
Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

Billy Bob Brumley

Helsinki University of Technology Laboratory for Theoretical Computer Science

[email protected]

Abstract

Self-certified keys provide an attractive alternative to traditional certificate-based public key infrastructures. Many self-certified key issuing protocols strive to blind trusted third parties to users’ private keys. One such key issuing protocol is based on the Nyberg-Rueppel signature scheme, but requires a proof of knowledge to avoid impersonation attacks. This paper describes a version of this protocol that uses elliptic curves and eliminates the impersonation attacks and the proof of knowledge.

KEYWORDS: elliptic curve cryptography, identity-based cryptography, self-certified keys, key issuing protocols

1 Introduction

In traditional certificate-based public key infrastructures, a user’s public key is authenticated by means of a trusted third party’s (TTP¹) explicit signature on the public key. Self-certified keys [6] are an efficient alternative in which the user’s public key is extracted using the identity of the user and TTP’s signature on this identity. E-mail addresses and IP addresses are two good examples of identities. Self-certified keys are related to identity-based cryptography [16].

Unfortunately, many self-certified schemes suffer from the key escrow problem, meaning that TTP gains access to the user’s private key as well. Avoiding this problem is a desirable property of self-certified key issuing protocols [15].

Related Work. Ateniese et al. [1] presented a self-certified, identity-based (SCID) scheme which uses multiplicative groups and is based on the Nyberg-Rueppel signature scheme [14]. While a solution was presented to the key escrow problem by blinding TTP to the user’s private key, this solution is susceptible to impersonation attacks and requires a proof of knowledge to be used securely.

Contributions. The blind key issuing protocol using elliptic curve groups is presented, which does not require a proof of knowledge and is not susceptible to impersonation attacks. Eliminating the proof of knowledge is shown to reduce the complexity of the key issuing protocol.

This work was supported in part by the project “Packet Level Authentication” funded by TEKES. Thanks to Prof. Kaisa Nyberg for suggestions and comments. Additionally, the author gratefully acknowledges those involved in the PLA project. Additional thanks goes to Tuomas Kivinen for useful comments.

¹ The trusted third party will henceforth be referred to as the entity TTP.

Applications. Self-certified keys and identity-based schemes are well-suited for dynamic networks, where efficient and compact authentication is needed (for example, [4]). Elliptic curves also provide small key and signature sizes, which can be an advantageous feature in dynamic networks.

2 Background

Authentication is an important facet of computer security. Digital signatures are a common way of providing such authentication on networks. This section contains a brief review of digital signatures, self-certified keys, and trust. These concepts are helpful in fully understanding the contributions of this paper.

2.1 The Nyberg-Rueppel Signature Scheme

The Nyberg-Rueppel signature scheme is a variation of the ElGamal scheme [5] and is similarly based on the Discrete Log Problem: given a generator $g$ of large prime order and an element $g^k$, finding $k$ is infeasible.

The Nyberg-Rueppel scheme is one of the few schemes present in many popular standards [9]. A version using multiplicative groups is outlined below; $H$ is a collision-resistant hash function.

Setup. Primes $r, q$ such that $r \mid (q - 1)$ are chosen, as well as a generator $g$ of order $r$.

Keygen. Alice generates a private key $s$ and public key $w$ by computing

$$w = g^s \pmod q, \quad \text{where } s \in \mathbb{Z}_r. \qquad (1)$$

Sign. To generate a signature $(c, d)$ on a message $m$, Alice calculates

$$c = H(m)\, g^k \pmod q, \quad \text{where } k \in_R \mathbb{Z}_r,$$
$$d = -k - sc \pmod r. \qquad (2)$$

Verify. To verify the signature $(c, d)$ on the message $m$, Bob checks that

$$H(m) = c\, g^d\, w^c \pmod q. \qquad (3)$$


This computation is consistent:

$$c\, g^d\, w^c = H(m)\, g^k\, g^{-k-sc}\, g^{sc} = H(m)\, g^{k-k-sc+sc} = H(m).$$

The main operation for signing and verifying is modular exponentiation, which can be computed very efficiently using the Square-and-Multiply Method [11].

If two messages have the same hash value, existential forgery is possible. The signature of the former message can be attached to the latter message, which the user may not have signed. But since the hash values are the same, the signature will still verify. This is the reason $H$ must be collision-resistant.

Certificates provide a method for verifying public keys. Certificates are generated by TTP by signing the user’s public key. This is a common type of Public Key Infrastructure (PKI). While this does provide a method for verifying the included public key, it requires the certificate to be transmitted with signed messages, causing excess storage and computation requirements.

2.2 Self-Certified Keys

Self-certified keys are an efficient alternative to certificate-based PKI. Instead of verifying public keys using an explicit signature on a user’s public key, the public key is extracted directly from TTP’s signature on the user’s identity. This reduces the storage and computational requirements.

While the extracted public key cannot be explicitly verified, resulting signatures will not verify unless the extracted key is authentic. If the message signature fails to verify, it is unknown whether the user’s signature on the message is invalid or the extracted public key is invalid (or both).

2.3 Trust

The concept of a trusted third party can be fairly vague when discussing self-certified keys. To better define the notion of trust, Girault [6] introduced three distinct trust levels.

Trust Level 1. TTP knows the user’s private key and can therefore impersonate the user without being detected.

Trust Level 2. TTP does not know the user’s private key, but can still impersonate the user without being detected.

Trust Level 3. TTP does not know the user’s private key, but can impersonate the user. However, such impersonation can be detected.

Detected means that if TTP tries to impersonate a user, the user can prove it; for example, by providing two different signatures from TTP on the same identity.

Trust Level 1 is inadequate for many reasons, one being that it usually requires a secure key escrow. Reaching Trust Level 3 is generally the goal; consider the following scenario. An Internet Service Provider (ISP, the user’s TTP) charges based on bandwidth usage. Each packet is digitally signed by the user, providing assurance that the ISP is billing in an honest manner. If the ISP can impersonate the user in an undetectable manner, the ISP can generate false traffic from the user to increase the charges. Trust Levels 1 and 2 are therefore inadequate. This is just one example of why Trust Level 3 is desirable.

3 A Nyberg-Rueppel SCID Scheme

A SCID scheme based on the Nyberg-Rueppel signature scheme was presented in [1], where the focus is on provable security. As such, exponentiation of separate generators to the power of the hash values from $H$ takes place. No such exponentiation is present here, as the focus is on efficiency and practicality. While it was noted that elliptic curve groups provide an efficient setting, all of the notation therein is for multiplicative groups. The scheme is presented below. Let $k^{(i)}$ be random integers in $\mathbb{Z}_r$.

Setup. Primes $r, q$ such that $r \mid (q - 1)$ are chosen, as well as a generator $g$ of order $r$. TTP generates a private key $s_T$ and public key $w_T$ using (1).

Keygen. To generate a key pair on user Alice’s identity $ID_A$, TTP calculates

$$r_A = g^k\, H(ID_A) \pmod q,$$
$$s_A = -k - s_T r_A \pmod r \qquad (4)$$

and escrows $(r_A, s_A)$ to Alice.

Extract. To extract Alice’s public key $w_A = g^{s_A}$ on identity $ID_A$ given public value $r_A$, Bob calculates

$$w_A = \frac{H(ID_A)}{w_T^{r_A}\, r_A} \pmod q. \qquad (5)$$

The key issuing protocol Keygen only reaches Trust Level 1. Note that $(r_A, s_A)$ is simply a Nyberg-Rueppel signature by TTP on the message $ID_A$. Alice’s private key is $s_A$, while $r_A$ is used by other users to reconstruct Alice’s public key as shown in Extract. The public key is correct:

$$\frac{H(ID_A)}{w_T^{r_A}\, r_A} = \frac{H(ID_A)}{g^{s_T r_A}\, g^k\, H(ID_A)} = \frac{1}{g^{-k - s_A + k}} = g^{s_A}.$$

As with Nyberg-Rueppel signatures, existential forgery is still possible. In this case, if two users have identities that hash to the same value, they can impersonate the other user.
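The Nyberg-Rueppel signing and verification of (1)-(3) together with the Trust Level 1 SCID Keygen and Extract of (4)-(5), as an added Python example that is not part of the paper. It assumes toy parameters $q = 1019$, $r = 509$ and a toy hash $H$ mapping into $\mathbb{Z}_q^*$, so it demonstrates the algebra rather than a secure parameter set.

```python
import hashlib, secrets

# Assumed toy parameters (not from the paper): q = 1019, r = 509 with r | q - 1.
Q, Rr = 1019, 509
g = pow(2, (Q - 1) // Rr, Q)  # 2^((q-1)/r) = 4 has order r

def H(m):  # toy hash into Z_q^*; at this size collisions are easy to find
    return int.from_bytes(hashlib.sha256(m.encode()).digest(), "big") % (Q - 1) + 1

def keygen():  # (1): private key s, public key w = g^s (mod q)
    s = secrets.randbelow(Rr - 1) + 1
    return s, pow(g, s, Q)

def sign(s, m):  # (2): c = H(m) g^k (mod q), d = -k - s c (mod r)
    k = secrets.randbelow(Rr - 1) + 1
    c = H(m) * pow(g, k, Q) % Q
    return c, (-k - s * c) % Rr

def verify(w, m, sig):  # (3): H(m) == c g^d w^c (mod q)
    c, d = sig
    return H(m) == c * pow(g, d, Q) * pow(w, c, Q) % Q

def scid_keygen(sT, identity):  # (4): TTP's Nyberg-Rueppel signature on ID_A is the key pair
    k = secrets.randbelow(Rr - 1) + 1
    rA = pow(g, k, Q) * H(identity) % Q
    return rA, (-k - sT * rA) % Rr  # TTP knows sA: Trust Level 1 (key escrow)

def extract(wT, identity, rA):  # (5): wA = H(ID_A) / (wT^rA * rA) (mod q)
    return H(identity) * pow(pow(wT, rA, Q) * rA % Q, -1, Q) % Q

def demo(identity="alice@example.org", msg="packet 42"):
    sT, wT = keygen()                    # TTP's key pair; wT is public
    rA, sA = scid_keygen(sT, identity)   # escrowed to Alice
    wA = extract(wT, identity, rA)       # Bob rebuilds wA from ID_A and rA alone
    return wA == pow(g, sA, Q) and verify(wA, msg, sign(sA, msg))
```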

3.1 A More Secure Key Issuing Protocol

A key issuing protocol that reaches Trust Level 3 was also presented in [1] and appears below.

Keygen. The following protocol is used to generate a key pair on user Alice’s identity $ID_A$.

TTP $\longleftarrow$ Alice: $g^{k_A} \pmod q$
Alice $\longleftarrow$ TTP: $CHAL$
TTP $\longleftarrow$ Alice: $SIG_{k_A}(CHAL)$
TTP: $VER_{g^{k_A}}(SIG_{k_A}(CHAL))$
Alice $\longleftarrow$ TTP: $r_A = g^{k_A} g^{k_T} H(ID_A) \pmod q$, $\; s_A = -k_T - x_T r_A \pmod r$ $\qquad (6)$


Alice’s private key is $\bar{s}_A = s_A - k_A \pmod r$. The public key $g^{\bar{s}_A}$ extracts correctly:

$$\frac{H(ID_A)}{g^{x_T r_A}\, g^{k_A}\, g^{k_T}\, H(ID_A)} = \frac{1}{g^{-k_T - s_A + s_A - \bar{s}_A + k_T}} = g^{\bar{s}_A}.$$

The first few steps of the protocol involve a proof of knowledge by Alice. This is done to prevent impersonation attacks as described below. TTP issues a challenge message $CHAL$. Alice then signs this message using key $k_A$ and TTP verifies this signature using key $g^{k_A}$.

3.2 Impersonation Attacks

The threat of an impersonation attack was noted in [1]. However, it is not immediately clear how the attack is carried out, as different generators are used in exponentiation to the power of the hashes. As mentioned, no such exponentiation takes place here; for this case, the attack is outlined below.

Consider a malicious user Malice attempting to obtain a valid signature from TTP on Alice’s identity using (6) where no proof of knowledge is performed. Malice (identity $ID_M$) needs to choose some difference $d$ such that

$$d\, g^{k_A} g^{k_T} H(ID_M) = g^{k_A} g^{k_T} H(ID_A), \quad \text{i.e.} \quad d = \frac{H(ID_A)}{H(ID_M)}. \qquad (7)$$

That is, Malice can choose parameters in the following manner.

TTP $\longleftarrow$ Malice: $g^{k_A} \dfrac{H(ID_A)}{H(ID_M)} \pmod q$
Malice $\longleftarrow$ TTP:
$$r_A = g^{k_A} \frac{H(ID_A)}{H(ID_M)}\, g^{k_T} H(ID_M) \pmod q = g^{k_A} g^{k_T} H(ID_A),$$
$$s_A = -k_T - x_T r_A \pmod r. \qquad (8)$$

Malice now has a valid signature from TTP on Alice’s identity and can freely impersonate Alice. To use this protocol securely, the user must prove knowledge of the discrete log of $g^{k_A}$ to the base $g$ (given $g^{k_A}$, the user proves that $k_A$ is known) as shown in (6).

4 Using Elliptic Curves

Elliptic curves are defined by their Weierstrass equation:

$$y^2 = x^3 + ax + b. \qquad (9)$$

Taken over $\mathbb{R}$, these curves have the interesting property that given two points $P, Q$ such that $P \neq Q$, the line between them intersects the curve at exactly one other point. The reflection of this point across the $x$-axis, $R$, is also on the curve. This operation is called point addition, denoted $P + Q = R$. If $P = Q$, the line tangent to the curve at $P$ is used. In this case, the operation is called point doubling, denoted $2P = R$. Algebraically, these points form an abelian group. In cryptography [13, 12], these curves are defined over a finite field $\mathbb{F}_q$, where $q = p$ (a prime finite field) or $q = 2^m$ (a binary finite field²) [9]. That is, all $x, y \in \mathbb{F}_q$.

² The elliptic curve and point addition equations are slightly different when using binary fields.

[Figure 1: Elliptic curve $y^2 = x^3 - x$ over $\mathbb{R}$. The plot (axes from $-2$ to $2$) marks the points $P$, $Q$, the third intersection $-R$ and its reflection $R = P + Q$.]

Point addition and doubling. The sum of two points $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ is calculated as follows.

$$x_3 = \lambda^2 - x_1 - x_2,$$
$$y_3 = \lambda(x_1 - x_3) - y_1, \quad \text{where} \qquad (10)$$
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q \\[1ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \end{cases}$$

Note that $\lambda$ is the slope. This calculation is largely dominated by the cost of the single field inversion present.

Scalar multiplication, denoted $kP$, is the elliptic curve analogue of exponentiation. It is used to compute $k$ multiples of a point.

$$kP = \underbrace{P + P + \cdots + P}_{k \text{ times}}$$

This can be carried out efficiently by combining point additions and doublings using the Double-and-Add Method (Alg. 1), which is analogous to the square-and-multiply method for exponentiation. As with exponentiation, there are much more efficient methods [7].

Algorithm 1: Scalar multiplication, Double-and-Add.

Input: integer $k$, point $P \in E(\mathbb{F}_q)$
Output: $kP$

    Q ← ∞                          /* identity element */
    while k > 0 do
        if k is odd then Q ← Q + P   /* k & 1 */
        k ← ⌊k/2⌋                    /* right shift by one */
        P ← 2P                       /* point doubling */
    end
    return Q

Digital signatures using elliptic curves. Most digital signature schemes that use multiplicative groups (including ElGamal variations) can also use elliptic curve groups. Table 1 from [9] outlines the analogous operations and settings. In practice, an elliptic curve $E$ is used with a base point generator $G$ of prime order $r$. It is very difficult to solve the Elliptic Curve Discrete Log Problem: given the generator $G$ of large prime order and some other point $kG$, finding $k$ is infeasible.

                     Multiplicative Groups      Elliptic Curve Groups
Setting              F_q                        curve E over F_q
Basic operation      multiplication in F_q      addition of points
Main operation       exponentiation             scalar multiplication
Base element         generator g                base point G
Base element order   prime r                    prime r
Private key          s (integer mod r)          s (integer mod r)
Public key           w (element of F_q)         W (point on E)

Table 1: Elliptic curve and multiplicative group analogues.

Elliptic curves are often used when small public keys and signatures are needed. Table 2 from [10] shows key sizes giving an equivalent level of security; elliptic curve cryptography (ECC) requires far fewer bits.

Symmetric   ECC   DSA/RSA
80          163   1024
112         233   2048
128         283   3072
192         409   7680
256         571   15360

Table 2: Comparable key sizes (in bits).

Point compression. Public keys (or any point on $E$, a group element) are made up of $(x, y)$ coordinates, but the $y$-coordinate can be compressed; given an $x$-coordinate, there are either two or zero solutions to (9). Therefore, it suffices to store $x$ and a compression bit $b$ (which determines which solution to take). This point compression is accomplished using the function COMPRESS.

Point decompression. DECOMPRESS yields a point $P$ given $x$ and compression bit $b$. The complexity depends on the underlying field. In the prime case, this involves computing a square root in a prime field, not a trivial operation. In the binary case, a quadratic equation is solved. This depends on the representation of the binary field elements. When using a normal basis representation, this is accomplished very quickly and involves only a few field multiplications and some bit rotations.

For more on the basics of ECC, see [8].

4.1 An Elliptic Curve SCID Scheme

The SCID scheme (Sec. 3) as well as the blind key issuing protocol (6) can be modified to use elliptic curve groups. The analogous steps are presented below, with minor modifications³. The proof of knowledge is not performed.

Setup. Elliptic curve $E$ is chosen with base point generator $G$ of prime order $r$ where $r \mid \#E$. TTP generates a domain private key $s_T \in_R \mathbb{Z}_r$ and domain public key $W_T = s_T G$. TTP then publishes $W_T$.

³ Some signs have been changed. This does not affect the principles. Also, the point $k_A G$ can be compressed if needed.

Keygen. The following protocol (elliptic curve analogue of (6)) is used to generate a key pair on user Alice’s identity $ID_A$. It reaches Trust Level 3.

TTP $\longleftarrow$ Alice: $k_A G$
TTP: $(\bar{r}_A, b_A) = \text{COMPRESS}(k_A G + k_T G)$, $\; r_A = \bar{r}_A + H(ID_A)$, $\; s_A = k_T - r_A s_T \pmod r$
Alice $\longleftarrow$ TTP: $(r_A, b_A, s_A)$ $\qquad (11)$

Alice’s private key is $\bar{s}_A = k_A + s_A \pmod r$.

Extract. To extract Alice’s public key $W_A = \bar{s}_A G$ on identity $ID_A$ given public values $(r_A, b_A)$, Bob calculates

$$W_A = \text{DECOMPRESS}(r_A - H(ID_A), b_A) - r_A W_T. \qquad (12)$$

The extracted public key is correct ($W_A = \bar{s}_A G$):

$$W_A = \text{DECOMPRESS}(r_A - H(ID_A), b_A) - r_A W_T$$
$$= \text{DECOMPRESS}(\bar{r}_A + H(ID_A) - H(ID_A), b_A) - r_A W_T$$
$$= k_A G + k_T G - r_A s_T G = (k_A + k_T - r_A s_T) G$$
$$= (k_A + s_A) G = \bar{s}_A G.$$

4.2 Attempting Impersonation Attacks

Consider Malice attempting to obtain a valid signature from TTP on Alice’s identity using (11). Malice must send an element of the group; more specifically, a point in the main subgroup (a multiple of the point $G$). TTP can and should verify this. As in (7), Malice needs to choose some difference $d$ such that

$$[(k_A + d)G + k_T G]_x + H(ID_M) = [k_A G + k_T G]_x + H(ID_A). \qquad (13)$$

This seems to be very unlikely, as Malice does not know TTP’s random value $k_T$.
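The elliptic curve protocol (11) and extraction (12), built on the point arithmetic of (10), the Double-and-Add method of Alg. 1, COMPRESS/DECOMPRESS and the main-subgroup check TTP should perform (Sec. 4.2), as an added Python example that is not from the paper. It assumes the secp256k1 curve (prime order, cofactor 1, $p \equiv 3 \pmod 4$ so decompression is a single exponentiation) and SHA-256 as $H$.

```python
import hashlib, secrets

# Assumed curve (not from the paper): secp256k1, y^2 = x^3 + 7 over F_P; G has prime order R, cofactor 1.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
R = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity, the group identity

def add(p1, p2):  # affine point addition / doubling, equation (10)
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P)
    if p1 == p2:  # tangent slope for doubling, chord slope otherwise
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):  # scalar multiplication kP by Double-and-Add, Alg. 1
    q = INF
    while k > 0:
        if k & 1:
            q = add(q, pt)
        k >>= 1
        pt = add(pt, pt)
    return q

def compress(pt):  # COMPRESS: the x-coordinate and the parity of y as bit b
    return pt[0], pt[1] & 1

def decompress(x, b):  # DECOMPRESS: P = 3 (mod 4), so the square root is one exponentiation
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("no point with this x-coordinate")
    return x, (y if y & 1 == b else P - y)

def in_main_subgroup(pt):  # the check TTP should run on Alice's kA*G (Sec. 4.2)
    on_curve = pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0
    return on_curve and mul(R, pt) is INF

def H(identity):  # SHA-256 of the identity string, as an integer
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")

def keygen(kA_G, identity, sT):  # TTP's side of (11); rA is the plain integer x + H(ID_A)
    if not in_main_subgroup(kA_G):
        raise ValueError("rejecting a point outside the main subgroup")
    kT = secrets.randbelow(R - 1) + 1
    rbar, bA = compress(add(kA_G, mul(kT, G)))
    rA = rbar + H(identity)
    return rA, bA, (kT - rA * sT) % R

def extract(rA, bA, identity, WT):  # Bob's extraction (12)
    x, y = mul(rA % R, WT)  # rA * W_T, subtracted below by adding its negation
    return add(decompress(rA - H(identity), bA), (x, (-y) % P))

def demo(identity="alice@example.org"):
    sT = secrets.randbelow(R - 1) + 1  # TTP domain private key; W_T is published
    WT = mul(sT, G)
    kA = secrets.randbelow(R - 1) + 1  # Alice's blinding scalar, never sent to TTP
    rA, bA, sA = keygen(mul(kA, G), identity, sT)
    priv = (kA + sA) % R               # Alice's private key: kA + sA (mod r)
    extracted_ok = extract(rA, bA, identity, WT) == mul(priv, G)
    escrow_free = mul(sA, G) != mul(priv, G)  # TTP's sA alone does not give W_A
    return extracted_ok, escrow_free
```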

5 Results & Conclusions

In an attempt to quantify the likelihood of impersonation success, an experiment was run using an implementation in Java. As such an experiment requires every point on the curve to be computed, only small, toy curves can be examined, as standard curves for cryptographic use have too many points. A few different curves over prime fields were examined. The results suggest the probability of impersonation success is extremely low, only slightly higher than guessing a private key on the curve. This suggests that as the size of the curve increases, the probability of success of such an impersonation attack shrinks to an insignificant amount.

Table 3 compares the storage and computation requirements when verifying message signatures using traditional certificate-based PKI and when using self-certified keys. Not only is there one less elliptic scalar multiplication (ESM) present, but the three can be done simultaneously [3] very efficiently.

Certificate-Based PKI               Self-Certified
signature (2r)                      signature (2r)
public key (q + 1)                  self-certified public key (q + 1)
TTP signature on public key (2r)    -
verify public key (2 ESM’s)         extract public key (1 ESM)
verify signature (2 ESM’s)          verify signature (2 ESM’s)

Table 3: Storage and computation requirements.

In conclusion, a modification to an existing blind self-certified key issuing protocol has been presented for use with elliptic curves (11). This is much less complex than its multiplicative group analogue (6), as no proof of knowledge is needed.

5.1 Future Work

Although experimental results suggest impersonation is not a serious threat in (11), the true upper-bound on the probability of impersonation success is an open question. Future work is planned.

In the area of small and short signatures, probably the most active area of research is pairing-based cryptography [2], which also uses elliptic curves. However, pairings are generally considered much more expensive to compute than scalar multiplications. Efficient settings and methods for calculating pairings could be a topic of research.

References

[1] G. Ateniese and B. de Medeiros. A provably secure Nyberg-Rueppel signature variant with applications. Cryptology ePrint Archive, Report 2004/093, 2004. http://eprint.iacr.org/.

[2] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In ASIACRYPT ’01: Proceedings of the 7th International Conference on the Theory and Application of Cryptology and Information Security, pages 514–532, London, UK, 2001. Springer-Verlag.

[3] B. B. Brumley. Efficient three-term simultaneous elliptic scalar multiplication with applications. In V. Fåk, editor, Proceedings of the 11th Nordic Workshop on Secure IT Systems (NordSec 2006), pages 105–116, Linköping, Sweden, 2006.

[4] C. Candolin, J. Lundberg, and H. Kari. Packet level authentication in military networks. In Proceedings of the 6th Australian Information Warfare & IT Security Conference, Geelong, Australia, November 2005.

[5] T. ElGamal. A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Transactions on Information Theory, IT-31(4):469–472, 1985.

[6] M. Girault. Self-certified public keys. In D. W. Davies, editor, Advances in Cryptology - EuroCrypt ’91, pages 490–497, Berlin, 1991. Springer-Verlag. Lecture Notes in Computer Science Volume 547.

[7] D. M. Gordon. A survey of fast exponentiation methods. J. Algorithms, 27(1):129–146, 1998.

[8] D. Hankerson, A. Menezes, and S. Vanstone. Guide to elliptic curve cryptography. Springer, New York, 2004.

[9] IEEE. Standard specifications for public-key cryptography. Technical Report P1363 / D13, Institute of Electrical and Electronics Engineers (IEEE), November 1999.

[10] IETF. ECC cipher suites for TLS. Technical report, TLS Working Group, Internet Engineering Task Force (IETF), October 2005.

[11] D. E. Knuth. The Art of Computer Programming: Seminumerical Algorithms, volume 2. Addison-Wesley, Reading, MA, 3rd edition, 1998.

[12] N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203–209, 1987.

[13] V. S. Miller. Use of elliptic curves in cryptography. In CRYPTO ’85: Advances in Cryptology, pages 417–426, London, UK, 1986. Springer-Verlag.

[14] K. Nyberg and R. A. Rueppel. A new signature scheme based on the DSA giving message recovery. In CCS ’93: Proceedings of the 1st ACM conference on Computer and communications security, pages 58–61, New York, NY, USA, 1993. ACM Press.

[15] H. Petersen and P. Horster. Self-Certified Keys: Concepts and Applications. In Proceedings of the Third International Conference on Communications and Multimedia Security, pages 102–116, London, 1997. Chapman & Hall.

[16] A. Shamir. Identity-based cryptosystems and signature schemes. In Proceedings of CRYPTO 84 on Advances in cryptology, pages 47–53, New York, NY, USA, 1985. Springer-Verlag New York, Inc.
