
Butterfly Key Expansion for Vehicle Security

Updated 7 March 2026
  • Butterfly Key Expansion is a cryptographic protocol that derives multiple unlinkable pseudonym keys from a base key to secure vehicle communications.
  • It leverages both ECC and RSA-based constructions along with AES-based key derivation functions to ensure privacy without exposing the original private key.
  • The protocol achieves dramatic performance improvements, particularly with the RSA approach, while meeting NIST SP 800-57 Rev 5 security criteria.

Butterfly key expansion (BKE) is a cryptographic protocol designed to enable the scalable derivation of multiple unlinkable pseudonymous key pairs (so-called "butterfly keys") from a single initial ("caterpillar") key pair in vehicle Security Credential Management Systems (SCMS). In the context of connected vehicle standards such as IEEE 1609.2.1, BKE enables efficient, privacy-enhancing, and secure issuance of short-lived certificates to on-board units (OBUs). The method ensures that infrastructure authorities involved in key expansion do not gain access to the underlying private keys, leveraging either elliptic-curve cryptography (ECC) or, in recent improvements, an efficient RSA-based construction. Both protocols achieve security parity as defined in NIST SP 800-57 Rev 5 across five levels (80–256 bits), with recent research demonstrating dramatic performance improvements via the RSA-based approach (Chen, 9 Jan 2025).

1. Foundations and Goals

The primary objective of BKE in the IEEE 1609.2.1 SCMS framework is to allow an end entity (EE)—typically a vehicle's OBU—to securely obtain multiple pseudonym certificate key pairs without revealing its base private key(s) to the registration authority (RA) or the authorization certificate authority (ACA). The method enables scalability in privacy-preserving authentication, facilitates the rapid issuance of certificates, and preserves unlinkability between derived keys.

The design goals specify that no party except the EE should learn the expanded private keys, and that the derived pseudonym keys (butterfly keys) should provide unlinkability guarantees. The original BKE’s security is based on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP), confidentiality of AES-based key derivation functions (KDFs), and the integrity of ECIES and ECDSA primitives. In the revised RSA-based approach, security rests on the hardness of integer factorization and RSA assumptions (Chen, 9 Jan 2025).

2. ECC-Based Standard BKE Protocol

The standard BKE method defined in IEEE 1609.2.1 is an ECC-centric nine-step protocol involving three actors: the End Entity (vehicle), Registration Authority, and Authorization Certificate Authority. Let $\mathbb{G}$ represent the elliptic curve group of prime order $n$ with generator $G$. The protocol workflow is as follows:

  1. Key Generation: EE generates two AES keys ($ck$, $ek$) and two ECC key pairs $(a, A)$ and $(p, P)$.
  2. Parameter Transmission: EE transmits $(ck, ek, A, P)$ to the RA.
  3. Cocoon Key Expansion: For each index $i$ (e.g., representing a time epoch), RA computes

$$B_i = A + f_1(ck, i)\,G,\quad Q_i = P + f_2(ek, i)\,G$$

where $f_1$, $f_2$ are AES-based KDFs.

  4. Forwarding to ACA: RA forwards $\{(B_i, Q_i)\}_i$ to ACA.
  5. Butterfly Key Generation: For each $i$, ACA samples $c \in_R \mathbb{Z}_n$, computes $C = c\,G$, calculates $H_i = B_i + C$, encrypts $c$ under $Q_i$ via ECIES, and signs the ciphertext.
  6. Return Path: ACA → RA: $(\widetilde{c_i}, \sigma_i)$; RA → EE: same.
  7. Cocoon and Butterfly Key Recovery: EE reconstructs $b_i = a + f_1(ck, i) \bmod n$, $q_i = p + f_2(ek, i) \bmod n$, decrypts $\widetilde{c_i}$ using $q_i$ to obtain $c$, then computes $h_i = b_i + c \bmod n$.
  8. Pseudonym Key Output: The pair $(H_i, h_i)$ constitutes a single pseudonym (butterfly) key.

Primitives employed include elliptic-curve scalar multiplication, point addition, ECIES encryption, and AES-based KDFs implemented via counter-mode or CMAC (Chen, 9 Jan 2025).
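An added illustration of the ECC workflow above (example code written for this page, not the paper's code and not an IEEE 1609.2.1 implementation): one expansion round over NIST P-256, the curve the page names for ECC-BKE, using pure-Python affine point arithmetic. It assumes HMAC-SHA256 as a stand-in for the AES-based KDFs $f_1$, $f_2$, and it hands the ACA's random scalar $c$ to the EE directly in-process instead of wrapping it in ECIES under $Q_i$ and signing it, because the point of the example is the key algebra rather than transport. The EE-side checks at the end are the consistency tests a deployment would want before using a pseudonym: $h_i G = H_i$ and $q_i G = Q_i$, with every received point verified to lie on the curve.

```python
import hashlib
import hmac
import secrets

# NIST P-256 domain parameters: y^2 = x^3 - 3x + B over F_P, group of prime order N.
P = 0xFFFFFFFF_00000001_00000000_00000000_00000000_FFFFFFFF_FFFFFFFF_FFFFFFFF
A = P - 3
B = 0x5AC635D8_AA3A93E7_B3EBBD55_769886BC_651D06B0_CC53B0F6_3BCE3C3E_27D2604B
N = 0xFFFFFFFF_00000000_FFFFFFFF_FFFFFFFF_BCE6FAAD_A7179E84_F3B9CAC2_FC632551
G = (0x6B17D1F2_E12C4247_F8BCE6E5_63A440F2_77037D81_2DEB33A0_F4A13945_D898C296,
     0x4FE342E2_FE1A7F9B_8EE7EB4A_7C0F9E16_2BCE3357_6B315ECE_CBB64068_37BF51F5)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt is the point at infinity or satisfies the curve equation."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; also handles doubling and inverse points."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def kdf(key, i):
    """Stand-in (assumption) for the AES-based KDF f(key, i): HMAC-SHA256 of the index, mod N."""
    mac = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N


def ee_keygen():
    """Key Generation: EE picks AES keys ck, ek and caterpillar key pairs (a, A), (p, P)."""
    a = secrets.randbelow(N - 1) + 1
    p = secrets.randbelow(N - 1) + 1
    return {"ck": secrets.token_bytes(16), "ek": secrets.token_bytes(16),
            "a": a, "p": p, "A": mul(a, G), "P": mul(p, G)}


def ra_cocoon(ck, ek, A_pub, P_pub, i):
    """Cocoon Key Expansion: RA derives B_i, Q_i from (ck, ek, A, P) only, never from a or p."""
    B_i = add(A_pub, mul(kdf(ck, i), G))
    Q_i = add(P_pub, mul(kdf(ek, i), G))
    return B_i, Q_i


def aca_butterfly(B_i):
    """Butterfly Key Generation: ACA adds a fresh random point C = c*G (ECIES wrapping of c omitted)."""
    c = secrets.randbelow(N - 1) + 1
    return add(B_i, mul(c, G)), c


def ee_recover(ee, i, c):
    """Key Recovery: EE rebuilds the cocoon private keys b_i, q_i and adds c to get h_i."""
    b_i = (ee["a"] + kdf(ee["ck"], i)) % N
    q_i = (ee["p"] + kdf(ee["ek"], i)) % N
    return (b_i + c) % N, q_i


def run_expansion(i):
    """One expansion round for index i; returns the checks the EE performs before using the key."""
    ee = ee_keygen()
    B_i, Q_i = ra_cocoon(ee["ck"], ee["ek"], ee["A"], ee["P"], i)
    H_i, c = aca_butterfly(B_i)
    h_i, q_i = ee_recover(ee, i, c)
    return {
        # the EE's private scalars must correspond to the public points RA and ACA produced
        "butterfly_consistent": mul(h_i, G) == H_i,
        "cocoon_consistent": mul(q_i, G) == Q_i,
        "all_on_curve": all(on_curve(pt) for pt in (B_i, Q_i, H_i)),
        # the published pseudonym key is not the caterpillar public key
        "differs_from_base": H_i != ee["A"],
    }
```

`mul(N, G)` returning the point at infinity confirms the group order constant; each `run_expansion(i)` call draws fresh caterpillar keys and a fresh $c$, so only the consistency results, not the points themselves, are reproducible across runs.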

3. Efficient RSA-Based Butterfly Key Expansion

The RSA-based BKE, proposed by Chen et al., eliminates ECC operations and replaces the protocol machinery with integer arithmetic, yielding significant computational gains. In this method, the EE generates a single RSA key pair $(s, S)$ over modulus $N = p \cdot q$, and "expansion values" $\alpha = g\,h\,\phi(N)$ and $\beta = v\,h\,\phi(N)$ are constructed using large random primes $g, h, v$.

Protocol Overview

  • Initialization: EE generates $(s, S)$ such that $s\,S \equiv 1 \pmod{\phi(N)}$ and selects $g, h, v$ to compute $\alpha, \beta$. The expansion values are encrypted with the recipients' public keys and distributed:

$$\alpha' = \mathrm{RSA\_Enc}(PK_{RA}, \alpha),\quad \beta' = \mathrm{RSA\_Enc}(PK_{ACA}, \beta)$$

  • Cocoon Key Expansion: RA decrypts $\alpha'$ and, for each index $i$, computes $J_i = S + r_i\,\alpha$ for random $r_i$.
  • Butterfly Key Generation: ACA decrypts $\beta'$ and, for each $J_i$, computes $H_i = J_i + o_i\,\beta$ for random $o_i$.
  • Key Recovery: For each $H_i$, the EE recovers the pseudonym key pair $(H_i, s)$, as all private keys remain $s$.

Correctness and Security

Correctness is guaranteed by the algebraic properties of RSA. For any $x \in \mathbb{Z}_N$ and $s\,S \equiv 1 \pmod{\phi(N)}$, $\mathrm{RSA\_Dec}_s(\mathrm{RSA\_Enc}_S(x)) = x$. Both cocoon and butterfly public keys are constructed such that ciphertexts encrypted under these keys can be decrypted by $s$. Privacy analysis shows that neither RA nor ACA can recover $s$ or factors of $N$ from $\{J_i\}$ or $\{H_i\}$, since $\alpha, \beta$ are protected under encryption and $\gcd(\alpha, \beta) = h\,\phi(N)$ does not facilitate factoring $N$ (Chen, 9 Jan 2025).

4. Comparative Performance Evaluation

Performance benchmarking compares the ECC-based BKE as in IEEE 1609.2.1-2022 and the efficient RSA-based BKE proposed by Chen et al. Experimental setup includes 1,000 repetitions of expansion (1 or 20 pseudonyms) for five NIST security strengths (80, 112, 128, 192, 256 bits), on an Intel i7-10510U platform.

The results are as follows (mean microseconds):

Scenario            ECC-BKE (µs)   RSA-BKE (µs)   Speedup
1 cocoon key        55,589         11.86          ~4,691×
1 butterfly key     18,173         12.34          ~1,471×
20 cocoon keys      37,657         13.15          ~2,863×
20 butterfly keys   18,685         13.20          ~1,415×

The efficiency gain, ranging from ~1,400× to ~5,800×, is attributed to the substitution of computationally intensive elliptic-curve scalar multiplications with integer additions and multiplications in the RSA-based approach (Chen, 9 Jan 2025).

5. Security-Strength Parity and Standard Alignment

Both BKE variants are designed to achieve the same security levels in line with NIST SP 800-57 Rev 5 recommendations. The ECC-BKE uses NIST P-256 (providing 128-bit security), and the RSA-BKE uses a modulus of 3072 bits to match this security strength. This ensures that replacing ECC with RSA in the protocol does not compromise security guarantees. Key-selection guidelines in the RSA-based approach are chosen to align precisely with these standards (Chen, 9 Jan 2025).

6. Practical Implications and Worked Example

BKE is central to scalable pseudonym issuance in vehicular SCMS. For practical illustration, a worked example with toy parameters (10-bit numbers) demonstrates stepwise key derivation in the RSA-based protocol: from generating primes $p = 991$, $q = 827$ ($N = 819{,}557$), selecting $s = 84{,}983$, and computing expansion values $\alpha = 458{,}967{,}205{,}620$ and $\beta = 481{,}499{,}213{,}580$, to constructing cocoon and butterfly keys, and recovering a plaintext encrypted under a butterfly key through $s$.
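The toy worked example carried through in code (added here; not the paper's code), covering the protocol overview and correctness argument of section 3 as well as the parameters of this section. It uses the page's $p$, $q$ and $s$. The primes $g$, $h$, $v$ are not given on the page, so the values below are constructed; they were chosen so that $\alpha = g\,h\,\phi(N)$ and $\beta = v\,h\,\phi(N)$ reproduce the quoted 458,967,205,620 and 481,499,213,580. The random multipliers $r_i$, $o_i$ are assumed small for readability, and the transport encryption of $\alpha'$, $\beta'$ to RA and ACA is omitted: RA and ACA receive the plaintext expansion values in-process, each seeing only its own.

```python
from math import gcd
import secrets

# Toy parameters quoted on the page (10-bit primes).
p, q = 991, 827
N = p * q                  # 819,557
PHI = (p - 1) * (q - 1)    # phi(N) = 817,740, known only to the EE
s = 84983                  # EE private exponent from the page's worked example
# g, h, v are NOT given on the page; these constructed values reproduce the page's alpha and beta.
g, h, v = 937, 599, 983


def ee_init():
    """Initialization: EE derives the public exponent S and the expansion values alpha, beta."""
    assert gcd(s, PHI) == 1, "s must be invertible mod phi(N)"
    S = pow(s, -1, PHI)    # s * S ≡ 1 (mod phi(N))
    alpha = g * h * PHI    # 458,967,205,620 with the constructed g, h
    beta = v * h * PHI     # 481,499,213,580 with the constructed v, h
    return S, alpha, beta


def ra_cocoon(S, alpha, r_i):
    """Cocoon Key Expansion: RA holds S and alpha, never s or phi(N)."""
    return S + r_i * alpha


def aca_butterfly(J_i, beta, o_i):
    """Butterfly Key Generation: ACA holds beta, never alpha, s or phi(N)."""
    return J_i + o_i * beta


def rsa_enc(e, m):
    """Textbook RSA encryption under public exponent e and the shared modulus N."""
    return pow(m, e, N)


def rsa_dec(d, c):
    """Textbook RSA decryption with private exponent d."""
    return pow(c, d, N)


def expand_and_check(m, r_i=None, o_i=None):
    """Runs one expansion and checks that the pseudonym public key (H_i, N) still pairs with s."""
    S, alpha, beta = ee_init()
    r_i = r_i or secrets.randbelow(2 ** 16) + 1
    o_i = o_i or secrets.randbelow(2 ** 16) + 1
    J_i = ra_cocoon(S, alpha, r_i)
    H_i = aca_butterfly(J_i, beta, o_i)
    assert 0 < m < N, "textbook RSA plaintext must be smaller than the modulus"
    c = rsa_enc(H_i, m)    # a sender encrypts under the butterfly public key (H_i, N)
    return {
        "alpha": alpha, "beta": beta, "S": S, "J_i": J_i, "H_i": H_i,
        # H_i = S + (r_i*g + o_i*v) * h * phi(N), so H_i ≡ S (mod phi(N)) and s still inverts it
        "H_i_mod_phi": H_i % PHI,
        "recovered": rsa_dec(s, c),
        # gcd(alpha, beta) = h * phi(N) by construction; the quantity examined in the privacy analysis
        "gcd_alpha_beta": gcd(alpha, beta),
    }
```

The correctness argument of section 3 is visible in `H_i_mod_phi`: every cocoon and butterfly exponent differs from $S$ by a multiple of $\phi(N)$, which is why a single private exponent $s$ decrypts under all of them, and why the EE never needs a per-pseudonym secret.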

This suggests that the RSA-based BKE's algebraic structure enables not only efficiency but also straightforward correctness proofs and privacy arguments (Chen, 9 Jan 2025).

7. Cryptographic Primitives and Implementation Details

The ECC-based method relies on the established toolchain of elliptic-curve cryptography: point addition, scalar multiplication (implemented by repeated doubling and addition in $\mathbb{G}$), ECIES encryption, ECDSA signatures, and AES-based counter-mode or CMAC KDFs.

The RSA-based scheme replaces all ECC operations with RSA exponentiation and integer arithmetic. Expansion values conceal factors of $\phi(N)$ but are structured so that all pseudonym public keys can be used with the same private exponent. Notably, the protocol does not require distributed key generation or secure multiparty computation for expansion; all properties are achieved via precomputation and modular arithmetic (Chen, 9 Jan 2025).
