To: cypherpunks@cyberpass.net Subject: non-interactive forward secrecy / identity based crypto From: Adam Back Date: Sun, 31 May 1998 12:24:01 +0100 Some time back I posed the problem of constructing a function exhibiting non-interactive forward secrecy. My earlier attempts at constructing such a function got as far as considering Diffie-Hellman with a composite modulus (ie like an RSA modulus n = p.q), to allow one to compute discrete logarithms using the knowledge of p and q, and then destroy p and q losing the advantage of computing discrete logarithms mod n. (Thanks to Lewis McCarthy for comments on this earlier). The advantage is not great enough to be practical because computing discrete logarithms in for example 512 bit fields is feasible, but pretty expensive, and yet we would like to use public keys 1024 bits or larger. It seemed plausbile that one could speed up the discrete logarithm operation mod n by giving p and q special forms which did not as a side effect weaken the hardness of factoring the resulting n. At this point I ran out of expertise. However in trying to come up to speed on discrete logarithm algorithms to work on this problem, I discover that the identity based crypto people have already used this very construct and solved the problem. There is a class of crypto called identity based crypto where one employs a Trusted Agent to compute private keys for users based on the users identity. This is useful because it removes the need for key distribution as the users identity _is_ their public key. However it has the killer disadvantage that the Trusted Agent can decrypt any traffic (yuck!) So all we have to do to convert such identity based schemes into non-interactive forward secrecy schemes is to act as our own identity based crypto protocol "trusted agent" during key generation, and destroy the trusted agents private keys after key generation. Generate ourselves as big a set of conveniently reproducable "identities" as we require, and generate the corresponding private keys. Then we can destroy private keys and no longer be able to re-create them. An example scheme is therefore: Choose primes p and q with special forms to speed up discrete log algorithm, n = p.q Key generation private information: p, q (destroyed after key generation) Public keys: n, y_0, g (g is not technically a generator as n is not prime) Private keys: x_i Where: x_i computed by discrete log from relation: y_i = g ^ x_i mod n using special form p and q Encryption (standard Elgamal with the current time period public key y_i): a = g ^ k mod n b = y_i ^ k M mod n Decryption: M = b / a ^ x_i mod n Forward secrecy is obtained by deleting x_i. y_0 could be any standardised shared constant. y_i any function to combine time value i with y_0 to arrive at unique y_i, for example: y_i = y_0 + i or y_i = h( y_0 || i ) The public key for this scheme is therefore no larger than typical for public key crypto systems not exhibiting forward secrecy. The recipient would delete x_i values after appropriate delay to allow for time taken for message delivery. Or the originator could delay deletion by selecting a public key for a period i further in the future. I think this should be practical enough to implement into mixmaster as a way to introduce forward secrecy. I also think it should be practical for for example a new algorithm for PGP. There are tradeoffs in reliability -- for high paranoia where the sender doesn't want the message to be recoverable even hours after sending the chances of the message being rendered unreadable due to delivery delays are increased. However time periods of a month or so are probably practical and likely introduce little extra unreliability based on typical delivery delays. Messages after a reply to a first message could be made more immediately forward secret using normal forward secrecy techniques if more immediate forward secrecy were deemed useful. Below are some references from Handbook of Applied cryptography which I would be interested on comments on, online referenes to, or summaries of. -Adam Handbook of Applied Cryptography: p114 references p536 on composite fields (Zn*,n=p.q) p537 references Shmuely [1127] and McCurley [825] consider composite Diffie-Hellman p538 says and references: Maurer and Yacobi [824] (modifying their earlier proposal [823]) propose an identity-based one-pass key pre-distribution scheme using composite modulus Diffie-Hellman, featuring implicitly-certified public key-agreement keys essentially consisting of a users identity (or email address); the corresponding private key is the discrete logarithm of this, computed by a trusted authority which, knowing the factorization of an appropriately chosen modulus n, can thereby compute logarithms. p538 says and references: Okamoto and Tanaka [946] propose identity-based key agreement protocols combining exponentail key agreement and RSA, including one using timestamps and providing entity authentication, anda simpler protocol providing (implicit) key authentication. [823] U Maurer and Y Yacobi "Non-interactive public key cryptography", Advances in Cryptology, Eurocrypt 91 (LNCS 547), 498-507, 1991 [824] U Maurer and Y Yacobi "A remark on a non-interactive public-key distribution system", Eurocrypt 92 (LNCS 658), 458-460, 1993 [825] K S McCurley "A key distribution system equivalent to factoring", Journal of Cryptology, 1 (1998), 95-105 [946] E Okamoto and K Tanaka "Key distribution system based on identification information", IEEE Journal on Selected Areas in Communications, 7 (1989), 481-485 [1127] T Okamoto, "A single public-key authentication scheme for multiple users", Systems and Computers in Japan, 18 (1987), 14-24. Translated from Denshi Tsushin Gakkai Ronbunshi vol 69-D no.10, October 1986, 1481-1489.