ISSN: 2393-9842
www.irjcs.com
Mazleena Salleh
Faculty of Computing, Universiti Teknologi Malaysia
Abstract: The significant advantage of key management in Public Key Cryptosystems compared with symmetric ones has made this category of cryptosystems one of the most interesting research areas, and many cryptographic primitives have been proposed on the basis of traditional Public Key Cryptosystems. The use of certificates issued by Certification Authorities is the basis for supporting trust in these primitives. However, the need to trust Certification Authorities imposes considerable expense for handling Public Key Infrastructures. To solve this problem, Identity-Based cryptosystems entered the cryptographic literature. Following the first practical Identity-Based Encryption scheme by Boneh and Franklin, a large variety of cryptographic primitives in the context of Identity-Based cryptosystems have been proposed. This paper investigates the importance and position of Identity-Based cryptosystems. In addition, it reviews the details of a subset of protocols to make the phases of the mentioned Identity-Based primitives understandable for future researchers in this area, especially beginners.
Keywords: Identity-Based Cryptography, Bilinear Pairings, Encryption, Digital Signature, Identification, Key Agreement.
I. INTRODUCTION
Identity-Based Cryptography is a kind of Public Key Cryptography introduced by Adi Shamir [1]. The significant attribute of this category of cryptosystems is that the public-key is replaced by an easily computable function of a publicly known identity of the user, such as an email address, a digital image or a phone number. In order to obtain a consistent cryptosystem, however, a Trusted Third Party called the Private Key Generator is responsible for generating and distributing the entities' private-keys. The significant advantage of this category of cryptosystems is that it eliminates the expensive management of a Public Key Infrastructure and the maintenance of Certificate Authorities.
Continuing from the above, it is worth noting that bilinear pairings are the basis on which a large variety of the proposed Identity-Based cryptographic protocols are built. Roughly speaking, bilinear pairings are cryptographic functions that map an input consisting of two elements of algebraic groups on elliptic curves to a multiplicative algebraic group over a finite field. Although these functions first appeared in the cryptographic literature as tools for attacks such as the MOV attack [2] and the FR attack [3], which reduce the elliptic-curve discrete logarithm problem to a discrete logarithm in a finite field, their interesting functionality led to the proposal of many pairing-based schemes. In this area, following Joux's three-party key agreement protocol [4] and the Identity-Based Encryption scheme of Boneh and Franklin [5], many Identity-Based cryptographic schemes have been proposed [6-9]. One of the aims of this paper is to present a subset of these schemes.
The rest of this paper is organized as follows. First, we present the technical background needed to make the rest of the paper understandable; its first subsection is devoted to Bilinear Pairings, one of the most widely used maps in the Identity-Based cryptographic literature. The goal of the third section is to show the advantages of Identity-Based cryptosystems. To show the importance of this category of public key cryptosystems, we trace the key-management policy of traditional public key cryptographic schemes, following the investigation in [10]. Then, in section 4, we give precise definitions of the fundamental cryptographic primitives and describe their main phases. Some samples of proposed Identity-Based schemes (over the Encryption, Digital Signature, Identification and Key Agreement primitives) are investigated in the fifth section. Finally, the last section concludes the paper.
II. PRELIMINARIES
This section presents a brief review of Bilinear Pairings, a widely used cryptographic map in a large variety of public key cryptosystems, especially Identity-Based ones.
A. Bilinear Pairings
Bilinear Pairings are cryptographic building blocks in the design of many recently proposed cryptosystems. These maps, most of which are computed with Miller's algorithm [11], are deterministic functions whose input consists of elements of two algebraic groups. To introduce a Bilinear Pairing in more detail, consider three algebraic groups of prime order q, two of them forming the domain and the third the range of the map. A cryptographic map of this form is a Bilinear Pairing if it satisfies the following properties:
i. Bilinearity: the map is linear in each of its two arguments;
ii. the map sends a pair of inputs to the identity element of the target group only when the inputs are the identity elements of their respective groups (non-degeneracy);
2015, IRJCS- All Rights Reserved
iii.
The Security Level field in TABLE I and TABLE II refers to the size of the field required to attain a given level of security against the Discrete Logarithm problem.
III. IDENTITY-BASED VERSUS TRADITIONAL PUBLIC KEY CRYPTOSYSTEMS
This section presents the advantages of Identity-Based cryptography compared with traditional public key cryptosystems. To study these advantages, the functionality of traditional Public Key Cryptosystems must first be understood. The use of Certification Authorities is the fundamental idea of traditional Public Key cryptosystems. Since the second party's public-key is a crucial item in every public-key primitive, before sending any cryptographic information over an insecure channel the first party must be sure that the public-key it obtained for the second party is the correct one. This issue can be examined in two steps: extracting and verifying that public-key. If we assume that the extraction step is easy and needs no further attention, the verification step remains the difficult one. The well-known technique for verifying an obtained public-key relies on public-key certificates.
In general, a public-key certificate is any evidence that proves the validity of the certified public-key. The simplest way to produce such evidence is a Digital Signature over the key. This method, in turn, raises further concerns. First, the Digital Signature scheme used must be cryptographically secure. In addition, every entity must be able to verify the signature of the entity that certified the required public-key. Assuming that the signature scheme cannot be forged, the second concern leads to two further consequences. First, the entity playing the role of verifier must be sure that the signer's public-key is valid. Second, that entity must trust the signer: a dishonest signer can replace the second party's public-key with the public-key of any entity of its choice.
Unfortunately, these two conditions cannot be satisfied easily. To explain the main problem, called the Certification Path problem, assume that the first entity, Alice, does not know the public-key that is required to verify Bob's certified public-key. In this case, she needs to verify another certificate to obtain that key. If she is unable to verify this certificate either, the scenario continues until she reaches a certificate she can verify. The only solution to the Certification Path problem is to assume that every entity is initially given at least one public-key securely. As a simple solution, one such key can be pre-installed for all entities. This makes every entity able to verify certificates whenever a Certification Path exists to validate the public-keys of the other entities.
An admissible way to implement the solution above is a Certification Tree, whose root is a Certification Authority, whose intermediate nodes are delegate authorities certified by their parent node, and whose leaves are the communicating parties. In this method, each entity must possess the public-keys of all intermediate authorities placed between it and the root Certification Authority. As a result, starting from the authority shared by Alice and Bob, these entities are able to check the certificate of each other's public-key.
Although this solution seems perfect, it suffers from the problem of managing trust in the owner of the first public-key. This problem can be examined from two viewpoints. From the viewpoint of a hierarchical organization, a trusted system administrator who is responsible for setting up a Certification Authority can solve the problem: since the organization trusts the administrator, the other entities can trust him during their communications. Although this solution seems perfect for organizations, from the viewpoint of an individual party it is not a proper one, because not every party can trust an initial key that is provided by a company.
To escape this difficulty, it is possible to let the parties themselves create certificates. Under this solution, any party can trust a certificate created by an entity it trusts, such as a friend. However, this solution suffers from another significant problem: individual parties cannot trust an entity that is a friend of their friend (or a friend of a friend of their friend, and so on) when they have never met that entity. As a result, this problem can void the value of certificates in a direct-trust method. What remains is an expensive and hardly quantifiable procedure in which the parties obtain the same key through several independent channels until they are satisfied of the validity of the considered public-key.
To avoid a large fraction of the problems above, Identity-Based cryptography offers a powerful approach. The fundamental observation in an Identity-Based cryptosystem is that all involved entities already need to learn some basic information before they communicate with each other. At the very least, they need to obtain the identifier of the other communicating entities, such as a telephone number, an image, an email address or something similar. As pointed out by Shamir in [1], the important advantage of Identity-Based cryptosystems is that this identifier replaces the entity's public-key.
To conclude this section: although certificate-based cryptosystems solve the problem of public-key validity of authorized entities by using a CA (Certification Authority), the need for a valid certificate for the CA's public-key leads to a new concern, the complex management of a Public Key Infrastructure (PKI). Identity-Based cryptosystems are a useful and admissible technique for avoiding this problem, because replacing users' public-keys by their identities eliminates the need for certificates and all the consequences of managing them. The price is that the Private Key Generator, which holds the Master-key, can compute every user's private-key, so it must be trusted at least as much as a CA, and each private-key must reach its user over a confidential channel.
IV. IDENTITY-BASED CRYPTOGRAPHIC PRIMITIVES
This section describes the algorithms of four fundamental cryptographic primitives, Encryption, Digital Signature, Identification and Key Agreement, in the context of Identity-Based cryptosystems. Following our standardization, an Identity-Based scheme for any of these primitives can be split into four phases. The first and second phases are the algorithms SETUP and EXTRACTION. The SETUP algorithm takes the security parameter and generates the publicly known parameters, Params, and a confidential secret named the Master-key. Both of these algorithms are executed by a trusted third party named the Private Key Generator (PKG). The second algorithm, EXTRACTION, is an interaction between a user and the PKG in order to generate and distribute the user's private-key. The third and fourth algorithms depend on the category of the considered cryptographic scheme, and are as follows for each primitive:
(i) Encryption
The third and fourth algorithms of an Encryption primitive are named ENCRYPT and DECRYPT, respectively. In the ENCRYPT algorithm, the first party computes the transformed message, called the Ciphertext, from the plaintext, Params and the second party's identity. The second party executes the DECRYPT algorithm in order to recover the plaintext from the ciphertext, Params and his own private-key.
(ii) Digital Signature
The third and fourth algorithms of a Digital Signature primitive are named SIGNING and VERIFICATION, respectively. In the SIGNING algorithm, the first party computes the signed message from the message, Params and his own private-key. The second party executes the VERIFICATION algorithm in order to verify the signature from the signed message, Params and the identity of the signer (the first party).
(iii) Identification
The Identification scheme proposed by Fiat and Shamir [16] is the basis of the algorithms of recently proposed Identification schemes. In that scheme, the authors assumed that the Prover and the Verifier are the involved entities, executing two algorithms named Proving and Verification. The Proving algorithm consists of three sub-algorithms named COMMITMENT, CHALLENGE and RESPONSE. In the COMMITMENT algorithm, the Prover sends a one-way function of a randomly chosen value
2
Certification Authority
to the Verifier. Then, in the CHALLENGE algorithm, the Verifier randomly chooses a value from a fixed challenge set and sends it back to the Prover. In the RESPONSE algorithm, the Prover computes a deterministic function of the received challenge, the private-key of the entity it claims to be, and the random value chosen in the COMMITMENT sub-phase, and sends the result back to the Verifier. The second party, the Verifier, then executes the VERIFICATION algorithm in order to decide whether to accept or reject the claimed identity.
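As an added example (not from the paper), the flow just described, instantiated with the original Fiat-Shamir scheme [16] in Python: the trusted centre derives the public value v from the identity, so no certificate is needed, and the prover shows possession of a square root s of v modulo n without revealing it. The primes, the identity string and the challenge lists are constructed for the demonstration; a cheating prover that knows only v is included to show why one round gives only one bit of assurance.

```python
import hashlib
import secrets

# Constructed toy modulus for the original Fiat-Shamir scheme [16].  Both primes
# are 3 (mod 4) so the trusted centre, which knows the factorisation, can take
# square roots mod N.  Real deployments use an RSA-sized N; this one only
# illustrates the COMMITMENT / CHALLENGE / RESPONSE / VERIFICATION flow.
P, Q = 10007, 10039
N = P * Q


def public_value(identity, j):
    """v_j = f(ID, j): the prover's 'public key' is a hash of its identity."""
    d = hashlib.sha256(f"{identity}|{j}".encode()).digest()
    return int.from_bytes(d, "big") % N


def extract(identity):
    """Trusted centre: first j with v_j a square mod N, and s with s^2 = v_j (mod N)."""
    for j in range(256):
        v = public_value(identity, j)
        if v % P == 0 or v % Q == 0:
            continue
        if pow(v, (P - 1) // 2, P) != 1 or pow(v, (Q - 1) // 2, Q) != 1:
            continue                      # not a quadratic residue mod both primes
        sp, sq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)   # roots mod P, mod Q
        s = (sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N  # combine by CRT
        return j, s
    raise ValueError("no usable v_j found")


class HonestProver:
    def __init__(self, s):
        self.s = s

    def commit(self):                     # COMMITMENT: x = r^2 mod N
        self.r = 1 + secrets.randbelow(N - 1)
        return pow(self.r, 2, N)

    def respond(self, c):                 # RESPONSE: y = r * s^c mod N
        return self.r * pow(self.s, c, N) % N


class CheatingProver:
    """Knows only v.  Guesses the challenge before committing; passes a round iff the guess is right."""
    def __init__(self, v, guess):
        self.v, self.guess = v, guess

    def commit(self):
        self.r = 1 + secrets.randbelow(N - 1)
        # for guess 1, commit to r^2 / v so that y = r satisfies y^2 = x * v
        return pow(self.r, 2, N) * pow(self.v, -self.guess, N) % N

    def respond(self, c):
        return self.r


def identify(prover, v, challenges):
    """Verifier: one round per challenge c in {0,1}; accept iff y^2 = x * v^c (mod N) every round."""
    for c in challenges:
        x = prover.commit()               # COMMITMENT
        y = prover.respond(c)             # CHALLENGE c sent, RESPONSE received
        if x == 0 or pow(y, 2, N) != x * pow(v, c, N) % N:   # VERIFICATION
            return False
    return True
```

In a real run the verifier draws each challenge itself, e.g. `identify(prover, v, [secrets.randbelow(2) for _ in range(20)])`; the cheating prover then survives all twenty rounds with probability 2^-20, which is the soundness the repeated rounds buy.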
(iv) Key Agreement
The third and fourth algorithms of an Identity-Based Key Agreement primitive are named MATERIAL-EXCHANGE and SESSION-KEY-COMPUTATION, respectively. In the MATERIAL-EXCHANGE algorithm, each participant computes a one-way function of a randomly chosen value and the participants exchange these values. Then, in the SESSION-KEY-COMPUTATION algorithm, each participant computes the session-key from Params and the public and secret parameters it possesses.
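The two phases above, as an added example in Python (not the paper's code and not the sample the paper covers): an identity-based authenticated key agreement in the style of Smart's 2002 two-party protocol, in which each party sends T = aP and computes K = e(a·Q_peer, P_pub)·e(d_own, T_peer). The pairing is a constructed toy over Z_q and Z_p^* so the block runs without a pairing library; the identities, the group parameters and SHA-256 as the key-derivation and hash-to-group function are assumptions for the demonstration.

```python
import hashlib
import secrets

# Constructed toy "pairing" with the same algebra as a real one: G1 = (Z_q, +)
# with generator P = 1, GT = the order-q subgroup of Z_p^* generated by g, and
# e(a, b) = g^(a*b) mod p.  p = 1019 = 2*509 + 1 is prime and g = 4 = 2^2 has
# order q.  A discrete log in G1 is a division mod q, so this shows only the
# message flow; it gives no security.
q, p, g = 509, 1019, 4


def e(a, b):
    return pow(g, (a * b) % q, p)


def h1(identity):                       # H1: identity string -> G1*
    d = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)


def kdf(gt_elem):                       # session key = H(K)
    return hashlib.sha256(gt_elem.to_bytes(2, "big")).hexdigest()


# SETUP and EXTRACTION, run by the PKG
def setup():
    s = 1 + secrets.randbelow(q - 1)    # Master-key
    return s, s % q                      # (Master-key, P_pub = s*P)


def extract(s, identity):
    return s * h1(identity) % q          # d_ID = s * Q_ID


# MATERIAL-EXCHANGE: each party picks a and sends T = a*P (one-way in a real group)
def material(rng=secrets.randbelow):
    a = 1 + rng(q - 1)
    return a, a % q


# SESSION-KEY-COMPUTATION: K = e(a*Q_peer, P_pub) * e(d_own, T_peer)
def session_key(d_own, a_own, t_peer, peer_identity, p_pub):
    k = e(a_own * h1(peer_identity) % q, p_pub) * e(d_own, t_peer) % p
    return kdf(k)


def pkg_escrow_key(s, t_a, t_b, id_a, id_b):
    # The PKG, knowing s and the two public messages, can derive the same key.
    k = pow(e(h1(id_b), t_a), s, p) * pow(e(h1(id_a), t_b), s, p) % p
    return kdf(k)


def run(id_a="alice@example.com", id_b="bob@example.com"):
    s, p_pub = setup()
    d_a, d_b = extract(s, id_a), extract(s, id_b)
    a, t_a = material()                  # Alice -> Bob: T_A
    b, t_b = material()                  # Bob -> Alice: T_B
    k_a = session_key(d_a, a, t_b, id_b, p_pub)
    k_b = session_key(d_b, b, t_a, id_a, p_pub)
    return k_a, k_b, pkg_escrow_key(s, t_a, t_b, id_a, id_b)
```

Both parties obtain K = e(P, P)^(s·(a·Q_B + b·Q_A)), and no certificate is exchanged: knowing the peer's identity string is enough. The `pkg_escrow_key` function shows the caveat that comes with the PKG of section III: because the Master-key s enters every session key, the PKG (or anyone who steals s) can recompute past session keys from the recorded T values, so protocols of this shape give no forward secrecy against the PKG.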
V. SAMPLES OF IDENTITY-BASED SCHEMES
After the appearance of the first fully functional Identity-Based cryptographic scheme, the Identity-Based Encryption scheme of Boneh and Franklin [5], many Identity-Based cryptographic schemes have been proposed. Since this area is very broad, this section investigates only some instances of Identity-Based schemes over the four fundamental cryptographic primitives mentioned above.
Before introducing the samples, note that the Bilinear Pairings used below are symmetric ones defined over two groups of prime order, mapping a pair of elements of the first group into the second, and that five one-way, collision-free hash functions are used. The following subsections introduce one sample of each Identity-Based primitive.
A. An Identity-Based Encryption scheme
In this section, we introduce the Identity-Based Encryption scheme proposed by Boneh and Franklin [5]. The phases of this scheme are as follows:
SETUP: In this phase, the SETUP algorithm takes the security parameter and generates the Master-key and Params such that:
Here,
and
and
(Eq.1)
(Eq.2)
ENCRYPT: In this phase, the Encryption algorithm takes the pair
the identity of the second party, then chooses the random value
(Eq.3):
In addition, the authors evaluated the security of the scheme and proved that it is secure, in the random oracle model, under the assumption that the Bilinear Diffie-Hellman (BDH) problem is hard.
B. An Identity-Based Digital Signature scheme
In this section, we introduce the Identity-Based Digital Signature scheme proposed by Hess [17]. The phases of this scheme are introduced next.
Here,
that
that
and
. Then, after
are as follow:
(Eq.7)
(Eq.8)
VERIFICATION: In this phase, the Verifier entity takes the public-pair of the Signer,
,
, the message
as (Eq.9).
(Eq.9)
Then, the Verifier accepts the signature if and only if (Eq.10) holds.
(Eq.10)
Continuing from the above, it is worth noting that the author evaluated the security of the proposed scheme by proving that it is secure under the assumption that the Weak Diffie-Hellman (WDH) problem is hard.
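As an added example covering the pairing properties of section II.A, the Boneh-Franklin BasicIdent scheme of section V.A and the Hess signature of section V.B, here is a Python implementation of all three over a constructed toy pairing. This is not the paper's code; the formulas are the published BasicIdent and Hess algorithms, and the identities, messages, SHA-256 instantiations of the hash functions and the group parameters are assumptions for the demonstration.

```python
import hashlib
import secrets

# Constructed toy "pairing": G1 = (Z_q, +) with generator P = 1, GT = the
# order-q subgroup of Z_p^* generated by g, and e(a, b) = g^(a*b) mod p.  It is
# bilinear and non-degenerate, but a discrete logarithm in G1 is a division
# mod q, so the Master-key can be read off P_pub.  It shows the algebra of the
# schemes, not their security; real pairings are computed on elliptic curves.
def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

q = 1000003                                                      # group order
cofactor = next(c for c in range(2, 10**6, 2) if is_prime(c * q + 1))
p = cofactor * q + 1
g = next(x for x in (pow(h, cofactor, p) for h in range(2, 100)) if x != 1)


def e(a, b):                         # e(a*P, b*P) = e(P, P)^(a*b)
    return pow(g, (a * b) % q, p)


def h1(identity):                    # H1: identities -> G1*
    d = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(d, "big") % (q - 1)


def h2(gt_elem, n):                  # H2: GT -> n-byte mask (n <= 32)
    return hashlib.sha256(gt_elem.to_bytes(8, "big")).digest()[:n]


def h3(message, gt_elem):            # H: {0,1}* x GT -> Z_q
    d = hashlib.sha256(message + gt_elem.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") % q


def pairing_properties_hold():       # section II.A: bilinearity and non-degeneracy
    a, b, c = (1 + secrets.randbelow(q - 1) for _ in range(3))
    bilinear = (e((a + b) % q, c) == e(a, c) * e(b, c) % p
                and e(a, (b + c) % q) == e(a, b) * e(a, c) % p
                and e(a * b % q, c) == pow(e(a, c), b, p))
    return bilinear and e(1, 1) != 1   # e(P, P) is not the identity of GT


# --- Boneh-Franklin BasicIdent (section V.A) ---
def setup():
    s = 1 + secrets.randbelow(q - 1)     # Master-key
    return s, s % q                       # Params carry P_pub = s*P


def extract(s, identity):
    return s * h1(identity) % q           # d_ID = s * Q_ID


def encrypt(p_pub, identity, message):
    assert len(message) <= 32             # one SHA-256 mask per message
    r = 1 + secrets.randbelow(q - 1)
    g_id_r = pow(e(h1(identity), p_pub), r, p)          # e(Q_ID, P_pub)^r
    v = bytes(m ^ t for m, t in zip(message, h2(g_id_r, len(message))))
    return r % q, v                                     # (U = r*P, V)


def decrypt(d_id, ciphertext):
    u, v = ciphertext
    mask = h2(e(d_id, u), len(v))                       # e(d_ID, U) = e(Q_ID, P_pub)^r
    return bytes(c ^ t for c, t in zip(v, mask))


# --- Hess identity-based signature (section V.B) ---
def sign(d_id, message, p1=1):
    k = 1 + secrets.randbelow(q - 1)                    # fresh per signature
    r = pow(e(p1, 1), k, p)                             # r = e(P1, P)^k
    v = h3(message, r)                                  # v = H(m, r)
    return (v * d_id + k * p1) % q, v                   # u = v*d_ID + k*P1


def verify(p_pub, identity, message, signature):
    u, v = signature
    r = e(u, 1) * pow(e(h1(identity), (-p_pub) % q), v, p) % p   # e(u, P) * e(Q_ID, -P_pub)^v
    return h3(message, r) == v
```

Decryption works because bilinearity gives e(d_ID, U) = e(s·Q_ID, r·P) = e(Q_ID, s·P)^r, the same mask the sender derived from Bob's identity alone; the Hess check works because e(u, P) = e(Q_ID, P_pub)^v · e(P1, P)^k and the e(Q_ID, -P_pub)^v factor cancels the first term. The scalar k in `sign` must be fresh: two signatures with the same k and P1 give u1 - u2 = (v1 - v2)·d_ID, from which the private-key is recovered by one division mod q.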
C. An Identity-Based Identification sample
In this section, we introduce the Identity-Based Identification scheme proposed by Kurosawa and Heng [18]. The five phases of this scheme are as follows:
SETUP: In this phase, the Master-key and Params are as follows:
Here,
EXTRACT: In this phase, a user who possesses an identity asks the PKG for the corresponding private-key. In this case, the PKG randomly chooses its values, computes the private-key and sends it to the user.
D. An Identity-Based Key Agreement sample
SETUP: In this phase, the SETUP algorithm takes the security parameter and generates the Master-key and Params:
Here,
EXTRACT: In this phase, assume that a user who possesses the identity asks the PKG for the corresponding private-key, which the PKG computes and sends to the user.
MATERIAL-EXCHANGE: In this phase, the first communicating party computes
[14] NIST, Recommendation for Key Management, Part 1: General, NIST Special Publication 800-57, August 2005.
[15] ECRYPT, Yearly Report on Algorithms and Keysizes, 2004.
[16] A. Fiat and A. Shamir, "How to Prove Yourself: Practical Solutions to Identification and Signature Problems," Advances in Cryptology, CRYPTO '86, LNCS 263, Springer-Verlag, 1987.
[17] F. Hess, "Efficient Identity Based Signature Schemes Based on Pairings," SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag, 2002.
[18] K. Kurosawa and S.-H. Heng, "Identity-based identification without random oracles," Information Security and Hiding, ISH '05 (in conjunction with ICCSA '05), LNCS 3481, pp. 603-613, Springer-Verlag, 2005.
[19] D. Boneh and X. Boyen, "Short signatures without random oracles," Advances in Cryptology, EUROCRYPT '04, LNCS 3027, pp. 56-73, Springer-Verlag, 2004.
[20] Y. Wang, "Efficient Identity-Based and Authenticated Key Agreement Protocols," Transactions on Computational Science XVII, 2013.