[Flow diagram step labels from the drawing sheet: Calculate first intermediate shared secret component aP (504); Communicate aP to second entity (506); Select second random integer b (508); Calculate second intermediate shared secret component bP (510); Communicate bP to first entity (512); Calculate interactive shared secret abP (514); Confirm that both entities know the non-interactive shared secret S_AB (516); Determine symmetric key using at least interactive shared secret abP (515)]
AUTHENTICATED ID-BASED CRYPTOSYSTEM WITH NO KEY ESCROW
The present application is a division of U.S. patent application Ser. No. 10/185,889 filed on Jun. 28, 2002, which hereby claims priority under 35 U.S.C. § 119(e) to provisional U.S. patent application No. 60/366,292, filed on Mar. 21, 2002, and U.S. patent application No. 60/366,196, filed on Mar. 21, 2002, both of which are incorporated herein by reference.
BACKGROUND OF THE INVENTION
The present invention relates in general to cryptography and secure communication via computer networks or via other types of systems and devices, and more particularly to the determination and use of a shared secret in an identity-based cryptosystem, for instance, to encode and decode communication between two entities without the disadvantage of key escrow.
Identity-based cryptosystems are public key cryptosystems in which the public key of an entity is derived from its identity (name, address, email address, IP address, etc.). An entity’s private key is generated and distributed by a trusted party. The trusted party uses a master secret to generate the private keys.
Protocols exist for two entities to agree upon a shared secret for encryption or authentication of communication between them. In identity-based key agreement protocols, each party typically constructs the shared secret by using its own private key and the other party’s public identity. For instance, supersingular elliptic curves and associated pairings have been used to construct relatively secure identity-based signature and key agreement protocols. In addition, more efficient protocols have been developed using supersingular abelian varieties in place of elliptic curves. Because the shared secret is based in part upon the other party’s private key, authentication may be provided indirectly by the trusted authority.
Existing identity-based cryptosystems have been limited, however, because they have involved key escrow. The trusted authority knows all secrets in the cryptosystem because it knows the private keys of all parties. As a result, existing identity-based cryptosystems have been vulnerable to passive attacks in which the shared secret used by the two parties can be determined by the trusted authority, or by any other party that discovers the master secret.
Accordingly, there is a need for a secure identity-based key agreement protocol without the disadvantage of key escrow. It therefore is an object of the present invention to provide a secure, authenticated identity-based cryptosystem including key agreement protocols that do not require key escrow. It is a further object of the present invention to provide a key agreement protocol that is secure against a passive attack based on interception of messages between two communicating parties.
BRIEF SUMMARY OF THE PREFERRED EMBODIMENTS
In accordance with the present invention, methods and systems are provided for determining a shared secret between two entities in a cryptosystem. The methods and systems avoid key escrow and are secure against passive attacks based on interception of messages between the two entities.
According to one aspect of the present invention, a method is provided for encoding and decoding a digital message communicated between a first entity and a second entity, both of which know a non-interactive shared secret. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both entities know the non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter. A symmetric key is determined using at least the interactive shared secret. The digital message is then encoded and decoded using the symmetric key.
According to another aspect of the present invention, a method is provided for authenticating a digital message communicated between a first entity and a second entity, both of which know a non-interactive shared secret. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both entities know the non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter. A symmetric key is determined using at least the interactive shared secret. The digital message is then authenticated and confirmed using the symmetric key.
According to another aspect of the present invention, a system is provided for encoding and decoding a digital message communicated between a first entity and a second entity, both of which know a non-interactive shared secret. The system includes a first memory associated with the first entity and operable to store at least a first random secret that is not known to the second entity, a system parameter, a first intermediate shared secret component, a second intermediate shared secret component, an interactive shared secret, and a symmetric key. A second memory associated with the second entity is provided, and is operable to store at least a second random secret that is not known to the first entity, the system parameter, the first intermediate shared secret component, the second intermediate shared secret component, the interactive shared secret, and the symmetric key. The system also includes a first processor associated with the first entity and operable to select the first random secret, to determine the first intermediate shared secret component using the first random secret and the system parameter, to communicate the first intermediate shared secret component to the second entity, to receive the second intermediate shared secret component from the second entity, to determine the interactive shared secret using the first random secret and the second intermediate shared secret component, to confirm that the second entity knows the non-interactive shared secret, to determine the symmetric key using at least the interactive shared secret, to encode the message using the symmetric key, and to communicate the encoded message to the second entity. A second processor associated with the second entity also is provided, and is operable to select the second random secret, to determine the second intermediate shared secret component using the second random secret and the system parameter, to communicate the second intermediate shared secret component to the first entity, to receive the first intermediate shared secret component from the first entity, to determine the interactive shared secret using the second random secret and the first intermediate shared secret component, to confirm that the first entity knows the non-interactive shared secret, to determine the symmetric key using at least the interactive shared secret, to receive the encoded message from the first entity, and to decode the encoded message using the symmetric key.
According to another aspect of the present invention, a system is provided for authenticating a digital message communicated between a first entity and a second entity, both of which know a non-interactive shared secret. The system includes a first memory associated with the first entity and operable to store at least a first random secret that is not known to the second entity, a system parameter, a first intermediate shared secret component, a second intermediate shared secret component, an interactive shared secret, and a symmetric key. A second memory associated with the second entity is provided, and is operable to store at least a second random secret that is not known to the first entity, the system parameter, the first intermediate shared secret component, the second intermediate shared secret component, the interactive shared secret, and the symmetric key. The system also includes a first processor associated with the first entity and operable to select the first random secret, to determine the first intermediate shared secret component using the first random secret and the system parameter, to communicate the first intermediate shared secret component to the second entity, to receive the second intermediate shared secret component from the second entity, to determine the interactive shared secret using the first random secret and the second intermediate shared secret component, to confirm that the second entity knows the non-interactive shared secret, to determine the symmetric key using at least the interactive shared secret, to generate a message authentication code using the symmetric key, and to communicate the message authentication code to the second entity. A second processor associated with the second entity also is provided, and is operable to select the second random secret, to determine the second intermediate shared secret component using the second random secret and the system parameter, to communicate the second intermediate shared secret component to the first entity, to receive the first intermediate shared secret component from the first entity, to determine the interactive shared secret using the second random secret and the first intermediate shared secret component, to confirm that the first entity knows the non-interactive shared secret, to determine the symmetric key using at least the interactive shared secret, to receive the message authentication code from the first entity, and to confirm the message authentication code using the symmetric key.
BRIEF DESCRIPTION OF THE DRAWINGS
The subsequent description of the preferred embodiments of the present invention refers to the attached drawings, wherein:
FIG. 1 shows a flow diagram illustrating a method of determining a shared secret between two entities according to one presently preferred embodiment of the invention;
FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a message between two entities according to another presently preferred embodiment of the invention;
FIG. 3 shows a flow diagram illustrating a method of authenticating a message between two entities according to another presently preferred embodiment of the invention;
FIG. 4 shows a flow diagram illustrating a method of determining a shared secret between two entities according to another presently preferred embodiment of the invention;
FIG. 5 shows a flow diagram illustrating a method of determining a shared secret between two entities according to another presently preferred embodiment of the invention; and
FIG. 6 shows a block diagram depicting a cryptosystem including key agreement protocols with no key escrow according to another presently preferred embodiment of the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The presently preferred methods of the invention are based on pairings, such as, for instance, the Weil or Tate pairings associated with elliptic curves or abelian varieties. The methods also are based on the Bilinear Diffie-Hellman problem. They use two cyclic groups $\Gamma$ and $H$, preferably of the same large prime order $\lambda$. The first group $\Gamma$ preferably is a group of points on an elliptic curve or abelian variety, and the group law on $\Gamma$ preferably is written additively. The second group $H$ preferably is a multiplicative subgroup of a finite field, and the group law on $H$ preferably is written multiplicatively. However, other types of groups may be used as $\Gamma$ and $H$ consistent with the present invention.
The methods also use a generator $P$ of the first group $\Gamma$. In addition, a function $e: \Gamma \times \Gamma \to H$ is provided for mapping two elements of the first group $\Gamma$ to one element of the second group $H$. The function $e$ preferably satisfies two conditions. First, the function $e$ preferably is bilinear, such that if $Q$ and $R$ are in $\Gamma$ and $a$ and $b$ are integers, then $e(aQ, bR) = e(Q, R)^{ab}$. Accordingly, $e(aP, bP) = e(P, P)^{ab} = e(bP, aP)$. Second, the function $e$ also preferably is efficiently computable.
The Bilinear Diffie-Hellman problem is that of finding $e(P, P)^{abc}$ if $P$, $aP$, $bP$, and $cP$ are known, but $a$, $b$, and $c$ are not known. Solving the Diffie-Hellman problem in $\Gamma$ solves the Bilinear Diffie-Hellman problem because $e(P, P)^{abc} = e(abP, cP)$. Similarly, solving the Diffie-Hellman problem in $H$ solves the Bilinear Diffie-Hellman problem because, if $g = e(P, P)$, then $g^{abc} = (g^{ab})^c$ where $g^{ab} = e(aP, bP)$ and $g^c = e(P, cP)$. For instance, suppose $E$ is a supersingular elliptic curve or abelian variety over a finite field $F$; suppose $P \in E(F)$ is a point of order $\lambda$ (relatively prime to the characteristic of $F$); and suppose $e$ is the Weil pairing on the $\lambda$-torsion on $E$. Let $\Gamma$ be the group generated by $P$, and let $H$ be the group of $\lambda$-th roots of unity in the algebraic closure of $F$. If $f$ is an automorphism of $E$ such that $f(P) \notin \Gamma$, then defining $\hat{e}: \Gamma \times \Gamma \to H$ by $\hat{e}(Q, R) = e(Q, f(R))$ gives a function $\hat{e}$ that satisfies the two conditions set forth above. Further, this $\hat{e}$ is nondegenerate. For instance, if $\hat{e}(aP, bP) = \hat{e}(P, cP)$, then $abP = cP$.
The presently preferred methods of the invention include a third party private key generator (PKG) that has a master secret $s \in \mathbb{Z}/\lambda\mathbb{Z}$. The master secret $s$ preferably is randomly chosen. The public key $P_A$ of a first entity preferably is the result of applying a hash function $h: \{0,1\}^* \to \Gamma$ to the first entity’s identity to yield the element $P_A$ of the first group $\Gamma$. The PKG determines the first entity’s private key $S_A = sP_A$ and provides the private key to the first entity. Similarly, a second entity’s public key $P_B \in \Gamma$ is the image of the second entity’s identity under the hash function $h$, and the PKG provides the second entity with the appropriate private key $S_B = sP_B$. Accordingly, without any interaction, the first and second entities share a non-interactive shared secret $S_{AB} := \hat{e}(P_A, S_B) = \hat{e}(P_A, P_B)^s = \hat{e}(S_A, P_B) = S_{BA}$. This may be referred to as a non-interactive shared secret. The PKG also knows this shared secret component because the PKG knows both $s$ and the entities’ private keys $S_A$ and $S_B$.
The non-interactive shared secret $S_{AB}$ is secure if the Bilinear Diffie-Hellman problem is hard. For instance, if $h(ID_A) = P_A = \alpha P$ and $h(ID_B) = P_B = \beta P$ for some random $\alpha, \beta \in \mathbb{Z}/\lambda\mathbb{Z}$, it is difficult to determine $S_{AB} = \hat{e}(P, P)^{\alpha\beta s}$ without knowing $\alpha$, $\beta$, or $s$.
Referring now to the accompanying drawings, FIG. 1 shows a flow diagram illustrating a method of determining a shared secret between two entities according to one presently preferred embodiment of the invention. The first entity selects a first random secret (step 102), and determines a first intermediate shared secret component using the first random secret and a system parameter (step 104). The first random secret may be a random number, a random collection of numbers, or some other random information. The first entity then communicates the first intermediate shared secret component to the second entity (step 106). The second entity selects a second random secret (step 108), and determines a second intermediate shared secret component using the second random secret and the system parameter (step 110). The second random secret may be a random number, a random collection of numbers, or some other random information. The second entity then communicates the second intermediate shared secret component to the first entity (step 112). Both entities then determine an interactive shared secret using the first random secret, the second random secret, and the system parameter (step 114). The first entity determines the interactive shared secret using the first random secret and the second intermediate shared secret component. Similarly, the second entity determines the interactive shared secret using the second random secret and the first intermediate shared secret component. Both entities also confirm the other entity’s identity by confirming the other entity’s knowledge of a non-interactive shared secret (step 116), such as, for instance, $S_{AB}$. Both entities then determine a symmetric key using at least the interactive shared secret (step 118).
This method avoids key escrow, and is secure against passive interception attacks, because it uses two random secrets, each of which is known to only one of the two communicating entities, and is not known to the PKG. The first random secret is not known to the second entity, and the second random secret is not known to the first entity. Neither random secret is known to the PKG, or to anyone else. Moreover, neither random secret is communicated directly between the parties. Instead, the parties communicate intermediate shared secret components that are based on the random secrets. Because it is difficult to determine the random secrets from the intermediate shared secret components, the random secrets remain secure. Accordingly, this key agreement protocol is secure because, without knowing at least one of the random secrets, it is difficult for an attacker to determine the interactive shared secret or, ultimately, the symmetric key.
The step of confirming the other entity’s knowledge of the non-interactive secret (step 116) may be accomplished in a number of ways. For instance, the symmetric key may be determined using both the non-interactive shared secret and the interactive shared secret. Alternatively, the first entity may prove that it knows the non-interactive shared secret by generating a message authentication code (“MAC”) for the first intermediate shared secret component using the non-interactive shared secret as the key, and communicating this first MAC to the second entity. The second entity may then confirm that the first entity knows the non-interactive shared secret by confirming the message authentication code using the non-interactive shared secret as the key. Likewise, the second entity may prove that it knows the non-interactive shared secret by generating a MAC for the second intermediate shared secret component in a similar manner, and by communicating the second MAC to the first entity. By confirming the second MAC using the non-interactive shared secret as the key, the first entity confirms that the second entity knows the non-interactive shared secret.
The symmetric key derived according to the method of FIG. 1 may be useful in many applications. For instance, FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a message between two entities using the symmetric key. First, the entities determine a symmetric key (step 118) according to the method of FIG. 1. The first entity then encodes the message using the symmetric key (step 202). The first entity may use any known symmetric encryption scheme, such as the Advanced Encryption Standard (“AES”), to encode the message. The first entity then communicates the encoded message to the second entity, and the second entity decodes the encoded message (step 204) using the same symmetric key and encryption scheme that the first entity used to encode the message.
Another useful application of the symmetric key derived according to the method of FIG. 1 is authentication of the content of a message. For instance, FIG. 3 shows a flow diagram illustrating a method of authenticating a message using the symmetric key. Again, the entities first determine the symmetric key (step 118) according to the method of FIG. 1. The first entity generates a MAC of the message using the symmetric key (step 302). The first entity may generate the MAC using any known authentication scheme, such as a hash function based on the content of the message. The first entity then communicates the encoded message and the MAC to the second entity, and the second entity confirms the MAC (step 304) using the same symmetric key and authentication scheme that the first entity used to generate the MAC.
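As an added illustration, not code from the patent, the FIG. 1 flow in Python with a constructed toy pairing: $\Gamma$ is modelled as $\mathbb{Z}/\lambda\mathbb{Z}$ and $H$ as an order-$\lambda$ subgroup of $(\mathbb{Z}/p\mathbb{Z})^*$, so $\hat{e}$ is bilinear but trivially invertible, and the script only demonstrates the message flow, the MAC-based confirmation of step 116 keyed by $S_{AB}$, and the fact that the PKG can recompute $S_{AB}$ while the session key also depends on the fresh exponents; the intermediate components are taken as $g^a$, $g^b$ with $g = \hat{e}(P_A, P_B)$, and the identities, parameters and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (NOT a secure pairing): Γ is modelled as the additive
# group Z/λZ with generator P = 1, so a "point" aP is just a mod λ, and H is the
# order-λ subgroup of (Z/pZ)* with λ | p-1. Discrete logs in this Γ are free, so the
# model only exercises the algebra and the message flow, never the hardness claims.
LAM = 101
PMOD = 607                              # 607 = 6*101 + 1, so H of order 101 exists
G = pow(2, (PMOD - 1) // LAM, PMOD)     # 2^6 mod 607 = 64 != 1, hence of order 101

def hash_to_gamma(identity: str) -> int:
    """h: {0,1}* -> Γ; returns the multiplier a of P for a non-zero point aP."""
    d = int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")
    return 1 + d % (LAM - 1)

def pairing(q: int, r: int) -> int:
    """Toy bilinear map ê: Γ x Γ -> H with ê(aP, bP) = g^(ab)."""
    return pow(G, (q * r) % LAM, PMOD)

class PKG:
    """Private key generator holding the master secret s in Z/λZ."""
    def __init__(self) -> None:
        self.s = 1 + secrets.randbelow(LAM - 1)

    def private_key(self, identity: str) -> int:
        return (self.s * hash_to_gamma(identity)) % LAM      # S_A = s P_A

def noninteractive_secret(own_priv: int, peer_id: str) -> int:
    """S_AB = ê(S_A, P_B) = ê(P_A, S_B), computable by each side with no messages."""
    return pairing(own_priv, hash_to_gamma(peer_id))

def mac(key: int, data: int) -> bytes:
    return hmac.new(str(key).encode(), str(data).encode(), "sha256").digest()

def kdf(interactive: int, noninteractive: int) -> bytes:
    """Symmetric key from both g^ab and S_AB (one of the step-116 options)."""
    return hashlib.sha256(f"{interactive}|{noninteractive}".encode()).digest()

def key_agreement(pkg: PKG, id_a: str, id_b: str):
    """Runs the FIG. 1 flow; returns (key at A, key at B, both MACs verified)."""
    s_a, s_b = pkg.private_key(id_a), pkg.private_key(id_b)
    sab_at_a = noninteractive_secret(s_a, id_b)
    sab_at_b = noninteractive_secret(s_b, id_a)
    g = pairing(hash_to_gamma(id_a), hash_to_gamma(id_b))    # g = ê(P_A, P_B)
    a = 1 + secrets.randbelow(LAM - 1)                         # step 102
    ga = pow(g, a, PMOD)                                       # step 104
    tag_a = mac(sab_at_a, ga)                                  # step 106 + proof of S_AB
    ok_b = hmac.compare_digest(tag_a, mac(sab_at_b, ga))       # B checks A knows S_AB
    b = 1 + secrets.randbelow(LAM - 1)                         # step 108
    gb = pow(g, b, PMOD)                                       # step 110
    tag_b = mac(sab_at_b, gb)                                  # step 112
    ok_a = hmac.compare_digest(tag_b, mac(sab_at_a, gb))       # A checks B knows S_AB
    key_a = kdf(pow(gb, a, PMOD), sab_at_a)                    # steps 114 and 118
    key_b = kdf(pow(ga, b, PMOD), sab_at_b)
    return key_a, key_b, ok_a and ok_b

def pkg_can_recover_noninteractive(pkg: PKG, id_a: str, id_b: str) -> bool:
    """The escrow the text describes: from s alone the PKG recomputes S_AB."""
    sab = pow(pairing(hash_to_gamma(id_a), hash_to_gamma(id_b)), pkg.s, PMOD)
    return sab == noninteractive_secret(pkg.private_key(id_a), id_b)
```

The MAC over $g^a$ and $g^b$ is what stops a party without $S_{AB}$ from injecting its own component, while the PKG, which can compute $S_{AB}$, still lacks $a$ and $b$ and so cannot derive the key from the transcript when discrete logs in $H$ are hard.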
FIG. 4 shows a flow diagram illustrating a method of determining a shared secret between two entities according to another presently preferred embodiment of the invention. The first entity selects a first random integer $a$ (step 402), and calculates a first intermediate shared secret component $g^a$ (step 404), where $g$ is a generator of the second cyclic group $H$. The generator $g$ preferably is either $\hat{e}(P_A, P_B)$ or $\hat{e}(P, P)$, where $P$ is given as a public system parameter. The first entity then communicates the first intermediate shared secret component $g^a$ to the second entity (step 406). The second entity selects a second random integer $b$ (step 408), and calculates a second intermediate shared secret component $g^b$ (step 410). The second entity then communicates the second intermediate shared secret component $g^b$ to the first entity (step 412). Both entities then calculate an interactive shared secret $g^{ab}$ (step 414). Because neither entity knows the other entity’s chosen random integer, the first entity calculates $g^{ab} = (g^b)^a$, and the second entity calculates $g^{ab} = (g^a)^b$. Both