FWD: Binding crypto

Igor Chudov @ home ichudov at algebra.com
Sat Oct 19 19:48:58 PDT 1996

see below...

John Anonymous MacDonald wrote:
> =++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=+=
> In this message, we introduce binding cryptography, a new proposal for
> establishing an information security infrastructure that does not
> hamper law enforcement. We present an alternative that can give
> law-enforcement agencies access to session keys, without users having
> to deposit private keys. Unilateral fraud in this scheme is easily
> detectible. We outline the proposal below, and announce two articles
> which will describe the proposal in more detail and which will provide
> the legal and the technical context.

> Metaphorically speaking, our solution consists of equipping public-key
> encryption systems used for confidentiality with a (car) governor (a
> speed-limiting device). The specifications of this governor are rather
> general, and so many systems can probably be equipped with them. It is
> inspired by the proposal of Bellare and Rivest [BR], in which users'
> encrypted messages consist of three components:
> 1. the (actual) message encrypted with any symmetric system, using a random session key;
> 2. the session key encrypted with the public key(s) of the addressee(s);
> 3. the session key encrypted with the public key of a Trusted Retrieval Party (TRP).

> In effect, the TRP is treated as a virtual addressee, although the
> message is not sent to it. When a law-enforcement agency is conducting
> a lawful intercept and strikes upon an enciphered message, they take
> the third information component to the TRP. If shown an appropriate
> warrant, the TRP decrypts the information component and hands over the
> session key, so that the law-enforcement agency has access to the
> message. Observe that users are not obliged to escrow their (master)
> keys, they only give access to the (temporary) session keys used in
> the communication. The concept of "virtual escrow" has been the base
> of several escrow products (AT&T Crypto, RSA Secure, TIS Commercial
> Key Escrow).
> The main drawback of this concept is that it offers no possibility, at
> least for others than the TRP, to check whether the third component
> actually contains the (right) session key; moreover, the TRP will only
> discover fraud after a lawful wiretap. This renders the solution
> almost entirely unenforceable.
> Therefore, we propose a binding alternative, which adds a fourth
> component to the encrypted message: 
> 4. binding data.
> The idea is that any third party, e.g., a network or service provider,
> who has access to components 2, 3 and 4 (but not to any additional
> secret information) can: 
> a. check whether the session keys in components 2 and 3 coincide; 
> b. not determine any information on the actual session key.

What prevents me from superenciphering the body of the message?

That would render the whole "fraud prevention" useless, wouldn't it?


> In this way, fraud is easily detectible: a sender that attempts to
> virtually address a session key to the TRP (component 3) that is
> different from the real one he uses on the message (or just nonsense)
> will be discovered by anyone checking the binding data. If such
> checking happens regularly, fraud can be properly discouraged and
> punished. The binding concept supports the virtual addressing of
> session keys to several TRPs (or none for that matter), for instance,
> one to a TRP in the country of the sender and one in the country of
> the addressee. The solution therefore offers the same advantage for
> worldwide usability as the Royal Holloway [Holl] concept. We also
> remark that the concept supports the use of controllable key splitting
> in the sense of Micali [Mica] as well: a sender can split the session
> key and virtually address all the shares separately to the addressee
> and various TRPs using the binding concept. Moreover, the number of
> shares and the TRPs can - in principle - be chosen freely by each
> user. Finally we remark that the time-boundedness condition (the
> enforceability of the time limits of a warrant) can be fulfilled by
> additionally demanding that encrypted information (or all components)
> be timestamped and signed by the sender; a condition that can be
> publicly verified by any third party (e.g., monitor) as well.
> A PKI that incorporates binding data hence has the following four
> players: 
> - Users, i.e., governments, businesses, and citizens, 
> - TTPs offering trusted services (e.g., time-stamping and certification of
> public keys), 
> - TRPs aiding law-enforcement agencies with decrypting legally intercepted messages, 
> - Monitors, monitoring communications encrypted via the PKI on compliance with 
> binding regulations. For instance, these could be network operators or (Internet) service
> providers.
> In [VKT], we explain how we envision the framework in which the
> binding concept could present a security tool in the information
> society. We think the concept is flexible enough (e.g., in the choice
> of TRPs) to be incorporated into almost any national crypto policy, on
> both the domestic and foreign use of cryptography.
> In a mathematical paper [VT], Verheul and Van Tilborg propose a
> technical construction for binding data for an important public-key
> encryption system: ElGamal. This construction is compatible with
> Desmedt's [DESM] traceable variant of ElGamal. The construction is
> based on the techniques used in zero knowledge proofs. We expect that
> these constructions can be improved and that various other public-key
> encryption systems can be equipped with binding data. We present this
> as a challenge to the cryptographic research community.
> An outline of the mathematical construction of binding ElGamal can be
> found at http://cwis.kub.nl/~frw/people/koops/bindtech.htm.
> _3. References_
> [BR]	
> M. Bellare, R.L. Rivest, "Translucent Cryptography. An Alternative to
> Key Escrow, and its Implementation via Fractional Oblivious Transfer",
> see http://theory.lcs.mit.edu/~rivest
> [Desm]	
> Y. Desmedt, "Securing Traceability of Ciphertexts - Towards a Secure
> Key Escrow System", Advances in Cryptology - EUROCRYPT'95 Proceedings,
> Springer-Verlag, 1995, pp.147-157.
> [Holl]
> N. Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for
> Trusted Third Party Services", Royal Holloway, University of London,
> see http://platon.cs.rhbnc.ac.uk
> [Mica]
> S. Micali, "Fair Public-key Cryptosystems'", Advances in Cryptology -
> CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 113-138.
> [VKT]
> E. Verheul, B.J. Koops, H.C.A. van Tilborg, "Binding Cryptography. A
> fraud-detectible alternative to key-escrow solutions", Computer Law
> and Security Report, January-February 1997, to appear. [*]
> [VT]
> E. Verheul, H.C.A. van Tilborg, "Binding ElGamal. A fraud-detectible
> alternative to key-escrow solutions", will be submitted to
> Eurocrypt97.
> [*] For the Computer Law and Security Report, send subscription
> enquiries, orders and payments to:
> Pam Purvey
> The Oxford Fulfilment Centre
> PO Box 800, Kidlington
> Oxford OX5 1DX  UK
> Tel: +44 1865 843373
> Fax: +44 1865 843940
> For the United States:
> Elsevier Advanced Technology
> Fulfilment (enquiries)
> 660 White Plains Road, Tarrytown
> New York, NY 10591-5153
> USA 
> Tel: 914 333 2458
> ---------------------------------------------------------------------
> Bert-Jaap Koops                         tel     +31 13 466 8101
> Center for Law, Administration and      facs    +31 13 466 8149
> Informatization, Tilburg University     e-mail  E.J.Koops at kub.nl
>                   --------------------------------------------------
> Postbus 90153    |  This world's just mad enough to have been made  |
> 5000 LE Tilburg  |    by the Being his beings into being prayed.    |
> The Netherlands  |                (Howard Nemerov)                  |
> ---------------------------------------------------------------------
>          http://cwis.kub.nl/~frw/people/koops/bertjaap.htm
> ---------------------------------------------------------------------
> --
> " The way to combat noxious ideas is with other ideas.  
>   The way to combat falsehoods is with truth. " 
> 	-- Justice William O. Douglas, 1958

	- Igor.
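The following is an added worked example of the four-component message described in the quoted announcement; it is not code from the announcement, from the [VT] paper, or from Igor's reply. It assumes plain ElGamal over a toy 64-bit safe-prime group generated at import time (far too small for real use), models the session key as a group element, uses a single random exponent for both key encryptions, and uses a Chaum-Pedersen equality-of-discrete-logs proof (made non-interactive with SHA-256) as the binding data. The "symmetric system" for component 1 is a throwaway SHA-256 keystream standing in for a real cipher. Whether this matches the construction in [VT] is not something the announcement states; it is one way to realise properties (a) and (b) with standard zero-knowledge techniques.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (used only to build the toy group)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=64):
    """Safe prime p = 2q + 1; g = 4 is a square, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()   # assumption: toy parameters, regenerated on every run


def keygen():
    """ElGamal key pair (x, y = g^x) for an addressee or a TRP."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def fs_challenge(*values):
    """Fiat-Shamir challenge: hash of the proof transcript, reduced mod q."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def toy_stream_cipher(key_elem, data):
    """Component 1 stand-in: XOR with a SHA-256 keystream keyed by the session key."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(str(key_elem).encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


def seal(message, y_addr, y_trp):
    """Sender: build components 1-4 for one addressee and one TRP."""
    k = pow(G, secrets.randbelow(Q - 1) + 1, P)   # session key, as a subgroup element
    r = secrets.randbelow(Q - 1) + 1               # one exponent shared by both encryptions
    u = pow(G, r, P)
    c_addr = k * pow(y_addr, r, P) % P             # component 2: key for the addressee
    c_trp = k * pow(y_trp, r, P) % P               # component 3: key for the TRP
    # Component 4: proof that log_G(u) = log_h(w) for h = y_addr/y_trp, w = c_addr/c_trp.
    # That equality holds exactly when both ciphertexts hide the same k, and the
    # proof reveals nothing about k itself.
    h = y_addr * pow(y_trp, -1, P) % P
    w = c_addr * pow(c_trp, -1, P) % P
    t = secrets.randbelow(Q - 1) + 1
    a1, a2 = pow(G, t, P), pow(h, t, P)
    e = fs_challenge(G, h, u, w, a1, a2)
    z = (t + e * r) % Q
    return {"body": toy_stream_cipher(k, message),
            "to_addressee": (u, c_addr), "to_trp": (u, c_trp), "binding": (a1, a2, z)}


def check_binding(msg, y_addr, y_trp):
    """Monitor: uses only components 2, 3, 4 and public keys; never sees k or the body."""
    (u, c_addr), (u2, c_trp) = msg["to_addressee"], msg["to_trp"]
    if u != u2:                      # the proof only binds ciphertexts sharing g^r
        return False
    h = y_addr * pow(y_trp, -1, P) % P
    w = c_addr * pow(c_trp, -1, P) % P
    a1, a2, z = msg["binding"]
    e = fs_challenge(G, h, u, w, a1, a2)
    return pow(G, z, P) == a1 * pow(u, e, P) % P and pow(h, z, P) == a2 * pow(w, e, P) % P


def recover_key(component, x):
    """ElGamal decryption of a session-key component by the holder of x."""
    u, c = component
    return c * pow(pow(u, x, P), -1, P) % P


def open_body(msg, k):
    return toy_stream_cipher(k, msg["body"])


def demo():
    """Returns (honest message passes, addressee and TRP get the same key, tampered copy fails)."""
    x_a, y_a = keygen()
    x_t, y_t = keygen()
    msg = seal(b"meeting at noon", y_a, y_t)
    honest = check_binding(msg, y_a, y_t)
    same_key = recover_key(msg["to_addressee"], x_a) == recover_key(msg["to_trp"], x_t)
    # Component 3 re-pointed at a different key while the binding data is left unchanged.
    u, c_trp = msg["to_trp"]
    tampered = dict(msg, to_trp=(u, c_trp * pow(G, 12345, P) % P))
    return honest, same_key, check_binding(tampered, y_a, y_t)
```

Two points the code makes concrete. First, `check_binding` reads nothing but components 2, 3 and 4 plus public keys, which is property (b): a network operator can run it without learning the session key. Second, it also reads nothing of component 1, which is exactly the gap Igor's question points at: the binding relation ties the two key components to each other, not to the body, so a monitor running this check learns only that the addressee and the TRP would recover the same `k`. The degenerate case `y_addr == y_trp` (then `h == 1`) is not handled and would need rejecting in a real checker.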
