
Crypto Corner

Editors: Peter Gutmann, pgut001@cs.auckland.ac.nz; David Naccache, david.naccache@ens.fr; Charles C. Palmer, ccpalmer@us.ibm.com

Securing E-passports with Elliptic Curves

This is the story of how the solution to a relatively abstract mathematics problem related to elliptic curves has led to improved security for ID documents.

Suppose that two parties share a common low-entropy secret (such as a four-digit PIN or a self-picked alphabetic password) and want to establish a secure, authenticated communication channel. This scenario is common, from payment terminals and e-passport readers to online services. But even today, many implementations rely on more or less ad hoc protocols that might be vulnerable to replay attacks, man-in-the-middle attacks, and so on. Moreover, although some of those protocols are reasonably secure when the shared secret can't be guessed, they tend to be vulnerable to offline dictionary attacks. In these attacks, the attacker eavesdrops on communication between the parties and uses the data recorded that way to brute-force the password without further interaction with either party. Because the password has low entropy, the search space is small, so offline brute-forcing isn't difficult.

A class of cryptographic protocols called Password-Authenticated Key Exchange (PAKE) provides a more robust solution to this problem. PAKE protocols ensure that an eavesdropper can't learn any information on the low-entropy secret. They're also required to be as secure as possible against all passive and active attacks. Basically, all an adversary can do to learn the password is an online dictionary attack (guess the password and try to execute the protocol with one of the parties). We can prevent this through latency, smart card blocking, and so on.

For implementing PAKE protocols, especially in constrained environments such as e-passports, elliptic-curve cryptography is fast and requires little memory. However, it involves representing numeric values (in this case, passwords) as points on an elliptic curve, and how to do this efficiently and securely isn't obvious. Here we discuss how researchers have solved this problem and describe two PAKE protocols that use this technique to achieve different security properties. More generally, encoding to curve points provides a convenient way to integrate passwords into existing elliptic-curve-based protocols, in addition to other cryptographic applications.

MARCH/APRIL 2011

Hervé Chabanne, Morpho
Mehdi Tibouchi, École normale supérieure

1540-7993/11/$26.00 © 2011 IEEE

COPUBLISHED BY THE IEEE COMPUTER AND RELIABILITY SOCIETIES


Input: u, an integer
Output: (x, y), a point of the curve

    for i ← 0 to k − 1 do
        x ← u || i;
        if x^3 + ax + b is a square then
            return (x, y = (x^3 + ax + b)^(1/2))
        end
    end
    return ⊥;

Figure 1. The try-and-increment algorithm enables construction of a group-valued encoding function. However, for Password-Authenticated Key Exchange (PAKE) protocols, this algorithm would still allow an adversary to determine a password.

The Encoding Problem

In René Schoof's famous 1985 paper describing how to efficiently count points on elliptic curves over finite fields, he asked for a method to deterministically construct points on an elliptic curve.[1] In 2006, Andrew Shallue and Christiaan van de Woestijne developed the first algorithm for this.[2] In 2009, Thomas Icart introduced another solution.[3] These results have prompted further research in this area as well as various cryptographic applications.

Given a finite field and two of its elements, a, b, we determine an elliptic curve by an equation of the form

    y^2 = x^3 + ax + b.    (1)

The curve consists of the set of points (x, y) verifying Equation 1, together with a point at infinity. We can define the addition of two points of this curve to obtain a group. One reason elliptic curves are interesting for cryptography is that the discrete-logarithm problem in that group (the problem of retrieving integer l from point G on the curve and lG = G + ... + G) is believed to be computationally hard. This means that elliptic-curve-based protocols can use shorter keys and more efficient arithmetic than protocols based on other groups, such as nonzero integers modulo a prime number.

Cryptographic protocols based on groups often involve representing certain numeric values as elements of the group. In the elliptic-curve case, this amounts to mapping an integer u to a point (x, y) on the curve. For instance, Dan Boneh and Matt Franklin's identity-based encryption represents user identities as curve points.[4] For this purpose, they proposed a very natural way to encode values to that curve. However, this works only for curves of a special form (supersingular curves), which aren't suitable for most applications owing to subpar security properties. Because a typical PAKE implementation using elliptic curves would preferably avoid supersingular curves, we need to encode points on ordinary (that is, nonsupersingular) elliptic curves.

IEEE SECURITY & PRIVACY

Some Less-Than-Satisfactory Solutions

For certain cryptographic groups, such as the multiplicative group Z*_p of nonzero integers modulo a prime number p, constructing a group-valued encoding function is relatively easy. For Z*_p, just taking the numeric value to be encoded and reducing it modulo p usually provides a suitable function. This isn't the case for elliptic curves. You can't hope to construct an encoding function by, for example, choosing the numeric value as a curve point's x-coordinate. This is because only about half of all the possible x-values correspond to actual points on the curve.

What does work is the try-and-increment algorithm (see Figure 1). Append a short counter to the value to be encoded, and initialize it to 0. If the resulting concatenated value is an existing x-coordinate, return the corresponding point. Otherwise, increment the counter and try again. For each value of counter i, the probability of x being the x-coordinate of an actual point on the elliptic curve is approximately 1/2. So, if the counter can take k values, the algorithm will fail to find a point with a probability of 2^-k. This is negligibly small if we take, for example, k = 128, so the algorithm will always succeed in practice.

However, this algorithm's running time depends on u, which can be a problem for implementations of protocols in which u must stay confidential. Regarding PAKE protocols, u is related to the underlying password. So, different passwords lead to different running times. An attacker can then partition the password dictionary according to the different running times, which will reveal the password after a few executions of the protocol.[5] We could modify the try-and-increment algorithm to make it run in constant time and thwart this attack, but this makes the encoding function prohibitively inefficient.
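As an added example (not code from the column), here is Figure 1's try-and-increment algorithm in Python over a small constructed curve; `try_and_increment` also returns the counter value that succeeded, which is exactly the quantity a timing attacker observes varying with u. All names and curve parameters are my own choices for illustration.

```python
# Added example, not code from the column: Figure 1's try-and-increment
# algorithm over a constructed curve y^2 = x^3 + ax + b over F_P. The function
# also returns the counter value that succeeded, which is what a timing
# attacker observes: it depends on u, so it depends on the password.
P = 999983            # prime with P = 3 (mod 4), so sqrt is one exponentiation
A, B = 2, 7           # constructed coefficients, not a standardized curve
COUNTER_BITS = 7      # k = 2**7 = 128 counter values: failure probability ~2^-128

def rhs(x):
    """Right-hand side x^3 + ax + b of the curve equation, reduced mod P."""
    return (x * x * x + A * x + B) % P

def is_square(n):
    """Euler's criterion: a nonzero n is a square iff n^((P-1)/2) == 1."""
    return n == 0 or pow(n, (P - 1) // 2, P) == 1

def sqrt_mod(n):
    """Square root for P = 3 (mod 4); only valid when is_square(n) holds."""
    return pow(n, (P + 1) // 4, P)

def on_curve(pt):
    x, y = pt
    return (y * y) % P == rhs(x)

def try_and_increment(u):
    """Return ((x, y), i): the point found and the counter value i that gave it.
    The number of loop iterations (i + 1) is data dependent: about half of all
    x-values are valid x-coordinates, so i follows a geometric distribution.
    Returns (None, 2**COUNTER_BITS) if every counter value fails."""
    for i in range(2 ** COUNTER_BITS):
        x = ((u << COUNTER_BITS) | i) % P   # u || i (counter appended), in F_P
        r = rhs(x)
        if is_square(r):
            return (x, sqrt_mod(r)), i
    return None, 2 ** COUNTER_BITS

def iteration_profile(candidates):
    """Map each candidate u to the iteration count an observer would see; the
    text's attacker partitions a password dictionary by these values."""
    return {u: try_and_increment(u)[1] + 1 for u in candidates}

if __name__ == "__main__":
    for u, n in iteration_profile(range(1, 13)).items():
        print(f"u={u:2d}: {n} iteration(s)")   # counts differ from u to u
```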

Constant-Time Encoding Functions

An important property of an encoding function such as Shallue and van de Woestijne's or Icart's is that its computation time doesn't depend on u. So, we can compute a secret value's point encoding efficiently without leaking information about it to timing attackers. Also, we can compute preimages under the encoding function in polynomial time. This ensures that knowledge of u doesn't help an attacker compute the discrete logarithm of encoding(u). Additionally, we can compute the size of such a function's image.[6,7] For Icart's function, the size is approximately 5/8 of all the points on the curve, which is large enough for most applications.
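An added example, not code from the column or from the cited papers: Icart's encoding on a small constructed curve, using the formula from his 2009 paper (an assumption here, since the column doesn't reproduce it), with helpers to measure the image size the text quotes (about 5/8 of the curve) and the coverage of encoding(u) + encoding(v), the property the Private PAKE section below relies on. The curve, the helper names and the sampling parameters are mine.

```python
# Added example, not code from the column: Icart's 2009 encoding (formula from
# his paper, assumed here) on a constructed curve over F_P, P = 2 (mod 3), so
# every element has one cube root and the same operations run for every u != 0.
# image_fraction() measures how much of the curve the map reaches (about 5/8);
# sum_coverage() shows icart(u) + icart(v) reaching essentially all of it.
import random

P = 1013            # prime, P = 2 (mod 3); small enough to enumerate the curve
A, B = 3, 11        # constructed coefficients: y^2 = x^3 + 3x + 11
INF = None          # point at infinity

def inv(n):
    return pow(n, -1, P)

def cbrt(n):
    return pow(n % P, (2 * P - 1) // 3, P)   # unique cube root when P = 2 mod 3

def icart(u):
    """v = (3a - u^4)/(6u); x = cbrt(v^2 - b - u^6/27) + u^2/3; y = ux + v."""
    if u % P == 0:
        return INF
    v = (3 * A - pow(u, 4, P)) * inv(6 * u) % P
    x = (cbrt(v * v - B - pow(u, 6, P) * inv(27)) + u * u * inv(3)) % P
    return (x, (u * x + v) % P)

def add(p1, p2):   # affine chord-and-tangent group law on y^2 = x^3 + Ax + B
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def curve_size():   # #E(F_P): brute force over all (x, y), plus infinity
    return 1 + sum((y*y - x*x*x - A*x - B) % P == 0 for x in range(P) for y in range(P))

def image_fraction():   # |icart(F_P)| / #E, the share of the curve the map reaches
    return len({icart(u) for u in range(1, P)}) / curve_size()

def sum_coverage(samples=100_000, seed=1):
    """Share of the curve hit by icart(u) + icart(v) over random pairs (u, v)."""
    rng, points = random.Random(seed), [icart(u) for u in range(1, P)]
    hit = {add(rng.choice(points), rng.choice(points)) for _ in range(samples)}
    return len(hit) / curve_size()
```

On this curve `image_fraction()` lands near 5/8 while `sum_coverage()` is essentially 1, which is the regularity gap between encoding(u) and Encoding(u, v).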

Chip (holds password p) and Terminal (holds password p)

Stage 1 (randomization)
    Chip: Randomly select s, a binary string. Encrypt s by a block cipher keyed by p to get z, and send z to the terminal.
    Terminal: Decrypt z to get s. Randomly select a binary string (the terminal's nonce) and send it to the chip.

Stage 2 (mapping)
    Chip: Compute G = encoding(hash(s || nonce)), where hash is a hash function and || stands for concatenation.
    Terminal: Compute G in the same way.

Stage 3 (key establishment)
    Chip: Randomly select x and send X = xG. Compute Z = xyG (as x times Y).
    Terminal: Randomly select y and send Y = yG. Compute Z = xyG (as y times X).

Figure 2. The first three steps of PACE (Password-Authenticated Communication Establishment) v2, a PAKE (Password-Authenticated Key Exchange) protocol for e-passport applications. After these first three steps, the two parties have obtained a common high-entropy secret: a point Z on the elliptic curve.

PACE v2

One application of these encoding functions is PACE (Password-Authenticated Communication Establishment) v2, a PAKE protocol recently standardized for e-passport applications. The International Civil Aviation Organization (ICAO) maintains a series of specifications pertaining to secure communication between the chips on machine-readable travel documents (MRTDs) and MRTD readers. Recently, the ICAO expanded the specifications to include PACE, which uses Icart's encoding for authenticated key agreement.[8]

PACE aims to establish a secure communication channel between a chip and terminal sharing a password p. For e-passports, this password is obtained from the MRTD's machine-readable zone. PACE has six steps; Figure 2 describes the first three. After these three steps, the two parties have obtained a common high-entropy secret: point Z on the elliptic curve. The next three steps are key derivation, key confirmation, and session establishment, which are relatively standard and don't involve point encodings. We don't describe them here.

In this very practical instance, the ICAO presumably preferred Icart's encoding to other, more classic techniques (such as the try-and-increment algorithm) to protect the password against side-channel attacks. This encoding is also more efficient (slightly faster than the best case of try-and-increment, and many times faster than the worst case), which is desirable in such a resource-constrained setting.

Private PAKE

Another application is the classic PAKE protocol, DH-EKE (Diffie-Hellman encrypted key exchange; see Figure 3).[9] DH-EKE can be implemented over any group, but over the group of points on an elliptic curve, it's vulnerable to the following offline dictionary attack. An eavesdropping attacker who sees an encryption of point G_i can try to decrypt it using a guessed password p′. If the guess is incorrect, then, with a probability of approximately 1/2 (or much higher than that, depending on how the points are represented), the resulting point won't belong to the curve. So, the attacker can throw away half or more of his or her password dictionary for every encrypted message the attacker catches between the two parties. A few executions of the protocol are then sufficient to recover the actual password p.

Parameter: G, a point on the curve.

Chip (holds password p):
    Pick a random scalar and compute G1 as that scalar times G.
    Send G1 encrypted by a block cipher that depends on p.
    Retrieve G2 by decryption, and compute K as the chip's scalar times G2.

Server (holds password p):
    Pick a random scalar and compute G2 as that scalar times G.
    Send G2 encrypted by a block cipher that depends on p.
    Retrieve G1 by decryption, and compute K as the server's scalar times G1.

Figure 3. DH-EKE (Diffie-Hellman encrypted key exchange), a classic PAKE (Password-Authenticated Key Exchange) protocol. The basic protocol is vulnerable to offline dictionary attacks, but elliptic-curve cryptography can alleviate this problem.

www.computer.org/security

To avoid such an attack, it would be desirable to represent curve points as bit strings such that all bit strings correspond to actual points and a uniformly random bit string corresponds to a uniformly distributed curve point. We can achieve this using admissible encoding, which Eric Brier and his colleagues developed.[10] A function f from a set of bit strings to an elliptic curve is admissible if it satisfies three requirements:

- It's efficiently computable.
- It can be sampled; that is, an efficient algorithm exists that takes a curve point as input and returns a bit string chosen uniformly at random among its preimages by f.
- It's regular; that is, the image by f of a uniformly random bit string is an almost uniformly random curve point.

Icart's encoding(u) function

fulfills the first two requirements but not the third. From this function's image size alone, we can see that it can't be regular. Fortunately, Brier and his colleagues showed that

    Encoding(u, v) = encoding(u) + encoding(v)

is admissible. On the basis of admissible encoding, Julien Bringer and his colleagues introduced a PAKE protocol with the novel property that the underlying elliptic-curve parameters remain private.[11] This property is particularly useful for e-passports and other identification documents because the country issuing the documents typically chooses the curve parameters. If the parameters leak during authentication, an eavesdropper can discover the document owner's nationality, which is a security concern. To achieve privacy, Bringer and his colleagues treated the curve parameters as part of the password and modified DH-EKE to use the Encoding function instead of a block cipher. So, the messages exchanged by the parties are completely random bit strings, which reveal no information about the password or curve.

Some questions regarding encoding points of elliptic curves are still open. For instance, on the mathematical side, having injective encodings to ordinary curves would be interesting. More practically, other applications to actual cryptographic protocols certainly remain to be found.

References
1. R. Schoof, "Elliptic Curves over Finite Fields and the Computation of Square Roots mod p," Mathematics of Computation, vol. 44, no. 170, 1985, pp. 483–494.
2. A. Shallue and C. van de Woestijne, "Construction of Rational Points on Elliptic Curves over Finite Fields," Algorithmic Number Theory, LNCS 4076, Springer, 2006, pp. 510–524.
3. T. Icart, "How to Hash into Elliptic Curves," Advances in Cryptology (Crypto 2009), LNCS 5677, Springer, 2009, pp. 303–316.
4. D. Boneh and M.K. Franklin, "Identity-Based Encryption from the Weil Pairing," Advances in Cryptology (Crypto 2001), LNCS 2139, Springer, 2001, pp. 213–229.
5. D. Brumley and D. Boneh, "Remote Timing Attacks Are Practical," Computer Networks, vol. 48, no. 5, 2005, pp. 701–716.
6. R.R. Farashahi, I.E. Shparlinski, and J.F. Voloch, "On Hashing into Elliptic Curves," J. Mathematical Cryptology, vol. 3, no. 4, 2010, pp. 353–360; www.ma.utexas.edu/users/voloch/Preprints/Hashing.pdf.
7. P.-A. Fouque and M. Tibouchi, "Estimating the Size of the Image of Deterministic Hash Functions to Elliptic Curves," Progress in Cryptology (Latincrypt 2010), LNCS 6212, Springer, 2010, pp. 81–91.
8. Supplemental Access Control for Machine Readable Travel Documents, ver. 1.01, tech. report, Int'l Civil Aviation Org., 11 Nov. 2010; www2.icao.int/en/MRTD/Downloads/Technical%20Reports/Technical%20Report.pdf.
9. S.M. Bellovin and M. Merritt, "Encrypted Key Exchange: Password-Based Protocol Secure against Dictionary Attacks," Proc. Symp. Research in Security and Privacy, IEEE Press, 1992, pp. 72–84.
10. E. Brier et al., "Efficient Indifferentiable Hashing into Ordinary Elliptic Curves," Advances in Cryptology (Crypto 2010), LNCS 6223, Springer, 2010, pp. 237–254.
11. J. Bringer, H. Chabanne, and T. Icart, "Password Based Key Exchange Protocols on Elliptic Curves Which Conceal the Public Parameters," Applied Cryptography and Network Security, LNCS 6123, 2010, pp. 291–308.

Hervé Chabanne is a deputy director and security expert in Morpho's identification division and an associate professor of cryptography at Télécom ParisTech. Contact him at herve.chabanne@morpho.com.

Mehdi Tibouchi is a researcher and PhD candidate in the cryptology team at École normale supérieure. Contact him at mehdi.tibouchi@normalesup.org.