Forward-secure public-key encryption eprint

Anonymous nobody at remailer.privacy.at
Wed May 29 22:03:05 PDT 2002


David Hopwood writes:

> Forward-secure public-key encryption has been discussed here, on
> sci.crypt, and elsewhere. To recap - the goal is that an adversary who
> breaks into your computer today can't read messages sent/received
> yesterday. In the interactive case, you use ephemeral Diffie-Hellman. The
> non-interactive case is more complicated and has had some ideas considered
> by Ross Anderson, Adam Back, and David Hopwood (among others). Cypherpunks
> relevance: forward security is nice for remailers.
>
> Anyway, there's a new eprint up which shows how to construct such a scheme
> starting from an ID-based encryption scheme by Boneh + Franklin.
>
> "A Forward-Secure Public-Key Encryption Scheme"
> Jonathan Katz
> http://eprint.iacr.org/2002/060/
>
> It's worth noting that the scheme this is based on has code available.
> http://crypto.stanford.edu/ibe/download.html

Adam Back noted several years ago that identity-based encryption systems
could be converted into forward-secure PK encryption methods.  At the
time it did not appear that any of the identity-based encryption systems
were very secure.

In the past few years a number of cryptographic results have been
achieved by using the Weil and Tate pairings, which are mappings among
groups associated with supersingular elliptic curves.  These mappings
have special mathematical properties which give a new slant to a number
of cryptographic problems.  For example it can be shown that in the
appropriate group, the Decision Diffie-Hellman problem is easy while
the Diffie-Hellman problem is still thought to be hard.  On coderpunks
this was discussed as a possible approach to ecash.  The Weil pairing
can also be used to create short signatures, only 20 bytes long for the
same security as a DSA sig taking 40 bytes.

At Crypto 2001, Boneh and Franklin showed how to use the Weil pairing
to create an identity based PK system.  Unlike earlier constructions,
this one seems to have a good security margin.  Following Adam Back's
earlier idea, this means a forward-secure PKCS can be constructed,
and the new paper does so, using the Weil and Tate pairings.

One concern is that these mathematical techniques are new in cryptography
and so it is possible that new attacks will be found against them.
While the underlying math is old, the specific application is new and
so weaknesses may still be discovered.  Another problem is that the
math is really advanced and not many implementors or users are likely
to understand it very well.  Sure we've got a library but the kind of
people who want forward security would like to understand the principles
a little better.
