Internet Engineering Task Force (IETF) M. Groves Request for Comments: 6507 CESG Category: Informational February 2012 ISSN: 2070-1721
Elliptic Curve-Based Certificateless Signatures for Identity-Based Encryption (ECCSI)
Abstract
Many signature schemes currently in use rely on certificates for authentication of identity. In Identity-based cryptography, this adds unnecessary overhead and administration. The Elliptic Curve- based Certificateless Signatures for Identity-based Encryption (ECCSI) signature scheme described in this document is certificateless. This scheme has the additional advantages of low bandwidth and low computational requirements.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6507.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Groves Informational [Page 1]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
Table of Contents
1. Introduction ....................................................2 1.1. Requirements Terminology ...................................3 2. Architecture ....................................................3 3. Notation ........................................................5 3.1. Arithmetic .................................................5 3.2. Representations ............................................6 3.3. Format of Material .........................................6 4. Parameters ......................................................7 4.1. Static Parameters ..........................................7 4.2. Community Parameters .......................................8 5. Algorithms ......................................................8 5.1. User Key Material ..........................................8 5.1.1. Algorithm for Constructing (SSK,PVT) Pair ...........8 5.1.2. Algorithm for Validating a Received SSK .............9 5.2. Signatures .................................................9 5.2.1. Algorithm for Signing ...............................9 5.2.2. Algorithm for Verifying ............................10 6. Security Considerations ........................................11 7. References .....................................................13 7.1. Normative References ......................................13 7.2. Informative References ....................................13 Appendix A. Test Data..............................................14
Digital signatures provide authentication services across a wide range of applications. A chain of trust for such signatures is usually provided by certificates. However, in low-bandwidth or other resource-constrained environments, the use of certificates might be undesirable. This document describes an efficient scheme, ECCSI, for elliptic curve-based certificateless signatures, primarily intended for use with Identity-Based Encryption (IBE) schemes such as described in [RFC6508]. As certificates are not needed, the need to transmit or store them to authenticate each communication is obviated. The algorithm has been developed by drawing on ideas set out by Arazi [BA] and is originally based upon the Elliptic Curve Digital Signature Algorithm [ECDSA], one of the most commonly used signature algorithms.
The algorithm is for use in the following context:
* where there are two parties, a Signer and a Verifier;
* where short unambiguous Identifier strings are naturally associated to each of these parties;
Groves Informational [Page 2]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* where a message is to be signed and then verified (e.g., for authenticating the initiating party during an Identity-based key establishment);
* where a common Key Management Service (KMS) provides a root of trust for both parties.
The scheme does not rely on any web of trust between users.
Authentication is provided in a single simplex transmission without per-session reference to any third party. Thus, the scheme is particularly suitable in situations where the receiving party need not be active (or even enrolled) when the message to be authenticated is sent, or where the number of transmissions is to be minimized for efficiency.
Instead of having a certificate, the Signer has an Identifier, to which his Secret Signing Key (SSK) (see Section 2) will have been cryptographically bound by means of a Public Validation Token (PVT) (see Section 2) by the KMS. Unlike a traditional public key, this PVT requires no further explicit certification.
The verification primitive within this scheme can be implemented using projective representation of elliptic curve points, without arithmetic field divisions, and without explicitly using the size of the underlying cryptographic group.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
A KMS provisions key material for a set of communicating devices (a "user community"). Each device within the user community MUST have an Identifier (ID), which can be formed by its peers. These Identifiers MUST be unique to devices (or users), and MAY change over time. As such, all applications of this signature scheme MUST define an unambiguous format for Identifiers. We consider the situation where one device (the Signer) wishes to sign a message that it is sending to another (the Verifier). Only the Signer's ID is used in the signature scheme.
Groves Informational [Page 3]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
In advance, the KMS chooses its KMS Secret Authentication Key (KSAK), which is the root of trust for all other key material in the scheme. From this, the KMS derives the KMS Public Authentication Key (KPAK), which all devices will require in order to verify signatures. This will be the root of trust for verification.
Before verification of any signatures, members of the user community are supplied with the KPAK. The supply of the KPAK MUST be authenticated by the KMS, and this authentication MUST be verified by each member of the user community. Confidentiality protection MAY also be applied.
In the description of the algorithms in this document, it is assumed that there is one KMS, one user community, and hence one KPAK. Applications MAY support multiple KPAKs, and some KPAKs could in fact be "private" to certain communities in certain circumstances. The method for determining which KPAK to use (when more than one is available) is out of scope.
The KMS generates and provisions key material for each device. It MUST supply an SSK along with a PVT to all devices that are to send signed messages. The mechanism by which these SSKs are provided MUST be secure, as the security of the authentication provided by ECCSI signatures is no stronger than the security of this supply channel.
Before using the supplied key material (SSK, KPAK) to form signatures, the Sender MUST verify the key material (SSK) against the root of trust (KPAK) and against its own ID and its PVT, using the algorithm defined in Section 5.1.2.
During the signing process, once the Signer has formed its message, it signs the message using its SSK. It transmits the Signature (including the PVT), and MAY also transmit the message (in cases where the message is not known to the Verifier). The Verifier MUST then use the message, Signature, and Sender ID in verification against the KPAK.
This document specifies
* an algorithm for creating a KPAK from a KSAK, for a given elliptic curve;
* a format for transporting a KPAK;
* an algorithm for creating an SSK and a PVT from a Signer's ID, using the KSAK;
Groves Informational [Page 4]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* an algorithm for verifying an SSK and a PVT against a Signer's ID and KPAK;
* an algorithm for creating a Signature from a message, using a Signer's ID with a matching SSK and PVT;
* a format for transporting a Signature;
* an algorithm for verifying a Signature for a message, using a Signer's ID with the matching KPAK.
This document does not specify (but comments on)
* how to choose a valid and secure elliptic curve;
* which hash function to use;
* how to format a Signer's ID;
* how to format a message for signing;
* how to manage and install a KPAK;
* how to transport or install an SSK.
As used in [RFC6509], the elliptic curve and hash function are specified in Section 2.1.1 of [RFC6509], the format of Identifiers is specified in Section 3.2 of [RFC6509], and messages for signing are formatted as specified in [RFC3830].
ECCSI relies on elliptic curve arithmetic. If P and Q are two elliptic curve points, their addition is denoted P + Q. Moreover, the addition of P with itself k times is denoted [k]P.
F_p denotes the finite field of p elements, where p is prime. All elliptic curve points will be defined over F_p.
The curve is defined by the equation y^2 = x^3 - 3*x + B modulo p, where B is an element of F_p. Elliptic curve points, other than the group identity (0), are represented in the format P = (Px,Py), where Px and Py are the affine coordinates in F_p satisfying the above equation. In particular, a point P = (Px,Py) is said to lie on an elliptic curve if Py^2 - Px^3 + 3*Px - B = 0 modulo p. The identity point 0 will require no representation.
Groves Informational [Page 5]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
This section provides canonical representations of values that MUST be used to ensure interoperability of implementations. The following representations MUST be used for input into hash functions and for transmission. In this document, concatenation of octet strings s and t is denoted s || t. The logarithm base 2 of a real number a is denoted lg(a).
Integers Integers MUST be represented as an octet string, with bit length a multiple of 8. To achieve this, the integer is represented most significant bit first, and padded with zero bits on the left until an octet string of the necessary length is obtained. This is the octet string representation described in Section 6 of [RFC6090]. There will be no need to represent negative integers. When transmitted or hashed, such octet strings MUST have length N = Ceiling(lg(p)/8).
F_p elements Elements of F_p MUST be represented as integers in the range 0 to p-1 using the octet string representation defined above. For use in ECCSI, such octet strings MUST have length N = Ceiling(lg(p)/8).
Points on E Elliptic curve points MUST be represented in uncompressed form ("affine coordinates") as defined in Section 2.2 of [RFC5480]. For an elliptic curve point (x,y) with x and y in F_p, this representation is given by 0x04 || x' || y', where x' is the N-octet string representing x and y' is the N-octet string representing y.
This section describes the subfields of the different objects used within the protocol.
Signature = r || s || PVT where r and s are octet strings of length N = Ceiling(lg(p)/8) representing integers, and PVT is an octet string of length 2N+1 representing an elliptic curve point, yielding a total signature length of 4N+1 octets. (Note that r and
Groves Informational [Page 6]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
s represent integers rather than elements of F_p, and therefore it is possible that either or both of them could equal or exceed p.)
The following static parameters are fixed for each implementation. They are not intended to change frequently, and MUST be specified for each user community. Note that these parameters MAY be shared across multiple KMSs.
n A security parameter; the size in bits of the prime p over which elliptic curve cryptography is to be performed.
N = Ceiling(n/8) The number of octets used to represent fields r and s in a Signature. Also the number of octets output by the hash function (see below).
p A prime number of size n bits. The finite field with p elements is denoted F_p.
E An elliptic curve defined over F_p, having a subgroup of prime order q.
B An element of F_p, where E is defined by the formula y^2 = x^3 - 3*x + B modulo p.
G A point on the elliptic curve E that generates the subgroup of order q.
q The prime q is defined to be the order of G in E over F_p.
Hash A cryptographic hash function mapping arbitrary strings to strings of N octets. If a, b, c, ... are strings, then hash( a || b || c || ...) denotes the result obtained by hashing the concatenation of these strings.
Identifiers The method for deriving user Identifiers. The format of Identifiers MUST be specified by each implementation. It MUST be possible for each device to derive the Identifier for every device with which it needs to communicate. In
Groves Informational [Page 7]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
this document, ID will denote the correctly formatted Identifier string of the Signer. ECCSI makes use of the Signer Identifier only, though an implementation MAY make use of other Identifiers when constructing the message to be signed. Identifier formats MAY include a timestamp to allow for automatic expiration of key material.
It is RECOMMENDED that p, E, and G are chosen to be standardized values. In particular, it is RECOMMENDED that the curves and base points defined in [FIPS186-3] be used.
The following community parameter MUST be supplied to devices each time the root of trust is changed.
KPAK The KMS Public Authentication Key (KPAK) is the root of trust for authentication. It is derived from the KSAK in the KMS. This value MUST be provisioned in a trusted fashion, such that each device that receives it has assurance that it is the genuine KPAK belonging to its KMS. Before use, each device MUST check that the supplied KPAK lies on the elliptic curve E.
The KMS MUST fix the KPAK to be KPAK = [KSAK]G, where the KSAK MUST be chosen to be a random secret non-zero integer modulo q. The value of the KSAK MUST be kept secret to the KMS.
To create signatures, each Signer requires a Secret Signing Key (SSK) and a Public Validation Token (PVT). The SSK is an integer, and the PVT is an elliptic curve point. The SSK MUST be kept secret (to the Signer and KMS), but the PVT need not be kept secret. A different (SSK,PVT) pair will be needed for each Signer ID.
The KMS constructs a (SSK,PVT) pair from the Signer's ID, the KMS secret (KSAK), and the root of trust (KPAK). To do this, the KMS MUST perform the following procedure:
Groves Informational [Page 8]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
1) Choose v, a random (ephemeral) non-zero element of F_q;
2) Compute PVT = [v]G (this MUST be represented canonically -- see Section 3.2);
3) Compute a hash value HS = hash( G || KPAK || ID || PVT ), an N-octet integer;
4) Compute SSK = ( KSAK + HS * v ) modulo q;
5) If either the SSK or HS is zero modulo q, the KMS MUST erase the SSK and abort or restart the procedure with a fresh value of v;
6) Output the (SSK,PVT) pair. The KMS MUST then erase the value v.
The method for transporting the SSK to the legitimate Signer device is out of scope for this document, but the SSK MUST be provisioned by the KMS using a method that protects its confidentiality.
If necessary, the KMS MAY create multiple (SSK,PVT) pairs for the same Identifier.
Every SSK MUST be validated before being installed as a signing key. The Signer uses its ID and the KPAK to validate a received (SSK,PVT) pair. To do this validation, the Signer MUST perform the following procedure, passing all checks:
1) Validate that the PVT lies on the elliptic curve E;
2) Compute HS = hash( G || KPAK || ID || PVT ), an N-octet integer. The integer HS SHOULD be stored with the SSK for later use;
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* its Secret Signing Key, SSK;
* its Public Validation Token, PVT = (PVTx,PVTy).
These values, with the exception of ID, MUST have been provided by the KMS. The value of ID is derived by the Signer using the community-defined method for formatting Identifiers.
The following procedure MUST be used by the Signer to compute the signature:
1) Choose a random (ephemeral) non-zero value j in F_q;
2) Compute J = [j]G (this MUST be represented canonically). Viewing J in affine coordinates J = (Jx,Jy), assign to r the N-octet integer representing Jx;
3) Recall (or recompute) HS, and use it to compute a hash value HE = hash( HS || r || M );
4) Verify that HE + r * SSK is non-zero modulo q; if this check fails, the Signer MUST abort or restart this procedure with a fresh value of j;
5) Compute s' = ( (( HE + r * SSK )^-1) * j ) modulo q; the Signer MUST then erase the value j;
6) If s' is too big to fit within an N-octet integer, then set the N-octet integer s = q - s'; otherwise, set the N-octet integer s = s' (note that since p is less than 2^n, by Hasse's theorem on elliptic curves, q < 2^n + 2^(n/2 + 1) + 1. Therefore, if s' > 2^n, we have q - s' < 2(n/2 + 1) + 1. Thus, s is guaranteed to fit within an N-octet integer);
7) Output the signature as Signature = ( r || s || PVT ).
Note that step 6) is necessary because it is possible for q (and hence for elements of F_q) to be too big to fit within N octets. The Signer MAY instead elect to set s to be the least integer of s' and q - s', represented in N octets.
The algorithm provided assumes that the Verifier computes points on elliptic curves using affine coordinates. However, the Verifier MAY perform elliptic curve operations using any appropriate representation of points that achieves the equivalent operations.
Groves Informational [Page 10]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
To verify a Signature ( r || s || PVT ) against a Signer's Identifier (ID), a message (M), and a pre-installed root of trust (KPAK), the Verifier MUST perform a procedure equivalent to the following:
1) The Verifier MUST check that the PVT lies on the elliptic curve E;
2) Compute HS = hash( G || KPAK || ID || PVT );
3) Compute HE = hash( HS || r || M );
4) Y = [HS]PVT + KPAK;
5) Compute J = [s]( [HE]G + [r]Y );
6) Viewing J in affine coordinates (Jx,Jy), the Verifier MUST check that Jx = r modulo p, and that Jx modulo p is non-zero, before accepting the Signature as valid.
It is anticipated that the ID, message (M), and KPAK will be implicitly understood due to context, but any of these values MAY also be included in signaling.
Note that the parameter q is not needed during verification.
The ECCSI cryptographic algorithm is based upon [ECDSA]. In fact, step 5) in the verification algorithm above is the same as the verification stage in ECDSA. The only difference between ECDSA and ECCSI is that in ECCSI the 'public key', Y, is derived from the Signer ID by the Verifier (whereas in ECDSA the public key is fixed). It is therefore assumed that the security of ECCSI depends entirely on the secrecy of the secret keys. In addition, to recover secret keys, one will need to perform computationally intensive cryptanalytic attacks.
The KSAK provides the security for each device provisioned by the KMS. It MUST NOT be revealed to any entity other than the KMS that holds it. Each user's SSK authenticates the user as being associated with the ID to which the SSK is assigned by the KMS. This key MUST NOT be revealed to any entity other than the KMS and the authorized user.
The order of the base point G used in ECCSI MUST be a large prime q. If k bits of symmetric security are needed, Ceiling(lg(q)) MUST be at least 2*k.
Groves Informational [Page 11]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
It is RECOMMENDED that the curves and base points defined in [FIPS186-3] be used, since these curves are suitable for cryptographic use. However, if other curves are used, the security of the curves MUST be assessed.
In order to ensure that the SSK is only received by an authorized device, it MUST be provided through a secure channel. The strength of the authentication offered by this signature scheme is no greater than the security provided by this delivery channel.
Identifiers MUST be defined unambiguously by each application of ECCSI. Note that it is not necessary to use a hash function to compose an Identifier string. In this way, any weaknesses that might otherwise be caused by collisions in hash functions can be avoided without reliance on the structure of the Identifier format. Applications of ECCSI MAY include a time/date component in their Identifier format to ensure that Identifiers (and hence SSKs) are only valid for a fixed period of time.
The use of the ephemeral value r in the hash HE significantly reduces the scope for offline attacks, improving the overall security, as compared to [ECDSA]. Furthermore, if Identifiers are specified to contain date-stamps, then all Identifiers, SSKs, signatures, and hash values will periodically become deprecated automatically, reducing the need for revocation and other additional management methods.
The randomness of values stipulated to be selected at random, as described in this document, is essential to the security provided by ECCSI. If the value of the KSAK can be predicted, then any signatures can be forged. Similarly, if the value of v used by the KMS to create a user's SSK can be predicted, then the value of the KSAK could be recovered, which would allow signatures to be forged. If the value of j used by a user is predictable, then the value of his SSK could be recovered. This would allow that user's signatures to be forged. Guidance on the generation of random values for security can be found in [RFC4086].
Note that in most instances, the value s in the Signature can be replaced by q - s. Thus, the malleability of ECCSI signatures is similar to that in [ECDSA]; malleability is available but also very limited.
Groves Informational [Page 12]
RFC 6507 ECCSI for Identity-Based Encryption February 2012
[ECDSA] X9.62-2005, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", November 2005.
[FIPS186-3] Federal Information Processing Standards Publication (FIPS PUB) 186-3, "Digital Signature Standard (DSS)", June 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, March 2009.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, February 2011.
This appendix provides test data built from the NIST P-256 curve and base point. SHA-256 (as defined in [FIPS180-3]) is used as the hash function. The keys and ephemerals -- KSAK, v, and j -- are arbitrary and for illustration only.
// -------------------------------------------------------- // Global parameters