(n, t) Threshold Key Generation in Identity-based Cryptosystems
*Fu-Kuo Tseng
Department of Computer Science National Chiao Tung University
Rong-Jaye Chen
Department of Computer Science National Chiao Tung University
Abstract―In recent years, considerable concern has arisen over the security of the master key in ID-based cryptosystems. The Boneh-Franklin scheme proposed a distributed PKG arrangement: it distributes partial master keys among different PKGs using techniques of threshold cryptography. In this paper, we discuss t-out-of-n key generation and related issues in the Boneh-Franklin ID-based cryptosystem.
Index Terms―ID-based cryptosystems, secret splitting, secret sharing, threshold cryptography
I. Introduction
The past decade has witnessed growing interest in pairing-based cryptosystems [8]. One of the important findings is the Weil pairing [8], which can be used to construct an ID-based (public-key) cryptosystem. In this system, the public key of a user is some unique identifier of the user, such as an e-mail address or a telephone number. However, the corresponding private key is generated by a trusted third party called the Private Key Generator (PKG) using a system secret called the master key. Therefore, the PKG must be highly trusted, since it can generate the private key of any system user. In some circumstances, we cannot tolerate the full possession of the master key by a single PKG. Therefore, the secret sharing scheme and many of its variants have been proposed to eliminate this weakness. The primary goal of this paper is to examine individual secret sharing schemes. It is hoped that this study could lead to a better understanding of both identity-based cryptosystems and secret sharing schemes. The remainder of the paper is organized as follows: Section II reviews bilinear pairings and ID-based cryptosystems. Section III introduces the basic secret sharing schemes and how they are used in the Boneh-Franklin scheme. In Section IV, we discuss related issues when deploying a secret sharing scheme in the Boneh-Franklin scheme. Finally, Section V gives our conclusions and presents future work.
* This paper was supported in part by the National Science Council of Taiwan under Contract No. NSC98-2221-E-009-079-MY3 and by the Industrial Technology Research Institute of Taiwan under Contract No. T2-98020-1.
II. Preliminaries
In this section, we briefly describe the basic definition and properties of (admissible) bilinear pairings [8] and ID-based cryptosystems [1].
A. (Admissible) Bilinear Pairing
Let $G_1$ be a cyclic additive group generated by $P$, whose order is a prime $q$, and $G_2$ be a cyclic multiplicative group of the same order $q$. Let $a, b$ be elements in $\mathbb{Z}_q^*$. A bilinear pairing is a map $e: G_1 \times G_1 \to G_2$ with the following properties:
• Bilinear: $\forall P, Q \in G_1$, $e(aP, bQ) = e(P, Q)^{ab}$.
• Non-degenerate: $\exists P, Q$ such that $e(P, Q) \neq 1$.
• Computable: $\forall P, Q \in G_1$, $e(P, Q)$ is efficiently computable.
The security of a scheme using bilinear pairings relies on the hardness of the computational problem called the Bilinear Diffie-Hellman problem (BDH). No algorithm is currently available that efficiently solves BDH; we assume BDH is computationally intractable.
Bilinear Diffie-Hellman (BDH) Problem: Given a group $G_1$ of prime order $q$, a bilinear map $e$ and one generator $P$ of $G_1$, $a, b, c \in \mathbb{Z}_q^*$, and given $aP, bP, cP \in G_1$, computing $e(P, P)^{abc}$ is hard.
B. ID-based cryptosystems
The concept of identity-based cryptosystems was first proposed by Shamir [7]. The scheme utilizes the user's identity (ID) as the public key rather than a meaningless string in a digital certificate. Therefore, the public key can be inferred from the user's identifier and no public key certificate is needed. A user authenticates itself to the Private Key Generator (PKG) by showing physical identification tokens and obtains the corresponding private key. The sender encrypts messages using the recipient's ID as the public key. The recipient decrypts messages using its private key corresponding to its ID. An identity-based encryption scheme consists of four randomized algorithms: Setup, Extract, Encrypt and Decrypt, as shown below and in Figure 1.
Setup:
The PKG selects system parameters and one system master key.
Extract:
The system user Bob authenticates himself to the PKG and obtains the private key corresponding to his identity.
Encrypt:
The sender Alice produces ciphertext C by encrypting plaintext M using Bob's identity.
Decrypt:
The receiver Bob decrypts ciphertext C using his private key and obtains plaintext M.
Figure 1 Operations defined in Identity-based cryptosystems
At first, Shamir [7] constructed an identity-based signature scheme (IBS) using RSA functions; however, he was unable to construct an identity-based encryption (IBE) scheme. The first efficient and secure ID-based encryption scheme was proposed by Boneh and Franklin [1] in 2003. (Cocks [2] constructed another IBE scheme in the same year based on the integer factorization problem. However, the scheme is inefficient since it encrypts messages in a bit-by-bit fashion, yielding a very long ciphertext. Thus, in this paper, we focus only on pairing-based identity-based cryptosystems, which are widely used and discussed in the research field.) The main idea of the Boneh-Franklin scheme is that the sender and the receiver can derive the same session key by applying a bilinear map to the information available to each of them, and use this shared session key to protect the messages. The four randomized algorithms are described below and depicted in Figure 2.
Setup: (performed by PKG)
The PKG selects the system master key $s_0$ and the system parameters $(G_1, G_2, H_1, H_2, P, Q_0, e)$:
(1) PKG generates cyclic groups $G_1, G_2$ of order $q$, a bilinear map $e: G_1 \times G_1 \to G_2$ and a generator $P$ in $G_1$.
(2) PKG picks the master key $s_0 \in \mathbb{F}_q^*$ and computes the system public key $Q_0 = s_0 P$.
(3) PKG picks cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^*$.
Extract: (performed by PKG)
(1) Bob authenticates himself to the PKG using his identity $ID_{Bob}$ and some physical identity credentials such as an identification card or driver's license.
(2) Once authenticated by the PKG, Bob is given his private key $S_{Bob} = s_0 P_{Bob}$ corresponding to his public key $P_{Bob} = H_1(ID_{Bob})$.
Encrypt: (performed by encrypter)
Given a plaintext $M$ and the recipient's identity $ID_{Bob}$:
(1) Alice selects a random number $r \in \mathbb{F}_q^*$.
(2) Alice computes Bob's public key as $P_{Bob} = H_1(ID_{Bob})$.
(3) Alice produces the ciphertext by computing $C = (rP,\ M \oplus H_2(e(P_{Bob}, Q_0)^r))$.
Decrypt: (performed by decrypter)
Given a ciphertext $C' = (U, V)$, Bob computes $M' = V \oplus H_2(e(S_{Bob}, U))$.
Figure 2 Boneh-Franklin IBE scheme (figure: Alice, Bob and the Private Key Generator (PKG); Setup generates params and the master key; after authentication of IDBob, Extract generates PriKeyIDBob from IDBob and the master key and returns it to Bob; Alice encrypts or verifies under (params, IDBob), Bob decrypts or signs with PriKeyIDBob; IDBob is arbitrary and meaningful, e.g. an e-mail address or a phone number such as 0912345678)
III. t-out-of-n Master-key Generation
The security concern of ID-based cryptosystems is the inherent weakness called key escrow. It originates from the need for the PKG to generate the private keys of the system users. Therefore, the PKG knows the master key of the system; hence it can generate the private key of any system user and perform unauthorized operations such as decryption or signing. In this section, several secret sharing schemes for (master) key generation are introduced, and how these schemes integrate with the Boneh-Franklin ID-based cryptosystem is also presented.
The first attempt to mend the key-escrow weakness is by using secret splitting [11]. In this scheme, the secret information is divided into multiple shares, which are given to each individual. All of the individuals with a share have to agree on merging all the shares to retrieve the secret. In this case, the number of shares needed to recover the secret equals the total number of shares, say n, which yields an n-out-of-n key generation scheme. This scheme is analogous to splitting a treasure map into pieces and distributing them to all the explorers. Only if all the pieces are joined together can they find the position of the treasure. It is noted that the scheme needs a trusted third party who performs the map-splitting process; the explorers can designate this job to the chief of their village. An example is shown in Figure 3.
Figure 3 Secret splitting between 2 shareholders: Secret 010010110100 = Share 1 101001000110 XOR Share 2 111011110010
Suppose there are two users, say Alice and Bob, who want to share a secret. They first find a trusted third party (TTP). If the secret is represented as a binary number of length m, the TTP first generates a share of length m at random and performs an exclusive-or operation (XOR) with the secret to obtain the other share. The TTP then gives one of the shares to Alice and the other to Bob. Alice and Bob can collaborate later to reconstruct the secret by XORing their shares. Neither of them knows the whole secret without the help of the other shareholder.
More generally, if more shares are needed, say n, the TTP generates n−1 shares of length m at random and XORs all of them together with the secret to obtain the nth share. The TTP then distributes one share to each of the n participants. An example is depicted in Figure 4.
Figure 4 Secret splitting among n shareholders: Secret 010010110100; Share 1 101001000110; Share 2 011101011011; ...; Share n−1 101010011110; Share n 111011110010 (the XOR of all n shares gives the secret)
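As an added example (not from the paper), the n-out-of-n splitting of Figures 3 and 4 in Python: the TTP draws n−1 shares from the operating system's CSPRNG (the randomness requirement discussed in Section IV), derives the last share by XOR, and merging all n shares recovers the secret. The 12-bit secret of the figures is used as the constructed sample; the helper names and the `randbits` parameter are this example's own.

```python
import secrets
from functools import reduce
from operator import xor

def split_secret(secret, n, bits, randbits=secrets.randbits):
    """TTP side of the n-out-of-n scheme: n-1 uniformly random shares of `bits` bits,
    the n-th share is secret XOR (share_1 XOR ... XOR share_{n-1})."""
    if n < 2:
        raise ValueError("need at least two shareholders")
    shares = [randbits(bits) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, secret))      # now XOR of all n shares == secret
    return shares

def reconstruct(shares):
    """Shareholder side: merging all shares recovers the secret (XOR is associative)."""
    return reduce(xor, shares, 0)

# Constructed sample: the 12-bit secret from Figures 3 and 4.
SECRET = 0b010010110100

def demo(n=4, bits=12):
    """Split among n holders with OS-backed randomness, then merge. Any n-1 shares
    XOR to SECRET ^ (missing share), a uniform value that says nothing about SECRET."""
    shares = split_secret(SECRET, n, bits)
    return reconstruct(shares) == SECRET, reconstruct(shares[1:]) == SECRET ^ shares[0]
```

Passing a fixed `randbits` (as the test does) reproduces Figure 3 exactly: share 1 = 101001000110 forces share 2 = 111011110010.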
Sometimes it might be impractical to gather all the participants to recover the secret. More importantly, if any one of the shares is missing, the secret can no longer be reconstructed. Therefore, the second technique, called the threshold scheme [10], is used. In this scheme, the secret information is also broken up into multiple shares, which are given to two or more individuals. However, the scheme provides a way to reconstruct the secret without the presence of all the shares. More specifically, if any subset of shares with size equal to or larger than t is sufficient to reconstruct the secret, we call it a t-out-of-n threshold scheme.
One version of the t-out-of-n threshold scheme was proposed by Shamir [6]. It makes use of the idea that two points are sufficient to define a line, three points are sufficient to define a parabola, and so forth. That is, we need t points to uniquely determine a polynomial of degree t−1. An example is depicted in Figure 5.
(Figure residue of the IBE diagram: IDBob = [email protected]; PubKeyBob = Hash(IDBob); Setup generates params and secret s0; Extract generates PriKeyBob = s0 PubKeyBob from PubKeyBob and secret s0; Encrypt generates EncPubKeyBob(Msg) from Msg using PubKeyBob; Decrypt recovers Msg from EncPubKeyBob(Msg) using PriKeyBob. The secret s0 is critical in an IBE system, since it can be used to generate the private key of any user.)
Figure 5 Concept of Shamir secret sharing: the (n, 2) scheme uses a degree-1 polynomial $y = a_1 x + a_0$ and needs 2 pairs $(x, f(x))$ to determine it; the (n, t) scheme uses a degree-$(t-1)$ polynomial $y = a_{t-1} x^{t-1} + a_{t-2} x^{t-2} + \cdots + a_1 x + a_0$ and needs $t$ pairs $(x, f(x))$ to determine it. The secret is the point $(0, s)$ and the shares are the points $(x_1, y_1), \ldots, (x_n, y_n)$ (index, share).
If we want to construct a Shamir $(n, t)$ threshold scheme, there are two phases in the scheme.
Setup: (performed by TTP)
(1) TTP chooses a prime $q$, the order of $G_1$.
(2) TTP defines the coefficient $a_0 = s = f(0)$.
(3) TTP chooses $a_1, \ldots, a_{t-1}$ at random from $\mathbb{Z}_q^*$.
(4) For each shareholder $i$, TTP computes $f(i) = \sum_{j=0}^{t-1} a_j i^j \bmod q$.
(5) TTP gives $f(i)$ to shareholder $i$ for $i \in \{1, \ldots, n\}$.
Reconstruct: (performed by TTP or each of the shareholders)
(1) TTP collects all the shares of the shareholders, or each shareholder gives its share to the others.
(2) TTP (or each shareholder) reconstructs the secret from any $t$ shares $f(i)$, $i \in I$ with $|I| = t$, by Lagrange interpolation at $x = 0$: $s = f(0) = \sum_{i \in I} f(i) \prod_{j \in I,\, j \neq i} \frac{-j}{i - j} \bmod q$.
An example of threshold (6, 3) scheme is shown in Figure 6. The upper part describes the Setup phase, and the lower two blocks shaded with light yellow color show the Reconstruction phase.
Figure 6 Example of Shamir (6, 3) threshold scheme
Modified Boneh-Franklin Scheme
There is one main PKG who acts as the TTP and another $n$ PKGs, $\mathrm{PKG}_i$, $i = 1, \ldots, n$, who act as shareholders.
Modified Setup: (performed by PKG)
The PKG (acting as TTP) selects the master key $s_0$ and the system parameters $(G_1, G_2, H_1, H_2, P, Q_0, e)$:
(1) PKG generates cyclic groups $G_1, G_2$ of order $q$, a bilinear map $e: G_1 \times G_1 \to G_2$ and a generator $P$ in $G_1$.
(2) PKG picks cryptographic hash functions $H_1: \{0,1\}^* \to G_1$ and $H_2: G_2 \to \{0,1\}^*$.
(3) PKG chooses the prime $q$, the order of $G_1$.
(4) PKG picks the master key $s_0 \in \mathbb{F}_q^*$ and defines the coefficient $a_0 = s_0 = f(0)$.
(5) PKG chooses $a_1, \ldots, a_{t-1}$ at random from $\mathbb{Z}_q^*$.
(6) For each $\mathrm{PKG}_i$, PKG computes $f(i) = \sum_{j=0}^{t-1} a_j i^j \bmod q$.
(7) PKG gives $f(i)$ to $\mathrm{PKG}_i$ for $i \in \{1, \ldots, n\}$.
(8) $\mathrm{PKG}_i$ publishes its public key $Q_0^i = s_0^i P$, where $s_0^i$ is the share of $\mathrm{PKG}_i$.
Modified Extract: (performed by $\mathrm{PKG}_i$)
(1) Bob authenticates himself to $\mathrm{PKG}_i$ using his identity $ID_{Bob}$ and some physical credentials.
(2) Once passed, $\mathrm{PKG}_i$ issues Bob's private key share $s_0^i P_{Bob}$ corresponding to his public key $P_{Bob} = H_1(ID_{Bob})$.
(3) Bob reconstructs his private key from the shares of $t$ PKGs $i \in I$ by computing $S_{Bob} = \sum_{i \in I} \Big( \prod_{j \in I,\, j \neq i} \frac{-j}{i - j} \bmod q \Big) s_0^i P_{Bob} = s_0 P_{Bob}$.
Once users acquire their own private keys, the cryptographic operations such as decryption and signing are the same as in the original scheme.
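As an added example (not from the paper), the Shamir (n, t) Setup and Reconstruct steps of Section III and the Modified Extract above, in Python. It assumes a small textbook curve as a stand-in for $G_1$ so that the scalar arithmetic is visible without a pairing library, a fixed point in place of $H_1(ID_{Bob})$, and the hypothetical helper names `shamir_split`, `lagrange_at_zero` and `modified_extract`.

```python
import secrets

# Toy stand-in for G1: textbook curve y^2 = x^3 + 2x + 2 over F_17 with generator P = (5, 1)
# of prime order q = 19 (assumption; a real PKG uses a pairing-friendly ~256-bit curve).
p, A, q, P = 17, 2, 19, (5, 1)

def ec_add(R, S):                                  # affine addition, None = point at infinity
    if R is None: return S
    if S is None: return R
    (x1, y1), (x2, y2) = R, S
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                # S == -R
    if R == S: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, R):                                  # double-and-add, scalar reduced mod q
    acc, k = None, k % q
    while k:
        if k & 1: acc = ec_add(acc, R)
        R, k = ec_add(R, R), k >> 1
    return acc

def shamir_split(secret, n, t, coeffs=None):
    """Setup (3)-(5): f(x) = a0 + a1 x + ... + a_{t-1} x^{t-1} mod q; share of holder i is f(i)."""
    a = [secret % q] + (coeffs or [secrets.randbelow(q - 1) + 1 for _ in range(t - 1)])
    return {i: sum(aj * pow(i, j, q) for j, aj in enumerate(a)) % q for i in range(1, n + 1)}

def lagrange_at_zero(indices):
    """lambda_i = prod_{j != i} (-j)/(i - j) mod q, so that sum_i lambda_i f(i) = f(0)."""
    lam = {}
    for i in indices:
        num = den = 1
        for j in indices:
            if j != i: num, den = num * (-j) % q, den * (i - j) % q
        lam[i] = num * pow(den, -1, q) % q
    return lam

def shamir_reconstruct(shares):
    """Reconstruct (2) from any t shares {i: f(i)}."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[i] * y for i, y in shares.items()) % q

def modified_extract(pkg_shares, P_bob):
    """Modified Extract (2)-(3): PKG_i returns s0^i * P_Bob; Bob applies the same Lagrange
    coefficients to the points, obtaining s0 * P_Bob while nobody ever holds s0 itself."""
    partial = {i: ec_mul(s_i, P_bob) for i, s_i in pkg_shares.items()}
    lam = lagrange_at_zero(list(partial))
    S_bob = None
    for i, part in partial.items():
        S_bob = ec_add(S_bob, ec_mul(lam[i], part))
    return S_bob

def demo(n=6, t=3):
    """(6, 3) setting of Figure 6: any 3 of the 6 PKGs suffice to issue Bob's private key."""
    s0 = secrets.randbelow(q - 1) + 1             # master key; main PKG erases it after splitting
    P_bob = ec_mul(7, P)                          # stands in for H1(ID_Bob); hash-to-curve omitted
    chosen = {i: s for i, s in shamir_split(s0, n, t).items() if i in (2, 4, 6)}
    return modified_extract(chosen, P_bob) == ec_mul(s0, P_bob)
```

With fewer than t shares the same Lagrange formula still returns a value, but it is not the secret; the test checks this for two shares of a (6, 3) split.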
IV. Discussion
In the secret splitting scheme, the security relies heavily on the randomness of the shares. In a computer, the built-in RND function does not produce true randomness [5]. There are some suggested physical methods, which are nevertheless time-consuming, such as coin flipping, dice throwing, and so on. For a computational method, pseudo-random number generators can be used. They create a long sequence of random numbers with satisfying properties; however, the sequence will eventually repeat. Besides, the safety of each share is also important. Each shareholder should keep its share secret, since fewer than n shares yield no information about the secret.
In secret sharing [10], the threshold number should be decided carefully. If the number is set too high, it would be a great burden for the system users and limit the scale of the system. However, if the threshold number is set too low, the capability to resist malicious PKGs would be weakened. Besides, the validity of the shares has to be guaranteed. That is, the PKG may give you false shares during the Setup phase, and some shareholders may cheat the others by giving fake shares during the Reconstruct phase. In the Boneh-Franklin paper [1], they mention that these actions can be detected by using the fact that the Decision Diffie-Hellman (DDH) problem is easy in $G_1$.
During the Setup phase, each of the $n$ PKGs publishes its $s_0^i P$ as a witness of its share of the master key. When one user requests his private key, he can verify that the response from the $i$th PKG is valid by testing the following equation:
$e(s_0^i P, P_{ID}) \stackrel{?}{=} e(P, s_0^i P_{ID})$
Thus, if the equation fails to hold for a specific $i$, the misbehaving $\mathrm{PKG}_i$ is caught; otherwise, the PKG is considered honest. We call this kind of secret sharing verifiable, since the share can be further verified after it is distributed.
In the original threshold scheme, the share is valid forever; however, some PKGs might be compromised, leaving the share revealed. It should also be noted that an ex-employee knows the secret but is not privileged to possess it. We would like the share to remain valid for only a period of time and be updated periodically. This is sometimes called a proactive property.
There are also adversaries that hinder the others from recovering the secret. This kind of adversary may give false information, and even deliberately stop functioning during the transaction. We would like to finish the setup and reconstruction processes in the presence of this kind of malicious adversary and remove invalid contributions from the result. This is usually achieved by defining computation and communication protocols. If one cannot follow the protocols, it will be ruled out of the group of shareholders.
What is more, some people may argue that it is the PKG that picks the master key; therefore, it can still generate any private key of a system user. This problem can be eliminated through the following two approaches. One approach is to destroy the master key immediately after the main PKG distributes all the shares. This can be achieved by adding this action to the setup function. The other approach makes use of a protocol called DKG (Distributed Key Generation): the n PKGs collaborate to decide the master key, each of them holds one share of this secret, and none of them knows the whole secret. This practice gets rid of the main PKG (acting as a TTP) at the cost of a few more operations and message exchanges when running the DKG protocol during the Setup phase. These two approaches can be used to remove the property called key-escrow inherited from the ID-based cryptosystem [9].
Sometimes we may need a hierarchical management infrastructure. The idea comes from the nature of human society, and many global systems have adopted this management mechanism, such as DNS servers or Certificate Authorities (CA) in certificate-based cryptosystems. Gentry and Silverberg provide the first efficient and secure Hierarchical IBE (HIBE) [3]. If HIBE is needed, what we should do is integrate the secret sharing scheme within the HIBE functionality.
V. Conclusion
In this paper, we have presented pairing-based ID-based cryptosystems together with threshold cryptography. We also presented how to integrate and deploy the threshold schemes within the Boneh-Franklin scheme. There are still many issues that need consideration: secret share update, secret share verification, and robustness of the system when a malicious TTP or shareholder exists, to name but a few. We also consider that hierarchical IBE may be used when deploying IBE in a large network. There are still many circumstances to figure out and different requirements to meet. To sum up, our research will keep on dedicating itself to constructing more secure, efficient and escrow-free ID-based cryptosystems in the real world.
REFERENCES
[1] Boneh D., Franklin M., "Identity Based Encryption from Weil Pairing," SIAM Journal of Computing, 32, 586-615, 2003.
[2] Cocks C., "An Identity Based Encryption Scheme Based on Quadratic Residues," Cryptography and Coding, LNCS 2260, pp. 360-363, 2001.
[3] Gentry C., Silverberg A., "Hierarchical ID-Based Cryptography," ASIACRYPT 2002, Springer-Verlag, LNCS 2501, 2002.
[4] Joux A., "The Weil and Tate Pairings as Building Blocks for Public Key Cryptosystems," ANTS 2002, LNCS 2369, pp. 20-32, 2002.
[5] Menezes A., Oorschot P., and Vanstone S., "Handbook of Applied Cryptography," CRC Press, 1996, Chapter 5, Pseudorandom Bits and Sequences.
[6] Shamir A., "How to share a secret," Communications of the ACM, 22:612-613, 1979.
[7] Shamir A., "Identity-Based Cryptosystems and Signature Schemes," Proceedings of Crypto '84, pp. 47-53, 1984.
[8] The Pairing-Based Crypto Lounge, http://www.larc.usp.br/~pbarreto/pblounge.html
[9] The Risk of Key Recovery, Key Escrow, and Trusted Third Party Encryption, http://users.telenet.be/d.rijmenants/en/secretsplitting.htm
[10] Secret Sharing, http://en.wikipedia.org/wiki/Secret_sharing
[11] Secret Splitting, http://users.telenet.be/d.rijmenants/en/secretsplitting.htm