Cryptography Reference
In-Depth Information
given a fixed value of
s
z
, whatever the value
gsk
is equal to, there exists one
value
r
z
such that
s
z
=
r
z
+((
α
1
+
β
1
)
x
+
gsk
)
c
.Asaresult,aperfectsimula-
tion of
P
6
,c,s
z
can be realized as for the zero-knowledge property of Schnorr's
protocol (see [33]). Then, if
r
z
is uniformly chosen in
Z
p
, the group secret key
of the user is perfectly hidden in
s
z
.
Theoretically speaking, this protocol appears to be really ecient. However, in
order to demonstrate this eciency in practice, we describe in the next section
an implementation of this new cooperative protocol.
5
Implementation of Coop-XSGS in a RFID Tag
To assess the suitability of the cooperative XSGS protocol for small portable
devices, we have implemented it using a wireless sensor node for the prover
and a laptop for the powerful helping entity. Wireless sensor nodes are small au-
tonomous devices equipped with a small microcontroller and a transceiver. In this
work, we studied the performances of the protocol on two representative sensor
node platforms, the MICAz [12] equipped with an 8-bit 7.37MHz ATmega128L
microprocessor and the TelosB [13], based on the 16-bit 4MHz MSP430 proces-
sor. These devices are conceptually quite close to contactless smart cards. For
instance, the TI RF360 chip for contactless secure government electronic ID em-
beds the same MSP430 processor as the TelosB node [34]. Therefore, although
we consider an active device, the results of our implementation can easily be
extended to platforms such as contactless smart cards.
The protocol implemented follows the cooperative sign procedure described
in Figure 1. The most costly operation for the prover is the point multiplication
P
6
=
r
z
.
Rpk
1
. It can be computed prior to the interactions with the intermediary,
either during idle time (in case of an active device) or precomputed and preloaded
on the tag. The latter case corresponds to the
coupon
mode, as in [20], where
a
coupon
is a pair of (
r
z
,
r
z
.
Rpk
1
) loaded on the device. In the following, the
operation leading to
P
6
is denoted as the off-line phase, although it might still
be computed on-line in the case of a passive device avoiding coupons.
Concerning the pairing parameters, we chose an asymmetric pairing, as it
allows to use small-length inputs on the tag, reducing therefore the storage and
bandwidth costs. For the elliptic curves on which the pairing is applied, we
selected the so-called type D curves (following the classification of [25]), i.e., the
ordinary curves with embedding degree 3, 4 or 6 known as MNT curves [28]. This
type of curve ensures a small input length (around 170 bits for an embedding
degree 6) together with an ecient pairing computation [25].
The prover computations were coded in TinyOS [35] on both the MICAz
and TelosB sensors. For the point multiplication, we extended the TinyECC
library [24] to support the MNT curves. The parameters of the used curve were
taken from the PBC library [26] written by B. Lynn. They are labeled as the d159
parameters, where 159 is the size of the base field of the curve. Their security
level is equivalent to the hardness of the discrete log problem on 6
159 =
954 bits. Parameters for a higher security could be selected if required. On the
·
Search WWH ::
Custom Search