑔 are generators of the group 𝐺 . The 𝑁 number of authorities are denoted as k , ∀ k, i.e. A e e e∀𝑘. em = ϰ = A A • Encryption E set forkey the𝑛𝑃𝐾 message is A {𝐴(To , 𝐴) provide ,:…Attribute , 𝐴 }: a𝐴 public monitor attributes i.e., 𝐴 𝑎em, ,∩… , 𝑎k ,= ,ϰ 𝐒𝐞𝐭𝐮𝐩: to 𝑎𝑡𝑘,m𝑠𝑖𝑚 randomly chooses m =: A m ∈ ℤ and note n o e1m+,.𝑎𝑏. e eN𝐴𝑢𝑡ℎ𝑜𝑟𝑖𝑡𝑖𝑒𝑠 (𝐴𝐴𝑠): 𝐴𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒 𝑠𝑒𝑡𝑢𝑝 is𝑒(𝑔, executed by each randomly generate the key Security ϰA Itkmcalculates as:of𝑒(𝑔, 𝑔) It=m 𝑔) . 𝑒(𝑔, 𝑔) AA . sFinally, 𝑠𝑖𝑚 public ..,A ,...,A . 𝑒(𝑔, Data𝑔) owner message randomly chooses ∈to Zp sends , and output randomly Figure 1. Comparison of numbermof multiplication operations based on the embedding degree. parameter (𝑆𝐾 ) of authority 𝐴 and public parameter (𝑃𝐾 ) of authority 𝐴 : 𝑃𝐾to 𝑎𝑡𝑘. the ciphertext as follows: 𝐏𝐡𝐚𝐬𝐞 𝟏: During this phase, 𝑎𝑡𝑘 submits an attribute set 𝒲 ∈ 𝒜 such that 𝒲 ∉ 𝒜 ∗ , to 𝑠𝑖𝑚.   3.1.7. Efficiency of the Proposed Algorithm ℤ ⎯⎯⎯⎯⎯⎯ 𝑆𝐾 = ϰk s, ϱ , [ҷ , , … ( ) s , ҷ , ] , ∀ 𝑘ρk s ,    C1 = m. ∏ eTP−MBNR−PH (g1 , g1 ) , C2 = g1 , C3 = ∏ g1 ,  , Simulator 𝑠𝑖𝑚chooses 𝑟 ∈ ℤ . It can be obtained as follows: 𝐷𝐾 = 𝑔 𝑔 𝑔 . k ∈ IC , , k∈IC TP-MBNR-PH The total pre-computedCcost of the proposed is: n o = ҷ , ҷ , s   For each attribute . It computes 𝑃𝐾 =𝒲 Y , =𝑠𝑖𝑚 e has to choose (𝑔=, 𝑔ҷ ), ∈, Z = 𝑔 ,ℤ[Ҷ 𝑔 , … , the Ҷ , rest = of 𝑔 the]secret , ∀ 𝑘 key  in  Ck,j , = k,j e jm 𝑇 = 6𝑀 + 3𝑆 + 𝐼 + 7𝑀 / + 𝐼 /∀k∈IC ,ak,j ∈A , ( ) , Each A specifies m as the minimum number of attributes required to satisfy the access ҷ , 𝑆 = 0.8𝑀, 𝐼 = 𝐼 + 𝑘 𝑀. By taking 𝑀where = 9𝑀, 𝑀 = 18𝑀, 𝑀 = 27𝑀, 𝑀 = 𝑘𝑀, 𝐼 = 10𝑀, , as follows: 𝐷𝐾 = 𝑔 , 𝐷𝐾 = 𝑔 . Finally, 𝑠𝑖𝑚 sends the 𝑆𝐾 to 𝑎𝑡𝑘. IC denotes the index set of the authorities. , , structure (m < n ). The total cost of the proposed The algorithm is: 𝑎𝑡𝑘 submits two equal length messages m and m along with a 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: attacker • Decryption D : In order to decrypt C, the user u, computes X, Y, isand ( )  𝐾𝑒𝑦 𝐺𝑒𝑛𝑒𝑟𝑎𝑡𝑖𝑜𝑛 (𝐾𝐺): The attribute set of the user 𝐴 S: k𝐴as∩follows: 𝐴 = 𝐴 , ∀ 𝑘 . 𝐴 generates ∗ ∗ 𝑛 challenge access structure 𝒜 . 𝑠𝑖𝑚randomly generates a bit ɦ ∈ {0,1} and computes 𝐶𝑇For as each C =node 𝑟 ∈ ℤ and polynomial 𝑞 for each node 𝑥 (including the leaves) 𝕋. 𝑇 =𝑏 𝑇𝐻𝐴𝐿 +𝑡 𝑇𝑇𝑅𝐿 + 𝑟 𝑇𝑄𝑇𝑃 + (𝑇𝐴𝐷𝐷 + 𝑇𝑆𝑈𝐵)∆+ 𝑇 (0) ,  ∏ j 2 ∈ ɦ e ∗ j a , A m 𝑥,. Finally, the degree 𝑑sends of the 𝑘 is the threshold value of that 𝑠𝑖𝑚S thepolynomial 𝐶𝑇 to 𝑎𝑡𝑘.𝑞 is 𝑑 = 𝑘 − 1 k,jwhere k = ∏ eTP−MBNR−PH Ck,j , DKk,u 𝑇 = (𝑏 + 3𝑡 +4𝑟 + 𝑛 + 6) 𝑀 + (𝑏 + 𝑡 +𝑟 + 3) 𝑆 + k e 𝐏𝐡𝐚𝐬𝐞 𝟐: Same as Phase a1. k,j ∈ Am   7 5 𝐆𝐮𝐞𝐬𝐬: The attacker 𝑎𝑡𝑘 Youtputs a guess ɦ of C ɦ . ,IfDKɦ1= ɦ , simulator 𝑠𝑖𝑚 guesses that 𝑇 = = e 3 −MBNR −PH ( 𝑏 + 2𝑡 +5𝑟 + 𝑛) 𝑀 + (4𝑏 ∏ +TP9𝑡 +12𝑟 + (𝑘 k,u + 3)𝑛) 𝑀 2 𝑒(𝑔, 𝑔) . Otherwise,4 𝑇 is a random target group element in 𝐺 . k ∈ IC ∆ The (0) advantage when 𝑒(𝑔,/ 𝑔) +(𝑡The+𝑟 + 𝑛) 𝐼of+ the (4𝑡 attacker +4𝑟 is +𝜀,𝑛)𝑆 + 𝐼 𝑇+=7𝑀 + e j advantage of the attacker is , j 𝐼 /.ak,j ,A m Sk = ∏ eTP−MBNR−PH Ck,j , DKk,u when 𝑇 is a random target agroup ek element in 𝐺 . Finally, the advantage of the simulator in this k,j ∈ Am security game is . 3.2. Applying the Proposed TP-MBNR-PH in a Decentralized KP-ABE Scheme 

Cryptography 2018, 2, 14 𝑎𝑛𝑑3,𝐺x FOR 𝐺𝑆(1 ) REVIEW → {𝐺 , 𝐺 Cryptography𝐺2018, PEER

The user then decrypts the message m as follows: The TP-MBNR-PH algorithm is applied in a decentralized KP-ABE [12]. The detailed steps are 3.2.3. Experimental Results as follows: Cryptography Cryptography 2018, 3, x FOR 2018,PEER 3, x FOR REVIEW PEER REVIEW Cryptography Cryptography 2018, 3,Cx1 X FOR 2018,PEER 3, x FOR REVIEW PEER REVIEW 12 of 15 12 of 15 In this section, we show the totalmcomputation cost of encryption and decryption for the MA=  𝐺𝑙𝑜𝑏𝑎𝑙 𝑠𝑒𝑡𝑢𝑝 (𝐺𝑆): Take input as a security parameter Y𝜆∏ and it generates the bilinear group k ABE. The proposed Tate pairing algorithm isSdiscussed in detail in Section 3. The proposed 𝐒𝐞𝐭𝐮𝐩: provide awith public akey public 𝑃𝐾𝐒𝐞𝐭𝐮𝐩: key to𝑃.𝑎𝑡𝑘, 𝑃𝐾 To 𝐒𝐞𝐭𝐮𝐩: to 𝑠𝑖𝑚 provide To a→ public randomly akey public 𝑃𝐾 ϰbilinear key ∈toℤ 𝑎𝑡𝑘, 𝑃𝐾 ϰand ∈to 𝑠𝑖𝑚 ℤ note 𝑎𝑡𝑘, randomly and ϰ𝑠𝑖𝑚 note = randomly ϰ chooses = chooses ϰ ∈ℤ ke: ∈𝑎𝑡𝑘, IC randomly 𝐺 𝑎𝑛𝑑 𝐺 𝐒𝐞𝐭𝐮𝐩: 𝐺𝑆(1 )To → {𝐺 , 𝐺To} provide prime order Let 𝐺 × 𝑠𝑖𝑚 𝐺provide 𝐺chooses be thechooses map decentralized KP-ABE is constructed with the help of the proposed TP-MBNR-PH and compared ϰ ,+ +calculates 𝑎𝑏. It calculates 𝑒(𝑔,of𝑔)the𝑒(𝑔, as: 𝑔) 𝑒(𝑔, ϰ 𝐺 +𝑔) as: 𝑎𝑏. 𝑒(𝑔, ϰ= It 𝑒(𝑔, +calculates 𝑔)𝑎𝑏. 𝑔)= It 𝑒(𝑔, calculates . 𝑒(𝑔, 𝑒(𝑔, 𝑔)𝑔) 𝑔). 𝑒(𝑔, . 𝑒(𝑔, Finally, as: 𝑔) 𝑒(𝑔, . Finally, 𝑠𝑖𝑚 𝑔) as: 𝑒(𝑔, sends = 𝑒(𝑔, 𝑠𝑖𝑚 𝑔)as public 𝑔) sends = 𝑒(𝑔, . 𝑒(𝑔, key public 𝑔)𝑔) . 𝑒(𝑔, .key Finally, 𝑔) . Finally 𝑠𝑖𝑚 s and 𝑔 𝑔 𝑎𝑏. , 𝑔ϰ Itare generators group . The 𝑁 number of authorities are denoted 𝑔) with MA-ABE using an existing Tate pairing algorithm. In this we used an Intel Core i3ek =experiment, The N monitor number of𝑛AAs are denoted as A1 𝑎 , A2𝑎𝑡𝑘. ,… . . ,.𝑎, A N },. ∀𝑘. Let A ak,1 , . . . , ak, nk be the attribute {= 𝑃𝐾to 𝑎𝑡𝑘. 𝑃𝐾to 𝑎𝑡𝑘. 𝑃𝐾to {𝐴 , 𝐴𝑃𝐾to , … , 𝐴𝑎𝑡𝑘. }: 𝐴 attributes i.e., 𝐴 , , 3217U CPU processor (Intel, China) with ,1.80 GHz and 8 GB RAM. Let us assume the number of set𝐏𝐡𝐚𝐬𝐞 managed by𝑠𝑒𝑡𝑢𝑝 Attribute Authority (AA), which is denoted as A The global setup algorithm 𝟏:𝐏𝐡𝐚𝐬𝐞 During 𝟏: this During phase, this 𝑎𝑡𝑘 phase, submits 𝐏𝐡𝐚𝐬𝐞 𝑎𝑡𝑘 submits an 𝟏:𝐏𝐡𝐚𝐬𝐞 attribute During an 𝟏: attribute this During set phase, 𝒲k . ∈ this set 𝒜 𝑎𝑡𝑘 phase, 𝒲 such submits ∈𝒜 that 𝑎𝑡𝑘 such 𝒲 submits anthat ∉attribute 𝒜 ∗𝒲 , an totakes ∉𝑠𝑖𝑚. attribute 𝒜 set∗the ,𝒲 to 𝑠𝑖𝑚. ∈set 𝒜𝒲 such ∈𝒜 thatsuc 𝒲 (𝐴𝐴𝑠):  𝐴𝑡𝑡𝑟𝑖𝑏𝑢𝑡𝑒 𝐴𝑢𝑡ℎ𝑜𝑟𝑖𝑡𝑖𝑒𝑠 It is executed by each AA to randomly generate attribute authorities, 𝑁 = 2, and say, attribute n varies from 10 to 50. the Security ( ) ( , AAs ) security as input for generating bilinear(𝑃𝐾 group order G1 and𝐴G2:. Each AA execute the , parameter (𝑆𝐾 )parameter of authority 𝐴 and public parameter ) of authority Figure𝑠𝑖𝑚chooses 2 depicts of encryption MA-ABE the proposed scheme , can , as. follows: Simulator Simulator 𝑠𝑖𝑚chooses 𝑟 , generate ∈ the 𝑟 ,comparison ∈Simulator ℤpublic . It can Simulator ℤ 𝑠𝑖𝑚chooses be .total Itand obtained can 𝑠𝑖𝑚chooses becorresponding obtained 𝑟as, follows: ∈cost𝑟asof 𝐷𝐾 ∈secret ℤ , . It =keys. can 𝐷𝐾 𝑔 for ℤ ,be 𝑔 .The It =obtained 𝑔public-secret 𝑔be 𝑔 obtained 𝑔 as. follows: 𝐷𝐾 , = 𝐷𝐾 𝑔 , follows: algorithm to randomly the keys the       and [12,13]. The time complexity of proposed encryption algorithm increases linearly with respect to Forkey each For attribute each 𝒲 , as 𝑠𝑖𝑚 in{SK 𝒲 has , 𝑠𝑖𝑚 to For choose each ҷchoose attribute each ∈. .,.ҷ, ҷ,attribute in ∈𝒲 ℤ ,∀ . 𝑠𝑖𝑚 Itk, incomputes 𝒲 has ℤk ,.=𝑠𝑖𝑚 It tocomputes choose the has rest to ҷchoose of the the ҷk,of the ℤkey . Itk}computes . It computes the rest ℤgiven ⎯⎯⎯⎯⎯⎯ 𝑆𝐾 = ϰhas ,,[ҷFor pair for Ak attribute isin ρkto PK Y . .rest . , secret , secret ∀ . ℤkey , ,∈ , n∈ , , ,,… k, ϱ k , Zk , k = k,1 k,, n]k , ∀, 𝑘 k,1 k the attributes. Figure 2 clearly shows the significant improvement of the proposed encryption e , , , , The key-generation algorithm issues the , decryption keys to( user u with a set, of attributes, Au . ( ) ( ) , ( ) ) , ҷ , algorithm when compared with the existing schemes [12,13]. Figure 3 depicts the comparison of the ҷ , ҷ ҷwhich ҷmessage ҷ which The output of the algorithm is a decryption key permits the user to decrypt a , , , , , , , , 𝑃𝐾 = Y = e (𝑔 , 𝑔 ) , Z = 𝑔 , [Ҷ = 𝑔 , … , Ҷ = 𝑔 ] , ∀ 𝑘 as follows: as follows: 𝐷𝐾 , = 𝐷𝐾 𝑔 , =, 𝑔𝐷𝐾 , =, as 𝐷𝐾 𝑔 follows: = as 𝑔 follows: 𝐷𝐾 , = 𝐷𝐾 𝑔 . , Finally, =, , 𝑔𝐷𝐾. ,Finally, 𝑠𝑖𝑚 =, 𝐷𝐾 𝑔sends =the 𝑔sends 𝑆𝐾 to the𝑎𝑡𝑘. 𝑆𝐾 .toFinally, 𝑎𝑡𝑘. . Finally, 𝑠𝑖𝑚 sends 𝑠𝑖𝑚thes , 𝑠𝑖𝑚 total decryption cost of MA-ABEe, kfor the, proposed scheme and [12,13]. The time complexity of the A𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: is 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: encrypted under a set of attributes is based on the threshold policy, which relays onathe u which 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: The attacker The attacker 𝑎𝑡𝑘 submits 𝑎𝑡𝑘 submits two equal 𝐂𝐡𝐚𝐥𝐥𝐞𝐧𝐠𝐞: two The length equal attacker The messages length attacker 𝑎𝑡𝑘 messages submits m 𝑎𝑡𝑘 and submits two m m and equal along two m length with equal along messages length with a messages m and m m proposed algorithm increases linearly with respect to the the attributes. Each Atree-based specifies m decryption as the minimum number of attributes required to satisfy access ∗ Figure ∗3 clearly ∗ ∗ ∗ ∗ access structure. challenge challenge access access structure 𝒜 improvement . 𝑠𝑖𝑚randomly 𝒜challenge . 𝑠𝑖𝑚randomly challenge generates access structure generates access a bitdecryption structure ɦ𝒜 ∈a {0,1} bit . 𝑠𝑖𝑚randomly ɦ algorithm and 𝒜 ∈ {0,1} . computes 𝑠𝑖𝑚randomly and generates computes 𝐶𝑇 generates asa Cbit 𝐶𝑇=ɦwith as ∈a {0,1} Cbit =ɦ and ∈ {0,1} compu and shows thestructure significant proposed when compared the structure∏ (mIn

Suggest Documents

Efficient hardware for the Tate pairing calculation in characteristic three

Efficient hardware for the Tate pairing calculation in characteristic three
Read more
An Efficient Message-Passing Algorithm for Optimizing Decentralized ...

An Efficient Message-Passing Algorithm for Optimizing Decentralized ...
Read more
Computing Tate Pairing on Smartcards

Computing Tate Pairing on Smartcards
Read more
Efficient Tate Pairing Computation Using Double-Base Chains

Efficient Tate Pairing Computation Using Double-Base Chains
Read more
A Decentralized and Efficient Algorithm for Load ... - Semantic Scholar

A Decentralized and Efficient Algorithm for Load ... - Semantic Scholar
Read more
An Efficient Key Point Quantization Algorithm for Large Scale Image ...

An Efficient Key Point Quantization Algorithm for Large Scale Image ...
Read more
Faster computation of the Tate pairing

Faster computation of the Tate pairing
Read more
Implementing the Tate pairing - Semantic Scholar

Implementing the Tate pairing - Semantic Scholar
Read more
An Efficient Algorithm for Automatic Peak Detection in Noisy ... - MDPI

An Efficient Algorithm for Automatic Peak Detection in Noisy ... - MDPI
Read more
An Efficient Algorithm for Direction Finding against Unknown ... - MDPI

An Efficient Algorithm for Direction Finding against Unknown ... - MDPI
Read more
An Efficient Grid-Based K-Prototypes Algorithm for Sustainable ... - MDPI

An Efficient Grid-Based K-Prototypes Algorithm for Sustainable ... - MDPI
Read more
A Decentralized Trading Algorithm for an Electricity Market with ...

A Decentralized Trading Algorithm for an Electricity Market with ...
Read more
Prediction-Learning Algorithm for Efficient Energy ... - MDPI

Prediction-Learning Algorithm for Efficient Energy ... - MDPI
Read more
A Polynomial Algorithm for Decentralized Markov ... - CiteSeerX

A Polynomial Algorithm for Decentralized Markov ... - CiteSeerX
Read more
A decentralized load balancing algorithm for

A decentralized load balancing algorithm for
Read more
A Decentralized Voting Algorithm for Increasing ... - CiteSeerX

A Decentralized Voting Algorithm for Increasing ... - CiteSeerX
Read more
A decentralized convergence detection algorithm for ... - CiteSeerX

A decentralized convergence detection algorithm for ... - CiteSeerX
Read more
An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI

An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI
Read more
An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI

An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI
Read more
An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI

An Efficient Algorithm Embedded in an Ultrasonic Visualization ... - MDPI
Read more
Tate pairing implementation for hyperelliptic curves y2 = xp − x + d

Tate pairing implementation for hyperelliptic curves y2 = xp − x + d
Read more
Tate pairing computation on the divisors of hyperelliptic curves for ...

Tate pairing computation on the divisors of hyperelliptic curves for ...
Read more
Decentralized Replica Exchange Parallel Tempering: An Efficient ...

Decentralized Replica Exchange Parallel Tempering: An Efficient ...
Read more
Shrinkwrap: An efficient adaptive algorithm for ... - CiteSeerX

Shrinkwrap: An efficient adaptive algorithm for ... - CiteSeerX
Read more