GB2416283A

GB2416283A - Identifier Based Encryption system (IBE) in which a public key is generated using the identity of a trusted authority

Info

Publication number: GB2416283A
Application number: GB0415776A
Authority: GB
Inventors: Keith Alexander Harrison; Liqun Chen; John Malone-Lee
Original assignee: Hewlett Packard Development Co LP
Current assignee: Hewlett Packard Development Co LP
Priority date: 2004-07-15
Filing date: 2004-07-15
Publication date: 2006-01-18
Anticipated expiration: 2024-07-15
Also published as: GB2416283B; GB0415776D0

Abstract

A trusted authority 63 is provided for identity-based cryptography. The trusted authority 63 has a secret x and derives first and second elements g, y. At least the second element is made public. The first element is calculated as a cryptographic hash of an identifier IDTA associated with the trusted authority (step 2). The second element is a combination of the first element and the secret x (step 4). The trusted authority 63 provides a private-key generation service to a third party 62 who is the recipient of an encrypted message J. A private keys h<zx> is calculated (steps 15 and 16) in dependence on the secret x and an identifier string (STR) associated with the third party. Preferably the invention is El-Gamal based. The invention may not be based on bilinear maps. A Bilinear map embodiment is disclosed in GB 2401763 and GB 2390515.

Description

24 1 6283 Trusted Authority for identifier-Based Cryptography The present

invention relates to a trusted authority for identifier-based cryptography. As used herein, the term "trusted authority" means an entity that is trustable to make available an identifier-based private key to a third party, or its proxy, only when satisfied that the third party is entitled to the key (in certain cases, the trusted authority may itself act as a proxy for the third party).

Identifier-Based Cryptography (IBC) is an emerging cryptographic schema for data encryption and signing data. Figure 1 of the accompanying drawings illustrates an Identifier-Based Encryption (IBE) system in which a data provider 10 encrypts payload data 13 using both an encryption key string 14, and public data 15 provided by a trusted authorityl2. This public data 15 is related to private data held by the trusted authority, for example, the public data is derived by the trusted authority 12 from private data 17 using a ore-way function 18.. The date provider to then provides the encryptedpayloaddata<l3> to a recipient 11 who decrypts it, or has it decrypted, using a decryption key computed by the trusted authority 12 in dependence on the encryption key string and its own private data.

A feature of identifier-based encryption is that because the decryption key is generated from the encryption key string, its generation can be postponed until needed for decryption.

Another feature of identifier-based encryption is that the encryption key string is cryptographically unconstrained and can be any kind of string, that is, any ordered series of bits whether derived from a character string, a serialized image bit map, a digitized sound signal, or any other data source. The string may be made up of more than one component and may be formed by data already subject to upstream processing. In order to avoid cryptographic attacks based on judicious selection of a key string to reveal information about the encryption process, as part ofthe encryption process the encryption key string is passed through a one-way function (typically some sort of hash function) thereby making it impossible to choose a cryptographically-prejudicial encryption key string. In applications where defence against such attacks is not important, it would be possible to omit this processing of the string.

Frequently, the encryption key string serves to "identify' the intended message recipient and the trusted authority is arranged to provide the decryption key only to this identified intended recipient. This has given rise to the use ofthe label "identifier-based" or "identity- based" generally for cryptographic methods of the type under discussion. However, depending on the application to which such a cryptographic method is put, the string may serve a different purpose to that of identifying the intended recipient and may be used to convey other information to the trusted authority or, indeed, may be an arbitrary string having no other purpose than to form the basis of the cryptographic processes.

Accordingly, the use of the term "identifier-based" or "IBE" herein in relation to cryptographic methods and systems is to be understood simply as implying that the methods and systems are based on the use of a cryptographically unconstrained string whether or not the string serves to identify the intended recipient. Gene' ally, in the present specification, the term "encryption key string" or "EKS" is used rather than "identity string" or "identifier string"; the term "encryption key string" is also used in the shortened form "encryption key" for reasons of brevity.

A number of IBE algorithms are known and Figure 2 indicates, for three such algorithms, the following features, namely: - the form ofthe encryption parameters 5 used, that is, the encryption key string and the public data of the trusted authority (TA); - the conversion process 6 applied to the encryption key string to prevent attacks based on judicious selection of this string; - the primary encryption computation 7 effected; - the form of the encrypted output 8.

The three prior art [BE algorithms to which Figure 2 relates are: Quadratic Residuosity (QR) method as described in the paper: C. Cocks, "An identity based encryption scheme based on quadratic residues", Proceedings of the 8 1MA International Conference on Cryptography and Coding LNCS 2260, pp 360- 363, Springer-Verlag, 2001. A brief description of this form of IBE is given hereinafter.

- Bilinear Mappings p using, for example, a modified Tate pairing or modified Weil pairing for which: p:GxGr G2 where G' and G2 denote two algebraic groups of large prime order l in which the discrete logarithm problem is believed to be hard. Go is a [l]-torsion subgroup of a larger algebraic group Go and satisfies [l]P = 0 for all P G' where O is the identity element, l is a large prime, and [*cofactor = number of elements in Go. G2 is a subgroup of a multiplicative group of a finite field. For the Tate pairing, an asymmetric mapping is also possible: p:G,xGo G2 Generally, the elements of the groups Go and G' are points on an elliptic curve (typically, though not necessarily, a supersingular curve); however, this is not necessarily the case. A description of this form of IBE method, using modified Weil pairings is given in the paper: D. Boneh, M. Franklin - "Identity-based Encryption from the Weil Pairing" in advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

- RSA-Based methods The RSA public key cryptographic method is well known and in its basic form is a two-party method in which a first party generates a public/private key pair and a second party uses the first party's public key to encrypt messages for sending to the first party, the latter then using its private key to decrypt the messages. A variant of the basic RSA method, known as "mediated RSA", requires the involvement of a security mediator in order for a message recipient to be able to decrypt an encrypted message, this being achieved by dividing the decryption key between the recipient and security mediator. An IBE method based on mediated RSA is described in the paper "Identity based encryption using mediated RSA", D. Boneh, X. Ding and G. Tsudik, 3rd Workshop on Information Security Application, Jeju Island, Korea, Aug. 2002. An RSA-based IB method that does not require dividing the decryption key is described in US patent 6,275,936; here, the decryption key is dynamically computed from the encryption key, the latter being a hash of the sender-chosen string.

An IB encryption method based on the ElGamal cryptosystem is described in our UK patent applicationNo.: GB 0413056.3 filed 11 June 2004. In the described embodiment of this IB method, the trusted authority carries out the decryption acting as a proxy for the intended recipient (in fact, this is also the case for the RSA method described in the above- referenced US patent).

In our published UK patent application GB 2,390,515A there are described IBC methods and apparatus using hierarchical arrangements of trusted authorities; these methods and apparatus are based on the bilinear mappings and typically employ points on elliptic curves. As is well known by persons skilled in the art, in lBC using bilinear mappings and points on an elliptic curve, the encryption key string is converted into a point by a "mapToPoint" hash function (as depicted in Figure 2 of the present application). For various reasons explained in our published application GB 2,390,515A, there is a need in l 5 the embodiments there described for the master public points of the non-root trusted authorities to be provably un-related. Since the mapToPoint hash provides a convenient way of achieving this when applied to non-identical strings, the required unrelated points are generated by applying the mapToPoint hash to the respective identity strings of the non-root trusted authorities. Furthermore, it was noted in passing that the master public point of the root trusted authority could also be generated in the same way (this being a convenience as it meant that all trusted authorities derived their points in the same way).

It has now been found that there are good reasons for generating public key elements of trusted authorities of other forms of IBC from strings by means of hash functions, notwithstanding that such functions may only tee usable for such purposes and not possess the general usability of the mapToPoint hash in IBC based on bilinear mappings.

According to a first aspect of the present invention, there is provided an identifier-based cryptographic method, comprising a trusted authority, with a secret and an associated identifier string, carding out operations of: deriving a first element from said identifier string using a one-way mapping function; deriving a second element using the secret and the first element; s making at least the second element publicly available; and providing a private-key generation service comprising generating a private key for a third party in dependence on said secret s and on an identifier string associated with that third party; the method being otherwise than one based on bilinear maps.

The present invention also encompasses apparatus and computer program products.

Embodiments of the invention will now be described, by way of nonlimiting example, with reference to the accompanying diagrammatic drawings, in which: Figure 1 is a diagram illustrating the operation of a prior art encryption schema known as Identifier-Based Encryption (IBE); Figure 2 is a diagram illustrating how certain IBE operations are implemented by

three different prior art IBE methods; and

Figure 3 is a diagram of an embodiment of the invention involving ElGamalbased IB cryptography.

The Figure 3 embodiment is an ElGamal identifier-based encryption system and involves three parties, namely a message sender A acting through computing entity 61, a message receiver B acting through computing entity 62, and a trusted authority TA acting through computing entity 62. The computing entities 61, 62 and 63 are typically based around programcontrolled processors though some or all of the cryptographic fimctions may be implemented in dedicated hardware. Furthermore, the entities 61, 62 and 63 inter communicate, for example, via the internet or other computer network though it is also possible that two or all three entities actuallyreside on the same computing platform or that a portable storage medium is used for data transfer between the entities. For convenience, the following description is given in terms ofthe parties A, B and TA, it being understood that these parties act through their respective computing entities.

In general trims, the TA has a private key x and public keys g, p and y where y=gx mod p and g is derived from an identifier IDTA by use of a hash function H4. The TA is arranged to decrypt for B a message encrypted by the sender A. The encryption process effected by the sender A involves the use of a sender-chosen "identifier" string (typically, though not necessarily, identifying the intended recipient B). The string is provided to the trusted party TA and is a required component of the decryption process whereby any change in the string will result in a failure to correctly decrypt the message. The detailed steps of the Figure 3 method are set out below.

Initial Set Up Phase 1. TA chooses random prime p. 2. TA generates g as H4(IDTA) where g is in the range 2 to (p-1).

3. TA chooses a secret x.

4. TA computes y= gx mod p. 5. TA publishes (g, p, y) and keeps x secret.

Message Transfer Phase Message Encryption by Sender A 6. A chooses an identifier string STR.

7. A computes z = Hs(STR) where H5 is a hash fimction (for example, SHA-1) .

8. A computes y' = yZ mod p 9. A chooses a secret r.

10. A computes h = gr mod p 11. A computes J = (y'r)*m mod p 12. A sends (STR, h, J) to B and destroys r.

(Steps 8 and 11 can be merged to have A compute J as: (yZ r)*m mod p) Message Decryption for Recipient B by Trusted Authority TA 13. B forwards (STR, h, J) to TA.

14. TA checks that B meets the conditions set out in STR.

14. TA computes z = Hs(STR).

15. TA computes J/ h (Z a) mod p to recover the message m.

16. TA returns message m to B. 17. B receives recovered message m.

The transmissions are preferably integrity protected in any suitable manner. A potential drawback of the Figure 3 embodiment is that the TA can read the messages m. In order to prevent this, B can blind the encrypted message before sending it to TA for decryption, B subsequently un-blinding the decrypted, but still blinded, message returned by the TA to recover the message m.

As noted above, the public key element g is formed from an identifier string IDTA of the trusted authority using the hash function H4(). This identifier string can be chosen at random or, preferably, as any meaningful information ofthe trusted authority (for example, a contact address such as the URL of a website of the trusted authority) together with a definition of the identifier string (e.g. encryption key string) formats that it accepts from users for private key generation. Providing such meaningful information in the string from which g can be generated by any party gives a convenient way of distributing such information. Other advantages also arise from having the trusted authority generate the element g from a string, including that since the trusted authority cannot control the outcome of the H40 hash function, it is not possible for the trusted authority to maliciously choose g for cryptographic (dis) advantage.

It will be appreciated by persons skilled in the art that H4 should be such that: g9 = 1 mod p where q is a large prime that divides (p-l). A suitable implementation of H4() is of the form: H4(IDTA) = ( #(IOTA) ) where # is a hash function such as SHA- 1 and #(IOTA) is converted to integer form for raising to the power (p-l)/q.

It will be appreciated by persons skilled in the art that in the same way it is possible for the trusted authorities of other IBC cryptosystems to derive public key elements from their respective identifiers. The applicability or otherwise ofthis approach to anyparticular IBC cryptosystem will be readily apparent to a skilled person on inspection having regard to what randomly-chosen key elements, if any, of the trusted authority can be made public.

It will be understood that in the foregoing, reference to an element being public simply means that it is made available to all parties that are authorised to participate in the cryptographic scheme concemed.

Claims

1. An identifier-based cryptographic method, comprising a trusted authority, with a secret and an associated identifier string, carrying out operations of: deriving a first element from said identifier string using a one-way mapping function; deriving a second element using the secret and the first element; making at least the second element publicly available; and providing a private-key generation service comprising generating a private key for a third party in dependence on said secret- and on an identifier string associated with that third party; the method being otherwise than one based on bilinear maps.

2. A method according to claim 1, wherein the method is based on the ElGamal cryptosystem with the second element being of the form: gx mod p where g is the first element, x is said secret, and p is a random prime.

3. A method according to claim 2, wherein said mapping function is ofthe form: ( #(IDEA) ) where: # is a hash function, IDrA is the identifier string of the trusted authority, and q is a prime that divides (p-l); the result of #(1DJA) being converted to integer form for raising to the power (p-1)/q.

4. A method according to claim 1, wherein the identifier string associated with the trusted authority comprises a contact address for the trusted authority.

5. A method according to claim 1, wherein the identifier string associated with the trusted authority comprises data specifying a format to be used for the third-party identifier strings.

6. Apparatus for use as a trusted authority in respect of identifierbased cryptographic methods otherwise than ones based on bilinear maps, the apparatus comprising: a store for holding a secret; a first derivation arrangement for deriving a first element from an identifier string ofthe trusted authority using a one-way mapping function; a second derivation arrangement for deriving a second element using the secret and the first element; a distribution arrangement for making at least the second element publicly available; and a private-key generation arrangement for generating a private key for a third party in dependence on said secret and on an identifier string associated with that third party.

7. Apparatus according to claim 6 for use as a trusted authority in an ElGamal-based cryptosystem, the second derivation arrangement being arranged to derive the second element as: gx mod p where g is the first element, x is said secret, and p is a random prime.

8. Apparatus according to claim 7, wherein said mapping function is of the form: ( #(IOTA) ) where: # is a hash function, IDTA iS the identifier string of the trusted authority, and q is a prime that divides (p-1); the result of #(1DTA) being converted to integer form for raising to the power (p-l)/q.

9. Apparatus according to claim 6, wherein the identifier string of the trusted authority comprises a contact address for the trusted authority.

10. Apparatus according to claim 6, wherein the identifier string ofthe trusted authority comprises data specifying a format to be used for the third-party identifier strings.

11. A computer program product for conditioning programmable apparatus to provide a trusted authority apparatus according to any one of claims 6 to 10.