
Elliptic Curve Based Zero Knowledge Proofs and Their Applicability on Resource Constrained Devices (1107.1626v1)

Published 8 Jul 2011 in cs.CR

Abstract: Elliptic Curve Cryptography (ECC) is an attractive alternative to conventional public key cryptography, such as RSA. ECC is an ideal candidate for implementation on constrained devices where the major computational resources i.e. speed, memory are limited and low-power wireless communication protocols are employed. That is because it attains the same security levels with traditional cryptosystems using smaller parameter sizes. Moreover, in several application areas such as person identification and eVoting, it is frequently required of entities to prove knowledge of some fact without revealing this knowledge. Such proofs of knowledge are called Zero Knowledge Interactive Proofs (ZKIP) and involve interactions between two communicating parties, the Prover and the Verifier. In a ZKIP, the Prover demonstrates the possession of some information (e.g. authentication information) to the Verifier without disclosing it. In this paper, we focus on the application of ZKIP protocols on resource constrained devices. We study well-established ZKIP protocols based on the discrete logarithm problem and we transform them under the ECC setting. Then, we implement the proposed protocols on Wiselib, a generic and open source algorithmic library. Finally, we present a thorough evaluation of the protocols on two popular hardware platforms equipped with low end microcontrollers (Jennic JN5139, TI MSP430) and 802.15.4 RF transceivers, in terms of code size, execution time, message size and energy requirements. To the best of our knowledge, this is the first attempt of implementing and evaluating ZKIP protocols with emphasis on low-end devices. This work's results can be used by developers who wish to achieve certain levels of security and privacy in their applications.

Citations (53)

Summary

  • The paper adapts established zero knowledge proof protocols to ECC, reducing key size and computational overhead for low-power IoT devices.
  • It evaluates protocols like Schnorr's and coin flip-based methods on microcontroller platforms, showing significant improvements in execution time and energy efficiency.
  • The study illustrates ECC-based ZKPs’ practical applications in scenarios such as anonymous polling, digital ticketing, and smart city parking.

The paper "Elliptic Curve Based Zero Knowledge Proofs and Their Applicability on Resource Constrained Devices" (1107.1626) explores the implementation and evaluation of Zero Knowledge Interactive Proof (ZKIP) protocols on resource-constrained devices, such as those found in wireless sensor networks, RFID tags, and mobile devices within the Internet of Things. The core challenge addressed is providing security and privacy (proving knowledge without revealing the secret) while operating within severe limitations of computational power, memory, energy, and communication bandwidth inherent in these devices.

The authors propose adapting established ZKIP protocols based on the Discrete Logarithm Problem (DLP) to use Elliptic Curve Cryptography (ECC). This adaptation is critical because ECC offers the same security levels as traditional public-key cryptosystems like RSA but with significantly smaller key sizes. This translates directly into less computational effort, reduced memory footprint for keys and parameters, and smaller message sizes, all of which are advantageous for constrained devices.

The paper transforms and implements several specific ZKIP protocols under the ECC setting:

  1. Zero Knowledge Proof of Discrete Logarithm with Coin Flip: An interactive protocol where the prover proves knowledge of $x$ such that $B = x \cdot G$ (where $G, B$ are points on an elliptic curve and $x$ is a scalar) by responding to random challenges (simulated coin flips) from the verifier. This protocol requires multiple rounds for sufficient security.
  2. Schnorr's Protocol: An improved, more efficient interactive protocol for proving knowledge of a discrete logarithm. It uses a hash function ($c = HASH(G, B, A)$) to generate the verifier's challenge based on the prover's initial commitment ($A = r \cdot G$), reducing the interaction to a single round of challenge-response. The verifier checks $m \cdot G = A + c \cdot B$.
  3. Schnorr's Protocol to Digital Signature (Non-Interactive): Applies the Fiat-Shamir heuristic to Schnorr's protocol, removing interactivity. The prover calculates the challenge $c$ using a hash function over relevant protocol parameters and their commitment $A$. The prover sends a single message containing the commitment and the response ($s$). The verifier recalculates $c$ and verifies the relationship.
  4. Zero Knowledge Test of Discrete Logarithm Equality: A protocol where the prover proves that they know a single secret $x$ that is the discrete logarithm for two different public points $B = x \cdot G$ and $C = x \cdot H$, without revealing $x$. This can also be made non-interactive using the Fiat-Shamir heuristic.
  5. Zero Knowledge Proof of Single Bit: A protocol to prove knowledge of $x$ and $h$ such that $B = x \cdot G + h \cdot H$ where $h = \pm 1$, without revealing $x$ or the sign of $h$. It involves multiple commitments and a shuffled response based on the value of $h$.

For practical implementation, the authors used Wiselib, a generic and open-source algorithmic library designed for portability across different sensor network platforms and firmwares. This allows the ZKP code to be largely OS-independent and compiled for various hardware targets without significant code changes. The elliptic curve operations were ported from an existing optimized implementation.

The protocols were evaluated on two popular hardware platforms equipped with low-end microcontrollers and 802.15.4 RF transceivers:

  • Coalesenses iSense: Jennic JN5139 32-bit RISC (16MHz, 96KB RAM).
  • Crossbow TelosB: TI MSP430 16-bit (8MHz, 10KB RAM, 48KB Flash).

The evaluation considered code size, execution time, message size, and energy consumption.

Key findings from the evaluation:

  • Execution Time: ECC scalar multiplication (point multiplication) was the most time-consuming operation (e.g., 11.121 sec on JN5139, 58.02 sec on MSP430 for public key generation). Interactive protocols requiring many rounds, like the ZKP of DL with Coin Flip (requiring 100+ rounds for sufficient security), were prohibitively slow (2277 sec on iSense). Single-round protocols like Schnorr's were much faster (33.894 sec on iSense).
  • Energy Consumption: Scalar multiplication also dominated energy consumption. Similar to execution time, multi-round protocols consumed significantly more energy (tens of Joules) compared to single-round protocols (hundreds of milliJoules to a few Joules). The MSP430 was more energy-efficient per operation but took longer.
  • Code Size: The compiled code for each protocol was relatively small, fitting within the limited memory of the devices (approximately 7KB to 11KB, depending on the protocol and device).
  • Message Size: Due to ECC, most messages were small (typically < 85 bytes), fitting within a single 802.15.4 packet (max 128 bytes payload). Only the prover's message in the non-interactive Schnorr protocol exceeded this and had to be fragmented. This is a significant advantage over using cryptosystems requiring larger keys.

The paper illustrates the practical utility of these ECC-based ZKPs through application scenarios:

  • Course Polling at University: Students use devices to anonymously prove eligibility to vote on course feedback without revealing identity, using a Schnorr-like protocol.
  • Anonymous Travel Ticket plus Discount Benefits: Passengers use mobile phones with NFC to prove travel class and discount eligibility in duty-free shops using ZKPs (Schnorr's and ZKP of DL Equality) without revealing personal data from their ticket.
  • Parking in Smart Cities: Vehicles equipped with RFID tags use ZKP of Single Bit to prove they are valid citizens eligible to park in a specific neighborhood space (associated with one of two streets) without revealing which street or their specific identity/location.

The authors conclude that ECC-based ZKPs are feasible and practical for resource-constrained devices, offering a valuable tool for security and privacy in future Internet of Things applications. They highlight that the performance overhead, while significant compared to simpler cryptographic operations, is acceptable for enabling these privacy-preserving functionalities. Future work includes expanding the library to support more complex ZKPs needed for attribute-based credentials.