Evaluating Pairing-Free Identity-Based Identification Using Curve25519

Jason Chia (1,2, corresponding author), Ji-Jian Chin (1,2), and Sook-Chin Yip (1)

1 Faculty of Engineering, Multimedia University Cyberjaya, 63100 Selangor, Malaysia
chia_jason96@live.com, {jjchin,scyip}@mmu.edu.my
2 MIMOS Berhad, Technology Park Malaysia, 57000 Kuala Lumpur, Malaysia
Abstract. Identification schemes are cryptographic primitives that enable strong authentication for access control mechanisms that are critical to the security of computerized systems. To mitigate the problem of cryptosystems growing large, where certificate management becomes a major and costly issue in traditional identification schemes, identity-based identification (IBI) was proposed to eliminate the need for a signature on public keys by using a publicly verifiable ID string as the user's public key. The Schnorr signature scheme is a popular choice as a building block for several IBI schemes such as Twin-Schnorr, Tight-Schnorr, and Schnorr-IBI. In this work, we present an alternative implementation of the various Schnorr IBI schemes using finite field arithmetic on Curve25519, an elliptic curve implementation known for high speed and high security. The experimental evidence suggests that the re-implemented IBI schemes outperform the existing works, with a large improvement in speed for all the algorithms. Specifically, there is a 1.48x speedup, corresponding to a reduction of 32.79% in identification runtime. For storage efficiency, the re-implemented IBI schemes achieve a 91% reduction in master public-key size, an 83% reduction in user secret-key size on pre-computation setups, and an 84% reduction in bandwidth measured per identification session. These improvements are largely due to the use of elliptic curve cryptography (ECC) and a high-speed Curve25519 implementation.
Keywords: Access control · Applied cryptography · Curve25519 · Elliptic curve cryptography · Identity-based identification
1 Introduction
An identity-based identification (IBI) scheme allows users who hold a secret key corresponding to their publicly known identity to prove their identity to a verifier by acquiring corroborative evidence through an interactive protocol [21].
Supported by the Ministry of Education of Malaysia through the Fundamental Research Grant Scheme under Grant FRGS/1/2019/ICT04/MMU/02/5 and in part by Multimedia University's Research Management Fund.
© Springer Nature Singapore Pte Ltd. 2021
M. Anbar et al. (Eds.): ACeS 2020, CCIS 1347, pp. 179–193, 2021.
https://doi.org/10.1007/978-981-33-6835-4_12
Identity-based schemes have the advantage that the user's identity is the public key, thereby removing the need for certificates, which require a signature from a trusted third party [25]. Figure 1 shows an overview of IBI systems. Thus, identity-based schemes are quite attractive in scenarios where establishing a public key infrastructure (PKI) is difficult or constrained, such as a disaster environment or a wireless sensor network (WSN). However, recent advances in PKI technology [12,15] indicate that one can efficiently deploy PKI in such scenarios with elliptic curve cryptography (ECC). As sensor networks have evolved to become a more relevant aspect of the Internet of Things (IoT) [17], security for these networks must be taken into consideration, as security is one of the greatest challenges for IoT sensors and devices [6,7,16,26].
[Fig. 1 (diagram): participants are the Key Generation Center (KGC), Users, Authentication Servers and System Resources. Setup phase: 0. KGC generates the master public key and private key; 1. obtain the master public key; 2. the user provides its public ID; 3. the KGC generates the user key after verification. Normal phase: 4. the user authenticates to the authentication server using its public ID and user key; 5. access to system resources is granted on accept.]
Fig. 1. System architecture of an identity-based identification system. It allows secure identification of devices or users using publicly identifiable identities. This removes the need for certificate authorities and is a suitable alternative for increasingly digitized industry systems, data collection networks as well as smart cities.
1.1 Related Works
Although ECC is effective for usages such as generating and verifying digital signatures with EdDSA, which gives quick and secure 32-byte short signatures [2], and key exchange with X25519 based on the elliptic curve Diffie-Hellman algorithm [3], the existing ECC instantiations of IBI schemes [18,19] using the Boneh-Lynn-Shacham (BLS) signature scheme [5] require an expensive pairing operation during identification. In other words, the verifier requires much more processing capability. Although the non-pairing IBI schemes [9,10,27] that use the Schnorr signature scheme [23] are more efficient than their pairing counterparts, most of these schemes are implemented with big integer operations [29] and suffer from larger group and key sizes in comparison to the BLS-based schemes [8].
1.2 Our Contribution
We present an efficient ECC-based implementation of IBI schemes using finite field arithmetic on top of Curve25519. In contrast to the Schnorr-based IBI schemes originally implemented with Java BigInteger by Kam et al. [29], we implement and test all 20 algorithms from the following 5 schemes: Schnorr-IBI [18], Tight-Schnorr-IBI [27], Twin-Schnorr-IBI [10], Reset-Secure (RS) Schnorr-IBI and RS Twin-Schnorr-IBI [9]. Our implementation uses the popular libsodium library, designed and implemented¹ by Bernstein et al. [4], which aims to reduce implementation errors made by security developers. We chose libsodium for its speed and efficiency both on general-purpose CPUs and on embedded systems, with the authors reporting 1000 operations/second on an ARM Cortex A8 core while running public key cryptographic primitives.
Aside from improvements in speed, Curve25519 has a high embedding degree of 1075, so the finite field into which the curve would be mapped is absurdly large compared to the field over which the curve is defined. Therefore, it allows the use of smaller key sizes per the Menezes-Okamoto-Vanstone (MOV) reduction [20]. As a result, the key and group sizes may follow the security level designated by NIST [11] (i.e., 32 bytes for both key and group sizes). This causes a steep reduction in key sizes and bandwidth per identification session for our implementation compared to the existing Schnorr-IBI implementation. Our work also includes an evaluation of these key size reductions as well as of the runtime efficiency enhancements. Our source code can be readily found in the public repository https://github.com/toranova/libid2.
1.3 Preliminaries
The paper focuses on the implementation details with a brief introduction of some concepts. Throughout the paper, $\mathbb{Z}$ denotes the integers while $\mathbb{Z}/p\mathbb{Z}$, or in short $\mathbb{Z}_p$, denotes the integers modulo $p$. $\mathbb{F}_p$ is a finite field while $G$ denotes a discrete logarithm group. Similarly, for finite field arithmetic on ECC, small letters (i.e., $a, b, k$) indicate scalars while capital letters (i.e., $A, B, Q$) indicate points on the curve. If unspecified, $g$ and $B$ generally represent the group generator and the base point for finite field arithmetic over the integers and over ECC, respectively. Random sampling is written as $r \xleftarrow{\$} S$, where $S$ is a finite set such as $G$, $\mathbb{F}_{p,l}$ and $E(\mathbb{F}_p)$. An operation such as $Z = g^a y^b$ for finite field arithmetic over $\mathbb{F}_p$ is equivalently written as $Z = aB + bY$ for finite field arithmetic over $E(\mathbb{F}_p)$. For algorithms, $P$ and $V$ generally denote the prover and verifier, respectively.
¹ libsodium is a fork of NaCl. It is developed and maintained primarily by Frank Denis.
Elliptic Curve Cryptography (ECC). ECC is a form of PKC that is designed based on elliptic curves over finite fields. An elliptic curve $E(\mathbb{Z}/p\mathbb{Z})$ over the finite field $\mathbb{F}_p$ is defined as the set of points that satisfy Eq. 1:
$$E(\mathbb{F}_p) = \{(x, y) : x, y \in \mathbb{Z}/p\mathbb{Z},\ y^2 = x^3 + ax + b\}, \quad (1)$$
where $a$ and $b$ are constants satisfying $4a^3 + 27b^2 \neq 0$. All operations are performed modulo $p$, where $p$ is the order of the field $\mathbb{F}_p$.
Elliptic Curve Discrete Logarithm Problem (ECDLP). ECDLP is useful in cryptography because it is infeasible to compute the scalar of a multiplication with a base point, given the base point and the resulting point, even though point multiplication itself is easy to compute. ECDLP is stated in Definition 1:
Definition 1. Let $E$ be an elliptic curve over $\mathbb{Z}/p\mathbb{Z}$ and $B$ a point such that $B \in E(\mathbb{Z}/p\mathbb{Z})$. Given a multiple $Q$ of $B$, find the scalar $k \in \mathbb{Z}_p$ such that $Q = kB$. The advantage of an adversary $\mathcal{A}$ running in polynomial time $t$ in finding $k$ is then:
$$\mathrm{Adv}^{\mathrm{ECDLP}}_{E(\mathbb{F}_p)} := \Pr[\mathcal{A}(Q, B) = k] \quad (2)$$
$\mathcal{A}$ $(t, \mathrm{Adv}^{\mathrm{ECDLP}}_{E(\mathbb{F}_p)})$-solves ECDLP if the above probability is non-negligible.
Identity-Based Identification (IBI). Generally, an IBI scheme comprises 4 polynomial-time algorithms, namely Setup, Extract, Prove and Verify:
Setup: The key generation center (KGC) runs this algorithm to generate the parameters and set up the IBI scheme. The KGC inputs $1^k$ to Setup and obtains the params (mpk) and the master key (msk). mpk is known to the public while msk is kept secret.
Extract: This algorithm is run by the KGC to obtain a user secret key corresponding to a public identity string ID. Using msk, mpk and ID, the algorithm returns the user secret key usk.
Identification Protocol (Prove, Verify): Prover $P$ with (mpk, ID, usk) and Verifier $V$ with (mpk, ID) execute this interactive protocol so that $P$ is able to prove its possession of usk to $V$ without revealing it, thereby authenticating the identity of $P$. The protocol returns accept for any legitimate $P$ and reject otherwise.
IBI schemes are proved secure by showing that an impersonator that breaks the scheme can also be used to solve an underlying hard problem (e.g., the Discrete Logarithm Problem). Generally, there are 3 classes of attackers and an additional special class known as reset attackers, which are capable of performing reset attacks [1].
Passive Attacker (imp-pa): A passive attacker can eavesdrop on the conversation between provers and verifiers before attempting to impersonate.
Active Attacker (imp-aa): In addition to eavesdropping like a passive attacker, an active attacker can actively participate in conversations with honest verifiers to learn more information before the impersonation attempt.
Concurrent Attacker (imp-ca): A concurrent attacker has multiple instances of active attackers running in parallel.
Reset Attacker (imp-rs): A reset attacker is a subset of concurrent attackers which possesses the ability to reset the protocol to any state it wishes.
1.4 Curve25519 and Ristretto
Curve25519 is an elliptic curve designed and implemented by Bernstein et al. [3]. It is a Montgomery curve with the equation stated in (3) over $\mathbb{F}_p$ with $p = 2^{255} - 19$, which uses the base point $B$ with $x$-coordinate 9. The prime order $q$ of the curve's large subgroup is
$$q = 2^{252} + 27742317777372353535851937790883648493.$$
$$y^2 = x^3 + 486662x^2 + x \quad (3)$$
Curve25519 is often used to perform the elliptic curve Diffie-Hellman key exchange (ECDH). Thus, for a custom construction used for identity-based identification, the curve itself is not suitable, as its order is not the prime $q$ but rather a cofactor $h = 8$ multiplied with $q$. The order $hq$ cannot be used in the construction, as a prime-order group is required. However, the implementations that provide prime-order groups of order $q$ are either unsafe with variable-time addition or incomplete [14].
To ensure the construction of prime-order elliptic curve groups, Ristretto, a method extending Decaf point compression [13] for building such groups with a non-malleable encoding, is used. Ristretto supports curves with cofactor 8 (while Decaf supports curves with cofactor 4), which makes it an attractive choice for implementations that require a prime-order group, particularly with Curve25519. One library that supports Ristretto for finite field arithmetic over ECC is libsodium version 1.0.18 or greater.
1.5 Schnorr-IBI Schemes
A suite of Schnorr-based IBI schemes has been designed over the decades. The latest implementation of these schemes was done using Java BigInteger finite field arithmetic. Table 1 shows an overview of Schnorr-based IBI schemes along with their security. Since Schnorr-based IBI schemes use abstract hash functions, we could easily swap them out without much complication, as both the previous implementation and our re-implementation using libsodium use standard hash functions (i.e., SHA256, SHA512).
Table 1. Overview of Schnorr-based IBI schemes.
IBI scheme                    | Security            | Hard assumption
Schnorr-IBI [18]              | Concurrent attacker | DLP
Tight-Schnorr [27]            | Concurrent attacker | DDH
Twin-Schnorr [10]             | Concurrent attacker | DLP
Reset-secure Schnorr [9]      | Reset attacker      | OMDLP
Reset-secure Twin-Schnorr [9] | Reset attacker      | DLP
DLP - Discrete Logarithm Problem, DDH - Decisional Diffie-Hellman Problem, OMDLP - One-More Discrete Logarithm Problem.
2 Implementation
We re-implement the Schnorr-based IBI schemes shown in Table 1 using the C language. In this work, the Ristretto abstraction of Curve25519 available in libsodium is used. Since the Java implementation source is available, we show both the Java source and the abstract algorithms, and then discuss the operations of our implementation in detail. A straightforward example is the Setup algorithm for Schnorr-IBI by [18], shown in Algorithm 1. The source code for the implementation can be found in a public git repository [28].
Algorithm 1. Setup algorithm for Schnorr-IBI
1: procedure Setup(k)              ▷ Set up the system based on security parameter k
2:     x ←$ Z_q
3:     y_1 ← g^x
4:     mpk ← (g, y_1)
5:     msk ← x
6:     return mpk, msk             ▷ Return params and msk
7: end procedure
We perform the substitution using finite field arithmetic with Ristretto, as shown in our code in Fig. 2. Through substitution of function calls based on Tables 2 and 3, we successfully reproduce all the setup, extract, and identification algorithms of the 5 IBI schemes.
3 Results and Analysis
It is noticed from our experiments that our implementation of the Schnorr-IBI schemes using Ristretto on top of Curve25519 (referred to as Ristretto255) has several advantages. We perform timing comparisons with both codes running on the same machine. The implementation is run on an Intel(R) Core(TM) i7-8750H CPU with 6 cores running at 2.20 GHz under a 64-bit Linux OS. As Curve25519 supports only scalar sizes of 256 bits, which is equivalent to 3072-bit DLOG security, the original Schnorr-IBI implementation is executed at that security level.
[Fig. 2: source listing not recoverable from the extracted text.]
Fig. 2. One of the algorithms re-implemented using Ristretto255. (Buffers a and P1 contain the secret and public key, respectively. P1 is obtained by performing fixed-point multiplication with base = 9 on Ristretto255.)
3.1 Runtime Comparisons
To evaluate the performance of the re-implementation, a total of 40 algorithms (i.e., 20 on Java BigInteger and 20 on Ristretto255) are each run 100 times. The results are averaged and recorded. Then, the average runtimes of each algorithm are compared and presented in bar graphs as shown in Figs. 3, 4 and 5.
Figure 3 shows the comparison of the average setup runtimes. It is observed that our implementation is overwhelmingly better than the Java BigInteger implementation, as do-while blocks are not required to perform the key generation. There is a speed-up in using Ristretto255 because the checks to ensure primality are no longer necessary. The abstraction to obtain prime-order groups can be done in an ad-hoc fashion similar to the previous implementation of Schnorr-IBI schemes. Although these ad-hoc fixes may be sufficient, they might introduce design complications and result in potential vulnerabilities if they are not handled correctly. Another downside is that validation of groups or integers during generation must be performed by the programmer.
The validation process requires costly loops, as shown in the Java BigInteger implementation.
Table 2. Operation and function call substitution. st is a state variable for the SHA512 hash function; nx is a temporary scalar holding the negation of x; h512 is a temporary 64-byte buffer.

Sample a generator (Java BigInteger): g ←$ G ⊂ F_p
    do { p = BigInteger(rbit, 16, rand) } while p is not prime
    repeat for q
    G = p*q
    g = BigInteger.valueOf(2).modPow(G, p)
Sample a base point (libsodium Ristretto): B ←$ G ⊂ E(F_p)
    crypto_core_ristretto255_random(B);

Sample an integer (Java BigInteger): x ←$ Z_p (in F_p)
    do { x = BigInteger(rand.nextInt(rbit)+1, rand).mod(q) } while x.bitLength() < 100
Sample a scalar (libsodium Ristretto): x ←$ Z_p (in F_p)
    crypto_core_ristretto255_scalar_random(x);

Hashing SHA256 (Java BigInteger): α ← H(ID, A, X) ∈ F_p
    H.update(g.modPow(r, p).toByteArray())
    alpha = new BigInteger(1, H.digest(ID.getBytes("UTF8"))).mod(q)
Hashing SHA512 (libsodium Ristretto): α ← H(ID, A, X), reduced to a scalar
    crypto_hash_sha512_state st;
    crypto_hash_sha512_init(&st);
    crypto_hash_sha512_update(&st, ID, ilen);
    crypto_hash_sha512_update(&st, A, 32);
    crypto_hash_sha512_update(&st, X, 32);
    crypto_hash_sha512_final(&st, h512);
    /* reduce the 64-byte digest mod q; alpha is used as a scalar in Table 3 */
    crypto_core_ristretto255_scalar_reduce(alpha, h512);
Referring to Figs. 4 and 5, it is observed that the runtime of our implementation is generally shorter because the operations are performed on the well-optimized Curve25519 rather than with finite field arithmetic on big integers. The results are particularly interesting for identification, as those are the cornerstone algorithms of identification schemes and account for most of the algorithm runs throughout the deployment of an IBI scheme.
In terms of runtime comparison, our implementation with Ristretto255 has better runtime performance than the previous implementations with Java BigInteger. Particularly, the performance benefit factor, averaged over the 5 schemes as $\frac{1}{5}\sum (T_{\mathrm{BigInteger}}/T_{c25519})$, is a 73x speedup for setup, 3.47x for extract, and 1.48x for identification runtimes. Since the identification algorithm is the most used in any IBI scheme, as it is run for every identification attempt, our implementation has effectively reduced the runtime of the 5 Schnorr-based IBI schemes by 32.79%.
[Fig. 3 (bar graph): setup runtimes (N=100) for Schnorr, Tight-Schnorr, Twin-Schnorr, Reset-Secure and Reset-Secure Twin; y-axis execution time (ms), 0 to 8; series: Java BigInteger implementation (L=3072) and Ristretto255 (n=256).]
Fig. 3. Comparison of average setup runtimes
[Fig. 4 (bar graph): extract runtimes (N=100) for the same schemes and series; y-axis execution time (ms), 0 to 0.6.]
Fig. 4. Comparison of average extract runtimes
3.2 Key and Group Comparisons
In addition to the runtime performance benefits, our most important findings lie in the group size savings in both storage and bandwidth efficiency. Our calculations follow the 256-bit security level based on NIST [11]. Specifically, the group and integer sizes are 3072 bits and 256 bits, respectively, in DLOG. For ECC, however, the group and integer sizes are both 256 bits (i.e., a point in ECC is equivalent to a group element in DLOG). The elements sent and the key sizes required for each Schnorr-IBI scheme are summarized in Table 4. The size of the master secret key is negligible, as it is only kept by the KGC and should not be an issue since it is stored once and used only during extractions. However, the sizes of the master public key and user secret key are taken into consideration, as they are needed on the devices associated with the IBI scheme (client and verifier).
For user key sizes, there are virtually no savings as they are integers in both implementations. However, the system key and master public key are significantly reduced. As shown in Tables 5 and 6, the difference is remarkable due to the savings in group sizes. The results suggest that the storage and bandwidth requirements are reduced to a factor of 0.0834x and 0.1588x, respectively. The improvements correspond to a 91.66% and 84.12% reduction in mpk size and bandwidth requirements, respectively.
Table 3. Operation and function call substitution (contd.). t0, t1 are temporary points; p and q are primes where G = p*q.

Compute public key (Java BigInteger): X ← g^(−x)
    g = BigInteger.valueOf(2).modPow(G, p)
    X = g.modPow(x.negate(), p)
Compute public key (libsodium Ristretto): X ← (−x)B
    crypto_core_ristretto255_scalar_negate(nx, x);
    crypto_scalarmult_ristretto255(X, nx, B);

Compute usk (Java BigInteger): s ← r + αx ∈ F_p
    s = (r.add(alpha.multiply(x))).mod(q)
Compute usk (libsodium Ristretto): s ← r + αx ∈ F_p
    crypto_core_ristretto255_scalar_mul(t0, x, alpha);
    crypto_core_ristretto255_scalar_add(s, r, t0);

Multiplication (Java BigInteger): A ← g^s X^α ∈ F_p
    A = g.modPow(s, p).multiply(X.modPow(alpha, p)).mod(p)
Point-Addition (libsodium Ristretto): A ← sB + αX ∈ E(F_p)
    crypto_scalarmult_ristretto255(t0, alpha, X);
    crypto_scalarmult_ristretto255(t1, s, B);
    crypto_core_ristretto255_add(A, t0, t1);

Division (Java BigInteger): T ← A / X^α ∈ F_p
    T = A.multiply(X.modPow(alpha.negate(), p)).mod(p)
Point-Subtraction (libsodium Ristretto): T ← A − αX ∈ E(F_p)
    crypto_scalarmult_ristretto255(t0, alpha, X);
    crypto_core_ristretto255_sub(T, A, t0);
[Fig. 5 (bar graph): identification runtimes (N=100) for Schnorr, Tight-Schnorr, Twin-Schnorr, Reset-Secure and Reset-Secure Twin; y-axis execution time (ms), 0 to 0.6; series: Java BigInteger implementation (L=3072) and Ristretto255 (n=256).]
Fig. 5. Comparison of average identification runtimes
Table 4. Storage and bandwidth requirements for Schnorr-based IBI schemes.
IBI scheme                    | usk  | mpk | Total bandwidth
Schnorr-IBI [18]              | 2Z_p | 2G  | 2G + 2Z_p / session
Tight-Schnorr [27]            | 2Z_p | 4G  | 3G + 2Z_p / session
Twin-Schnorr [10]             | 3Z_p | 3G  | 2G + 3Z_p / session
Reset-Secure Schnorr [9]      | 2Z_p | 3G  | 3G + 3Z_p / session
Reset-Secure Twin-Schnorr [9] | 3Z_p | 4G  | 3G + 4Z_p / session
3.3 Pre-computations
The Schnorr-IBI schemes allow pre-computation of the commit message² to save the prover's resources. The prover stores the result of the fixed-point multiplied hash during user-key extraction, which in turn speeds up the computation of the commit messages. The difference when using pre-computation in a scheme is that the usk no longer contains the hash but the result of the fixed-point multiplied hash instead. For non-elliptic-curve implementations, storage space is sacrificed for speed, as storing a group element is more costly than storing the hash. However, for our implementation on Ristretto255, group elements (i.e., points) and hash values (i.e., scalars) are essentially equal in size (32 bytes). In other words, our implementation can perform pre-computations without increasing the storage requirements.
² See Chin et al. [10] and Chia and Chin [8] for more in-depth details about the pre-computation of commit messages.
Table 5. mpk key size comparisons.
IBI scheme                    | BigInteger (bits) | Ristretto255 (bits) | Difference Δ (bits)
Schnorr-IBI [18]              | 2*3,072           | 2*256               | 5,632
Tight-Schnorr [27]            | 4*3,072           | 4*256               | 11,264
Twin-Schnorr [10]             | 3*3,072           | 3*256               | 8,448
Reset-Secure Schnorr [9]      | 3*3,072           | 3*256               | 8,448
Reset-Secure Twin-Schnorr [9] | 4*3,072           | 4*256               | 11,264
Average                       | 9,831             | 820                 | 9,012
Table 6. Bandwidth requirement comparisons (expressed per session).
IBI scheme                    | BigInteger (bits) | Ristretto255 (bits) | Difference Δ (bits)
Schnorr-IBI [18]              | 2*3,072 + 2*256   | 2*256 + 2*256       | 5,632
Tight-Schnorr [27]            | 3*3,072 + 2*256   | 3*256 + 2*256       | 8,448
Twin-Schnorr [10]             | 2*3,072 + 3*256   | 2*256 + 3*256       | 5,632
Reset-Secure Schnorr [9]      | 3*3,072 + 3*256   | 3*256 + 3*256       | 8,448
Reset-Secure Twin-Schnorr [9] | 3*3,072 + 4*256   | 3*256 + 4*256       | 8,448
Average                       | 8,704             | 1,382               | 7,322
Table 7 shows the arithmetic components required when pre-computations are applied to the schemes. Meanwhile, Table 8 shows the differences in usk sizes between the two implementations of the five schemes. With pre-computation, the reduction is to approximately a factor of 0.1644x, which corresponds to an 83.56% decrease in usk size.
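As an added worked example (not code from the paper or from the libid2 repository), the following Python program runs the Schnorr-IBI scheme of Algorithm 1 and Tables 2 and 3 over the prime-order subgroup of Curve25519, including the pre-computed form of the usk described in this section. It uses the curve's birationally equivalent twisted Edwards form (edwards25519) with affine, variable-time arithmetic in pure Python so that it runs without libsodium. The point encoding, the hash-to-scalar step (SHA-512 reduced mod q, in the spirit of crypto_core_ristretto255_scalar_reduce on the 64-byte digest), the choice to store αX as the pre-computed value, and the message layout (A and Y from the prover, c from the verifier, z from the prover) are this example's assumptions, not statements from the paper. Unlike Ristretto, the toy encoding does nothing about cofactor components, so this is a model of the arithmetic in Table 3, not a substitute for the library.

```python
# Added example, not from the paper or the libid2 repository: Schnorr-IBI over the
# prime-order subgroup (order q) of Curve25519, using the equivalent twisted
# Edwards form edwards25519 in pure Python. Affine, variable-time arithmetic:
# a model of the operations in Tables 2 and 3, not a constant-time library.
import hashlib
import secrets

p = 2**255 - 19                                      # field prime (Section 1.4)
q = 2**252 + 27742317777372353535851937790883648493  # prime subgroup order
d = (-121665 * pow(121666, -1, p)) % p               # edwards25519 constant
IDENTITY = (0, 1)                                    # neutral element

def _recover_x(y):
    """Even x-coordinate for a given y (same square-root trick as RFC 8032)."""
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 else x

B = (_recover_x(4 * pow(5, -1, p) % p), 4 * pow(5, -1, p) % p)  # base point, y = 4/5

def point_add(P, Q):
    """Complete twisted Edwards addition (a = -1); also handles P == Q."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def point_neg(P):
    return ((-P[0]) % p, P[1])

def scalar_mult(k, P):
    """Double-and-add k*P with k taken mod q (the paper's Z_q scalar)."""
    R, k = IDENTITY, k % q
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R

def encode(P):
    """32-byte encoding (assumed here): little-endian y, parity of x in the top bit."""
    return (P[1] | ((P[0] & 1) << 255)).to_bytes(32, "little")

def hash_to_scalar(ID, A, X):
    """alpha <- H(ID, A, X): SHA-512 digest reduced mod q (cf. Table 2)."""
    h = hashlib.sha512(ID + encode(A) + encode(X)).digest()
    return int.from_bytes(h, "little") % q

def setup():
    """Algorithm 1 with Table 3's public key X <- (-x)B; returns (mpk, msk)."""
    x = secrets.randbelow(q - 1) + 1
    return (B, scalar_mult(-x % q, B)), x

def extract(mpk, msk, ID, precompute=False):
    """usk = (s, alpha), or (s, alpha*X) when the commit is pre-computed (Section 3.3)."""
    _, X = mpk
    r = secrets.randbelow(q - 1) + 1
    A = scalar_mult(r, B)
    alpha = hash_to_scalar(ID, A, X)
    s = (r + alpha * msk) % q                    # s <- r + alpha*x
    return (s, scalar_mult(alpha, X) if precompute else alpha)

def prove_commit(mpk, usk):
    """Prover's first message (A, Y) and its private state (s, y)."""
    _, X = mpk
    s, second = usk
    alpha_X = second if isinstance(second, tuple) else scalar_mult(second, X)
    A = point_add(scalar_mult(s, B), alpha_X)    # A <- sB + alpha*X (Table 3)
    y = secrets.randbelow(q - 1) + 1
    return (A, scalar_mult(y, B)), (s, y)

def prove_respond(state, c):
    s, y = state
    return (y + c * s) % q                       # z <- y + c*s

def verify(mpk, ID, first_msg, c, z):
    """Verifier's check: zB == Y + cT with T <- A - alpha*X (= sB)."""
    _, X = mpk
    A, Y = first_msg
    alpha = hash_to_scalar(ID, A, X)
    T = point_add(A, point_neg(scalar_mult(alpha, X)))
    return scalar_mult(z, B) == point_add(Y, scalar_mult(c, T))

def run_session(mpk, ID, usk):
    """One identification session: 2 points and 2 scalars cross the wire (Table 4)."""
    first_msg, state = prove_commit(mpk, usk)
    c = secrets.randbelow(q)                     # verifier's challenge
    z = prove_respond(state, c)
    return verify(mpk, ID, first_msg, c, z)

if __name__ == "__main__":
    mpk, msk = setup()
    usk = extract(mpk, msk, b"sensor-0042")      # constructed sample ID
    print("accept" if run_session(mpk, b"sensor-0042", usk) else "reject")
```

The usk is either (s, α) or, with pre-computation, (s, αX); both are 2 × 32 bytes in this encoding, which is the point of Section 3.3. A session with a different ID than the one the usk was extracted for makes the verifier derive a different α, so T no longer equals sB and the check fails.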
3.4 Use-Cases
In this section, we discuss the advantages of our implementation compared to alternative authentication techniques and describe the use-cases. As our implementation has shorter user keys, it is suitable for use in storage-constrained environments such as embedded systems. For instance, our library can be easily deployed on a popular IoT platform known as the Raspberry Pi (RPi) [22]. As the RPi typically comes with only 16 GB of on-board storage on an SD card, a smaller user key is useful in saving the limited space on the platform, in comparison to RSA keys, which are larger. The inexpensive computation required to perform identification on both prover and verifier also indicates that lightweight devices can easily use our implementation to function as either prover or verifier.
There is no need to validate any certificate, due to the ID-based nature, because the public key of the prover is their publicly known identity. For example, in the context of IoT, it could be their static IP address known to other nodes in the network, or a manufacturer-issued sensor ID. A notable candidate that could employ our implementation is the scheme proposed by Zhu et al. [24], substituting for their RSA-based signature verification during trust bootstrapping. This not only reduces the computational overhead when a node decides to join the network, because there is no need to validate the public key, but also saves storage space on the authenticating node. After all, it can authenticate itself with its identity instead of a much larger cryptographic public key.
Table 7. Storage requirements with pre-computation.
IBI scheme                    | usk (with pre-computation)
Schnorr-IBI [18]              | Z_p + G
Tight-Schnorr [27]            | Z_p + 2G
Twin-Schnorr [10]             | 2Z_p + G
Reset-Secure Schnorr [9]      | Z_p + G
Reset-Secure Twin-Schnorr [9] | 2Z_p + G
Tight-Schnorr uses two different bases, thus making it more costly to precompute the commit values, as the fixed-point multiplied hashes from different bases are stored.
Table 8. usk key size comparisons.
IBI scheme                    | BigInteger (bits) | Ristretto255 (bits) | Difference Δ (bits)
Schnorr-IBI [18]              | 256 + 3,072       | 256 + 256           | 2,816
Tight-Schnorr [27]            | 256 + 2*3,072     | 256 + 2*256         | 5,632
Twin-Schnorr [10]             | 2*256 + 3,072     | 2*256 + 256         | 2,816
Reset-Secure Schnorr [9]      | 256 + 3,072       | 256 + 256           | 2,816
Reset-Secure Twin-Schnorr [9] | 2*256 + 3,072     | 2*256 + 256         | 2,816
Average                       | 4,044             | 665                 | 3,379
4 Conclusion
In this work, we have re-implemented 20 algorithms from the 5 Schnorr-IBI schemes with a significantly more efficient implementation using Curve25519 on libsodium. Our implementation is not only superior through its speed improvement, but also allows more savings in storage and bandwidth. Our evaluation indicates approximately a 91% and 83% reduction in master public-key sizes and user secret-key sizes, respectively, as well as an 84% decrease in bandwidth measured per identification session. In terms of runtimes, our implementation is able to achieve a 1.48x speedup, corresponding to a 32.79% decrease in general runtimes.
Acknowledgments. The authors would like to acknowledge the support of the Ministry of Education of Malaysia through the Fundamental Research Grant Scheme under Grant FRGS/1/2019/ICT04/MMU/02/5, and in part by Multimedia University's Research Management Fund.
The second author is grateful for the Information Security Lab at MIMOS Berhad which hosted his industrial attachment, during which this paper was written.
References
1. Bellare, M., Fischlin, M., Goldwasser, S., Micali, S.: Identification protocols secure against reset attacks. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 495–511. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_30
2. Bernstein, D., Duif, N., Lange, T., Schwabe, P., Yang, B.Y.: High-speed high-security signatures. IACR Cryptol. ePrint Arch. 2011, 368 (2011)
3. Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). https://doi.org/10.1007/11745853_14
4. Bernstein, D.J., Lange, T., Schwabe, P.: The security impact of a new cryptographic library. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 159–176. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_9
5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004). https://doi.org/10.1007/s00145-004-0314-9
6. Boubiche, S., Boubiche, D.E., Bilami, A., Toral-Cruz, H.: Big data challenges and data aggregation strategies in wireless sensor networks. IEEE Access 6, 20558–20571 (2018). https://doi.org/10.1109/ACCESS.2018.2821445
7. Cerullo, G., Mazzeo, G., Papale, G., Ragucci, B., Sgaglione, L.: Chapter 4 - IoT and sensor networks security. In: Ficco, M., Palmieri, F. (eds.) Security and Resilience in Intelligent Data-Centric Systems and Communication Networks, pp. 77–101. Intelligent Data-Centric Systems, Academic Press (2018). https://doi.org/10.1016/B978-0-12-811373-8.00004-5
8. Chia, J., Chin, J.: An identity based-identification scheme with tight security against active and concurrent adversaries. IEEE Access, p. 1 (2020). https://doi.org/10.1109/ACCESS.2020.2983750
9. Chin, J.-J., Anada, H., Tan, S.-Y.: Reset-secure identity-based identification schemes without pairings. In: Au, M.-H., Miyaji, A. (eds.) ProvSec 2015. LNCS, vol. 9451, pp. 227–246. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26059-4_13
10. Chin, J.J., Tan, S.Y., Heng, S.H., Phan, R.: Twin-Schnorr: a security upgrade for the Schnorr identity-based identification scheme. Sci. World J. 2015, 237514 (2015). https://doi.org/10.1155/2015/237514
11. Elaine, B.: Recommendation for Key Management, Part 1: General. U.S. Department of Commerce, National Institute of Standards and Technology (2016)
12. Ellappan, M., Ajit, G.: Efficient public key infrastructure implementation in wireless sensor networks. In: Wireless Communication and Sensor Computing, 2010, ICWCSC 2010, pp. 1–6 (2010). https://doi.org/10.1109/ICWCSC.2010.5415904
13. Hamburg, M.: Decaf: Eliminating cofactors through point compression. Cryptology ePrint Archive, Report 2015/673 (2015). https://eprint.iacr.org/2015/673
14. Hamburg, M., de Valence, H., Lovecruft, I., Arcieri, T.: The Ristretto group (2018). https://ristretto.group/why_ristretto.html
15. Kim, D., An, S.: Efficient and scalable public key infrastructure for wireless sensor networks. In: The 2014 International Symposium on Networks, Computers and Communications, pp. 1–5 (2014). https://doi.org/10.1109/SNCC.2014.6866514
16. Kobo, H.I., Abu-Mahfouz, A.M., Hancke, G.P.: A survey on software-defined wireless sensor networks: challenges and design requirements. IEEE Access 5, 1872–1899 (2017). https://doi.org/10.1109/ACCESS.2017.2666200
17. Kocakulak, M., Butun, I.: An overview of wireless sensor networks towards internet of things. In: 2017 IEEE 7th Annual Computing and Communication Workshop and Conference (CCWC), pp. 1–6 (2017). https://doi.org/10.1109/CCWC.2017.7868374
18. Kurosawa, K., Heng, S.-H.: From digital signature to ID-based identification/signature. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 248–261. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24632-9_18
19. Kurosawa, K., Heng, S.-H.: Identity-based identification without random oracles. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganà, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 603–613. Springer, Heidelberg (2005). https://doi.org/10.1007/11424826_64
20. Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993). https://doi.org/10.1109/18.259647
21. Menezes, A., Oorschot, P.C.V., Vanstone, S.A.: Handbook of Applied Cryptography, 5th edn. CRC Press, Boca Raton (1996)
22. Petrov, N., Dobrilovic, D., Kavalić, M., Stanisavljev, S.: Examples of Raspberry Pi usage in internet of things. In: International Conference on Applied Internet and Information Technologies, pp. 112–119 (2016). https://doi.org/10.20544/AIIT2016.15
23. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725
24. Zhu, S., Xu, S., Setia, S., Jajodia, S.: Lhap: a lightweight hop-by-hop authentication
protocol for ad-hoc networks. In: 23rd International Conference on Distributed
Computing Systems Workshops, 2003. Proceedings, pp. 749–755 (2003)
25. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R.,
Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg
(1985). https://doi.org/10.1007/3-540-39568- 7 5
26. Sharma, S.: Issues and challenges in wireless sensor networks. In: 2013 International
Conference on Machine Intelligence and Research Advancement (ICMIRA) (2013).
https://doi.org/10.1109/ICMIRA.2013.18
27. Tan, S.-Y., Heng, S.-H., Phan, R.C.-W., Goi, B.-M.: A variant of Schnorr identity-
based identification scheme with tight reduction. In: Kim, T.H., et al. (eds.) FGIT
2011. LNCS, vol. 7105, pp. 361–370. Springer, Heidelberg (2011). https://doi.org/
10.1007/978-3-642-27142- 7 42
28. Toranova: libid2 (2020). https://github.com/toranova/libid2
29. Kam, Y.H.S., Chin, J.J., Tan, S.Y.: The schnorr-suite: simulation of pairing-free
identity-based identification schemes using java. In: 2015 3rd International Confer-
ence on Software Engineering, Knowledge Engineering and Information Engineer-
ing, pp. 13–18 (2015)