Nonlinearities in Elliptic Curve Authentication

Abstract

In order to construct the border solutions for nonsupersingular elliptic curve equations, some common used models need to be adapted from linear treated cases for use in particular nonlinear cases. There are some approaches that conclude with these solutions. Optimization in this area means finding the majority of points on the elliptic curve and minimizing the time to compute the solution in contrast with the necessary time to compute the inverse solution. We can compute the positive solution of PDE (partial differential equation) like oscillations of f(s)/s around the principal eigenvalue λ₁ of −Δ in $H_0^1(\mathrm{\Omega })$. Translating mathematics into cryptographic applications will be relevant in everyday life, wherein there are situations in which two parts that communicate need a third part to confirm this process. For example, if two persons want to agree on something they need an impartial person to confirm this agreement, like a notary. This third part does not influence in any way the communication process. It is just a witness to the agreement. We present a system where the communicating parties do not authenticate one another. Each party authenticates itself to a third part who also sends the keys for the encryption/decryption process. Another advantage of such a system is that if someone (sender) wants to transmit messages to more than one person (receivers), he needs only one authentication, unlike the classic systems where he would need to authenticate himself to each receiver. We propose an authentication method based on zero-knowledge and elliptic curves.

1. Introduction

The system we propose has three components: two parties that communicate and one party that authenticates them and provides the keys for the cryptosystem used. The most common authentication is based on passwords, which help to verify the identity of a user. This method is not secure enough because the passwords are generated from small dictionaries or they are chosen directly by the users who usually make poor selections. In addition, users frequently forget passwords. In such cases, an authentication system needs two authentication modes. The first mode is the primary one, and the second is the emergency one (it is used only when the primary is not available). The most popular emergency mode used on the Internet when a password is forgotten is the e-mail. The password or the instructions to reset it are sent by e-mail. The first password authentication protocol used on a network proven secure was presented by Halevi and Krawczyk [1]. Their protocol prevents leakage of information and the server’s private key can be verified by the user. If the server’s key cannot be verified it is recommended to use strong password authentication protocols. Such protocols were proposed by Bellovin and Merritt [2,3], Jablon [4] and Wu [5], among others.

We propose a zero-knowledge authentication using elliptic curves. A zero-knowledge proof is a proof of some statement that reveals nothing else but the veracity of the statement. In order to give a formal definition for a zero-knowledge proof, we will first define the interactive proof system.

Definition 1

An interactive proof system for a set A is a process between a verifier which executes a probabilistic polynomial-time strategy and a prover, which executes a computationally unbounded strategy satisfying:

• Completeness: For any a ∈ A, the verifier always accepts the common input a (after interacting with the prover).
• Soundness: For some polynomial p, for any x ∉ A and any potential strategy S, the verifier rejects the common input a with a probability of at least $\frac{1}{p(\mid a\mid )}$ (after interacting with S).

Therefore, a proof is complete if an honest verifier is always convinced of the veracity of a statement from an honest prover, and it is sound if a cheating prover can convince an honest verifier with a very small probability that a false statement is true.

Definition 2

A strategy S is zero-knowledge on the set A if for any feasible strategy B exists a feasible computation C so that the following are computationally indistinguishable:

• the output of B after interacting with S on common input a ∈ A
• the output of C on input a ∈ A

From this definition, any information obtained by interacting with S on some input a, can also be obtained from a without interacting with S [6]. In our method, the verifier knows the right answer before communicating with the prover. Therefore, he cannot possibly obtain any new information. This method is called “no-leak” authentication. A formal definition can be obtained from the zero-knowledge definition given above by eliminating “probabilistic polynomial time”. This means that whatever the verifier can compute after communicating with the prover, he could already compute before the communicating process. Like the verifier, a passive adversary cannot obtain new information from the prover.

2. State of Art

2.1. Mathematical Preliminaries

To understand the foundation of the cryptosystem functionality, we have to understand how the secret can be hidden and how it can be revealed ([7] and [8]). This is pure mathematics, and is based on some function operation intractability.

Definition 3

The Waierstrass mathematical model is the basement:

$$E:y^2+a_{1}xy+a_{3}y=x^3+a_2{x}^2+a_{4}x+a_6$$

(1)

where a_i ∈ K and K represents the field over which the curve is defined. From this point we have the discriminant:

$$\mathrm{\Delta }=d_2^2{d}_8-8d_4^3-27d_6^2+9d_2{d}_4{d}_6$$

with:

$$\begin{array}{l}{d}_2=a_1+4a_2\\ d_4=2a_4+a_1{a}_3\\ d_6=a_3^2+4a_6\\ d_8=a_1^2{a}_6+4a_2{a}_6-a_1{a}_3{a}_4+a_2{a}_3^2-a_4^2\end{array}$$

and Δ ≠ 0.

If we have K = F_p where p > 3 is a prime, Equation (1) can be simplified to:

$$E:y^2=x^3+ax+b$$

and the discriminant: Δ = −16(4a³ + 27b²). In case of K = F_2^m we have:

$$E:y^2=x^3+ax+b$$

and the discriminant: Δ = b. If the curve E is defined over a prime field F_p and we have a point P(x, y) ∈ E then the inverse of it will be −P(x,−y). If we want to compute R(x₃, y₃) = P + Q where P(x₁, y₁) ∈ E and Q(x₂, y₂) ∈ E we have:

$$\begin{array}{c}{x}_3={\lambda }^2-x_1-x_2\\ y_3=\lambda (x_1-x_3)-y_1\end{array}$$

where λ is given by:

$$\lambda =\frac{y_1-y_2}{x_1-x_2}$$

For doubling a point 2P(x₃, y₃) we use the formulas:

$$\begin{array}{c}{x}_3={\lambda }^2-2x_1\\ y_3=\lambda (x_1-x_3)-y_1\end{array}$$

where λ is given by:

$$\lambda =\frac{3x_1^2+a}{2y_1}$$

For the affine coordinates we replace x with x/z and y with y/z, where z ≠ 0 obtaining the equation:

$$y^{2}z=x^3+ax{z}^2+b{z}^3$$

To compute P(x₁, y₁, z₁) + Q(x₂, y₂, z₂) = R(x₃, y₃, z₃) we have:

• ${\lambda }_1=x_1{z}_2^2$
• ${\lambda }_2=x_2{z}_1^2$
• λ₃ = λ₁ − λ₂
• ${\lambda }_4=y_1{z}_2^3$
• ${\lambda }_5=y_2{z}_1^3$
• λ₆ = λ₄ − λ₅
• λ₇ = λ₁ + λ₂
• λ₈ = λ₄ + λ₅
• z₃ = z₁z₂λ₃
• $x_3={\lambda }_6^2-{\lambda }_7{\lambda }_3^2$
• ${\lambda }_9={\lambda }_7{\lambda }_3^2-2x_3$
• $y_3=({\lambda }_9{\lambda }_6-{\lambda }_8{\lambda }_3^3)/2$

For doubling a point 2P(x₃, y₃, z₃) we use:

• ${\lambda }_1=3x_1^2+a{z}_1^4$
• z₃ = 2y₁z₁
• ${\lambda }_2=4x_1{y}_1^2$
• $x_3={\lambda }_1^2-2{\lambda }_2$
• $y_3={\lambda }_1({\lambda }_2-x_3)-8y_1^4$

If the curve E is defined over a binary field F_2^m for a point P(x, y) the inverse will be −P(x, x + y). Addition and doubling are defined in the same way as on the prime curves.

To obtain the projective coordinates we proceed as above. The inverse of a point P(x, y, z) is −P(x, x + y, z). To compute P + Q = R we have:

• ${\lambda }_1=x_1{z}_2^2$
• ${\lambda }_2=x_2{z}_1^2$
• λ₃ = λ₁ + λ₂
• ${\lambda }_4=y_1{z}_2^3$
• ${\lambda }_5=y_2{z}_1^3$
• λ₆ = λ₄ + λ₅
• λ₇ = z₁λ₃
• λ₈ = λ₆x₂ + λ₇y₂
• z₃ = z₂λ₇
• λ₉ = λ₆ + z₃
• $x_3=a{z}_3^2+{\lambda }_6{\lambda }_9+{\lambda }_3^2$
• $y_3={\lambda }_9{x}_3+{\lambda }_8{\lambda }_7^2$

And for doubling a point 2P we have:

• $z_3=x_1{z}_1^2$
• $x_3=x_1^4+b{z}_1^8$
• $\lambda =z_3+x_1^2+y_1{z}_1$
• $y_3=x_1^4{z}_3+\lambda x_3$

2.1.1. Frontier Points on Elliptic Curves

According with [9], from all points which define an elliptic curve, only a part can be used on applications (cryptography), we can found the special points with properties in this way, called frontier points:

(1)

|E(F_p)| = c · l where l > 2¹⁶⁰ a prime and c a positive integer. |E(F_p)| denotes the cardinal of the set of points on E over F_p.

(2)

l ≠ p.

(3)

the order of the prime p in the multiplicative group $F_l^{\times }$ of F_l is at least ⌈2000/log₂ p⌉.

These three conditions provide a high level of security. There were developed as algorithms for resolving discrete logarithms with running time equal with the square root of the largest prime factor of the group order [10]. These algorithms cannot be applied to a cryprosystem, which respects the first condition. [11] describes the anomalous curve attack. This attack consists in resolving the elliptic curve discrete logarithm problem for curves with the group order equal to the order of the finite field. The method uses Hensel’s lemma and has low complexity. The second condition presented above makes this kind of attack impossible. In [12] the authors presented an attack which reduces the discrete logarithm problem in E(F_p) to one in a finite extension field F_p. The third condition depends on the assumption that the DLP in a finite field which has a cardinal 2000-bit long is intractable.

The efficiency of an elliptic curve cryptosystem is based on the arithmetic in F_p. So the efficiency is directly proportional with p. This means that |E(F_p)| must be as small as possible. From the first condition we have |E(F_p)| = c · l where l > 2¹⁶⁰. So the efficiency depends on the co-factor c. The first condition becomes:

• |E(F_p)| = c · l where l > 2¹⁶⁰ a prime and c ≤ 4 a positive integer. |E(F_p)| denotes the cardinal of the set of points on E over F_p.

2.1.2. Nonliniarities on Elliptic Curves

For every elliptic curve cryptosystem we have to declare the domain parameters. We will work with a nonsupersingular elliptic curve E defined over a prime field. The domain parameters will be (F, p, a_E, b_E, G, n, h) where F_p is the prime field, a_E, b_E define the curve E: y² = x³ + a_Ex + b_E, G ∈ E is a point of order n (this means that n is the smallest positive number for which nG = O), h = |E(F_p)|/n is the co-factor. To meet the above conditions it is recommended for |E(F_p)| to be prime or |E(F_p)| = h · n where n is a large prime and h ∈ {1, 2, 3, 4} [13].

As is described in [14], starting from an oscillation θ(t)\t around the principal eigenvalue λ₁ of −Δ in $H_0^1(\mathrm{\Omega })$ in one dimensional case will generate infinitely many solutions if θ(t) > 0 in ℝ and

$$\underset{t\to \infty }{\text{lim}}in\hspace{0.17em}f\frac{2\psi (t)}{t^2}<{\lambda }_1<\underset{t\to +\infty }{\text{lim}}sup\frac{2\psi (t)}{t^2},$$

where $\psi (t)={\int }_0^t\theta (\xi )d\xi$.

These conditions, as is proved in [15] can not be replaced by:

$$\underset{t\to +\infty }{\text{lim}}in\hspace{0.17em}f\frac{\theta (t)}{t}<{\lambda }_1<\underset{t\to +\infty }{\text{lim}}sup\frac{\theta (t)}{t}$$

nor by

$$\underset{t\to +\infty }{\text{lim}}in\hspace{0.17em}f\frac{\theta (t)}{t}=0\hspace{0.17em}\text{and}\underset{t\to +\infty }{\text{lim}}sup\frac{\theta (t)}{t}=+\infty$$

The results of these conclude in [16]

$$\{\begin{array}{ll}-\mathrm{\Delta }u=\theta (x,u)\hfill & \text{in\hspace{0.17em}}\mathrm{\Omega }\hfill \\ u=0\hfill & \text{on\hspace{0.17em}}\partial \mathrm{\Omega },\hfill \end{array}$$

where θ:Ω̄: ℝ → ℝ is a continuous function. In [14] it is stated

$$\psi (x,t)={\int }_0^x\theta (x,\xi )d\xi$$

and it is defined the functional $\mathrm{\Phi }:H_0^1(\mathrm{\Omega })\cap L^{\infty }(\mathrm{\Omega })\to ℝ$ with $\mathrm{\Phi }(u)=\frac{1}{2}{\int }_{\mathrm{\Omega }}{\mid \mathrm{\Lambda }u\mid }^{2}dx-{\int }_{\mathrm{\Omega }}\psi (x,u)dx$ as generator of infinitely solutions. From these, the space of chosen criteria for cryptographic points is big enough such that can be considered as space of strong points in cryptography.

2.1.3. Counting the Elliptic Curve’s Frontier Points

To know the amount of points belonging to the elliptic curve we have to compute |E(F_p)|. In 1985 [17] Schoof presented an algorithm for counting the points on an elliptic curve over a large field F_p. Schoof’s algorithm had a polynomial running time and used Hasse’s theorem on elliptic curves.

Theorem 1

Hasse’s Theorem If E is an elliptic curve over the finite field F_p then:

$$\mid p+1-\mid E(F_p)\mid \mid \le 2\sqrt{p}$$

If we define t = p + 1 − |E(F_p)| we have to compute t mod N where $N>4\sqrt{p}$. Schoof’s algorithm computes this using small primes l_i where Πl_i = N. After computing t mod l_i we can find t using the Chinese Remainder Theorem. Knowing t we can then compute |E(F_p)| = p+1−t. To compute t mod l Schoof used the Frobenius endomorphism φ and division polynomials.

Theorem 2

Frobenius endomorphism The Frobenius endomorphism φ satisfies the following:

$${\phi }^2-t\phi +p=0\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }where\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }t=p+1+\mid E(F_p)\mid$$

According to the Theorem 2 we have the equation:

$${\phi }^{2}P+p_{l}P=t_l\phi P\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }where\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }P(x,y)\in E(F_p)$$

Here p_l = p mod l and t_l = t mod l. If we restrict to nontrivial l-torsion points (a tortion subgroup consists of all the elements of an abelian group that have finite order) we obtain:

$$(x^{p^2},y^{p^2})+\overline{p}(x,y)=\overline{t}(x^p,y^p)$$

(2)

where x̄ is an unique integer such that x = x̄ mod l. The above equation is valid because in a l-tortion subgroup the scalar multiplication has the property pG = p̄G. Starting from Equation (2) and applying division polynomials, Schoof’s algorithm computes the value of |E(F_p)|. The reader can study the algorithm and its improvements made over time in [18].

Another algorithm based on Hasse’s theorem was developed by D.Shanks [19]. The algorithm is named Baby Steps-Giant Steps and computes a number $m\in (p+1-2\sqrt{p},p+1+2\sqrt{p})$ such that mG = O where G is a random point from the curve E: y² = x³ + ax + b. The algorithm is described below:

(1)

Compute $s\approx \sqrt[4]{p}$

(2)

Compute G, 2G. . . sG

(3)

Compute Q = (2s + 1)P and R = (p + 1)P

(4)

Compute R, R ± Q, R ± 2Q, . . . R ± tQ where $t=\left[\frac{2\sqrt{p}}{2s+1}\right]$

The first three steps are known as baby steps while computing R, R±Q. . . , R±tQ is the giant step. From Hasse’s theorem we know that R + iQ i = 0,±1,±2, . . . ,±t is equal with one from the points computed in second step. For this i we have:

$$R+iQ=jG\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }\mathrm{\hspace{0.17em} }j\in \{0,\pm 1,\pm 2,\dots ,\pm t\}$$

The number m will be m = p + 1 + (2s + 1)i − j which represents the cardinal of the elliptic curve points set. Variations, improvements and enhancements on this algorithm can be studied in [20]. A very important zero-knowledge protocol, which represents the basis for the most popular zero-knowledge protocols, is the Fiat-Shamir Identification Protocol. Important protocols derived from it are Feige-Fiat-Shamir [21] and Guillou-Quisquater. We chose it because it is the simplest protocol which illustrates the most important properties of the modern sophisticated schemes. This protocol is used in cryptography for authenticating a certain person. Suppose Alice has a secret Se known only by her. She will prove her identity to Bob by proving that she possesses Se, of course, without revealing the secret. Because the secret is not revealed to the verifier, no adversary can find it from the prover response. A trusted part is needed for this protocol which generates two secret prime numbers p and q, and computes the public value n = pq. The steps that follow this operation are repeated t times, each time using independent random numbers. If the verifier has repeated the steps t times then he accepts.

The algorithm is described below (see Algorithm 1) and the repeating steps begin with the fifth one. The first two steps are executed by the third trusted part, while the steps three and four are executed by the prover only one time each. The number t is chosen by the verifier, if the verifier is easy to convince, t can be smaller. A detailed explanation on this algorithm can be found in [22].

Algorithm 1. Fiat-Shamir Identification Protocol.

1:	p and q are generated
2:	n = pq is made public
3:	the prover selects Se co-prime to n such that 1 ≤ Se ≤ n − 1
4:	the prover computes v = Se2 mod n which is his public key
5:	the prover chooses r such that 1 ≤ r ≤ n − 1
6:	the prover computes x = r2 mod n and sends it to the verifier
7:	the verifier chooses a bit e ∈ {0, 1} and sends it to the prover
8:	if e=0 then
9:	the prover computes y = r
10:	else
11:	the prover computes y = rs mod n
12:	end if
13:	the prover sends y to the verifier
14:	the verifier rejects if y = 0 or y2 ≠ x * ve (mod n)

Algorithm 1. Fiat-Shamir Identification Protocol.

1:	p and q are generated
2:	n = pq is made public
3:	the prover selects Se co-prime to n such that 1 ≤ Se ≤ n − 1
4:	the prover computes v = Se2 mod n which is his public key
5:	the prover chooses r such that 1 ≤ r ≤ n − 1
6:	the prover computes x = r2 mod n and sends it to the verifier
7:	the verifier chooses a bit e ∈ {0, 1} and sends it to the prover
8:	if e=0 then
9:	the prover computes y = r
10:	else
11:	the prover computes y = rs mod n
12:	end if
13:	the prover sends y to the verifier
14:	the verifier rejects if y = 0 or y2 ≠ x * ve (mod n)

For example p = 5 and q = 11 then n = 55 is made public. Suppose Alice (prover) chooses her secret Se = 14 and computes v = 14² mod 55 = 31. Bob is an easy to convince verifier and chose t = 2.

(1)

Alice chose r = 9

(2)

Alice sends x = 9² mod 55 = 26 to Bob

(3)

Bob sends e = 0 to Alice

(4)

Alice sends y = r = 9 to Bob

(5)

Bob verifies y ≠ 0 and 9² mod 55 = (26 * 31⁰) mod 55 ⇔ 19 = 19

(6)

Alice chose r = 15

(7)

Alice sends x = 15² mod 55 = 5 to Bob

(8)

Bob sends e = 1 to Alice

(9)

Alice sends y = rs mod 55 = 45 to Bob

(10)

Bob verifies y ≠ 0 and 45² mod 55 = (5 * 31¹) mod 55 ⇔ 45 = 45

The completeness of this protocol is provided by the fact that the prover possessing the secret Se can also compute y = r or y = rs and send it to the verifier. Therefore, an honest verifier will always complete all t iterations and accept with the probability 1. To demonstrate the soundness we suppose the prover does not possess the secret Se. Therefore, on a given round he cannot compute y = r or y = rs. Thus, the probability of rejection will be $\frac{1}{2}$ in each round. The zero-knowledge is provided by the fact that the only values made public in one round are x and y. A (x, y) pair can be simulated by choosing a random y and then computing x = y² or $x=\frac{y^2}{v}$. We can observe that such pairs are computationally indistinguishable from the ones computed in the protocol.

A “no-leak” zero-knowledge authentication was presented in [23]. Alice’s (the prover) private key consists of:

(1)

a subset S₀ ⊂ S where S is an universal set

(2)

an efficient test to verify if an element from S does not belong to S₀

(3)

a method for distinguishing the subset S₀ to some $S_0^{\prime }$

while the public key is the pair of sets $S_0^{\prime }$, S₁ such that $S_0^{\prime }\cap S_1=O$. The algorithm has three steps:

Algorithm 2. No-leak Authentication Protocol.

1:	Bob sends ( $x_1^{\prime },x_2^{\prime },\dots x_{2m}^{\prime }$) to Alice, where $x_i^{\prime }\forall i$ is a random element from $S_0^{\prime }$ or S1, and exactly m elements belong to $S_0^{\prime }$ and m to S1.
2:	Alice uses her private test to check whether for element xi corresponding to $x_i^{\prime }$ does not belong to S0, xi ∉ S0. If the test fails, she supposes that xi ∈ S0 which means that $x_i^{\prime }\in S_0^{\prime }$. She counts how many xi ∉ S0. If the number she obtains is not exactly m then the authentication failed. If she obtains m, she sends to Bob a string with “0” in places corresponding to $x_i^{\prime }\in S_0^{\prime }$ and 1 for $x_i^{\prime }\notin S_0^{\prime }$.
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

Algorithm 2. No-leak Authentication Protocol.

1:	Bob sends ( $x_1^{\prime },x_2^{\prime },\dots x_{2m}^{\prime }$) to Alice, where $x_i^{\prime }\forall i$ is a random element from $S_0^{\prime }$ or S1, and exactly m elements belong to $S_0^{\prime }$ and m to S1.
2:	Alice uses her private test to check whether for element xi corresponding to $x_i^{\prime }$ does not belong to S0, xi ∉ S0. If the test fails, she supposes that xi ∈ S0 which means that $x_i^{\prime }\in S_0^{\prime }$. She counts how many xi ∉ S0. If the number she obtains is not exactly m then the authentication failed. If she obtains m, she sends to Bob a string with “0” in places corresponding to $x_i^{\prime }\in S_0^{\prime }$ and 1 for $x_i^{\prime }\notin S_0^{\prime }$.
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

To prevent guessing the answer these three steps can be repeated a number of times like in the Fiat-Shamir scheme. The author emphasized that if m = 20 then the probability of guessing the answer in a round of three steps is less than $\frac{1}{{10}^6}$.

The authors also presented two particularized methods: a subset sum and polynomials. We will describe only the one based on polynomial equations. In this case Alice’s private key is:

(1)

a polynomial h(x₁, x₂, . . . , x_k) over Z

(2)

a large prime p

(3)

a constant c ∈ Z

while the public key consists of:

(1)

a polynomial f(x₁, x₂, . . . , x_k) = (h(x₁, x₂, . . . , x_k))² − c(mod p)

(2)

a random polynomial g(x₁, x₂, . . . , x_k) over Z which has the same monomials as f and the coefficients with the same magnitude as the ones of f.

We observe that for any (x₁, x₂, . . . , x_k) ∈ Z exists a v ∈ Z such that f(x₁, x₂, . . . , x_k) + c = u²(mod p). The following algorithm describes the steps for a single element:

Algorithm 3. No-leak Polynomial Authentication Protocol.

1:	Bob chose random integers (x1, x2, . . . xk) and plugs them with the same probability into either f or g. Bob sends the result, noted b(x1, x2, . . . xk) to Alice.
2:	Alice computes a = b(x1, x2, . . . xk) + c(mod p). She verifies if a is a square modulo p. If not she sends “1” to Bob because b(x1, x2, . . . xk) ≠ f(x1, x2, . . . xk). If it is a square she sends “0” assuming that b(x1, x2, . . . xk) = f(x1, x2, . . . xk).
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

Algorithm 3. No-leak Polynomial Authentication Protocol.

1:	Bob chose random integers (x1, x2, . . . xk) and plugs them with the same probability into either f or g. Bob sends the result, noted b(x1, x2, . . . xk) to Alice.
2:	Alice computes a = b(x1, x2, . . . xk) + c(mod p). She verifies if a is a square modulo p. If not she sends “1” to Bob because b(x1, x2, . . . xk) ≠ f(x1, x2, . . . xk). If it is a square she sends “0” assuming that b(x1, x2, . . . xk) = f(x1, x2, . . . xk).
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

For this particular method the authors also present some suggestions for the parameters and the keys:

(1)

3 ≤ k ≤ 5

(2)

p = 2^t where t is a security parameter

(3)

2 ≤ degree(h) ≤ 3

(4)

the magnitude of f’s coefficients at least p/2

(5)

the integers x₁, x₂, . . . , x_k are generated uniformly randomly from the interval [1, 2^t/k]

3. Our Method

We propose a zero-knowledge authentication based on elliptic curves and on the algorithms described in the previous section. For the use of elliptic curves we have to declare the domain parameters. For a nonsupersingular elliptic curve E defined over a prime field the domain parameters will be (F, p, a_E, b_E, G, n, h) where F_p is the prime field, a_E, b_E define the curve E: y² = x³ + a_Ex + b_E, G ∈ E is a point of order n (this means that n is the smallest positive number for which nG = O), h = |E(F_p)|/n is the co-factor. To meet the above conditions it is recommended for |E(F_p)| to be prime or |E(F_p)| = h · n where n is a large prime and h ∈ {1, 2, 3, 4} [13]. Not all these parameters are used in a zero-knowledge authentication but they are all used in an elliptic curve cryptosystem. Therefore, defining these parameters provides one less step in the encryption/decryption process which the two communicating parties will use after authentication.

The generalized method uses an universal set S of elliptic curves’ points. S₀ represents the points from a specific elliptic curve E. $S_0^{\prime }$ are elements corresponding to the points from S₀, while S₁ is a set of points which do not belong to the elliptic curve E. The private key and the public one remain the same with the above specifications. The Algorithm 2 becomes:

Algorithm 4. No-leak Elliptic Curve Authentication Protocol.

1:	Bob sends ( $X_1^{\prime },X_2^{\prime },\dots X_{2m}^{\prime }$) to Alice, where $X_i^{\prime }\forall i$ is a random element from $S_0^{\prime }$ or S1, and exactly m elements belong to $S_0^{\prime }$ and m to S1.
2:	Alice uses her private test to check whether for point Xi corresponding to $X_i^{\prime }$ does not belong to S0, Xi ∉ S0. If the test fails, she supposes that Xi ∈ S0 which means that $X_i^{\prime }\in S_0^{\prime }$. She counts how many Xi ∉ S0. If the number she obtains is not exactly m then the authentication failed. If she obtains m, she sends to Bob a string with “0” in places corresponding to $X_i^{\prime }\in S_0^{\prime }$ and 1 for $X_i^{\prime }\notin S_0^{\prime }$.
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

Algorithm 4. No-leak Elliptic Curve Authentication Protocol.

1:	Bob sends ( $X_1^{\prime },X_2^{\prime },\dots X_{2m}^{\prime }$) to Alice, where $X_i^{\prime }\forall i$ is a random element from $S_0^{\prime }$ or S1, and exactly m elements belong to $S_0^{\prime }$ and m to S1.
2:	Alice uses her private test to check whether for point Xi corresponding to $X_i^{\prime }$ does not belong to S0, Xi ∉ S0. If the test fails, she supposes that Xi ∈ S0 which means that $X_i^{\prime }\in S_0^{\prime }$. She counts how many Xi ∉ S0. If the number she obtains is not exactly m then the authentication failed. If she obtains m, she sends to Bob a string with “0” in places corresponding to $X_i^{\prime }\in S_0^{\prime }$ and 1 for $X_i^{\prime }\notin S_0^{\prime }$.
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

This algorithm represents the generalized method for elliptic curves. We also present a particularized method which replaces the polynomials from the Algorithm 3 with elliptic curve points. Here Alice’s keys change:

• the private key contains:

  (1)

  a tuple (x₁P, x₂P, . . . x_kP) where P ∈ E and x_i are random scalars

  (2)

  a random point Q (replacing the constant c)

• the public key contains:

  (1)

  a tuple (x₁M, x₂M, . . . x_kM) = 2(x₁P, x₂P . . . x_kP) − Q where M ∈ E

  (2)

  a random tuple (x₁N, x₂N, . . . , x_kN) where N ∈ E

Using these keys the algorithm becomes:

Algorithm 5. No-leak Elliptic Curve Authentication Protocol.

1:	Bob chose random integers (x1, x2, . . . xk) and plugs them with the same probability into either (x1M, x2M, . . . xkM) or (x1N, x2N, . . . , xkN). Bob sends the result, noted (x1R, x2R, . . . xkR) to Alice.
2:	Alice computes A = (x1R, x2R, . . . xkR) + Q. She verifies if A is a doubled point. If not she sends “1” to Bob because (x1R, x2R, . . . xkR) ≠ (x1M, x2M, . . . xkM). If it is a doubled point she sends “0” assuming that (x1R, x2R, . . . xkR) = (x1M, x2M, . . . xkM).
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

Algorithm 5. No-leak Elliptic Curve Authentication Protocol.

1:	Bob chose random integers (x1, x2, . . . xk) and plugs them with the same probability into either (x1M, x2M, . . . xkM) or (x1N, x2N, . . . , xkN). Bob sends the result, noted (x1R, x2R, . . . xkR) to Alice.
2:	Alice computes A = (x1R, x2R, . . . xkR) + Q. She verifies if A is a doubled point. If not she sends “1” to Bob because (x1R, x2R, . . . xkR) ≠ (x1M, x2M, . . . xkM). If it is a doubled point she sends “0” assuming that (x1R, x2R, . . . xkR) = (x1M, x2M, . . . xkM).
3:	Bob compares Alice’s result with the right value. If they are equal he accepts the authentication.

The scalar multiplication for elliptic curve points can be done with various methods. To improve the efficiency of such an algorithm, we have to improve the scalar multiplication which represents the most complex operation applied to an elliptic curve point. One of the most popular methods for scalar multiplication was introduced by P. Montgomery in [24]. The main idea is to generate q such that c+qp is a multiple of r. The values c, p and r are given, r being a power of 2. Another performance scalar multiplication method for prime fields was presented in [25] and uses the Frobenius endomorphism. Clavier and Jove presented in [26] a new idea to ease the computation of kP. They propose to define k as k₁ + k₂ where k₁ = k − r and k₂ = r, r being a random integer. Therefore, kP becomes k₁P + k₂P. This idea is very usefully because the values of k₁P and k₂P can be computed simultaneously. This can be applied to almost all the algorithms for computing scalar multiplication. An improvement to this idea was given by Ciet in [27].

4. Conclusions

Our communication system is made up of two parts: the authentication and the process of communication itself. The communication part implies a cryptosystem for encrypting and decrypting the messages. These two parts can contain only classical methods, elliptic curve methods or a combination of the two. Using the same type of methods for both parts is more efficient mainly because some of the generated values of the authentication are also used in the second part. On the other hand, using different kind of methods implies generating different values for each part. The optimal situation occurs when there is no need to generate additional values in the second part. For the second part, the elliptic curve methods have proved to be the most adequate for encrypting and decrypting messages because they need shorter keys in order to provide the same performance and security level than the classical ones. For the authentication we recommend our method because it is less complicated and it needs less resources than using a classical method for the first part and an elliptic curve one for the second. The authentication process is accomplished by using a third trusted part. This third part has a very important double role: it is an impartial witness to the communication and it also provides the authentication and the keys needed in the second part for the cryptosystem used. All in all, authentication is the first step to an efficient and secure communication system, which can be accomplished by using our elliptic curve method.