Identity-based scheme

The identity-based scheme (identity-based cryptography) is a concept introduced by Adi Shamir in 1984 at the CRYPTO '84 conference.

Why not take the user's identity (for example surname, first name, date of birth, social security number, …) as the public key?

If one can derive from such an identity a secret key S such that two different individuals can never end up with the same secret key, then there is no longer any need to certify public keys.

Principle

Identity-based schemes let anyone regenerate an individual's public key from an identity value such as an ASCII string.

A trusted third party, the private key generator (PKG), is responsible for producing the secret keys that correspond to these public keys.

To do so, the PKG publishes a master public key and keeps the corresponding master private key to itself.

The master public key is combined with the identity value I to regenerate the public key corresponding to that identity.

To obtain the matching private key, the person the identity belongs to must contact the PKG, which uses the master private key to generate the private key for that identity.

Consequently, messages can be encrypted (or signatures verified) without any prior key exchange between the individuals.

This is extremely useful when key predistribution is difficult or impossible because of technical constraints.

The drawback of this approach is the very high degree of trust that must be placed in the PKG: it is intrinsically able to regenerate any user's private key, and therefore to sign or decrypt on that user's behalf without authorization. In effect, key escrow is built into the system.

A number of alternatives have been proposed to avoid this problem, such as certificate-based encryption, protected key generation (secure key issuing), and certificateless cryptography.

Several schemes were proposed between 1984 and 2000, but none combined the two essential qualities: security and practicality.

It was not until 2001, with the nearly simultaneous publications of Cocks and of Boneh and Franklin, that truly promising cryptosystems appeared.

This page describes in detail only Cocks's scheme, which has the advantage of originality over its rival. It is nevertheless important to note that the Boneh-Franklin system is fully operational and has an implementation for email encryption.

Shamir's classification of identity-proving protocols

In 1986, Fiat and Shamir (Shamir again) classified the various categories of identity-proving protocols, distinguishing three levels of protection. Suppose Alice wants to prove her identity to Bob; the levels are:
  1. Authentication protocol: Alice can prove to Bob that she really is Alice, but nobody else can prove to Bob that they are Alice.
  2. Identification protocol: Alice can prove to Bob that she really is Alice, and Bob cannot extract from this proof any information that would let him convince someone else that he is Alice.
  3. Signature protocol (or non-repudiation): this protocol has the same properties as the previous one and, in addition:
     Alice cannot claim that she did not prove her identity to Bob, or that the message she signed differs from the one Bob claims to have received (she cannot repudiate her signature). In other words, Bob cannot make anyone believe that Alice proved her identity to him when she did not.

In practice, an authentication protocol in the Fiat-Shamir sense is used only when Alice and Bob have common interests and the threat is an outside attacker. When Alice and Bob have divergent interests, one of the two other types of scheme must be used. With an authentication protocol, Bob could afterwards pass himself off as Alice to a third party. This is no longer possible with an identification scheme. However, with identification as with authentication, Bob can still make others believe he received a message from Alice (in effect forging her signature), whereas a signature protocol rules this out.

We will nevertheless not use Shamir's vocabulary, and will draw no distinction between authentication and identification. Authentication in Shamir's sense presupposes not only that Alice and Bob are not rivals, which is often the case in practice, but also that nobody can eavesdrop on an authentication proof between Alice and Bob: otherwise the eavesdropper would be in the same position as Bob to reconstruct Alice's secret key, and could then impersonate Alice in later conversations. Physical confidentiality of the channel is, however, generally far from perfectly assured.

Shamir's protocol

This scheme underlies the signature protocol published by Shamir in 1984. As in the preceding scheme, the authority creates an RSA key pair: modulus $n$, public exponent $E$ and private exponent $D$ (the same notation is used, and from now on all calculations are carried out modulo $n$, in this protocol and the next). The authority gives Alice $V = I^D$, where $I$ is Alice's identity. To prove who she is, Alice must show that she knows $V$ without revealing $V$.

To do so, when she sends a message to Bob, she chooses a random value $x$ and sends him $t = x^E$. Bob picks a random integer $c$ from an agreed interval and sends it to Alice, who replies with $y = V x^c$. Bob then only has to check that $y^E = I\, t^c$, which holds because $y^E = V^E x^{cE} = I^{DE} t^c = I\, t^c$.

There is, however, no proof of security for this scheme.
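The exchange above, run end to end as an added example (not code from the page or from Shamir's paper): the authority issues $V$, Alice commits, Bob challenges, Alice responds and Bob verifies. The toy primes, the identity encoding, the 20-bit challenge size and the identity string are assumptions made here; the page does not give the bounds of $c$'s interval.

```python
"""Toy run of the RSA-based identification protocol above.  This is an added
example, not the page's own code.  The toy primes, the identity encoding, the
challenge size and the names are constructed assumptions; a real deployment uses
an RSA-sized modulus and a much larger challenge space."""
import secrets

# --- Trusted authority: RSA key pair.  (N, E) is public, D stays with the authority.
P, Q = 104723, 104729                 # constructed toy primes (far too small for real use)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def identity_value(identity: str) -> int:
    """Public encoding of an identity string as an integer I in [2, N-2] (assumed)."""
    return 2 + int.from_bytes(identity.encode(), "big") % (N - 3)


def issue_secret(identity: str) -> int:
    """Authority computes V = I^D mod N for the holder of the identity; only D allows this."""
    return pow(identity_value(identity), D, N)


# --- Prover (Alice) holds V; she proves knowledge of V without revealing it.
def prover_commit():
    """Choose a random x, publish t = x^E mod N, keep x for the response."""
    x = 2 + secrets.randbelow(N - 3)
    return x, pow(x, E, N)


def prover_respond(v: int, x: int, c: int) -> int:
    """Answer challenge c with y = V * x^c mod N."""
    return v * pow(x, c, N) % N


# --- Verifier (Bob) knows only the public values: N, E and Alice's identity.
CHALLENGE_BITS = 20   # assumed size; the page does not give the bounds of c's interval


def verifier_challenge() -> int:
    """A fresh, unpredictable challenge; a reused or predictable c breaks the protocol."""
    return secrets.randbelow(1 << CHALLENGE_BITS)


def verifier_check(identity: str, t: int, c: int, y: int) -> bool:
    """Accept iff y^E == I * t^c mod N, since y^E = V^E x^(cE) = I * t^c."""
    return pow(y, E, N) == identity_value(identity) * pow(t, c, N) % N


def run_protocol(identity: str, v: int) -> bool:
    """One full commit / challenge / response round between prover and verifier."""
    x, t = prover_commit()
    c = verifier_challenge()
    y = prover_respond(v, x, c)
    return verifier_check(identity, t, c, y)


if __name__ == "__main__":
    alice = "alice@example.org"          # constructed identity
    v_alice = issue_secret(alice)
    print("honest Alice accepted:", run_protocol(alice, v_alice))
    # An impostor who does not hold V (here a guessed value) is rejected.
    print("impostor accepted:   ", run_protocol(alice, 12345))
    # A recorded transcript does not replay: the response y is bound to the challenge c.
    x, t = prover_commit()
    y = prover_respond(v_alice, x, 7)
    print("replay with new c:   ", verifier_check(alice, t, 8, y))
```

Bob verifies with nothing but the authority's public values and Alice's identity string; no certificate for Alice is exchanged. The last two lines of the main block show the two properties a verifier actually relies on: a party without $V$ is rejected, and a response captured for one challenge does not verify against another.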

Cocks's protocol

Let $I$ be the set of information representing Alice's identity. Assume a public procedure $h$, built from hash functions, such that the Jacobi symbol $\left(\frac{h(I)}{M}\right) = 1$. In what follows, $a = h(I)$ is taken to be Alice's identity.

Suppose Bob wants to send a message to Alice, whose identity is $a$. The modulus $M$, a product of two primes $P$ and $Q$ known only to the authority, is public. Assume moreover, without loss of generality, that $a$ is a square modulo $M$. Bob processes his message bit by bit:

Encryption: let $x$ be the representation of the bit to be sent, $x = 1$ or $x = -1$. Bob chooses at random an integer $t$ such that $\left(\frac{t}{M}\right) = x$. He can then send the ciphertext $s$ corresponding to $x$: $s = t + \frac{a}{t} \pmod M$.

Decryption: following the principle of identity-based cryptosystems, Alice interacts with the authority to obtain $r$ satisfying $r^2 = a \pmod M$. Only knowledge of the factors $P$ and $Q$ makes it possible to compute $r$; this knowledge is the authority's secret, and $r$, supplied by the authority, is Alice's secret key. Since $s + 2r = t\left(1 + \frac{r}{t}\right)^2 \pmod M$, Alice recovers $x$ as $\left(\frac{s + 2r}{M}\right) = \left(\frac{t}{M}\right) = x$. If instead $-a$ is a square modulo $M$, one uses $s = t - \frac{a}{t} \pmod M$, and the same identity $s + 2r = t\left(1 + \frac{r}{t}\right)^2$ holds with $r^2 = -a$. Because the Jacobi symbol of $a$ is 1 in both cases, Bob cannot tell which of $a$ and $-a$ is the square; in practice he sends both forms of $s$ for each bit, and Alice, who knows $r$, uses the one that matches.
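The scheme above carried through on a short message, as an added example that is not code from the page or from Cocks's paper; it also makes concrete the master-secret / key-extraction / escrow principle described in the Principle section (the authority's $P, Q$ play the role of the master private key, $M$ of the master public key). Assumptions made here: toy primes $P$ and $Q$ both congruent to 3 mod 4 (the standard condition under which exactly one of $a$, $-a$ is a square modulo $M$ and the authority can take the root by a single exponentiation), $h$ realised as SHA-256 over the identity plus a counter until the Jacobi symbol is 1, a bit-to-$x$ convention, and constructed identity strings. Since Bob cannot tell whether $a$ or $-a$ is the square, each bit is sent as both forms of $s$.

```python
"""Toy bit-by-bit run of Cocks's identity-based encryption.  Added example, not
the page's own code.  The primes, the identity-to-integer map h (SHA-256 with a
counter until the Jacobi symbol is 1), the bit convention and the names are
constructed assumptions; real parameters are RSA-sized."""
import hashlib
import math
import secrets

# --- Authority.  M = P*Q is public, P and Q are the authority's secret.
# Both primes are 3 mod 4 (assumption): then for every a with Jacobi (a/M) = 1
# exactly one of a, -a is a square mod M, and a root can be computed from P, Q.
P, Q = 100003, 104723     # constructed toy primes; far too small for real use
assert P % 4 == 3 and Q % 4 == 3
M = P * Q


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity; 0 if gcd(a, n) > 1."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # pull out factors of 2: (2/n) = -1 iff n = 3, 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # reciprocity: flip sign iff both are 3 mod 4
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_to_a(identity: str) -> int:
    """Public map h: hash identity||counter until the result a has (a/M) = 1."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % M
        if a and jacobi(a, M) == 1:
            return a
        counter += 1


def extract_private_key(a: int) -> int:
    """Authority only (needs P, Q): r with r^2 = a or r^2 = -a mod M.
    With P, Q = 3 mod 4 the exponent (M + 5 - P - Q)/8 yields such a root."""
    r = pow(a, (M + 5 - P - Q) // 8, M)
    assert r * r % M in (a, (-a) % M)
    return r


def encrypt_bit(a: int, x: int):
    """Sender: one ciphertext pair per bit x in {1, -1}.  Pick random t with
    (t/M) = x; the first value assumes a is a square (s = t + a/t), the second
    assumes -a is (s = t - a/t).  The sender cannot tell which, so sends both."""
    assert x in (1, -1)
    pair = []
    for sign in (1, -1):
        while True:
            t = 1 + secrets.randbelow(M - 1)
            if math.gcd(t, M) == 1 and jacobi(t, M) == x:
                break
        pair.append((t + sign * a * pow(t, -1, M)) % M)
    return tuple(pair)


def decrypt_bit(a: int, r: int, pair) -> int:
    """Receiver: choose the value matching her root, then (s + 2r / M) = (t / M) = x,
    because s + 2r = t(1 + r/t)^2 mod M."""
    s = pair[0] if r * r % M == a else pair[1]
    return jacobi((s + 2 * r) % M, M)


def encrypt(identity: str, plaintext: bytes) -> list:
    """Bit convention (assumed): plaintext bit 0 -> x = +1, bit 1 -> x = -1, MSB first."""
    a = identity_to_a(identity)
    out = []
    for byte in plaintext:
        for i in range(7, -1, -1):
            out.append(encrypt_bit(a, -1 if (byte >> i) & 1 else 1))
    return out


def decrypt(identity: str, r: int, ciphertext: list) -> bytes:
    """Inverse of encrypt, using the receiver's key r obtained from the authority."""
    a = identity_to_a(identity)
    xs = [decrypt_bit(a, r, pair) for pair in ciphertext]
    out = bytearray()
    for i in range(0, len(xs), 8):
        byte = 0
        for x in xs[i:i + 8]:
            byte = (byte << 1) | (1 if x == -1 else 0)
        out.append(byte)
    return bytes(out)


if __name__ == "__main__":
    alice = "alice@example.org"                       # constructed identity
    ct = encrypt(alice, b"Hi")                        # Bob needs only M and Alice's identity
    r_alice = extract_private_key(identity_to_a(alice))
    print(decrypt(alice, r_alice, ct))
    # Key escrow: the authority can derive any user's r and so decrypt anything sent to them.
    print("ciphertext bits per plaintext bit:", 2 * M.bit_length())
```

Two things worth noticing when running it. First, `encrypt` never touches $P$, $Q$ or $r$: the sender needs only the public modulus and the recipient's identity string, which is the whole point of the scheme. Second, every plaintext bit costs two residues modulo $M$, so the ciphertext is about $2 \log_2 M$ times longer than the message; with a real modulus one would encrypt only a short symmetric key this way.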
