Security Vulnerability in Identity-based Public Key Cryptosystems

from PairingsBy Jyh-haw Yeh

Boise State UniversityICIKM 2013

Identity-based Public Key Cryptosystems (IDPKC)How do you know the other party’s public

key is a valid one?Traditional PKC requires a certificate authority

(CA) to issue a public key certificate. With the certificate, the key can be verified.

IDPKC: all public keys are generated based on the owner’s identity. Thus, no CA required.

IDPKC from PairingsSetup: A PKG (public key generator)

Additive group , order , a generator Multiplicative group , order A bilinear map System private key s, system public key

),( 1 G

211: GGGe

),( 2 G

1GsPPpub **

21*

1 }1,0{:;}1,0{: qFHGH

q Pq

Bilinear Pairings BackgroundBilinearity:

Non-degeneracy:Computability: it’s efficient to compute

),(),(),(

),(),(),(

),(),(

,,,, *1

SQeRQeSRQe

aRbQeRQebRaQe

QReRQe

FbaGSRQ

ab

q

OQGRRQeGQ 11 ,1),(,

1,),,( GRQRQe

IDPKC from PairingsKey Generation: for each user

Public key , private keyBoth keys are points in

iU

)(1 ii IDHQ ii sQD

1G

IDPKC from PairingsSignature Generation: to sign a message

Pick a random numberCompute

, where is the x-

coordinate of the point The signature is

m*qi Fr

PrV ii

pubiixii PrDVmHS )][,(2 xiV ][

iV

),( ii SV

IDPKC from PairingsSignature Verification:

Verify signature on a messageUse the following equation

),(),(?),( )][,(2ipub

VmHipubi VPeQPeSPe xi

iU

Potential Security VulnerabilityTraditionally cryptographic hash function is

defined as Easy forwarding computationPre-image resistance: given a , it’s hard to

compute the pre-image Second pre-image resistance: given , it’s

hard to find another such that Collision resistance: it’s hard to find any pair of

and such that

)(mH

m

1m

2m )()( 21 mHmH 1m

2m

)()( 21 mHmH

Potential Security VulnerabilityThe hash function used to generate the

public key in IDPKC, , might be implemented incorrectly if only based on the traditional definition.

ii QIDH )(1

Potential Security VulnerabilityFor example, the implementer can construct

as follows: Use a traditional hash functionLet It can be proven that since satisfies the four

hash function properties, also satisfies the four hash properties.

Using such in IDPKC to generate public keys is not secure.

1H

**3 }1,0{: qFH

iii QPIDHIDH )()( 31

3H

1H

1H

Potential Security VulnerabilityAdversary can derive private key by

first computing

Since

can derive private key by computing

jU iU

qIDH

IDHc

j

i mod)(

)(

3

3

iiijj

ij

j

ij QIDHPIDHPIDH

IDH

IDHQ

IDH

IDHcQ )()()(

)(

)(

)(

)(133

3

3

3

3

jU

iijj DsQcsQcD iU

Contribution of the PaperPoints out the potential security vulnerability

of common IDPKC using pairings.To avoid the vulnerability, the paper defines

another property for the hash function used in IDPKC to generate the public key.Ratio resistance: Given any two public keys

, it’s hard to find the ratio such that ),( ji QQ

c ij QcQ