
International Research Journal of Computer Science (IRJCS)

Issue 1, Volume 2 (January 2015)

ISSN: 2393-9842
www.irjcs.com

A Review on security primitives in the basis of Identity-Based Cryptosystems
Shabnam Kasra-Kermanshahi*
Faculty of Computing, Universiti Teknologi Malaysia

Mazleena Salleh
Faculty of Computing, Universiti Teknologi Malaysia

Abstract: The significant advantage of key management in Public Key Cryptosystems compared with Symmetric ones has made this category of cryptosystems one of the most interesting research areas. Accordingly, many cryptographic primitives have been proposed based on traditional Public Key Cryptosystems. The use of certificates issued by Certification Authorities is the basis of supporting trust in these primitives. However, the need to trust Certification Authorities imposes many expenses to handle Public Key Infrastructures. In order to solve this problem, Identity-Based cryptosystems came into the cryptographic literature. Following the first applicable Identity-Based Encryption scheme by Boneh and Franklin, a large variety of cryptographic primitives in the context of Identity-Based cryptosystems have been proposed. This paper investigates the importance and position of Identity-Based cryptosystems. In addition, it reviews the details of a subset of protocols to make the phases of the mentioned Identity-Based primitives understandable for future researchers in this area, especially beginners.
Keywords: Identity-Based Cryptography, Bilinear Pairings, Encryption, Digital Signature, Identification, Key Agreement.
I. INTRODUCTION
Identity-Based Cryptography is a kind of Public Key Cryptography that was introduced by Adi Shamir [1]. The significant attribute of this category of cryptosystems is replacing the public-key with an easily computable function of a publicly known identity of the user, such as an email address, digital image, phone number, etc. However, in order to have a consistent cryptosystem, a Trusted Third Party, called the Private Key Generator, is responsible for generating and distributing the entities' private-keys. The significant advantage of this category of cryptosystems is eliminating the need for expensive management of a Public Key Infrastructure and maintenance of Certificate Authorities.
Continuing what was mentioned above, it is worth noting that the use of bilinear pairings is the basis of developing a large variety of proposed Identity-Based cryptographic protocols. Roughly speaking, bilinear pairings are cryptographic functions that map an input consisting of two elements of algebraic elliptic curve groups to a multiplicative algebraic group over a finite field. Although these cryptographic functions were first introduced in the cryptographic literature in order to perform attacks such as the MOV attack [2] and the FR attack [3], their interesting functionality led to many pairing-based schemes being proposed. In this area, following Joux's three-party key agreement protocol [4] and the Identity-Based Encryption scheme of Boneh and Franklin [5], many Identity-Based cryptographic schemes have been proposed [6-9]. One of the aims of this paper is to present a subset of these schemes.
The rest of this paper is organized as follows. First, we present the technical background to make the rest of this paper more understandable. The first subsection of this part is assigned to Bilinear Pairings as one of the most applicable maps in the Identity-Based cryptographic literature. The goal of the third section is to show the advantages of Identity-Based cryptosystems. To show the importance of this category of public key cryptosystems, we trace the policy of key management in traditional public key cryptographic schemes, following what was investigated in [10]. Then, we give precise definitions of the fundamental cryptographic primitives and describe their main phases in section 4. Some samples of proposed Identity-Based schemes (over the Encryption, Digital Signature, Identification and Key Agreement primitives) are investigated in the fifth section. Finally, the last section concludes with the outline and contents of this paper.
II. PRELIMINARIES
This section presents a brief review over Bilinear Pairings as a widely used cryptographic map in a large variety of
public key cryptosystems especially Identity-Based ones.
A. Bilinear Pairings
Bilinear Pairings are cryptographic building blocks in designing many recently proposed cryptosystems. These maps, most of which are based on Miller's algorithm [11], are deterministic functions over an input consisting of elements of two algebraic groups. To introduce a Bilinear Pairing in more detail, consider that , and are three algebraic groups with prime order q. A cryptographic map such as is a Bilinear Pairing if it supports the following properties:
i. Bilinearity, means that: , ,
ii. Non-degeneracy, means that if and are identity elements of and , respectively, then does not map any pair of to unless .
_________________________________________________________________________________________________
2015, IRJCS- All Rights Reserved
Page -22


iii. Computability, means that for any and , there must be an efficient algorithm to compute .
Recently, the wide usage of pairing-based cryptographic applications has persuaded many researchers to propose efficient Bilinear Pairings. The Weil pairing and the Tate pairing are examples of the most widely used Bilinear Pairings in cryptographic schemes [12, 13]. However, this review excludes the details of this category of cryptographic maps. To implement Bilinear Pairings, the mentioned groups that are inputs of the map are taken from the points of an algebraic Elliptic Curve. Many reasons could persuade cryptologists to use Elliptic Curve based cryptosystems. One of the most significant advantages of using ECC (Elliptic Curve Cryptography) based algebraic groups compared with RSA based ones is the need for a smaller key size at the same security level. TABLE I and TABLE II depict the suggested key sizes for ECC based and RSA based cryptosystems from two standard documents, NIST [14] and ECRYPT [15], respectively.
Table I. Key sizes of NIST standard [14]

Table II. Key sizes of ECRYPT standard [15]

Here, the Security Level field in TABLE I and TABLE II refers to the size of the field required to attain a given level of security against the Discrete Logarithm problem.
III. IDENTITY-BASED VERSUS TRADITIONAL PUBLIC KEY CRYPTOSYSTEMS
This section presents the advantages of Identity-Based cryptography compared with Traditional public key cryptography. In order to study these advantages, the functionality of Traditional Public Key Cryptosystems needs to be understood. The use of Certification Authorities is the fundamental idea in Traditional Public Key cryptosystems. Since the second party's public-key is a crucial item in all primitives over Public Key Cryptosystems, before sending any cryptographic information over an insecure channel, the first party must be sure that the obtained public-key of the second party is the correct one. This issue can be investigated in more detail over two steps, which are extracting and verifying the mentioned public-key. If we assume that the public-key extraction step is easy and does not need to be focused on, the verifying step remains difficult. However, there is a well-known technique to verify existing public-keys, which relies on public-key certificates.
In general, a public-key certificate can be any evidence that proves the validity of the certified public-key. As a simple way, the use of a Digital Signature seems suitable to reach this goal. This method, in turn, imposes some other concerns. First of all, the Digital Signature scheme used must be cryptographically secure. In addition, all existing entities must be able to verify the signature of the entity who certified the required public-key. Assuming that the utilized Signature scheme cannot be forged, the second concern leads to two other consequences. The first consequence is that the entity who plays the role of verifier must be sure that the public-key of the signer is valid. Besides this, the mentioned entity should trust the signer. Clearly, a dishonest signer can replace the second party's public-key with the public-key of an entity of his choice.
Unfortunately, the two conditions mentioned cannot be satisfied easily. To explain the main problem, which is named the Certification Path problem, assume that the first entity, Alice, does not know the public-key that is required to verify Bob's certified public-key. In this case, she needs to verify another certificate to obtain Bob's public-key. Of course, if she is unable to verify the last certificate, this scenario will continue until she can obtain a verifiable certificate. The only solution to the Certification Path problem is to assume that all entities are initially given at least one of the public-keys securely. As a simple solution, one of the mentioned keys can be pre-installed for all existing entities. This simple solution makes all entities able to verify the certificates if there exists a Certification Path to validate the public-keys of the existing entities.


An admissible method to implement the solution above is the use of a Certification Tree, which can be created with a Certification Authority as the root node, intermediate delegate authorities that are certified by their parent node, and finally the communicating parties as the leaves of the tree. In this method, each entity must possess the public-keys of all intermediate authorities that are placed between it and the root Certification Authority. As a result, by starting from the shared authority of Alice and Bob, these entities would be able to check the certificate of each other's public-key.
Although the solution above seems perfect, it suffers from the problem of managing the trust in the owner of the first public-key. This problem can be investigated from two different viewpoints. From a hierarchical organization viewpoint, a trusted system administrator who is responsible for setting up a Certification Authority can solve this problem. Since the administrator is trusted by the organization, other entities can trust him during their communications. Although this solution seems perfect for organizations, from an individual party's viewpoint it is not a proper one. The reason is that not all parties can trust this initial key, which is provided by a company.
To escape the difficulty mentioned above, it is possible to let parties create certificates themselves. Based on this solution, any party can trust a certificate that has been created by a trusted entity such as a friend. However, this solution suffers from another significant problem. In systems based on this solution, individual parties cannot trust an entity which is a friend of their friend (or a friend of one of the friends of their friend, and so on) while they have never met that entity. As a result, this problem can void the value of certificates in a direct trusted party method. Therefore, this approach is limited to an expensive and hardly quantifiable method in which the parties obtain the same key through several independent channels until they are satisfied with the validity of the considered public-key.
To avoid a large fraction of the problems mentioned above, Identity-Based cryptography offers a powerful theory. The fundamental observation in an Identity-Based cryptosystem is that all involved entities already need to learn some basic information before they communicate with each other. At the very least, they need to obtain the identifier of the other communicating entities, such as their telephone number, image, email address or another similar one. Based on what was pointed out by Shamir in [1], the important advantage of Identity-Based cryptosystems is replacing the entities' public-keys by this identifier.
To conclude what was pointed out in this section, it can be claimed that although certificate-based cryptosystems could solve the problem of public-key validity of authorized entities by the use of a CA (Certification Authority), the need for a valid certificate for the CA's public-key in these systems led to a new concern, which is the complex management of a Public Key Infrastructure (PKI). As a result, Identity-Based cryptosystems are a useful and admissible technique to avoid this problem. The reason is that replacing the users' public-keys by their identities eliminates the need for certificates and all the consequences of managing them.
IV. IDENTITY-BASED CRYPTOGRAPHIC PRIMITIVES
This section describes the algorithms used by four fundamental cryptographic primitives, which are Encryption, Digital Signature, Identification, and Key Agreement, in the context of Identity-Based cryptosystems. Following our standardization, it is possible to classify an Identity-Based scheme of the mentioned primitives into four phases. The first and second phases are two algorithms named SETUP and EXTRACTION. The SETUP algorithm takes the security parameter and generates the publicly known parameters, Params, and a confidential secret named the Master-key. Both of these algorithms must be executed by a trusted third party named the Private Key Generator (PKG). The second algorithm, EXTRACTION, is an interaction between the existing users and the PKG in order to generate and distribute the private-keys. However, the third and fourth algorithms depend on the category of the considered cryptographic scheme. These algorithms for each security primitive are as follows:
(i) Encryption
The third and fourth algorithms of the Encryption primitive are named ENCRYPT and DECRYPT, respectively. In the ENCRYPT algorithm, the first party computes the transformed message, named the Ciphertext, by taking the plaintext, Params and the second party's identity. The second party is responsible for executing the DECRYPT algorithm in order to compute the plaintext by taking the ciphertext, Params and his own private-key.
(ii) Digital Signature
The third and fourth algorithms of the Digital Signature primitive are named SIGNING and VERIFICATION, respectively. In the SIGNING algorithm, the first party computes the signed message by taking the message, Params and his own private-key. The second party is responsible for executing the VERIFICATION algorithm in order to verify the signature by taking the signed message, Params and the second party's identity.
(iii) Identification
The Identification scheme proposed by Fiat and Shamir [16] is the basis of the algorithms of recently proposed Identification schemes. In the mentioned Identification scheme, the authors assumed that the Prover and the Verifier are the involved entities, which execute two algorithms named Proving and Verification. It is worth noting that the Proving algorithm consists of three sub-algorithms named COMMITMENT, CHALLENGE and RESPONSE, respectively. In the COMMITMENT algorithm, the Prover sends a one-way function of a randomly chosen value

to the Verifier. Then, in the CHALLENGE algorithm, the Verifier randomly chooses a value from the set and sends it back to the Prover. In the RESPONSE algorithm, the Prover computes a deterministic function of this received value, the private-key of the entity expected from the Verifier's viewpoint and the randomly chosen value of the COMMITMENT sub-phase, then sends the result back to the Verifier. The second party, the Verifier, is responsible for executing the VERIFICATION algorithm in order to decide whether to accept or reject the claimed identity.
(iv) Key Agreement
The third and fourth algorithms of Identity-Based Key Agreement primitives are named MATERIAL-EXCHANGE and SESSION-KEY-COMPUTATION, respectively. In the MATERIAL-EXCHANGE algorithm, the participants must each compute a one-way function of a randomly chosen value and exchange it. Then, in the SESSION-KEY-COMPUTATION algorithm, the participants are responsible for computing the session-key based on Params and the other public and secret parameters they possess.
V. SAMPLES OF IDENTITY-BASED SCHEMES
After the appearance of the first fully functional Identity-Based cryptographic scheme, the Identity-Based Encryption scheme by Boneh and Franklin [5], many Identity-Based cryptographic schemes have been proposed. Since this area is very broad, the contents of this section are investigations of some instances of Identity-Based schemes over the four mentioned fundamental cryptographic primitives.
Before introducing the samples, it is necessary to note that the used Bilinear Pairings are defined over two groups and in the form . The order of both groups and is the prime number . Moreover, the identity of the entity i is a string of characters or . In addition, and are five one-way collision-free hash functions. The following subsections introduce one sample of each Identity-Based primitive.
A. An Identity-Based Encryption scheme
In this section, we introduce the Identity-Based Encryption scheme that has been proposed by Boneh and Franklin [5]. The phases of this scheme are as follows:
SETUP: In this phase, the proposed SETUP algorithm takes the security parameter and generates the Master-key and Params such that:
Here, is a chosen high order element of and is the block size of plain-texts and cipher-texts.
EXTRACT: In this phase, a user such as , who possesses , refers to the PKG to take the corresponding private-key. Assume that and are the corresponding public-key and private-key, respectively. These values are computed as Eq.1 and Eq.2:
(Eq.1)
(Eq.2)
ENCRYPT: In this phase, the Encryption algorithm takes the pair as the plain-text message and the identity of the second party, then chooses the random value and generates the cipher-text as in (Eq.3):
(Eq.3)
DECRYPT: In this phase, the DECRYPT algorithm takes the pair as the cipher-text and computes the plain-text as in (Eq.4):
(Eq.4)
Besides what was mentioned above, the authors evaluated the security of the scheme and proved that the proposed scheme is secure under the assumption that the Bilinear Diffie-Hellman (BDH) problem is hard.
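As an added illustration (not code from this paper or from Boneh and Franklin), the following Python sketch runs the four phases described above, SETUP, EXTRACT, ENCRYPT and DECRYPT, and also checks the bilinearity property from Section II.A. It assumes a symmetric toy pairing e(a, b) = g^(ab) mod p on G1 = (Z_q, +) and the order-q subgroup of Z_p^* in place of an elliptic-curve pairing, which keeps the algebra of the scheme intact but carries no security, since discrete logarithms in this G1 are trivial; the parameters, hash choices and identities are constructed for the example.

```python
"""Toy walk-through of the Boneh-Franklin IBE phases on a pedagogical pairing.

Assumed model (not the paper's): G1 = (Z_q, +), G2 = order-q subgroup of Z_p^*,
e(a, b) = g^(a*b) mod p. Bilinear, non-degenerate and computable, but discrete
logs in this G1 are trivial, so the construction carries no security at all.
"""
from __future__ import annotations

import hashlib
import secrets

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
# the order-q subgroup of Z_p^* (a quadratic residue different from 1).
Q = 1019
P_MOD = 2039
G = 4
N = 32  # block size n of plaintexts/ciphertexts, here the SHA-256 digest length
G2_BYTES = (P_MOD.bit_length() + 7) // 8


def pairing(a: int, b: int) -> int:
    """Toy bilinear map e: G1 x G1 -> G2, e(a, b) = g^(a*b) mod p."""
    return pow(G, (a * b) % Q, P_MOD)


def is_bilinear(a: int, b: int, x: int, y: int) -> bool:
    """Bilinearity check: e(x*a, y*b) must equal e(a, b)^(x*y)."""
    lhs = pairing(x * a % Q, y * b % Q)
    return lhs == pow(pairing(a, b), (x * y) % Q, P_MOD)


def h1(identity: str) -> int:
    """H1: {0,1}* -> G1 minus {0}; maps an identity string to a non-zero element."""
    digest = hashlib.sha256(identity.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def h2(element: int) -> bytes:
    """H2: G2 -> {0,1}^n; derives the n-byte mask from a G2 element."""
    return hashlib.sha256(element.to_bytes(G2_BYTES, "big")).digest()


def setup() -> tuple[int, dict]:
    """SETUP (run by the PKG): Master-key s and Params = (P, P_pub = s*P)."""
    s = 1 + secrets.randbelow(Q - 1)
    params = {"P": 1, "P_pub": s % Q}  # P = 1 generates (Z_q, +)
    return s, params


def extract(master_key: int, identity: str) -> tuple[int, int]:
    """EXTRACT (run by the PKG): Q_ID = H1(ID) and d_ID = s*Q_ID."""
    q_id = h1(identity)
    return q_id, master_key * q_id % Q


def encrypt(params: dict, identity: str, message: bytes) -> tuple[int, bytes]:
    """ENCRYPT: pick random r, output (U = r*P, V = M xor H2(e(Q_ID, P_pub)^r))."""
    if len(message) != N:
        raise ValueError(f"plaintext block must be exactly {N} bytes")
    r = 1 + secrets.randbelow(Q - 1)
    u = r * params["P"] % Q
    g_id = pow(pairing(h1(identity), params["P_pub"]), r, P_MOD)
    return u, bytes(m ^ k for m, k in zip(message, h2(g_id)))


def decrypt(private_key: int, ciphertext: tuple[int, bytes]) -> bytes:
    """DECRYPT: M = V xor H2(e(d_ID, U)). Correctness follows from bilinearity:
    e(d_ID, U) = e(s*Q_ID, r*P) = e(Q_ID, P)^(s*r) = e(Q_ID, P_pub)^r."""
    u, v = ciphertext
    return bytes(c ^ k for c, k in zip(v, h2(pairing(private_key, u))))


def roundtrip(identity: str, message: bytes) -> bool:
    """Run all four phases once; True iff the recipient recovers the plaintext."""
    s, params = setup()
    _, d_id = extract(s, identity)
    return decrypt(d_id, encrypt(params, identity, message)) == message


if __name__ == "__main__":
    block = hashlib.sha256(b"constructed sample plaintext").digest()  # 32 bytes
    print("bilinearity holds:", is_bilinear(3, 5, 7, 11))
    print("IBE round trip:", roundtrip("alice@example.com", block))
```

Decrypting with any key other than d_ID yields a different mask, which is the point the bilinearity argument in DECRYPT makes precise.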
B. An Identity-Based Digital Signature scheme
In this section, we introduce the Identity-Based Digital Signature scheme that has been proposed by Hess [17]. In what follows, the phases of this scheme are introduced.

SETUP: In this phase, the Master-key and Params are as follows:
Here, is a chosen high order element of .
EXTRACT: In this phase, a user who possesses a unique identity such as , refers to the PKG to take the corresponding private-key. Assume that and are the corresponding public-key and private-key, respectively. These values are computed as shown in (Eq.5) and (Eq.6):
(Eq.5)
(Eq.6)
SIGNING: In the SIGNING phase, the signer takes the message , which could be any string of characters or an element of the set , and chooses a random value and an arbitrary element . Then, after computing the value , the signature would be the pair such that and are as follows:
(Eq.7)
(Eq.8)
VERIFICATION: In this phase, the Verifier entity takes the public-pair of the Signer, , the message and the signature to compute the value of as in (Eq.9).
(Eq.9)
Then, the Verifier accepts the signature if and only if (Eq.10) holds.
(Eq.10)
Continuing what was mentioned above, it is worth noting that the author evaluated the security of the proposed scheme by proving that it is secure under the assumption that the Weak Diffie-Hellman (WDH) problem is hard.
C. An Identity-Based Identification sample
In this section, we introduce the Identity-Based Identification scheme that has been proposed by Kurosawa and Heng [18]. The five phases of this scheme are as follows:
SETUP: In this phase, the Master-key and Params are as follows:
Here, is a chosen high order element of .
EXTRACT: In this phase, users can interact with the PKG to take their private-key. For instance, assume that a user who possesses identity tries to take the corresponding private-key from the PKG. In this case, the PKG randomly chooses , and computes . Then, the user's private-key would be:
COMMITMENT: In this phase, the Prover randomly chooses and computes (Eq.11).
(Eq.11)
Then he sends to the Verifier entity.
CHALLENGE: In this phase, the Verifier randomly chooses and sends it to the Prover.
RESPONSE: In this phase, the Prover computes and returns the value to the Verifier entity.
VERIFICATION: In this phase, the Verifier accepts the claimed identity of the Prover if and only if
Besides what was mentioned above, it is worth mentioning that the authors proved that the proposed scheme is secure by a reduction to the Boneh-Boyen signature scheme [19], which is in turn provably secure by a reduction to the k-Strong Diffie-Hellman (k-SDH) hard problem.
D. An Identity-Based Key Agreement scheme
In this section, we investigate the Identity-Based Key Agreement scheme that has been proposed by Wang [20]. The phases of this proposed scheme are as follows:

SETUP: In this phase, the proposed SETUP algorithm takes the security parameter and generates the Master-key and Params:
Here, is a chosen high order element of , such as one of the generators.
EXTRACT: In this phase, assume that a user who possesses the identity , refers to the PKG to take the corresponding private-key. Moreover, assume that and are the notations of the corresponding public-key and private-key, respectively. These values are computed as in (Eq.12) and (Eq.13):
(Eq.12)
(Eq.13)
MATERIAL-EXCHANGE: In the first step of this phase, the first and the second communicating parties, A and B, randomly choose the values and , respectively. Then, the first party sends to the second one, while the second party sends to the first party. It is necessary to point out that the communicating parties compute the value before performing the next phase.
SESSION-KEY-COMPUTATION: In this phase, the first communicating party computes , while the second one computes . As a result, the final value of the shared session key would be .
It is worth noting that the author proved that this scheme is secure under the assumption that solving the Decisional Bilinear Diffie-Hellman (DBDH) problem is hard in the utilized algebraic groups.
VI. CONCLUSION
The goal of this paper is to present an integrated document that introduces the position of Identity-Based cryptosystems along with their importance in the cryptographic literature. To reach this goal, this paper paid particular attention to the fundamental cryptographic primitives, which are Encryption, Digital Signature, Identification, and Key Agreement. In order to make the functionality of this category of cryptosystems more understandable, a separate section presents a subset of Provably Secure samples in the mentioned scientific area.
REFERENCES
[1] A. Shamir (1984). Identity-Based Cryptosystems and Signature Schemes. In Advances in Cryptology - CRYPTO 1984, Lecture Notes in Computer Science 196, Springer-Verlag, Berlin.
[2] A. Menezes, T. Okamoto, S. Vanstone (1993). Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory.
[3] G. Frey, H. Ruck (1994). A Remark Concerning m-Divisibility and the Discrete Logarithm in the Divisor Class Group of Curves. Mathematics of Computation.
[4] A. Joux (2000). A One-Round Protocol for Tripartite Diffie-Hellman. Algorithmic Number Theory Symposium (ANTS-IV).
[5] D. Boneh, M. Franklin (2001). Identity-Based Encryption from the Weil Pairing. Advances in Cryptology - CRYPTO.
[6] N.P. Smart (2002). An identity based authenticated key agreement protocol based on the Weil pairing. Electronics Letters 38, pp. 630-632.
[7] L. Chen, C. Kudla (2003). Identity based authenticated key agreement from pairings. In: IEEE Computer Security Foundations Workshop, pp. 219-233.
[8] Q. Yuan, S.A. Li (2005). A new efficient ID-based authenticated key agreement protocol. Cryptology ePrint Archive, Report 2005/309.
[9] L. Chen, Z. Cheng, N.P. Smart (2007). Identity-Based Key Agreement Protocols from Pairings. International Journal of Information Security, Springer.
[10] M. Joye, G. Neven (2008). Identity-Based Cryptography. Cryptology and Information Security Series, Volume 2. IOS Press.
[11] V. Miller (1986). Short Programs for Functions on Curves. Unpublished manuscript.
[12] J. Tate (1963). "Duality Theorems in Galois Cohomology over Number Fields". Proceedings of the International Congress of Mathematicians (Stockholm, 1962), Djursholm: Inst. Mittag-Leffler.
[13] J. Capco (2003). "Weil Pairings on Elliptic Curves".

[14] NIST Recommendation for Key Management, Part 1: General. NIST Special Publication 800-57, August 2005.
[15] ECRYPT Yearly Report on Algorithms and Keysizes (2004).
[16] A. Fiat and A. Shamir (1987). How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Advances in Cryptology - CRYPTO '86, LNCS 263, Springer-Verlag.
[17] F. Hess (2002). Efficient Identity Based Signature Schemes Based on Pairings. SAC 2002, LNCS 2595, pp. 310-324, Springer-Verlag.
[18] K. Kurosawa and S.-H. Heng (2005). Identity-based identification without random oracles. Information Security and Hiding (ISH 05, in conjunction with ICCSA 05), LNCS 3481, pp. 603-613, Springer-Verlag.
[19] D. Boneh and X. Boyen (2004). Short signatures without random oracles. Advances in Cryptology - EUROCRYPT 04, LNCS 3027, pp. 56-73, Springer-Verlag.
[20] Y. Wang (2013). Efficient Identity-Based and Authenticated Key Agreement Protocols. Transactions on Computational Science XVII.
