TESS: A security system based on discrete exponentiation
Thomas Beth*, Fritz Bauspieß†, Hans-Joachim Knobloch* and Steffen Stempel*
The exponential security system TESS is a toolbox-like system of different but cooperating cryptographic mechanisms and functions based on the primitive of discrete exponentiation. With these basic TESS functions, the security system user is able to adapt to very different ranges of applications and security requirements for computer systems, networks, mobile communication, identification, electronic cash, and medical or road privacy. This paper describes the basic mechanisms and functions of TESS, demonstrating their suitability to applications in network security and electronic signature. For practitioners, an overview of the implementation of the system is given.
Keywords: network security, authentication, encryption, digital signature, zero-knowledge identification
PROPERTIES OF DISCRETE EXPONENTIATION
Discrete exponentiation has been used as a primitive for asymmetric cryptography from the beginning [1]. It is the n-fold composition of an element α with itself in a finite group G (here written multiplicatively):

$n \mapsto \alpha^n = \underbrace{\alpha \cdot \alpha \cdots \alpha}_{n \text{ times}}$

where α^0 is defined as the neutral element of G.
One-way property
A very naive way to compute α^n would be to perform the n − 1 group operations of the definition. However, since the group operation is associative, it is always possible to use the well-known 'square & multiply' algorithm [2], which needs O(log n) group operations to compute α^n. For a general n this means an average effort (number of group operations) of:

$O(\log |G|)$

The inverse of the discrete exponentiation, the discrete logarithm problem (DLOG), is in general much harder to compute. Although there is unfortunately no proven nontrivial lower complexity bound for the discrete logarithm problem, the asymptotic running time of the best known algorithms for computing discrete logarithms in any group, like the 'Giant step-Baby step' algorithm or Pollard's ρ-method [3], is:

As we will see in the next section, there are better algorithms for specific groups, where additional structure can be exploited. In these cases, the average effort of the algorithms is superpolynomial, even though subexponential in |G|. It can therefore be stated that for all practical purposes, discrete exponentiation is a one-way function (i.e. a function whose inverse is infeasible to compute), provided the underlying group is large enough. In practical cases, a group of a few hundred bits provides the effect that a discrete exponentiation can be computed in a relatively short time (i.e. in the order of milliseconds or seconds), whereas computing a discrete logarithm would require the same resources for at least a few years. This is the property on which the security of discrete exponentiation cryptosystems relies.
*European Institute for System Security (EISS), Universität Karlsruhe, Am Fasanengarten 5, D-76128 Karlsruhe, Germany (Email: knobloch@ira.uka.de)
†Competence Center Informatik GmbH, Lohberg 10, D-49716 Meppen, Germany (Email: bauspies@asterix.cci.de)

Commutativity and homomorphism property
A direct consequence of the definition is the commutativity in the exponent:
0140-3664/94/07/0466-10 © 1994 Butterworth-Heinemann Ltd. Computer Communications volume 17 number 7 July 1994
TESS: A security system based on discrete exponentiation: T Beth et al.
The well-known Diffie-Hellman protocol is based on this commutativity. Furthermore, the discrete exponentiation in G fulfils the homomorphism property:

$\alpha^{x+b} = \alpha^{x} \cdot \alpha^{b}$
If, in addition to this property, G is cyclic and α a generator of G, it is possible to test the validity of an equation in (Z_{|G|}, +, ·), the ring of integers modulo the group order of G, by checking an equation in G (as an example, see the ElGamal signature given later). These are the two basic properties which are exploited by all asymmetric cryptosystems based on discrete exponentiation which are mentioned in this paper.
DISCRETE EXPONENTIATION IN SPECIFIC GROUPS

Multiplicative group of a prime field
Historically, the first group proposed as a basis for an asymmetric cryptosystem [1] was the multiplicative group Z_p^* of integers modulo a prime number p (which is the multiplicative group of a finite field GF(p)). The basic operation in this group is integer multiplication modulo a prime number. Since this operation can be performed relatively efficiently using the 32- or 64-bit integer multiplication instruction provided by modern workstation CPUs, Z_p^* is still considered to be a good choice for software implementations. Another fact which makes Z_p^* attractive as a basis for an implementation is that several cryptosystems also need operations in Z_{|G|}, i.e. integer computations in the exponent. Thus, modular integer arithmetic has to be provided in any case. The asymptotic running time of the best known algorithm for computing discrete logarithms in GF(p) is estimated to be of the order of [4]:

$O\left(e^{c\sqrt{\log p \cdot \log\log p}}\right)$

This is superpolynomial, i.e. growing faster than any polynomial in log p. Depending upon the security requirements and the intended lifetime of a system, the length of p should be chosen to be at least 512-1024 bits to provide sufficient security.

Multiplicative group of an extension field
The natural direction in the search for further suitable groups as the basis for discrete exponentiation cryptosystems was to go from prime fields GF(p) to finite extension fields GF(p^n), which can be constructed from polynomials over GF(p). Only recently, an algorithm has been discovered [5] to solve the DLOG problem in any such field with asymptotic running time:

$O\left(e^{c\sqrt[3]{\log p\,(\log\log p)^2}}\right)$

There are several ways of representing the elements of GF(p^n), most notably in 'polynomial bases' and 'normal bases'. In polynomial basis representation, a multiplication in GF(p^n) can be defined as the multiplication of two polynomials over GF(p) modulo a certain other polynomial. For the special case of GF(2^n), highly efficient hardware realizations are possible for both representations [6-8]. Unfortunately, the same properties of GF(2^n) that allow for more efficient implementations allow for slightly more efficient DLOG computation, with average running time [9]:

$O(e^{\cdots})$

still being superpolynomial. However, the efficiency of the implementation can outweigh the slightly larger parameter size which is necessary for an adequate level of security.

Elliptic curve groups
All the aforementioned subexponential DLOG algorithms make use of the fact that the group G is the multiplicative group of a field and exploit the field structure [10]. Groups G in another presentation may present a more difficult DLOG problem, and thus a significantly smaller group size can be chosen, reducing the necessary memory space and computing time. This can be especially important for small handheld tokens and the like. The first such group proposed used the points on an elliptic curve over a finite field together with a natural group operation based on the special geometry [11, 12]. An elliptic curve is the set of points (x, y) ∈ GF(p^n) × GF(p^n) which satisfy an equation of the form:

$y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$

The values a_i are parameters of the curve. For some values of these parameters [13], computing DLOGs on the curve can be reduced to the computation of DLOGs in moderately sized extensions of GF(p^n); for others [14] the best known DLOG algorithms are those for general finite groups. Thus, the size of the group can be reduced to an order between 2^128 and 2^160, providing the same security as those for GF(p) of 500 bits and above.

Subgroups
Another class of groups for which there are no better algorithms known than the general ones can be found as subgroups of any of the aforementioned groups. In particular, subgroups of the multiplicative groups of finite fields can be attacked by either computing DLOG in the whole field or by considering the subgroup without the additional field structure. So it is possible
to use a subgroup with an order between 2^128 and 2^160 of the multiplicative group of a finite field with a size between 2^512 and 2^1024 to balance the estimated effort for both attacks [15, 16]. Indeed, relatively high security estimates for the small subgroups can be derived from the lower bound for the large groups mentioned earlier. Furthermore, for some cryptosystems it will be necessary that Z_{|G|} is not only a ring but a prime field, which can easily be accomplished by using a prime order subgroup of another group.
Further groups
Since the 'Giant step-Baby step' algorithm works for any finite group, a further reduction in size below |G| ≈ 2^128 cannot be suggested to provide a security level at least comparable to that of DES. However, it remains an open problem to find groups with a proven hard DLOG problem, in which the group operation can be much more efficiently implemented than, for example, for elliptic curves. Proposals for very efficient operations have been made [17]. Unfortunately this was done without a careful examination of the group structure [18].

SECURITY PRIMITIVES BASED ON DISCRETE EXPONENTIATION

Digital signature
Probably the most important application of asymmetric cryptography is that of digital signatures. Since they can be used to authenticate public keys (we will see an example in the next section), they are in some sense the basis for most other asymmetric cryptosystems.

ElGamal signature
For an ElGamal signature [19] the signer chooses a random number x ∈ Z_{|G|} and computes y := α^x. He publishes y as public key and keeps x secret. These values are constant for all messages to be signed by this one signer. Any message to be signed has to be encoded as a number m ∈ Z_{|G|}, e.g. by its binary representation through concatenating ASCII representations of letters. To sign m, the signer chooses a one-time random k ∈ Z_{|G|}; k must never be reused to sign any other message. The signer computes r := α^k and solves the congruence:

$m \equiv x r + k s \pmod{|G|}$

secretly, knowing all the parameters. (Note that to be totally correct, in this congruence r would have to be replaced by c(r) for a suitable encoding function c: G → Z_{|G|}.) The triple (m, r, s) is the signed message. It may be verified by any receiver by checking the equation:

$\alpha^m = y^r \cdot r^s$

in G. Note that the signed message has three times the size of the message itself. Furthermore, verification of the signature depends upon the knowledge of the system parameters G and α, and of the signer's public key y, which has to be authentic.

Variations of ElGamal
A modification of the ElGamal signature scheme was presented by Agnew et al. [20] (AMV). Instead of m ≡ xr + ks (mod |G|), the signer may solve the congruence m ≡ xs + kr (mod |G|). The signature (m, r, s) is verified by checking the equation α^m = y^s r^r. An advantage of this scheme over the standard ElGamal signature is that to compute the signature by solving the congruence for s, the signer only needs to compute x^{-1} in Z^*_{|G|} once, instead of computing k^{-1} for every signature.

In August 1991, the US National Institute of Standards and Technology (NIST) published the draft of a digital signature standard (DSS) [16], which is also a modification of the ElGamal signature scheme. One of the differences between the DSS and the original ElGamal scheme is the use of a 160-bit prime order subgroup of a prime field. The other main difference is that the check equation is resolved for r. This allows r to be reduced to 160 bits as well, so that a DSS signature appended to a message is only 320 bits long.

There is a variation of the ElGamal signature which we call a 'testimonial' [21]. Whereas a signature involves a signer and a verifier, a testimonial involves three parties, called the claimer, the notary and the verifier. For a testimonial the notary chooses x and y, as the signer does in the ElGamal signature. The claimer, who wants to have the message m testified, chooses h ∈ Z^*_{|G|} at random, computes a := α^h and passes a on to the notary. Now, the notary chooses k ∈ Z^*_{|G|} at random and computes r := a^k. Then he solves the congruence m ≡ xr + kb (mod |G|) and passes r and b to the claimer. The claimer computes s := b h^{-1} in Z_{|G|}. The triple (m, r, s) is an ElGamal signature of which the notary does not know s. Note that it is possible for the notary to issue another signature (m, r', s') for the same message, but it is not possible for him to compute a signature containing the particular r and s, or to obtain s if it is not published by the claimer. Obviously, this feature is lost if the claimer proves his possession of a testimonial by presenting r and s. The following sections will show schemes to use the testimonial without publishing s.

Nyberg and Rueppel [22] have published another modification of the ElGamal scheme, which allows shortening of the signature to (rm, s) for sufficiently short messages.
Zero-knowledge signatures
Later we will see how digital signature schemes can also be derived from zero-knowledge identification schemes.

Self-certified public keys using ElGamal signatures
As can already be seen in the description of the digital signature schemes, one of the crucial problems of asymmetric cryptography is how to distribute the public keys of the participants in an authentic manner. In general, to do so one will need the help of a trusted third party, which (somehow) certifies that a certain key is associated with a certain real-world entity. We will call such a trusted third party a secure key issuing authority (SKIA). If the SKIA gives each participant an ElGamal signature of his ID-string, the checking equation can be resolved for:

$r^s = \alpha^{ID} \cdot y^{-r}$

and r^s can be used as a public key for a discrete exponentiation cryptosystem [23] (e.g. for the ElGamal signature scheme itself). This public key can be readily computed by anyone who knows the ID-string, r and the SKIA's public data. Girault [24] later coined the term 'self-certified public key' for such a key which can be computed from a participant's ID together with public data. Note that the SKIA could also issue an AMV signature or a testimonial instead of an ElGamal signature, whereas a DSS signature cannot be used directly, since r is reduced modulo |G| before publishing. The difference in the case of using the testimonial scheme is that the SKIA does not know the participant's secret key s. If an AMV signature is used, all participants' public keys share the same basis y, which may be an advantage for several cryptosystems. Recently, the use of the AMV signature for self-certified public keys has been rediscovered by Harn and Yang [26].

Verifiable secret sharing
Secret sharing schemes enable a party, usually called the dealer, to distribute a secret (e.g. a cryptographic key) between a group of shareholders in such a way that only certain designated subsets of the group (called the access structure) are able to reconstruct the secret. An example of a simple access structure are (k, l)-threshold schemes, where any k, but not less, out of a group of l participants can reconstruct the secret. For some applications it is desirable that the participants can verify that they indeed have all the information necessary to reconstruct the secret, even if the dealer and/or some of the shareholders are not commonly trusted. The homomorphic property of discrete exponentiation can also be exploited to construct a verification protocol [27] for the geometric secret sharing scheme of Simmons, Jackson and Martin [28], dealing with general monotone access structures. Their scheme consists of a secret variety V_i of some n-dimensional affine geometry AG(n, q) over a finite field GF(q) and a publicly known variety V_d. The secret to be distributed is the intersection of these two varieties, P = V_i ∩ V_d. Each shareholder possesses one or more points P_i in V_i in such a manner that every designated subset of shareholders is able to construct V_i and therefore to derive the secret point P. The main idea of how to prove the claim that a secret P was distributed according to a monotone access structure is to check the vector valued equations:

$P = P_0 + \sum_{i=1}^{m} \lambda_i (P_i - P_0) = Y_0 + \sum_{j=1}^{r} \mu_j (Y_j - Y_0)$

for V_i = {P_0, ..., P_m} and V_d = {Y_0, ..., Y_r} with coefficients λ_i, μ_j ∈ GF(q) under a suitable one-way function. Using discrete exponentiation, the last equation changes to the form:

$\alpha^{P} = \alpha^{P_0} \prod_{i=1}^{m} \left(\alpha^{P_i - P_0}\right)^{\lambda_i} = \alpha^{Y_0} \prod_{j=1}^{r} \left(\alpha^{Y_j - Y_0}\right)^{\mu_j}$

After the dealer has broadcast the values α^P, λ_i, α^{P_i}, μ_j and α^{Y_j}, each participant can check, on the one hand, whether he has received a valid share and, on the other hand, whether the equation above holds (this implies that P lies in the intersection V_i ∩ V_d). A few other protocol steps ensure each participant that V_i ∩ V_d has dimension 0 (that means P is the only point belonging to both varieties). Using this method, a user of a discrete exponentiation cryptosystem can distribute his secret key to a number of shareholders and convince them that, if necessary, they can reconstruct his key according to some monotone access structure, although they never need to actually combine their partial information to become convinced.

Zero-knowledge protocols

Zero-knowledge identification
Using a zero-knowledge proof system, a prover can convince a verifier of a certain fact without revealing more information than this fact itself. For example, a prover may convince a verifier that he knows a secret which can only be known to a certain person without giving the verifier any information about the secret itself. Soon after the invention of zero-knowledge proofs, Chaum et al. [30] published a zero-knowledge scheme to prove the possession of discrete logarithms. Combined with the idea of self-certified public keys (as explained
earlier), this yields the Beth zero-knowledge identification scheme [23], which was purpose-made for efficient implementation. When user A wants to identify himself to another principal B, A sends his ID-string and the value r to B, who can then use the SKIA's public key y to compute A's public key r^s. Next, A chooses a random t ∈ Z_{|G|}, computes z := r^{-t} and sends z to B ('commitment'). B chooses a random value b from a suitably chosen subset R ⊂ Z_{|G|} and sends it to A ('challenge'). A computes u := t + bs (mod |G|) and sends it to B ('response'). B accepts the identification if r^u z = (r^s)^b. Since a fraudulent prover can deceive the verifier if he guesses the correct challenge, the probability of such a lucky guess has to be acceptably low. This can be achieved by increasing the size of R, by repeating the commitment-challenge-response steps or by introducing multiple signatures of the SKIA on messages derived from A's ID-string, and thus multiple challenge values b_i in a single round of the protocol. Schnorr later published a similar identification scheme [15] using a prime order subgroup of GF(p).
Signatures based on zero-knowledge identification
A zero-knowledge identification scheme can be converted into a digital signature scheme if the challenge is not given by a verifier but derived from a hash value that is obtained by applying a cryptographic hash function ('message digest') to the concatenation of the message to be signed and the commitment, a notion due to Fiat and Shamir [31]. The message digest function enforces the order of the commitment and challenge steps, which is crucial for the security of the scheme, since a prover who knows the challenge before sending his commitment can easily cheat.
Session key exchange

Diffie-Hellman key exchange
The Diffie-Hellman scheme [1] uses the one-way property of discrete exponentiation to allow two principals, let us call them A and B, to exchange a secret key using a public channel. Each principal i chooses a secret random number x_i and publishes the value y_i := α^{x_i}. Then both can compute a common key:

$K = y_A^{x_B} = y_B^{x_A} = \alpha^{x_A x_B}$

A well-known attack on this scheme uses the fact that the authenticity of the y_i is not assured. Suppose an attacker C can control the communication channel between A and B. Upon receiving y_A from A he will send y_C := α^{x_C} to B instead. Similarly, he sends y_C to A instead of y_B. Using this attack he will share one key K' = α^{x_A x_C} with A and another key K'' = α^{x_B x_C} with B, and may thus decrypt, read, modify and re-encrypt messages between A and B.
KATHY
Several protocols have been developed to overcome this weakness of the Diffie-Hellman scheme. They were simultaneously discovered by Günther [32] and Bauspieß and Knobloch [33]. We call these protocols KATHY (KeY exchange with embedded AuTHentication) protocols. Their basic idea is to use either a self-certified public key directly or the commitment value z of a successful zero-knowledge authentication as an authentic 'Diffie-Hellman half-key'. In both cases, they will come up with two different keys, each authentic for one of them, since the two principals have two different bases r_A and r_B (unless the SKIA used an AMV signature). So if necessary, additional steps have to be taken to ensure that both keys are shared with the same principal.
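The self-certified public key, one round of the Beth identification scheme and the KATHY use of r^s as an authentic half-key, from the three passages above, as one added worked example in Python (not code from the paper or from TESS) over Z_p^* with constructed toy parameters p = 10^9+7 and α = 5; the SKIA class, the function names and the particular way the half-key is combined with a fresh exponent are my assumptions, since the page states only the idea:

```python
import secrets
from math import gcd

# Constructed toy parameters (NOT secure): G = Z_p^*, |G| = p - 1, base alpha.
P = 1000000007
ALPHA = 5
ORDER = P - 1


def rand_unit(n):
    """Random element of Z_n^* (needed wherever an inverse mod |G| is taken)."""
    while True:
        k = secrets.randbelow(n - 2) + 2
        if gcd(k, n) == 1:
            return k


def encode_id(id_str):
    """Encode the ID-string as a number in Z_|G| via its binary representation."""
    return int.from_bytes(id_str.encode(), "big") % ORDER


class SKIA:
    """Secure key issuing authority: secret x, public y = alpha^x."""

    def __init__(self):
        self.x = rand_unit(ORDER)
        self.y = pow(ALPHA, self.x, P)

    def issue(self, id_str):
        """ElGamal-sign the ID:  ID = x*r + k*s (mod |G|).
        r is published with the ID; s is handed over as the participant's secret."""
        k = rand_unit(ORDER)
        r = pow(ALPHA, k, P)
        s = (encode_id(id_str) - self.x * r) * pow(k, -1, ORDER) % ORDER
        return r, s


def self_certified_key(y, id_str, r):
    """Resolve the check equation alpha^ID = y^r * r^s for the public key
    r^s = alpha^ID * y^(-r): computable from ID, r and the SKIA's public y alone."""
    return pow(ALPHA, encode_id(id_str), P) * pow(y, -r, P) % P


# --- Beth zero-knowledge identification: prover A holds (ID, r, s), verifier B ---
def commit(r):
    t = secrets.randbelow(ORDER)
    return t, pow(r, -t, P)                        # z = r^(-t) goes to B


def challenge(bits=24):
    return secrets.randbelow((1 << bits) - 1) + 1  # b from a subset R of Z_|G|, b != 0


def respond(t, b, s):
    return (t + b * s) % ORDER                     # u = t + b*s (mod |G|) goes to B


def check(r, z, u, b, rs):
    """B accepts iff r^u * z == (r^s)^b, since r^(t+bs) * r^(-t) = r^(bs)."""
    return pow(r, u, P) * z % P == pow(rs, b, P)


def identify(y, id_str, r, s, wrong_s=None):
    """One commitment-challenge-response round; B derives A's public key itself.
    wrong_s lets a prover without the real secret answer, to show it is rejected."""
    rs = self_certified_key(y, id_str, r)
    t, z = commit(r)
    b = challenge()
    u = respond(t, b, s if wrong_s is None else wrong_s)
    return check(r, z, u, b, rs)


# --- KATHY: the self-certified key r^s as an authentic Diffie-Hellman half-key ---
def kathy_half(y, id_str, r, s):
    """Assumed instantiation: the peer raises A's basis r to a fresh random v and
    sends r^v; only the holder of s can then form r^(s*v), while the peer obtains
    it as (r^s)^v from the self-certified key. Done once per basis this yields the
    two keys the text mentions. Returns (A's key, peer's key) for comparison."""
    rs = self_certified_key(y, id_str, r)   # peer computes A's authentic public key
    v = rand_unit(ORDER)                    # peer's ephemeral exponent
    half = pow(r, v, P)                     # peer -> A
    return pow(half, s, P), pow(rs, v, P)
```

A peer that computed r^s from a different ID, or a prover answering with a wrong s, fails the check equation, which is the property the self-certified key gives to the key exchange.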
Public key encryption
ElGamal [19] observed that for the Diffie-Hellman scheme no interaction is necessary if A, who wants to send a message to B, knows B's half-key in advance. In this case, A will send his half-key concatenated with the encrypted message. Again, A may gain knowledge of B's authentic public half-key by means of a self-certified public key. If mutual authenticity is desired, A has to sign his randomly chosen half-key before sending it to B.
TESS
The Exponential Security System (TESS) consists of arithmetic primitives, of the aforementioned protocol mechanisms and of functions built upon them, and serves as a basis for implementing security systems for very different environments, scopes and security requirements. The following is a summary of the mechanisms and functions TESS currently consists of, and of applications that have been built using TESS's interconnected functions and mechanisms.

Mechanisms
According to the mechanisms described in the previous sections, the mechanisms contained in TESS can be grouped in the following way.

Exponentiation
Exponentiation is the basic cryptographic primitive within TESS. Most of the other mechanisms contained in TESS are based on this cryptographic primitive, and make extensive use of it. TESS currently concentrates on the multiplicative group GF(p)* of a finite prime field GF(p) for computing discrete exponentiation, but may be extended to other groups in future if desirable.
The reasons for remaining currently in GF(p)* are that:
• the computation of the exponential function has been extensively optimized, and in the meantime is sufficiently fast;
• GF(p)* provides good security for strong primes of 512 bits or more;
• among those groups in which the discrete exponentiation and the DLOG problem have been considered, GF(p)* is the group with the best known properties and on which most research considering the security of the one-way exponential function has been done.
Key exchange The basis for the key exchange is the well-known Diffie Hellman protocol, modified to use self-certified public keys. A successful key exchange between two parties thus gives both parties (whether they have met before or not) one or two authentic session keys (depending upon the variant used) without interaction with an online key distribution or security server. The use of zero-knowledge protocols for authentic key exchange is currently not provided by TESS, but might be added if appropriate.
Digital signature
Since TESS is based on the exponentiation primitive, it is only natural that the ElGamal scheme is the digital signature scheme normally used to generate digital signatures. As with the Diffie-Hellman public key exchange, the ElGamal signature scheme is also modified using self-certified public keys, thus giving digital signatures that may be verified without prior interaction with the signer, and without using and relying on an authentic public key distribution system (e.g. X.509), but only using the signer's ID and the SKIA's public information. TESS currently comprises:
• the ElGamal scheme,
• the AMV variant, and
• the testimonial scheme.
With the latter, TESS even allows us to build a security application in which the communication between two parties is provably confidential (in the sense of protocol analysis [34, 35]) even with respect to the ID- and key-issuing certification authorities (CAs or SKIAs).

Verifiable secret sharing
Besides the idea of self-certified public keys, the possibility of checking equations without knowing the secrets is one of the basic properties of TESS. Exploiting this property, it is possible to generate a verifiable secret sharing scheme as described above. Using this verifiable secret sharing scheme, it is possible to securely distribute secret keys or to build a basis for different access control mechanisms in distributed systems.

Zero-knowledge authentication
Zero-knowledge authentication is currently not extensively used within TESS. It is, however, available. Since the basic idea of TESS was initiated by the Beth protocol [23], this is the basic protocol for zero-knowledge authentication within TESS. Other zero-knowledge protocols may be added on demand.

Ciphers
Most of the mechanisms contained in TESS make extensive use of discrete exponentiation as described earlier. Confidentiality protection by enciphering messages is also possible using the discrete exponentiation function, but public key encryption is often too slow for security applications in the real world. TESS thus also provides several symmetric ciphers, namely DES, FEAL, IDEA and a multiplexer-based stream cipher for fast data encryption and data authentication (ongoing authentication of data as described elsewhere [33]) as separate modules. These ciphers are still well interfaced to the other mechanisms of TESS, since the TESS key management primitives generate symmetric keys suitable for use with symmetric ciphers, often even one for each data communications direction.

Functionalities
Based on the mechanisms described above, the following security functions are available within TESS.
• Key management based on self-certified public keys, the key exchange mechanisms as described in the previous section, and the use of SKIAs in the role of certification authorities.
• Encryption based on the symmetric ciphers mentioned above, in combination with an appropriate TESS key management, or on the ElGamal public key encryption scheme with or without self-certified public keys.
• Authentication consists of two different aspects:
  - user authentication by zero-knowledge proof of a secret or by successful encryption/decryption using authentic keys provided by the key management facility, and
  - data authentication by digital signatures or by encryption in combination with an appropriate TESS key management.
• Access control based on verifiable secret sharing. The information generated by the verifiable secret sharing scheme might be used by a conventional reference monitor, or for controlling access to information by proper encryption keyed by the shared secret. The shared secret might also be used
as a basis for physical access control, thus linking the IT-oriented mechanisms of TESS to the non-IT security relevant environment.
Applications
Two security systems have currently been implemented using the functions and mechanisms of TESS:
1. The SEcure Local Area Network Environment (SELANE) is an application of the security system which comprises SKIA key management, user authentication and session encryption in LANs. It provides distributed systems with authentic and confidential communications channels. An example of how SELANE can be integrated into application programs is given later on.
2. Exponential Electronic Signatures (EES) is another TESS application (preceding the NIST DSS proposal) which provides data authentication and encryption mediated by SKIA key management. It is very convenient to use, for example, for email authentication in networks with SELANE user authentication. In this case, both security applications can share the same SKIA mechanisms.
IMPLEMENTATIONS
Toolbox software
The software implementation of TESS is divided into toolboxes which each implement a limited subset of functions. The toolboxes are implemented in portable, system-independent (ANSI) C. Where performance is important, some of the base functions are available as optimized assembler code, replacing the corresponding C functions. This structure allows a very fast port of a toolbox to a new hardware platform. The C version is expected to compile with only minimal or no changes at all. Once the application is running, the base functions can be independently downcoded to assembler to gain more speed if necessary.
Support toolbox This toolbox contains macro definitions and some minor functions to support a broad range of hardware platforms and operating systems. There is, for instance, a set of macros solving the 'big endian vs. little endian' problem. Other functions perform parsing of data files or scanning of command line options.
Cipher toolbox
This toolbox is subdivided into two parts:
1. One module handles stream ciphers based on linear feedback shift registers (e.g. a multiplexer generator). The functions allow the generation of pseudorandom strings based on the feedback structure and the values of the shift registers, which are initialized by the key. Since the security of a stream cipher decreases with transmission length, the key is regularly renewed.
2. The second module handles block ciphers. Each block cipher is described by the width of a data block and the length of its key. The block ciphers DES, FEAL and IDEA are available in the basic (electronic codebook) mode of operation. A generic 'Modes Of Operation Module' on top of these block ciphers allows their use in the CBC, OFB and CFB modes.
To improve operation speed, some of the cipher functions are available in assembler code for Sun SPARC, Motorola MC680x0, Intel 80x86 and VAX architectures. Table 1 shows the speed of the C and assembler versions measured on a Sun SPARCstation 10/20.

Long integer arithmetic toolbox
This toolbox supports arithmetic with long integer operands up to a length of 4096 bits. The toolbox is optimized for calculation in GF(p), so most functions need a modulus to prevent an overflow of the results. As it is assumed that operands do not grow beyond a static maximum length known at compile time, the data is stored in statically sized arrays. Thus, there is no need for dynamic memory allocation, which makes the toolbox usable even on platforms which do not support memory management. There is a set of low level functions (addition, subtraction, multiplication, squaring, comparison, division, etc.), some of which are available in assembler code to increase performance. Using this 'kernel', a set of high level functions (like modular multiplication, modular exponentiation, modular inversion) is built. In most of the intended cryptographic applications, modular exponentiation is the major time consuming function. Modular exponentiation is, in turn, built from multiplication, squaring and modular reduction. The latter function is implemented here either using trial division for a general modulus or using an improved Mohan-Adiga [36] method if the modulus has a special form. Table 2 shows the long integer arithmetic performance on a SPARCstation 10/20 using C and assembler kernel routines.

Table 1 Cipher speed (kByte/s), C version and assembler version
Ciphers measured: DES, FEAL-8, FEAL-32, IDEA, Multiplexer generator
Values as extracted (the row/column assignment did not survive extraction): 170 528 274 160 202 58 65
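The generic modes-of-operation layer described above, as an added example that is not code from the TESS toolbox: one routine builds CBC, CFB and OFB on top of any single-block (ECB) cipher routine passed in as a function pointer. The block cipher used here is a constructed toy permutation standing in for DES, FEAL or IDEA so that the file runs stand-alone; the key, IV and messages are constructed sample values.

```c
/* Added example, not the TESS 'Modes Of Operation Module' itself: a generic
 * modes layer that builds CBC, CFB and OFB on top of any single-block (ECB)
 * cipher routine. The block cipher below is a constructed toy permutation
 * standing in for DES/FEAL/IDEA so the file runs stand-alone; it offers no
 * security. CFB and OFB need only the forward (encrypt) direction of the
 * block cipher; only CBC decryption needs the inverse. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLK 8   /* block width in bytes, as for DES, FEAL and IDEA */

typedef void (*block_fn)(const uint8_t *key, const uint8_t *in, uint8_t *out);
typedef enum { MODE_CBC, MODE_CFB, MODE_OFB } cipher_mode;

/* Toy 64-bit bijection (constructed): XOR with key, rotate each byte left by 3. */
static void toy_encrypt(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++) {
        uint8_t x = in[i] ^ key[i];
        out[i] = (uint8_t)((x << 3) | (x >> 5));
    }
}
static void toy_decrypt(const uint8_t *key, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < BLK; i++) {
        uint8_t x = (uint8_t)((in[i] >> 3) | (in[i] << 5));
        out[i] = x ^ key[i];
    }
}

/* Process len bytes (a whole number of blocks) in the given mode.
 * enc/dec are the cipher's ECB routines; safe for in-place use (in == out).
 * Returns 0 on success, -1 if len is not a multiple of BLK. */
static int mode_crypt(cipher_mode mode, int encrypt, block_fn enc, block_fn dec,
                      const uint8_t *key, const uint8_t *iv,
                      const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t chain[BLK], blk[BLK], ks[BLK];
    if (len % BLK != 0) return -1;
    memcpy(chain, iv, BLK);
    for (size_t off = 0; off < len; off += BLK) {
        uint8_t *c = out + off;
        memcpy(blk, in + off, BLK);          /* copy first: in may alias out */
        switch (mode) {
        case MODE_CBC:
            if (encrypt) {                   /* C_i = E(P_i XOR C_{i-1}) */
                for (int i = 0; i < BLK; i++) blk[i] ^= chain[i];
                enc(key, blk, c);
                memcpy(chain, c, BLK);
            } else {                         /* P_i = D(C_i) XOR C_{i-1} */
                dec(key, blk, ks);
                for (int i = 0; i < BLK; i++) c[i] = ks[i] ^ chain[i];
                memcpy(chain, blk, BLK);
            }
            break;
        case MODE_CFB:                       /* keystream = E(previous ciphertext) */
            enc(key, chain, ks);
            for (int i = 0; i < BLK; i++) c[i] = blk[i] ^ ks[i];
            memcpy(chain, encrypt ? c : blk, BLK);
            break;
        case MODE_OFB:                       /* keystream = E(previous keystream) */
            enc(key, chain, ks);
            memcpy(chain, ks, BLK);
            for (int i = 0; i < BLK; i++) c[i] = blk[i] ^ ks[i];
            break;
        }
    }
    return 0;
}

/* Round trip under the toy cipher: returns 1 if decrypt(encrypt(msg)) == msg
 * and the ciphertext differs from the plaintext. Key, IV and message are
 * constructed sample values. */
int roundtrip_ok(cipher_mode mode) {
    static const uint8_t key[BLK] = {0x13, 0x37, 0xc0, 0xde, 0xfa, 0xce, 0xb0, 0x0c};
    static const uint8_t iv[BLK] = {1, 2, 3, 4, 5, 6, 7, 8};
    static const uint8_t msg[16] = "TESS toolbox!!!";  /* 15 chars + NUL */
    uint8_t ct[16], pt[16];
    if (mode_crypt(mode, 1, toy_encrypt, toy_decrypt, key, iv, msg, ct, 16)) return 0;
    if (mode_crypt(mode, 0, toy_encrypt, toy_decrypt, key, iv, ct, pt, 16)) return 0;
    return memcmp(pt, msg, 16) == 0 && memcmp(ct, msg, 16) != 0;
}

/* OFB is a pure keystream mode: encryption and decryption are the same
 * operation and never call the inverse cipher. Returns 1 if both directions
 * give identical output with dec == NULL. */
int ofb_is_symmetric(void) {
    static const uint8_t key[BLK] = {9, 8, 7, 6, 5, 4, 3, 2};
    static const uint8_t iv[BLK] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11};
    static const uint8_t msg[8] = "OFBmode";             /* 7 chars + NUL */
    uint8_t a[8], b[8];
    mode_crypt(MODE_OFB, 1, toy_encrypt, NULL, key, iv, msg, a, 8);
    mode_crypt(MODE_OFB, 0, toy_encrypt, NULL, key, iv, msg, b, 8);
    return memcmp(a, b, 8) == 0;
}
```

Because the modes layer sees the cipher only through `block_fn`, swapping the toy permutation for a real ECB routine of the same block width changes nothing above it; that separation is what lets one module serve several block ciphers. Partial final blocks are rejected rather than padded, so any padding policy stays the caller's explicit decision.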
Table 2 Long integer arithmetic performance (in milliseconds), C and assembler (Asm.) kernel routines

Length of operands (bits)          128      256      512      640      768      1024
Multiplication            C        0.089    0.353    1.274    1.994    2.981    5.057
                          Asm.     0.008    0.018    0.059    0.130    0.175    0.186
Square                    C        0.052    0.181    0.679    1.066    1.520    2.748
                          Asm.     0.005    0.012    0.046    0.088    0.109    0.148
Reduction (trial division)
                          C        0.148    0.507    1.778    2.702    3.797    6.557
                          Asm.     0.036    0.082    0.218    0.378    0.422    0.699
Reduction (imp. Mohan-Adiga)
                          C        0.058    0.191    0.675    1.089    1.506    2.025
                          Asm.     0.013    0.020    0.048    0.092    0.136    0.116
Exponentiation (trial division)
                          C        34.5     219.6    1514.0   3044.0   4829.0   11402.0
                          Asm.     7.4      30.6     168.4    303.6    489.8    1014.2
Exponentiation (imp. Mohan-Adiga)
                          C        18.5     120.6    876.2    1679.5   2868.0   6938.0
                          Asm.     2.9      9.7      54.0     137.8    213.3    343.0
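The layered structure of the long integer toolbox described above (low level comparison, addition and subtraction on static, compile-time-sized limb arrays, with modular multiplication and then modular exponentiation built on top of them), as an added example in portable C that is not the TESS kernel itself. Reduction here is a conditional subtraction after each doubling or addition, a stand-in for the trial-division and Mohan-Adiga reductions of the real kernel; the limb width, NLIMBS, and the moduli used in the checks are assumptions of this example.

```c
/* Added example (not the TESS long integer kernel): fixed-width
 * multi-precision modular arithmetic in the style the paper describes.
 * Operands live in static, compile-time-sized limb arrays (no heap), and
 * modular exponentiation is built from modular multiplication, which is
 * built from addition, subtraction and comparison. Reduction is by
 * conditional subtraction after every doubling/addition, not the
 * trial-division or Mohan-Adiga reduction of the real kernel. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLIMBS 4                    /* 4 x 32 bits = 128-bit operands (assumed) */
typedef uint32_t bn_t[NLIMBS];      /* little-endian limb order */

static int bn_cmp(const uint32_t *a, const uint32_t *b) {
    for (int i = NLIMBS - 1; i >= 0; i--)
        if (a[i] != b[i]) return a[i] > b[i] ? 1 : -1;
    return 0;
}

/* r = a + b; returns the carry out of the top limb */
static uint32_t bn_add(uint32_t *r, const uint32_t *a, const uint32_t *b) {
    uint64_t carry = 0;
    for (int i = 0; i < NLIMBS; i++) {
        uint64_t s = (uint64_t)a[i] + b[i] + carry;
        r[i] = (uint32_t)s;
        carry = s >> 32;
    }
    return (uint32_t)carry;
}

/* r = a - b; returns the borrow out of the top limb */
static uint32_t bn_sub(uint32_t *r, const uint32_t *a, const uint32_t *b) {
    uint64_t borrow = 0;
    for (int i = 0; i < NLIMBS; i++) {
        uint64_t d = (uint64_t)a[i] - b[i] - borrow;
        r[i] = (uint32_t)d;
        borrow = (d >> 32) & 1;     /* high half is all ones after a wrap */
    }
    return (uint32_t)borrow;
}

/* r = (a + b) mod m, assuming a < m and b < m (one subtraction suffices) */
static void bn_addmod(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *m) {
    bn_t t;
    uint32_t carry = bn_add(t, a, b);
    if (carry || bn_cmp(t, m) >= 0) bn_sub(t, t, m);
    memcpy(r, t, sizeof(bn_t));
}

/* r = (a * b) mod m by double-and-add over the bits of b, a < m and b < m.
 * Every intermediate stays below 2m, so no double-width product is needed. */
static void bn_mulmod(uint32_t *r, const uint32_t *a, const uint32_t *b, const uint32_t *m) {
    bn_t acc = {0};
    for (int i = NLIMBS * 32 - 1; i >= 0; i--) {
        bn_addmod(acc, acc, acc, m);                 /* acc = 2*acc mod m */
        if ((b[i / 32] >> (i % 32)) & 1)
            bn_addmod(acc, acc, a, m);               /* acc = acc + a mod m */
    }
    memcpy(r, acc, sizeof(bn_t));
}

/* r = base^exp mod m by left-to-right square-and-multiply, base < m, m > 1 */
static void bn_powmod(uint32_t *r, const uint32_t *base, const uint32_t *exp, const uint32_t *m) {
    bn_t acc = {1};
    for (int i = NLIMBS * 32 - 1; i >= 0; i--) {
        bn_mulmod(acc, acc, acc, m);                 /* square */
        if ((exp[i / 32] >> (i % 32)) & 1)
            bn_mulmod(acc, acc, base, m);            /* multiply */
    }
    memcpy(r, acc, sizeof(bn_t));
}

/* Textbook case: 4^13 mod 497 = 445 (single-limb operands) */
uint32_t small_powmod(uint32_t b, uint32_t e, uint32_t m) {
    bn_t bb = {b}, ee = {e}, mm = {m}, r;
    bn_powmod(r, bb, ee, mm);
    return r[0];
}

/* 2^65 mod (2^64 + 13) = 2^64 - 13: a result spanning two limbs. Returns 1 on match. */
int check_2_65_mod_2_64_plus_13(void) {
    bn_t two = {2}, e = {65}, m = {13, 0, 1, 0}, r;
    bn_t expect = {0xFFFFFFF3u, 0xFFFFFFFFu, 0, 0};
    bn_powmod(r, two, e, m);
    return bn_cmp(r, expect) == 0;
}

/* Fermat check on the Mersenne prime p = 2^89 - 1 (three limbs):
 * returns 1 if 3^(p-1) mod p == 1, which a correct kernel must give. */
int fermat_check_2_89_minus_1(void) {
    bn_t p = {0xFFFFFFFFu, 0xFFFFFFFFu, 0x01FFFFFFu, 0};
    bn_t pm1, three = {3}, one = {1}, r;
    bn_sub(pm1, p, one);
    bn_powmod(r, three, pm1, p);
    return bn_cmp(r, one) == 0;
}

int main(void) {
    printf("4^13 mod 497 = %u\n", small_powmod(4, 13, 497));
    printf("2^65 mod (2^64+13) correct: %d\n", check_2_65_mod_2_64_plus_13());
    printf("3^(p-1) mod p == 1 for p = 2^89-1: %d\n", fermat_check_2_89_minus_1());
    return 0;
}
```

The double-and-add multiplication costs one modular addition per bit and is chosen only for brevity; a kernel of the kind the paper measures multiplies limb by limb into a double-width product and reduces that once, which is where the choice between trial division and a special-form reduction decides the exponentiation times in Table 2. The Fermat check on a three-limb prime is a cheap way to catch carry and borrow mistakes at limb boundaries.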
Chipcard toolbox

This toolbox implements a protocol stack for communication with processor chipcards. The base layer consists of a system-dependent module handling the communication between the host system and the chipcard reader over a standard serial line. Currently, only UNIX and MS-DOS-based machines and the Apple Macintosh are supported. The next layer is used to drive a chipcard reader developed at the EISS which was designed to handle most processor chipcards that conform to ISO-7816 Part 1-3 over a standard serial interface. The third layer implements transport protocols according to ISO-7816 Part 3. The final application is built on top of these layers.

Authentication toolbox

This toolbox implements KATHY authentication protocols. The software is independent from the operating and network system. The authentication software provides three classes of application functions:

1. Functions for starting an authentication and for terminating an encrypted session.
2. Status functions which provide an application with various information about the state and the parameters of the authentication and the (authenticated) name of the communication partner.
3. Filter functions which are to be used by an application to process all incoming and outgoing data.

Because the authentication software is installed as an additional software layer between the application and the transport system, it can easily be used in any connection-oriented application to provide an authenticated and encrypted communication channel. In addition to the encryption of user data following an authentication, the software can:

• resynchronize the cipher modules of the two communication partners,
• transparently switch to the next session key when the current key expires, and
• re-ensure the authenticity of the communication partner and generate new session keys by doing a user-transparent re-authentication.

Table 3 shows the authentication time between two SPARCstation 10/20s. Using the chipcard toolbox the authentication software can delegate calculations with a user's secret key to an intelligent chipcard.

Table 3 Authentication times (in seconds)

Length of operands (bits)   128    256    512    640    768    1024
Time (s)                    0.12   0.15   0.29   0.74   1.12   1.47

SKIA software

The SKIA is implemented as a stand-alone program which runs on a PC without connection to the network. The SKIA's secret data is stored on a disk which is encrypted using DES. User data calculated by the SKIA can be stored in a file or directly in a chipcard. In both cases, the data is encrypted with a password chosen by the user.

Smartcards

A ROM mask for a smartcard processor with a cryptographic coprocessor [37] has been developed. This smartcard can be used by the TESS toolbox software to hold the users' secret keys and to perform all necessary computations with these secret keys inside the card. The limited bandwidth of the smartcard I/O does not allow us to encipher/decipher a communications session inside the card. It is, however, not security relevant if a generated session key is given to a user's local workstation, since in any case all the communication data has to be available to this workstation unenciphered.
Secure Telnet

To secure the login from the institute local network as well as from the global Internet into the institute's firewall server, the standard TCP/IP service Telnet was extended to use SELANE authentication. The Telnet client and daemon software is available in source code form. Since the Telnet protocol uses the connection-oriented service TCP to exchange data and control sequences, it was easy to install the SELANE authentication software as a filter between the network layer and the application (here Unix login). To decide whether or not to encrypt Telnet control sequences, it was necessary to look at the possible login sources into the firewall server:

1. Login from a Telnet client program on another host.
2. Login from a terminal emulation program over a modem line into a terminal server (Network Interface Unit, NIU), which sets up connections to hosts on the internet via the Telnet protocol.

To handle both login sources, the authentication software was installed on top of the Telnet protocol layer (i.e. without encrypting control sequences). Thus, it is possible to use a terminal emulator with built-in SELANE software on a PC, dial up the modems, connect to the firewall server and start an authenticated session. Since chipcard readers are not available at all users' home machines, the secret data of a user is stored in a disk file. Encryption of this file with a user-chosen password is strictly recommended and enforced by the SELANE software.
ACKNOWLEDGEMENTS

The authors would like to thank Willi Geiselmann, Torsten Minkwitz, Marcus Otten and Detlef Zerfowski for their helpful comments during the preparation of this paper.

REFERENCES

1 Diffie, W and Hellman, M E 'New directions in cryptography', IEEE Trans. Info. Theory, Vol 22 (1976) pp 644-654
2 Knuth, D E The Art of Computer Programming: Vol. 2: Seminumerical Algorithms, 2nd ed., Addison Wesley, Reading, MA (1981)
3 Pollard, J M 'Monte Carlo methods for index computation (mod p)', Math. Comp., Vol 32 (1978) pp 918-924
4 Gordon, D M 'Discrete logarithms in GF(p) using the number field sieve', preprint (1992)
5 Adleman, L M and DeMarrais, J 'Subexponential algorithm for discrete logarithms over ALL finite fields', Adv. Cryptology-CRYPTO '93 (to appear)
6 Agnew, G B, Mullin, R C and Vanstone, S A 'Fast exponentiation in GF(p)', Adv. Cryptology-EUROCRYPT '88, Springer-Verlag, Berlin (1988) pp 251-255
7 Beth, Th and Gollmann, D 'Algorithm engineering for public key algorithms', IEEE J. Selected Areas in Commun., Vol 7 No 4 (1989) pp 458-466
8 Geiselmann, W and Gollmann, D 'VLSI design for exponentiation in GF(2^n)', Adv. Cryptology-AUSCRYPT '90, Springer-Verlag, Berlin (1990) pp 398-405
9 Coppersmith, D 'Fast evaluation of logarithms in fields of characteristic two', IEEE Trans. Info. Theory, Vol 30 (1984) pp 587-594
10 LaMacchia, B A and Odlyzko, A M 'Computation of discrete logarithms in prime fields', Designs, Codes and Cryptography, Vol 1 (1991) pp 47-62
11 Miller, V S 'Use of elliptic curves in cryptography', Adv. Cryptology-CRYPTO '85, Springer-Verlag, Berlin (1986) pp 417-426
12 Koblitz, N 'Elliptic curve cryptosystems', Math. Computation, Vol 48 (1987) pp 203-209
13 Menezes, A, Okamoto, T and Vanstone, S A Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field, University of Waterloo, preliminary version (September 1990)
14 Beth, Th and Schaefer, F 'Non supersingular elliptic curves for public key cryptosystems', Adv. Cryptology-EUROCRYPT '91, Springer-Verlag, Berlin (1991) pp 316-327
15 Schnorr, C P 'Efficient identification and signatures for smart cards', Adv. Cryptology-CRYPTO '89, Springer-Verlag, Berlin (1990) pp 239-251
16 National Institute of Standards and Technology FIPS Pub XX: Digital Signature Standard (DSS), (Draft), NIST, Gaithersburg, MD (1991)
17 Jaburek, W J 'A generalization of ElGamal's public key cryptosystem', Adv. Cryptology-EUROCRYPT '89, Springer-Verlag, Berlin (1990) pp 23-28
18 Bauspieß, F, Knobloch, H-J and Wichmann, P 'Inverting the pseudo exponentiation', Adv. Cryptology-EUROCRYPT '90, Springer-Verlag, Berlin (1991) pp 344-351
19 ElGamal, T 'A public key cryptosystem and a signature scheme based on discrete logarithms', IEEE Trans. Info. Theory, Vol 31 (1985) pp 469-472
20 Agnew, G B, Mullin, R C and Vanstone, S A 'Improved digital signature scheme based on discrete exponentiation', Electron. Lett., Vol 26 (1990) pp 1024-1025
21 Beth, Th and Knobloch, H-J 'Open network authentication without an online server', Proc. Symposium on Comput. Security '90, Rome, Italy (1990) pp 160-165
22 Nyberg, K and Rueppel, R A 'A new signature scheme based on the DSA giving message recovery', rump session of CRYPTO '93 (1993)
23 Beth, Th 'Efficient zero-knowledge identification scheme for smart cards', Adv. Cryptology-EUROCRYPT '88, Springer-Verlag, Berlin (1988) pp 77-84
24 Girault, M 'Self-certified public keys', Adv. Cryptology-EUROCRYPT '91, Springer-Verlag, Berlin (1991) pp 490-497
25 Horster, P and Knobloch, H-J 'Discrete logarithm based protocols', Adv. Cryptology-EUROCRYPT '91, Springer-Verlag, Berlin (1991) pp 399-408
26 Harn, L and Yang, S 'ID-based cryptographic schemes for user identification, digital signature, and key distribution', IEEE J. Selected Areas in Commun., Vol 11 No 5 (1993) pp 757-760
27 Beth, Th, Knobloch, H-J and Otten, M 'Verifiable secret sharing for monotone access structures', Proc. 1st ACM Conf. on Comput. Commun. Security, Fairfax, VA (November 1993)
28 Simmons, G J, Jackson, W-A and Martin, K 'The geometry of shared secret schemes', Bull. Inst. Combinatorics, Winnipeg, Canada (January 1991)
29 Goldwasser, S, Micali, S and Rackoff, C 'Knowledge complexity of interactive proof systems', Proc. STOC, Providence, RI (1985) pp 291-304
30 Chaum, D, Evertse, J H and van de Graaf, J 'An improved protocol for demonstrating possession of discrete logarithms and some generalizations', Adv. Cryptology-EUROCRYPT '87, Springer-Verlag, Berlin (1988) pp 127-141
31 Fiat, A and Shamir, A 'How to prove yourself: Practical solutions to identification and signature problems', Adv. Cryptology-CRYPTO '86, Springer-Verlag, Berlin (1987) pp 186-194
32 Günther, C G 'An identity-based key-exchange protocol', Adv. Cryptology-EUROCRYPT '89, Springer-Verlag, Berlin (1990) pp 29-37
33 Bauspieß, F and Knobloch, H-J 'How to keep authenticity alive in a computer network', Adv. Cryptology-EUROCRYPT '89, Springer-Verlag, Berlin (1990) pp 38-46
34 Burrows, M, Abadi, M and Needham, R 'A logic of authentication', Proc. 12th ACM Symposium on Operating Systems Principles, Litchfield Park, AZ (December 1989) (Published as ACM Operat. Syst. Rev., Vol 23 No 5, 1989)
35 Yahalom, R, Klein, B and Beth, Th 'Trust relationships in secure systems-a distributed authentication perspective', Proc. IEEE Symposium on Res. in Security and Privacy, Oakland, USA (1993)
36 Mohan, S B and Adiga, B S 'Fast algorithms for implementing RSA public key cryptosystem', Electron. Lett., Vol 21 (1985) p 761
37 de Waleffe, D and Quisquater, J-J 'CORSAIR: A smartcard for public key cryptosystems', Adv. Cryptology-CRYPTO '90, Springer-Verlag, Berlin (1991) pp 502-513