Title: Efficient and Robust Secure Key Issuing Protocol in ID-based Cryptography


1
Efficient and Robust Secure Key Issuing Protocol
in ID-based Cryptography
  • Byoungcheon Lee (1), Ed Dawson (2), Sangjae Moon (3)
  • (1) Joongbu Univ, Korea
  • (2) ISI, QUT, Australia
  • (3) Kyungpook National Univ, Korea

2
Contents
  • Introduction
  • Background concepts
  • Our key issuing model
  • Secure key issuing protocol
  • Analysis
  • Conclusion

3
Certificate-based Crypto
  • Certificate-based crypto
  • User's public key is certified with a certificate
    issued by a certification authority (CA)
  • Public key infrastructure (PKI) is used to manage
    trust relationships in a complex hierarchy
  • Pros
  • Explicit authentication of a public key
  • Cons
  • Key revocation is a big issue
  • Requires a large amount of storage and computing
    time

4
ID-based Crypto
  • ID-based crypto
  • Public identity information is used as a public
    key
  • Private key is computed by a trusted key
    generation center (KGC) and sent to a user
    through a secure channel
  • Pros
  • Key distribution and key revocation are not
    required
  • Can send a secure message even before the private
    key is issued
  • Cons
  • Key escrow problem: KGC knows the user's private key
  • Hard to provide privacy, non-repudiation services
  • Secure channel is required

5
Secure Key Issuing Problem
  • How to provide a Secure Key Issuing (SKI)
    mechanism in ID-based cryptography?
  • Multiple authority approach
  • Threshold key issuing (distribution of the master
    key) [Boneh, Franklin 2001]
  • Addition of multiple keys [Chen et al. 2002]
  • Requires multiple identifications
  • Using user-chosen randomness
  • Certificate-based encryption [Gentry 2003]
  • Certificateless public key cryptography
    [Al-Riyami 2003]
  • Loses the advantage of ID-based cryptography

6
Our Previous SKI Scheme
  • Approach
  • Single authority-multiple observer model
  • Single KGC (key generation center):
    identification of user, key issuing
  • Multiple KPAs (key privacy agents): privacy
    service
  • Single identification by KGC is enough
  • Fully serial service by KGC and KPAs
  • Drawback
  • Not efficient: serial computation and
    communication by KGC and multiple KPAs
  • Not robust: a single failure is not allowed
  • Correctness of protocol is not verifiable
  • Not secure: KGC can launch an impersonation
    attack [Kwon04]

7
Real World Scenarios
  • Single authority-multiple observer model
  • NGO (non-governmental organization)
  • The government has official authority
  • NGOs observe and supervise the government (They
    do not have official authority, but are widely
    accepted)
  • Ombudsman
  • Electronic election
  • Election is managed by an administrator
  • Political parties observe the election
    administrator to prevent any illegal activities:
    illegal voters, double voting, miscounting, etc.

8
Our Contribution
  • Solve the problem of our previous SKI scheme s.t.
  • KPAs share a secret key using VSS scheme and
    provide privacy service in a robust manner
  • Correctness of protocol is publicly verifiable
  • Secure short signature scheme is used
  • Keeping useful features
  • Fully ID-based secure key issuing (can be used
    with any ID-based cryptosystems)
  • Single identification is possible

9
Basic Concepts on Bilinear Pairings

10
Hard problems
  • DLP (Discrete Logarithm)
  • DDHP (Decisional Diffie-Hellman)
  • CDHP (Computational Diffie-Hellman)
  • BDHP (Bilinear Diffie-Hellman)
  • GDHP (Gap Diffie-Hellman)
  • Problems where DDHP is easy but CDHP is hard
  • GDH group can be found from supersingular
    elliptic curve or hyperelliptic curve
  • Bilinear pairings can be derived from the Weil or
    Tate pairing

11
ID-based Encryption [BF01]
  • Set-up (by KGC)
  • Extract (by KGC)

12
ID-based Encryption [BF01]
  • Encrypt (by sender)
  • Decrypt (by receiver)

13
Short Signatures [BLS01]
  • Signing
  • Verification

14
Our Key Issuing Model
[Diagram: KGC, User and n KPAs, with the system public key. The KPAs share a key pair. Steps: (1) partial key issuing, (2) key securing, (3) key retrieving.]

15
Entities and Their Roles
  • Key generation center (KGC) or CA
  • Checks identification of user and issues partial
    private key
  • Has a key pair $Y_0 = s_0 P$
  • Key privacy authority (KPA)
  • n agents who provide key privacy service
  • Share a key pair $P_K = s_K P$ using a VSS scheme
  • Each KPA has his share $P_i = s_i P$
  • User (with ID)
  • Chooses a secure randomness $X = xP$
  • Finally gets a public/private key pair $Q_{ID}$, $D_{ID}$

16
Proposed SKI Protocol
  • 1. System setup (by KGC)
  • Generate system parameters of pairing
    cryptosystem
  • $P$: generator of the additive group $G_1$
  • $q$: order of the groups $G_1$ and $G_2$

17
Proposed SKI Protocol
  • 2. System public key setup (by KGC and KPAs)
  • KGC generates his key pair
  • KPAs share a key pair $P_K = s_K P$ using a t-out-of-n VSS
    scheme. Each KPA has his share
  • KGC computes system public key
  • Anyone can verify the validity of Y
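
The key sharing among the KPAs (slides 15 and 17), as an added example that is not part of the presentation: the slides do not say which VSS scheme is used, so this sketch assumes Feldman VSS with a dealer, and it models the group $G_1$ with a small multiplicative group mod p (so $s \cdot P$ becomes `g^s mod p`). All parameters and function names are constructed for illustration.

```python
import secrets

# Toy Schnorr group standing in for G1 (assumption); s*P is modelled as g^s mod p.
# Constructed demo parameters, far too small for real use: p = 2q + 1, g has order q.
p, q, g = 2039, 1019, 4

def deal(secret, t, n):
    """Split s_K with a degree t-1 polynomial f, f(0) = s_K; publish commitments."""
    coeffs = [secret] + [secrets.randbelow(q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, q) for k, c in enumerate(coeffs)) % q
              for i in range(1, n + 1)}                  # s_i = f(i), kept by KPA_i
    commitments = [pow(g, c, p) for c in coeffs]         # a_k * P, public
    return shares, commitments

def share_pub(i, commitments):
    """Anyone can derive P_i = s_i * P from the public commitments alone."""
    out = 1
    for k, a_k in enumerate(commitments):
        out = out * pow(a_k, pow(i, k, q), p) % p
    return out

def verify_share(i, s_i, commitments):
    """KPA_i checks that the share it received matches the published values."""
    return pow(g, s_i, p) == share_pub(i, commitments)

def lagrange_at_zero(i, ids):
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % q, den * (i - j) % q
    return num * pow(den, -1, q) % q

def combine_pub(pubs):
    """Recompute P_K = s_K * P from any t values {i: P_i}; s_K is never rebuilt."""
    out = 1
    for i, p_i in pubs.items():
        out = out * pow(p_i, lagrange_at_zero(i, pubs), p) % p
    return out

def demo(t=3, n=5):
    s_k = secrets.randbelow(q)
    shares, com = deal(s_k, t, n)
    all_valid = all(verify_share(i, s, com) for i, s in shares.items())
    tampered = verify_share(2, (shares[2] + 1) % q, com)   # corrupted share
    pubs = {i: share_pub(i, com) for i in (1, 3, 5)}        # any t of the n
    return all_valid, tampered, combine_pub(pubs) == pow(g, s_k, p)

if __name__ == "__main__":
    print(demo())
```

The public check in `combine_pub` is what lets an outside party confirm that the published $P_i$ values are consistent with $P_K$ without any KPA revealing its share.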

18
Proposed SKI Protocol
  • 3. Partial key issuing (by KGC to user)

[Diagram: exchange between User and KGC. Labels: using proper identification; public channel (publish); signature and blinding.]

19
Proposed SKI Protocol
  • 4. Key securing (by KPAs to user)
  • Sequential key privacy service

[Diagram: exchange between User and KPAi. Labels: public channel (publish); signature and blinding.]

20
Proposed SKI Protocol
  • 5. Key retrieving (by user)
  • Check the validity of each signature
  • Unblind each message and compute
  • Check the validity of each Qi
  • Retrieve his private key by
  • Verify the correctness of his private key

21
Batch Verification
  • Verifying n $Q_i$s requires 2n pairing computations
  • Apply batch verification technique (small
    exponent test)
  • Choose small random numbers
  • Verify
  • Requires just 2 pairing computations (neglecting 2n
    scalar multiplications with small integers)

22
Key Escrow Protocol
  • Key escrow per message under a court order
  • For a given ciphertext
  • KGC and n KPAs cooperate to recover the message m
  • KPAi computes
  • KGC computes
  • KGC computes
  • Message is recovered by

23
Analysis
  • Key privacy is attained
  • If at least n-t KPAs remain honest, $D_{ID}$ is not
    exposed
  • All protocol messages are secure (blinded with
    user-chosen secret X)
  • Only the legitimate user who knows x can recover
    the private key
  • Correctness of protocol messages is publicly
    verifiable
  • Blinded protocol messages can be published
  • Anyone can verify the correctness of messages
  • [Kwon04]'s attack does not work
  • Secure short signature scheme is used
  • Every entity's work is publicly verifiable

24
Analysis
  • KGC needs to be trusted
  • If KGC illegally prepares the stage 3 messages by
    himself in the name of the user, he can get the user's
    private key
  • Same scenario in a certificate-based scheme: CA can
    illegally issue a certificate in the name of any
    user
  • Proper identification should be used
  • Offline identification
  • Online identification if previous identification
    exists

25
Analysis
  • Efficiency
  • Real ID-based crypto with secure key issuing
  • Overcome the key escrow problem
  • Can be used with any ID-based cryptography

26
Conclusion
  • Provide secure key issuing in ID-based crypto
    using single authority-multiple observer model
  • Partial key issuing by single KGC
  • Key securing by multiple KPAs
  • Secure channel by using blinding technique
  • Improve Lee's SKI scheme [LBD04], achieving
  • Efficiency
  • Robustness
  • Public verifiability
  • ID-based cryptosystems become more practical in
    the real world with a secure key issuing mechanism

27
Thank you!
  • Q & A