Implicit certificate explained

In cryptography, implicit certificates are a variant of public key certificate. A subject's public key is reconstructed from the data in an implicit certificate, and is then said to be "implicitly" verified. Tampering with the certificate will result in the reconstructed public key being invalid, in the sense that it is infeasible to find the matching private key value, as would be required to make use of the tampered certificate.

By comparison, traditional public-key certificates include a copy of the subject's public key, and a digital signature made by the issuing certificate authority (CA). The public key must be explicitly validated, by verifying the signature using the CA's public key. For the purposes of this article, such certificates will be called "explicit" certificates.

Elliptic Curve Qu-Vanstone (ECQV) is one kind of implicit certificate scheme. It is described in the document Standards for Efficient Cryptography 4 (SEC4).[1] This article will use ECQV as a concrete example to illustrate implicit certificates.

Comparison of ECQV with explicit certificates

Conventional explicit certificates are made up of three parts: subject identification data, a public key and a digital signature which binds the public key to the user's identification data (ID). These are distinct data elements within the certificate, and contribute to the size of the certificate: for example, a standard X.509 certificate is on the order of 1 KB in size (~8000 bits).

An ECQV implicit certificate consists of identification data and a single cryptographic value. This value, an elliptic curve point, combines the function of public key data and CA signature. ECQV implicit certificates can therefore be considerably smaller than explicit certificates, and so are useful in highly constrained environments such as radio-frequency identification (RFID) tags, where not a lot of memory or bandwidth is available.

ECQV certificates are useful for any ECC scheme where the private and public keys are of the form (d, dG). This includes key agreement protocols such as ECDH and ECMQV, or signing algorithms such as ECDSA. Such an operation will fail if the certificate has been altered, as the reconstructed public key will be invalid. Reconstructing the public key is fast (a single point multiplication operation) compared to ECDSA signature verification.

Comparison with ID-based cryptography

Implicit certificates are not to be confused with identity-based cryptography. In ID-based schemes, the subject's identity itself is used to derive their public key; there is no 'certificate' as such. The corresponding private key is calculated and issued to the subject by a trusted third party.

In an implicit certificate scheme, the subject has a private key which is not revealed to the CA during the certificate-issuing process. The CA is trusted to issue certificates correctly, but not to hold individual users' private keys. Wrongly issued certificates can be revoked, whereas there is no comparable mechanism for misuse of private keys in an identity-based scheme.

Description of the ECQV scheme

Initially the scheme parameters must be agreed upon. These are:

  - An elliptic curve point $G$ of order $n$.
  - $\mathrm{Encode}(\gamma, ID)$, which takes public key reconstruction data $\gamma$ and identifying information $ID$ and encodes its arguments as a byte-block, and a corresponding $\mathrm{Decode}_\gamma(\cdot)$, which extracts the $\gamma$ value from an encoding.
  - $H_n(\cdot)$, which accepts a byte-block and yields a hash value as an integer in the range $[0, n-1]$.

The certificate authority CA will have private key $c$ and public key $Q_{CA} = cG$.

Certificate request protocol

Here, Alice will be the user who requests the implicit certificate from the CA. She has identifying information $ID_A$.

  1. Alice generates a random integer $\alpha$.
  2. Alice computes $A = \alpha G$ and sends $A$ and $ID_A$ to the CA.
  3. CA selects a random integer $k$ from $[1, n-1]$ and computes $kG$.
  4. CA computes $\gamma = A + kG$ (this is the public key reconstruction data).
  5. CA computes $Cert = \mathrm{Encode}(\gamma, ID_A)$.
  6. CA computes $e = H_n(Cert)$.
  7. CA computes $s = ek + c \pmod{n}$ ($s$ is the private key reconstruction data).
  8. CA sends $(s, Cert)$ to Alice.
  9. Alice computes $e' = H_n(Cert)$ and her private key $a = e'\alpha + s \pmod{n}$.
  10. Alice computes $\gamma' = \mathrm{Decode}_\gamma(Cert)$ and her public key $Q_A = e'\gamma' + Q_{CA}$.
  11. Alice verifies that the certificate is valid, i.e. that $Q_A = aG$.

Using the certificate

Here, Alice wants to prove her identity to Bob, who trusts the CA.

  1. Alice sends $Cert$ to Bob, and a ciphertext $C$ created using her private key $a$. The ciphertext can be a digital signature, or part of an Authenticated Key Exchange protocol.
  2. Bob computes $\gamma'' = \mathrm{Decode}_\gamma(Cert)$ and $e'' = H_n(Cert)$.
  3. Bob computes Alice's alleged public key $Q_A' = e''\gamma'' + Q_{CA}$.
  4. Bob validates ciphertext $C$ using $Q_A'$. If this validation is successful, he can trust that the key $Q_A'$ is owned by the user whose identity information is contained in $Cert$.

Proof of equivalence of private and public keys

Alice's private key is $a = e'\alpha + s = e\alpha + ek + c \pmod{n}$.

The public key reconstruction value is $\gamma = A + kG = (\alpha + k)G$.

Alice's public key is $Q_A = e\gamma + Q_{CA} = e(\alpha + k)G + cG = (e\alpha + ek + c)G$.

Therefore, $Q_A = aG$, which completes the proof.
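
The request protocol, Bob's reconstruction and the equivalence shown above can be run end to end. The following is an added example, not code from SEC4 or from the original article. It assumes the secp256k1 curve, a fixed-width encoding of gamma followed by the ID, and SHA-256 reduced mod n as the hash; the function names are hypothetical.

```python
# Toy ECQV on secp256k1, pure Python. Not constant-time; illustration only.
import hashlib, secrets

P = 2**256 - 2**32 - 977                      # field prime (curve y^2 = x^3 + 7)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None: return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0: return None
    m = (3*x1*x1 * pow(2*y1, -1, P) if p == q else (y2-y1) * pow(x2-x1, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def encode(gamma, ident):   # Encode(gamma, ID): x || y || ID (assumed layout)
    return gamma[0].to_bytes(32, "big") + gamma[1].to_bytes(32, "big") + ident

def decode_gamma(cert):     # Decode_gamma(Cert)
    return int.from_bytes(cert[:32], "big"), int.from_bytes(cert[32:64], "big")

def h_n(cert):              # H_n: SHA-256 reduced mod n (simplification)
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N

def ca_issue(c, A, ident):  # CA side: gamma = A + kG, s = ek + c mod n
    k = secrets.randbelow(N - 1) + 1
    cert = encode(add(A, mul(k, G)), ident)
    return (h_n(cert) * k + c) % N, cert

def reconstruct_public(cert, q_ca):  # Q_A = e*gamma + Q_CA (Alice and Bob)
    return add(mul(h_n(cert), decode_gamma(cert)), q_ca)

def demo():
    c = secrets.randbelow(N - 1) + 1          # CA private key
    q_ca = mul(c, G)                          # CA public key
    alpha = secrets.randbelow(N - 1) + 1      # Alice's secret
    s, cert = ca_issue(c, mul(alpha, G), b"alice@example.test")  # constructed ID
    a = (h_n(cert) * alpha + s) % N           # Alice's private key
    valid = reconstruct_public(cert, q_ca) == mul(a, G)
    forged = cert[:64] + b"mallory@example.test"   # same gamma, altered ID
    return valid, reconstruct_public(forged, q_ca) == mul(a, G)
```

`demo()` returns `(True, False)`: the genuine certificate reconstructs to $aG$, while the altered one reconstructs to a different point for which Alice's private key is useless.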

Security

A security proof for ECQV has been published by Brown et al.[2]

Notes and References

  1. "Standards for efficient cryptography, SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV)". www.secg.org. 2013-01-24. Retrieved 2017-07-05.
  2. Brown, Daniel R. L.; Gallant, Robert P.; Vanstone, Scott A. (2001). "Provably Secure Implicit Certificate Schemes". Financial Cryptography 2001. Lecture Notes in Computer Science. 2339 (1): 156–165. http://www.cacr.math.uwaterloo.ca/techreports/2000/corr2000-55.ps. doi:10.1007/3-540-46088-8_15. ISBN 978-3-540-44079-6. CiteSeerX 10.1.1.32.2221. Retrieved 27 December 2015.