Implicit certificate

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

In cryptography, implicit certificates are a variant of public key certificate, such that a public key can be reconstructed from any implicit certificate, and is said then to be implicitly verified, in the sense that the only party who can know the associated private key is the party identified in the implicit certificate. This does not rule out the possibility that nobody knows the private key, but this possibility is not considered a major problem.

By comparison, traditional public-key certificates include a copy of the public key and the digital signature of the certificate authority. Upon verification of the digital signature, the public key is explicitly verified, in the sense that the party identified in the certificate knows the associated private key and is the only party who can know the private key. Unlike an implicit certificate, there is no possibility that nobody knows the private key. For the purposes of this article, such certificates will be called explicit certificates.

Elliptic Curve Qu-Vanstone (ECQV) are one kind of implicit certificates. ECQV is described in the document Standards for Efficient Cryptography 4 (SEC4)[1].
This article will use ECQV as a concrete example to illustrate implicit certificates.

The cryptographic portion of an ECQV implicit certificate is the size of an elliptic curve point, making it considerably smaller than a comparable explicit certificate. Smaller certificates are useful in highly constrained environments, such as Radio-frequency Identification RFID tags, where not a lot of memory or bandwidth is available.

Digital certificates are considered the best-known method of establishing identity in network communications. A certificate provides a binding between identity information and a public key; a key pair can subsequently be used for key exchange to set up secured communications and for digital signatures, to authenticate users or transactions for example.

Conventional explicit certificates are made up of three parts: identification data, a public key and a digital signature which binds the public key to the user’s identification data (ID). The digital certificate is created by a trusted third party and its signature can be independently verified by anyone in the network. The public key, ID and digital signature are distinct data elements which make up the physical size of the certificate. Conventional certificates can get very large. For example, a standard X.509 certificate is on the order of 1KB in size (~8000 bits).

Implicit certificates carry the same data (ID, public key and digital signature) but the data elements are super imposed into a string the size of the public key. For example, using an elliptic curve system at 160 bits would give us implicit certificates of size 160 bits.

With implicit certificates there is no explicit validation of the certificate authority's (CA’s) signature on a certificate. Instead, a user computes a public key from the implicit certificate and simply uses it in the intended ECC operation, e.g. key agreement protocols such as ECDH and ECMQV, or signing such as ECDSA. The operation will fail if the certificate is invalid. Thus ECQV is regarded as an implicit validation scheme. Computing the public key is very fast, much faster than a public key operation.

Generating implicit certificates[edit]

Initially the elliptic curve parameters must be agreed upon. We define as a generating point of order . The certificate authority (CA) will have private key and public key . Alice will be the user who requests the implicit certificate from the CA.

  1. Alice generates a random integer and computes and sends that to the CA. The CA does all the rest.
  2. CA selects a random integer from and computes .
  3. CA computes (this is the public key reconstruction data)
  4. CA computes , IDA is Alice's identifying information and is an encoding function
  5. CA computes , where is a cryptographic hash function, such as SHA
  6. CA computes where is private key reconstruction data
  7. CA sends to Alice

Alice’s private key is

Alice’s public key is

Computing the public-key from the implicit certificate[edit]

Computing Alice's public key can be computed by any third party provided they know , and .

Note that the size of the implicit certificate is the same size as Alice's public key .


A security proof for ECQV has been published by Brown et al.[2]

See also[edit]


  1. ^ "Standards for efficient cryptography, SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV)" (PDF). 2013-01-24. Retrieved 2017-07-05.
  2. ^ Brown, Daniel R. L.; Gallant, Robert P.; Vanstone, Scott A. (2001). "Provably Secure Implicit Certificate Schemes". Financial Cryptography 2001. Lecture Notes in Computer Science. 2339 (1): 156–165. CiteSeerX doi:10.1007/3-540-46088-8_15. Retrieved 27 December 2015.

External links[edit]