TY - JOUR AU - Zeng, Cheng AB - 1 Introduction
With the rapid advance of computer and network technology, the demand for secure communication [1] keeps growing, and the limitations of symmetric cryptosystems in key distribution and key management no longer match that development. In 1976, Diffie and Hellman [2] proposed public key cryptography, which solved the key distribution problem. Distributing public keys, however, remained a hard problem: the authenticity of a public key is not guaranteed, which leaves key exchange open to man-in-the-middle attacks, see [3, 4]. To bind a public key to its owner, a certificate mechanism, public key infrastructure (PKI) [5, 6], was proposed; it establishes a secure correspondence between a user's identity and the user's key and so solves the key management problem. Certificate-based PKI certification authorities [7–9] have been widely deployed and validated over the past three decades and have contributed greatly to information security, especially to person-centric identity authentication in e-government, finance, office automation and other fields [10–12]. With the rise of the Internet of Things (IoT) [13, 14], however, the subject of authentication is no longer limited to people: it increasingly involves devices, sensors and other physical entities, and extends to the identity authentication and communication security of non-physical objects such as software and microservices [15, 16]. In particular, IoT terminals not only require narrowband communication and low-power computation, but also exist in very large numbers over wide geographic areas.
In addition, IoT applications themselves have diverse and specialised business requirements [17], so their security protection differs from traditional human-oriented Internet security. The limitations of traditional PKI certificate authentication in the IoT are gradually emerging. Identity-based public key algorithms such as SM9 [18], PKIot [19] and PKI4IoT [20] have therefore been proposed and applied to IoT security. A general class of identity-based public key cryptosystems is the combined public key (CPK) [21–23]. Very recently, related schemes such as efficient privacy-preserving spatial range query over outsourced encrypted data [24], a time-controllable keyword search scheme with efficient revocation in mobile e-health cloud [25], and efficient privacy-preserving spatial data query in cloud computing [26] have been proposed in place of conventional schemes.

In this paper we present an identity key generation protocol based on the SM2 public key cryptographic algorithm [27, 28], integrating an identity public key generation protocol. Our approach, identity public key (IPK), consists of three steps: (1) the mapping sequence of the terminal identity is determined from the identity together with the randomly generated public keys of the terminal and of the key center; (2) the h (h ≥ 32) elements of the combined public and private key matrices that this mapping sequence selects are summed to give the public and private keys of the identity, and these are combined with the random public and private keys of the key center to obtain the distributed public and private keys; (3) the terminal combines the distributed keys with the random public and private keys it generated itself, which never leave the terminal, to obtain its final public and private keys.

The paper is organised as follows: Section 2 describes the generation of private and public keys; Section 3 analyses the security of IPK; the final section summarises.

2 Technical design
IPK is an identity-based key generation protocol built on SM2 public key cryptography. It comprises matrix generation, private key generation and public key computation. The IPK identity key generation protocol transforms existing public keys into identity-based public keys in a combinatorial way, solving the problems of public key distribution and proof of ownership. Its technical principle is the combinatorial property of ECC [29]: the sum of several private keys and the sum of the corresponding public keys again form a valid key pair. Suppose that the sum of the private keys is Then the sum of the public keys is given by Clearly, (r, R) forms a new public and private key pair, since Some of the symbols and abbreviations used in this paper are listed in Table 1.

Table 1. Symbols and abbreviations. https://doi.org/10.1371/journal.pone.0312690.t001

2.1 Generation of matrix
The security-sensitive parameter of the IPK identity key generation protocol is the private key matrix; it is used to generate private keys and it fixes the relationship between a private key and its IPK identity key. Its elements are 256-bit random numbers, and its size is m × h, where m and h are both powers of 2 and m ≥ h ≥ 32. Each generated private key is likewise a 256-bit random number. Although the probability of a collision between two elements is very small (no more than 2^{-256}), such a collision would reduce the security of the system, so the m × h random numbers of the private key matrix are required to be pairwise distinct. Suppose that we have selected m × h distinct 256-bit random numbers r_{i,j}, where i ∈ {0, 1, …, m − 1} and j ∈ {0, 1, …, h − 1}. Each r_{i,j} is reduced modulo the order n of the SM2 base point G, that is, Let sk_{i,j} be the element in row i and column j of the private key matrix. When the matrix is generated, the elements sk_{i,j} are compared pairwise; the matrix is valid only when they are all different, otherwise new random numbers are drawn and the affected elements recomputed until the condition holds. Once the private key matrix is fixed, the corresponding public key matrix element is computed from it, that is, where PK_{i,j} is the element in row i and column j of the public key matrix. The private key matrix is held only by the key center and is stored in a hardware cryptographic device for its entire lifecycle. The public key matrix is the public parameter of the IPK protocol: it is distributed to every terminal as a file and stored there, since a terminal needs it to compute the public keys of other parties.
2.2 Generation of private key
The process in Fig 1 is explained through Alice applying for a private key:
(1) Alice randomly generates an SM2 key pair (r1, R1), where R1 = [r1]G; she caches the private key factor r1 and sends R1 and her identity IDA to the key center.
(2) The key center randomly generates a key pair (r2, R2), where R2 = [r2]G, and computes Alice's declared public key RA = R1 + R2.
(3) The key center takes IDA as the data and RA as the key, computes the SM3-based HMAC (the same HMAC that Bob recomputes in Section 2.3), and obtains a 32-byte hash value.
(4) The hash value is evenly divided into h groups, and the value vi of each group is reduced modulo m, that is,
(5) Select h private key matrix elements: The key center calculates the identity private key iskm as the sum of the h selected elements modulo n The key center then forms the first-order composite private key isk′ = (iskm + r2) mod n
(6) The key center sends isk′ and RA to the applicant Alice over a secure channel.
(7) Alice adds her cached private key factor r1 to obtain the second-order composite private key isk = (isk′ + r1) mod n, then erases r1 and stores isk together with the declared public key RA.

Fig 1. Process for generating a private key. https://doi.org/10.1371/journal.pone.0312690.g001

As the procedure shows, generating an IPK private key amounts to computing the matrix coordinates selected by the identity and the declared public key, and adding the selected matrix elements. This does not weaken the SM2 algorithm: the resulting private key satisfies the randomness requirement of an SM2 private key, because the random numbers r1 contributed by the applicant and r2 generated by the key center are added to it.

2.3 Computation of public key
Fig 2 describes the generation of the public key.
Alice sends IDA and RA to Bob, who computes Alice's final public key with the public key generation algorithm:
(1) Bob takes IDA as the data and RA as the key, computes the SM3-based HMAC, and obtains the 32-byte hash value.
(2) The hash value is evenly divided into h groups, and the value vi of each group is reduced modulo m, that is,
(3) Select the h public key matrix elements PKi, i = 0, 1, …, h − 1, one from each column i at the row given by vi;
(4) Compute the identity public key IPKm = PK0 + PK1 + ⋯ + PKh−1;
(5) Compute Alice's composite public key IPKA = RA + IPKm.

Fig 2. Process for generating a public key. https://doi.org/10.1371/journal.pone.0312690.g002

By the technical principle of Section 2, the public key obtained in this way corresponds to the private key of Section 2.2: [isk]G = [iskm + r2 + r1]G = IPKm + R2 + R1 = IPKm + RA = IPKA, so the two form a key pair. Because the matrix coordinates are selected from a binding of the signer Alice's identity IDA with her declared public key RA, the construction prevents substitution of the declared public key and realises the binding between the identity and the declared public key.
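The procedure of Sections 2.1–2.3 can be exercised end to end in a few dozen lines. The following Python code is an added example written for this page from the description above; it is not code from the paper or its authors. It implements the SM2 curve arithmetic directly from the standard curve parameters, uses HMAC-SM3 when the local OpenSSL build exposes SM3 and otherwise falls back to HMAC-SHA256 as a stand-in, and feeds the declared public key into the HMAC as its 64-byte affine coordinates; these encoding choices and all function names are assumptions, as the paper does not fix them. The last function checks the key pair relation [isk]G = IPK_A that Section 2.3 asserts.

```python
# Added example (not the paper's code): the IPK key generation protocol of
# Sections 2.1-2.3 over the SM2 curve, written from the paper's description.
# Assumptions: HMAC-SM3 if this Python's OpenSSL exposes sm3, else HMAC-SHA256
# as a stand-in (also 32 bytes); R_A enters the HMAC as its 64-byte coordinates.
import hashlib
import hmac
import secrets

# SM2 recommended curve (GB/T 32918.5): y^2 = x^3 + A*x + B over F_P, base point G of prime order N
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)

try:                      # prefer SM3 (the paper's hash); SHA-256 is an assumed stand-in
    hashlib.new("sm3")
    DIGEST = "sm3"
except ValueError:
    DIGEST = "sha256"

def is_on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition on the SM2 curve; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P   # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication [k]pt (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def rand_scalar():
    return secrets.randbelow(N - 1) + 1                   # uniform in [1, N-1]

def gen_matrices(m, h):
    """Section 2.1: m x h private matrix of pairwise distinct scalars mod N (the
    paper regenerates on any collision) and the public matrix PK[i][j] = [sk[i][j]]G."""
    seen, sk = set(), [[0] * h for _ in range(m)]
    for i in range(m):
        for j in range(h):
            r = rand_scalar()
            while r in seen:
                r = rand_scalar()
            seen.add(r)
            sk[i][j] = r
    return sk, [[ec_mul(x, G) for x in row] for row in sk]

def coordinates(identity, R, m, h):
    """HMAC(key = R, data = ID) cut into h equal groups; v_j = group_j mod m is the
    row used in column j (with h = 32, the paper's parameter, a group is one byte)."""
    key = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    mac = hmac.new(key, identity, DIGEST).digest()
    step = len(mac) // h
    return [int.from_bytes(mac[j * step:(j + 1) * step], "big") % m for j in range(h)]

def key_center_issue(sk, identity, R1):
    """Key center side of Fig 1: fresh (r2, R2), R_A = R1 + R2, identity private key
    iskm from the selected elements, first-order composite key isk' = iskm + r2."""
    m, h = len(sk), len(sk[0])
    r2 = rand_scalar()
    RA = ec_add(R1, ec_mul(r2, G))
    v = coordinates(identity, RA, m, h)
    iskm = sum(sk[v[j]][j] for j in range(h)) % N
    return (iskm + r2) % N, RA

def alice_apply(sk, identity):
    """Applicant side of Fig 1: keep r1, get (isk', R_A) back, finish isk = isk' + r1."""
    r1 = rand_scalar()
    isk_prime, RA = key_center_issue(sk, identity, ec_mul(r1, G))   # secure channel
    return (isk_prime + r1) % N, RA

def bob_public_key(pk, identity, RA):
    """Section 2.3: from (ID_A, R_A) and the public matrix, IPK_A = R_A + sum_j PK[v_j][j]."""
    m, h = len(pk), len(pk[0])
    ipkm = None
    for j, i in enumerate(coordinates(identity, RA, m, h)):
        ipkm = ec_add(ipkm, pk[i][j])
    return ec_add(RA, ipkm)

def consistent(m, h, identity=b"alice@example.com"):
    """End-to-end check of the paper's principle: [isk]G must equal Bob's IPK_A."""
    sk, pk = gen_matrices(m, h)
    isk, RA = alice_apply(sk, identity)
    return ec_mul(isk, G) == bob_public_key(pk, identity, RA)
```

Calling consistent(32, 32) runs the paper's smallest parameter set; it is slow in pure Python only because building the public matrix costs m·h scalar multiplications, which a key center does once and offline. The scalar multiplication here is not constant time and the HMAC fallback is not SM3, so the code is for understanding the protocol, not for deployment.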
3 Security analysis
The security of the IPK key generation protocol is examined in four respects: first, whether the private key matrix is exposed to a collusion attack; second, how the matrix size affects security; third, whether the declared public key is exposed to a substitution (replacement) attack; and finally, whether the composite private key is collision resistant.

3.1 Security of private key
3.1.1 Security of private key matrix.
Theorem 3.1. If the one-time pad (OTP) is secure, then the private key matrix of the IPK algorithm is secure.
The first-order composite private key isk′ that an attacker obtains from the key center consists of two parts: the identity private key iskm and the random value r_{i,2} generated by the key center, namely isk′ = iskm + r_{i,2}, where the key center draws a fresh r_{i,2} for every issuance, so they are all different. Suppose that the private key matrix is sk = (a_{ij})_{m×h}. According to the private key generation algorithm, the key center takes the attacker's identity IDi as the data and the declared public key as the key, computes the SM3-based HMAC, maps the value to matrix coordinates, and records the sum of the h selected elements as the matrix identity private key, i.e., The final private key output by the key center is Let where t1, t2, ⋯, tm ∈ {0, 1}. We can thus rewrite mski as By the private key generation principle, m^h distinct identity private keys can be generated from the private key matrix. The equations for all of them are: We denote this system by T ⋅ SK = MSK, where Clearly, the private key matrix generates m^h different private keys mski, and all of them make up the vector MSK. The attacker's objective is to solve for SK from the relation T ⋅ SK = MSK. Nan [22] proved that a general solution can be found from this relation and that it has the same effect as the original private key matrix, since every identity private key it produces agrees with the original. To counter this attack, our method adds the randomly generated value r_{i,2} of the key center, which prevents the attacker from exploiting the relation above and restricts him to the keys isk′_i = mski + r_{i,2}, i = 1, 2, …, m^h.
We then write T ⋅ SK + R = ISK, where The problem is thus transformed into the original matrix relation with noise R added, which destroys the linear relation T ⋅ SK = MSK; Gaussian elimination no longer applies and no efficient algorithm is known. Since R is sampled uniformly at random, H(SK | ISK) = H(SK): knowing ISK gives the attacker no information about the private key matrix SK, so the scheme has perfect secrecy. The system can be regarded as a one-time pad whose random key is R. An attacker who obtained SK (or T ⋅ SK) from ISK without knowing R could break any one-time pad, which contradicts what is known, so the private key matrix in IPK is secure and resists linear collusion attacks. This argument requires that every r_{i,2} be fresh, uniformly random and used once; if the key center reused an r2 across issuances, the differences of the corresponding isk′ values would again satisfy the linear relation.

3.1.2 Security of the second-order composite private key.
The hardness of the elliptic curve discrete logarithm problem (ECDLP) [30, 31] underlies the security of elliptic curve cryptographic schemes; under well-known conditions the ECDLP is intractable for all known attacks [32].
Theorem 3.2. If the ECDLP is hard, the second-order composite private key of the IPK algorithm is secure.
Suppose there is an attacker A1 who plays an honest-but-curious key center and tries to obtain the second-order composite private key (equivalent to obtaining the private key of the user identity). The attacker's behaviour is defined as follows: Alice randomly generates a key pair (r1, R1) with R1 = [r1]G; Alice sends R1 and her identity to A1; A1 randomly chooses (r2, R2) with R2 = [r2]G, uses Alice's identity and the declared public key R = R1 + R2 to generate the identity private key iskm, and obtains the first-order composite private key isk′ = (iskm + r2) mod n.
From the attacker's view, the user's public key R1, the first-order composite private key isk′ and the second-order composite signature public key IPK are all available. Alice's final signing private key is the second-order composite private key isk = isk′ + r1 and its public key is IPK. To obtain isk, A1 must recover r1 from R1 or isk from IPK; either is a discrete logarithm and hence hard under the ECDLP assumption.

3.2 Private key matrix size and its security
The quantitative security of a cryptographic scheme is called its security strength or security level (hereafter security strength). It usually refers to the computational cost of solving the underlying hard problem, for a given parameter choice, under the best known attack. The following defines the security strength of public key schemes.
Definition 1. If the time required to determine the key of a public key cryptosystem is similar to the time needed to determine the key of a symmetric cryptosystem, the security strength of the public key cryptosystem is defined as the key length of that symmetric cryptosystem.
The security of the private key matrix relies on the large number of partitions of a large integer. For integer partitions [33], the following lemmas are immediate.
Lemma 3.1. Suppose that 1 ≤ vi ≤ ℓ for each i ∈ {1, 2, …, t} and . The following equation with has the largest number of solutions.
Lemma 3.2. Let v1, v2 be integers on the interval [1, ℓ], where . We have When ℓ is large enough, the probability can be approximated by 2/ℓ. Moreover, if ℓ′ integers in [1, ℓ] cannot be selected, we have
Lemma 3.3. If all integers vi ∈ [1, ℓ] are chosen at random, then we have The maximum probability is attained at t = 2, which is Lemma 3.2.
Theorem 3.3. For m, h ≥ 32, the private key matrix is collision resistant.
Proof.
Let u1, u2, …, uh be the array formed by extracting one element per column from the m × h matrix the first time, and v1, v2, …, vh the second time. After a matrix M is chosen, the collision probability under this matrix can be denoted as Let B be the event {v1 + v2 + ⋯ + vh = u1 + u2 + ⋯ + uh, with ui, vi not all the same}. By the total probability formula, the average collision probability is Note that B here does not mean that ui, vi are chosen at random. The process is: first randomly select u1, u2, …, uh; then give each of u1, …, uh m − 1 further numbers and let them form the h columns of the matrix, denoted A(u1, u2, …, uh), abbreviated Au. Apart from the fixed elements u1, …, uh, the remaining entries of Au are filled at random. Then v1, v2, …, vh are extracted from Au. Note that the probability that vi equals ui is 1/m, and the probability that vi takes any other value is (m − 1)/m shared equally. Hence, We now focus on According to the selection requirements, we have Let Since t ≠ uh in already satisfies the condition that ui, vi are not all identical, this condition is no longer required. For the two sums to be equal, at most h − 2 of the remaining h − 1 numbers vi coincide with the corresponding ui. For convenience we index the coinciding numbers backwards, starting from uh−1. It follows that Note that v1 = s − t − uh−1 − ⋯ − u2 is a fixed constant. Hence, (1) For the probability Pi = P(v1 + ⋯ + vi = s − t − uh−1 − ⋯ − ui+1), the random selections v1, v2, …, vi can be made from at least 2^{256} − mh numbers. By Lemmas 3.1, 3.2 and 3.3 we derive In addition, we usually take m ≥ h ≥ 32, so Thus, (2) Combining Eqs (1) and (2) we obtain We now give an upper bound for . Let s′ = s − uh. We get Iterating repeatedly we deduce that Clearly, . Recall that m, h ≥ 32.
We directly get We then have We finally derive As m and h increase, P(B) decreases. Therefore the upper bound of P(B) is largest at m = h = 32, i.e., This probability is small enough for our private key matrix to be collision resistant.

As shown above, the security strength depends on the choice of m and h. This paper proposes four parameter sets: (1) m = 32, h = 32; (2) m = 64, h = 32; (3) m = 128, h = 32; (4) m = 256, h = 32. Their security strengths are shown in Table 2.

Table 2. Proposed parameters for private key matrix. https://doi.org/10.1371/journal.pone.0312690.t002

3.3 Non-existence of substitution attacks
Suppose that an attacker A can replace any user identity ID and declared public key R with values of his choice, and that his goal is to produce the same composite public key IPK as the original user. Attacker A and challenger C play the following game:
System initialization: the challenger C sets up the system, obtains the public key matrix PKM and sends PKM to A;
Declared public key query: A may query the declared public key of any identity IDi; C returns the declared public key of IDi;
Output: A outputs (IDB, RB, IPKA), where the declared public key of IDA has been queried. If C checks that the composite public key generated from (IDB, RB) equals IPKA, the attacker has succeeded.
Theorem 3.4. In the random oracle model, if SM3 is one-way and collision resistant, IPK resists substitution attacks.
Proof. If an attacker A can use (IDB, RB) to produce the composite public key IPKA, the identity public key is IPKm = IPKA − RB.
Following the public key computation, the challenger C takes the identity IDB as the data and the declared public key RB as the key, computes the SM3-based HMAC and obtains a 32-byte hash value h (not to be confused with the column count). Because the hash value determines the identity public key, let the hash value corresponding to IPKm be h1; we obtain the relation If the attacker can produce a (IDB, RB) meeting this requirement, then a message and key yielding a prescribed SM3 hash value can be found, contradicting the one-wayness and collision resistance of SM3. Hence the IPK scheme is resistant to substitution attacks. Note that only the h coordinate values vi derived from the hash enter IPKm, so the attacker does not need a full 256-bit collision: whether IDB or RB is substituted, the search reduces to hitting a prescribed h-entry coordinate vector, i.e. about m^h = 2^{h·log2 m} trials (2^160 for m = h = 32). This is why the matrix size of Section 3.2 determines the security strength.

3.4 Security of composite private keys
The previous subsections considered the security of each part of the composite private key; this subsection considers collisions between composite private keys.
Theorem 3.5. Given a random integer in the interval [0, 2^N − 1), the probability of guessing it correctly is 1/2^N, so the identification cost is O(2^N). In other words, if the probability of collision depends on the length of the number, it is an NP problem.
Next we show that generating a composite private key in our scheme is an NP problem. Recall that the order of the base point in the SM2 algorithm is never lower than α·2^N, where α > 0.
Theorem 3.6. The collision probability of the composite private key does not exceed 1/(α·2^N). Therefore, the cost of breaking IPK is at least O(2^N), and breaking the composite private key is NP-hard.
Proof. Consider the first extracted composite private key isk = u1 + u2 + ⋯ + uh + r1 + r2, where isk ranges over all possible values. If a re-extracted composite private key isk* = v1 + v2 + ⋯ + vh + γ1 + γ2 collides with isk, the collision probability is . Note that the two extractions are random and independent.
By the total probability formula, we have We focus on the value of . Let s = γ1 + γ2. Using the total probability formula again, we obtain Note that the sum of v1, …, vh must equal isk − s if γ1, γ2 are chosen accordingly. But the choice of v1, …, vh depends on the declared public key through the SM3-based HMAC value and can therefore be regarded as independent of γ1, γ2. It follows that Hence, Recall that the order n of the base point is no less than α·2^N. Once γ1 is selected, the only choice for γ2 is s − γ1, which implies P(γ1 + γ2 = s) ≤ 1/(α·2^N). We then have Therefore, In summary, the collision probability is not more than 1/(α·2^N), as desired.
Remark 1. In the SM2 algorithm N = 256 is typically employed. Consequently, the collision probability of our composite private key does not exceed 1/(α·2^256), and since α is not overly small, this probability is generally less than 1/2^200. Such a small-probability collision problem can be transformed into a circuit satisfiability problem [34], which belongs to NP. Therefore, the problem of cracking the composite private key is also an NP problem.
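The collusion argument of Section 3.1.1 can be checked at toy scale. The Python code below is an added example for this page, not code from the paper: it builds the selector matrix T for a 2 × 3 private key matrix (the paper requires m ≥ h ≥ 32; the small size is an assumption made for speed), solves T · SK = MSK by Gaussian elimination over Z_n and confirms that the recovered matrix reproduces every identity private key, which is the "same effect" result the paper attributes to Nan [22]. It then counts the unknowns that remain free once a fresh r2 is added to each issued key: in the plain system only h − 1 entries are undetermined (per-column shifts that sum to zero), with masking all m·h matrix entries are, which is the statement H(SK | ISK) = H(SK) in concrete form. The function names are the example's own.

```python
# Added example (not from the paper): the linear collusion attack of Section 3.1.1
# on an unmasked private key matrix, run at toy scale, and the effect of the key
# center's fresh randomizer r2 on every issued key. Toy sizes (m = 2, h = 3) are an
# assumption for speed; the paper requires m >= h >= 32. Arithmetic is over Z_n
# with n the SM2 base-point order (a prime), so modular inverses always exist.
import itertools
import secrets

N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123

def selectors(m, h):
    """All ways of taking one row per column: the m^h selection vectors t of T."""
    return list(itertools.product(range(m), repeat=h))

def t_row(sel, m, h):
    """0/1 row of T over the m*h unknowns sk[i][j], flattened as index i*h + j."""
    row = [0] * (m * h)
    for j, i in enumerate(sel):
        row[i * h + j] = 1
    return row

def msk(sk, sel):
    """Identity private key for one selection: the sum of the chosen elements mod n."""
    return sum(sk[i][j] for j, i in enumerate(sel)) % N

def rref_mod_p(rows, p):
    """Reduced row echelon form over GF(p); returns (rows, pivot columns)."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0])):
        piv = next((k for k in range(r, len(rows)) if rows[k][c] % p), None)
        if piv is None:
            continue                                   # free column
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], -1, p)
        rows[r] = [x * inv % p for x in rows[r]]
        for k in range(len(rows)):
            if k != r and rows[k][c]:
                f = rows[k][c]
                rows[k] = [(x - f * y) % p for x, y in zip(rows[k], rows[r])]
        pivots.append(c)
        r += 1
    return rows, pivots

def random_matrix(m, h):
    """Key center's secret: m x h nonzero scalars mod n (distinctness not enforced here)."""
    return [[secrets.randbelow(N - 1) + 1 for _ in range(h)] for _ in range(m)]

def collude_unmasked(sk):
    """Attacker holding every msk_i with no r2 added: solve T.SK = MSK and return a
    matrix SK' (free unknowns set to 0) that reproduces every msk_i."""
    m, h = len(sk), len(sk[0])
    sels = selectors(m, h)
    aug = [t_row(s, m, h) + [msk(sk, s)] for s in sels]   # [T | MSK]
    rows, pivots = rref_mod_p(aug, N)
    x = [0] * (m * h)
    for k, c in enumerate(pivots):
        if c < m * h:                                    # consistent system: never the RHS column
            x[c] = rows[k][-1]
    return [[x[i * h + j] for j in range(h)] for i in range(m)]

def same_effect(sk, sk2):
    """True when sk2 yields the same identity private key as sk for every selection."""
    return all(msk(sk, s) == msk(sk2, s) for s in selectors(len(sk), len(sk[0])))

def free_unknowns(m, h):
    """Unknowns the attacker cannot pin down: (no r2, fresh r2 per key). With masking
    the system is T.SK + R = ISK, so every r2 is one more unknown, giving [T | I]."""
    sels = selectors(m, h)
    T = [t_row(s, m, h) for s in sels]
    _, piv_plain = rref_mod_p(T, N)
    masked = [row + [1 if k == i else 0 for k in range(len(sels))] for i, row in enumerate(T)]
    _, piv_masked = rref_mod_p(masked, N)
    return m * h - len(piv_plain), m * h + len(sels) - len(piv_masked)
```

For m = 2, h = 3 the plain system has rank m·h − h + 1 = 4 in 6 unknowns, so the solver returns a matrix that differs from the true one by column-wise shifts yet issues identical keys; the masked system [T | I] has rank m^h = 8 in 6 + 8 unknowns, leaving all six matrix entries free, so any candidate matrix is consistent with the observed isk′ values.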
According to the private key generation algorithm, the key center takes the attacker ID IDi as the data and the declared public key as the private key to calculate the HMAC value based on SM3, and maps the value to the private key matrix, and then he sum of the obtained h numbers is recorded as the matrix ID private key, i.e., The final output private key of the key center is Let where t1, t2, ⋯, tm ∈ {0, 1}. We thus rewritten mski by By the principle of private key generation, a total of mh distinct private keys can be generated from the private key matrix. Subsequently, the equations based on all the private keys are listed as follows: We can simply denote the above equation by T ⋅ SK = MSK, where Clearly, there are mh different private keys mski generated by the private key matrix. All possible private keys mski consist the matrix MSK. The objective of the attacker is to solve SK under the relation T ⋅ SK = MSK. Nan [22] has proved that the general solution of the private key matrix can be found from the relation, which has the same effect as the original private key matrix. To counteract the attack, this method incorporates the randomly generated key ri,2 from the key center. This prevents attackers from deducing the correspondence mentioned above and restricts their access to only obtaining the key isk′ = mski + ri,2, where i = 1, 2, …, mh. We simply let T ⋅ SK + R = ISK, where This problem can be transformed into adding noise R to the original matrix relationship, which destroys the original linear relationship T ⋅ SK = MSK, and the Gaussian elimination method is invalid, so there is no effective algorithm to solve it. Since R is random sampling, then entropy H(SK|ISK) = H(SK), which means that even knowing ISK does not increase the attacker’s knowledge of the private key matrix SK, so our method has perfect confidentiality. The system can be regarded as a one-time encryption OTP, where R is the random key of the OTP. 
If an attacker obtains SK (or T ⋅ SK) from ISK without knowing R, the attacker can crack any OTP system, which contradicts the known reality, so the private key matrix in the IPK is secure and resistant to linear collusion attacks. 3.1.2 Security of the second-order composite private key. The hardness of the elliptic curve discrete logarithm problem (ECDLP) [30, 31] is crucial for the security of elliptic curve cryptographic schemes. Under some well known conditions, such as the ECDLP is intractable against all known attacks [32]. Theorem 3.2. If the ECDLP problem is hard, the second-order composite private key of the IPK algorithm is secure. Suppose there exists an attacker A1 who impersonates an honest and curious key center and wants to try to obtain the second-order combined private key (equivalent to obtaining the private key of the user ID). We can formally define the behavior of the attacker, as following: Alice randomly generates a key pair (r1, R1) that satisfies R1 = [r1]G; Alice sends R1 and the ID to attacker A1; Attacker A1 randomly choose (r2, R2), where R2 = [r2]G, use the ID of Alice and the declared public key R = R1 + R2 to generate the declared private key iskm, and then get the first-order composite private key isk′ = (iskm + r2) mod n. In the view of attacker, the user’s public key R1, the first-order composite private key isk′ and the second-order composite signature public key IPK can be obtained. The final signature private key of Alice is the second-order compound private key isk = isk′ + r1, and the corresponding public key is IPK. There are two ways for attacker A1 to obtain the user’s private key isk, from R1 or IPK to resolve the private key, which is difficult since the ECDLP problem is hard. 3.1.1 Security of private key matrix. Theorem 3.1. If the one-time encryption OTP (one-time password) is secure, then the security of the private key matrix in the IPK algorithm is ensured. 
The first-order composite private key isk′ that an attacker obtains from the key center consists of two parts: the identity private key iskm and the value ri,2 randomly generated by the key center, i.e., isk′ = iskm + ri,2, where the key center draws a fresh ri,2 for every request, so no two issued keys share a mask. Suppose that the private key matrix is SK = (aij)m×h. According to the private key generation algorithm, the key center takes the attacker's identity IDi as the message and the declared public key as the key, computes the SM3-based HMAC value, maps that value onto the private key matrix, and records the sum of the h selected entries as the matrix identity private key, i.e., The final output private key of the key center is Let where t1, t2, ⋯, tm ∈ {0, 1}. We can thus rewrite mski as By the principle of private key generation, a total of m^h distinct private keys can be generated from the private key matrix. The equations based on all these private keys are listed as follows: We denote the above system by T ⋅ SK = MSK, where Clearly, the private key matrix generates m^h different private keys mski, and all of them together form the matrix MSK. The objective of the attacker is to solve for SK from the relation T ⋅ SK = MSK. Nan [22] proved that a general solution of this system can be found, and that any such solution has the same effect as the original private key matrix: it yields the same mski for every mapping sequence. To counteract this attack, the present method incorporates the random value ri,2 generated by the key center. This prevents the attacker from recovering the linear relation above and restricts the attacker to obtaining only the masked key isk′ = mski + ri,2, where i = 1, 2, …, m^h.
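The collusion attack described above, and what the key center's random ri,2 does to it, as an added example that is not part of the paper: the code builds a toy private key matrix, gives the colluders the matrix key of every one of the m^h mapping sequences (the model of the argument above), solves T ⋅ SK = MSK by Gauss-Jordan elimination over a prime field, and checks whether the recovered matrix reproduces the matrix keys of identities that never colluded. Assumptions not fixed by the paper: a toy prime P replaces the SM2 base-point order n, HMAC-SHA256 replaces the SM3-based HMAC, the declared public key is modelled as 32 random bytes, and digest byte j mod m selects the row used in column j.

```python
import hashlib
import hmac
import itertools
import random

# Toy prime standing in for the SM2 base-point order n (assumption; any prime works here).
P = 2_147_483_647


def map_identity(identity: bytes, declared_pk: bytes, m: int, h: int) -> tuple:
    """Assumed mapping: HMAC(key = declared public key, msg = ID), SHA-256 in place of SM3;
    digest byte j mod m is the row selected in column j of the m x h matrix."""
    digest = hmac.new(declared_pk, identity, hashlib.sha256).digest()
    return tuple(digest[j % len(digest)] % m for j in range(h))


def matrix_key(sk, rows) -> int:
    """msk_i: the sum of one matrix entry per column, rows fixed by the mapping."""
    return sum(sk[r][j] for j, r in enumerate(rows)) % P


def selection_row(rows, m: int, h: int) -> list:
    """The 0/1 row of T for one mapping; unknown entry (r, j) has index r*h + j."""
    t = [0] * (m * h)
    for j, r in enumerate(rows):
        t[r * h + j] = 1
    return t


def solve_mod_p(T, rhs, nvars: int, p: int = P):
    """Gauss-Jordan elimination over GF(p). Returns one solution of T.x = rhs
    (free variables set to 0) or None when the system is inconsistent."""
    A = [row[:] + [b % p] for row, b in zip(T, rhs)]
    pivot_cols, r = [], 0
    for c in range(nvars):
        if r == len(A):
            break
        piv = next((i for i in range(r, len(A)) if A[i][c] % p), None)
        if piv is None:
            continue                      # no pivot: column c is a free variable
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, p)
        A[r] = [(x * inv) % p for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(x - f * y) % p for x, y in zip(A[i], A[r])]
        pivot_cols.append(c)
        r += 1
    if any(A[i][nvars] for i in range(r, len(A))):
        return None                       # a row reads 0 = nonzero: no matrix fits the data
    x = [0] * nvars
    for i, c in enumerate(pivot_cols):
        x[c] = A[i][nvars]
    return x


def recover_matrix(m: int, h: int, observed):
    """observed: (rows, key) pairs held by the colluders. Solve T.SK = MSK for SK."""
    T = [selection_row(rows, m, h) for rows, _ in observed]
    x = solve_mod_p(T, [key for _, key in observed], m * h)
    if x is None:
        return None
    return [[x[r * h + j] for j in range(h)] for r in range(m)]


def collusion_attack(m: int = 4, h: int = 3, masked: bool = False, seed: int = 7) -> bool:
    """Colluders hold a key for every one of the m**h mappings (the model of Theorem 3.1).
    With masked=True the key center adds a fresh random r_{i,2} to every key it issues.
    Returns True if the attacker ends up with a matrix that is not the real one but
    yields the correct matrix key for identities that never colluded."""
    rng = random.Random(seed)
    sk = [[rng.randrange(1, P) for _ in range(h)] for _ in range(m)]
    observed = []
    for rows in itertools.product(range(m), repeat=h):
        key = matrix_key(sk, rows)
        if masked:
            key = (key + rng.randrange(P)) % P          # isk' = msk_i + r_{i,2}
        observed.append((rows, key))
    rec = recover_matrix(m, h, observed)
    if rec is None:
        return False
    for i in range(16):                                  # forge keys of non-colluding devices
        identity = f"device-{i}".encode()                # constructed sample identities
        declared_pk = rng.getrandbits(256).to_bytes(32, "big")  # R = R1 + R2 looks random to the attacker
        rows = map_identity(identity, declared_pk, m, h)
        if matrix_key(rec, rows) != matrix_key(sk, rows):
            return False
    return rec != sk                                     # a different matrix with the same effect
```

collusion_attack() returns True: the 64 selection rows span a space of dimension mh − h + 1 = 10, so the solver returns a matrix that differs from SK in its two free entries yet yields the same sum for every mapping sequence, which is exactly the "same effect" solution of Nan [22]. collusion_attack(masked=True) returns False: with a fresh ri,2 on every key the right-hand side leaves the column space of T, elimination ends on a row reading 0 = nonzero, and no matrix explains the observed keys. The check that every ri,2 is fresh is what makes this hold; reusing a mask across requests reintroduces solvable equations.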
We then write T ⋅ SK + R = ISK, where Adding the noise R to the original matrix relation destroys the linear relationship T ⋅ SK = MSK, Gaussian elimination no longer applies, and from (T, ISK) alone SK cannot be recovered by any algorithm. If each ri,2 is drawn uniformly and independently, then H(SK | ISK) = H(SK): knowing ISK does not increase the attacker's knowledge of the private key matrix SK, so the masked relation has perfect secrecy. The system can be regarded as a one-time pad (OTP) in which R is the pad. If an attacker could obtain SK (or T ⋅ SK) from ISK without knowing R, the attacker could break any one-time pad, which contradicts its unconditional security; hence the private key matrix in IPK is secure against linear collusion attacks. Two conditions are essential to this argument: every ri,2 must be uniform in [1, n) and fresh, and each is used once. Moreover, the information-theoretic statement concerns the view (T, ISK) alone: since [ri,2]G enters the declared public key R = R1 + R2, the pad is also committed to in public, and its secrecy there rests on the hardness of the ECDLP (Theorem 3.2), not on the OTP argument. 3.1.2 Security of the second-order composite private key. The hardness of the elliptic curve discrete logarithm problem (ECDLP) [30, 31] is crucial for the security of elliptic curve cryptographic schemes; for suitably chosen curves the ECDLP is intractable against all known attacks [32]. Theorem 3.2. If the ECDLP is hard, the second-order composite private key of the IPK algorithm is secure. Suppose there exists an attacker A1 who plays the role of an honest-but-curious key center and tries to obtain the second-order composite private key (equivalent to obtaining the private key of the user's ID). The attacker's behavior is formalized as follows: Alice randomly generates a key pair (r1, R1) with R1 = [r1]G; Alice sends R1 and her ID to attacker A1; attacker A1 randomly chooses (r2, R2) with R2 = [r2]G, uses Alice's ID and the declared public key R = R1 + R2 to generate the identity private key iskm, and then computes the first-order composite private key isk′ = (iskm + r2) mod n.
From the attacker's point of view, the user's public key R1, the first-order composite private key isk′ and the second-order composite signature public key IPK are all available. Alice's final signing key is the second-order composite private key isk = isk′ + r1, whose public key is IPK. Attacker A1 has two ways to obtain isk: recover r1 from R1 = [r1]G, or recover isk from IPK = [isk]G. Both are instances of the ECDLP and are therefore infeasible if the ECDLP is hard. 3.2 Private key matrix size and its security The quantitative security of a cryptographic scheme is called its security strength or security level (hereinafter security strength). It usually refers to the computational cost of solving the underlying hard problem, for a given parameter choice, with the best currently known attack. The security strength of a public key scheme is defined as follows. Definition 1. If the time required to determine the key of a public key cryptosystem is comparable to the time needed to determine the key of a symmetric cryptosystem, the security strength of the public key cryptosystem is taken to be the key length of that symmetric cryptosystem. The security of the private key matrix relies on the large number of partitions of a large integer. From the theory of integer partitions [33], the following lemmas are immediate. Lemma 3.1. Suppose that 1 ≤ vi ≤ ℓ for each i ∈ {1, 2, …, t} and . The following equation with has the largest number of solutions. Lemma 3.2. Let v1, v2 be integers in the interval [1, ℓ], where . We have When ℓ is large enough, we can approximate the probability by 2/ℓ. Moreover, if there are ℓ′ integers in [1, ℓ] which cannot be selected, we have Lemma 3.3. If all integers vi ∈ [1, ℓ] are chosen at random, then we have The maximum probability is attained at t = 2, which is Lemma 3.2. Theorem 3.3. For m, h ≥ 32, the private key matrix is collision resistant. Proof.
Let u1, u2, …, uh be the array formed by extracting one element per column from the m × h matrix the first time, and v1, v2, …, vh the second time. After a matrix M is chosen, the probability of collision under this matrix can be denoted as We denote the event B = {v1 + v2 + ⋯ + vh = u1 + u2 + ⋯ + uh, where the ui and vi are not all the same}. By the total probability formula, the average collision probability is Note that B here does not mean that the ui and vi are chosen independently at random. The process is as follows: first select u1, u2, …, uh at random; then give each of u1, …, uh m − 1 further numbers and let them form the h columns of the matrix, which we denote A(u1, u2, …, uh), abbreviated Au. Obviously, apart from the fixed elements u1, …, uh in Au, the remaining numbers are filled into Au at random. Now v1, v2, …, vh are extracted from Au. The probability that vi selects ui is 1/m, and the remaining probability (m − 1)/m is shared equally among the other entries of the column. Hence, We now focus on According to the selection requirements, we have Let Since t ≠ uh in already satisfies the condition that the ui and vi are not all identical, this condition need not be imposed again. For the two groups to have equal sums, at most h − 2 of the remaining h − 1 numbers vi can coincide with the corresponding ui. For notational convenience, we list the coinciding numbers backwards, starting from uh−1. It follows that Note that v1 = s − t − uh−1 − ⋯ − u2 is a fixed constant. Hence, (1) For the probability Pi = P(v1 + ⋯ + vi = s − t − uh−1 − ⋯ − ui+1), the random selections of v1, v2, …, vi can be made from at least 2^256 − mh numbers. By Lemmas 3.1, 3.2 and 3.3, we derive In addition, we usually take m ≥ h ≥ 32. Then we obtain Thus, (2) Combining Eqs (1) and (2) we obtain We now give an upper bound for . Let s′ = s − uh. We get Iterating the above equation repeatedly we deduce that Clearly, . Recall that m, h ≥ 32.
We directly get We then have We finally derive As m and h increase, P(B) decreases monotonically. Therefore, the upper bound of P(B) is maximized at m = h = 32, i.e., This probability is small enough that our private key matrix is collision resistant. As shown above, the security strength depends on the choice of m and h. This paper proposes four parameter sets: (1) m = 32, h = 32; (2) m = 64, h = 32; (3) m = 128, h = 32; (4) m = 256, h = 32. Their security strengths are given in Table 2. Table 2. Proposed parameters for private key matrix. https://doi.org/10.1371/journal.pone.0312690.t002 3.3 Non-existence of substitution attacks Suppose that an attacker A is able to replace any user's ID and declared public key R with arbitrary values, and that the goal of the attack is to produce the same composite public key IPK as the original user. Attacker A and challenger C play the following game: System initialization: challenger C runs the system setup to obtain the public key matrix PKM and sends PKM to attacker A; Declared public key query: attacker A may query the declared public key of any identity IDi, and the challenger returns the declared public key of IDi; Output: attacker A outputs (IDB, RB, IPKA), where the declared public key of IDA has been queried. If challenger C finds that the composite public key generated from (IDB, RB) equals IPKA, attacker A wins the game. Theorem 3.4. In the random oracle model, if the SM3 algorithm is one-way and collision resistant, IPK resists substitution attacks. Proof. If attacker A can use (IDB, RB) to produce the composite public key IPKA, the corresponding identity public key is IPKm = IPKA − RB.
According to the public key computation, challenger C takes the identity IDB as the message and the declared public key RB as the key, computes the SM3-based HMAC, and obtains a 32-byte hash value h. Since the hash value uniquely determines the identity public key, let the hash value corresponding to the identity public key IPKm be h1; this gives the relation: If the attacker could generate (IDB, RB) meeting this requirement, then a message and key could be found for any SM3 HMAC value, contradicting the one-wayness and collision resistance of SM3; hence the IPK scheme in this paper resists substitution attacks. 3.4 Security of composite private keys In the previous subsections we considered the security of each part of the composite private key. This subsection considers the collision problem of composite private keys. Theorem 3.5. Given a random integer in the interval [0, 2^N − 1], the probability of guessing it correctly is 1/2^N, so identifying it by exhaustive search costs O(2^N). In other words, when the collision probability is governed by the bit length N of the number, the identification problem is in NP: a guess is verified in polynomial time, while finding the value costs exhaustive search. Next, we show that the collision problem of our composite private keys has this property. Recall that the order of the base point in the SM2 algorithm is never lower than α · 2^N, where α > 0. Theorem 3.6. The collision probability of the composite private key does not exceed 1/(α · 2^N). Therefore the cost of finding a colliding composite private key is at least O(2^N) guesses; note that this is a brute-force bound and does not by itself make the problem NP-hard. Proof. Consider the first extracted composite private key isk = u1 + u2 + ⋯ + uh + r1 + r2, where isk is treated as a variable ranging over all possible values. If the re-extracted composite private key isk* = v1 + v2 + ⋯ + vh + γ1 + γ2 collides with isk, the collision probability is . Note that the two extractions are random and independent.
By the total probability formula, we have We focus on the value of . Let s = γ1 + γ2. Using the total probability formula again, we obtain Note that the sum of v1, …, vh must equal isk − s once γ1, γ2 are chosen. However, the choice of v1, …, vh depends on the declared public key through the SM3-based HMAC value, and can therefore be regarded as independent of γ1, γ2. It follows that Hence, Recall that the order n of the base point is no less than α · 2^N. Once γ1 is selected, the only choice of γ2 is s − γ1, which implies that P(γ1 + γ2 = s) ≤ 1/(α · 2^N). We then have Therefore, In summary, the collision probability is at most 1/(α · 2^N), as desired. Remark 1. In the SM2 algorithm, N = 256 is typically employed. Consequently, the collision probability of our composite private key does not exceed 1/(α · 2^256), and since α is not overly small this is generally below 1/2^200. Generally speaking, such a small-probability collision problem can be transformed into a circuit satisfiability problem [34], which belongs to NP; hence the composite private key cracking problem is also an NP problem. Membership in NP is a statement about verifiability rather than hardness; the operative security statement is the 1/(α · 2^N) bound on the collision probability, which makes collision search cost at least O(2^N). 4 Technical comparison Several management methods in identity-based certificateless public key management systems, such as TF-CPK and IBC (SM9), manage public keys through identities, which simplifies public key management, and they share many technical similarities. However, because the public key management system and key usage are implemented differently, their technical indicators differ. In the following, IPK is compared with several major identity cryptosystems; see Table 3. Table 3. IPK compared with IBC(SM9), TF-CPK, and SM2 implicit certificates.
https://doi.org/10.1371/journal.pone.0312690.t003 TF-CPK, IPK and SM2 implicit certificates all use the SM2 cryptographic algorithm, whereas IBC uses a different algorithm. For comparability, the analysis is carried out at a security strength of 2^128 as the baseline. In the performance comparison, the unit time (denoted UT) is the time of one 256-bit elliptic curve scalar multiplication. We now briefly explain how the data in Table 3 were obtained. We first consider the length of the digital signature. a. The SM9 signature has the form (h, S), where h is 32B and S is 64B, so the total signature length of SM9 is 96B; b. A TF-CPK signature consists of the signature data (r, s), the declared public key, and the signature of the identity over the declared public key, so its length is 64B × 3 = 192B; c. An SM2 implicit certificate signature consists of the signature data (r, s) and the declared public key, 128B in total; d. The IPK signature has the same structure as the SM2 implicit certificate signature, so its length is also 128B. Assuming a private key length of 32B, the key encapsulation lengths are as follows. a. The private key encapsulation output of SM9 has the form (K, C), where K is 32B and C is 64B, so the total length is 96B; b. TF-CPK, SM2 implicit certificates and IPK all employ the SM2 cryptosystem, so their length is 128B. Regarding computational cost, the running time of all the compared schemes is dominated by elliptic curve scalar multiplication, so the cost is compared with one scalar multiplication as the unit time UT. a.
An SM9 digital signature requires 13UT (one operation in the additive group and one in the multiplicative group), and signature verification takes 12UT (one operation in the multiplicative group); b. TF-CPK is based on SM2. Signing takes 1UT (one operation in the additive group), and verification involves verifying both the data signature and the public key signature, which needs 4UT (two signature verifications, each with two operations in the additive group); c. The SM2 implicit certificate is also based on SM2. Signing takes 1UT (one operation in the additive group); verification includes the public key computation and the data signature verification, where computing the public key takes one scalar multiplication and the data signature verification needs 2UT, i.e., 3UT in total; d. IPK is also based on SM2. Signing likewise takes 1UT. Verification includes the public key computation and the data signature verification, but computing the public key involves only point additions of the selected matrix entries and R, whose cost is negligible relative to a scalar multiplication, so verification takes 2UT. As shown in Table 3, the computation cost of the SM9 algorithm is significantly higher than that of the SM2-based identity public key management schemes, and IPK has the lowest computation cost. However, the storage cost of IPK and TF-CPK is larger than that of the other schemes, which makes them less suitable for embedded terminal devices with very limited storage. 5 Conclusion In this paper, we introduced the IPK scheme and analyzed its security.
In summary, the innovations of the IPK key generation protocol are the following. (1) IPK uses a public and private key matrix together with a mapping method to bind identity and key, which simplifies public key distribution and management by identity. (2) In private key generation, both the center and the terminal contribute to the terminal's final composite key: a random factor is added during key production to remove the linear correlation between private keys. (3) The terminal's private key is finally composed by the terminal itself, and the center does not know the terminal's second-order composite private key. This solves the trust problem that an identity key can otherwise only be generated by the center; because the key center cannot obtain the terminal's private key in this cooperative generation, signatures can meet electronic signature requirements. (4) The declared public key factor R participates directly in the identity mapping, binding the declared public key to the identity, so there is no risk of a substitution attack. IPK generates a large number of keys from a smaller matrix using ideas from combinatorial mathematics. It is a lightweight identity key generation protocol, which simplifies key generation and reduces the construction and operation cost of the key system. Theoretically, a rigorous determination of the collision probability can help reduce the size of the random matrix. As future work, we will try to tighten the upper bound on the collision probability using mathematical tools, and we will elaborate on possible applications of IPK such as cloud computing, e-health and the Internet of things. Acknowledgments We thank the anonymous reviewers for their valuable feedback.
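The cooperative key generation summarised in the items above, as an added example that is not the paper's code: both sides' messages for one terminal, the terminal's check that [isk]G equals the IPK a verifier recomputes from (ID, R) and the public matrix, and the two facts the security analysis relies on, namely that the key center's view [isk′]G is not IPK and that rebinding (ID, R) changes IPK. Assumptions: the secp256k1 parameters stand in for the SM2 curve (the group law takes the curve coefficient a as a parameter, so the SM2 constants can be dropped in), HMAC-SHA256 stands in for the SM3-based HMAC, the declared public key is encoded as 64 bytes x || y, digest byte j mod m selects the row for column j, and a 4 × 3 matrix replaces the h ≥ 32 of the scheme; the class and function names are this example's own.

```python
import hashlib
import hmac
import random

# secp256k1 stands in for the SM2 curve (assumption); swap in the SM2 constants to match the paper.
FIELD_P = 2**256 - 2**32 - 977
CURVE_A = 0
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine group law on y^2 = x^3 + a*x + b; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    return (x3, (lam * (x1 - x3) - y1) % FIELD_P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication [k]pt."""
    k %= ORDER_N
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def encode_point(pt) -> bytes:
    """64-byte x || y encoding of the declared public key (assumed encoding)."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def map_identity(identity: bytes, declared_pk, m: int, h: int) -> list:
    """Assumed mapping: HMAC(key = declared public key R, msg = ID), SHA-256 in place of SM3;
    digest byte j mod m is the row selected in column j."""
    digest = hmac.new(encode_point(declared_pk), identity, hashlib.sha256).digest()
    return [digest[j % len(digest)] % m for j in range(h)]


class KeyCentre:
    """Holds the private matrix SK and publishes PK with PK[i][j] = [SK[i][j]]G."""

    def __init__(self, m: int, h: int, rng: random.Random):
        self.m, self.h = m, h
        self.sk = [[rng.randrange(1, ORDER_N) for _ in range(h)] for _ in range(m)]
        self.pk = [[ec_mul(v, G) for v in row] for row in self.sk]

    def issue(self, identity: bytes, R1, rng: random.Random):
        """Message 2: from (ID, R1) return the first-order key isk' and the bound R = R1 + R2."""
        r2 = rng.randrange(1, ORDER_N)
        R = ec_add(R1, ec_mul(r2, G))
        rows = map_identity(identity, R, self.m, self.h)
        iskm = sum(self.sk[r][j] for j, r in enumerate(rows)) % ORDER_N
        isk_prime = (iskm + r2) % ORDER_N           # the centre never sees r1
        return isk_prime, R


def composite_public_key(pkm, identity: bytes, R, m: int, h: int):
    """What any verifier computes from (ID, R) and the public matrix: IPK = IPKm + R."""
    rows = map_identity(identity, R, m, h)
    ipkm = None
    for j, r in enumerate(rows):
        ipkm = ec_add(ipkm, pkm[r][j])
    return ec_add(ipkm, R)


def terminal_keygen(centre: KeyCentre, identity: bytes, rng: random.Random):
    """Messages 1 and 3: the terminal contributes r1, completes isk = isk' + r1 and
    checks [isk]G against the IPK a verifier would recompute before using the key."""
    r1 = rng.randrange(1, ORDER_N)
    R1 = ec_mul(r1, G)
    isk_prime, R = centre.issue(identity, R1, rng)
    isk = (isk_prime + r1) % ORDER_N                # second-order composite private key
    ipk = composite_public_key(centre.pk, identity, R, centre.m, centre.h)
    if ec_mul(isk, G) != ipk:
        raise ValueError("key centre returned an inconsistent first-order key")
    return isk, ipk, R, isk_prime


def run_demo(seed: int = 3) -> dict:
    rng = random.Random(seed)
    centre = KeyCentre(4, 3, rng)
    identity = b"sensor-42"                          # constructed sample identity
    isk, ipk, R, isk_prime = terminal_keygen(centre, identity, rng)
    forged_R = ec_mul(rng.randrange(1, ORDER_N), G)  # an attacker rebinding the declared key
    return {
        "pair_consistent": ec_mul(isk, G) == ipk,
        "centre_view_is_not_the_key": ec_mul(isk_prime, G) != ipk,
        "verifier_recomputes_ipk": composite_public_key(centre.pk, identity, R, 4, 3) == ipk,
        "rebinding_changes_ipk": composite_public_key(centre.pk, b"sensor-43", forged_R, 4, 3) != ipk,
    }
```

run_demo() returns all four checks as True. The ValueError in terminal_keygen is the operational point: the terminal should refuse a first-order key whose completed pair does not verify against the public matrix, since a misbehaving key center could otherwise hand out a key that signs under a different IPK than the one verifiers derive from (ID, R).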
TI - A novel method for generating public keys involving matrix operations JF - PLoS ONE DO - 10.1371/journal.pone.0312690 DA - 2024-10-30 UR - https://www.deepdyve.com/lp/public-library-of-science-plos-journal/a-novel-method-for-generating-public-keys-involving-matrix-operations-WJy0C0nUB0 SP - e0312690 VL - 19 IS - 10 DP - DeepDyve ER -