1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
|
Internet Engineering Task Force (IETF) M. Groves
Request for Comments: 6507 CESG
Category: Informational February 2012
ISSN: 2070-1721
Elliptic Curve-Based Certificateless Signatures
for Identity-Based Encryption (ECCSI)
Abstract
Many signature schemes currently in use rely on certificates for
authentication of identity. In Identity-based cryptography, this
adds unnecessary overhead and administration. The Elliptic Curve-
based Certificateless Signatures for Identity-based Encryption
(ECCSI) signature scheme described in this document is
certificateless. This scheme has the additional advantages of low
bandwidth and low computational requirements.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It has been approved for publication by the Internet
Engineering Steering Group (IESG). Not all documents approved by the
IESG are a candidate for any level of Internet Standard; see Section
2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6507.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Groves Informational [Page 1]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
Table of Contents
1. Introduction ....................................................2
1.1. Requirements Terminology ...................................3
2. Architecture ....................................................3
3. Notation ........................................................5
3.1. Arithmetic .................................................5
3.2. Representations ............................................6
3.3. Format of Material .........................................6
4. Parameters ......................................................7
4.1. Static Parameters ..........................................7
4.2. Community Parameters .......................................8
5. Algorithms ......................................................8
5.1. User Key Material ..........................................8
5.1.1. Algorithm for Constructing (SSK,PVT) Pair ...........8
5.1.2. Algorithm for Validating a Received SSK .............9
5.2. Signatures .................................................9
5.2.1. Algorithm for Signing ...............................9
5.2.2. Algorithm for Verifying ............................10
6. Security Considerations ........................................11
7. References .....................................................13
7.1. Normative References ......................................13
7.2. Informative References ....................................13
Appendix A. Test Data..............................................14
1. Introduction
Digital signatures provide authentication services across a wide
range of applications. A chain of trust for such signatures is
usually provided by certificates. However, in low-bandwidth or other
resource-constrained environments, the use of certificates might be
undesirable. This document describes an efficient scheme, ECCSI, for
elliptic curve-based certificateless signatures, primarily intended
for use with Identity-Based Encryption (IBE) schemes such as
described in [RFC6508]. As certificates are not needed, the need to
transmit or store them to authenticate each communication is
obviated. The algorithm has been developed by drawing on ideas set
out by Arazi [BA] and is originally based upon the Elliptic Curve
Digital Signature Algorithm [ECDSA], one of the most commonly used
signature algorithms.
The algorithm is for use in the following context:
* where there are two parties, a Signer and a Verifier;
* where short unambiguous Identifier strings are naturally
associated to each of these parties;
Groves Informational [Page 2]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* where a message is to be signed and then verified (e.g., for
authenticating the initiating party during an Identity-based
key establishment);
* where a common Key Management Service (KMS) provides a root of
trust for both parties.
The scheme does not rely on any web of trust between users.
Authentication is provided in a single simplex transmission without
per-session reference to any third party. Thus, the scheme is
particularly suitable in situations where the receiving party need
not be active (or even enrolled) when the message to be authenticated
is sent, or where the number of transmissions is to be minimized for
efficiency.
Instead of having a certificate, the Signer has an Identifier, to
which his Secret Signing Key (SSK) (see Section 2) will have been
cryptographically bound by means of a Public Validation Token (PVT)
(see Section 2) by the KMS. Unlike a traditional public key, this
PVT requires no further explicit certification.
The verification primitive within this scheme can be implemented
using projective representation of elliptic curve points, without
arithmetic field divisions, and without explicitly using the size of
the underlying cryptographic group.
1.1. Requirements Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Architecture
A KMS provisions key material for a set of communicating devices (a
"user community"). Each device within the user community MUST have
an Identifier (ID), which can be formed by its peers. These
Identifiers MUST be unique to devices (or users), and MAY change over
time. As such, all applications of this signature scheme MUST define
an unambiguous format for Identifiers. We consider the situation
where one device (the Signer) wishes to sign a message that it is
sending to another (the Verifier). Only the Signer's ID is used in
the signature scheme.
Groves Informational [Page 3]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
In advance, the KMS chooses its KMS Secret Authentication Key (KSAK),
which is the root of trust for all other key material in the scheme.
From this, the KMS derives the KMS Public Authentication Key (KPAK),
which all devices will require in order to verify signatures. This
will be the root of trust for verification.
Before verification of any signatures, members of the user community
are supplied with the KPAK. The supply of the KPAK MUST be
authenticated by the KMS, and this authentication MUST be verified by
each member of the user community. Confidentiality protection MAY
also be applied.
In the description of the algorithms in this document, it is assumed
that there is one KMS, one user community, and hence one KPAK.
Applications MAY support multiple KPAKs, and some KPAKs could in fact
be "private" to certain communities in certain circumstances. The
method for determining which KPAK to use (when more than one is
available) is out of scope.
The KMS generates and provisions key material for each device. It
MUST supply an SSK along with a PVT to all devices that are to send
signed messages. The mechanism by which these SSKs are provided MUST
be secure, as the security of the authentication provided by ECCSI
signatures is no stronger than the security of this supply channel.
Before using the supplied key material (SSK, KPAK) to form
signatures, the Sender MUST verify the key material (SSK) against the
root of trust (KPAK) and against its own ID and its PVT, using the
algorithm defined in Section 5.1.2.
During the signing process, once the Signer has formed its message,
it signs the message using its SSK. It transmits the Signature
(including the PVT), and MAY also transmit the message (in cases
where the message is not known to the Verifier). The Verifier MUST
then use the message, Signature, and Sender ID in verification
against the KPAK.
This document specifies
* an algorithm for creating a KPAK from a KSAK, for a given
elliptic curve;
* a format for transporting a KPAK;
* an algorithm for creating an SSK and a PVT from a Signer's ID,
using the KSAK;
Groves Informational [Page 4]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* an algorithm for verifying an SSK and a PVT against a Signer's
ID and KPAK;
* an algorithm for creating a Signature from a message, using a
Signer's ID with a matching SSK and PVT;
* a format for transporting a Signature;
* an algorithm for verifying a Signature for a message, using a
Signer's ID with the matching KPAK.
This document does not specify (but comments on)
* how to choose a valid and secure elliptic curve;
* which hash function to use;
* how to format a Signer's ID;
* how to format a message for signing;
* how to manage and install a KPAK;
* how to transport or install an SSK.
As used in [RFC6509], the elliptic curve and hash function are
specified in Section 2.1.1 of [RFC6509], the format of Identifiers is
specified in Section 3.2 of [RFC6509], and messages for signing are
formatted as specified in [RFC3830].
3. Notation
3.1. Arithmetic
ECCSI relies on elliptic curve arithmetic. If P and Q are two
elliptic curve points, their addition is denoted P + Q. Moreover,
the addition of P with itself k times is denoted [k]P.
F_p denotes the finite field of p elements, where p is prime. All
elliptic curve points will be defined over F_p.
The curve is defined by the equation y^2 = x^3 - 3*x + B modulo p,
where B is an element of F_p. Elliptic curve points, other than the
group identity (0), are represented in the format P = (Px,Py), where
Px and Py are the affine coordinates in F_p satisfying the above
equation. In particular, a point P = (Px,Py) is said to lie on an
elliptic curve if Py^2 - Px^3 + 3*Px - B = 0 modulo p. The identity
point 0 will require no representation.
Groves Informational [Page 5]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
3.2. Representations
This section provides canonical representations of values that MUST
be used to ensure interoperability of implementations. The following
representations MUST be used for input into hash functions and for
transmission. In this document, concatenation of octet strings s and
t is denoted s || t. The logarithm base 2 of a real number a is
denoted lg(a).
Integers Integers MUST be represented as an octet string,
with bit length a multiple of 8. To achieve this,
the integer is represented most significant bit
first, and padded with zero bits on the left until
an octet string of the necessary length is
obtained. This is the octet string representation
described in Section 6 of [RFC6090]. There will
be no need to represent negative integers. When
transmitted or hashed, such octet strings MUST
have length N = Ceiling(lg(p)/8).
F_p elements Elements of F_p MUST be represented as integers in
the range 0 to p-1 using the octet string
representation defined above. For use in ECCSI,
such octet strings MUST have length N =
Ceiling(lg(p)/8).
Points on E Elliptic curve points MUST be represented in
uncompressed form ("affine coordinates") as
defined in Section 2.2 of [RFC5480]. For an
elliptic curve point (x,y) with x and y in F_p,
this representation is given by 0x04 || x' || y',
where x' is the N-octet string representing x and
y' is the N-octet string representing y.
3.3. Format of Material
This section describes the subfields of the different objects used
within the protocol.
Signature = r || s || PVT where r and s are octet strings of length
N = Ceiling(lg(p)/8) representing
integers, and PVT is an octet string of
length 2N+1 representing an elliptic
curve point, yielding a total signature
length of 4N+1 octets. (Note that r and
Groves Informational [Page 6]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
s represent integers rather than elements
of F_p, and therefore it is possible that
either or both of them could equal or
exceed p.)
4. Parameters
4.1. Static Parameters
The following static parameters are fixed for each implementation.
They are not intended to change frequently, and MUST be specified for
each user community. Note that these parameters MAY be shared across
multiple KMSs.
n A security parameter; the size in bits of the
prime p over which elliptic curve cryptography
is to be performed.
N = Ceiling(n/8) The number of octets used to represent fields r
and s in a Signature. Also the number of
octets output by the hash function (see below).
p A prime number of size n bits. The finite
field with p elements is denoted F_p.
E An elliptic curve defined over F_p, having a
subgroup of prime order q.
B An element of F_p, where E is defined by the
formula y^2 = x^3 - 3*x + B modulo p.
G A point on the elliptic curve E that generates
the subgroup of order q.
q The prime q is defined to be the order of G in
E over F_p.
Hash A cryptographic hash function mapping arbitrary
strings to strings of N octets. If a, b, c,
... are strings, then hash( a || b || c || ...)
denotes the result obtained by hashing the
concatenation of these strings.
Identifiers The method for deriving user Identifiers. The
format of Identifiers MUST be specified by each
implementation. It MUST be possible for each
device to derive the Identifier for every
device with which it needs to communicate. In
Groves Informational [Page 7]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
this document, ID will denote the correctly
formatted Identifier string of the Signer.
ECCSI makes use of the Signer Identifier only,
though an implementation MAY make use of other
Identifiers when constructing the message to be
signed. Identifier formats MAY include a
timestamp to allow for automatic expiration of
key material.
It is RECOMMENDED that p, E, and G are chosen to be standardized
values. In particular, it is RECOMMENDED that the curves and base
points defined in [FIPS186-3] be used.
4.2. Community Parameters
The following community parameter MUST be supplied to devices each
time the root of trust is changed.
KPAK The KMS Public Authentication Key (KPAK) is the root of
trust for authentication. It is derived from the KSAK in
the KMS. This value MUST be provisioned in a trusted
fashion, such that each device that receives it has
assurance that it is the genuine KPAK belonging to its KMS.
Before use, each device MUST check that the supplied KPAK
lies on the elliptic curve E.
The KMS MUST fix the KPAK to be KPAK = [KSAK]G, where the KSAK MUST
be chosen to be a random secret non-zero integer modulo q. The value
of the KSAK MUST be kept secret to the KMS.
5. Algorithms
5.1. User Key Material
To create signatures, each Signer requires a Secret Signing Key (SSK)
and a Public Validation Token (PVT). The SSK is an integer, and the
PVT is an elliptic curve point. The SSK MUST be kept secret (to the
Signer and KMS), but the PVT need not be kept secret. A different
(SSK,PVT) pair will be needed for each Signer ID.
5.1.1. Algorithm for Constructing (SSK,PVT) Pair
The KMS constructs a (SSK,PVT) pair from the Signer's ID, the KMS
secret (KSAK), and the root of trust (KPAK). To do this, the KMS
MUST perform the following procedure:
Groves Informational [Page 8]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
1) Choose v, a random (ephemeral) non-zero element of F_q;
2) Compute PVT = [v]G (this MUST be represented canonically -- see
Section 3.2);
3) Compute a hash value HS = hash( G || KPAK || ID || PVT ),
an N-octet integer;
4) Compute SSK = ( KSAK + HS * v ) modulo q;
5) If either the SSK or HS is zero modulo q, the KMS MUST erase
the SSK and abort or restart the procedure with a fresh value
of v;
6) Output the (SSK,PVT) pair. The KMS MUST then erase the value
v.
The method for transporting the SSK to the legitimate Signer device
is out of scope for this document, but the SSK MUST be provisioned by
the KMS using a method that protects its confidentiality.
If necessary, the KMS MAY create multiple (SSK,PVT) pairs for the
same Identifier.
5.1.2. Algorithm for Validating a Received SSK
Every SSK MUST be validated before being installed as a signing key.
The Signer uses its ID and the KPAK to validate a received (SSK,PVT)
pair. To do this validation, the Signer MUST perform the following
procedure, passing all checks:
1) Validate that the PVT lies on the elliptic curve E;
2) Compute HS = hash( G || KPAK || ID || PVT ), an N-octet
integer. The integer HS SHOULD be stored with the SSK for
later use;
3) Validate that KPAK = [SSK]G - [HS]PVT.
5.2. Signatures
5.2.1. Algorithm for Signing
To sign a message (M), the Signer requires
* the KMS Public Authentication Key, KPAK;
* the Signer's own Identifier, ID;
Groves Informational [Page 9]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
* its Secret Signing Key, SSK;
* its Public Validation Token, PVT = (PVTx,PVTy).
These values, with the exception of ID, MUST have been provided by
the KMS. The value of ID is derived by the Signer using the
community-defined method for formatting Identifiers.
The following procedure MUST be used by the Signer to compute the
signature:
1) Choose a random (ephemeral) non-zero value j in F_q;
2) Compute J = [j]G (this MUST be represented canonically).
Viewing J in affine coordinates J = (Jx,Jy), assign to r the
N-octet integer representing Jx;
3) Recall (or recompute) HS, and use it to compute a hash value
HE = hash( HS || r || M );
4) Verify that HE + r * SSK is non-zero modulo q; if this check
fails, the Signer MUST abort or restart this procedure with a
fresh value of j;
5) Compute s' = ( (( HE + r * SSK )^-1) * j ) modulo q; the Signer
MUST then erase the value j;
6) If s' is too big to fit within an N-octet integer, then set the
N-octet integer s = q - s'; otherwise, set the N-octet integer
s = s' (note that since p is less than 2^n, by Hasse's theorem
on elliptic curves, q < 2^n + 2^(n/2 + 1) + 1. Therefore, if
s' > 2^n, we have q - s' < 2(n/2 + 1) + 1. Thus, s is
guaranteed to fit within an N-octet integer);
7) Output the signature as Signature = ( r || s || PVT ).
Note that step 6) is necessary because it is possible for q (and
hence for elements of F_q) to be too big to fit within N octets. The
Signer MAY instead elect to set s to be the least integer of s' and
q - s', represented in N octets.
5.2.2. Algorithm for Verifying
The algorithm provided assumes that the Verifier computes points on
elliptic curves using affine coordinates. However, the Verifier MAY
perform elliptic curve operations using any appropriate
representation of points that achieves the equivalent operations.
Groves Informational [Page 10]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
To verify a Signature ( r || s || PVT ) against a Signer's Identifier
(ID), a message (M), and a pre-installed root of trust (KPAK), the
Verifier MUST perform a procedure equivalent to the following:
1) The Verifier MUST check that the PVT lies on the elliptic
curve E;
2) Compute HS = hash( G || KPAK || ID || PVT );
3) Compute HE = hash( HS || r || M );
4) Y = [HS]PVT + KPAK;
5) Compute J = [s]( [HE]G + [r]Y );
6) Viewing J in affine coordinates (Jx,Jy), the Verifier MUST
check that Jx = r modulo p, and that Jx modulo p is non-zero,
before accepting the Signature as valid.
It is anticipated that the ID, message (M), and KPAK will be
implicitly understood due to context, but any of these values MAY
also be included in signaling.
Note that the parameter q is not needed during verification.
6. Security Considerations
The ECCSI cryptographic algorithm is based upon [ECDSA]. In fact,
step 5) in the verification algorithm above is the same as the
verification stage in ECDSA. The only difference between ECDSA and
ECCSI is that in ECCSI the 'public key', Y, is derived from the
Signer ID by the Verifier (whereas in ECDSA the public key is fixed).
It is therefore assumed that the security of ECCSI depends entirely
on the secrecy of the secret keys. In addition, to recover secret
keys, one will need to perform computationally intensive
cryptanalytic attacks.
The KSAK provides the security for each device provisioned by the
KMS. It MUST NOT be revealed to any entity other than the KMS that
holds it. Each user's SSK authenticates the user as being associated
with the ID to which the SSK is assigned by the KMS. This key MUST
NOT be revealed to any entity other than the KMS and the authorized
user.
The order of the base point G used in ECCSI MUST be a large prime q.
If k bits of symmetric security are needed, Ceiling(lg(q)) MUST be at
least 2*k.
Groves Informational [Page 11]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
It is RECOMMENDED that the curves and base points defined in
[FIPS186-3] be used, since these curves are suitable for
cryptographic use. However, if other curves are used, the security
of the curves MUST be assessed.
In order to ensure that the SSK is only received by an authorized
device, it MUST be provided through a secure channel. The strength
of the authentication offered by this signature scheme is no greater
than the security provided by this delivery channel.
Identifiers MUST be defined unambiguously by each application of
ECCSI. Note that it is not necessary to use a hash function to
compose an Identifier string. In this way, any weaknesses that might
otherwise be caused by collisions in hash functions can be avoided
without reliance on the structure of the Identifier format.
Applications of ECCSI MAY include a time/date component in their
Identifier format to ensure that Identifiers (and hence SSKs) are
only valid for a fixed period of time.
The use of the ephemeral value r in the hash HE significantly reduces
the scope for offline attacks, improving the overall security, as
compared to [ECDSA]. Furthermore, if Identifiers are specified to
contain date-stamps, then all Identifiers, SSKs, signatures, and hash
values will periodically become deprecated automatically, reducing
the need for revocation and other additional management methods.
The randomness of values stipulated to be selected at random, as
described in this document, is essential to the security provided by
ECCSI. If the value of the KSAK can be predicted, then any
signatures can be forged. Similarly, if the value of v used by the
KMS to create a user's SSK can be predicted, then the value of the
KSAK could be recovered, which would allow signatures to be forged.
If the value of j used by a user is predictable, then the value of
his SSK could be recovered. This would allow that user's signatures
to be forged. Guidance on the generation of random values for
security can be found in [RFC4086].
Note that in most instances, the value s in the Signature can be
replaced by q - s. Thus, the malleability of ECCSI signatures is
similar to that in [ECDSA]; malleability is available but also very
limited.
Groves Informational [Page 12]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
7. References
7.1. Normative References
[ECDSA] X9.62-2005, "Public Key Cryptography for the Financial
Services Industry: The Elliptic Curve Digital Signature
Algorithm (ECDSA)", November 2005.
[FIPS186-3] Federal Information Processing Standards Publication
(FIPS PUB) 186-3, "Digital Signature Standard (DSS)",
June 2009.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T.
Polk, "Elliptic Curve Cryptography Subject Public Key
Information", RFC 5480, March 2009.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental
Elliptic Curve Cryptography Algorithms", RFC 6090,
February 2011.
7.2. Informative References
[BA] Arazi, Benjamin, "Certification of DL/EC Keys", paper
submitted to P1363 meeting, August 1998,
<http://grouper.ieee.org/groups/1363/StudyGroup/
contributions/arazi.doc>.
[FIPS180-3] Federal Information Processing Standards Publication
(FIPS PUB) 180-3, "Secure Hash Standard (SHS)",
October 2008.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and
K. Norrman, "MIKEY: Multimedia Internet KEYing",
RFC 3830, August 2004.
[RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
"Randomness Requirements for Security", BCP 106,
RFC 4086, June 2005.
[RFC6508] Groves, M., "Sakai-Kasahara Key Encryption (SAKKE)",
RFC 6508, February 2012.
[RFC6509] Groves, M., "MIKEY-SAKKE: Sakai-Kasahara Key Encryption
in Multimedia Internet KEYing (MIKEY)", RFC 6509,
February 2012.
Groves Informational [Page 13]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
Appendix A. Test Data
This appendix provides test data built from the NIST P-256 curve and
base point. SHA-256 (as defined in [FIPS180-3]) is used as the hash
function. The keys and ephemerals -- KSAK, v, and j -- are arbitrary
and for illustration only.
// --------------------------------------------------------
// Global parameters
n := 256;
N := 32;
p := 0x FFFFFFFF 00000001 00000000 00000000
00000000 FFFFFFFF FFFFFFFF FFFFFFFF;
Hash := SHA-256;
// --------------------------------------------------------
// Community parameters
B := 0x 5AC635D8 AA3A93E7 B3EBBD55 769886BC
651D06B0 CC53B0F6 3BCE3C3E 27D2604B;
q := 0x FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
BCE6FAAD A7179E84 F3B9CAC2 FC632551;
G := 0x 04
6B17D1F2 E12C4247 F8BCE6E5 63A440F2
77037D81 2DEB33A0 F4A13945 D898C296
4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16
2BCE3357 6B315ECE CBB64068 37BF51F5;
KSAK := 0x 12345;
KPAK := 0x 04
50D4670B DE75244F 28D2838A 0D25558A
7A72686D 4522D4C8 273FB644 2AEBFA93
DBDD3755 1AFD263B 5DFD617F 3960C65A
8C298850 FF99F203 66DCE7D4 367217F4;
// --------------------------------------------------------
// Signer ID
ID := "2011-02\0tel:+447700900123\0",
= 0x 3230 31312D30 32007465 6C3A2B34
34373730 30393030 31323300;
Groves Informational [Page 14]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
// --------------------------------------------------------
// Creating SSK and PVT
v := 0x 23456;
PVT := 0x 04
758A1427 79BE89E8 29E71984 CB40EF75
8CC4AD77 5FC5B9A3 E1C8ED52 F6FA36D9
A79D2476 92F4EDA3 A6BDAB77 D6AA6474
A464AE49 34663C52 65BA7018 BA091F79;
HS := hash( 0x 04
6B17D1F2 E12C4247 F8BCE6E5 63A440F2
77037D81 2DEB33A0 F4A13945 D898C296
4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16
2BCE3357 6B315ECE CBB64068 37BF51F5
04
50D4670B DE75244F 28D2838A 0D25558A
7A72686D 4522D4C8 273FB644 2AEBFA93
DBDD3755 1AFD263B 5DFD617F 3960C65A
8C298850 FF99F203 66DCE7D4 367217F4
32303131 2D303200 74656C3A 2B343437
37303039 30303132 3300
04
758A1427 79BE89E8 29E71984 CB40EF75
8CC4AD77 5FC5B9A3 E1C8ED52 F6FA36D9
A79D2476 92F4EDA3 A6BDAB77 D6AA6474
A464AE49 34663C52 65BA7018 BA091F79 ),
= 0x 490F3FEB BC1C902F 6289723D 7F8CBF79
DB889308 49D19F38 F0295B5C 276C14D1;
SSK := 0x 23F374AE 1F4033F3 E9DBDDAA EF20F4CF
0B86BBD5 A138A5AE 9E7E006B 34489A0D;
// --------------------------------------------------------
// Creating a Signature
M := "message\0",
= 0x 6D657373 61676500;
j := 0x 34567;
Groves Informational [Page 15]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
J := 0x 04
269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81
6DDA6A13 10F4B067 BD5DABDA D741B7CE
F36457E1 96B1BFA9 7FD5F8FB B3926ADB;
r := 0x 269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81;
HE := hash( 0x
490F3FEB BC1C902F 6289723D 7F8CBF79
DB889308 49D19F38 F0295B5C 276C14D1
269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81
6D657373 61676500 ),
= 0x 111F90EA E8271C96 DF9B3D67 26768D9E
E9B18145 D7EC152C FA9C23D1 C4F02285;
s' := 0x E09B528D 0EF8D6DF 1AA3ECBF 80110CFC
EC9FC682 52CEBB67 9F413484 6940CCFD;
s := 0x E09B528D 0EF8D6DF 1AA3ECBF 80110CFC
EC9FC682 52CEBB67 9F413484 6940CCFD;
Sig := 0x 269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81
E09B528D 0EF8D6DF 1AA3ECBF 80110CFC
EC9FC682 52CEBB67 9F413484 6940CCFD
04
758A1427 79BE89E8 29E71984 CB40EF75
8CC4AD77 5FC5B9A3 E1C8ED52 F6FA36D9
A79D2476 92F4EDA3 A6BDAB77 D6AA6474
A464AE49 34663C52 65BA7018 BA091F79;
// --------------------------------------------------------
// Verifying a Signature
Y := 0x 04
833898D9 39C0013B B0502728 6F95CCE0
37C11BD2 5799423C 76E48362 A4959978
95D0473A 1CD6186E E9F0C104 B472499E
1A24D6CE 3D85173F 02EBBD94 5C25F604;
Groves Informational [Page 16]
^L
RFC 6507 ECCSI for Identity-Based Encryption February 2012
J := 0x 04
269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81
6DDA6A13 10F4B067 BD5DABDA D741B7CE
F36457E1 96B1BFA9 7FD5F8FB B3926ADB;
Jx := 0x 269D4C8F DEB66A74 E4EF8C0D 5DCC597D
DFE6029C 2AFFC493 6008CD2C C1045D81;
Jx = r modulo p
// --------------------------------------------------------
Author's Address
Michael Groves
CESG
Hubble Road
Cheltenham
GL51 8HJ
UK
EMail: Michael.Groves@cesg.gsi.gov.uk
Groves Informational [Page 17]
^L
|
