Authentication and protection of public keys


Computers & Security, 13 (1994) 581-585

Chi-Sung Laih¹, Wen-Hong Chiou¹ and Chin-Chen Chang²

¹Department of Electrical Engineering, National Cheng Kung University, Tainan, Taiwan, Republic of China
²Institute of Computer Science and Information Engineering, National Chung Cheng University, Chiayi 62107, Taiwan, Republic of China

We propose a model, which is a hybrid of an ID-based scheme and a certificate-based scheme, to solve the authentication problem for users' public keys. Our model is used to improve the scheme presented by Girault at EUROCRYPT '91.

Keywords: ID-based scheme, Certificate-based scheme, Authentication.

1. Introduction

In a conventional public-key cryptosystem, each user has a key pair (s, P), where s is a secret key known only to this user and P is the user's public key. The public keys of users in the system are always stored in a public file of the system and, if they are in an open environment, are vulnerable to active attacks such as the substitution of a forged key for an original one. Thus, the authentication and protection of the public keys stored in a public file are very important, since an intruder may impersonate any intended user in the system by forging the user's public key. Some researchers have therefore suggested that these public keys should be authenticated by a key authentication centre (KAC). However, the security of the system then depends completely on the honesty of the KAC; i.e., the users must completely trust the KAC. In [1], Girault discussed this topic in detail and defined three levels of 'trust'. In Section 2, we will review some results obtained by Girault. Then a more powerful scheme than Girault's will be presented in Section 3 and discussed in Section 4. Finally, in Section 5, we will give some conclusions.

0167-4048/94/$7.00 © 1994, Elsevier Science Ltd

2. Recent research

Recent research results on the topic of key authentication were summarized in [1]. Firstly, three levels of 'trust' are introduced, as follows.

Level 1 (ID-based scheme). In ID-based schemes, introduced by Shamir [2] in 1984, the public key is nothing but the identity I (i.e. P = I); thus the schemes do not require a public file to store users' public keys. Although the schemes have no key authentication problem, the authority (called the trusted centre, TC) can impersonate any user at any moment, since secret keys are calculated by the TC itself. Therefore, the trust level of such systems is the lowest.


It can be seen that the weakness of Level 1 is that the TC knows (or can easily compute) the users' secret keys and therefore can impersonate any user at any time without being detected.

Level 2 (certificate-based scheme). In certificate-based schemes [3, 4], each user (say, user i) sends his public key, $P_i$, to the authority (called the key authentication centre, KAC). After the identity of user i has been verified by the KAC, the KAC signs user i's public key $P_i$, producing $P_i$'s signature, $S(P_i)$, which is often called the certificate. Then the KAC stores the certificate along with $P_i$ in the public file. When someone needs, for example, to access the public key $P_i$ of user i, he can use user i's certificate, $S(P_i)$, to check whether $P_i$ is forged or not, with the help of the KAC's public key, which everybody is supposed to know. The schemes also have no key authentication problem, since an intruder cannot forge the certificate. At this level, the KAC does not know users' secret keys. Nevertheless, the KAC can still impersonate a user by generating false certificates. We can see that the weakness of Level 2 is that the KAC can still impersonate a user by generating false certificates, even if it has no idea at all of users' secret keys.

Level 3 (self-certified public keys). Due to the weaknesses of Level 1 and Level 2, Girault [1] recently proposed a new concept, 'self-certified public keys', and defined that a public-key scheme is said to be at Level 3 if the authority (also called KAC) cannot compute the users' secret keys, and if it can be proven that it generates false certificates of users if it does so. Schemes using self-certified public keys are intermediate between certificate-based and ID-based ones. That is, they are neither certificate-based nor ID-based. This is because there is no separate certificate and the public key is not restricted to the identity. An example in [1] gave a clear concept of such schemes. The key authentication process of that example is described as follows:

1. The authority (KAC) generates some parameters for the RSA public-key cryptosystem [5]. They are a large integer $n$ which is the product of two large prime factors $p$ and $q$, an integer $e$ coprime to $p - 1$ and $q - 1$, and the inverse, $d$, of $e$ modulo $(p - 1)(q - 1)$. Then KAC computes an integer $g$ of maximal order in the multiplicative group $(\mathbb{Z}/n\mathbb{Z})^*$, with usual notations. The parameters $n$, $e$ and $g$ are published by KAC while $p$, $q$ and $d$ are kept secret.
2. A user, say A, generates a random number, $s_A$, as his secret key and computes $\alpha = g^{s_A} \bmod n$.
3. A sends $ID_A$ and $\alpha$ to the KAC.
4. After verifying the identity of A, KAC sends the new public key $P_A$ to A, where $P_A = (g^{s_A} - ID_A)^d \pmod{n}$.

If a user, say B, wants to access A's original public information (key) $\alpha$, then A sends $P_A$ to B (or B directly accesses $P_A$ from a public file). Thus, B can obtain A's original public key by computing only $P_A^e + ID_A \pmod{n} = g^{s_A} \pmod{n}$.

The public key itself in such a scheme is a certificate. This is why it is called a 'self-certified public key'. An intruder cannot forge the public key since he does not know the secret key, $d$, of KAC. When we want to access a user's original public key, it can be easily obtained by using the public key, $e$, of KAC. As a consequence, the schemes contribute to reducing the amount of storage (= half that of the certificate-based scheme) while secret keys are still chosen by the users themselves and remain unknown to the authority.

If we do not need cryptographic protocols to be noninteractive, then the public files in these schemes can be removed, since the self-certified public keys are related to the users' identities. In this case, the storage needed is equal to that of ID-based schemes. If there exist two (or more) KACs in the schemes, and hence two (or more) self-certified public keys for the same user, then cheating by the KAC(s) can be easily detected if there exists at least one honest KAC and, thus, the schemes reach Level 3. Of course, the certificate-based schemes can also reach Level 3 if two (or more) KACs exist in the schemes. However, this leads to additional parameters to store and more computations to perform, so it would be helpful to design schemes which are not certificate-based but can still achieve Level 3.

3. Our proposed strategy

If all authorities conspire to forge the users' public keys in the schemes defined in Level 3, then they can also impersonate any user at any time. As a consequence, we can absolutely claim that there does not exist a system which is secure under the conspiracy of all authorities. However, a system which is served by two (or more) authorities is more secure since, if there exists an honest authority, the system can detect whether other authorities cheat or not. Therefore, our proposed strategy is based on a system with two (or more) authorities. Schemes defined in Level 3 have the ability that a cheating authority can be detected if there exists at least one honest authority, but the schemes cannot tell which authority is dishonest. In some cases (to be discussed later), our proposed scheme can detect which authority is untrustworthy.

The scheme proposed by us is a hybrid of ID-based and certificate-based schemes. For more clarity, we call the authority of the ID-based scheme IDC (identity centre) and the authority of the certificate-based scheme KAC (key authentication centre). Now, we give an example to describe our strategy as follows (note that the system proposed by Okamoto and Tanaka [6] acts as the ID-based scheme in the hybrid scheme, and KAC uses the RSA scheme to sign users' public keys as a certificate).

1. Both IDC and KAC generate RSA key pairs. The parameters of IDC are (1) public key: $(e_1, n_1)$; (2) secret key: $d_1$. The parameters of KAC are (1) public key: $(e_2, n_2)$; (2) secret key: $d_2$; where $n_2 > n_1$. They also compute an integer $g$ of maximal order in the multiplicative group $(\mathbb{Z}/n_1\mathbb{Z})^*$, with usual notations.
2. A user, say A, with identity $ID_A$, registers with IDC.
3. After the identity of A has been verified by IDC, the IDC generates A's secret information $s_A$ as $s_A = ID_A^{d_1} \bmod n_1$ and returns $s_A$ to A.
4. A generates a random number, $r_A$, and computes $K_A = s_A^{-1} g^{r_A} \pmod{n_1}$; then $g^{e_1 r_A} \pmod{n_1}$ is A's original public key and $r_A$ is A's secret key.
5. A sends $K_A$ to KAC.
6. After verifying the identity of A, KAC sends the new public key, $P_A$, to A, where $P_A$ is KAC's RSA signature on $K_A$, so that $P_A^{e_2} \pmod{n_2} = K_A$.

If a user, say B, wants to access A's original public key, $g^{e_1 r_A} \bmod n_1$, then A sends $P_A$ to B (or B directly accesses $P_A$ from a public file). Thus, B can obtain A's original public key by computing

(1) $P_A^{e_2} \pmod{n_2} = K_A$

(2) $K_A^{e_1} \cdot ID_A \pmod{n_1} = (s_A^{-1} g^{r_A})^{e_1} \cdot ID_A \pmod{n_1} = g^{e_1 r_A} \pmod{n_1}$
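As an added toy-size walk-through (example code written here, not the paper's), the following Python implements both Girault's self-certified keys of Section 2 and the hybrid IDC/KAC scheme of Section 3 with constructed small primes, a constructed identity and constructed secrets, and checks what a KAC that lacks $s_A$ recovers when it signs a key of its own choosing (the situation of CASE 2 in Section 4). Real deployments need full-size RSA moduli; the primes, $g$ search and values below are only for illustration.

```python
from math import gcd

def rsa_params(p, q, e):
    """(n, e, d) with d the inverse of e modulo (p-1)(q-1), as in the paper."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return p * q, e, pow(e, -1, phi)

def max_order_g(n, p, q):
    """Smallest g of maximal order lcm(p-1, q-1) in (Z/nZ)* (brute force, toy sizes only)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    fac = [f for f in range(2, lam + 1) if lam % f == 0 and all(f % k for k in range(2, f))]
    return next(g for g in range(2, n)
                if gcd(g, n) == 1 and all(pow(g, lam // f, n) != 1 for f in fac))

# Girault's self-certified key (Section 2): the public key itself is the certificate.
def girault_issue(n, d, g, ident, s):
    return pow((pow(g, s, n) - ident) % n, d, n)     # P_A = (g^s - ID_A)^d mod n
def girault_recover(n, e, ident, p_a):
    return (pow(p_a, e, n) + ident) % n              # P_A^e + ID_A = g^s mod n

# Hybrid scheme (Section 3): IDC issues s_A, KAC RSA-signs K_A; needs n2 > n1.
def idc_secret(n1, d1, ident):
    return pow(ident, d1, n1)                        # s_A = ID_A^{d1} mod n1
def user_key(n1, g, s_a, r_a):
    return pow(s_a, -1, n1) * pow(g, r_a, n1) % n1   # K_A = s_A^{-1} g^{r_A} mod n1
def kac_sign(n2, d2, k_a):
    return pow(k_a, d2, n2)                          # P_A = K_A^{d2} mod n2

def hybrid_recover(n1, e1, n2, e2, ident, p_a):
    k_a = pow(p_a, e2, n2)                           # (1) exact, since K_A < n1 < n2
    return pow(k_a, e1, n1) * ident % n1             # (2) K_A^{e1} ID_A = g^{e1 r_A} mod n1

def demo(ident=1234, s=29, r_a=77, r_forged=91):
    """Returns (girault_ok, hybrid_ok, kac_alone_forgery_ok) for constructed toy values."""
    n1, e1, d1 = rsa_params(61, 53, 17)              # IDC: constructed toy primes, n1 = 3233
    n2, e2, d2 = rsa_params(101, 103, 7)             # KAC: n2 = 10403 > n1
    g = max_order_g(n1, 61, 53)
    p_g = girault_issue(n1, d1, g, ident, s)
    girault_ok = girault_recover(n1, e1, ident, p_g) == pow(g, s, n1)
    s_a = idc_secret(n1, d1, ident)
    p_a = kac_sign(n2, d2, user_key(n1, g, s_a, r_a))
    hybrid_ok = hybrid_recover(n1, e1, n2, e2, ident, p_a) == pow(g, e1 * r_a, n1)
    # CASE 2 of Section 4: a dishonest KAC without s_A can only sign a K' built from a
    # secret r' it knows; everybody then recovers g^{e1 r'} * ID_A rather than g^{e1 r'},
    # so the forger holds no secret key for the recovered public key.
    p_forged = kac_sign(n2, d2, pow(g, r_forged, n1))
    forged_ok = hybrid_recover(n1, e1, n2, e2, ident, p_forged) == pow(g, e1 * r_forged, n1)
    return girault_ok, hybrid_ok, forged_ok
```

`demo()` returns `(True, True, False)`: both honest flows recover the user's original public key, while the KAC-only forgery yields a key that does not match the secret the forger chose.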

Here, we note that $n_2 > n_1$.

4. Discussion

For simplicity, we only consider two KACs (say, KAC1 and KAC2) in our proposed scheme or in any scheme defined in Level 3. We note here that, in addition to two KACs, one IDC also exists in our scheme, but the total public information is still just two items, the same as in the scheme proposed by Girault [1]. In some cases, our scheme can detect which KAC is dishonest.

CASE 1. (IDC: honest, KAC1: honest, KAC2: honest)

In this case, our scheme has absolutely no problem, nor does any scheme defined in Level 3 (denoted by SCHEME-3).

CASE 2. (IDC: honest, KAC1: dishonest, KAC2: honest)

Suppose an intruder ($ID_I$) conspiring with KAC1 wishes to impersonate someone in the system. Since IDC is honest, KAC1 cannot know the secret information of any user and thus cannot forge his public key. So, if a verifier uses an identification protocol (IP) to verify $ID_I$ twice (note that, since two KACs are supposed to exist and hence two public keys, the verifier will run the IP twice), then $ID_I$ cannot pass both of these two identification processes. Therefore, $ID_I$ is unable to impersonate anybody in the system. If a verifier uses an IP to verify a truly legal user (say, user L), and suppose the original public key pair $(P_{L1}, P_{L2})$ of user L is forged as $(P_{L1}', P_{L2})$ since KAC1 is dishonest, then user L will pass the IP only once. The failure of user L shows that the public key is forged, and the dishonest KAC is hence disclosed. In SCHEME-3, on the other hand, both $ID_I$, who conspires with KAC1, and user L can pass the IP once; thus which KAC is dishonest cannot be detected.

CASE 3. (IDC: honest, KAC1: honest, KAC2: dishonest)

The discussion of this case is similar to that of CASE 2.

CASE 4. (IDC: honest, KAC1: dishonest, KAC2: dishonest)

Even if $ID_I$ conspires with KAC1 and KAC2, he still cannot pass both of these two identification processes. If a verifier uses an IP to verify user L, then user L fails to pass either identification process, and therefore KAC1 and KAC2 are both proven to be dishonest.

CASE 5. (IDC: dishonest, KAC1: honest, KAC2: honest)

If $ID_I$ conspires with IDC and gets secret information, then he is still unable to pass either identification process, since he does not know the real secret keys of the public key pair.

CASE 6. (IDC: dishonest, KAC1: dishonest, KAC2: honest)

This case is the opposite of CASE 2. The honest KAC is regarded as a dishonest one while the dishonest KAC becomes an honest one.

CASE 7. (IDC: dishonest, KAC1: honest, KAC2: dishonest)

This case is the opposite of CASE 3. The discussion is similar to that of CASE 6.

CASE 8. (IDC: dishonest, KAC1: dishonest, KAC2: dishonest)

In this case, our scheme will break down. We have already claimed that no system can be secure under the conspiracy of all KACs.

From the above discussions, in CASES 5, 6 and 7 the existence of cheating KAC(s) can be detected in our scheme, while in CASES 2, 3 and 4 our scheme has the ability to detect which KAC(s) has cheated. In addition, our proposed strategy is to impose the charge of 'unequal conspiracy' on IDC and KACs whenever they attempt to conspire to impersonate any user. Here 'unequal conspiracy' means that only KACs dominate the process of generating false certificates (and hence public keys), and IDC just plays a passive role. From the example described previously, if these two authorities (IDC and KAC) conspire to forge A's public key, then KAC is the dominant one, since IDC must leak A's secret information, $s_A$, to KAC while KAC discloses nothing but the false secret key (say, $r_A'$) used only for this conspiracy. Therefore, if IDC leaks $s_A$ to KAC, then IDC loses its domination for any second conspiracy with KAC. After that, KAC can forge A's public key and $s_A$ without any help from IDC. Such unequal conspiracy possibly makes IDC more likely to be honest, because it may not get any benefit from cooperating with KAC. Therefore, we believe that the 'trust' level of our proposed strategy is much higher than that of the schemes defined in Level 3.

5. Conclusions

In our proposed scheme, if IDC is honest, then which KAC(s) is dishonest can be detected. This makes our scheme more powerful than Girault's [1].

In Section 3, we claim that no system can still be secure under the conspiracy of all authorities. Since the authorities in the schemes defined in Level 3 have equal domination when they conspire to generate false public keys, they may agree to cooperate together. Our proposed strategy makes the contradiction of unequal conspiracy exist between IDC and KAC. Thus it greatly reduces the possibility of cooperation between IDC and KAC. The trust level of our proposed strategy is believed to be much higher than that of the schemes defined in Level 3. Besides, the authorities in our proposed strategy cannot know the secret keys of users, just as those in the schemes defined in Level 2 and Level 3 cannot. Further, our proposed strategy does not need a public file (as in the case of noninteractive cryptographic protocols), just as the schemes defined in Level 1 and Level 3 do not, since the public keys in our proposed strategy are also related to the users' identities. This is so even if, in noninteractive cryptographic protocols, the required storage of our proposed strategy is always slightly less than that of the schemes defined in Level 3.

References

[1] M. Girault, Self-certified public keys, in Proceedings of EUROCRYPT '91, 1991, pp. 490-497.
[2] A. Shamir, Identity-based cryptosystems and signature schemes, in Proceedings of CRYPTO '84, 1984, pp. 47-53.
[3] G.J. Simmons, Contemporary Cryptology: The Science of Information Integrity, IEEE Press, New York, 1992, pp. 190-195.
[4] L.M. Kohnfelder, A Method for Certification, MIT Laboratory for Computer Science, Cambridge, MA, MIT Press, May 1978.
[5] R.L. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, CACM, 21 (Feb. 1978) 120-126.
[6] E. Okamoto and K. Tanaka, Key distribution system based on identification information, IEEE J. Sel. Areas Commun., 7(4) (May 1989) 481-485.