Implicit certificate

Last updated May 23, 2024

In cryptography, implicit certificates are a variant of public key certificate. A subject's public key is reconstructed from the data in an implicit certificate, and is then said to be "implicitly" verified. Tampering with the certificate will result in the reconstructed public key being invalid, in the sense that it is infeasible to find the matching private key value, as would be required to make use of the tampered certificate.

By comparison, traditional public-key certificates include a copy of the subject's public key, and a digital signature made by the issuing certificate authority (CA). The public key must be explicitly validated, by verifying the signature using the CA's public key. For the purposes of this article, such certificates will be called "explicit" certificates.

Elliptic Curve Qu-Vanstone (ECQV) is one kind of implicit certificate scheme. It is described in the document Standards for Efficient Cryptography 4 (SEC4).^[1]
This article will use ECQV as a concrete example to illustrate implicit certificates.

Comparison of ECQV with explicit certificates

Conventional explicit certificates are made up of three parts: subject identification data, a public key and a digital signature which binds the public key to the user's identification data (ID). These are distinct data elements within the certificate, and contribute to the size of the certificate: for example, a standard X.509 certificate is on the order of 1KB in size (~8000 bits).

An ECQV implicit certificate consists of identification data, and a single cryptographic value. This value, an elliptic curve point, combines the function of public key data and CA signature. ECQV implicit certificates can therefore be considerably smaller than explicit certificates, and so are useful in highly constrained environments such as Radio-frequency Identification RFID tags, where not a lot of memory or bandwidth is available.

ECQV certificates are useful for any ECC scheme where the private and public keys are of the form ( d, dG ). This includes key agreement protocols such as ECDH and ECMQV, or signing algorithms such as ECDSA. The operation will fail if the certificate has been altered, as the reconstructed public key will be invalid. Reconstructing the public key is fast (a single point multiplication operation) compared to ECDSA signature verification.

Comparison with ID-based cryptography

Implicit certificates are not to be confused with identity-based cryptography. In ID-based schemes, the subject's identity itself is used to derive their public key; there is no 'certificate' as such. The corresponding private key is calculated and issued to the subject by a trusted third party.

In an implicit certificate scheme, the subject has a private key which is not revealed to the CA during the certificate-issuing process. The CA is trusted to issue certificates correctly, but not to hold individual user's private keys. Wrongly issued certificates can be revoked, whereas there is no comparable mechanism for misuse of private keys in an identity-based scheme.

Description of the ECQV scheme

Initially the scheme parameters must be agreed upon. These are:

The elliptic curve parameters, including a generating point $G\,$ of order $n\,$ .
An encoding function ${\textrm {Encode}}(\gamma ,ID)$ with a public key reconstruction data $\gamma$ and an identifying information $ID$ encodes its arguments as a byte-block, and a corresponding ${\textrm {Decode}}_{\gamma }(\cdot )$ which extracts the $\gamma$ value from an encoding.
A hash function $H_{n}(\cdot )$ which accepts a byte-block and yields a hash value as an integer in the range $[0,n-1]$

The certificate authority CA will have private key $c\,$ and public key $Q_{CA}=cG$

Certificate request protocol

Here, Alice will be the user who requests the implicit certificate from the CA. She has identifying information $ID_{A}$ .

Alice generates a random integer $\alpha \,$
Alice computes $A=\alpha \,G\,$ and sends $A$ and $ID_{A}$ to the CA.
CA selects a random integer $k\,$ from $[1,n-1]\,$ and computes $kG\,$ .
CA computes $\gamma =A+kG\,$ (this is the public key reconstruction data)
CA computes $Cert={\textrm {Encode}}(\gamma ,{\textrm {ID}}_{A})\,$
CA computes $e=H_{n}(Cert)$
CA computes $s=ek+c{\pmod {n}}\,$ ( $s\,$ is the private key reconstruction data)
CA sends $(s,Cert)\,$ to Alice
Alice computes $e'=H_{n}(Cert)$ and her private key $a=e'\alpha +s{\pmod {n}}\,$
Alice computes $\gamma '={\textrm {Decode}}_{\gamma }(Cert)$ and her public key $Q_{A}=e'\gamma '+Q_{CA}\,$
Alice verifies that the certificate is valid, i.e. that $Q_{A}=aG$

Using the certificate

Here, Alice wants to prove her identity to Bob, who trusts the CA.

Alice sends $Cert$ to Bob, and a ciphertext $C$ created using her private key $a$ . The ciphertext can be a digital signature, or part of an Authenticated Key Exchange protocol.
Bob computes $\gamma ''={\textrm {Decode}}_{\gamma }(Cert)$ and $e''=H_{n}(Cert)$ .
Bob computes Alice's alleged public key $Q_{A}'=e''\gamma ''+Q_{CA}$
Bob validates ciphertext $C$ using $Q_{A}'$ . If this validation is successful, he can trust that the key $Q_{A}'$ is owned by the user whose identity information is contained in $Cert$ .

Proof of equivalence of private and public keys

Alice's private key is $a=e'\alpha +s=e\alpha +ek+c{\pmod {n}}$

The public key reconstruction value $\gamma =A+kG=(\alpha +k)G$

Alice's public key is $Q_{A}=e\gamma +Q_{CA}=e(\alpha +k)G+cG=(e\alpha +ek+c)G$

Therefore, $Q_{A}=aG$ , which completes the proof.

Security

A security proof for ECQV has been published by Brown et al.^[2]

Related Research Articles

In coding theory, the Bose–Chaudhuri–Hocquenghem codes form a class of cyclic error-correcting codes that are constructed using polynomials over a finite field. BCH codes were invented in 1959 by French mathematician Alexis Hocquenghem, and independently in 1960 by Raj Chandra Bose and D.K. Ray-Chaudhuri. The name Bose–Chaudhuri–Hocquenghem arises from the initials of the inventors' surnames.

In probability theory and statistics, the gamma distribution is a versatile two-parameter family of continuous probability distributions. The exponential distribution, Erlang distribution, and chi-squared distribution are special cases of the gamma distribution. There are two equivalent parameterizations in common use:

With a shape parameter $k$ and a scale parameter $θ$
With a shape parameter $and an inverse scale parameter, called a rate parameter.$

The alpha process, also known as alpha capture or the alpha ladder, is one of two classes of nuclear fusion reactions by which stars convert helium into heavier elements. The other class is a cycle of reactions called the triple-alpha process, which consumes only helium, and produces carbon. The alpha process most commonly occurs in massive stars and during supernovae.

In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, specifically the theory of polynomial time problems. Not being one-to-one is not considered sufficient for a function to be called one-way.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

In cryptography, the McEliece cryptosystem is an asymmetric encryption algorithm developed in 1978 by Robert McEliece. It was the first such scheme to use randomization in the encryption process. The algorithm has never gained much acceptance in the cryptographic community, but is a candidate for "post-quantum cryptography", as it is immune to attacks using Shor's algorithm and – more generally – measuring coset states using Fourier sampling.

The Cayley–Purser algorithm was a public-key cryptography algorithm published in early 1999 by 16-year-old Irishwoman Sarah Flannery, based on an unpublished work by Michael Purser, founder of Baltimore Technologies, a Dublin data security company. Flannery named it for mathematician Arthur Cayley. It has since been found to be flawed as a public-key algorithm, but was the subject of considerable media attention.

The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.

Pollard's rho algorithm for logarithms is an algorithm introduced by John Pollard in 1978 to solve the discrete logarithm problem, analogous to Pollard's rho algorithm to solve the integer factorization problem.

In probability theory and statistics, the inverse gamma distribution is a two-parameter family of continuous probability distributions on the positive real line, which is the distribution of the reciprocal of a variable distributed according to the gamma distribution.

In probability theory and statistics, the beta prime distribution is an absolutely continuous probability distribution. If $has a beta distribution, then the odds has a beta prime distribution.$

Integrated Encryption Scheme (IES) is a hybrid encryption scheme which provides semantic security against an adversary who is able to use chosen-plaintext or chosen-ciphertext attacks. The security of the scheme is based on the computational Diffie–Hellman problem.
Two variants of IES are specified: Discrete Logarithm Integrated Encryption Scheme (DLIES) and Elliptic Curve Integrated Encryption Scheme (ECIES), which is also known as the Elliptic Curve Augmented Encryption Scheme or simply the Elliptic Curve Encryption Scheme. These two variants are identical up to the change of an underlying group.

In cryptography, XTR is an algorithm for public-key encryption. XTR stands for 'ECSTR', which is an abbreviation for Efficient and Compact Subgroup Trace Representation. It is a method to represent elements of a subgroup of a multiplicative group of a finite field. To do so, it uses the trace over $to represent elements of a subgroup of .$

The Fréchet distribution, also known as inverse Weibull distribution, is a special case of the generalized extreme value distribution. It has the cumulative distribution function

CEILIDH is a public key cryptosystem based on the discrete logarithm problem in algebraic torus. This idea was first introduced by Alice Silverberg and Karl Rubin in 2003; Silverberg named CEILIDH after her cat. The main advantage of the system is the reduced size of the keys for the same security over basic schemes.

In cryptography, learning with errors (LWE) is a mathematical problem that is widely used to create secure encryption algorithms. It is based on the idea of representing secret information as a set of equations with errors. In other words, LWE is a way to hide the value of a secret by introducing noise to it. In more technical terms, it refers to the computational problem of inferring a linear $-ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus to be useful in cryptography.$

In probability theory, a beta negative binomial distribution is the probability distribution of a discrete random variable $equal to the number of failures needed to get successes in a sequence of independent Bernoulli trials. The probability of success on each trial stays constant within any given experiment but varies across different experiments following a beta distribution. Thus the distribution is a compound probability distribution.$

In coding theory, Zemor's algorithm, designed and developed by Gilles Zemor, is a recursive low-complexity approach to code construction. It is an improvement over the algorithm of Sipser and Spielman.

<span class="mw-page-title-main">Glossary of Lie groups and Lie algebras</span>

This is a glossary for the terminology applied in the mathematical theories of Lie groups and Lie algebras. For the topics in the representation theory of Lie groups and Lie algebras, see Glossary of representation theory. Because of the lack of other options, the glossary also includes some generalizations such as quantum group.

Quantum secret sharing (QSS) is a quantum cryptographic scheme for secure communication that extends beyond simple quantum key distribution. It modifies the classical secret sharing (CSS) scheme by using quantum information and the no-cloning theorem to attain the ultimate security for communications.

References

↑ "Standards for efficient cryptography, SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV)" (PDF). www.secg.org. 2013-01-24. Retrieved 2017-07-05.
↑ Brown, Daniel R. L.; Gallant, Robert P.; Vanstone, Scott A. (2001). "Provably Secure Implicit Certificate Schemes". Financial Cryptography. Lecture Notes in Computer Science. Vol. 2339. pp. 156–165. CiteSeerX 10.1.1.32.2221 . doi:10.1007/3-540-46088-8_15. ISBN 978-3-540-44079-6 . Retrieved 27 December 2015.{{cite book}}: |journal= ignored (help)

Hankerson, D.; Vanstone, S.; Menezes, A. (2004). Guide to Elliptic Curve Cryptography. Springer Professional Computing. New York: Springer. CiteSeerX 10.1.1.331.1248 . doi:10.1007/b97644. ISBN 978-0-387-95273-4.
certicom.com, Explaining Implicit Certificates, Code and Cipher Vol. 2, no. 2
Leon Pintsov and Scott Vanstone, Postal Revenue Collection in the Digital Age, Financial Cryptography 2000, Lecture Notes in Computer Science 1962, pp. 105–120, Springer, February 2000.

External links

Standards for Efficient Cryptography Group
Blackberry Crypto API supports ECQV
Blackberry's Certicom Corp. uses ECQV for Zigbee Smart Energy
Standards for ISO/IEC 27001:2022 Certifications

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Standards for efficient cryptography, SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV)" (PDF). www.secg.org. 2013-01-24. Retrieved 2017-07-05.

[2] Brown, Daniel R. L.; Gallant, Robert P.; Vanstone, Scott A. (2001). "Provably Secure Implicit Certificate Schemes". Financial Cryptography. Lecture Notes in Computer Science. Vol. 2339. pp. 156–165. CiteSeerX 10.1.1.32.2221 . doi:10.1007/3-540-46088-8_15. ISBN 978-3-540-44079-6 . Retrieved 27 December 2015.{{cite book}}: |journal= ignored (help)

[1]

[2]