GB2331898A - Fair escrow cryptosystem - Google Patents


Publication number: GB2331898A
Authority: GB (United Kingdom)
Prior art keywords: escrow, cryptosystem, protocol, fair, user
Legal status: Granted; now Expired - Fee Related
Application number: GB9725452A
Other versions: GB9725452D0, GB2331898B
Inventor: Wenbo Mao
Current Assignee: HP Inc
Original Assignee: Hewlett Packard Co
Application filed by Hewlett Packard Co with priority to GB9725452A; published as GB9725452D0 and GB2331898A, and as GB2331898B on grant.

Classifications (CPC)

    • H04L9/302: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes
    • H04L9/3013: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters involving the discrete logarithm problem, e.g. ElGamal or Diffie-Hellman systems

Both fall under H04L9/00 (Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols), within H04L (Transmission of digital information, e.g. telegraphic communication), H04 (Electric communication technique) and H (Electricity).

Abstract

A fair escrow cryptosystem protocol is described which enables a user's private key to be divided into shares which are held by respective escrow agents such that the correctness of the shares can be ascertained without requiring the escrow agents to be on-line. The protocol is advantageously applied to the RSA cryptosystem wherein the user generates a public/private key pair and transmits a respective share of the private key to each of a plurality of escrow agents, each share being encrypted using the public key of the respective escrow agent. The protocol enables anyone to verify the correctness of the shares from the knowledge of the user's and the escrow agents' public keys.

Description

FAIR ESCROW CRYPTOSYSTEMS

The present invention relates to fair escrow cryptosystems and finds particular application in systems which make use of the difficulty of factorising very large numbers to provide a secure means of encrypting data. An example of such a system is the RSA cryptosystem developed by Rivest, Shamir and Adleman.
In such cryptosystems, termed "public-key systems", a message is encrypted using as an encryption key a "public key" associated with the intended recipient of the message. The recipient is then able to decrypt the message using his/her "private key". Public keys, as their name suggests, are public information, whereas private keys are known only to their associated user.
In practice, a user will encrypt a secret message using as an encryption key the public key of the intended addressee, who is then able to decrypt the secret message using his/her private key, which of course is not known to the sender. However, the user can "sign" a message by encrypting a signature using his/her private key, which can then be decrypted by any addressee using the sender's public key. In this way, the true identity of the sender is established.
Such cryptosystems therefore differ from "symmetric" systems where messages are encrypted and decrypted using the same encryption key, or where the decryption key can be readily ascertained from the encryption key. An example of such a symmetric cryptosystem is the Data Encryption Standard (DES).
The public key systems to which the present invention relates are based on the realisation that it is not possible, within a reasonable time-scale, to factorise a large number which is the product of two prime numbers P, Q of approximately equal magnitude.
The product N itself forms part of the public key, and a number derived from the two prime factors P,Q of this product forms the private key. In practice, the two prime numbers P,Q are each equal to 3 (mod 4), and the product N is then termed a Blum integer.
One main advantage of public key systems is that the private key is known only to one user. However, this presents the problem that, should that user lose the private key, then messages sent to that user which have been encrypted using his/her public key cannot ever be decrypted. Furthermore, it is not possible for third parties, in the event that this is considered desirable, to decrypt such messages. It would of course be possible for a single third party to be entrusted with a user's private key. However, this would defeat the object of having a private key, since the user could never be certain as to whether or not messages intended for him/her have been intercepted by that third party.
To overcome this problem, a system has been developed wherein a user's private key is split up into "shares", each of which is entrusted to a respective third party. In this way, it is possible, should the need arise, for a user's private key to be reconstructed from such shares and used to decrypt messages addressed to that user.
Thus, each trusted third party holds a share of a user's private key in escrow, and such systems are therefore termed "fair escrow" systems, since they provide a balance between individuals' privacy rights and the security of the public. Each third party is termed an escrow agent (EA).
Each EA must verify the correctness of the share it receives to ensure that, if necessary, the user's private key can be recovered by cooperation between the EAs. Such verifiable secret sharing (VSS) has to date involved EAs receiving and verifying messages on line.
In such an arrangement, a user transmits to each EA a respective portion, or share, of its private key, together with that user's public key. Each EA then performs an algorithm involving both the user's public key and the received share of the user's private key to ascertain the correctness of the received share. Each EA subsequently confirms that its respective received share is correct by making a public announcement or by interacting with other EAs.
The user is then free to transmit and receive secret messages using his/her public/private key pair.
A number of such fair escrow systems have been proposed, for example in: M. Bellare and S. Goldwasser, Verifiable Partial Key Escrow, Proceedings of 4th ACM Conference on Computer and Communications Security, Zurich, April 1997; J. Kilian and T. Leighton, Fair Cryptosystems, Revisited - A Rigorous Approach to Key Escrow, Advances in Cryptology - Proceedings of CRYPTO'95 (LNCS 963), pages 208-221, Springer-Verlag, 1995; S. Micali, Fair Public Key Cryptosystems, Advances in Cryptology - Proceedings of CRYPTO'92 (LNCS 740), pages 113-138, Springer-Verlag, 1993; T. Okamoto, Threshold Key-Recovery System for RSA, Proceedings of 1997 Security Protocols Workshop, Paris, April 1997; and D. Denning and D. Branstad, A Taxonomy for Key Escrow Encryption Systems, Communications of the ACM, 39, 3, March 1996, pages 34-40.
A major problem with the above arrangement, wherein each escrow agent must verify its received share, is that the escrow agent must necessarily be on-line whenever a new user wishes to establish a public/private key pair, which can result in communication channels becoming blocked. This is true even in systems which do not require interaction between the EAs, as described by: P. Feldman, A Practical Scheme for Non-Interactive Verifiable Secret Sharing, Proceedings of the 28th IEEE Symposium on the Foundations of Computer Science (FOCS), pages 427-437, 1987; and T. Pedersen, Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, Advances in Cryptology - Proceedings of CRYPTO'91 (LNCS 576), Springer-Verlag, 1992. In this case, shareholders need not exchange messages among themselves. What they need to do is to receive and verify messages, and remain silent if no error is detected. The messages are assumed to be correct if after a specified time no one claims an error.
However, each EA must be trusted to provide the correct indication as to whether its received share is indeed correct. For example, a user may collude with an escrow agent to the effect that the escrow agent incorrectly claims to have received a correct share.
To overcome this security problem, additional techniques are required with associated additional cost.
These problems have been recognised in a UK Government proposal for the licensing of trusted third parties for encryption services, which stipulated a requirement for key escrow techniques using trusted third parties and that such a technique "should not require either regular or on-line communications between trusted third parties" (Department of Trade and Industry (UK), Licensing of Trusted Third Parties for the Provision of Encryption Services, Public Consultation Paper on Detailed Proposals for Legislation, http://dtiinfoi.dti-.gov.uk/pubs, Annex E: Minimum Requirements for an International TTP Architecture). Functional VSS-based techniques that require EAs to receive and verify messages on line would not therefore qualify for application to a large system.
It would therefore be desirable to provide a fair escrow cryptosystem which overcomes, or at least mitigates, these problems.
In accordance with a first aspect of the present invention, there is provided a fair escrow cryptosystem in which a user generates a public key/private key pair and wherein the private key is divided into shares, each of which is to be retained by a respective escrow agent, the arrangement being such that when the private key shares are each encrypted using a public key of the respective escrow agent, the correctness of the private key can be determined from the encrypted private key shares without decryption.
In accordance with a second aspect of the present invention, there is provided a fair escrow cryptosystem protocol for ensuring that data have been correctly encrypted, wherein a user encrypts two prime numbers P, Q using one or more public encryption keys and transmits the encrypted values of P and Q, together with N wherein N = PQ, and a receiver verifies that N = PQ using said public encryption keys.
This arrangement enables any third party to verify the correctness of the shares from a knowledge of the public keys of the user and the EAs. Such publicly verifiable encryption (PVE) can achieve practical fair key escrow using inactive or off-line EAs, as described by M. Stadler, Publicly Verifiable Secret Sharing, Advances in Cryptology - Proceedings of EUROCRYPT'96 (LNCS 1070), pages 190-199, Springer-Verlag, 1996. In PVE, not only the recipient but everybody is able to verify the correctness of an encrypted message without knowing the message content. An escrowed key can therefore be established without sending a message to any EA, since any party, e.g. a key certification authority or a network supplier, can receive and verify the messages for the EAs. An escrow cryptosystem using off-line EAs is termed an off-line escrow cryptosystem.
It has been considered by the inventor to provide an off-line escrow cryptosystem for the discrete logarithm based public-key cryptosystems such as the ElGamal encryption scheme. To the inventor's knowledge, so far no off-line escrow scheme for the factoring based cryptosystems such as RSA has been proposed.
The preferred embodiment of the present invention relates to an off-line escrow cryptosystem for the RSA system. A user generates an RSA modulus, proves it to be a Blum integer and verifiably encrypts the splits of the factors under the public keys of the EAs. A single party will suffice to interface the user and verify the correctness of the escrowed factors for the off-line EAs.
Although RSA is the most popular public-key cryptosystem, few fair escrow cryptosystems have been proposed for RSA. Two known schemes are: S. Micali, Fair Public Key Cryptosystems, Advances in Cryptology - Proceedings of CRYPTO'92 (LNCS 740), pages 113-138, Springer-Verlag, 1993; and T. Okamoto, Threshold Key-Recovery System for RSA, Proceedings of 1997 Security Protocols Workshop, Paris, April 1997.
Micali's scheme for RSA is based on the following number theoretic facts: (i) there exist efficient protocols for showing probabilistic evidence that a composite number N is the product of two primes (Blum integer) (see M. Blum, Coin Flipping by Telephone: a Protocol for Solving Impossible Problems, Proceedings of 24th IEEE Computer Conference (CompCon), pages 133-137, 1982; J. van de Graaf and R. Peralta, A Simple and Secure Way to Show the Validity of Your Public Key, Advances in Cryptology - Proceedings of CRYPTO'87 (LNCS 293), pages 128-134, Springer-Verlag, 1988; and S. Micali, supra); (ii) for such a number, a quadratic residue in Z_N has different square roots with opposite Jacobi symbols ±1 modulo N, and such a pair of square roots provides an efficient algorithm to factor N; and (iii) the product of several quadratic residues (or square roots) is itself a quadratic residue (or a square root) with Jacobi symbol equal to the product of those of the individual values.
Using these facts, an RSA private key as the factors of a modulus N can be escrowed as follows. The user generates a quadratic residue (modulo N) which is the product of several other quadratic residues; sends a square root (with Jacobi symbol -1) of the product to a key-management centre; sends a square root (with Jacobi symbol 1) of each individual quadratic residue to a respective trustee; each trustee verifies that the value received has the correct Jacobi symbol. Thus, when all of the trustees disclose the square roots escrowed with them, N can be factored because two square roots of the same quadratic residue with opposite Jacobi symbols are available.
Obviously, the method requires each trustee to stay on-line to check the correctness of the square root received.
Okamoto's schemes (there are three of them) for RSA are based on combining bit-commitment protocols used in his electronic cash scheme (see T. Okamoto, An Efficient Divisible Electronic Cash Scheme, Advances in Cryptology - Proceedings of CRYPTO'95 (LNCS 963), pages 438-451, Springer-Verlag, 1995) and Pedersen's non-interactive threshold verifiable secret sharing technique (see T. Pedersen, Non-interactive and Information-Theoretic Secure Verifiable Secret Sharing, Advances in Cryptology - Proceedings of CRYPTO'91 (LNCS 576), pages 129-140, Springer-Verlag, 1992). Although the verifiable secret sharing technique is non-interactive (in fact the trustees must remain on-line, or active, to receive and verify their shares), the bit-commitment protocols require interactions between each of the trustees and the user who wants to establish a public key. In addition, in two of the three schemes, the trustees must also prepare several system parameters for each instance of key escrow, and these parameters are functions of the RSA modulus N that the user wants to establish as public key. These agreements have to be reached through real-time negotiations between the user and the trustees, as well as among the trustees. The need for interaction between the user and each of the trustees is the major disadvantage of Okamoto's schemes.
A preferred embodiment of the present invention will now be described.
The theoretical basis of the invention derives from the following two observations:
1) Opening ElGamal homomorphic encryption with zero information leakage. Let E_y(n): G1 → G2 denote the ElGamal encryption that encrypts the element n ∈ G1 to the ciphertext E_y(n) ∈ G2 under the public key y. Let further · and ⊗ denote the group operations in G1 and G2 respectively. Then E_y(n1) ⊗ E_y(n2) = E_y(n1 · n2), and n1 · n2 ∈ G1 can be made public by opening E_y(n1) ⊗ E_y(n2) without disclosing n1 or n2 in G1 (Proposition 3).
2) Multiplication in Z resulting in a product of minimal bit-length. For n1 n2 ≡ n (mod q), the sum of the bit-lengths of n1 and n2 is minimal relative to that of n when n1 | n and n2 | n (Proposition 4).
A combined use of these two observations forms the working principle of an off-line escrow cryptosystem for RSA.
Cryptographic Primitives
Throughout this specification two public groups will be used, constructed as follows.
Let r be a large prime such that q = 2r + 1 and p = kq + 1 are also prime, where k is any even number. Number theoretic research (see J.A. Gordon, Strong Primes Are Easy to Find, Advances in Cryptology - Proceedings of EUROCRYPT'84 (LNCS 209), pages 216-223, Springer-Verlag, 1985) has shown that it is not difficult to find such primes.
Let h ∈ Z_q* be an element of order r, and H be the multiplicative group generated by h. Let further g ∈ Z_p* be an element of order q, and G be the multiplicative group generated by g. With these settings, the following two congruences hold: h^r ≡ 1 (mod q) and g^q ≡ 1 (mod p). It can be assumed that it is difficult to compute discrete logarithms to the bases h and g.
The present invention may make use of a variation of Stadler's verifiable encryption of discrete logarithms which uses double exponentiation. By double exponentiation with bases g and h the function mapping of equation (1) from x ∈ Z to y ∈ G is intended.
The encryption will use the ElGamal cryptosystem (see T. ElGamal, A Public-Key Cryptosystem and A Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory, IT-31(4), 469-472, July 1985). Let X ∈ Z_r be the private key of someone other than the Verifier and Y = (h^X mod q) be the matching public key. To encrypt a message M ∈ Z_q under the public key Y, the sender or Prover randomly chooses a session key K ∈_R Z_r (the symbol s ∈_R S means to choose s in S uniformly at random) and calculates the pair (h^K, Y^-K M) (mod q). The ciphertext pair (A, B) can be decrypted using the private key X as follows: M = (A^X B mod q).
A zero-knowledge protocol (herein called Protocol P) will now be described for proving and verifying that a pair (A, B) forms ciphertext in the ElGamal encryption mode that encrypts the discrete logarithm of a known value V to the base g, and that the encryption key is Y, the public key of a third party. The protocol presented here is a variation of Stadler's original version in that the ElGamal ciphertext resulting from this protocol encrypts the discrete logarithm of V rather than an inverse of it.
Protocol P
The Prover and the Verifier both have the common input: A, B, V, Y. The Prover has the task of satisfying the Verifier that ∃K ∈ Z_r, ∃M ∈ Z_q: A = h^K (mod q), B = Y^-K M (mod q), V = g^M (mod p).
With Protocol P, the Prover and the Verifier repeat the following steps l times.
The Prover: a) selects u ∈_R Z_r; b) computes t_h = (h^u mod q); c) computes equation (2); and d) provides t_h and t_g to the Verifier.
The Verifier: e) receives t_h and t_g from the Prover; f) selects c ∈_R {0, 1}; and g) provides c to the Prover.
The Prover: h) receives c from the Verifier; i) computes a = u - cK (mod r); and j) provides a to the Verifier.
The Verifier: k) receives a from the Prover; l) tests whether t_h = (h^a A^c mod q); and m) tests whether equation (3) holds true.
Proposition 1
A first proposition, regarding completeness of Protocol P, states that when the Verifier accepts the result of a protocol run (i.e. each of the testing steps passes in each of the l rounds of proof), the Verifier accepts the following three equations: A = h^K (mod q); B = Y^-K M (mod q); and V = g^M (mod p), for some K ∈ Z_r and M ∈ Z_q.
The proof of Proposition 1 is as follows. In any i-th round for 1 ≤ i ≤ l, the Verifier's choice of c_i = 0 shows that the committed value is in the form of equation (4) for some u_i ∈ Z_r. It follows that the Verifier's choice of c_i = 1 will show that equation (5) holds true. At the same time, for c = 0 the Verifier is shown that equation (6) holds true for some u ∈ Z_r, and for c = 1 the Verifier is shown that, for some u_i ∈ Z_r, equation (8) holds true. Note that A and V are constants regardless of the varying i. Therefore u_i - a_i must be constant for different 1 ≤ i ≤ l when c_i = 1 is chosen; namely, ∃K ∈ Z_r, K = u_i - a_i for c_i = 1 and i = 1, 2, ..., l. The information that the Verifier gets shows them that the two equations (9) and (10) hold true for some K ∈ Z_r. Furthermore, V must be a member of G since t_g is. This means ∃M ∈ Z_q: V = g^M (mod p). Thus, the last equation becomes equation (11) for some M ∈ Z_q. Recall that h and g are generators of their respective groups H and G. So K ∈ Z_r and M ∈ Z_q are unique elements satisfying the equations (9), (10) and (11). Thus, we reach: A = h^K (mod q), B = Y^-K M (mod q), V = g^M (mod p). To this end, it is known that (A, B) does indeed form a pair of ciphertext in ElGamal encryption mode that encrypts the discrete logarithm of V to the base g, and the public key Y is used for the encryption.
Proposition 2
A second proposition, regarding soundness of Protocol P, states that, if any of the equations A = h^K (mod q), B = Y^-K M (mod q), V = g^M (mod p) does not hold, then the Verifier will accept a protocol run with a probability of at most 2^-l. The proof of this proposition is as follows. In any round the Prover must prepare t_h and t_g in such a way that they will be consistent with the challenge bit c ∈ {0, 1}. The Prover can only guess the challenge, and the probability of a correct guess is 1/2.
Using a hash function, the interactive reasoning can be converted into a non-interactive one (using the techniques of: A. Fiat and A. Shamir, How to Prove Yourself: Practical Solution to Identification and Signature Problems, Advances in Cryptology - Proceedings of CRYPTO'86 (LNCS 263), pages 186-194, Springer-Verlag, 1987; or C. P. Schnorr, Efficient Signature Generation for Smart Cards, Journal of Cryptology, 4(3): 161-174, 1991). Let H: {0, 1}* → {0, 1}^l be a cryptographically strong hash function. For i = 1, ..., l, the Prover chooses u_i ∈_R Z_r and calculates equations (12) and (13). Then the Prover computes the following l-tuple: a = (a_1, ..., a_l) = (u_1 - c_1 K (mod r), ..., u_l - c_l K (mod r)), where c_i is the i-th bit of C in equation (14). The non-interactive reasoning consists of the pair (a, C). The Verifier verifies by computing equations (15) and (16) (for i = 1, ..., l) and checking whether equation (14) holds true.
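Protocol P in its interactive form (steps a) to m)) and in its non-interactive (a, C) form, as an added example that is not code from the patent; it uses constructed toy parameters (r = 11, q = 23, p = 47). Equations (2) and (3) are only referenced on this page, so the commitment t_g = g^(Y^u mod q) and its check are assumed here as the natural double-exponentiation form for this setting.

```python
import hashlib
import secrets

# Constructed toy parameters in the page's setting (assumption: tiny primes so every value can be
# followed by hand; a real deployment needs large primes).
r, q, p = 11, 23, 47          # q = 2r + 1, p = kq + 1 with k = 2
h, g = 4, 4                   # h has order r in Z_q*, g has order q in Z_p*
assert pow(h, r, q) == 1 and pow(g, q, p) == 1

def keygen():
    """Key pair of the absent third party: X in Z_r, Y = h^X mod q."""
    X = secrets.randbelow(r - 1) + 1
    return X, pow(h, X, q)

def encrypt(Y, M):
    """ElGamal ciphertext (A, B) = (h^K, Y^-K M) mod q of M in Z_q, plus the public value V = g^M mod p."""
    K = secrets.randbelow(r - 1) + 1
    return K, pow(h, K, q), pow(Y, -K, q) * M % q, pow(g, M, p)

def decrypt(X, A, B):
    """M = A^X B mod q."""
    return pow(A, X, q) * B % q

def commit(Y, u):
    """Prover steps b)-c): t_h = h^u mod q and, by double exponentiation, t_g = g^(Y^u mod q) mod p
    (assumed form of equation (2), which the page only references)."""
    return pow(h, u, q), pow(g, pow(Y, u, q), p)

def respond(u, c, K):
    """Prover step i): a = u - cK (mod r)."""
    return (u - c * K) % r

def recompute(A, B, V, Y, c, a):
    """What the Verifier expects the commitments to be, given challenge c and response a (steps l)-m)).
    For c = 1: Y^u = Y^a Y^K and Y^K = M B^-1 (mod q), so g^(Y^u) = V^(Y^a B^-1 mod q)
    (assumed form of equation (3))."""
    t_h = pow(h, a, q) * pow(A, c, q) % q
    if c == 0:
        return t_h, pow(g, pow(Y, a, q), p)
    return t_h, pow(V, pow(Y, a, q) * pow(B, -1, q) % q, p)

def run_round(A, B, V, Y, K, c):
    """One interactive round of Protocol P with challenge bit c; returns the Verifier's verdict."""
    u = secrets.randbelow(r)
    a = respond(u, c, K)
    return commit(Y, u) == recompute(A, B, V, Y, c, a)

def challenge_hash(A, B, V, Y, commits, rounds):
    """Fiat-Shamir challenge C (equation (14)): l bits of a hash over the statement and all commitments."""
    data = ",".join(map(str, (A, B, V, Y) + tuple(x for t in commits for x in t)))
    digest = hashlib.sha256(data.encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << rounds) - 1)

def prove(A, B, V, Y, K, rounds=32):
    """Non-interactive Protocol P: the proof is the pair (a, C)."""
    us = [secrets.randbelow(r) for _ in range(rounds)]
    C = challenge_hash(A, B, V, Y, [commit(Y, u) for u in us], rounds)
    a = [respond(u, (C >> i) & 1, K) for i, u in enumerate(us)]
    return a, C

def verify(A, B, V, Y, proof, rounds=32):
    """Anyone holding only public data recomputes the commitments from (a, C) and re-derives C."""
    a, C = proof
    if len(a) != rounds:
        return False
    commits = [recompute(A, B, V, Y, (C >> i) & 1, a_i) for i, a_i in enumerate(a)]
    return challenge_hash(A, B, V, Y, commits, rounds) == C
```

The third party holding X never takes part: verification needs only A, B, V, Y and the proof, which is what lets the escrow agents stay off-line.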
In the key escrow system of the present invention, an unconditionally secure bit commitment scheme may be required, and Pedersen's scheme (T. Pedersen, supra) may be used. In this scheme, let g and f be elements of G where nobody knows log_g(f). These elements can be chosen by a trusted centre. Here g is the same number that is used in the Protocol P. Note that because G is the unique subgroup of Z_p* with order q = (p-1)/2, it is easy to find f ∈ G. The trusted centre can relate f and g using a cryptographically secure hash function and publish the hashed relationship to show that the multiplicative relationship between these two elements is not known (for details see e.g. M. Bellare and S. Goldwasser, supra).
The prover commits themself to an s ∈_R Z_q by choosing t ∈_R Z_q and computing equation (17). A commitment is opened by revealing s and t. It can be proved that (i) the commitment E(s, t) reveals no information about s, and (ii) the prover cannot open E(s, t) with s' ≠ s unless they can find log_g(f) (see Pedersen, supra; the use of the commitment is described in more detail below).
The verifiable encryption protocol (the Protocol P) establishes a verifiable encryption of the discrete logarithm of a known value, and the encryption uses the public key of a party who need not participate in the protocol run. The technique can be used to establish a discrete-logarithm-based escrow cryptosystem, and the escrowing procedure can be completed without participation of the escrow agents. In this section it is assumed that Y = h^X mod q is a public key whose discrete logarithm X has been fairly escrowed. This public key will be used to further escrow the factors of an RSA modulus.
Two new observations are now introduced that form the underlying idea of the present invention.
Observation 1
The first observation should be referred to as the multiplicative property of opening ElGamal homomorphic encryption with zero information leakage. Let equations (18) and (19) be two pairs of ciphertext encrypting numbers n1 and n2 respectively under the public key y. Multiplying A1 and A2, and B1 and B2, we get equation (20). The sender can disclose n1 n2 (mod q) by revealing k1 + k2 (mod r) because of equation (21).
The following proposition states that disclosing k1 + k2 gives away no measurable information about n1 and n2.
Proposition 3
This states that the difficulty of deciding n1 ∈ Z_q from the information (A1, B1), (A2, B2) and k1 + k2 (mod r) is exactly the same as that of deciding it without using the information k1 + k2 (mod r). The proof of Proposition 3 is as follows. We show that, whether or not using k1 + k2, the task of deciding n1 requires a decision of the Diffie-Hellman problem, which is to decide whether (a, b, c) in H has the relationship defined by equation (22). This ability suffices to break the ElGamal encryption in equations (18) and (19) without using the information k1 + k2. Denoting k1 + k2 by u, we can rewrite B1, B2 into equations (23) and (24) for any α ∈ Z_r. Note that when α ranges through Z_r, because y is a generator of H of order r = (q-1)/2 (see the settings of h, H, r, q and y above), we know that y^α n1 (respectively y^-α n2) ranges either through H if n1 ∈ H (if n2 ∈ H), or through Z_q \ H if n1 ∈ Z_q \ H (if n2 ∈ Z_q \ H). So from the knowledge of n1 n2 (mod q) (a result of knowing u) we merely know that y^α n1 and y^-α n2 are uniformly distributed in Z_q, which means α is uniformly distributed in Z_r. Thus, to decide n1 (and n2) we need to decide whether the expression (25) is a Diffie-Hellman triple for α = 0 (mod r), or it is not otherwise. The knowledge of u plays no role in the decision.
The proof of Proposition 3 demonstrates that for the value n1 n2 (mod q) revealed from opening the product of two ElGamal encryptions using equation (21), there are r = (q-1)/2 different ways to set n1 ∈ H, or r different ways to set it in Z_q \ H, depending on whether B1 ∈ H (which is easy to test). For each setting we will have a respective n2 (mod q) to satisfy the value revealed. It is computationally infeasible to decide what n1 and n2 are.
Observation 2
Nevertheless, if we have a method to decide the bit-lengths of the messages encrypted, then under certain conditions we can decide whether the individual numbers encrypted in equations (18) and (19) will divide the value revealed (division in Z). Our second observation, called the minimal bit-length property of multiplication in Z resulting in a product of minimal bit-length, sets the conditions needed. Let bl(n) be the bit-length of n in the binary presentation (i.e. the integer part of log2(n) + 1). We describe the observation in the following proposition.
Proposition 4
Let n1 n2 = n (mod q), 0 < n < q, and (bl(n) + 2) ≤ L < bl(q). Proposition 4 states that if (bl(n1) + bl(n2)) ≤ (bl(n) + 1) then n1 exactly divides n and n2 exactly divides n in Z. The proof of Proposition 4 is as follows. Suppose to the contrary that n1 does not exactly divide n or n2 does not exactly divide n in Z. Then n1 n2 = n + lq for some integer l ≠ 0. Noting 0 < n < q, then (bl(n1) + bl(n2)) ≥ bl(n1 n2) = bl(n + lq) ≥ bl(q) - 1 ≥ L > (bl(n) + 1), contradicting the condition (bl(n1) + bl(n2)) ≤ (bl(n) + 1).
Verifiable Encryption of Factors of a Composite
We are now ready to present the new escrow cryptosystem for RSA, in which the Verifier may be, for example, a key certification authority.
Protocol Q: Escrowing Factors of an RSA Modulus
Task: The Prover encrypts two primes P and Q under a public key Y with the formulation Y = h^X mod q, where the private key X has been fairly escrowed by a number of off-line escrow agents. The Prover sends the encrypted data and discloses N to the Verifier. The Verifier verifies PQ = N using the public key Y.
More specifically, the Prover: a) generates two primes P, Q such that P = 3 (mod 4), Q = 3 (mod 4), N = PQ, and abs(bl(P) - bl(Q)) < c (e.g. c = 10), where abs(bl(P) - bl(Q)) is the absolute value of (bl(P) - bl(Q)); b) computes V1 = g^P mod p, V2 = g^Q mod p; c) encrypts P in A1, B1, and Q in A2, B2 under the public key Y. Here equations (26) and (27) hold true for some K1, K2 ∈_R Z_r; d) prepares bit-commitment values (to be described below); and e) sends to the Verifier: A1, B1, V1, A2, B2, V2, (K1 + K2) (mod r) and N.
The Verifier: f) receives from the Prover A1, B1, V1, A2, B2, V2, (K1 + K2) (mod r) and N; and g) verifies that equation (28) holds true.
The Prover: h) shows to the Verifier evidence that N consists of only two distinct primes. Interactive or non-interactive protocols are available for showing such evidence (see M. Blum, supra; J. van de Graaf et al., supra; and S. Micali, supra). These methods require the Prover to send to the Verifier roughly 100 integers modulo N for a simple procedural check, and thus are very efficient. (Some special cases of N will be discussed later.)
The Prover and the Verifier: i) run the Protocol P (the non-interactive version can be used) with input A1, B1, V1, Y to prove proper encryption of P, and with input A2, B2, V2, Y to prove proper encryption of Q.
The Prover: j) proves to the Verifier that (bl(P) + bl(Q)) ≤ (bl(N) + 1) and abs(bl(P) - bl(Q)) < c (e.g. c = 10) (to be described in detail below).
In step "j" the bit-length testing abs(bl(P) - bl(Q)) < 10 is to exclude the trivial factoring cases such as P = 1 and Q = N. This requirement follows the recommended procedure for RSA key setting-up.
Upon successful termination of a run of the Protocol Q (i.e. the Verifier accepts the verification), the Verifier will certify N as the Prover's public key and archive the respective data for possible future use (key recovery).
We point out that if the Protocol P and the protocol for proof of N's two-prime-product structure are run in their non-interactive versions (a likely situation in reality), then the cryptographically strong hash functions used in the proofs act as publicly trustworthy challengers. In these cases, the verification procedures conducted by the Verifier (e.g. computing the right-hand sides of equations (15) and (16) and checking equation (14) in the case of the Protocol P) can be repeated by any third party. Collusion between the Prover and the Verifier is computationally infeasible.
The bit-commitment details mentioned in step "j" above will now be described in more detail. It suffices to describe how to commit to bl(P). Let m = bl(P) - 1 and let

P = a_m 2^m + a_{m-1} 2^{m-1} + ... + a_0 2^0, for a_i ∈ {0, 1} and i = 0, 1, ..., m,

be the binary representation of P. The Prover chooses

(A) u_0, ..., u_m ∈_R Z_q.

The Prover computes

(B) u = u_0 2^0 + u_1 2^1 + ... + u_m 2^m (mod q)

and A_i = E(a_i, u_i) for i = 0, 1, ..., m. The Prover sends the A_i and u to the Verifier. The verification step by the Verifier is as follows. The Verifier checks whether equation (29) holds true.
Then, for each A_i (i = 0, 1, ..., m), the Prover and the Verifier shall run a sub-protocol ("Protocol R") to prove the one-bit length of the committed a_i. The protocol shows either A_i = g f^{u_i} or A_i = f^{u_i} without revealing which one is the case. Such a proof of knowledge is called a witness indistinguishable proof. Protocol R is obtained by applying the transformation described in R. Cramer, I. Damgård and B. Schoenmakers, Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols, Advances in Cryptology - Proceedings of CRYPTO'94 (LNCS 839), pages 174-187, Springer-Verlag, 1994, to the Schnorr identification protocol of C.P. Schnorr, supra, on the instance (A, A/g), with a one-out-of-two threshold scheme to show that the prover knows the discrete logarithm of either of the inputs without revealing which. It has many useful applications; see for example M. Bellare et al, supra, and R. Cramer, R. Gennaro and B. Schoenmakers, A Secure and Optimally Efficient Multi-Authority Election Scheme, Advances in Cryptology - Proceedings of EUROCRYPT'97 (LNCS 1233), pages 103-118, Springer-Verlag, 1997.
Protocol R

The Prover and the Verifier both have the common input A, f, g ∈ G. Also, the Prover has the input y ∈ Z_q. The task of the Prover is to satisfy the Verifier either that A = f^y, or that A = g f^y. The Prover and the Verifier repeat the following steps m times:

The Prover: if A = f^y is chosen: a) selects w, r2, c2 ∈_R Z_q; b) computes a = f^w; and c) computes expression (30); or if A = g f^y is chosen: d) selects w, r1, c1 ∈_R Z_q; e) computes expression (31); and f) computes b = f^w; and g) provides a and b to the Verifier.

The Verifier: h) receives a and b from the Prover; i) selects c ∈_R Z_q; and j) provides c to the Prover.

The Prover: k) receives c from the Verifier; if A = f^y was chosen: l) computes c1 = c - c2; and m) computes r1 = w + c1 y; or if A = g f^y was chosen: n) computes c2 = c - c1; and o) computes r2 = w + c2 y; and p) provides r1, r2, c1 and c2 to the Verifier.

The Verifier: q) receives r1, r2, c1 and c2 from the Prover; r) tests whether c = c1 + c2 (mod q); and s) tests whether expressions (32) and (33) hold true.
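Protocol R above, together with the commitments (A), (B) and the Verifier's check of equation (29), as an added Python example that is not the patent's own code: p = 2q + 1 = 2039, g = 4 and f = 9 are constructed toy parameters, the function names are my own, and the Verifier's challenge is drawn at random as in step i).

```python
import secrets
from math import prod
# Constructed toy parameters (far too small for real use): p = 2q + 1, and g, f both
# generate the order-q subgroup of Z_p^*; Protocol R assumes log_g(f) is known to nobody.
p, q, g, f = 2039, 1019, 4, 9
RNG = secrets.SystemRandom()      # anything with randrange(); a seeded random.Random also works

def E(a, u):
    """Bit commitment E(a, u) = g^a f^u (mod p), so A = f^u (bit 0) or A = g f^u (bit 1)."""
    return pow(g, a, p) * pow(f, u, p) % p

def prover_commit(A, bit, y, rng=RNG):
    """Protocol R steps a)-g): fresh w for the true branch, simulated (r, c) for the other."""
    st = {"bit": bit, "y": y, "w": rng.randrange(1, q)}
    A_over_g = A * pow(g, -1, p) % p
    if bit == 0:                                            # true statement: A = f^y
        st["r2"], st["c2"] = rng.randrange(q), rng.randrange(q)
        a = pow(f, st["w"], p)                                              # a = f^w
        b = pow(f, st["r2"], p) * pow(A_over_g, -st["c2"], p) % p           # (30)
    else:                                                   # true statement: A = g f^y
        st["r1"], st["c1"] = rng.randrange(q), rng.randrange(q)
        a = pow(f, st["r1"], p) * pow(A, -st["c1"], p) % p                  # (31)
        b = pow(f, st["w"], p)                                              # b = f^w
    return a, b, st

def prover_respond(st, c):
    """Steps k)-p): split c = c1 + c2 (mod q); the true branch gets r = w + c*y."""
    if st["bit"] == 0:
        st["c1"] = (c - st["c2"]) % q
        st["r1"] = (st["w"] + st["c1"] * st["y"]) % q
    else:
        st["c2"] = (c - st["c1"]) % q
        st["r2"] = (st["w"] + st["c2"] * st["y"]) % q
    return st["r1"], st["r2"], st["c1"], st["c2"]

def verify_bit(A, a, b, c, r1, r2, c1, c2):
    """Steps r)-s): c = c1 + c2 (mod q) plus equations (32) and (33)."""
    A_over_g = A * pow(g, -1, p) % p
    return ((c1 + c2) % q == c % q
            and pow(f, r1, p) == a * pow(A, c1, p) % p                      # (33)
            and pow(f, r2, p) == b * pow(A_over_g, c2, p) % p)              # (32)

def commit_bits(P, rng=RNG):
    """Steps (A) and (B): A_i = E(a_i, u_i) for each bit a_i of P and u = sum u_i 2^i."""
    bits = [(P >> i) & 1 for i in range(P.bit_length())]
    us = [rng.randrange(q) for _ in bits]
    u = sum(ui << i for i, ui in enumerate(us)) % q
    return bits, us, [E(a, ui) for a, ui in zip(bits, us)], u

def check_eq29(V, As, u):
    """Equation (29): V f^u = prod_i A_i^(2^i) (mod p), where V = g^P mod p."""
    rhs = prod(pow(Ai, 1 << i, p) for i, Ai in enumerate(As)) % p
    return V * pow(f, u, p) % p == rhs

def prove_bitlength(P, rng=RNG):
    """Step j) for one prime: Verifier learns bl(P) = len(As) and nothing else about P."""
    V = pow(g, P, p)
    bits, us, As, u = commit_bits(P, rng)
    ok = check_eq29(V, As, u)
    for A, bit, y in zip(As, bits, us):
        a, b, st = prover_commit(A, bit, y, rng)
        c = rng.randrange(q)                                # Verifier's challenge, step i)
        ok = ok and verify_bit(A, a, b, c, *prover_respond(st, c))
    return ok, len(As)
```

A commitment that opens to anything other than 0 or 1 cannot pass verify_bit for a challenge with c2 ≠ 0, which is what makes the accepted bit count equal to bl(P).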
The Verifier will accept bl(P) if the run of Protocol R is accepted for each A_i (i = 0, 1, ..., m) and the check of equation (29) passes. The security of the bit-commitment scheme follows T. Pedersen, supra, and is given below.

Firstly, if P and u are indeed the numbers that the Prover constructed in equations (A) and (B), then equation (34) holds true.

On the other hand, it may be noted that V f^u (mod p) = E(P, u). So if the Prover is able to find a P' ≠ P (mod q) such that E(P, u) = E(P', u'), then u' ≠ u (mod q) and log_g(f) = (P - P')/(u' - u) mod q. This means that the Prover knows log_g(f), contradicting the assumption that it is known to nobody. Therefore, P in equation (A) and u in equation (B) give the only way for the Prover to demonstrate V f^u mod p = E(P, u).
Finally, it may be recalled from the above discussion of bit commitment that the bit commitment A_i = E(a_i, u_i) protects the bit information a_i in an unconditionally secure sense. Therefore the Verifier gets no knowledge about P from the A_i (for i = 0, 1, ..., m) other than the value bl(P).

Key Recovery

We recall that the public key Y that has been used for encrypting P and Q has its private component fairly escrowed under an off-line escrow cryptosystem (dis-log based threshold scheme). Thus, when a specified number of escrow agents co-operate, they can recover the private key of Y, followed by recovering P and Q from (A1, B1) and (A2, B2). Proposition 4 guarantees that the values recovered divide N.
We should point out that the protocols to prove N's two-prime-product structure only go as far as showing that N = R^u S^v for some odd positive integers u, v and distinct primes R, S (see J. van de Graaf et al, supra; and S. Micali, supra). So it remains to complete the factoring of N down to the primes R and S. Below we reason that it is easy to complete the factorisation.

The Prover could have constructed P (and Q) in such a way that each of them consists of powers of both R and S. Then gcd(P, Q) will return either R^i, S^j or R^k S^l for some positive integers i, j, k and l. For the first two cases, binary search for R from R^i for each fixed i takes at most log2(P) steps, and there are only at most log2(P) many i ≥ 1 to search. In reality, i should be sufficiently small, or else R will be too small for the resulting key (the modulus N) to be secure. Analogously we can efficiently search S out of S^j.
Now we focus on the case of gcd(P, Q) = R^k S^l for k, l ≥ 1. In this case, N = PQ = R^u S^v, where P is defined by equation (35) and Q is defined by equation (36). Let P1 and Q1 be defined by equations (37) and (38) respectively. We can further assume that none of the exponents is zero, because the binary searches on P1 and Q1 have failed to return a prime. Now let gcd(P1, Q1) be defined by equation (39). Repeating the same process for a finite number of steps, and keeping on assuming that none of the exponents is zero, we will end up at RS, which is still not prime.

Now come back to observe equations (35) and (36). If u1 ≠ u2, then by repeatedly dividing P by RS a power of R or a power of S will be returned within a finite number of division steps, and we are done. We can obtain the same result by dividing Q if v1 ≠ v2. To this end, the only remaining case of failing to obtain a power of a single prime is u1 = u2 and v1 = v2. Recall that u = u1 + v1 is odd, and so is v = u2 + v2. Thus without loss of generality we reach P = Q (RS)^w for some w ≥ 1. For such P and Q, noting the bit-length condition abs(bl(P) - bl(Q)) < l, we have bl((RS)^w) ≤ bl(P) - bl(Q) + 1 ≤ abs(bl(P) - bl(Q)) + 1 < l + 1. So even for w = 1 and l = 10, R and S are primes of less than 11 bits.
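The completion of factoring just described, as an added Python example that is not the patent's own code: it uses only the tools the text names (gcd, binary search for an integer root followed by a primality test, and trial division for the small-prime case that the bit-length bound leaves), generalises the gcd chain of equations (37) to (39) into a full gcd-refinement loop, and the primes, function names and the bound l = 10 are constructed for the demo.

```python
from math import gcd

def is_prime(n):
    """Trial-division primality test; adequate for the constructed toy sizes."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def iroot(x, i):
    """Binary search for r with r^i = x, the text's 'binary search for R from R^i'."""
    lo, hi = 1, 1 << (x.bit_length() // i + 1)
    while lo <= hi:
        mid = (lo + hi) // 2
        m = mid ** i
        if m == x:
            return mid
        lo, hi = (mid + 1, hi) if m < x else (lo, mid - 1)
    return None

def prime_root(x):
    """Return the prime R if x = R^i for some i >= 1, else None (at most bl(x) roots to try)."""
    for i in range(1, x.bit_length() + 1):
        r = iroot(x, i)
        if r is not None and is_prime(r):
            return r
    return None

def refine(values):
    """Repeated gcd splitting, generalising the P1, Q1, gcd(P1, Q1) chain: replace a pair
    (a, b) with common factor d by (a/d, b/d, d) until all parts are pairwise coprime."""
    parts = [v for v in values if v > 1]
    i = 0
    while i < len(parts):
        for j in range(i + 1, len(parts)):
            d = gcd(parts[i], parts[j])
            if d > 1:
                parts[i], parts[j] = parts[i] // d, parts[j] // d
                parts = [v for v in parts + [d] if v > 1]
                i = -1                       # start over on the new list
                break
        i += 1
    return parts

def recover_primes(P, Q, l=10):
    """Escrow-agent side: P and Q are the recovered values, each a product of powers of
    the same two primes R, S with N = P*Q = R^u S^v.  Returns (R, S) in sorted order."""
    N = P * Q
    primes = sorted({prime_root(v) for v in refine([P, Q])} - {None})
    if len(primes) == 2:
        return tuple(primes)
    # Refinement leaves one composite only when P and Q are powers of the same R^x S^y
    # (the text's P = Q (RS)^w case); abs(bl(P) - bl(Q)) < l then bounds R and S by
    # l + 1 bits, so trial division up to 2^(l + 1) finishes the job.
    small = [r for r in range(2, 1 << (l + 1)) if N % r == 0 and is_prime(r)]
    return tuple(small) if len(small) == 2 else None
```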
Efficiency Analysis

In this section we analyse the efficiency of the scheme.

In Protocol P. Assume that the non-interactive proof is the case and that the output bit length of the cryptographic hash function is l. Then for each ElGamal encryption the prover should compute O(l) modulo exponentiations (mod p). So the time complexity can be expressed by O(l · log2(p)). Setting l to be 80 should make the probability for the prover to succeed at cheating infeasibly small, near 2^-80. Carefully examining the Protocol P we see that the modulo exponentiations for the prover are independent from the message being encrypted. This means that the prover can pre-compute this computationally heavy part of the calculation. Thus the real-time computation for the prover is negligible. The Verifier should compute O(l) modulo exponentiations. Since the Verifier is a key management centre, the computation load is trivial.
In Protocols Q and R. We will not consider computation for the RSA key establishment, as that part is independent from the key escrow technique. The computation load is then mainly in the proof and verification of bl(P) and bl(Q) and of N's two-prime-product structure (Blum integer structure).

From the above we see that showing bl(P) mainly involves computing A_i = E(a_i, u_i) and two modulo exponentiations in Protocol R for i = 0, 1, ..., (bl(P) - 1). The time complexity can be expressed by O(log2(P) · log2(p)). Again we notice that for the prover the calculation can be pre-computed. The verification requires the same amount of computation.

The protocol for proof of Blum integer requires the Prover to send to the Verifier roughly 100 integers modulo N for a simple procedural checking, and thus is very efficient.
In key recovery. All possible structures for P and Q have been analysed above. We have shown that if the recovered P and Q are not prime, then factoring them further down to primes requires a finite number of computation steps, namely primality testing, computing the greatest common divisor and binary search. The number of steps is bounded by log2(N). Thus we can use O(P(log2(N))) to express the time complexity, where P is a polynomial.

Finally we point out that the fair off-line escrow cryptosystem for establishing the dis-log-based public key Y in equation (7) is also efficient. It uses O(t · n · l · log2(q)) to establish the public key Y under a threshold secret sharing scheme, where n is the number of escrow agents who share the private key X, t (< n) is the threshold, l is the bit-length of the secure hash function used in the Protocol P, and q is the prime used in this paper.
Conclusion
We have presented a fair off-line escrow cryptosystem for factoring-based cryptosystems (such as RSA). In addition to the efficiency resulting from using off-line escrow agents, the protocols for establishing escrowed keys and the procedure for key recovery are efficient in their own right. From the results of the security analysis (Propositions 1-4) and the efficiency analysis, the technique proposed can realise a secure, practically low-cost and scalable fair escrow cryptosystem.
Equations

Equations (1) to (16) and (18) to (25) belong to the earlier part of the description (including Protocol P, whose checks are equations (14) to (16)) and are not legibly preserved in this copy; equation (7) defines the public key $Y = h^X \pmod q$. The equations referenced in the text above are:

(17) $E(a, u) = g^a f^u \pmod p$

(26) $A_1 = h^{K_1},\ B_1 = Y^{-K_1} P \pmod q$

(27) $A_2 = h^{K_2},\ B_2 = Y^{-K_2} Q \pmod q$

(28) $h^{K_1 + K_2} = A_1 A_2,\ N = Y^{K_1 + K_2} B_1 B_2 \pmod q$

(29) $V f^u = \prod_{i=0}^{m} A_i^{2^i} \pmod p$

(30) $b = f^{r_2} (A/g)^{-c_2}$

(31) $a = f^{r_1} A^{-c_1}$

(32) $f^{r_2} = b\,(A/g)^{c_2}$

(33) $f^{r_1} = a\,A^{c_1}$

(34) $\prod_{i=0}^{m} A_i^{2^i} = g^{a_0 2^0 + a_1 2^1 + \cdots + a_m 2^m} f^{u_0 2^0 + u_1 2^1 + \cdots + u_m 2^m} = V f^u \pmod p$

(35) $P = R^{u_1} S^{u_2}$

(36) $Q = R^{v_1} S^{v_2}$

(37) $P_1 = P/(R^k S^l) = R^{u_1 - k} S^{u_2 - l}$

(38) $Q_1 = Q/(R^k S^l) = R^{v_1 - k} S^{v_2 - l}$

(39) $\gcd(P_1, Q_1) = R^{k'} S^{l'}$

Claims (1)

CLAIMS:
    1. A fair escrow cryptosystem in which a user generates a public key/private key pair and wherein the private key is divided into shares each of which is to be retained by a respective escrow agent, the arrangement being such that when the private key shares are each encrypted using a public key of the respective escrow agent, the correctness of the private key can be determined from the encrypted private key shares without decryption.
    2. A cryptosystem as claimed in Claim 1, in which the private key/public key pair is generated from two large prime numbers and the product thereof.
    3. A cryptosystem as claimed in Claim 2, using the RSA system.
    4. A cryptosystem as claimed in any preceding claim, wherein the user's public key comprises an integer N which is the product of two prime numbers P, Q which satisfy the relations: P ≡ 3 (mod 4); Q ≡ 3 (mod 4); and abs(bl(P) - bl(Q)) < a predetermined number; where bl(P) and bl(Q) are the bit lengths of P and Q respectively and abs(X) is the absolute value of X.
    5. A fair escrow cryptosystem as claimed in any preceding claim, wherein the escrow agents remain off line.
    6. A fair escrow cryptosystem protocol for ensuring that data have been correctly encrypted, wherein a user encrypts two prime numbers P, Q using one or more public encryption keys and transmits the encrypted values of P and Q, together with N wherein N = PQ and a receiver verifies that N = PQ using said public encryption keys.
    7. A cryptosystem protocol as claimed in Claim 6, wherein P ≡ 3 (mod 4) and Q ≡ 3 (mod 4).
    8. A cryptosystem protocol as claimed in Claim 6, wherein the user:
    (a) generates said two prime numbers P, Q such that P ≡ 3 (mod 4), Q ≡ 3 (mod 4), N = PQ, abs(bl(P) - bl(Q)) < l; where bl(P) and bl(Q) are the bit lengths of P and Q respectively, abs(X) is the absolute value of X and l is a predetermined number;
    (b) computes V1 = g^P mod p, V2 = g^Q mod p; and
    (c) encrypts P in A1, B1 and Q in A2, B2 under the public key Y, where: A1 = h^K1, B1 = Y^-K1 P (mod q), A2 = h^K2, B2 = Y^-K2 Q (mod q), for some K1, K2 ∈_R Z_r.
    9. A cryptosystem protocol as claimed in Claim 8, wherein the protocol steps are:
    (a) the user U sends to a verifier V: A1, B1, V1, A2, B2, V2, (K1 + K2) (mod r) and N;
    (b) V verifies that: h^(K1 + K2) = A1 A2, N = Y^(K1 + K2) B1 B2 (mod q);
    (c) U shows to V evidence that N consists of only two distinct primes;
    (d) U and V perform a protocol with input A1, B1, V1, Y to prove proper encryption of P, and with input A2, B2, V2, Y to prove proper encryption of Q; and
    (e) U proves to V that: bl(P) + bl(Q) ≤ bl(N) + 1 and abs(bl(P) - bl(Q)) < l.
    10. A cryptosystem protocol as claimed in Claim 8, wherein step (c) comprises U sending to V a plurality of integers modulo N.
    11. A fair escrow cryptosystem as claimed in any one of claims 6 to 10, wherein the receiver remains off line.
    12. A fair escrow cryptosystem substantially as hereinbefore described.
    13. A fair escrow cryptosystem protocol substantially as hereinbefore described.
GB9725452A 1997-12-01 1997-12-01 Fair escrow cryptosystems Expired - Fee Related GB2331898B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
GB9725452A GB2331898B (en) 1997-12-01 1997-12-01 Fair escrow cryptosystems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB9725452A GB2331898B (en) 1997-12-01 1997-12-01 Fair escrow cryptosystems

Publications (3)

Publication Number Publication Date
GB9725452D0 GB9725452D0 (en) 1998-01-28
GB2331898A true GB2331898A (en) 1999-06-02
GB2331898B GB2331898B (en) 2003-03-12

Family

ID=10822969

Family Applications (1)

Application Number Title Priority Date Filing Date
GB9725452A Expired - Fee Related GB2331898B (en) 1997-12-01 1997-12-01 Fair escrow cryptosystems

Country Status (1)

Country Link
GB (1) GB2331898B (en)

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU1680395A (en) * 1994-01-13 1995-08-01 Bankers Trust Company Cryptographic system and method with key escrow feature
US5666414A (en) * 1996-03-21 1997-09-09 Micali; Silvio Guaranteed partial key-escrow

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2004073253A2 (en) * 2003-02-14 2004-08-26 Consejo Superior De Investigaciones Científicas Encryption method and device using an rsa-type cryptosystem
ES2217959A1 (en) * 2003-02-14 2004-11-01 Consejo Sup. Investig. Cientificas Encryption method and device using an rsa-type cryptosystem
WO2004073253A3 (en) * 2003-02-14 2008-10-23 Consejo Superior Investigacion Encryption method and device using an rsa-type cryptosystem

Also Published As

Publication number Publication date
GB9725452D0 (en) 1998-01-28
GB2331898B (en) 2003-03-12

Legal Events

Date Code Title Description
732E Amendments to the register in respect of changes of name or changes affecting rights (sect. 32/1977)

Free format text: REGISTERED BETWEEN 20120329 AND 20120404

PCNP Patent ceased through non-payment of renewal fee

Effective date: 20121201