First time question poster so I hope the below is clear enough :).
Problem summary: Can a Holder and Verifier safely use ECDH for a Challenge-Response protocol where:
- the Holder proves possession and control over a private key $d$ using material that a trusted Issuer signs, and
- the Verifier learns no correlation handle (e.g., Holder public key $Q_d= dG$)?
Details and research: In previous posts, the Verifier either knows the Holder public key (c.f. 55195) or focuses on security properties that arguably do not apply to the proof of possession context (e.g., PTR-PAKE by Jarecki et al 2015). Here, the challenge-response protocol would be broken if:
- The Verifier learns a correlation handle from the protocol (e.g., the public key $dG$).
- The Holder can generate a proof of possession without being in control of $d$.
- The Verifier successfully verifies a proof of possession that does not include $d$.
Protocol suggestion
Given an elliptic curve over $GF(p)$ with the generator $G$ of order $order$:
Issuer steps:
- uses a PRNG to generate, $r \in [1, order-1]$.
- generates the point $Q_r=rG$
- multiplies the Holder public key with $r$ to generate $Q_{dr}=$ECDH$(r, Q_d)$.
- issues a signature over points $P = (Q_r, Q_{dr})$ to the Holder
The Holder presents $P$ to a Verifier. After validating the Issuer signature, the Verifier continues with:
- using a PRNG to generate scalars, $(m,n) \in [1, order-1]$.
- computes the two challenge points $C = (Q_{rm} = m \cdot Q_r, Q_{drn} = n \cdot Q_{dr})$
- sends $C$ to the Holder.
The Holder:
- uses ECDH to generate the two x-coordinates of the points $R = (x_{drm}=(d \cdot Q_{rm}).x, x_{d^2rn}=(d \cdot Q_{drn}).x)$
The Verifier continues with:
- checks that neither of the values in $R$ correspond to an x-coordinate of the challenge points in $C$.
- computes $(m^{-1}, n^{-1})$
- uses the values in $R$ to recover any of the two possible y coordinates (we denote recovered point as $Q'$) to generate the four response points for testing: $T = (m^{-1} \cdot [Q'_{drm}, Q'_{d^2rn}], n^{-1} \cdot [Q'_{drm}, Q'_{d^2rn}])$.
- accept the response if exactly one x-coordinate of a point in $T$ is equal to a point in $P$
(See update below) As an additional question, and if the above is secure, would a non-interactive alternative be possible by replacing the challenge generation with a random oracle access? For instance, the Holder can generate the challenge pair from a presentation session id and $P$ using a cryptographic hash function e.g., c = SHA512(P || session_id) and m,n=c[:32], c[32:].
Update to the non-interactive part:
Knowing the values $(m,n)$ and $P$ seemingly allows the computation of the correct output even without possession of $d$. With challenge $c_1$ for $Q_r$ and $c_2$ is for $Q_{dr}$, an attacker could generate a random point $S$ and then flip the challenge in the response and compute the x-coordinates of the pair $(ECDH(c_1, Q_{dr}), S)$. Or?
And if the non-interactive part is not possible, the protocol can be simplified, as suggested in the comments, by only focusing on the ecdh input point. This would change steps 5,6,8 and the following verification steps.
The Verifier only has to generate generate scalar $m \in [1, order-1]$ and the challenge becomes $C = m \cdot Q_r$.
The Holder now only has to compute $R=ECDH(d, C)$ and the Verifier could compare $R$ with $ECDH(m, Q_{rd})$.
