JOURNAL OF NETWORKS, VOL. 5, NO. 5, MAY 2010


Forward-Secure Certificate-Based Encryption and its Generic Construction

Yang Lu and Jiguo Li
College of Computer and Information Engineering, Hohai University, Nanjing, Jiangsu Province, China
Email: {luyangnsd, ljg1688}@163.com

Abstract—In this paper, we introduce a new asymmetric encryption paradigm called Forward-Secure Certificate-Based Encryption. It preserves the advantages of certificate-based encryption (CBE) such as implicit certificates and no private key escrow. At the same time it also inherits the properties of forward-secure public key encryption. In a forward-secure CBE scheme, all users' private keys are updated at regular periods throughout the lifetime of the system; exposure of a user's private key for a given time period does not enable an adversary to break the security of ciphertexts sent to this user for any prior time period. We first provide the formal definition of forward-secure CBE and its security model. Then we propose a generic construction of forward-secure CBE and prove it secure against chosen plaintext attacks in the standard model. We also describe how this construction can be enhanced to achieve security against adaptive chosen-ciphertext attacks, both in the standard model and in the random oracle model. Finally, a concrete forward-secure CBE scheme is constructed.

Index Terms—asymmetric encryption, certificate-based encryption, forward security, generic construction

© 2010 ACADEMY PUBLISHER doi:10.4304/jnw.5.5.527-534

I. INTRODUCTION

In traditional public key cryptography (PKC), a Public Key Infrastructure (PKI) uses certificates to assure users of the relationship between a public key and the identity of the holder of the corresponding private key. However, the need for a PKI supporting certificates is considered the main difficulty in the deployment and management of traditional PKC. To simplify the management of certificates, Shamir [1] introduced identity-based cryptography (IBC), in which the public key of each user is derived directly from some aspect of its identity, such as an IP address or an e-mail address, and the corresponding private key is generated by a trusted third party called the Private Key Generator (PKG). For a long while it was an open problem to obtain a secure and efficient identity-based encryption (IBE) scheme; it was not until 2001 that Boneh and Franklin [2] presented the first practical and provably secure IBE scheme, using bilinear pairings on elliptic curves. The main practical benefit of IBC is the greatly reduced need for public key certificates. However, the PKG can generate the private keys of all its users, so private key escrow is an inherent problem in IBC. Moreover, private keys must be sent to the users over secure channels, which makes private key distribution a daunting task.

To fill the gap between traditional PKC and IBC, Al-Riyami and Paterson proposed a new paradigm called certificateless public key cryptography (CL-PKC) [3] in 2003. CL-PKC eliminates the key escrow problem inherent in IBC. At the same time, it preserves the advantage of IBC, namely the absence of digital certificates and their heavy management overhead. In CL-PKC, a trusted third party called the Key Generating Center (KGC) is involved in the process of issuing a partial secret key for each user. The user independently generates its public/private key pair and combines the partial secret key from the KGC with its private key to generate the actual decryption key. In contrast to the PKG in IBC, the KGC does not have access to the user's decryption key. Therefore, CL-PKC solves the key escrow problem. However, due to the lack of public key certificates, it has been pointed out that CL-PKC suffers from the public key replacement attack and the Denial-of-Decryption attack. Moreover, CL-PKC suffers from the same key distribution problem as IBC, because partial secret keys must be sent to the users over secure channels.

At Eurocrypt 2003, Gentry [5] introduced the notion of certificate-based encryption (CBE), which combines IBE and traditional PKI-supported PKE while preserving some of their most attractive features. CBE provides an implicit certificate mechanism for a traditional PKI and allows periodic updates of certificate status. As in traditional PKIs, each user in CBE generates his own public/private key pair and requests a long-lived certificate from the CA. This long-lived certificate has all the functionality of a traditional PKI certificate. In addition, however, the CA generates short-lived certificates (i.e., certificate status) as well as the long-lived certificate. A short-lived certificate can be pushed only to the owner of the public/private key pair and acts as a partial decryption key.
This additional functionality provides an implicit certificate, so that the sender is not required to obtain fresh information on certificate status, and the receiver can only decrypt a ciphertext using his private key together with an up-to-date short-lived certificate from his CA. The implicit certificate feature eliminates third-party queries for certificate status and simplifies the public key revocation problem, so that CBE does not need infrastructures like CRL [6] and OCSP [7]. Therefore, CBE can be used to construct an efficient PKI requiring less infrastructure. Furthermore, there is no key escrow problem (since the CA does not know the private keys of users) and no key distribution problem (since the certificates need not be kept secret) in CBE.

On the other hand, as cryptographic computations are performed more and more often on small, unprotected, and easily stolen devices (e.g., mobile phones), the notion of forward security [25] was introduced to counter the acute threat of private key exposure. In a forward-secure scheme, the users' private keys are updated at regular periods throughout the lifetime of the system; furthermore, exposure of a user's private key for a given time period does not enable an adversary to break the scheme (in the appropriate sense) for any prior time period. Forward-secure schemes have a number of obvious applications, as they can be used to protect the secrecy of communications for devices operating in insecure environments where key exposure is an immediate concern.

A. Related Work

Since the introduction of CBE [5], several variants and improvements have been proposed in the literature. Yum and Lee [8] provided a formal equivalence theorem among IBE, certificateless public-key encryption (CL-PKE) [3] and CBE. They showed that IBE implies both CBE and CL-PKE by giving generic constructions from IBE to those primitives. However, Galindo et al. [9] pointed out that a dishonest authority could break the security of the generic constructions given in [8]. These constructions were inherently flawed due to a naive use of double encryption without further treatment. Lu et al. solved this problem and obtained two generic CBE constructions from PKE and IBE in [11,12]. Al-Riyami and Paterson [4] analysed Gentry's CBE concept and repaired a number of problems with the original definition and security model for CBE. They also presented a generic conversion from CL-PKE to CBE and claimed that a secure CBE scheme could be constructed from any secure CL-PKE scheme using this conversion.
Kang and Park [13] pointed out that this conversion was incorrect due to a flaw in its security proof. Recently, Wang et al. [14] proposed a certificate-based proxy cryptosystem based on Gentry's CBE scheme. Galindo et al. [10] proposed the first CBE scheme secure in the standard model. Liu and Zhou [15] proposed another CBE scheme secure in the standard model. Moreover, Lu et al. [16] proposed an efficient CBE scheme secure in the random oracle model [18,21]. The same authors [17] also proposed the notion of threshold certificate-based encryption to improve the reliability of CBE.

The notion of forward security was first proposed in the context of key-exchange protocols by Günther [23] and Diffie et al. [24]. Subsequently, Anderson [25] suggested forward security for the more challenging non-interactive setting. The notion of forward security was first formalized in the context of signatures by Bellare and Miner [19]. Forward security in the symmetric-key setting has also been studied in [20]. However, the existence of non-trivial forward-secure PKE schemes remained open for a long while after the question was first posed by Anderson [25]. It was not until 2003 that Canetti, Halevi and Katz [22] formalized the notion of forward security for PKE and constructed the first forward-secure PKE scheme.

B. Our Contribution

In CBE, once a user accidentally reveals his private key or an attacker actively compromises it, he can render that private key unusable by revoking his short-lived certificate. However, anyone who learns the private key of a user can read all past messages sent to that user, since all past short-lived certificates are public. To fix this problem in CBE, we propose a new notion called Forward-Secure Certificate-Based Encryption. This notion preserves the advantages of CBE such as implicit certificates and no private key escrow. At the same time it inherits the properties of forward-secure PKE. In the rest of the paper, we first formalize the scheme and security model for forward-secure CBE. Then we propose a generic construction of forward-secure CBE from IBE and forward-secure PKE (fs-PKE), and also construct a concrete forward-secure CBE scheme.

II. FORWARD-SECURE CERTIFICATE-BASED ENCRYPTION

In this section, we provide the formal definition of forward-secure CBE and its security model. Our definitions for forward-secure CBE generalize the standard definitions for CBE, in the same way that the definitions of fs-PKE [22] generalize the standard definitions for PKE.

A. Scheme Definition

Definition 1. A forward-secure certificate-based encryption scheme (fs-CBE) is a tuple of six PPT algorithms (Setup, SetKeyPair, Certify, KeyUpd, Enc, Dec) such that:
• Setup takes as input a security parameter Λ and the total number of time periods N. It returns a master-key msk and the public system parameters params, which include the descriptions of a finite message space MSPC and a finite ciphertext space CSPC. We consider params to be an implicit input to the rest of the algorithms. Usually, this algorithm is run by a CA.
• SetKeyPair takes params as input and returns a public key upk and an initial secret key usk_0.
• Certify takes as input the master-key msk, the index τ of the current time period, a user's identity id and his public key upk. It returns a short-lived certificate Cert_{id,τ}, which is sent to the user id.
• KeyUpd takes as input a secret key usk_{τ-1} for the time period τ-1 as well as the index τ of the current time period. It returns a private key usk_τ for the time period τ.
• Enc takes as input the index τ of the current time period, the receiver's identity id, the receiver's public key upk, and a message M. It returns a ciphertext C for the time period τ. We represent the output as a pair and write ← Enc(τ, id, upk, M).
• Dec takes as input the receiver's short-lived certificate Cert_{id,τ} and private key usk_τ for the time period τ, and a ciphertext C. It returns a message M or the

special symbol ⊥ indicating a decryption failure. We denote this by M = Dec(τ, Cert_{id,τ}, usk_τ, C).

B. Security Definitions

The security model for fs-CBE is defined against four different types of adversaries: the Type I adversary A1 models an uncertified user who has no access to the master-key; the Type II adversary A2 models an honest-but-curious certifier who possesses the master-key msk; the Type III adversary A3 models a user who possesses the private key usk_τ for time period τ of a certified user; the Type IV adversary A4 models an honest-but-curious certifier who possesses the master-key msk and the private key usk_τ for time period τ of a certified user. Under the above security model, the strongest security notion for fs-CBE, namely forward security under adaptive chosen-ciphertext attacks, is defined as follows:

Definition 2. An fs-CBE scheme is forward-secure against adaptive chosen ciphertext attacks (fs-CBE-CCA) if no PPT adversary has non-negligible advantage in the following four games:

Game 1. The challenger C runs Setup(Λ, N) to generate msk and params. It gives params to the adversary A1 and keeps msk to itself.
Phase 1. A1 adaptively interleaves a series of certificate and decryption queries, which C handles as follows. On a certificate query for (τ, id, upk), C runs Certify(msk, τ, id, upk) to generate Cert_{id,τ} and returns Cert_{id,τ} to A1. On a decryption query for (τ, id, upk, C), C runs Certify(msk, τ, id, upk) to generate Cert_{id,τ} and outputs Dec(τ, Cert_{id,τ}, usk_τ, C) to A1.
Challenge. On a challenge query with messages M0, M1 of equal length, C checks that the challenge target has not been the subject of a certificate query in Phase 1. If so, it picks a random bit b∈{0,1}, encrypts M_b under the challenge public key upk* and sends the resulting ciphertext to A1; otherwise it returns ⊥.
Phase 2. As in Phase 1, with the restriction that the challenge ciphertext is not the subject of a decryption query and the challenge target is not the subject of a certificate query.
Guess. A1 outputs a guess b'∈{0,1} and wins the game if b = b'.
A1's advantage in this game is defined to be Adv(A1) := 2|Pr[b = b'] − 1/2|.

Game 2. C runs Setup(Λ, N) and gives params and msk to the adversary A2. Then it runs SetKeyPair(params) to generate a key pair (upk*, usk_0) and gives upk* to A2.
Phase 1. A2 issues a series of decryption queries. On a decryption query for (τ, id, C), C runs Certify(msk, τ, id, upk*) to obtain Cert_{id,τ}, computes usk_τ via KeyUpd(…KeyUpd(usk_0, 1),…, τ), and outputs Dec(τ, Cert_{id,τ}, usk_τ, C) to A2. These queries may be asked adaptively.
Challenge. On a challenge query with messages M0, M1 of equal length, C picks a random bit b∈{0,1}, encrypts M_b under the challenge public key upk* and sends the resulting ciphertext to A2.
Phase 2. As in Phase 1, with the restriction that the challenge ciphertext is not the subject of a decryption query.
Guess. A2 outputs a guess b'∈{0,1} and wins the game if b = b'. A2's advantage in this game is defined to be Adv(A2) := 2|Pr[b = b'] − 1/2|.

Game 3. C runs Setup(Λ, N) to generate msk and params. It gives params to the adversary A3 and keeps msk to itself. Then it runs SetKeyPair(params) to generate a key pair (upk*, usk_0) and gives upk* to A3.
Phase 1. A3 issues one breakin query and a series of certificate and decryption queries, which C handles as follows. On breakin query where 0
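The challenger's side of the games above is mostly bookkeeping: which queries have been answered, which target may still be challenged, and which decryption queries must be refused in Phase 2. The following Python model is an added illustration and not code from the paper. It treats the algorithms of Definition 1 as pluggable callables, walks the KeyUpd chain the Game 2 challenger uses, enforces the Game 1 restrictions, and adds the forward-security rule for the breakin query of Game 3 in the form stated informally in the abstract (the challenge period must be strictly earlier than the breakin period), since the formal Game 3 text is cut off in this copy. The names Scheme, Challenger, Game1, Game3, evolve, advantage and BOTTOM are ours, and the reading that A1 supplies usk_τ with its own decryption queries (it created the key pair) is an assumption.

```python
import secrets
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

BOTTOM = None   # stands in for the symbol ⊥ (refused query or decryption failure)


@dataclass
class Scheme:
    """fs-CBE algorithms of Definition 1 as plain callables (assumed wrapper).
    Setup/SetKeyPair are run by whoever builds the game; msk/usk0 are passed in."""
    certify: Callable[[Any, int, str, Any], Any]          # (msk, tau, id, upk) -> Cert_{id,tau}
    keyupd: Callable[[Any, int], Any]                      # (usk_{tau-1}, tau) -> usk_tau
    enc: Callable[[int, str, Any, bytes], Any]             # (tau, id, upk, M) -> C
    dec: Callable[[int, Any, Any, Any], Optional[bytes]]   # (tau, Cert, usk_tau, C) -> M or ⊥


def evolve(scheme: Scheme, usk0: Any, tau: int) -> Any:
    """usk_tau = KeyUpd(...KeyUpd(usk0, 1)..., tau): the chain C walks in Game 2."""
    usk = usk0
    for t in range(1, tau + 1):
        usk = scheme.keyupd(usk, t)
    return usk


@dataclass
class Challenger:
    """Bookkeeping shared by the games: one challenge, the hidden bit b, and the
    Phase 2 ban on decrypting the challenge ciphertext. With usk0 set and msk
    handed to the adversary, this is the Game 2 challenger as written."""
    scheme: Scheme
    msk: Any
    usk0: Any = None                     # held by C when C, not A, created the target key pair
    challenge: Optional[tuple] = None    # (tau*, id*, upk*, C*) once issued
    b: int = -1

    def _admissible(self, tau: int, id_: str, upk: Any) -> bool:
        return True                      # per-game restrictions override this

    def challenge_query(self, tau, id_, upk, m0: bytes, m1: bytes):
        if len(m0) != len(m1) or not self._admissible(tau, id_, upk):
            return BOTTOM
        self.b = secrets.randbelow(2)
        c = self.scheme.enc(tau, id_, upk, (m0, m1)[self.b])
        self.challenge = (tau, id_, upk, c)
        return c

    def decryption_query(self, tau, id_, upk, c, usk_tau=None):
        if self.challenge == (tau, id_, upk, c):
            return BOTTOM                # Phase 2 restriction
        if usk_tau is None:              # C derives the key only for a user it created
            if self.usk0 is None:
                return BOTTOM
            usk_tau = evolve(self.scheme, self.usk0, tau)
        cert = self.scheme.certify(self.msk, tau, id_, upk)
        return self.scheme.dec(tau, cert, usk_tau, c)

    def guess(self, b_prime: int) -> bool:
        return self.challenge is not None and b_prime == self.b


@dataclass
class Game1(Challenger):
    """Type I adversary: no msk. A certified (tau, id, upk) can never become the
    challenge target, and the target is never certified after the challenge.
    A1 created its own key pair, so it passes usk_tau with decryption queries
    (assumption: the query tuples are elided in this copy of the paper)."""
    certified: set = field(default_factory=set)

    def _admissible(self, tau, id_, upk):
        return (tau, id_, upk) not in self.certified

    def certificate_query(self, tau, id_, upk):
        if self.challenge is not None and self.challenge[:3] == (tau, id_, upk):
            return BOTTOM
        self.certified.add((tau, id_, upk))
        return self.scheme.certify(self.msk, tau, id_, upk)


@dataclass
class Game3(Challenger):
    """Type III adversary: one breakin query reveals usk_tau of the target.
    Forward security: the challenge period must be strictly earlier than the
    breakin period, whichever query comes first (rule taken from the paper's
    informal statement; the formal Game 3 text is cut off in this copy)."""
    breakin_tau: Optional[int] = None

    def breakin_query(self, tau: int):
        if self.breakin_tau is not None:                   # only one breakin query
            return BOTTOM
        if self.challenge is not None and tau <= self.challenge[0]:
            return BOTTOM                                  # would expose the challenge period
        self.breakin_tau = tau
        return evolve(self.scheme, self.usk0, tau)

    def _admissible(self, tau, id_, upk):
        return self.breakin_tau is None or tau < self.breakin_tau


def advantage(wins: int, trials: int) -> float:
    """Adv(A) := 2|Pr[b = b'] - 1/2|, estimated from wins over trials."""
    return 2 * abs(wins / trials - 0.5)
```

To exercise the bookkeeping, wrap any fs-CBE implementation in a Scheme record and drive the game objects with the adversary's queries; the refusals (⊥) are exactly the places where a proof of Theorem 1 must argue that the adversary gains nothing.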

\[
\frac{\;\cdots\;}{\prod_{k=1}^{t-1} e\big(T_{i_1\ldots i_k},\, U_k\big)}
= \frac{e\Big(r_2 P,\; xH_1(i_1) + \sum_{k=1}^{t-1} s_{i_1\ldots i_k} H_1(i_1\ldots i_{k+1})\Big)}{\prod_{k=1}^{t-1} e\big(s_{i_1\ldots i_k} P,\; r_2 H_1(i_1\ldots i_{k+1})\big)}
= \frac{e(P, H_1(i_1))^{r_2 x} \cdot \prod_{k=1}^{t-1} e(P, H_1(i_1\ldots i_{k+1}))^{r_2 s_{i_1\ldots i_k}}}{\prod_{k=1}^{t-1} e(P, H_1(i_1\ldots i_{k+1}))^{r_2 s_{i_1\ldots i_k}}}
= e(P, H_1(i_1))^{r_2 x},
\]

\[
e(V_1, Cert_{id,i}) = e\big(r_1 P,\; sH_3(i\|id\|upk)\big) = e\big(Q,\; H_3(i\|id\|upk)\big)^{r_1}.
\]

Thus, applying decryption after encryption produces the original message M as required. Therefore, our scheme satisfies the consistency constraint.

C. Security Statement

According to the security statements in [2] and [22], we obtain the following corollary from Theorem 1 directly:

Corollary 1. Assuming that H1, H2, H3, H4 are random oracles and the BDH assumption holds in G1, the above fs-CBE scheme is secure in the sense of fs-CBE-CPA.

V. CONCLUSION

In this paper, we propose the notion of fs-CBE, which combines fs-PKE and CBE while preserving some of their most attractive features. We propose a generic construction of fs-CBE which is secure against chosen plaintext attacks in the standard model. We also discuss how the proposed generic scheme achieves security against adaptive chosen-ciphertext attacks, both in the standard model and in the random oracle model. Based on the proposed generic construction method, we constructed a concrete fs-CBE scheme from two existing schemes. We believe that the notion of forward-secure CBE is of practical interest in some applications, such as electronic commerce and wireless communication.

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China (No. 60673070), the National High Technology Research and Development Program of China (No. 2007AA01Z409), and the Natural Science Foundation of Hohai University (No. 2008428611).


REFERENCES

[1] A. Shamir, "Identity-based cryptosystems and signature schemes," in Advances in Cryptology - CRYPTO'84, USA, LNCS 196, pp. 47-53, 1984.
[2] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in Advances in Cryptology - CRYPTO'01, USA, LNCS 2139, pp. 213-229, 2001.
[3] S. S. Al-Riyami and K. G. Paterson, "Certificateless public key cryptography," in Advances in Cryptology - ASIACRYPT 2003, Taiwan, LNCS 2894, pp. 452-473, 2003.
[4] S. S. Al-Riyami and K. G. Paterson, "CBE from CL-PKE: A Generic Construction and Efficient Schemes," in PKC 2005, Switzerland, LNCS 3386, pp. 398-415, 2005.
[5] C. Gentry, "Certificate-based Encryption and the Certificate Revocation Problem," in Advances in Cryptology - EUROCRYPT 2003, Poland, LNCS 2656, pp. 272-293, 2003.
[6] R. Housley, W. Polk, W. Ford, and D. Solo, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," RFC 3280, IETF, 2002.
[7] M. Myers, R. Ankney, A. Malpani, S. Galperin, and C. Adams, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP," RFC 2560, IETF, 1999.
[8] D. H. Yum and P. J. Lee, "Identity-based Cryptography in Public Key Management," in EuroPKI 2004, Greece, LNCS 3093, pp. 71-84, 2004.
[9] D. Galindo, P. Morillo and C. Ràfols, "Breaking Yum and Lee Generic Constructions of Certificate-Less and Certificate-Based Encryption Schemes," in EuroPKI 2006, Italy, LNCS 4043, pp. 81-91, 2006.
[10] D. Galindo, P. Morillo and C. Ràfols, "Improved Certificate-based Encryption in the Standard Model," Journal of Systems and Software, Elsevier, vol. 81(7), pp. 1218-1226, 2008.
[11] Y. Lu, J. Li, and J. Xiao, "Generic Construction of Certificate-based Encryption," in 9th International Conference for Young Computer Scientists (ICYCS 2008), China, pp. 1518-1594, 2008.
[12] Y. Lu, J. Li, and J. Xiao, "Generic Construction of Certificate-based Encryption in the Standard Model," in 2nd International Symposium on Electronic Commerce and Security (ISECS 2009), China, pp. 25-29, 2009.
[13] B. G. Kang and J. H. Park, "Is It Possible to Have CBE from CL-PKE?," Cryptology ePrint Archive, Report 2005/431.
[14] L. Wang, J. Shao, Z. Cao, M. Mambo, and A. Yamamura, "A Certificate-based Proxy Cryptosystem with Revocable Proxy Decryption Power," in Indocrypt 2007, India, LNCS 4859, pp. 297-311, 2007.
[15] J. K. Liu and J. Zhou, "Efficient certificate-based encryption in the standard model," in the 6th International Conference on Security and Cryptography for Networks (SCN 2008), Italy, LNCS 5229, pp. 144-155, 2008.
[16] Y. Lu, J. Li, and J. Xiao, "Constructing efficient certificate-based encryption with pairing," Journal of Computers, Academy Publisher, Finland, vol. 4(1), pp. 19-26, 2009.
[17] Y. Lu, J. Li, and J. Xiao, "Threshold Certificate-based Encryption: Definition and Concrete Construction," in the 2009 International Conference on Networks Security, Wireless Communications and Trusted Computing (NSWCTC 2009), China, pp. 276-280, 2009.
[18] M. Bellare and P. Rogaway, "Random Oracles are Practical: A Paradigm for Designing Efficient Protocols," in 1st ACM Conference on Communications and Computer Security, USA, pp. 62-73, 1993.
[19] M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway, "Relations Among Notions of Security for Public-Key Encryption Schemes," in Advances in Cryptology - CRYPTO'98, USA, LNCS 1462, pp. 26-45, 1998.
[20] M. Bellare and B. Yee, "Forward Security in Private-Key Cryptography," in RSA Cryptographers' Track - CT-RSA 2003, USA, LNCS 2612, pp. 1-18, 2003.
[21] R. Canetti, O. Goldreich, and S. Halevi, "The Random Oracle Methodology, Revisited," in STOC'98, USA, pp. 209-218, 1998.
[22] R. Canetti, S. Halevi, and J. Katz, "A Forward-Secure Public-Key Encryption Scheme," in Advances in Cryptology - EUROCRYPT 2003, Poland, LNCS 2656, pp. 255-271, 2003.
[23] C. G. Günther, "An Identity-Based Key-Exchange Protocol," in Advances in Cryptology - EUROCRYPT '89, Belgium, LNCS 434, pp. 29-37, 1990.
[24] W. Diffie, P. C. van Oorschot, and M. J. Wiener, "Authentication and Authenticated Key Exchanges," Designs, Codes and Cryptography, vol. 2(2), pp. 107-125, 1992.
[25] R. Anderson, "Two Remarks on Public Key Cryptology," Invited Lecture, ACM CCS '97. Available at http://www.cl.cam.ac.uk/ftp/users/rja14/forwardsecure.pdf.
[26] R. Canetti, S. Halevi, and J. Katz, "Chosen-Ciphertext Security from Identity-based Encryption," in Advances in Cryptology - EUROCRYPT 2004, Switzerland, LNCS 3027, pp. 207-22, 2004.
[27] D. Boneh and J. Katz, "Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity Based Encryption," in RSA - Cryptographers' Track 2005, USA, LNCS 3376, pp. 87-103, 2005.
[28] E. Fujisaki and T. Okamoto, "Secure Integration of Asymmetric and Symmetric Encryption Schemes," in Advances in Cryptology - CRYPTO'99, USA, LNCS 1666, pp. 537-554, 1999.
[29] E. Fujisaki and T. Okamoto, "How to Enhance the Security of Public-key Encryption at Minimum Cost," in PKC'99, Japan, LNCS 1560, pp. 53-68, 1999.

Yang Lu was born in Yangzhou City, Jiangsu Province, P.R. China, in 1977. He received the B.S. degree in mathematics and the M.S. degree in computer science from Nanjing Normal University in 2000 and 2003 respectively, and his Ph.D. degree from PLA University of Science and Technology in 2009. He has been working at Hohai University since 2003. Currently, he is a Lecturer in the College of Computer and Information Engineering. He has published more than 20 papers in international conferences and journals and in Chinese journals. His major research interests include network security and cryptography.

Jiguo Li received the B.S. degree from Heilongjiang University in 1996, and the M.S. and Ph.D. degrees from Harbin Institute of Technology in 2000 and 2003. He has been working at Hohai University since 2003. Currently, he is a Professor in the College of Computer and Information Engineering. His major research interests include information security and cryptography.
