Efficient Certificateless Signcryption Tag-KEMs for Resource-constrained Devices
Wenhao Liu, Maurizio Adriano Strangio and Shengbao Wang

Hangzhou Normal University, School of Information Sciences and Engineering, Hangzhou, Zhejiang, China
University of Rome “Roma Tre”, Department of Mathematics and Physics, Rome, Italy
Abstract.
Efficient certificateless one-pass session key establishment protocols can be constructed from key encapsulation mechanisms (KEMs) by making use of tags and signcryption schemes. The resulting primitives are referred to as Certificateless Signcryption Tag Key Encapsulation Mechanisms (CLSC-TKEMs). In this paper we propose two novel CLSC-TKEM protocols: the first, named LSW-CLSC-TKEM, makes use of the signature scheme of Liu et al.; the second, named DKTUTS-CLSC-TKEM, is based on the direct key transport using a timestamp (DKTUTS) protocol first described by Zheng. In order to achieve greater efficiency both schemes are instantiated on elliptic curves without making use of pairings and are therefore good candidates for deployment on resource-constrained devices.
Certificateless cryptography (CLC), introduced by Al-Riyami and Paterson [1], does not require a public-key infrastructure (PKI) for digital certificate management and does not suffer from the inherent key escrow feature of identity-based cryptography (IBC). A certificateless scheme continues to make use of a trusted third party known as the key generating center (KGC) which, as opposed to IBC, does not have access to the user's private key. In the CLC setting user private keys are constructed from two partial secrets: one generated by the KGC from the user's identity and a secret master key, and a secret value chosen by the user itself. The scheme is not identity-based, because the public key is no longer exclusively computable from a user's identity. When Alice wants to send a message to Bob using a certificateless scheme, she must obtain Bob's public key. However, no authentication of Bob's public key is necessary and no certificate is required (as would normally be the case with a PKI).

The generation of a cryptographic secret key and its encryption with a public key encryption scheme is generally known as a key encapsulation mechanism (KEM). Further encrypting a message with the secret key and a symmetric key encryption scheme is known as a data encryption mechanism (DEM). In general, the resulting KEM-DEM schemes combine the advantages of both symmetric and asymmetric cryptographic techniques, thus giving rise to secure and efficient hybrid public key encryption schemes [2,3]. Efficient one-pass session key establishment protocols [4] can be constructed from KEMs by making use of tags [5] and signcryption schemes [6] appropriately instantiated in the CLC setting. The resulting primitives are referred to as Certificateless Signcryption Tag Key Encapsulation Mechanisms (CLSC-TKEMs).
The use of a signcryption scheme brings additional important security properties, such as user (sender) non-repudiation, which derive from the use of a digital signature scheme.

In this paper we propose two CLSC-TKEM protocols. The first, named LSW-CLSC-TKEM, makes use of the signature scheme of Liu et al. [7]; the second, named DKTUTS-CLSC-TKEM, is based on the direct key transport using a timestamp (DKTUTS) protocol described in [8]. In order to achieve greater efficiency both schemes can be instantiated on elliptic curves without making use of pairings and are therefore ideal candidates for deployment on resource-constrained devices.
In recent work, Jongho Won et al. [9] proposed an efficient CLSC-TKEM protocol (eCLSC-TKEM) for securing communications between drones and smart objects. According to the authors, the protocol supports authenticated key agreement, non-repudiation and user revocation, and significantly reduces the time required to establish a shared key between a drone and a smart object by minimizing the computational overhead on the smart object (since the protocol does not make use of pairings). A problem with this protocol possibly stems from the user revocation technique introduced by the authors, which allows expiration of user partial private keys and therefore requires the KGC to subsequently reissue a key and distribute it to the user. Much like the aforementioned protocol, the CLSC-TKEM scheme of Seo et al. [10] is also inefficient from the computational perspective if the target recipient is a low-power resource-limited device. In [11] the authors propose a generic architecture for a CLSC-TKEM that is based on a true random number generator (TRNG) to produce secure cryptographic secret keys for a KEM/DEM scheme.
We refer to the framework of Signcryption Tag-KEMs (SC-TKEM) introduced by Bjorstad and Dent [12] and extend it to the CLC setting. A CLSC-TKEM is defined as the tuple of six algorithms described below:

1. Setup: A probabilistic common parameter generation algorithm that takes as input a security parameter k and returns all the global system parameters Ω needed by users of the scheme, such as the choice of groups or hash functions. The algorithm also outputs the private/public key pair (sk_KGC, pk_KGC) of the KGC.
2. PartialPrivateKeyExtract: A probabilistic key generation algorithm that takes as input the identity ID_E of a generic entity E and Ω, and outputs the partial private key d_E of E. This algorithm is generally run by the KGC, which must thereafter deliver the partial private key d_E to E through a secure channel.
3. GenUserKeys: A probabilistic key generation algorithm that takes as input Ω and generates the private/public key pair (x_E, P_E) of entity E. Entity E sets sk_E = (x_E, d_E) as its full private key.
4. SymmetricKeyGen: A probabilistic symmetric key generation algorithm that takes as input the public key pk_B of the recipient entity B and outputs the symmetric key K and internal state information ω.
5. Encapsulation: A probabilistic key encapsulation algorithm that receives as input the state information ω, an arbitrary tag τ and the full private key sk_A of the sender A, and returns an encapsulation φ.
6. Decapsulation: A deterministic decapsulation/verification algorithm that takes as input the public key pk_A of the sender A, the full private key sk_B of the recipient, an encapsulation φ and a tag τ, and returns either the symmetric key K or the unique error symbol ⊥.

For the CLSC-TKEM to be sound, the decapsulation/verification algorithm must return the correct key K whenever the encapsulation φ is correctly formed and the corresponding keys and tag are supplied.

The LSW-CLSC-TKEM protocol, based on the signature scheme of Liu et al. [7], is completely specified by the six polynomial-time algorithms below:

1. Setup: On input the security parameter k ∈ Z^+, the KGC returns the system parameters Ω (see below) and the KGC's master private key x_msk. The KGC performs the following steps:
   – Chooses a k-bit prime q, generates a cyclic additive group G_1 and a cyclic multiplicative group G_2, both of order q, and defines the tuple ⟨F_q, E/F_q, G_1, G_2, P⟩, with P a generator of G_1.
   – Chooses the master key x_msk ∈_R Z_q^* uniformly at random and computes the system public key P_pub = x_msk P.
   – Chooses the cryptographic hash functions H_1: {0,1}^* × G_1 → Z_q^*, H_2: {0,1}^* → Z_q^* and H_3: {0,1}^* → {0,1}^*.
   – Publishes the global system parameters Ω = ⟨F_q, E/F_q, G_1, G_2, P, P_pub, H_1, H_2, H_3⟩.
2. PartialPrivateKeyExtract: For entity A with identity ID_A, the KGC chooses r_A ∈_R Z_q^*, computes R_A = r_A P, h_A = H_1(ID_A, R_A) and d_A = r_A + x_msk h_A mod q, and delivers the partial private key d_A to user ID_A through a secret channel. Entity A can validate her key by verifying that d_A P = R_A + h_A P_pub.
3. GenUserKeys: Entity A with identity ID_A chooses x_A ∈_R Z_q^* as its secret value and generates the corresponding public key P_A = x_A P. Entity A sets sk_A = (x_A, d_A) as its full private key and pk_A = (P_A, R_A) as its full public key.
4. SymmetricKeyGen: Given the sender identity ID_A, the receiver identity ID_B and the full public key pk_B as inputs, entity A (the sender) proceeds as follows:
   – Chooses u_A ∈_R Z_q^* and computes U = u_A (R_B + H_1(ID_B, R_B) P_pub + P_B);
   – Computes X = u_A P and K = H_3(X, U, ID_A, ID_B);
   – Outputs K and ω = (u_A, ID_A, sk_A, ID_B, pk_B, X, U).
5. Encapsulation: On input ω, an arbitrary tag τ and the full private key sk_A, entity A obtains the encapsulation φ by performing the following operations:
   – Selects a ∈_R Z_q^* and computes Q = aP;
   – Computes h = H_2(τ, ID_A, ID_B, R_A, R_B, P_A, P_B, Q, X, U);
   – Computes s = a / (h x_A + d_A) mod q;
   – Sets σ = (s, h) and outputs φ = ⟨Q, U, σ⟩.
6. Decapsulation: On input the encapsulation φ, the tag τ, the sender's identity ID_A and full public key pk_A, the receiver's identity ID_B and full private key sk_B, the recipient entity B performs the following operations:
   – Computes (d_B + x_B)^{-1} · U = u_A P = X;
   – Computes h = H_2(τ, ID_A, ID_B, R_A, R_B, P_A, P_B, Q, X, U);
   – If s (h P_A + R_A + H_1(ID_A, R_A) P_pub) ≠ Q, returns the invalid encapsulation error ⊥;
   – Otherwise, accepts the key K = H_3(X, U, ID_A, ID_B).

The correctness of the protocol is established as follows:

  s (h P_A + R_A + H_1(ID_A, R_A) P_pub)
    = a (h x_A + d_A)^{-1} (h P_A + R_A + h_A P_pub)
    = a (h x_A + d_A)^{-1} (h x_A P + r_A P + h_A x_msk P)
    = a (h x_A + d_A)^{-1} (h x_A + r_A + h_A x_msk) P
    = a (h x_A + d_A)^{-1} (h x_A + d_A) P
    = aP = Q

The DKTUTS-CLSC-TKEM protocol, based on the direct key transport using a timestamp (DKTUTS) protocol described in [8], is completely specified by the six polynomial-time algorithms below:
1. Setup: On input the security parameter k ∈ Z^+, the KGC returns two system parameters: Ω and the KGC's master private key x_msk. The KGC performs the following steps:
   – Chooses a k-bit prime q, generates a cyclic additive group G_1 and a cyclic multiplicative group G_2, both of order q, and determines the tuple ⟨F_q, E/F_q, G_1, G_2, P⟩, with P a generator of G_1.
   – Chooses the master key x_msk ∈_R Z_q^* uniformly at random and computes the system public key P_pub = x_msk P.
   – Chooses the cryptographic hash functions H_1: {0,1}^* × G_1 → Z_q^*, H_2: Z_q^* → {0,1}^* and a keyed hash function F_K: {0,1}^* → {0,1}^*;
   – Chooses the symmetric encryption scheme (E_K(·), D_K(·));
   – Publishes the global system parameters Ω = ⟨F_q, E/F_q, G_1, G_2, P, P_pub, H_1, H_2, F, E, D⟩.
2. PartialPrivateKeyExtract: For entity A with identity ID_A, the KGC chooses r_A ∈_R Z_q^*, computes R_A = r_A P, h_A = H_1(ID_A, R_A) and d_A = r_A + x_msk h_A mod q, and delivers the partial private key d_A to user ID_A through a secret channel. Entity A can validate her key by verifying that d_A P = R_A + h_A P_pub.
3. GenUserKeys: Entity A with identity ID_A chooses x_A ∈_R Z_q^* as its secret value and generates the corresponding public key P_A = x_A P. Entity A sets sk_A = (x_A, d_A) as its full private key and pk_A = (P_A, R_A) as its full public key.
4. SymmetricKeyGen: Given the sender identity ID_A, the receiver identity ID_B and the full public key pk_B as input, the sender proceeds as follows:
   – Chooses K ∈_R {0,1}^{l_k} and x, a ∈_R Z_q^*;
   – Computes U = aP and X = x (R_B + H_1(ID_B, R_B) P_pub + P_B);
   – Computes (k_1, k_2) = H_2(X + U);
   – Outputs K and ω = (x, k_1, k_2, TS, ID_A, ID_B, pk_B, X, U), where TS is a suitably defined timestamp.
5. Encapsulation: On input ω, an arbitrary tag τ and the full private key sk_A, entity A obtains the encapsulation φ by performing the following computations:
   – Computes c = E_{k_1}(K, TS, τ, ID_A, ID_B, R_A, R_B, P_A, P_B, X, U), r = F_{k_2}(K, TS, τ, ID_A, ID_B, R_A, R_B, P_A, P_B, X, U) and s = x / (r + x_A) mod q;
   – Outputs φ = ⟨U, c, r, s⟩.
6. Decapsulation: On input the encapsulation φ, the tag τ, the sender's identity ID_A and full public key pk_A, the receiver's identity ID_B and full private key sk_B, the recipient entity B performs the following computations:
   – Computes X' = s (d_B + x_B)(P_A + rP) and (k_1, k_2) = H_2(X' + U);
   – Computes (K, TS, τ, ID_A, ID_B, R_A, R_B, P_A, P_B, X, U') = D_{k_1}(c) and r' = F_{k_2}(K, TS, τ, ID_A, ID_B, R_A, R_B, P_A, P_B, X, U');
   – If TS is not fresh, or U ≠ U', or X' ≠ X, or r' ≠ r, returns the invalid encapsulation error ⊥;
   – Otherwise, accepts the key K.

The correctness of the protocol is established as follows:

  s (d_B + x_B)(P_A + rP)
    = s d_B (P_A + rP) + s x_B (P_A + rP)
    = s (x_A d_B P + r d_B P) + s (x_A x_B P + r x_B P)
    = s (x_A + r) d_B P + s (x_A + r) P_B
    = x d_B P + x P_B
    = x (d_B P + P_B) = X

In this section we compare four CLSC-TKEM protocols from two perspectives: computational load and security properties. Tables 1 and 2 summarize the computational cost of the sender and recipient principals respectively. The features that are taken into account are: a) online and offline exponentiations, where the former refers to operations performed during running instances of the protocols, while the latter refers to the pre-computation of values that can be performed before protocol execution (this data must be safely stored in the sender device); b) field inversions (fld inv.); c) field multiplications (fld mult.); and d) decryption operations with a symmetric cipher.

Table 3 summarizes the security properties of the same CLSC-TKEM protocols considered above. The security properties that are taken into account are: a) sender partial forward secrecy (sPFS); b) user authentication (sender); c) non-repudiation (sender); d) user revocation; e) security proof, indicating whether a formal security proof exists for the protocol.

All protocols considered in Table 3 fail to guarantee forward secrecy (FS). For these typical one-pass key transport schemes, where the recipient does not contribute to the computation of the session key, the appropriate notion is that of partial forward secrecy (PFS), i.e. compromise of the long-term keys of one or more specific principals does not compromise the session keys established in previous protocol runs involving those principals [13]. In particular, for the protocols we are discussing it makes sense to consider sender partial forward secrecy [4] (with respect to a passive adversary that can corrupt peers to obtain long-term keying material such as the private key, and that does not modify protocol messages in transit through the network).

Table 1. Computational efficiency of CLSC-TKEM protocols - sender

Protocol            online exp.  offline exp.  fld inv.  fld mult.  encryption
CLSC-TKEM [10]      2EM          0EM           0         2          0
eCLSC-TKEM [9]      4EM          2EM           0         0          0
LSW-CLSC-TKEM       3EM          0EM           1         2          0
DKTUTS-CLSC-TKEM    2EM          0EM           1         1          1

Table 2. Computational efficiency of CLSC-TKEM protocols - recipient

Protocol            online exp.  offline exp.  fld inv.  fld mult.  decryption
CLSC-TKEM [10]      5EM          3EM           0         0          0
eCLSC-TKEM [9]      4EM          2EM           0         0          0
LSW-CLSC-TKEM       3EM          0EM           1         0          0
DKTUTS-CLSC-TKEM    2EM          0EM           0         1          1
Table 3. Security properties of CLSC-TKEM protocols

Protocol            sPFS  user auth.  non-repud.  user revoc.  sec. proof
CLSC-TKEM [10]      yes   yes         yes         no           yes
eCLSC-TKEM [9]      yes   yes         yes         yes          yes
LSW-CLSC-TKEM       yes   yes         yes         no           no
DKTUTS-CLSC-TKEM    yes   yes         yes         no           no
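To make the LSW-CLSC-TKEM algorithms specified above concrete, here is an added example (our own, not code from the paper) that runs Setup, PartialPrivateKeyExtract, GenUserKeys, SymmetricKeyGen, Encapsulation and Decapsulation end to end and exercises the ⊥ path. For brevity it assumes a small prime-order subgroup of Z_p^* written multiplicatively in place of the elliptic-curve group G_1, uses SHA-256 reduced into Z_q^* for H_1, H_2 and H_3, and the parameters and identities are constructed for the demonstration.

```python
# Added example, not the paper's code: LSW-CLSC-TKEM end to end over a toy group.
# Assumption: G_1 is the q-order subgroup of Z_p^* written multiplicatively (g**x
# plays the role of xP, a*b of P + Q); H_1, H_2, H_3 are SHA-256 reduced to Z_q^*.
import hashlib, secrets

p, q, g = 2039, 1019, 4          # constructed: p = 2q + 1, g = 2^2 has order q

def H(*parts):
    """Hash ints/strings into Z_q^* (stands in for H_1, H_2 and H_3)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def rand_zq():
    return secrets.randbelow(q - 1) + 1          # uniform element of Z_q^*

def keygen(x_msk, P_pub, ident):    # PartialPrivateKeyExtract + GenUserKeys
    r = rand_zq()
    R = pow(g, r, p)
    d = (r + x_msk * H(ident, R)) % q            # partial private key from KGC
    assert pow(g, d, p) == R * pow(P_pub, H(ident, R), p) % p   # d P = R + h P_pub
    x = rand_zq()
    while (x + d) % q == 0:                      # keep d + x invertible (recipient)
        x = rand_zq()
    return (x, d), (pow(g, x, p), R)             # sk = (x, d), pk = (P, R)

def symmetric_key_gen(P_pub, idA, idB, pkB):     # SymmetricKeyGen (sender side)
    (PB, RB), u = pkB, rand_zq()
    Y = RB * pow(P_pub, H(idB, RB), p) * PB % p  # R_B + H_1(ID_B,R_B) P_pub + P_B
    X, U = pow(g, u, p), pow(Y, u, p)            # X = uP, U = u * Y
    return H(X, U, idA, idB), (X, U)             # K and the state omega

def encapsulate(P_pub, state, tag, idA, skA, pkA, idB, pkB):
    (X, U), (xA, dA), (PA, RA), (PB, RB) = state, skA, pkA, pkB
    denom = 0
    while not denom:                             # resample a if h x_A + d_A = 0
        a = rand_zq()
        Q = pow(g, a, p)
        h = H(tag, idA, idB, RA, RB, PA, PB, Q, X, U)
        denom = (h * xA + dA) % q
    s = a * pow(denom, -1, q) % q                # s = a / (h x_A + d_A) mod q
    return Q, U, (s, h)                          # phi = <Q, U, sigma>

def decapsulate(P_pub, phi, tag, idA, pkA, idB, skB, pkB):
    (Q, U, (s, _h)), (xB, dB), (PA, RA), (PB, RB) = phi, skB, pkA, pkB
    X = pow(U, pow((dB + xB) % q, -1, q), p)     # (d_B + x_B)^-1 U = uP = X
    h = H(tag, idA, idB, RA, RB, PA, PB, Q, X, U)
    V = pow(PA, h, p) * RA * pow(P_pub, H(idA, RA), p) % p
    if pow(V, s, p) != Q:                        # s(h P_A + R_A + h_A P_pub) != Q
        return None                              # bottom: wrong tag or signature
    return H(X, U, idA, idB)

def run(tag="session-tag", recv_tag=None):       # returns (sender K, recipient K)
    x_msk = rand_zq()                            # Setup: master key, P_pub = x_msk P
    P_pub = pow(g, x_msk, p)
    skA, pkA = keygen(x_msk, P_pub, "alice")
    skB, pkB = keygen(x_msk, P_pub, "bob")
    K, state = symmetric_key_gen(P_pub, "alice", "bob", pkB)
    phi = encapsulate(P_pub, state, tag, "alice", skA, pkA, "bob", pkB)
    return K, decapsulate(P_pub, phi, recv_tag or tag, "alice", pkA, "bob", skB, pkB)
```

When the recipient recomputes h over a tag different from the one the sender used, the signature check fails and Decapsulation returns ⊥ (None here), which is the tag binding the scheme relies on.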
In this paper we have addressed the problem, introduced by [9], of ensuring that drones can perform secure communications with many different smart objects, such as sensors and embedded devices. The authors of [9] propose a Certificateless Signcryption Tag Key Encapsulation Mechanism (eCLSC-TKEM) that minimizes the computational load on the receiving resource-constrained mobile device. We have proposed two constructions that achieve better performance in terms of the computational overhead required by the recipient.

However, resource-constrained devices are often more susceptible to private key exposure; therefore forward secrecy (of the recipient) may indeed be a desirable security property for the above protocols. Depending on the target application, when forward secrecy is necessary a possible option is to employ two-pass key agreement protocols at the expense of a greater computational cost for the recipient (the protocols described in this paper can be modified into equivalent key agreement versions). Another possibility for mitigating the consequences of user corruption by an adversary is to use a key evolving mechanism, so that keys are updated periodically and thus damage is limited to the period of validity of the exposed key [14].
References

1. S.S. Al-Riyami and K.G. Paterson, Certificateless public key cryptography, Advances in Cryptology - ASIACRYPT 2003, LNCS 2894, pp. 452-474, Springer-Verlag, 2003
2. J. Herranz, D. Hofheinz, E. Kiltz, KEM/DEM: Necessary and Sufficient Conditions for Secure Hybrid Encryption, Cryptology ePrint Archive, Report 2006/265, https://eprint.iacr.org/2006/265.pdf, 2006
3. A. W. Dent, A Designer's Guide to KEMs, Cryptology ePrint Archive, Report 2002/174, https://eprint.iacr.org/2002/174.pdf, 2002
4. M.C. Gorantla, C. Boyd and J.M. Gonzalez Nieto, On the Connection between Signcryption and One-pass Key Establishment, IMA Conference on Cryptography and Coding, 2007
5. M. Abe, R. Gennaro, K. Kurosawa and V. Shoup, Tag-KEM/DEM: A New Framework for Hybrid Encryption and New Analysis of Kurosawa-Desmedt KEM, EUROCRYPT 2005, LNCS 3494, pp. 128-146, 2005
6. Y. Zheng, Digital signcryption or how to achieve Cost(Signature & Encryption) ≪ Cost(Signature) + Cost(Encryption), Advances in Cryptology - CRYPTO '97, LNCS 1294, pp. 165-179, Springer-Verlag, 1997
7. W. Liu, Q. Xie, S. Wang, L. Han, and B. Hu, Pairing-Free Certificateless Signature with Security Proof, Hindawi Publishing Corporation, Journal of Computer Networks and Communications, Volume 2014, Article ID 792063, 2014
8. Y. Zheng, Shortened Digital Signature, Signcryption and Compact and Unforgeable Key Agreement Schemes, Tech. Report, http://grouper.ieee.org/groups/1363/StudyGroup/Hybrid.html, A submission to IEEE P1363 Standard Specifications for Public Key Cryptography, 1998
9. Jongho Won, Seung-Hyun Seo and Elisa Bertino, A Secure Communication Protocol for Drones and Smart Objects, Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security (ASIA CCS '15), pp. 249-260, 2015
10. S. Seo and E. Bertino, Elliptic curve cryptography based certificateless hybrid signcryption scheme without pairing
11. TRNG Based Key Generation for Certificateless Signcryption, International Conference on Computer Engineering and Information Technology, 2015
12. T. E. Bjorstad and A. W. Dent, Building better Signcryption Schemes with Tag-KEMs, Cryptology ePrint Archive, Report 2005/405, https://eprint.iacr.org/2005/405.pdf, 2005
13. C. Boyd and A. Mathuria, Protocols for Authentication and Key Establishment, Springer-Verlag, 2003
14. M. Franklin, A Survey of Key Evolving Cryptosystems, Int. J. Security and Networks, Vol. 1, Nos. 1/2, 2006
15. M. Abe, R. Gennaro, and K. Kurosawa, Tag-KEM/DEM: a new framework for hybrid encryption, Journal of Cryptology, Vol. 21, No. 1, pp. 97-130, 2008
16. F. Li, M. Shirase, T. Takagi, Certificateless Hybrid Signcryption