WO2020041499A1 - Systems and methods for a butterfly key exchange program - Google Patents


Info

Publication number: WO2020041499A1
Authority: WO (WIPO (PCT))
Prior art keywords: entity, public key, key, verification, signature
Application number: PCT/US2019/047547
Other languages: French (fr)
Inventor: Paulo Sergio Licciardi Messeder BARRETO
Original Assignee: Lg Electronics, Inc.
Application filed by Lg Electronics, Inc.
Priority to US16/634,874 (US11165592B2)
Priority to EP19852665.9A (EP3841703A4)
Publication of WO2020041499A1

Classifications

    • H04L9/3268 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04L9/0852 Quantum cryptography (under H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use)
    • H04L9/3013 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H04L2209/42 Anonymization, e.g. involving pseudonyms
    • H04L2209/84 Vehicles

Definitions

  • the invention is related to privacy in vehicular communications, in particular for scenarios that use pseudonym certificates to enable secure and privacy-preserving
  • Vehicular entities usually communicate with each other through a secured
  • the Security Credential Management System (SCMS) has been used as a leading vehicular public-key infrastructure (VPKI) candidate design for protecting vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications.
  • VPKI vehicular public-key infrastructure
  • the SCMS combines an efficient and privacy-preserving method for vehicles to obtain large batches of pseudonym certificates (also known as butterfly key expansion), and an ancillary process for revoking the user's privacy in case of misbehavior, so that multiple certificates belonging to the same user can be linked together.
  • ECDLP elliptic curve discrete logarithm problem
  • Some embodiments of the present invention provide a method for providing digital certificates for use by devices in authentication operations. Specifically, a cocoon public key is received at a first entity for generating a digital certificate. The cocoon public key is generated by expanding a caterpillar public key with a random function, and the first entity is uninformed of which device the caterpillar public key originates from. Butterfly reconstruction credentials are generated based on the cocoon public key and a random value. A certificate is generated based on the butterfly reconstruction credentials and metadata. A hash value is generated of both the certificate and a verification public key reserved for the first entity. A signature is generated based on the random value, the hash value and a verification private key associated with the verification public key. The certificate and the signature are encrypted using the cocoon public key. The encryption package formed from the encrypted certificate and signature is sent to a second entity. The second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
  • Some embodiments of the present invention provide a method for using digital certificates in authentication operations.
  • An encryption package forwarded by a second entity that is unable to decrypt the encryption package is received, at a device and from a first entity.
  • a private cocoon key is generated for decrypting the encryption package based on a private key associated with the device and a random function.
  • the encryption package is decrypted using the private cocoon key into a certificate and a signature.
  • a verification private key reserved for the device is generated based on the private cocoon key and the signature.
  • a verification public key reserved for the device is generated based on the verification public key reserved for the first entity, the hash value and the butterfly reconstruction credentials. It is then verified that the generated verification public key reserved for the device and the generated verification private key satisfy a relationship.
  • Some embodiments of the present invention provide a method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to provide digital certificates for use by devices in authentication operations.
  • RLWE ring-learning-with-errors
  • a cocoon public key for generating a digital certificate is received at a first entity.
  • the cocoon public key is generated by expanding a caterpillar public key with a first random function and a second random function, and the first entity is uninformed of which device the caterpillar public key originates from.
  • a verification public key reserved for the device is generated based on the received cocoon public key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having a seed value.
  • a signature is generated over the verification public key reserved for the device along with metadata, a verification public key reserved for the first entity and a private key pair reserved for the first entity.
  • a set of the seed value, the metadata and the signature is encrypted into an encryption package.
  • the encryption package is sent to a second entity.
  • the second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
  • Some embodiments of the present invention provide a method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to verify digital certificates for use by devices in authentication operations.
  • An encryption package forwarded by a second entity that is unable to decrypt the encryption package is received, at a device and from a first entity.
  • a private cocoon key pair for decrypting the encryption package is generated based on a caterpillar private key pair associated with the device, a first random function and a second random function.
  • the encryption package is decrypted using the private cocoon key pair into a set of a seed value, metadata and a signature.
  • a verification public key reserved for the device is generated based on a public cocoon key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having the seed value.
  • a verification private key pair reserved for the device is generated based on a private cocoon key pair, the first pseudo-random value and the second pseudo-random value. It is then verified that the generated verification public key reserved for the device and the generated verification private key pair satisfy a relationship.
  • Fig.1 illustrates an example SCMS infrastructure in which systems and methods of the present disclosure can operate.
  • FIG.2 provides an example diagram illustrating the butterfly key expansion in SCMS.
  • Fig.3 illustrates an embodiment of a computing device 150 which is used by any of the entities shown in Fig.1, according to some embodiments.
  • FIG.4 is an example table that compares existing explicit and implicit protocols with an implicit protocol with Schnorr-style signatures, according to embodiments described herein.
  • FIG.5A provides an example logic flow diagram illustrating an example RLWE-based component scheme for the use of butterfly effect protocols, known as the qTESLA digital signature scheme, according to some embodiments.
  • FIG.5B provides an example logic flow diagram illustrating an example RLWE-based component scheme for the use of butterfly effect protocols, known as the Lyubashevsky-Peikert-Regev (LPR) digital signature scheme, according to some embodiments.
  • LPR Lyubashevsky-Peikert-Regev
  • FIG.6 provides an example table that compares the ECC-based (pre-quantum) and the lattice-based (post-quantum) variants of the explicit butterfly protocol, according to some embodiments described herein.
  • Fig.1 illustrates an example SCMS infrastructure in which systems and methods of the present disclosure can operate.
  • Devices 102a-c which may be a vehicle, a mobile device, and/or the like, may communicate through the SCMS infrastructure 103.
  • each device 102a-c receives two types of certificates: an enrollment certificate, which has a long expiration time and identifies a valid device in the system, and multiple pseudonym certificates, each of which has a short validity period (e.g., a few days).
  • a number C (e.g., ? ⁇ 1 ) pseudonym certificates may be valid simultaneously.
  • a particular vehicle e.g., 102a or 102b
  • SCMS is configured to allow the distribution of multiple pseudonym certificates to vehicles 102a-c in an efficient manner, while providing mechanisms for easily revoking them in case of misbehavior by their owners.
  • the SCMS infrastructure 103 includes a Pseudonym Certificate Authority (PCA) 105 that is responsible for issuing pseudonym certificates to devices 102a-c.
  • PCA Pseudonym Certificate Authority
  • RA Registration Authority
  • Registration Authority (RA) 108 receives and validates requests for batches of pseudonym certificates from devices 102a-c via the location obscurer proxy 112, which are identified by their enrollment certificates. Those requests are
  • the PCA 105 may include one or more distributed PCA(s), which are connected to a root certificate authority 118 via one or more intermediate certificate authorities 117.
  • the root certificate authority 118 may interface with the SCMS manager cloud 120 to receive control commands, configuration data, etc. from the manager cloud 120.
  • the SCMS infrastructure 103 further includes Linkage Authority (LA) modules, e.g., 115a-b.
  • LA modules 115a-b generate random-like bit-strings that are added to certificates so the certificates can be efficiently revoked (namely, multiple certificates belonging to the same device can be linked together by adding a small amount of information to certificate revocation lists (CRLs)).
  • CRLs certificate revocation lists
  • the SCMS infrastructure 103 also includes a Misbehavior Authority (MA) 116 that is configured to identify misbehavior by devices and, whenever necessary, revoke the certificates issued to the misbehaving devices by placing their certificates into a CRL.
  • MA Misbehavior Authority
  • the MA 116 includes a CRL generator 116c that adds the certificates of misbehaving devices to a CRL store 122 and broadcasts the revoked certificate information through a CRL broadcast module 124.
  • FIG.2 provides an example diagram illustrating the butterfly key expansion in SCMS.
  • the pseudonym certificate provisioning process in SCMS provides an efficient mechanism for devices to obtain arbitrarily large batches of (short-lived) certificates with a small-sized request message. It comprises the following steps, as illustrated in Figure 2.
  • the device e.g., vehicle 102a
  • the device generates two caterpillar private/public key pairs 2
  • the public caterpillar keys 201 ? and ? are then sent
  • the key ? is employed by the RA 108 in the generation of ? public cocoon signature for an arbitrary value of ?; similarly, the RA 108 uses ? for generating ? public cocoon encryption keys ? Pairs of cocoon keys
  • the PCA 105 After receiving the cocoon keys, the PCA 105 computes the device's public signature key 206a-n as for a random value ? ? , inserts ? ? into a certificate ???? ? containing
  • the encrypted data is also signed by the PCA 105 using its own private signature key, aiming to prevent an "honest-but-curious" RA 108 from engaging in a Man-in-the-Middle (MitM) attack.
  • a MitM attack by the RA 108 could be performed as follows: (1) instead of ? the RA 108 sends to the PCA 105 a fake cocoon encryption key for an arbitrary value of ?; (2) the RA 108 decrypts the PCA's response using
  • the butterfly key expansion process shown in FIG.2 is generally quite efficient, but sometimes may consume significant processing resources and bandwidth, especially when implemented with the SCMS system shown in FIG. 1.
  • Fig.3 illustrates an embodiment of a computing device 150 which is used by any of the entities shown in Fig. 1, according to some embodiments.
  • the computing device 150 may be housed within the vehicle 102a-b, the PCA 105, the RA 108, etc.
  • computing device 150 includes one or more computer processors 150P coupled to computer storage (memory) 150S, and wireless communication equipment 150W for radio communications. Operation of computing device 150 is controlled by processor 150P, which may be implemented as one or more central processing units, multi-core processors, microprocessors, microcontrollers, digital signal processors, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), graphics processing units (GPUs), tensor processing units (TPUs), and/or the like in computing device 150P.
  • Memory 150S may be used to store software executed by computing device 150 and/or one or more data structures used during operation of computing device 150. Memory
  • machine readable media may include floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, EEPROM, FLASH-EPROM, any other memory chip or cartridge, and/or any other medium from which a processor or computer is adapted to read.
  • Processor 150P and/or memory 150S may be arranged in any suitable physical arrangement.
  • processor 150P and/or memory 150S may be implemented on a same board, in a same package (e.g., system-in-package), on a same chip (e.g., system-on- chip), and/or the like.
  • processor 150P and/or memory 150S may include distributed, virtualized, and/or containerized computing resources. Consistent with such embodiments, processor 150P and/or memory 150S may be located in one or more data centers and/or cloud computing facilities.
  • memory 150S may include non-transitory, tangible, machine readable media that includes executable code that when run by one or more processors (e.g., processor 150P) may cause the computing device 150, alone or in conjunction with other computing devices in the environment, to perform any of the methods described further herein
  • Computing device or equipment 150 may include user interface 150i, e.g. such as present in a smartphone, an automotive information device, or of some other type device, for use by pedestrians, vehicle drivers, passengers, traffic managers, and possibly other people.
  • FIG.4 is an example table that compares existing explicit and implicit protocols with an implicit protocol with Schnorr-style signatures, according to embodiments described herein.
  • the existing explicit protocol 401, the existing implicit protocol 402 and the implicit Schnorr protocol 403 employ the same process for the vehicles 102a-b to generate a public key to the PCA 105 via the RA 108, as described in FIG.2.
  • the RA 108 expands the caterpillar public key S into b cocoon public Since f is shared only among the vehicle 102a and
  • the PCA 105 receives, from the RA 108, the cocoon public key and randomizes it by adding r i G to it, for a randomly picked r i .
  • the resulting elliptic curve point is used directly as the vehicle’s butterfly public key Ui; it is then placed into a certificate together with any required metadata (e.g., a validity period), and signed.
  • the randomized point is used as the butterfly reconstruction credential Vi; it is also combined with some metadata, and then signed.
  • the resulting certificate is encrypted with the originally provided and sent back to the RA 108.
  • the RA 108, unable to decrypt the PCA's response pkg, simply forwards it back to the requesting vehicle 102a, in batch.
  • the vehicle 102a computes the key for decrypting pkg. It then
  • the vehicle verifies that the retrieved certificate is indeed valid. This is done either by checking its signature (for explicit certificates) or by performing the corresponding key verification process (for implicit certificates). As long as such verification is successful, the keys obtained can be used for signing messages sent to other vehicles.
  • the implicit Schnorr protocol 403 adopts a Schnorr variant in key generation.
  • the implicit Schnorr protocol 403 generates a hash of both the certificate and an intended verification public key, , where ? denotes the public keys and certi denotes certificates.
  • the previous schemes 401 and 402 only hash certificates and metadata (presumably, vehicle signatures only include messages and possibly metadata as well).
  • the implicit Schnorr protocol 403 is able to thwart attacks against several keys at once. This effective measure may be implemented for all signatures (not only those of certificates, but future ones generated and verified by vehicles using their certified keys) to improve robustness of the public keys.
  • PCA 105 then generates a signature based at least in part on the hash and a private key u, encrypts the certificate and the signature with the public key, and sends the encrypted certificate and signature to the device.
  • the implicit Schnorr protocol 403 further provides implicit private key recovering at the vehicle 102a.
  • the old implicit private key recovering equation used in the existing implicit protocol 402 involves a modular multiplication.
  • the implicit Schnorr protocol 403 can implement private key recovering in a faster and more efficient manner, defending against side channel leaks without loss of efficiency, and the implementation structure matches the corresponding computation used in the explicit protocol 401.
  • the implicit Schnorr protocol 403 adopts implicit private key verification.
  • in the existing implicit scheme 402, while other vehicles implicitly trust the PCA 105 by mixing its public key ? with the received key V i and the hashed certificate h i , the signing vehicle itself performs no verification at all of the received encrypted certificate, e.g., h This might be a point of protocol security failure.
  • the implicit Schnorr protocol 403 adopts a mechanism in which the received key element s i g i is formally similar to a signature element.
  • the vehicle 102a-b can verify the received certificate (and hence its private key) by checking that .
  • the implicit Schnorr protocol 403 adopts implicit public key recovering.
  • the existing implicit protocol 402 adopts a public key recovering equation, ? ? which involves a multiplication by scalar where the curve point is different for each vehicle. No optimization opportunities are clear in this approach for a generic choice of the underlying elliptic curve.
  • the implicit Schnorr protocol 403 adopts a public key recovering equation as , which involves a multiplication by scalar where the curve point (namely, the PCA public key) is one and the same for all vehicles, so that dedicated code and precomputation could be adopted to speed up the recovering operation. For instance, if the scalars are 256 bits long and written in hex, namely
  • the implicit public key recovering mechanism provided by the implicit Schnorr protocol 403 can be about 3 to 4 times faster than a plain arithmetic mechanism.
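The butterfly expansion of FIG.2 and the implicit Schnorr issuance and recovery just described, as an added worked example in Python (not the patent's own code; the page's equations are missing, so the reconstruction equations are an assumed instantiation consistent with the text): the PCA computes V_i = Ŝ_i + r_i·G, h_i = H(cert_i, U) and sig_i = r_i + h_i·u; the vehicle recovers u_i = ŝ_i + sig_i and U_i = V_i + h_i·U and checks u_i·G = U_i. Assumptions labelled in the code: secp256k1 as the curve, SHA-256 as H, a hash-based expansion function f shared by vehicle and RA, and a fixed-base table for the per-vehicle-constant point U; encryption of the package under the cocoon key is omitted.

```python
import hashlib
import secrets

# secp256k1 parameters (assumed curve choice; the page does not fix a curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add; not constant time, illustration only
    acc, k = None, k % N
    while k:
        acc = ec_add(acc, pt) if k & 1 else acc
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def encode(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
def decode(b):
    return (int.from_bytes(b[:32], "big"), int.from_bytes(b[32:64], "big"))

def hash_to_scalar(*parts):  # H, instantiated with SHA-256 (assumption)
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def fixed_base_table(pt, w=4):
    """Precompute j * 2**(w*k) * pt per w-bit window: the table the page suggests
    for the PCA key U, which is the same point for every vehicle."""
    table, base = [], pt
    for _ in range(256 // w):
        row = [None]
        for _ in range((1 << w) - 1):
            row.append(ec_add(row[-1], base))
        table.append(row)
        for _ in range(w):
            base = ec_add(base, base)
    return table

def fixed_base_mul(table, k, w=4):  # k * pt with one point addition per window
    acc = None
    for row in table:
        acc, k = ec_add(acc, row[k & ((1 << w) - 1)]), k >> w
    return acc

def expand(seed, i):  # expansion function f_i: known to vehicle and RA, not PCA (assumed PRF)
    return hash_to_scalar(b"cocoon", seed, i.to_bytes(4, "big"))

def ra_expand(S, seed, beta):  # RA: cocoon public keys S_hat_i = S + f_i * G
    return [ec_add(S, ec_mul(expand(seed, i), G)) for i in range(beta)]

def pca_issue(u, U, S_hat, meta):
    """PCA: implicit Schnorr issuance for one cocoon key of an unknown vehicle."""
    r = secrets.randbelow(N - 1) + 1
    V = ec_add(S_hat, ec_mul(r, G))          # butterfly reconstruction credential V_i
    cert = encode(V) + meta                  # cert_i = (V_i, metadata)
    h = hash_to_scalar(cert, encode(U))      # h_i binds the certificate and the PCA key U
    sig = (r + h * u) % N                    # Schnorr-style signature element
    return cert, sig                         # SCMS encrypts this pair under S_hat; omitted here

def recover_public(U, table_U, cert):  # anyone: U_i = V_i + h_i * U, fixed base U
    h = hash_to_scalar(cert, encode(U))
    return ec_add(decode(cert), fixed_base_mul(table_U, h))

def vehicle_reconstruct(s, seed, i, U, table_U, cert, sig):
    """Vehicle: u_i = s_hat_i + sig_i (one modular addition), then check u_i * G == U_i."""
    u_i = (s + expand(seed, i) + sig) % N
    U_i = recover_public(U, table_U, cert)
    return u_i, U_i, ec_mul(u_i, G) == U_i

def run_batch(beta=3):
    u, s = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1  # PCA key u, caterpillar key s
    U, S = ec_mul(u, G), ec_mul(s, G)                                  # their public keys
    seed = b"constructed expansion seed"     # shared by vehicle and RA only (constructed value)
    table_U = fixed_base_table(U)
    checks = []
    for i, S_hat in enumerate(ra_expand(S, seed, beta)):
        cert, sig = pca_issue(u, U, S_hat, b"validity:period-%d" % i)
        checks.append(vehicle_reconstruct(s, seed, i, U, table_U, cert, sig)[2])
        # a package altered in transit (here sig_i) fails the vehicle's own check
        checks.append(not vehicle_reconstruct(s, seed, i, U, table_U, cert, (sig + 1) % N)[2])
    return checks
```

Every entry of `run_batch()` is True: the genuine packages verify and the altered ones are rejected by the vehicle before any key is used.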
  • the implicit Schnorr protocol 403 adopts implicit PCA signing.
  • L denote the cost of one full-length multiplication by scalar.
  • the costs of hashing or performing a simple point addition may be ignored, as they tend to be much smaller than the other involved costs (for instance, the cost of one point addition is roughly only a fraction 1/?2?? of L, which is small at practical security levels).
  • a security equivalent and interchangeable form is ??, ??, whereby verification consists of computing h ⁇ H??, ?, ?? and checking whether ?
  • an example scenario of use of vehicular keys may include: a vehicle signs some message using its private key ? ? and sends it to another vehicle (e.g., 102b) together with the certificate from which the public key can be extracted (explicit variant) or
  • the certificate prepared by the PCA 105 contains either itself and a signature such that
  • vehicle B verifies the signed message by checking that
  • the implicit form may have an efficiency advantage over the explicit form. Indeed, recovering the implicitly verified key ? ? requires only a half-length multiplication by scalar, while an explicitly verified key incurs one full-length and one half-length multiplication. This may be true if the explicit form adopts the more common
  • vehicle ? can verify the certificate and the signed message in batch, by computing
  • the implicit variant and the explicit form may achieve comparable processing efficiency (with the implicit variant possibly possessing a marginal advantage when is used). It is worth noting that this assessment is not affected by the availability of table-based implementations as suggested previously: both the implicit and the explicit forms would benefit equally from it, and the overall cost would decrease to ?3/2 + ??? if the actual cost of computing h ? ⁇ ? were only ?? (0 ⁇ ? ⁇ 1? rather than ?
  • the implicit Schnorr protocol 403 contains a butterfly protocol that automatically protects against such attacks.
  • the attacks discussed by M. Bellare and G. Neven in "Multisignatures in the Plain Public-Key Model and a General Forking Lemma," Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), pp. 390–399, 2006, DOI: 10.1145/1180405.1180453, do not necessarily affect the implicit Schnorr protocol 403.
  • ? is a genuine public key and an attacker is allowed to pick their public key ? ⁇ at will, the attacker can mount the following attack.
  • the attacker's goal is to come up with fake signatures ? ?, ? ? for a message ? and for a message ? ⁇ that will likely not verify
  • Similar attack variants may fail in a similar way, as there is generally no way other quantities in the attack equation could be chosen as a function of the others: of all curve points involved, ? and ? are given and cannot be changed; the other two points, ? and ? ⁇ , both appear as inputs and outputs of hash functions in the same fashion as ? ⁇ ; and finally, the two integers ? and ? ⁇ are only extractible from the equation by directly solving an instance of the discrete logarithm problem.
  • the key faking attack may fail for batch verification of a hierarchy of keys, but potentially may apply when all involved keys are at the same level.
  • the Elliptic-curve cryptography (ECC) based protocols may be extended to quantum-resistant schemes as long as those schemes support both encryption and signatures under the same key pair.
  • the PCA 105 encrypts the certificate under which apart from an offset ? is functionally the same key
  • blind transference of LWE samples can be used for RLWE version of post-quantum protocols, which provides the possibility of blind transferences of elliptic curve points.
  • post-quantum setting it depends on the existence of an RLWE-based encryption (more precisely, key encapsulation) scheme and a digital signature scheme that can sport additively homomorphic keys, share the same key pair for their individual operations, and are similarly secure for the same set of distributions and parameters. Specifically, the sum of two private keys and s still an algebraically admissible private key ,
  • a lattice-based analogue of the ECC-based explicit protocol can be achieved, e.g., with (a minor variant of) the qTESLA digital signature scheme and the Lyubashevsky-Peikert-Regev (LPR) key encapsulation scheme further described below in relation to FIGS.5A-5B. It is worth noting that any digital signature scheme and key encapsulation scheme that is purely based on RLWE or LWE would work with the post-quantum butterfly key expansion discussed throughout this disclosure.
  • FIG.5A provides an example logic flow diagram illustrating an example RLWE- based component scheme 500a for the use of butterfly effect protocols, known as the qTESLA digital signature scheme, according to some embodiments.
  • ? be a permutation that sorts the components of a ring element u in decreasing order of their absolute magnitudes, i.e.
  • ??? ? (?) denotes the i-th largest component of ? in absolute value, that is, Furthermore, for any integer ? and for a given parameter ?, [ denotes the unique integer in such that ? mod the centered ?
  • the qTESLA digital signature scheme 500a starts at process 502, where a vehicle (e.g., 102a) computes key generation with the parameters h where n denotes the
  • ? denotes a permutation that sorts the components of a ring element u in decreasing order of their absolute magnitudes q denotes a prime number; and are the
  • sub-process 510 the scheme computes At sub-process 512, the vehicle sets the public key as ?, and the secret key as
  • parameter ? is sampled uniformly from
  • process 518 to compute at sub-process 518. If ? or
  • scheme 500a restarts. Otherwise, scheme 500a generates signature s usually represented as a short raw hash value) at subprocess 520.
  • the vehicle rejects the signature at
  • FIG.5B provides an example logic flow diagram illustrating an example RLWE- based component scheme 500b for the use of butterfly effect protocols, known as the
  • LPR Lyubashevsky-Peikert-Regev
  • the LPR scheme is a variant of the Gentry-Peikert-Vaikuntanathan (GPV) dual scheme
  • ? ∈ ℕ is the lattice dimension
  • ? ∈ ℕ is a prime
  • ? and ? are suitable distribution parameters
  • ? ∈ ? ? ⁇ is a uniformly sampled ring element (which is shared among the users in the present scenario, but elsewhere could be individually chosen as part of the public key).
  • the encryption base ? naturally corresponds to the signing base ? and hence both are represented with the same notation.
  • uppercase letters are used to denote long, uniformly random ring elements
  • lowercase letters are used to denote short ring elements.
  • the vehicle e.g., 102a
  • the vehicle samples from un At subprocess 538 the vehicle computes
  • the public key as ? and the secret key as ?.
  • the e component remains secret but is not further used.
  • the PCA (e.g., 105) performs encryption based on parameters
  • the PCA samples At sub-process 544, the PCA encodes ? as ? truncat ed to, ? out of ? coefficients. At sub-process 546, the PCA computes the
  • the vehicle decrypts the cipher text based on , , , , ,
  • the RLWE-based component schemes described in Figures 5A-5B provide a post-quantum secure approach for issuing multiple pseudonym certificates from a small piece of information, while traditionally most encryption schemes are vulnerable to post-quantum attacks (e.g., in a traditional SCMS). Thus, the RLWE-based component schemes described in Figures 5A-5B improve the long-term security of SCMS.
  • FIG.6 provides an example table that compares the ECC-based (pre-quantum) and the lattice-based (post-quantum) variants of the explicit butterfly protocol, according to some embodiments described herein.
  • ? denotes the random sampling of a value u from
  • Gaussian distribution on Z with standard deviation ? taking seed as the seed of the pseudo-random sampler.
  • the vehicle 102a starts by generating a caterpillar private/public key pair.
  • the private caterpillar key has two components, the short ring elements (s and e), which are obtained by random sampling the zero-centered discrete Gaussian distribution ? ? ? with standard deviation s.
  • This public caterpillar key S is then sent to the RA 108 along with two suitable pseudo-random functions f(i) and g(i) that deterministically emulate sampling from ? ? ? with i as seed.
  • the RA 108 then uses the public caterpillar key S as well as the pseudo-random
  • the RA 108 shuffles keys from different vehicles (as
  • the corresponding pseudonym certificate is then created by the PCA 105.
  • the PCA 105 signs the vehicle’s public butterfly key U i , along with any required metadata (meta), using the qTESLA signature scheme described in FIG.5A and the PCA’s own private key u.
  • the set (seed i, meta, sigi ) is then encrypted using so only the vehicle who sent the
  • the request is able to decrypt the resulting package pkg. Subsequently, the encrypted package pkg is then sent to the RA 108, which forwards the package to the vehicle 102a.
  • the vehicle 102a decrypts the RA’s response using the private key
  • this set does not contain
  • the vehicle 102a first computes the public key
  • the vehicle 102a then checks the PCA’s signature sigi and, if the
  • the scheme requires the private key samples to
  • the PCA 105 cannot check this for the since the PCA does not know ? or ? ? . This will force the vehicle 102b to reject the received key if it fails to pass the checks, as it might otherwise cause genuine signatures not to verify. Fortunately, it is possible to choose parameters such that the probability of key rejection is fairly low, so that instead of receiving a fixed number of keys from the PCA 105, the vehicle 102b obtains a variable amount (albeit very close to the expected value). This also compensates for the possibility of decryption failure for the LPR scheme (although this should be negligible, even though one must use qTESLA parameters and keys).
  • the blind transference of samples may be defined
  • sample is a ring element sampled from the (zero-centered) Gaussian distribution onR with parameter
  • simulating ? ? -sampling are -indistinguishable from the point of view of the PCA 105 and other vehicles (unless they too know which are supposed to be known only by the vehicle and the RA 108). This is because the RA 108 is essentially masking the ? ? - indistinguishable element ? with another ? ? -indistinguishable element, yielding a ring element identical to that obtained from ring elements ? , which are themselves
  • the parameters ensure that all signature operations are efficient with distribution parameter (and related
  • Encryption requires functions to deterministically emulate sampling from with as the seed, until that is, they are both invertible.
  • encryption occurs in the scheme only under the key pair (and implicitly ? ⁇ ? ), so in principle the actual scheme parameters could be chosen under this premise, but the final signature key pair already forces a more stringent condition. If the final key pair is used not only for signatures but for encryption as well, then the parameters are usually double-checked (although the requirements for encryption tend to be less stringent than those for signatures, e.g. the distributions need not be as precise).
  • a public certificate ???? ? contains: a q public key of size
  • a general q signature would include a K-bit seed for the pseudo-
  • Metadata of unspecified size includes
  • an encrypted clipped certificate ??? contains a LPR capsule bits (where ? is the encryption nonce and ?
  • bits, a MAC tag ? ? of size K bits as part of the
  • the encrypted clipped certificate has a size of
  • pedestrians smart phones or other mobile systems equipped with computer and communication systems 150.
  • vehicle is not limited to terrestrial vehicles, but includes aircraft, boats, space ships, and maybe other types of mobile objects.
  • vehicle techniques can also be used by non-mobile systems, e.g. they can be used on a computer system.
  • the invention is not limited to the embodiments described above. Other embodiments and variations are within the scope of the invention, as defined by the appended claims.

Abstract

Embodiments described herein provide an implicit protocol with improved resource and bandwidth efficiency. A post-quantum secure approach for issuing multiple pseudonym certificates from a small piece of information is provided, while traditionally most encryption schemes are vulnerable to post-quantum attacks (e.g., in a traditional SCMS). Long-term security can be improved with the post-quantum protocol.

Description

SYSTEMS AND METHODS FOR A BUTTERFLY KEY EXCHANGE PROGRAM
Inventor: Paulo Barreto
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] The present application claims priority to U.S. Provisional Patent Application No. 62/720,866, “IMPLICIT SCHNORR AND THE UNIFIED POST-QUANTUM BUTTERFLY KEY EXCHANGE PROGRAM,” filed on 21 August 2018, which is hereby expressly incorporated herein by reference in its entirety.
COPYRIGHT NOTICE
[0002] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
TECHNICAL FIELD
[0003] The invention is related to privacy in vehicular communications, in particular for scenarios that use pseudonym certificates to enable secure and privacy-preserving communications between vehicles.
BACKGROUND
[0004] Vehicular entities usually communicate with each other through a secured communication mechanism. The Security Credential Management System (SCMS) has been used as a leading vehicular public-key infrastructure (VPKI) candidate design for protecting vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. Specifically, the SCMS combines an efficient and privacy-preserving method for vehicles to obtain large batches of pseudonym certificates (also known as butterfly key expansion), and an ancillary process for revoking the user's privacy in case of misbehavior, so that multiple certificates belonging to the same user can be linked together. In SCMS, however, the security of the construction relies on the hardness of the elliptic curve discrete logarithm problem (ECDLP). As a result, its security properties may be lost in a post-quantum setting, i.e., if a large-enough quantum computer is built for running Shor's algorithm, attackers may have sufficient time to solve the ECDLP in polynomial time and thus launch a successful attack on the SCMS.
SUMMARY
[0005] This section summarizes some features of the invention. Other features may be described in the subsequent sections. The invention is defined by the appended claims, which are incorporated into this section by reference.
[0006] Some embodiments of the present invention provide a method for providing digital certificates for use by devices in authentication operations. Specifically, a cocoon public key is received at a first entity for generating a digital certificate. The cocoon public key is generated by expanding a caterpillar public key with a random function, and the first entity is uninformed of which device the caterpillar public key originates from. Butterfly reconstruction credentials are generated based on the cocoon public key and a random value. A certificate is generated based on the butterfly reconstruction credentials and metadata. A hash value is generated of both the certificate and a verification public key reserved for the first entity. A signature is generated based on the random value, the hash value and a verification private key associated with the verification public key. The certificate and the signature are encrypted using the cocoon public key. The encryption package formed from the encrypted certificate and signature is sent to a second entity. The second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
[0007] Some embodiments of the present invention provide a method for using digital certificates in authentication operations. An encryption package forwarded by a second entity that is unable to decrypt the encryption package is received, at a device and from a first entity. A private cocoon key is generated for decrypting the encryption package based on a private key associated with the device and a random function. The encryption package is decrypted using the private cocoon key into a certificate and a signature. A hash value is generated of both the certificate and a verification public key reserved for the first entity. A verification private key reserved for the device is generated based on the private cocoon key and the signature. A verification public key reserved for the device is generated based on the verification public key reserved for the first entity, the hash value and butterfly reconstruction credentials. It is then verified that the generated verification public key reserved for the device and the generated verification private key satisfy a relationship.
[0008] Some embodiments of the present invention provide a method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to provide digital certificates for use by devices in authentication operations. Specifically, a cocoon public key for generating a digital certificate is received at a first entity. The cocoon public key is generated by expanding a caterpillar public key with a first random function and a second random function, and the first entity is uninformed of which device the caterpillar public key originates from. A verification public key reserved for the device is generated based on the received cocoon public key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having a seed value. A signature is generated over the verification public key reserved for the device along with metadata, a verification public key reserved for the first entity and a private key pair reserved for the first entity. A set of the seed value, the metadata and the signature is encrypted into an encryption package. The encryption package is sent to a second entity. The second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
[0009] Some embodiments of the present invention provide a method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to verify digital certificates for use by devices in authentication operations. An encryption package forwarded by a second entity that is unable to decrypt the encryption package is received, at a device and from a first entity. A private cocoon key pair for decrypting the encryption package is generated based on a caterpillar private key pair associated with the device, a first random function and a second random function. The encryption package is decrypted using the private cocoon key pair into a set of a seed value, metadata and a signature. A verification public key reserved for the device is generated based on a public cocoon key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having the seed value. A verification private key pair reserved for the device is generated based on a private cocoon key pair, the first pseudo-random value and the second pseudo-random value. It is then verified that the generated verification public key reserved for the device and the generated verification private key pair satisfy a relationship.
BRIEF DESCRIPTION OF THE DRAWINGS
[00010] Fig.1 illustrates an example SCMS infrastructure in which systems and methods of the present disclosure can operate.
[00011] FIG.2 provides an example diagram illustrating the butterfly key expansion in SCMS.
[00012] Fig.3 illustrates an embodiment of a computing device 150 which is used by any of the entities shown in Fig.1, according to some embodiments.
[00013] FIG.4 is an example table that compares existing explicit and implicit protocols with an implicit protocol with Schnorr-style signatures, according to embodiments described herein.
[00014] FIG.5A provides an example logic flow diagram illustrating an example RLWE- based component scheme for the use of butterfly effect protocols, known as the qTESLA digital signature scheme, according to some embodiments.
[00015] FIG.5B provides an example logic flow diagram illustrating an example RLWE- based component scheme for the use of butterfly effect protocols, known as the Lyubashevsky- Peikert-Regev (LPR) digital signature scheme, according to some embodiments.
[00016] FIG.6 provides an example table that compares the ECC-based (pre-quantum) and the lattice-based (post-quantum) variants of the explicit butterfly protocol, according to some embodiments described herein.
DETAILED DESCRIPTION OF SOME EMBODIMENTS
[00017] This description and the accompanying drawings that illustrate aspects, embodiments, implementations, or applications should not be taken as limiting—the claims define the protected invention. Various mechanical, compositional, structural, electrical, and operational changes may be made without departing from the spirit and scope of this description and the claims. In some instances, well-known circuits, structures, or techniques have not been shown or described in detail as these are known to one skilled in the art. Like numbers in two or more figures represent the same or similar elements.
[00018] In this description, specific details are set forth describing some embodiments consistent with the present disclosure. Numerous specific details are set forth in order to provide a thorough understanding of the embodiments. It will be apparent to one skilled in the art, however, that some embodiments may be practiced without some or all of these specific details. The specific embodiments disclosed herein are meant to be illustrative but not limiting. One skilled in the art may realize other elements that, although not specifically described here, are within the scope and the spirit of this disclosure. In addition, to avoid unnecessary repetition, one or more features shown and described in association with one embodiment may be incorporated into other embodiments unless specifically described otherwise or if the one or more features would make an embodiment non-functional.
[00019] The following notations are used throughout the description:
r, e – random numbers;
sig – a digital signature;
cert – a digital certificate;
meta – metadata of the digital certificate;
U, ? – public signature keys (stylized ?: reserved for the pseudonym certificate authority);
u, ? – private signature keys associated with U, ?;
S, s – public and private caterpillar keys;
??, ?̂ – public and private cocoon keys;
V – public key reconstruction credential;
b – number of cocoon keys in a batch of certificates;
f, g – pseudo-random functions;
????? – hash of bitstring str;
Enc(K, str) – encryption of bitstring str with encryption key K.
Introduction
[0020] Fig.1 illustrates an example SCMS infrastructure in which systems and methods of the present disclosure can operate. Devices 102a-c, which may be a vehicle, a mobile device, and/or the like, may communicate through the SCMS infrastructure 103.
[0021] In SCMS, each device 102a-c receives two types of certificates: an enrollment certificate, which has a long expiration time and identifies a valid device in the system, and multiple pseudonym certificates, each of which has a short validity period (e.g., a few days). A number C (e.g., ? ^ 1 ) of pseudonym certificates may be valid simultaneously. To protect privacy, a particular vehicle (e.g., 102a or 102b) may then frequently change the pseudonym certificate employed in its communications, thus avoiding tracking by nearby vehicles or by roadside units. In some implementations, the number of pseudonym certificates ? is usually limited to a small number to avoid “sybil-like” attacks, in which one vehicle poses as a platoon aiming to get some advantage over the system. For example, such a fake platoon could end up receiving preferential treatment from traffic lights programmed to give higher priority to congested roads.
[0022] SCMS is configured to allow the distribution of multiple pseudonym certificates to vehicles 102a-c in an efficient manner, while providing mechanisms for easily revoking them in case of misbehavior by their owners. As shown in FIG.1, the SCMS infrastructure 103 includes a Pseudonym Certificate Authority (PCA) 105 that is responsible for issuing pseudonym certificates to devices 102a-c. The Registration Authority (RA) 108 receives and validates requests for batches of pseudonym certificates from devices 102a-c, which are identified by their enrollment certificates, via the location obscurer proxy 112. Those requests are individually forwarded to the PCA 105, where requests associated with different devices are shuffled together so the PCA 105 cannot link a group of requests to the same device.
[0023] In some embodiments, the PCA 105 may include one or more distributed PCA(s), which are connected to a root certificate authority 118 via one or more intermediate certificate authorities 117. The root certificate authority 118 may interface with the SCMS manager cloud 120 to receive control commands, configuration data, etc. from the manager cloud 120.
[0024] The SCMS infrastructure 103 further includes Linkage Authority (LA) modules, e.g., 115a-b. The LA modules 115a-b generate random-like bit-strings that are added to certificates so the certificates can be efficiently revoked (namely, multiple certificates belonging to the same device can be linked together by adding a small amount of information to certificate revocation lists (CRLs)). Although two LAs 115a-b are shown in the SCMS infrastructure 103, additional LAs may be supported.
[0025] The SCMS infrastructure 103 also includes a Misbehavior Authority (MA) 116 that is configured to identify misbehavior by devices and, whenever necessary, to revoke the certificates issued to the misbehaving devices by placing their certificates into a CRL. For example, the MA 116 includes a CRL generator 116c that adds the certificates of misbehaving devices to a CRL store 122 and broadcasts the revoked certificate information through a CRL broadcast module 124.
[0026] FIG.2 provides an example diagram illustrating the butterfly key expansion in SCMS. The pseudonym certificate provisioning process in SCMS provides an efficient mechanism for devices to obtain arbitrarily large batches of (short-lived) certificates with a small-sized request message. It comprises the following steps, as illustrated in FIG.2.
[0027] First, the device (e.g., vehicle 102a) generates two caterpillar private/public key pairs 2 The public caterpillar keys 201 ? and ? are then sent to the Registration Authority (RA 108) together with two suitable pseudorandom functions and ? The key ? is employed by the RA 108 in the generation of ? public cocoon signature for an arbitrary value of ?; similarly, the RA 108 uses ? for generating ? public cocoon encryption keys ? Pairs of cocoon keys 205a-n generated through the butterfly key expansion process 203, from different devices are then shuffled together by the RA 108 and sent in batch to the PCA 105 for the generation of the corresponding pseudonym certificates.
[0028] After receiving the cocoon keys, the PCA 105 computes the device's public signature key 206a-n as for a random value ??, inserts ?? into a certificate ????? containing any necessary metadata, and digitally signs this certificate. The signed certificate 207a-n, together with the value of ?? is then encrypted using ?? ?, so only the original device can decrypt the result to learn ?? and compute the corresponding private signature key
[0029] The encrypted data is also signed by the PCA 105 using its own private signature key, aiming to prevent an "honest-but-curious" RA 108 from engaging in a Man-in-the-Middle (MitM) attack. Namely, without this signature, a MitM attack by the RA 108 could be performed as follows: (1) instead of ? the RA 108 sends to the PCA 105 a fake cocoon encryption key for an arbitrary value of ?; (2) the RA 108 decrypts the PCA's response using learning the value of ??; and (3) the RA 108 re-encrypts the certificate with the correct sending the result to the device, which proceeds with the protocol as usual. As long as the device verifies the PCA's signature on the RA's response, however, the attack would fail because the RA 108 would not be able to provide a valid signature for the re-encrypted certificate 208a-n using the private signature key of the PCA 105.
[0030] The user's privacy is protected in this process as long as the RA 108 and the PCA 105 do not collude. After all, the shuffling of public cocoon keys 205a-n performed by the RA 108 prevents the PCA 105 from learning whether or not a group of keys in the batch belongs to the same device. Unlinkability of public keys towards the RA 108, in turn, is also obtained because the latter does not learn the value of ??, randomized by the PCA 105 using ??.
[0031] The butterfly key expansion process shown in FIG.2 is generally quite efficient, but sometimes may consume significant processing resources and bandwidth, especially when implemented with the SCMS system shown in FIG. 1.
[0032] Fig.3 illustrates an embodiment of a computing device 150 which is used by any of the entities shown in Fig. 1, according to some embodiments. For example, the computing device 150 may be housed within the vehicle 102a-b, the PCA 105, the RA 108, etc.
[0033] As shown in Fig.3, computing device 150 includes one or more computer processors 150P coupled to computer storage (memory) 150S, and wireless communication equipment 150W for radio communications. Operation of computing device 150 is controlled by processor 150P, which may be implemented as one or more central processing units, multi-core processors, microprocessors, microcontrollers, digital signal processors, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), graphics processing units (GPUs), tensor processing units (TPUs), and/or the like in computing device 150P.
[0034] Memory 150S may be used to store software executed by computing device 150 and/or one or more data structures used during operation of computing device 150. Memory 150S may include one or more types of machine-readable media. Some common forms of machine readable media may include floppy disk, flexible disk, hard disk, magnetic tape, any other magnetic medium, CD-ROM, any other optical medium, punch cards, paper tape, any other physical medium with patterns of holes, RAM, PROM, EPROM, EEPROM, FLASH-EPROM, any other memory chip or cartridge, and/or any other medium from which a processor or computer is adapted to read.
[0035] Processor 150P and/or memory 150S may be arranged in any suitable physical arrangement. In some embodiments, processor 150P and/or memory 150S may be implemented on a same board, in a same package (e.g., system-in-package), on a same chip (e.g., system-on-chip), and/or the like. In some embodiments, processor 150P and/or memory 150S may include distributed, virtualized, and/or containerized computing resources. Consistent with such embodiments, processor 150P and/or memory 150S may be located in one or more data centers and/or cloud computing facilities. In some examples, memory 150S may include non-transitory, tangible, machine readable media that includes executable code that when run by one or more processors (e.g., processor 150P) may cause the computing device 150, alone or in conjunction with other computing devices in the environment, to perform any of the methods described further herein.
[0036] Computing device or equipment 150 may include a user interface 150i, e.g., such as present in a smartphone, an automotive information device, or some other type of device, for use by pedestrians, vehicle drivers, passengers, traffic managers, and possibly other people.
A Schnorr-Style Variant Of The Implicit Protocol
[0037] In view of the need for a protocol with improved resource and bandwidth efficiency, a Schnorr-style variant protocol is provided. FIG.4 is an example table that compares existing explicit and implicit protocols with an implicit protocol with Schnorr-style signatures, according to embodiments described herein. The existing explicit protocol 401, the existing implicit protocol 402 and the implicit Schnorr protocol 403 employ the same process for the vehicles 102a-b to generate and send a public key to the PCA 105 via the RA 108, as described in FIG.2.
[0038] In all three protocols 401-403, the vehicle 102a starts by picking a random caterpillar private key s and computing the corresponding caterpillar public key S = s·G. The vehicle 102a then sends S, together with a pseudorandom instance f, to the RA 108.
[0039] In response to the vehicle's request, the RA 108 expands the caterpillar public key S into b cocoon public Since f is shared only among the vehicle 102a and the RA 108, the resulting cocoon keys are unlinkable to the original S from the perspective of any entity other than the vehicle 102a and the RA 108. The RA 108 then sends each individual to the PCA 105, while shuffling together requests associated with different batches to ensure their unlinkability.
[0040] The PCA 105 receives, from the RA 108, the cocoon public key and randomizes by adding riG to it, for a randomly picked ri. For existing explicit certificates in protocol 401, the resulting elliptic curve point is used directly as the vehicle's butterfly public key Ui; it is then placed into a certificate together with any required metadata (e.g., a validity period), and signed. For existing implicit certificates with protocol 402, the randomized point is used as the butterfly reconstruction credential Vi; it is also combined with some metadata, and then signed. In all cases for protocols 401-403, the resulting certificate is encrypted with the originally provided and sent back to the RA 108. The RA 108, unable to decrypt the PCA's response pkg, simply forwards it back to the requesting vehicle 102a, in batch.
[0041] Finally, the vehicle 102a computes the key for decrypting pkg. It then verifies that the retrieved certificate is indeed valid. This is done either by checking its signature (for explicit certificates) or by performing the corresponding key verification process (for implicit certificates). As long as such verification is successful, the keys obtained can be used for signing messages sent to other vehicles.
[0042] Specifically, at the PCA 105, the implicit Schnorr protocol 403 adopts a Schnorr variant in key generation. The implicit Schnorr protocol 403 generates a hash of both the certificate and an intended verification public key, , where ? denotes the public keys and certi denotes certificates. The previous schemes 401 and 402 only hash certificates and metadata (presumably, vehicle signatures only include messages and possibly metadata as well). Thus, by including the intended verification public key ? in the hash, the implicit Schnorr protocol 403 is able to thwart attacks against several keys at once. This effective measure may be implemented for all signatures (not only those of certificates, but future ones generated and verified by vehicles using their certified keys) to improve the robustness of the public keys. The PCA 105 then generates a signature based at least in part on the hash and a private key u, encrypts the certificate and the signature with the public key, and sends the encrypted certificate and signature to the device.
[0043] In some embodiments, the implicit Schnorr protocol 403 further provides implicit private key recovery at the vehicle 102a. The private key recovery equation used in the existing implicit protocol 402 involves a modular multiplication:
Figure imgf000013_0002
Instead, in the implicit Schnorr protocol 403, the vehicle 102a recovers its private key via the following equation, which involves only a modular addition:
Figure imgf000013_0005
In this way, the implicit Schnorr protocol 403 recovers the private key faster, and an isochronous implementation that defends against side-channel leakage comes at no loss of efficiency; moreover, the structure of the computation matches the corresponding computation in the explicit protocol 401.
[0044] In some embodiments, the implicit Schnorr protocol 403 adopts implicit private key verification. In the existing implicit scheme 402, other vehicles implicitly trust the PCA 105 by mixing its public key U with the received key V_i and the hashed certificate h_i, but the signing vehicle itself performs no verification at all of the received encrypted certificate, e.g.,
Figure imgf000013_0004
Figure imgf000013_0006
This might be a point of protocol security failure. To prevent it, the implicit Schnorr protocol 403 makes the received key element sig_i formally similar to a signature element, so that the requesting vehicle can check it. For example, in the existing implicit scheme 402, the vehicle 102a-b can verify the received certificate (and hence its private key) by checking that
Figure imgf000013_0007
102a-b does so by checking that
Figure imgf000013_0001
Although this check adds to private key recovery either a full-length (existing scheme 402) or a half-length (implicit Schnorr protocol 403) multiplication by scalar, it serves as a security measure against a threat that existing protocols have not addressed.
[0045] In some embodiments, the implicit Schnorr protocol 403 adopts implicit public key recovery. The existing implicit protocol 402 adopts a public key recovery equation which involves a multiplication by scalar where the curve point is different for each
Figure imgf000013_0003
vehicle. No optimization opportunities are clear in this approach for a generic choice of the underlying elliptic curve. The implicit Schnorr protocol 403 instead adopts the public key recovery equation
Figure imgf000014_0006
, which involves a multiplication by scalar where the curve point (namely, the PCA public key) is one and the same for all vehicles, so that dedicated code and
Figure imgf000014_0007
precomputation can be adopted to speed up the recovery operation. For instance, if the scalars are 256 bits long and written in hex, namely
Figure imgf000014_0003
Figure imgf000014_0002
for all 0 by precomputing and storing a single, fixed
Figure imgf000014_0004
Figure imgf000014_0005
one could implement the computation of
Figure imgf000014_0001
at a fixed cost of at most 63 point additions (rather than 255 point doublings plus an average of about 85 further point additions, even if a non-adjacent form (NAF) is adopted). In this way, the implicit public key recovery mechanism of the implicit Schnorr protocol 403 can be about 3 to 4 times faster than plain scalar multiplication.
[0046] It is worth noting that an isochronous implementation is not necessary for the public key recovery operation described above, as all quantities involved (h_i and the PCA public key) are public. The fixed, shared precomputed table occupies exactly 32 KB at the classical 128-bit security level with 256-bit keys (64 hex positions, 16 entries per position, 32 bytes per entry).
[0047] In some embodiments, the implicit Schnorr protocol 403 adopts implicit PCA signing. The PCA signing equation adopted by the existing implicit protocol 402 involves a modular multiplication where both factors are different for each
Figure imgf000014_0008
vehicle. No optimization opportunities are clear in this approach. Instead, the implicit Schnorr protocol 403 adopts a PCA signing equation which involves a modular
Figure imgf000014_0009
multiplication where one of the factors (namely, the PCA private key u) is one and the same for all vehicles, so that a precomputed table lookup technique similar to the one above can be adopted to speed up certificate generation.
[0048] In this case, however, because the fixed factor is private, one needs to adopt an isochronous approach, as shown in Table 1
Figure imgf000015_0004
defined for the p-th step. Each step involves an isochronous sequential search for the proper hex digit h_{i,p} among the 16 possibilities, after which the selected entry is added by a modular addition into the
Figure imgf000015_0005
accumulator (the modular reduction can even be postponed until the end, since the sum of 64 values is no more than 256 + 6 bits long).
Figure imgf000015_0007
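The following Python program is an added example and not code from the patent or from LG. It realizes the structure the text describes for the implicit Schnorr protocol 403 (a hash over the certificate body and the PCA's verification key, a PCA signature element sig_i = r_i + h_i·u that the requesting vehicle can check, private key recovery by a single modular addition, and public key recovery by one multiplication of the fixed PCA public key), together with the hex-digit tables of paragraphs [0045]-[0048]: a shared 64 × 16 point table for the public key, used with at most 63 point additions, and a masked 16-entry scan for the private scalar. The curve (secp256k1), the hash (SHA-256, used at full length), the certificate packing and all names are assumptions, since the patent's equations are images not reproduced on this page; the masked selection only mirrors the isochronous pattern, as CPython gives no timing guarantee.

```python
# Added example, not the patent's or LG's code: implicit Schnorr protocol 403 in the
# shape the text describes, plus the hex-digit tables of [0045]-[0048].
# Assumed: curve secp256k1, SHA-256 used at full length, 64 hex digits per scalar.
# Pure Python, affine arithmetic; constant-time only as a pattern (see ct_select).
import hashlib
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity

def add(A, B):
    """Affine point addition; also handles doubling and the point at infinity."""
    if A is INF or B is INF:
        return B if A is INF else A
    if A[0] == B[0]:
        if (A[1] + B[1]) % P == 0:
            return INF
        lam = 3 * A[0] * A[0] * pow(2 * A[1], -1, P) % P
    else:
        lam = (B[1] - A[1]) * pow(B[0] - A[0], -1, P) % P
    x = (lam * lam - A[0] - B[0]) % P
    return (x, (lam * (A[0] - x) - A[1]) % P)

def mul(k, A):
    """Plain double-and-add: ~256 doublings plus ~128 additions for a 256-bit k."""
    R = INF
    for bit in bin(k % N)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, A)
    return R

def H(V, meta, U):
    """Protocol 403 hash: covers the certificate body AND the verification key U."""
    data = b"".join(c.to_bytes(32, "big") for c in V + U) + meta
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def make_point_table(A):
    """[0045]: T[p][d] = d * 16^p * A for 0 <= p < 64, 0 <= d < 16.
    1024 entries, i.e. 32 KB at 32 bytes per entry; built once, shared by all."""
    table, base = [], A
    for _ in range(64):
        row = [INF]
        for _ in range(15):
            row.append(add(row[-1], base))
        table.append(row)
        for _ in range(4):  # base <- 16 * base
            base = add(base, base)
    return table

def fixed_base_mul(h, table):
    """h*A as a sum of table entries: no doublings, at most 63 point additions.
    Returns (point, additions performed).  h and A are public: not isochronous."""
    R, adds = INF, 0
    for p in range(64):
        d = (h >> (4 * p)) & 0xF
        if d:
            adds += R is not INF
            R = add(R, table[p][d])
    return R, adds

def make_scalar_table(u):
    """[0047]: T[p][d] = u * d * 16^p mod N for the fixed private scalar u."""
    return [[u * d * pow(16, p, N) % N for d in range(16)] for p in range(64)]

def ct_select(row, d):
    """Scan all 16 entries and keep the wanted one by masking, never branching
    on d (the Table 1 pattern; CPython itself gives no timing guarantee)."""
    out = 0
    for j, v in enumerate(row):
        x = j ^ d
        out |= v & -(1 - ((x | -x) >> 63 & 1))  # mask is all ones iff j == d
    return out

def ct_mul_by_private(h, table):
    """u*h mod N from 64 lookups; one final reduction suffices, since the sum of
    64 values below N is at most 256 + 6 bits long."""
    acc = 0
    for p in range(64):
        acc += ct_select(table[p], (h >> (4 * p)) & 0xF)
    return acc % N

def pca_issue(X, meta, u, U, utable):
    """PCA: X is the cocoon public key; V is the reconstruction credential and
    sig = r + h*u (mod N) is a checkable signature element."""
    r = secrets.randbelow(N - 1) + 1
    V = add(X, mul(r, G))
    return (V, meta), (r + ct_mul_by_private(H(V, meta, U), utable)) % N

def vehicle_finish(x, X, cert, sig, U, Utable):
    """Requesting vehicle: u_i = x + sig (one modular addition), U_i = V + h*U
    (one multiple of the fixed PCA key), and the [0044] check sig*G == (V - X) + h*U."""
    V, meta = cert
    hU = fixed_base_mul(H(V, meta, U), Utable)[0]
    ok = mul(sig, G) == add(add(V, (X[0], -X[1] % P)), hU)
    return (x + sig) % N, add(V, hU), ok

def demo(meta=b"validity:2019-08-21/2019-08-28"):
    """Constructed run: returns (vehicle check passed, u_i*G == U_i)."""
    u, x = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    U, X = mul(u, G), mul(x, G)  # PCA key pair, vehicle cocoon key pair
    cert, sig = pca_issue(X, meta, u, U, make_scalar_table(u))
    u_i, U_i, ok = vehicle_finish(x, X, cert, sig, U, make_point_table(U))
    return ok, mul(u_i, G) == U_i
```

Any other vehicle recovers U_i exactly as vehicle_finish does, from V, meta and U alone, and the table for U is the same for all of them. The private-scalar table costs nothing in certificate latency once built, but it must be stored with the same protection as u itself.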
Schnorr variants
[0049] In some embodiments, a Schnorr-style scheme at the λ-bit security level is used for all signatures, so that modular integers are 2λ bits long (full-length) while hash values can be only λ bits long (half-length), because Schnorr-style signatures only require preimage resistance of the hash. Here, it is assumed that the signature scheme hashes the intended verification key together with the nonce and the metadata or message.
[0050] Let L denote the cost of one full-length multiplication by scalar. The costs of hashing and of a single point addition may be ignored here, as they tend to be much smaller than the other costs involved (for instance, the cost of one point addition is roughly only a fraction 1/(2λ) of L, which is small at practical security levels). The most common form of a Schnorr-style signature for a message m under a key pair
Figure imgf000015_0006
corresponding to a signing process where the signer samples a pseudo-random integer ? and computes
Figure imgf000015_0002
Other forms of the Schnorr-style signature are also possible; e.g., an equivalent and interchangeable form is (R, s), whereby verification consists of computing h ← H(R, U, m) and checking whether
Figure imgf000015_0003
Figure imgf000015_0001
Implicit vs. explicit protocols
[0051] In some embodiments, if the PCA 105 issues a key pair
Figure imgf000016_0022
an example scenario of use of vehicular keys may include: vehicle
Figure imgf000016_0008
signs some message using its private key u_A and sends it to vehicle B (e.g., 102b) together with the certificate from which the public key
Figure imgf000016_0023
can be extracted (explicit variant) or
Figure imgf000016_0034
inferred (implicit variant), and then used to verify the signed message. The certificate
Figure imgf000016_0029
prepared by the PCA 105, contains either
Figure imgf000016_0024
itself and a signature
Figure imgf000016_0006
such that
Figure imgf000016_0030
Figure imgf000016_0019
in the explicit variant, or else a point ?? such that
Figure imgf000016_0007
Figure imgf000016_0001
in the implicit variant. To sign ?? under
Figure imgf000016_0005
vehicle A samples a pseudo-random integer computes assembles the
Figure imgf000016_0028
Figure imgf000016_0004
signature
Figure imgf000016_0003
Afterwards, vehicle B verifies the signed message by checking that
Figure imgf000016_0018
Figure imgf000016_0002
Relative efficiency
[0052] As described above, the implicit form may have an efficiency advantage over the explicit form. Indeed, recovering the implicitly verified key U_A requires only a half-length multiplication by scalar, while an explicitly verified key incurs one full-length and one half-length multiplication. This is true if the explicit form adopts the more common
Figure imgf000016_0031
signature form. However, if the alternative form is adopted instead, the implicit form may
Figure imgf000016_0027
not appear to have a significant advantage.
[0053] Specifically, upon receiving an implicit certificate together with a message m
Figure imgf000016_0026
Figure imgf000016_0021
signed as
Figure imgf000016_0009
, vehicle B must recover the key at the cost L/2 of a half-
Figure imgf000016_0020
Figure imgf000016_0017
length multiplication by scalar, then verify the signature on m by checking that
Figure imgf000016_0016
at the cost of a full-length multiplication by scalar and a half-length
Figure imgf000016_0010
multiplication by scalar, or roughly 3L/2. Therefore, the combined cost is 2L. This cost does
Figure imgf000016_0025
not change whichever signature form is adopted.
Figure imgf000016_0011
[0054] By comparison, with signatures in the alternative form, upon receiving an
Figure imgf000016_0032
explicit certificate signed as shown together with a message m signed as
Figure imgf000016_0033
Figure imgf000016_0012
vehicle B can verify the certificate and the signed message in batch, by computing
Figure imgf000016_0014
and checking whether
Figure imgf000016_0015
Figure imgf000016_0013
at a cost of a full-length multiplication by scalar and two half-length
Figure imgf000017_0004
multiplications by scalar, or roughly 2L. This is essentially the same cost as the implicit variant.
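As an added worked derivation, not part of the patent text (whose signature equations appear only as images on this page), the two costs above can be written out under the (R, s) signature form of [0050], in which a signature on m under key U is a pair (R, s) with h = H(R, U, m) and verification checks s·G = R + h·U. The symbols follow the page; the equations themselves are an assumption consistent with the costs stated, and U_PCA denotes the PCA public key.

Explicit certificate on vehicle A's key, signed by the PCA, and a message m signed by vehicle A:
\[
\mathrm{cert}_A = (U_A, \mathrm{meta}, R_c, s_c),\qquad h_c = \mathcal{H}(R_c, U_{\mathrm{PCA}}, U_A \,\|\, \mathrm{meta}),\qquad s_c G = R_c + h_c U_{\mathrm{PCA}},
\]
\[
(R_m, s_m),\qquad h_m = \mathcal{H}(R_m, U_A, m),\qquad s_m G = R_m + h_m U_A .
\]
Adding the two verification equations gives the batch check of [0054]:
\[
(s_c + s_m)\, G \;\stackrel{?}{=}\; (R_c + R_m) + h_c U_{\mathrm{PCA}} + h_m U_A ,
\]
whose cost is one full-length multiplication (s_c + s_m is a 2λ-bit integer modulo the group order) plus two half-length ones (h_c and h_m are λ-bit hash values):
\[
L + \tfrac{L}{2} + \tfrac{L}{2} = 2L .
\]
Implicit certificate (V_A, meta), with h_A = H(V_A, U_PCA, meta): vehicle B first recovers the key and then verifies the message signature,
\[
U_A = V_A + h_A U_{\mathrm{PCA}} \;\;(\tfrac{L}{2}),\qquad s_m G \stackrel{?}{=} R_m + h_m U_A \;\;(L + \tfrac{L}{2}),
\]
for the same total of 2L. If multiples of the fixed point U_PCA are obtained from a precomputed table at cost εL instead of L/2, the term h_c U_PCA (explicit) or h_A U_PCA (implicit) is the only one affected, and both totals become 3L/2 + εL.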
[0055] Therefore, the implicit variant and the explicit form may achieve comparable processing efficiency (with the implicit variant possibly having a marginal advantage when
Figure imgf000017_0005
is used). It is worth noting that this assessment is not affected by the availability of the table-based implementation suggested previously: both the implicit and the explicit forms would benefit equally from it, and the overall cost would decrease to 3L/2 + εL if the actual cost of computing h_i·U were only εL (0 < ε ≪ 1) rather than L/2.
Figure imgf000017_0006
Attacking and defending batch verification
[0056] In general, batch verification must be deployed with care to prevent attacks. The butterfly structure of the implicit Schnorr protocol 403, however, automatically protects against such attacks. For example, the attacks on multisignatures discussed by M. Bellare and G. Neven ("Multisignatures in the Plain Public-Key Model and a General Forking Lemma", Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), pp. 390-399, 2006, DOI: 10.1145/1180405.1180453) do not affect the implicit Schnorr protocol 403. The reason is that the very countermeasure adopted in the Bellare-Neven work, namely multiplying each involved public key by a different hash, is already embedded in the scheme definition of the implicit Schnorr protocol 403 (more precisely, the signatures here never cease to be individual rather than collective). In addition, naive multisignatures require the same hash value to be signed by all participants, and the Bellare-Neven scheme thwarts the attack by forcing independent hash values to be signed. In the implicit Schnorr protocol 403, the hash values are naturally different to begin with; only the verification process is expedited by the batch mechanism.
The key faking attack
[0057] If U is a genuine public key and an attacker is allowed to pick their public key U' at will, the attacker can mount the following attack. The attacker's goal is to come up with fake signatures (R, s) and (R', s') for a message m and for a message m' that will likely not verify
Figure imgf000017_0003
separately (nor are they required to), e.g., most likely
Figure imgf000017_0002
, but that do verify in batch, i.e.
Figure imgf000017_0001
Figure imgf000017_0007
Figure imgf000018_0002
To attain that goal, the attacker chooses points R and R' and integers s and s' uniformly at random, and messages m and m' at will. Then the attacker defines
Figure imgf000018_0001
Attack failure against butterflies
[0058] Such a key faking attack, however, does not work against the butterfly protocol. One aspect of the butterfly protocols is that the PCA 105 only ever signs the vehicles' public keys. Therefore, the above attack is only meaningful when U is the PCA's public key and the message signed under it is the attacker's own public key U', the attacker, who is not a genuine participant vehicle in the system, intending to convince other vehicles otherwise by sending them fake certificates and messages that would verify in batch. But in that case the attack equation becomes
Figure imgf000018_0003
whereby U' must be provided beforehand as part of its own definition. Thus, the choice of a public key is no longer free, as the attacker requires, which thwarts the attack.
[0059] Similar attack variants fail in the same way, as there is generally no way other quantities in the attack equation could be chosen as a function of the others: of all curve points involved, G and U are given and cannot be changed; the other two points, R and R', both appear as inputs and outputs of hash functions in the same fashion as U'; and finally, the two integers s and s' are only extractable from the equation by directly solving an instance of the discrete logarithm problem.
[0060] In general, the key faking attack fails for batch verification of a hierarchy of keys, but may potentially apply when all involved keys are at the same level.
Hierarchical batch verification security
[0061] Conversely, if the butterfly protocol with the variant Schnorr-style signatures were insecure with regard to hierarchical batch verification, then the attacker would be able to solve the discrete logarithm problem and extract the two integers s and s'. Specifically, the attacker would be able to retrieve the PCA's private key from G and the corresponding public key U alone.
[0062] Indeed, if the attacker, when given G and U, could come up with a public key U' and two pairs
Figure imgf000018_0006
satisfying the batch verification equation ¢
Figure imgf000018_0005
they could apply the Pointcheval-Stern technique of
Figure imgf000018_0004
running the same Turing machine that describes this process with the same randomness input but different hash oracles, and end up with three such equations for the same fake signatures (under three different hash oracles). Thus, even if the attacker did not know the discrete logarithms of R + R' and U' (let alone that of U) to the base G, in the end the attacker would obtain a determinate linear system in those three unknowns, and thus recover the private key corresponding to U.
Post-Quantum Butterfly Key Expansion for Vehicular Communications
[0063] In some embodiments, the elliptic-curve cryptography (ECC) based protocols may be extended to quantum-resistant schemes as long as those schemes support both encryption and signatures under the same key pair. For example, in all schemes, the PCA 105 encrypts the certificate under
Figure imgf000019_0004
which, apart from a random offset, is functionally the same key
Figure imgf000019_0001
Figure imgf000019_0002
that will later be used to verify signatures. This requires the encryption and signing key pairs to have the same algebraic/combinatorial nature. While this is possible in the ECC setting, the requirement precludes most post-quantum candidate cryptosystems. Specifically, it precludes hash-based schemes (which only support signatures), multivariate schemes (which mostly support signatures, while their encryption/key encapsulation mechanism (KEM) variants are much less scrutinized for security and require entirely different algorithms and parameters), and code-based and isogeny-based schemes (which mostly support encryption/KEM, while signatures are very hard to obtain, inefficient when available, and require entirely different parameters). In general, however, it does not preclude lattice-based cryptosystems, in particular those schemes that rely on the ring learning with errors (RLWE) assumption (specifically, where keys have the form
Figure imgf000019_0003
e + s·G for short private vectors s and e sampled from a suitable distribution and a uniformly random public vector G), as encryption and signature schemes in this family differ in much less disparate ways than in other families of post-quantum proposals. Therefore, with a proper choice of algorithms and, above all, distributions and parameters, it is possible to attain the same functionality with post-quantum protocols as with the ECC protocols.
[0064] In some embodiments, the blind transference of LWE samples can be used in the RLWE version of the post-quantum protocols, playing the role of the blind transference of elliptic curve points. In the post-quantum setting, this depends on the existence of an RLWE-based encryption (more precisely, key encapsulation) scheme and a digital signature scheme that have additively homomorphic keys, share the same key pair for their individual operations, and are similarly secure for the same set of distributions and parameters. Specifically, the sum of two private keys
Figure imgf000020_0015
and
Figure imgf000020_0019
is still an algebraically admissible private key
Figure imgf000020_0001
,
The sum of the corresponding public keys S and S' is still an
Figure imgf000020_0011
Figure imgf000020_0002
algebraically admissible public key, and is precisely the public key that naturally corresponds to the sum of the private keys. This can be achieved, for instance, when the keys have the form
Figure imgf000020_0013
a
Figure imgf000020_0012
[0065] In some embodiments, a lattice-based analogue of the ECC-based explicit protocol can be achieved, e.g., with (a minor variant of) the qTESLA digital signature scheme and the Lyubashevsky-Peikert-Regev (LPR) key encapsulation scheme further described below in relation to FIGS.5A-5B. It is worth noting that any digital signature scheme and key encapsulation scheme that is purely based on RLWE or LWE would work with the post-quantum butterfly key expansion discussed throughout this disclosure.
[0066] FIG. 5A provides an example logic flow diagram illustrating an example RLWE-based component scheme 500a for use in the butterfly protocols, namely the qTESLA digital signature scheme, according to some embodiments. Let π be a permutation that sorts the components of a ring element u in decreasing order of their absolute magnitudes, i.e.
Figure imgf000020_0021
Figure imgf000020_0010
In what follows, max_i(u) denotes the i-th largest component of u in absolute value, that is,
Figure imgf000020_0007
Furthermore, for any integer x and for a given parameter d,
Figure imgf000020_0020
denotes the unique integer in the indicated centered range that is congruent to x modulo the indicated power of two (i.e. the centered d
Figure imgf000020_0006
Figure imgf000020_0008
Figure imgf000020_0009
least significant bits of x) and [x]_M denotes the value (i.e. the corresponding
Figure imgf000020_0018
centered most significant bits of x), with [u]_L and [u]_M denoting the application of these operations to all coefficients of u.
[0067] The qTESLA digital signature scheme 500a starts at process 502, where a vehicle (e.g., 102a) performs key generation with the parameters where n denotes the
Figure imgf000020_0014
dimension of the key; π denotes a permutation that sorts the components of a ring element u in decreasing order of their absolute magnitudes; q denotes a prime number; and
Figure imgf000020_0016
Figure imgf000020_0017
are the chosen qTESLA parameters that bound the random sampling; and G denotes a uniformly sampled ring element. Specifically, at sub-process 506, s is sampled from the zero-centered discrete Gaussian distribution until
the bound on the largest components max_i(·) is satisfied. At sub-process 508, e is sampled from the same distribution until
Figure imgf000020_0004
Figure imgf000020_0005
Figure imgf000020_0003
At sub-process 510, the scheme computes
Figure imgf000021_0008
At sub-process 512, the vehicle sets the public key and the secret key as
Figure imgf000021_0009
[0068] At process 503, PCA 105 signs with parameters
Figure imgf000021_0010
Specifically, at sub-process 514, a ring element is sampled uniformly from
Figure imgf000021_0011
process
Figure imgf000021_0012
, computes
Figure imgf000021_0001
Next, if the bound on max_i(·) is violated, scheme 500a restarts. Otherwise, scheme 500a proceeds to sub-
Figure imgf000021_0002
process 518 to compute
Figure imgf000021_0006
at sub-process 518. If ? or
Figure imgf000021_0005
Figure imgf000021_0013
the scheme 500a restarts. Otherwise, scheme 500a generates the signature at sub-process 520 (where the hash component is usually represented as a short raw hash value).
Figure imgf000021_0014
[0069] At process 504, the vehicle verifies the signatures with parameters
Specifically, if the vehicle rejects the
Figure imgf000021_0007
Figure imgf000021_0004
signature at 522. Otherwise, the scheme 500a proceeds to sub-process 524 to compute
Figure imgf000021_0015
the vehicle rejects the signature at
Figure imgf000021_0003
522, otherwise the vehicle accepts the signature at 526.
[0070] FIG. 5B provides an example logic flow diagram illustrating an example RLWE-based component scheme 500b for use in the butterfly protocols, namely the Lyubashevsky-Peikert-Regev (LPR) encryption scheme, according to some embodiments. The LPR scheme is a variant of the Gentry-Peikert-Vaikuntanathan (GPV) dual scheme (discussed in C. Gentry, C. Peikert, and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions", STOC 2008, pp. 197-206, 2008, which is hereby expressly incorporated by reference herein in its entirety), which in turn is a dual variant of the original Regev cryptosystem (discussed in O. Regev, "On lattices, learning with errors, random linear codes, and cryptography", STOC 2005, pp. 84-93, 2005, which is hereby expressly incorporated by reference herein in its entirety). One of the differences is that, in LPR, both the public key and the encryption nonce are (R)LWE samples, while in GPV and Regev either the nonce or the public key is the syndrome of an (R)LWE sample.
[0071] In what follows, n ∈ ℕ is the lattice dimension, q ∈ ℕ is a prime, two suitable distribution parameters are fixed, and G is a uniformly sampled ring element (which is shared among the users in the present scenario, but elsewhere could be individually chosen as part of the public key). The encryption base naturally corresponds to the signing base G, and hence both are represented with the same notation. Here, uppercase letters denote long, uniformly random ring elements, and lowercase letters denote short ring elements.
[0072] At process 532, the vehicle (e.g., 102a) performs key generation using the parameters (n, q, σ). Specifically, at sub-process 536, the vehicle samples
Figure imgf000022_0016
from un At
Figure imgf000022_0017
Figure imgf000022_0008
subprocess 538, the vehicle computes At sub-process 540, the vehicle sets
Figure imgf000022_0004
the public key as the computed LWE sample S, and the secret key as its short component s. Here, the e component remains secret but is not further used.
[0073] At process 533, the PCA (e.g., 105) performs encryption based on parameters
where l denotes the encryption length. Specifically, at sub-process
Figure imgf000022_0003
542, the PCA samples the short ring elements. At sub-process 544, the PCA encodes the message m as
Figure imgf000022_0009
truncated
Figure imgf000022_0006
to l out of n coefficients. At sub-process 546, the PCA computes the
Figure imgf000022_0002
ciphertext
Figure imgf000022_0005
[0074] At process 534, the vehicle decrypts the ciphertext based on
Figure imgf000022_0010
Specifically, at sub-process 548 the vehicle computes At sub-process 550, for all
Figure imgf000022_0011
[0075] Here,
Figure imgf000022_0007
Figure imgf000022_0001
Thus the decryption will be correct as long as
Figure imgf000022_0015
is within the error threshold of decoding, If ? is less than ? bits long (as
Figure imgf000022_0014
it typically indeed is, since it stands for an ephemeral symmetric key at the desired security level, e.g. l bits long as compared to n = 1024, or l = 256 bits long as compared to
Figure imgf000022_0012
n = 2048), the message-carrying component of the cryptogram (or of the capsule in a KEM) can be restricted to its
Figure imgf000022_0013
first ? bits, thereby considerably reducing bandwidth occupation and slightly speeding up both encryption and decryption.
[0076] The RLWE-based component schemes described in FIGS. 5A-5B provide a post-quantum secure approach for issuing multiple pseudonym certificates from a small piece of information, whereas the encryption schemes traditionally used (e.g., in a traditional SCMS) are vulnerable to quantum attacks. Thus, the RLWE-based component schemes described in FIGS. 5A-5B improve the long-term security of SCMS.
[0077] FIG. 6 provides an example table that compares the ECC-based (pre-quantum) and the lattice-based (post-quantum) variants of the explicit butterfly protocol, according to some embodiments described herein. Here, the notation below denotes the random sampling of a value u from
Figure imgf000023_0008
the 0-centered discrete Gaussian distribution on ℤ with standard deviation σ. Additionally, the notation
Figure imgf000023_0009
denotes the pseudo-random sampling of a value u from the 0-centered discrete
Figure imgf000023_0010
Gaussian distribution onℤ
Figure imgf000023_0007
with standard deviation σ, taking seed as the seed of the pseudo-random sampler.
[0078] Specifically, in the lattice-based post-quantum variant of the explicit butterfly protocol 602, the vehicle 102a starts by generating a caterpillar private/public key pair. In this case, however, the private caterpillar key has two components, the short ring elements s and e, which are obtained by random sampling from the zero-centered discrete Gaussian distribution with standard deviation σ. The corresponding public caterpillar key is then computed as S = s·G + e, which is a ring element following the LWE distribution and, thus, is
indistinguishable from random. This public caterpillar key S is then sent to the RA 108 along with two suitable pseudo-random functions f(i) and g(i) that deterministically emulate sampling from ?? ? with i as seed.
[0079] The RA 108 then uses the public caterpillar key S as well as the pseudo-random
Figure imgf000023_0012
outputs of the pseudo-random functions f(i) and g(i), for generating b cocoon public keys
Figure imgf000023_0011
Then, the RA 108 shuffles keys from different vehicles (as
Figure imgf000023_0002
described in FIG.2) and sends the batch of cocoon keys to the PCA 105.
Figure imgf000023_0013
[0080] After receiving a cocoon key, the PCA 105 computes the vehicle's public butterfly key as
Figure imgf000023_0003
In this process, the randomization factors are
Figure imgf000023_0001
Figure imgf000023_0004
generated to prevent the RA 108 from learning the vehicle's actual butterfly key. Instead of a single random factor r_i sampled from ℤ as used in the existing explicit protocol 601, the
Figure imgf000023_0005
factors are obtained by pseudo-random sampling from the zero-centered discrete Gaussian
Figure imgf000023_0006
distribution with standard deviation σ, meaning that these factors can be recovered by the requesting vehicle as long as it is provided with the seed i of the pseudo-random source.
[0081] The corresponding pseudonym certificate is then created by the PCA 105. Namely, the PCA 105 signs the vehicle's public butterfly key U_i, along with any required metadata (meta), using the qTESLA signature scheme described in FIG. 5A and the PCA's own private key u. The set (seed_i, meta, sig_i) is then encrypted using the cocoon key, so that only the vehicle that sent the
Figure imgf000024_0009
request is able to decrypt the resulting package pkg. The encrypted package pkg is then sent to the RA 108, which forwards it to the vehicle 102a.
[0082] Finally, the vehicle 102a decrypts the RA’s response using the private key
Figure imgf000024_0008
thus recovering the set (seed_i, meta, sig_i). Note that this set does not contain
Figure imgf000024_0003
the public key Ui itself, but just the (more compact) seed i that enables its computation.
Therefore, the vehicle 102a first computes the public key
Figure imgf000024_0004
. The vehicle 102a then checks the PCA’s signature sigi and, if the
Figure imgf000024_0002
verification is successful, sets its i-th pseudonym certificate to cert_i. The
Figure imgf000024_0007
qTESLA private signature key corresponding to U_i is thus (u_i, w_i), computed as follows. To ensure
Figure imgf000024_0010
Figure imgf000024_0005
that this private key (u_i, w_i) is correct, the vehicle 102a also verifies that
Figure imgf000024_0006
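The following Python program is an added example and not code from the patent or from LG. It carries the lattice-based explicit butterfly flow of paragraphs [0078]-[0082] through end to end over a toy RLWE ring: the vehicle's caterpillar key S = s·G + e, the RA's cocoon key S_i = S + f(i)·G + g(i), the PCA's butterfly key U_i = S_i + r_i·G + e_i with r_i and e_i derived from seed_i, the LPR encryption of FIG. 5B (with the message-carrying component truncated to l coefficients, as in [0075]) used to return seed_i under the cocoon key, and the vehicle's final check that U_i = u_i·G + w_i for its recovered private key (u_i, w_i). Everything concrete is an assumption: n = 256, q = 12289, σ = 3, a rounded-Gaussian sampler built on random.Random, and f, g realized as that sampler keyed by a secret shared between vehicle and RA. The qTESLA signature over U_i is omitted, and nothing here is constant-time or of cryptographic quality.

```python
# Added example, not the patent's or LG's code: lattice-based explicit butterfly
# key expansion ([0078]-[0082]) over a toy RLWE ring, with LPR (FIG. 5B) wrapping
# the seed.  Assumed: n = 256, q = 12289, sigma = 3, rounded-Gaussian sampler on
# random.Random, PRFs f/g keyed by a vehicle-RA shared secret.  Signature omitted.
import random

N_DIM, Q, SIGMA = 256, 12289, 3.0

def ring_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^n + 1): x^n wraps around as -1."""
    out = [0] * N_DIM
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            k = i + j
            if k < N_DIM:
                out[k] += ai * bj
            else:
                out[k - N_DIM] -= ai * bj
    return [c % Q for c in out]

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    return x - Q if x > Q // 2 else x

def gauss(rng):
    """Rounded zero-centred Gaussian with std. dev. sigma (stand-in for D_sigma)."""
    return [round(rng.gauss(0, SIGMA)) % Q for _ in range(N_DIM)]

def uniform(rng):
    return [rng.randrange(Q) for _ in range(N_DIM)]

def lwe_sample(s, e, G):
    """s*G + e: the key shape shared by the signature scheme and the KEM."""
    return ring_add(ring_mul(s, G), e)

def prf_sample(shared, tag, i):
    """f(i) / g(i): deterministic emulation of D_sigma sampling with i as seed."""
    return gauss(random.Random(f"{shared}|{tag}|{i}"))

def ra_cocoon(S, G, shared, i):
    """RA: cocoon key S_i = S + f(i)*G + g(i), itself an LWE sample."""
    f_i, g_i = prf_sample(shared, "f", i), prf_sample(shared, "g", i)
    return ring_add(lwe_sample(f_i, g_i, G), S)

def pca_butterfly(S_i, G, seed_i):
    """PCA: U_i = S_i + r_i*G + e_i with r_i, e_i pseudo-random from seed_i, so
    the vehicle can recompute U_i from the (more compact) seed alone."""
    rng = random.Random(f"pca|{seed_i}")
    r_i, e_i = gauss(rng), gauss(rng)
    return ring_add(lwe_sample(r_i, e_i, G), S_i), r_i, e_i

def lpr_encrypt(rng, G, B, bits):
    """FIG. 5B: c1 is a fresh LWE sample under nonce r; c2 carries the bits scaled
    by q/2 and is truncated to len(bits) coefficients ([0075])."""
    r, e1, e2 = gauss(rng), gauss(rng), gauss(rng)
    c1 = lwe_sample(r, e1, G)
    c2 = ring_add(ring_mul(B, r), e2)
    return c1, [(c2[j] + bits[j] * (Q // 2)) % Q for j in range(len(bits))]

def lpr_decrypt(s, c1, c2):
    """Only the s component is needed; the e component merely adds noise."""
    t = ring_mul(s, c1)
    return [int(abs(centered((c2[j] - t[j]) % Q)) > Q // 4) for j in range(len(c2))]

def butterfly_round(i=7, shared="vehicle-ra-secret", seed=1):
    """Constructed end-to-end run for one pseudonym index i.
    Returns (seed_i recovered correctly, U_i == u_i*G + w_i)."""
    rng = random.Random(seed)
    G = uniform(rng)                                   # shared public base
    s, e = gauss(rng), gauss(rng)                      # caterpillar private key
    S = lwe_sample(s, e, G)                            # caterpillar public key
    S_i = ra_cocoon(S, G, shared, i)                   # RA knows only S, f, g
    seed_i = rng.getrandbits(128)                      # PCA picks the seed
    U_i, _, _ = pca_butterfly(S_i, G, seed_i)
    bits = [(seed_i >> k) & 1 for k in range(128)]
    c1, c2 = lpr_encrypt(rng, G, S_i, bits)            # pkg under the cocoon key
    # vehicle side: cocoon private key s + f(i); e + g(i) is not needed to decrypt
    f_i, g_i = prf_sample(shared, "f", i), prf_sample(shared, "g", i)
    got = sum(b << k for k, b in enumerate(lpr_decrypt(ring_add(s, f_i), c1, c2)))
    U_back, r_i, e_i = pca_butterfly(S_i, G, got)      # recompute U_i from the seed
    u_i = ring_add(ring_add(s, f_i), r_i)              # butterfly private key,
    w_i = ring_add(ring_add(e, g_i), e_i)              # both short components
    return got == seed_i, U_back == U_i and lwe_sample(u_i, w_i, G) == U_i
```

The second check is the one [0082] prescribes; in a real deployment the vehicle would also reject (u_i, w_i) when the sampled components violate the qTESLA bounds, as [0083] discusses, since the PCA cannot check those bounds without knowing them.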
Blind Transference of LWE Samples
[0083] In some embodiments, the scheme requires the private key samples to
Figure imgf000024_0011
satisfy the stated bounds, meaning that these conditions must hold for u_i and w_i as well.
Figure imgf000024_0012
Figure imgf000024_0013
Yet, the PCA 105 cannot check this for the issued keys, since the PCA does not know u_i
Figure imgf000024_0001
or w_i. This will force the vehicle 102b to reject the received key if it fails the checks, as it might otherwise cause genuine signatures not to verify. Fortunately, it is possible to choose parameters such that the probability of key rejection is fairly low, so that instead of receiving a fixed number of keys from the PCA 105, the vehicle 102b obtains a variable number (albeit very close to the expected value). This also compensates for the possibility of decryption failure in the LPR scheme (which should be negligible, even though qTESLA parameters and keys must be used). In principle, this increases the chance of rejection during signing, since the probability of decryption failure grows in the opposite direction from the chance of key rejection.
[0084] To mitigate this issue, specially tailored parameters can be constructed that keep both key and signing rejection under control. Even the actual rate of plain signature restarts (an unavoidable but predicted and controlled phenomenon that is in the nature of most if not all LWE-based signatures) was observed to be very close to the typical qTESLA rate
Figure imgf000025_0015
(specifically, approximately 38.8% as compared to a design value of 40%).
[0085] In some embodiments, the blind transference of samples may be defined
Figure imgf000025_0014
through the following definitions:
Definition 1. A σ-sample is a ring element sampled from the (zero-centered) Gaussian distribution on ℛ with parameter
Figure imgf000025_0013
Let and be uniformly sampled from The (R)LWE assumption for a sample of form
Figure imgf000025_0016
Figure imgf000025_0012
(where s and e are "short" σ-samples) is that distinguishing such a sample from a uniformly random ring element is hard.
Figure imgf000025_0008
Definition 2. A ring element of the form shown, where s and e are σ-samples, will be called
Figure imgf000025_0011
σ-indistinguishable (from a uniform random sample) under the (R)LWE assumption.
Here it is assumed that the (R)LWE assumption holds at the desired security level for all distribution parameters in the indicated range. If so, then the vehicle's ring elements, of the form shown, for
Figure imgf000025_0009
Figure imgf000025_0010
Figure imgf000025_0017
σ-samples s and e, are σ-indistinguishable from the point of view of the RA 108, the PCA 105, and other vehicles. The RA's ring elements, of the form
Figure imgf000025_0001
simulating σ-sampling, are √2·σ-indistinguishable from the point of view of the PCA 105 and other vehicles (unless they too know f and g, which are supposed to be known only by the vehicle and the RA 108). This is because the RA 108 is essentially masking the σ-indistinguishable element S with another σ-indistinguishable element, yielding a ring element identical to that obtained from the ring elements
Figure imgf000025_0003
identical to √2·σ-samples by virtue of being the sum of two σ-samples each. The ring elements signed by the PCA 105, of the form
Figure imgf000025_0002
for σ-samples r_i and e_i, are
Figure imgf000025_0004
indistinguishable from the point of view of the RA 108 and other vehicles. This is because the PCA 105 is essentially masking the indistinguishable element with a
Figure imgf000025_0007
Figure imgf000025_0005
Figure imgf000025_0006
indistinguishable element, yielding a ring element identical to that obtained from the (vehicle's new secret) ring elements
Figure imgf000026_0017
which are themselves identical to ?
Figure imgf000026_0001
samples by virtue of being the sum of a √2·σ-sample and a σ-sample each.
Figure imgf000026_0020
Signature Scheme
[0086] In some embodiments, signing only requires the functions
Figure imgf000026_0002
and to
Figure imgf000026_0019
deterministically emulate sampling from
Figure imgf000026_0015
with ? as the seed. Accordingly, the PCA 105 must sample and Î from ?
Figure imgf000026_0024
? and encryption will impose additional constraints on these functions.
[0087] From the R assumption, is indistinguishable from uniformly
Figure imgf000026_0025
Figure imgf000026_0016
random for ? and ? sampled with distribution parameter ?, while the
Figure imgf000026_0003
are indistinguishable from uniformly random for ?
Figure imgf000026_0023
and
Figure imgf000026_0022
sampled with distribution parameter
Figure imgf000026_0004
Ö by virtue of these secret components being each the sum of 2 identically parametrized Gaussian variables, namely
Figure imgf000026_0007
and the
Figure imgf000026_0006
are indistinguishable from uniformly random for ?? and ?? sampled with distribution parameter
Figure imgf000026_0005
virtue of these secret components being each the sum of 3 such variables, namely and
Figure imgf000026_0018
The actual scheme parameters are to be chosen to remain secure at the
Figure imgf000026_0008
desired level or above for all of these distribution parameters. Furthermore, the parameters ensure that all signature operations are efficient with distribution parameter (and related
Figure imgf000026_0021
quantities, e.g., the qTESLA parameters and since the final certificate is equivalent to
Figure imgf000026_0027
Figure imgf000026_0028
keys prepared according to this setting.
[0088] Encryption requires functions to deterministically emulate sampling from with as the seed, until , that is, they are both invertible. Accordingly, the PCA 105 samples until . Like the secret ? component, the ̂ and components need not actually be computed, nor ∈? kept after the certificate generation. Here, set to bridge the qTESLA and LPR notations. From the RLWE assumption, is indistinguishable from uniformly random for ? (and ?) sampled with distribution parameter ?, while the ̅G are indistinguishable from uniformly random for (and ?) sampled with distribution parameter √ by virtue of these secret components being each the sum of 2 identically parametrized Gaussian variables, namely .
[0089] In some embodiments, encryption occurs in the scheme only under the key pair
(and implicitly ?̂?), so in principle the actual scheme parameters could be chosen under this premise, but the final signature key pair already forces a more stringent condition. If the final key pair is used not only for signatures but for encryption as well, then the parameters are usually double-checked (although the requirements for encryption tend to be less stringent than those for signatures, e.g. the distributions need not be as precise).
Bandwidth Requirements
[0090] In some embodiments, a public certificate ????? contains: a q public key of size . A general q signature would include a K-bit seed for the pseudo-random choice of the base ?, but this is omitted here since the same ? must be used systemwide to preserve the vehicle's anonymity. Metadata of unspecified size includes | . A signature ???? has a size of bits (more precisely, a hash value of size K bits and a ring element in ℛ with 0-centered coefficients not exceeding in absolute value). Hence the bandwidth requirement of the public certificate certi has a size of .
[0091] In some embodiments, an encrypted clipped certificate ??? contains a LPR capsule of bits (where ? is the encryption nonce and ? is the encapsulation of a ?-bit symmetric key), a seed of size bits for the blind LWE transfer, metadata of unspecified size , a signature ???? of size | bits, and a MAC tag ?? of size K bits as part of the authenticated symmetric encryption of the clipped certificate. Hence the encrypted clipped certificate has a size of | .
[0092] The embodiments described above illustrate but do not limit the invention. For example, the techniques described for vehicles can be used by other mobile systems, e.g. pedestrians' smart phones or other mobile systems equipped with computer and communication systems 150. The term "vehicle" is not limited to terrestrial vehicles, but includes aircraft, boats, space ships, and maybe other types of mobile objects. The vehicle techniques can also be used by non-mobile systems, e.g. they can be used on a computer system.
[0093] The invention is not limited to the embodiments described above. Other embodiments and variations are within the scope of the invention, as defined by the appended claims.

Claims

What is claimed is:
1. A method for providing digital certificates for use by devices in authentication operations, the method comprising:
receiving, by a first entity, a cocoon public key for generating a digital certificate, wherein the cocoon public key is generated by expanding a caterpillar public key with a random function and the first entity is uninformed of which device the caterpillar public key is originated from;
generating butterfly reconstruction credentials based on the cocoon public key and a random value;
generating a certificate based on the butterfly reconstruction credentials and metadata;
generating a hash value of both the certificate and a verification public key reserved for the first entity;
generating a signature based on the random value, the hash value and a verification private key associated with the verification public key;
encrypting the certificate and the signature using the cocoon public key; and
sending an encryption package from the encrypted certificate and signature to a second entity, wherein:
the second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
2. The method of claim 1, further comprising:
sampling the random value from a multi-dimensional space; and
generating the signature by adding the random value and a product of the hash value and the verification private key.
3. The method of claim 2, wherein the generating the signature further comprises using an isochronous table lookup to speed up signature generation based on a fixed factor of the verification private key.
4. The method of claim 3, further comprising:
performing an isochronous sequential search for a hex digit among 16 possibilities, and a modular addition into an accumulator.
5. A method for using digital certificates in authentication operations, the method comprising:
receiving, at a device and from a first entity, an encryption package forwarded by a second entity that is unable to decrypt the encryption package;
generating a private cocoon key for decrypting the encryption package based on a private key associated with the device and a random function;
decrypting the encryption package using the private cocoon key into a certificate and a signature;
generating a hash value of both the certificate and a verification public key reserved for the first entity;
generating a verification private key reserved for the device based on the private cocoon key and the signature;
generating a verification public key reserved for the device based on the verification public key reserved for the first entity, the hash value and butterfly reconstruction credentials; and
verifying that the generated verification public key reserved for the device and the generated verification private key satisfy a relationship.
6. The method of claim 5, further comprising:
in response to verifying that the generated verification public key reserved for the device and the generated verification private key reserved for the device satisfy a relationship, using the generated verification public key reserved for the device and the generated verification private key reserved for the device for signing a message to be sent to another device.
7. The method of claim 5, further comprising:
originating a request to generate the certificate at the first entity by:
randomly picking a private caterpillar key and generating a public caterpillar key according to the relationship, and
sending the public caterpillar key to the second entity.
8. The method of claim 7, wherein the first entity is not informed of which device the certificate is associated with, and wherein the certificate is to be transmitted to the device in the encryption package from which the certificate is recoverable.
9. The method of claim 5, wherein the verification public key reserved for the device involves a multiplication of the hash value and the verification public key reserved for the first entity.
10. The method of claim 9, wherein the multiplication is performed via precomputing possibilities of a product of the hash value and the verification public key reserved for the first entity into a fixed lookup table.
11. A computing device for providing digital certificates for use by devices in authentication operations, the computing device comprising:
a memory containing machine readable medium storing machine executable code;
one or more processors coupled to the memory and configured to execute the machine executable code to cause the one or more processors to:
receive, by a first entity, a cocoon public key for generating a digital certificate, wherein the cocoon public key is generated by expanding a caterpillar public key with a random function and the first entity is uninformed of which device the caterpillar public key is originated from;
generate butterfly reconstruction credentials based on the cocoon public key and a random value;
generate a certificate based on the butterfly reconstruction credentials and metadata;
generate a hash value of both the certificate and a verification public key reserved for the first entity;
generate a signature based on the random value, the hash value and a verification private key associated with the verification public key;
encrypt the certificate and the signature using the cocoon public key; and
send an encryption package from the encrypted certificate and signature to a second entity, wherein:
the second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
12. The computing device of claim 11, wherein the one or more processors are further configured to execute the machine executable code to cause the one or more processors to:
sample the random value from a multi-dimensional space; and
generate the signature by adding the random value and a product of the hash value and the verification private key.
13. The computing device of claim 12, wherein the one or more processors are further configured to execute the machine executable code to cause the one or more processors to generate the signature by using an isochronous table lookup to speed up signature generation based on a fixed factor of the verification private key.
14. The computing device of claim 13, wherein the one or more processors are further configured to execute the machine executable code to cause the one or more processors to perform an isochronous sequential search for a hex digit among 16 possibilities, and a modular addition into an accumulator.
15. A computing device for using digital certificates in authentication operations, the computing device comprising:
a memory containing machine readable medium storing machine executable code;
one or more processors coupled to the memory and configured to execute the machine executable code to cause the one or more processors to:
receive, at a device and from a first entity, an encryption package forwarded by a second entity that is unable to decrypt the encryption package;
generate a private cocoon key for decrypting the encryption package based on a private key associated with the device and a random function;
decrypt the encryption package using the private cocoon key into a certificate and a signature;
generate a hash value of both the certificate and a verification public key reserved for the first entity;
generate a verification private key reserved for the device based on the private cocoon key and the signature;
generate a verification public key reserved for the device based on the verification public key reserved for the first entity, the hash value and butterfly reconstruction credentials; and
verify that the generated verification public key reserved for the device and the generated verification private key satisfy a relationship.
16. The computing device of claim 15, wherein the one or more processors are further configured to execute the machine executable code to cause the one or more processors to:
in response to verifying that the generated verification public key reserved for the device and the generated verification private key reserved for the device satisfy a relationship, use the generated verification public key reserved for the device and the generated verification private key reserved for the device for signing a message to be sent to another device.
17. The computing device of claim 15, wherein the one or more processors are further configured to execute the machine executable code to cause the one or more processors to:
originate a request to generate the certificate at the first entity by:
randomly picking a private caterpillar key and generating a public caterpillar key according to the relationship, and
sending the public caterpillar key to the second entity.
18. The computing device of claim 17, wherein the first entity is not informed of which device the certificate is associated with, and wherein the certificate is to be transmitted to the device in the encryption package from which the certificate is recoverable.
19. The computing device of claim 15, wherein the verification public key reserved for the device involves a multiplication of the hash value and the verification public key reserved for the first entity.
20. The computing device of claim 19, wherein the multiplication is performed via precomputing possibilities of a product of the hash value and the verification public key reserved for the first entity into a fixed lookup table.
21. A method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to provide digital certificates for use by devices in authentication operations, the method comprising:
receiving, by a first entity, a cocoon public key for generating a digital certificate, wherein the cocoon public key is generated by expanding a caterpillar public key with a first random function and a second random function, and the first entity is uninformed of which device the caterpillar public key is originated from;
generating a verification public key reserved for the device based on the received cocoon public key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having a seed value;
generating a signature over the verification public key reserved for the device along with metadata, a verification public key reserved for the first entity and a private key pair reserved for the first entity;
encrypting a set of the seed value, the metadata and the signature into an encryption package; and
sending the encryption package to a second entity, wherein:
the second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
22. The method of claim 21, wherein the cocoon public key is generated by the second entity using ring elements based on the first random function and the second function simulating sampling from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value,
wherein the ring elements are indistinguishable by the first standard deviation value times a square root of two from a point of view of the first entity and other devices.
23. The method of claim 21, wherein the signature is generated by:
signing ring elements composed of the verification public key reserved for the device generated based on the first pseudo-random value and the second pseudo-random value,
wherein the ring elements are indistinguishable by the first standard deviation value times a square root of three from a point of view of the registration authority entity and other devices.
24. The method of claim 27, wherein the signature is recoverable from the encryption package along with the seed value at the device.
25. The method of claim 21, further comprising:
sampling a first random value and a second random value from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value;
sampling a third random value from the 0-centered discrete Gaussian distribution on a second multi-dimensional space with the first standard deviation value, wherein the second multi-dimensional space has a dimension corresponding to an encryption length;
encoding a message by truncating a size of the message to the encryption length; and
computing a cyphertext based at least in part on the first random value, the second random value, the third random value and the encoded message.
26. The method of claim 25, further comprising:
returning the cyphertext to the device, wherein the cyphertext is decrypted at the device based at least in part on a secret key.
27. A method for using a ring-learning-with-errors (RLWE) based post-quantum protocol to verify digital certificates for use by devices in authentication operations, the method comprising:
receiving, at a device and from a first entity, an encryption package forwarded by a second entity that is unable to decrypt the encryption package;
generating a private cocoon key pair for decrypting the encryption package based on a caterpillar private key pair associated with the device, a first random function and a second random function;
decrypting the encryption package using the private cocoon key pair into a set of a seed value, metadata and a signature;
generating a verification public key reserved for the device based on a public cocoon key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having the seed value;
generating a verification private key pair reserved for the device based on a private cocoon key pair, the first pseudo-random value and the second pseudo-random value; and
verifying that the generated verification public key reserved for the device and the generated verification private key pair satisfy a relationship.
28. The method of claim 27, further comprising:
in response to decrypting the encryption package using the private cocoon key pair into the set of the seed value, metadata and the signature, verifying the signature with public key data and the metadata; and
in response to successful verification of the signature, setting a certificate based on the verification public key reserved for the device, the metadata and the signature.
29. The method of claim 27, further comprising:
originating a request to generate the encryption package at the first entity by:
randomly picking a private caterpillar key pair from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value; and
generating a public caterpillar key according to the relationship.
30. The method of claim 29, wherein the public caterpillar key is originated at the device based on ring elements that are indistinguishable by the first standard deviation value from the point of view of the first entity or the second entity.
31. A computing device for using a ring-learning-with-errors (RLWE) based post-quantum protocol to provide digital certificates for use by devices in authentication operations, the computing device comprising:
a memory containing machine readable medium storing machine executable code;
one or more processors coupled to the memory and configured to execute the machine executable code to cause the one or more processors to:
receive, by a first entity, a cocoon public key for generating a digital certificate, wherein the cocoon public key is generated by expanding a caterpillar public key with a first random function and a second random function, and the first entity is uninformed of which device the caterpillar public key is originated from;
generate a verification public key reserved for the device based on the received cocoon public key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having a seed value;
generate a signature over the verification public key reserved for the device along with metadata, a verification public key reserved for the first entity and a private key pair reserved for the first entity;
encrypt a set of the seed value, the metadata and the signature into an encryption package; and
send the encryption package to a second entity, wherein:
the second entity is unable to decrypt the encryption package, and the encryption package is forwarded from the second entity to a requesting device.
32. The computing device of claim 31, wherein the cocoon public key is generated by the second entity using ring elements based on the first random function and the second function simulating sampling from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value,
wherein the ring elements are indistinguishable by the first standard deviation value times a square root of two from a point of view of the first entity and other devices.
33. The computing device of claim 31, wherein the signature is generated by:
signing ring elements composed of the verification public key reserved for the device generated based on the first pseudo-random value and the second pseudo-random value,
wherein the ring elements are indistinguishable by the first standard deviation value times a square root of three from a point of view of the registration authority entity and other devices.
34. The computing device of claim 33, wherein the signature is recoverable from the encryption package along with the seed value at the device.
35. The computing device of claim 21, wherein the one or more processors coupled to the memory are further configured to execute the machine executable code to cause the one or more processors to:
sample a first random value and a second random value from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value;
sample a third random value from the 0-centered discrete Gaussian distribution on a second multi-dimensional space with the first standard deviation value, wherein the second multi-dimensional space has a dimension corresponding to an encryption length;
encode a message by truncating a size of the message to the encryption length; and
compute a cyphertext based at least in part on the first random value, the second random value, the third random value and the encoded message.
36. The computing device of claim 35, wherein the one or more processors coupled to the memory are further configured to execute the machine executable code to cause the one or more processors to:
return the cyphertext to the device, wherein the cyphertext is decrypted at the device based at least in part on a secret key.
37. A computing device for using a ring-learning-with-errors (RLWE) based post-quantum protocol to verify digital certificates for use by devices in authentication operations, the computing device comprising:
a memory containing machine readable medium storing machine executable code;
one or more processors coupled to the memory and configured to execute the machine executable code to cause the one or more processors to:
receive, at a device and from a first entity, an encryption package forwarded by a second entity that is unable to decrypt the encryption package;
generate a private cocoon key pair for decrypting the encryption package based on a caterpillar private key pair associated with the device, a first random function and a second random function;
decrypt the encryption package using the private cocoon key pair into a set of a seed value, metadata and a signature;
generate a verification public key reserved for the device based on a public cocoon key, a first pseudo-random value and a second pseudo-random value sampled from a 0-centered discrete Gaussian distribution on a first multi-dimensional space with a first standard deviation value according to a pseudo-random sampler having the seed value;
generate a verification private key pair reserved for the device based on a private cocoon key pair, the first pseudo-random value and the second pseudo-random value; and
verify that the generated verification public key reserved for the device and the generated verification private key pair satisfy a relationship.
38. The computing device of claim 37, wherein the one or more processors coupled to the memory are further configured to execute the machine executable code to cause the one or more processors to:
in response to decrypting the encryption package using the private cocoon key pair into the set of the seed value, metadata and the signature, verify the signature with public key data and the metadata; and
in response to successful verification of the signature, set a certificate based on the verification public key reserved for the device, the metadata and the signature.
39. The computing device of claim 37, wherein the one or more processors coupled to the memory are further configured to execute the machine executable code to cause the one or more processors to:
originate a request to generate the encryption package at the first entity by:
randomly picking a private caterpillar key pair from the 0-centered discrete Gaussian distribution on the first multi-dimensional space with the first standard deviation value; and
generating a public caterpillar key according to the relationship.
40. The computing device of claim 39, wherein the public caterpillar key is originated at the device based on ring elements that are indistinguishable by the first standard deviation value from the point of view of the first entity or the second entity.
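Claims 1 through 10 above describe the elliptic-curve form of the scheme: the RA expands the caterpillar key into cocoon keys with a random function, the PCA adds its own random value to the cocoon public key to form the butterfly reconstruction credential, signs with "random value + hash * PCA private key" and encrypts the result under the cocoon public key, and the device derives its private key from the cocoon private key plus the signature and checks it against the reconstructed public key. The following is an added worked example of that flow; it is not code from the patent or from LG. It assumes the secp256k1 curve (the claims name none), models the claim 1 "random function" as HMAC-SHA256 over a per-request index, and models the encryption of the package as an ECIES-style construction with a hash-derived keystream and an HMAC tag; all function names are the example's own.

```python
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (assumed curve; the claims name none)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A, k = ec_add(A, A), k >> 1
    return R

def enc_point(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")

def f(seed, i):
    """The 'random function' of claim 1, modelled as HMAC-SHA256 over the index (assumption)."""
    return int.from_bytes(hmac.new(seed, i.to_bytes(4, "big"), "sha256").digest(), "big") % N

def H(V, meta, U):
    """Hash of the certificate (V, meta) together with the PCA's verification public key U."""
    return int.from_bytes(hashlib.sha256(enc_point(V) + meta + enc_point(U)).digest(), "big") % N

def _keystream(shared, length):
    blocks = [hashlib.sha256(shared + c.to_bytes(4, "big")).digest() for c in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def encrypt_to(pub, plaintext):
    """ECIES-style encryption under a public key: hash keystream plus HMAC tag (assumption)."""
    k = secrets.randbelow(N - 1) + 1
    shared = enc_point(ec_mul(k, pub))
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(shared, len(plaintext))))
    return ec_mul(k, G), ct, hmac.new(shared, ct, "sha256").digest()

def decrypt_with(priv, package):
    """Fails closed on a wrong key or a modified package: the tag is checked before use."""
    R, ct, tag = package
    shared = enc_point(ec_mul(priv, R))
    if not hmac.compare_digest(tag, hmac.new(shared, ct, "sha256").digest()):
        raise ValueError("package tampered or wrong cocoon key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(shared, len(ct))))

def pca_issue(cocoon_pub, meta, U, u):
    """First entity (PCA), claims 1-2: sees only a cocoon key, never the device identity."""
    r = secrets.randbelow(N - 1) + 1
    V = ec_add(cocoon_pub, ec_mul(r, G))   # butterfly reconstruction credential
    sig = (r + H(V, meta, U) * u) % N      # claim 2: random value + hash * PCA private key
    return encrypt_to(cocoon_pub, enc_point(V) + sig.to_bytes(32, "big") + meta)

def vehicle_finish(s, seed, i, package, U):
    """Device, claims 5 and 9: cocoon private key, decrypt, reconstruct, check the relationship."""
    s_hat = (s + f(seed, i)) % N
    pt = decrypt_with(s_hat, package)
    V = (int.from_bytes(pt[:32], "big"), int.from_bytes(pt[32:64], "big"))
    sig, meta = int.from_bytes(pt[64:96], "big"), pt[96:]
    priv = (s_hat + sig) % N                           # = s_hat + r + h*u
    pub = ec_add(V, ec_mul(H(V, meta, U), U))          # = S_hat + r*G + h*U
    if ec_mul(priv, G) != pub:                         # claim 5's final verification step
        raise ValueError("reconstructed key pair fails the relationship check")
    return priv, pub, (V, meta)

def run_protocol(meta=b"constructed metadata", i=7):
    """End-to-end flow with fresh keys; True when the device's reconstructed pair verifies."""
    u, s = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    U, S, seed = ec_mul(u, G), ec_mul(s, G), secrets.token_bytes(32)
    cocoon_pub = ec_add(S, ec_mul(f(seed, i), G))      # RA (second entity) expands S; it never sees s
    package = pca_issue(cocoon_pub, meta, U, u)        # RA forwards this; without s_hat it cannot decrypt
    priv, pub, _cert = vehicle_finish(s, seed, i, package, U)
    return ec_mul(priv, G) == pub
```

Two properties of the claims are visible in the code: the RA holds the expansion seed but not the caterpillar private key, so `decrypt_with(f(seed, i), package)` fails its tag check and the RA cannot read the certificate it forwards; and the device's final `ec_mul(priv, G) != pub` check rejects a package whose signature or credential was mangled, so a faulty or malicious issuer cannot hand the device a key pair it would later sign with but could never verify. The scalar multiplication here is a plain double-and-add loop; the isochronous lookup of claims 3, 4, 10 and 13 is the production alternative for code that must not leak the private key through timing.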
PCT/US2019/047547 2018-08-21 2019-08-21 Systems and methods for a butterfly key exchange program WO2020041499A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US16/634,874 US11165592B2 (en) 2018-08-21 2019-08-21 Systems and methods for a butterfly key exchange program
EP19852665.9A EP3841703A4 (en) 2018-08-21 2019-08-21 Systems and methods for a butterfly key exchange program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862720866P 2018-08-21 2018-08-21
US62/720,866 2018-08-21

Publications (1)

Publication Number Publication Date
WO2020041499A1 true WO2020041499A1 (en) 2020-02-27

Family

ID=69591149

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2019/047547 WO2020041499A1 (en) 2018-08-21 2019-08-21 Systems and methods for a butterfly key exchange program

Country Status (3)

Country Link
US (1) US11165592B2 (en)
EP (1) EP3841703A4 (en)
WO (1) WO2020041499A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12010247B2 (en) * 2019-05-14 2024-06-11 Volkswagen Aktiengesellschaft Implementation of a butterfly key expansion scheme
US20230146229A1 (en) * 2020-03-23 2023-05-11 Sony Group Corporation Entity, gateway device, information processing device, information processing system, and information processing method
SG10202003210TA (en) * 2020-04-07 2021-11-29 Panasonic Ip Corp America Communication apparatuses and communication methods for security in resource pool allocation
CN114938282B (en) * 2022-07-22 2022-12-30 中国科学技术大学 Threshold group signature method and device based on multidimensional quantum system and electronic equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170222990A1 (en) * 2016-01-28 2017-08-03 TrustPoint Innovation Technologies, Ltd. System and Method for Certificate Selection in Vehicle-to-Vehicle Applications to Enhance Privacy
WO2018026807A1 (en) * 2016-08-02 2018-02-08 Pcms Holdings, Inc. Managing automotive vehicle premium lane access
US20180176209A1 (en) * 2016-12-15 2018-06-21 At&T Mobility Ii Llc V2X Certificate Management

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7607009B2 (en) * 2003-02-10 2009-10-20 International Business Machines Corporation Method for distributing and authenticating public keys using time ordered exchanges
US7697693B1 (en) * 2004-03-09 2010-04-13 Bbn Technologies Corp. Quantum cryptography with multi-party randomness
CN101222772B (en) * 2008-01-23 2010-06-09 西安西电捷通无线网络通信有限公司 Wireless multi-hop network authentication access method based on ID
EP2506176A1 (en) * 2011-03-30 2012-10-03 Irdeto Corporate B.V. Establishing unique key during chip manufacturing
US10536279B2 (en) * 2017-10-22 2020-01-14 Lg Electronics, Inc. Cryptographic methods and systems for managing digital certificates
CN113940027B (en) * 2019-04-11 2023-07-21 Lg电子株式会社 System and method for accelerating credential provisioning
WO2020229895A2 (en) * 2019-04-11 2020-11-19 Lg Electronics, Inc. Systems and methods for countering co-existence attack
US12010247B2 (en) * 2019-05-14 2024-06-11 Volkswagen Aktiengesellschaft Implementation of a butterfly key expansion scheme

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Brecht, B.; Therriault, D.; Weimerskirch, A.; Whyte, W.; Kumar, V.; Hehn, T.; Goudy, R.: "A Security Credential Management System for V2X Communications", IEEE Transactions on Intelligent Transportation Systems, vol. 19, no. 12, 1 December 2018, pp. 3850-3871, XP011697243, ISSN 1524-9050, DOI 10.1109/TITS.2018.2797529 *
Kolleda, J.; Poling, T.; Fitzpatrick, D.; Andrews, S.; Marousek, J.; Frank, L.; Thornton, J.: "National Security Credential Management System (SCMS) Deployment Support", 12 March 2018, pp. 1-104, XP055687948, retrieved from the Internet <URL:https://rosap.ntl.bts.gov/view/dot/36395/dot_36395_DSl.pdf?> [retrieved on 2020-04-21] *
Simplicio Jr., M. A. et al.: "The Unified Butterfly Effect: Efficient Security Credential Management System for Vehicular Communications"
See also references of EP3841703A4

Cited By (5)

Publication number Priority date Publication date Assignee Title
CN111245619A (en) * 2020-03-27 2020-06-05 SAIC Motor Corporation Limited Key derivation method, device and system for the Internet of Vehicles, vehicle end and middle layer
CN113766452A (en) * 2021-06-29 2021-12-07 National Computer Network and Information Security Management Center V2X communication system, communication key distribution method and implicit authentication method
CN113766452B (en) * 2021-06-29 2023-10-27 National Computer Network and Information Security Management Center V2X communication system, communication key distribution method and implicit authentication method
CN113660093A (en) * 2021-07-30 2021-11-16 Matrix Time Digital Technology Co., Ltd. Quantum digital signature system and method based on sequential transmission of Gaussian signals
CN113660093B (en) * 2021-07-30 2023-08-25 Matrix Time Digital Technology Co., Ltd. Quantum digital signature system and method based on Gaussian signal sequence transmission

Also Published As

Publication number Publication date
US11165592B2 (en) 2021-11-02
EP3841703A1 (en) 2021-06-30
US20210211306A1 (en) 2021-07-08
EP3841703A4 (en) 2022-05-18

Legal Events

Code | Title | Description
121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 19852665; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
ENP | Entry into the national phase | Ref document number: 2019852665; Country of ref document: EP; Effective date: 2021-03-22