ANALYSIS ON THE TWO CLASSES OF ROBUST THRESHOLD KEY ESCROW SCHEMES*
Definition 4.2. (credible degree function TR) TR is such a function mapped from all parties of KES to [0,1], where the function value 1 represents believable
completely and 0 on the contrary.
Obviously the values of function TR denote the believable degree of the parties in KES and TR is not computable. But we think that any trusted third party may assess the value of it.
Axiom 1.
Obviously the axiom is reasonable. In fact, TR(KMC) is almost 1 in the two RTKES. So, the security of KES is the security degree under some distribution of TR. The analysis as follows all is based on the axiom.
Analysis on the two classes of Robust Threshold Key Escrow Schemes 141 5. Analysis on RTKES1
5.1 Analysis on Improved RSA
Firstly the Improved RSA is introduced.
is Blum integer and assume: Jacobi symbol Parameters N is public and is secret.
When encrypting message otherwise
The ciphertext is where,if is even, set
else otherwise Decrypting is obvious.
Our main result of analysis is as follows and the proof is omitted.
Theorem 5.1. For Improved RSA, we have:
1)For any message the the probability of equation holds true is 0.75 at least.
2) i.e. the least significant bit of message is leaked.
5.2 Analysis on escrow protocol
This is a sub protocol on distribution of shares generated by KMC. As pro-tocol finished, each escrow agency obtains the legal shares of secret key of user and each share can be verified.
We note that this is a non-interactive protocol and the information is trans-mitted through private secure channel([7, 8, 9]). So it is not easy to see that the only possible attack on the protocol is the cheating attack of KMC (It should be noted that the security goal of the protocol is escrow agencies can obtain their shares correctly.) However, by axiom 1, we have known that it is impossi-ble to imagine that KMC is dishonest. Therefore, we can give the conclusion:
authentication groupware of the protocol is not necessary. In trivial sense, the security of the protocol can be proved.
5.3 Subliminal channel attack on communication protocol
According to introduction of RTKES1, it can be seen that:
1) Receiver V does not need LEAF indeed when decrypting because the session key is only set up by U and V.
2) The part of private key of U, is not escrowed, i.e. subd1 is still controlled by U.
So, U and V can attack on it in the way as follows.
U may sends his message to receiver V in the way:
LEAF), C(U))
Where is some public secure one-way function, such as hash function), and assume the encrypting algo-rithm and decrypting one are same.
U can also send his message in such way: LEAF), C(U)) where
may be public and
We can see easily that in case of monitoring, W can only obtain false session key or from the escrow agencies and even if W verifies the signature in LEAF, it can not detect the existence of subliminal channel. In fact, the true session key of U and V is but under the assumption of one-way function or factorization problem, W can not derive from
Theorem 5.2. RTKES1 can not resist the subliminal channel attack launched by malicious users.
Considering of least value of TR(U), the conditions needed by such attack is very weak.
5.4 Analysis of monitor protocol
Theorem 5.3. In case of cahoot of malicious users and escrow agencies, integer N can be factorized.
The proof is easy and be omitted. In fact, considering of least value of TR(U), it is not suitable to take U as one escrow agency in order to solve the problem of depending on escrow agencies without measure.
6. Analysis on RTKES2
As we know, RTKES2 is similar to RTKES2 except that encrypting algorithm adopts EIGamal. Therefore the analysis conclusions above also hold true.
However, there exist another subliminal channel attack for both RTKES1 and RTKES2 and monitor protocol of the latter is not secure too.
6.1 Subliminal channel attack based on signature schemes
Here, we want to show the point that it is dangerous to prevent subliminal channel attack only by signature schemes.
According to [14, 15], there exists subliminal channel in EIGamal signature schemes.
Here we construct one kind of subliminal channel using the signature scheme based on improved RSA: Sender U leaks his private key for signing to receiver V on purpose previously, where the private key for signing
And They use as their session key where is a secure hash function.
Then U sends his message in the way as follows:
LEAF), S(H(M)) As a result, in case of monitor, W can only obtain the form the escrow agencies, i.e. recover some disguised messageM. Because of one-wayness of
Firstly we give a concise description of monitor protocol of RTKES2. The sub protocol is devised to make W verify the shares from escrow agencies, i.e.
W should have the ability of identifying malicious escrow agencies.
Parameters. KMC publicizes the public key of U where private key is sent to W through private channel previously , is divided into shares by secret sharing scheme and these shares are given to escrow agencies. In case of monitoring, escrow agency only refers to W, where is the first part of ciphertext of (Note that we adopts EIGamal public key algorithm to encrypt session key).
Protocol. For the steps as follows. 1) sends to W; 2) W chooses and in randomly and computes Then sends it to 3) computes and sends it to W; 4) W verifies if the equation holds true. If yes, W accepts the shares, otherwise, W alleges is dishonest.
Analysis. It should be noted that the verification equation is involved in We think it is not suitable because is generated by user U whose value of TR(U) is smallest. So two cheating protocols can be constructed as follows.
Case1. Some malicious sender U replaces used in LEAF with any and is given to In case of monitoring, some malicious can do so in the step 1) of the protocol: computes and sends (instead of to W. On the other hand, in step 3) answers the challenge of W with The readers can verify easily that by doing so, can cheat W with Note that the true share is
Case2. The malicious escrow agency is active and replaces in LEAF with chosen by itself. Note that this whould not affect the normal communication of users.
The reason for the success of cheating attack is that the communication channel of users is not secure, i.e. there are not private channel like KMC. In addition, the attack conditions are feasible according to axiom 1.
6.3 Analysis on Robustness
We can see that in fact RTKES2 realizes the robustness by regarding W as an agency with functions of escrow and monitor. Obviously this strengthens Analysis on the two classes of Robust Threshold Key Escrow Schemes 143 W can not derive from On the other hand, V can easily recover
the intended message by computing It should
be noticed that is set up only by U and V in both RTKES1 and RTKES2.
6.2 Cheating attack on monitor protocol
National Institute for Standards and Technology , Escrowed Encryption Standard, Federal Information Processing Standards Publication 185, U.S. Dept. of Commerce , 1994.
TAHER EIGAMAL, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE TRANS. On Information Theory, vol IT-31, NO.4,1985.
Lars R.Knudsen, Torben P.Pedersen, On the difficulty on software key escrow, EURO-CRYPT’96, p237-244.
S.Micali and R.Shamir, Partial Key Escrow, February 1996.
Nechvatal J.A, Public-key-based key escrow system, Journal of Systems Software, 1996, 35(1): 73-83.
Mike Burmster, Y.Desmedt and Jennifer Seberry, Equitable Key Escrow with Limited time span, AsiaCrypto’98, 1998.
Cao Zhen-Fu, Two classes of Robust Threshold Key Escrow Schemes. Journal of Software, Vol.14, No.6, 2003.
Cao Zhen-Fu, Li Jiguo, A Threshold Key Escrow Scheme Based on EIGamal Public Key Cryptosystem, Chinese Journal of Computers. 2002, 25(4):346-350.
Cao Zhen-Fu, A Threshold Key Escrow Scheme based on public key Cryptosystem. Science in China(Series E), 2001, 44(4):441-448.
Rivest,R.L., Shamir,A. and Adleman, L., A method for Obtaining Digital Signatures and Public-key Cryptosystem, Comm.ACM Vol.21(2), pp.120-126,FEB.1978.
Shamir A., How to share a secret, Communications of the ACM, 1979, 22(11):612-613.
Fen Dengguo, Pei Dingyi, Introduction of Cryptology, Science Press, 1999.
J.Kiliam, T.Leighton, Fair Cryptosystems, Revisited , AsiaCrypto’96, 1996.
Simmons,G.J., The Subliminal Channel and Digital Signatures, Advance in Cryptology-Eurocrypto’84, Springer-Verlag, 1985,pp.51-67.
Feng Dengguo etal.£¬Review of foreign key escrow systems£¬Technical Report£¬DCS Center, Chinese Academy of Sciences£¬Beijing£¬Nov., 1997.
the rights of W greatly. Considering the case of dishonest W[4], the method may be not worth the candle.
7.
Tag
Considering separately, we think that in some sense [7,8,9] solve the problem
“Monitoring once, Monitoring forever”. However, There exist some deficien-cies: Session key is chosen completely by users and master keys is escrowed in common ways. Therefore the method does not solve the problem above in the complete sense. We argue that the problem can be solved using key escrow scheme with Limited time span [6].
References