My group in Nijmegen, together with colleagues from TNO, have been working on efficient implementations of anonymous credentials on smart cards. Last year we managed to implement a simple authentication protocol (using self-blindable credentials) that executes a full protocol run in roughly 1.6 seconds on the card. We will present these results at the CARDIS 2010 conference at Passau, Germany, in a few weeks. But we have made some interesting progress the last month, that allows us to run the protocol in 0.6 seconds on the card instead.

Self blindable credentials were invented by Eric Verheul¹ in 2001. They can be constructed using elliptic curve cryptography, and use a so-called *pairing function* $latex e$ with the following property

$latex e(aP,bQ) = e(P,Q)^{ab},$

(where $latex P$ and $latex Q$ are points on the curve, and $latex a$ and $latex b$ are natural numbers). On elliptic curves, multiplication behaves a bit like exponentiation on groups of natural numbers. In particular, when $latex P$ is known and $latex aP$ given, $latex a$ is hard to compute.

Let card $latex i$ have a private $latex k_i$ and corresponding public key $latex K_i = k_i P$. Let the certification authority have private key $latex a$ and public key $latex A=aQ$. The signs the public key of the card using $latex a$. This yields a certificate $latex C_i=aK_i$.

The authentication protocol now runs as follows. First the card generates a random blinding factor $latex b$ and sends $latex b K_i, b C_i$ (ie the blinded public key and certificate) to the terminal. The terminal receives $latex K,C$ and verifies whether the first is certified by the second using the following test: $latex e(C,Q)=e(K,A)$. The terminal then generates a random nonce $latex n$ and requests a signature from the card. The card signs this with his blinded private key using $latex (r,s)=mbox{signECDSA}(n,b k_i)$. The terminal verifies whether $latex mbox{verifyECDSA}(r,s,K)$ holds using the blinded public key $latex K$ it received earlier.

The results cited above apply to such curves using 128 bit keys (and 128 bit blinding factors). The main slowdown in our first implementation stemmed from the fact that we had to implement big integer multiplication in Java to compute $latex b k_i$. We use JavaCards with a crypto co-processor (of course), but the co-processor can only be accessed through an API with very limited functionality. It supports the most common EC and RSA cryptographic operations, but not plain multiplication unfortunately.

But by rewriting the protocol, and cleverly abusing the API functions that *are* available, we are able to improve the speed of our implementation by a factor 3. In fact the following protocol does the trick.

The terminal first generates a random nonce $latex n$ and sends $latex nP$ it to the card. The card receives this nonce as $latex N$. Then the card generates a random blinding factor $latex b$ and sends $latex b K_i, b C_i, b k_i N$ (ie the blinded public key and certificate and the response to the challenge) to the terminal. The terminal receives $latex K,C, M$ and verifies whether the first is certified by the second using the following test: $latex e(C,Q)=e(K,A)$. The terminal then verifies whether the challenge is correctly answered by testing $latex M = n K$.

The trick we use is to use `genKeyPair()` to generate a random blinding factor $latex b$. If we seed this function with the point $latex n P$ it also returns (as the ‘public key’) the value $latex bnP$!

We are now working on implementing revocation of self-blindable credentials in an efficient manner. This is a bit tougher nut to crack than we initially thought….

¹ Verheul, E.: Self-blindable credential certificates from the Weil pairing. In: Boyd, C. (ed.) Advances in Cryptology – ASIACRYPT 2001. LNCS, vol. 2248, pp. 533-550. Springer (2001)