BEST MODE OF CARRYING OUT THE INVENTION

[0073] Three embodiments of the invention are described below, the first two embodiments concerning blinded, identifier-based (IB), mediated RSA methods and systems in which the value of the encryption exponent e is varied, and the third embodiment concerning a blinded, non-IB, mediated RSA method and system in which the value of e is kept constant and the value of the modulus n is made recipient specific.

[0074] The Identifier-Based Embodiments

[0075] The identifier-based RSA cryptographic method and system forming the first embodiment of the invention is illustrated in FIG. 4 and involves three parties, namely a message sender A acting through computing entity 10 , a message receiver B acting through computing entity 20 , and a trusted authority TA acting through computing entity 50 . The computing entities 10 , 20 and 50 are typically based around program-controlled processors though some or all of the cryptographic functions may be implemented in dedicated hardware. The entities 10 , 20 and 50 inter-communicate, for example, via the internet or other computer network though it is also possible that two or all three entities actually reside on the same computing platform. For convenience, the following description is given in terms of the parties A, B and TA, it being understood that these parties act through their respective computing entities.

[0076] The RSA method of the first embodiment is similar to the prior art method illustrated in FIG. 3 in that a predetermined identifier string ID _B of the intended message recipient B is used by the message sender A to compute the encryption exponent e for encrypting a message, and pre-computed decryption exponent components d _U and d _T are used to decrypt the encrypted message. However, the key generation center KGC and security mediator SEM of the FIG. 3 arrangement are now treated as combined into the single trusted authority TA thereby giving a three-party method and system. Furthermore, in the FIG. 4 method and system, the message recipient B blinds the encrypted message before passing it to the trusted authority for the latter to apply its decryption exponent component d _T , the recipient B cancelling the blinding after receiving back the message processed by the trusted authority

[0077] A more detailed description of the operational steps involved in the FIG. 4 method will now be given.

[0078] Initial Set Up Phase

[0079] This is the same as for the set up phase of the above-described identifier-based mediated RSA method depicted in FIG. 3 with the trusted authority TA carrying out the same steps 1 to 8 as performed by the key generation center KGC; in particular, a domain-specific modulus n is chosen, values of d _U agreed, and values of d _T computed for each recipient identifier string ID _B , these various values being distributed as required. However, because the trusted authority combines the roles of the key generation center and security mediator of the FIG. 3 arrangement, there is no longer a need to securely communicate the computed values of the decryption exponent component d _T , these values simply being kept secret by the trusted authority; in contrast, B now also needs to be provided with the predetermined function F used to compute encryption exponents from the identifier strings ID _B and this can be done in the same way as the function was provided to A or in any other suitable manner.

[0080] Message Transfer Phase

[0081] Encryption of Message by A

[0082] 9. A generates a message m.

[0083] 10. A chooses the identifier string ID _B of the intended recipient and computes the corresponding encryption exponent e _B using the same function F as used by the trusted authority during the set up phase.

[0084] 11. A computes m ^{e _B} mod n and sends this to B.

[0085] Message Blinding by B

[0086] 12. B chooses a secret random number r.

[0087] 13. B computes e _B from the identifier string ID _B using the same function F as used by the trusted authority during the set up phase. The identifier string ID _B may be passed to B by A along with the encrypted message or may be looked up by B using a recipient identifier provided by A (it being assumed that B has access to all identifier strings); alternatively, B can use its own identifier string on the basis that this will be the correct string to use if the message is intended for B (and if it isn't, use of the right or wrong string becomes irrelevant since B will not, in any event, be able to correctly decrypt the message as it does not have the correct d _U ).

[0088] 14. B computes r ^{e _B} mod n.

[0089] 15. B blinds the encrypted message by computing (r ^{e _B} ).(m ^{e _B} ) mod n and sends this to the trusted authority TA together with a recipient identifier (such as the string ID _B ).

[0090] Partial Decryption by the Trusted Authority TA

[0091] 16. The trusted authority TA uses the received recipient identifier to look up the value of d _T to apply and then computes x=((r.m) ^{e _B} ) ^{d _T} mod n and returns x to B.

[0092] Completion of decryption and cancellation of blinding by B

[0093] 17. B receives x which is equivalent to (r.m) ^{e _B (d−d _U )} mod n.

[0094] 18. B computes y=x ^{d _U} mod n.

[0095] 19. B computes y/r mod n to recover the message m.

[0096] It will be appreciated that the blinding applied by B to the encrypted message before passing it to the trusted authority ensures that the latter cannot read the message even if it has retained B's value of d _U from the set up phase. The blinding, which involved a multiplication of the encrypted message by a factor r ^{e _B} mod n, is cancelled in steps 19 and 20 by a multiplication by a factor r ^{(ed _U −1)} .

[0097] It may be noted that instead of recipient identifier strings ID _B being used as the basis for computing encryption exponents, any set of predetermined strings can be used with the corresponding values of d _T being computed during the set up phase (though now, assuming every string is potentially usable with every recipient, a respective value of d _T needs to be computed for every string/recipient combination as d _T is dependent both on the value of the string and on the value of d _U ). In this case, the sender A chooses an appropriate one of the predetermined strings when encrypting a message and the chosen string is passed from the sender to B and to the trusted authority to enable these entities to compute the correct value of e and to permit the trusted authority to look up the correct pre-computed value of d _T for the string having regard to the recipient concerned. One or both of the message recipient B and trusted authority can be arranged to store the set of predetermined strings and to retrieve the appropriate string from its store using a string indicator supplied to it in place of the string itself. The string indicator will generally have been initially provided by the sender A along with the encrypted message. It may also be noted that whilst the sender A could pass on the value of e for use by the other entities, the trusted authority should not rely on a value of e passed to it but should always compute e from the predetermined string used (this ensures that the sender has not chosen a specific value of e to gain cryptographic insights into private key data).

[0098] As already mentioned above, applying blinding to the encrypted message passed to the trusted authority, ensures that the latter cannot read the message. As a consequence, the trusted authority can be allowed to retain d _U after having used it in the set up phase to compute corresponding values of d _T for the predetermined strings. This opens up the possibility of the computation of the values of d _T being carried out after the set up phase; in particular, the computation of a value of d _T can now be deferred until the time it is needed for use in decrypting a message. In turn, this gives rise to the significant advantage that the string used as the basis for the encryption key no longer needs to be a predetermined string but can be any string that the sender chooses to use, provided the string used is made known to the trusted authority.

[0099] The second embodiment of the invention, which is illustrated in FIG. 5 , provides an identifier-based mediated RSA method in which the string chosen by A as the basis for the encryption exponent can be any string as the corresponding value of d _T for any particular recipient is subsequently computed by the trusted authority. More particularly, the operational steps of the second embodiment are as follows:

[0100] Initial Set Up Phase

[0101] 1. The trusted authority TA chooses distinct random primes p=2p′+1 and q=2q′+1 where both p′ and q′ are Sophie Germain primes. The primes p and q are specific to a particular domain/application/trusted-authority and are not recipient dependent.

[0102] 2. TA computes n=(p).(q) where n has a fixed value for the domain, this value being published in an appropriate certificate. TA also computes φ=(p−1).(q−1).

[0103] 3. For each B, the TA and B share a secret d _U generated by one or other party or jointly.

[0104] Message Transfer Phase

[0105] Encryption of Message by A

[0106] 4. A generates a message m.

[0107] 5. A chooses a string STR—this may be any string subject to any restrictions imposed, for example, by a particular application or by the trusted authority.

[0108] 6. A applies the predetermined function F to the string STR to compute a corresponding encryption exponent e, the function being such that e is odd.

[0109] 7. A computes m ^e mod n and sends this to B along with the string STR.

[0110] Message Blinding by B

[0111] 8. B chooses a secret random number r.

[0112] 9. B computes e from the string STR using the predetermined function F.

[0113] 10. B computes r ^e mod n.

[0114] 11. B computes (r ^e ).(m ^e ) mod n and sends this to the trusted authority TA together with the string STR and a recipient identifier.

[0115] Partial Decryption by the Trusted Authority TA

[0116] 12. B computes e from the string STR using the predetermined function F.

[0117] 13. TA computes decryption exponent d=1/e mod φ.

[0118] 14. TA computes d _T =(d−d _U ) mod φ.

[0119] 15. TA then computes x=((r.m) ^e ) ^{d _T} mod n and returns x to B.

[0120] Completion of Decryption and Cancellation of Blinding by B

[0121] 16. B receives x which is equivalent to (r.m) ^{e(d−d _U )} mod n.

[0122] 17. B computes y=x ^{d _U} mod n.

[0123] 18. B computes y/r mod n to recover the message m.

[0124] The FIG. 5 blinded, identifier-based, mediated RSA method thus ensures that the trusted authority cannot read the message m whilst guaranteeing its involvement in message decryption. In addition, any string STR can be used and the trusted authority is not required to store any data other than the values of p and q (and/or their derivatives n and φ) and the or each value of d _U .

[0125] As regards the string STR chosen by the sender, as already indicated, this string may be any string. The string can be based on a character string, a serialised image bit map, a digitised sound, or any other data including data input by the sender using any suitable input device such as a keyboard or keypad. However, in many cases restrictions will be placed on the strings selectable by the sender. For example, the string may be required to conform to a predetermined set of rules with regard to its formatting and/or content (e.g. the string STR may be required to comply with a particular XML schema); alternatively, the sender may be required to select a string from a set of predetermined strings provided by the trusted authority or by another party. In this latter case, the predetermined set of strings can be stored by the trusted authority and/or B and retrieved against a string indicator provider by the sender A, the retrieved string then being used in the computation of e.

[0126] Generally (though not necessarily), the string STR is used to convey to the trusted authority information concerning actions to be taken by the trusted authority when it receives the encrypted message for decryption. If a recipient B changes the information in the string before passing it to the trusted authority, the string will no longer be usable to compute the correct decryption exponent d _T in steps 12 to 14 of FIG. 5 .

[0127] The information in the string STR may relate to actions to be taken by the trusted authority that do not affect message decryption—for example, the trusted authority TA may be required to send a message to the message sender A at the time the TA decrypts the message concerned. However, the information in the string STR will frequently specify one or more conditions to be checked by the trusted authority as being satisfied before the trusted authority partially decrypts the related encrypted message (or before returning the corresponding partially decrypted message to the recipient B concerned).

[0128] For example, the string STR may comprise a recipient identity condition identifying a specific intended message recipient; in this case, the trusted authority carries out an authentication process with the recipient B presenting the related message for decryption to check that the recipient concerned meets the recipient-identity condition.

[0129] Rather than identifying an intended recipient as a particular individual, the string STR may comprise one or more conditions specifying one or more non-identity attributes that the recipient must possess; for example, a condition may specify that a recipient must have a certain credit rating. Again, it is the responsibility of the trusted authority to check out this condition before producing the decrypted message for a recipient presenting the encrypted message for decryption.

[0130] The string STR may additionally or alternatively comprise one or more conditions unrelated to an attribute of the intended recipient; for example, a condition may be included that the message concerned is not to be decrypted before a particular date or time.

[0131] Whatever the conditions relate to, the string STR may directly set out the or each condition or may comprises one or more condition identifiers specifying corresponding predetermined condition known to the trusted authority (in the latter case, the trusted authority uses the or each condition identifier to look up the corresponding condition to be checked).

[0132] In the FIG. 5 embodiment, the value of the public modulus n and of the corresponding private data p,q (or φ) held by the trusted authority is assumed to be fixed for the domain/application/trusted-authority concerned. However, it is possible for multiple different values of the modulus n and the corresponding private data to be in use together. For example, there may be multiple groups of recipients each of which has associated value of n and of the corresponding private data. In the extreme, each recipient B has its own associated values of n and p,q (or φ). Of course, where there are multiple values of n and p,q (or φ) in use, the trusted authority needs to be provided with an indication of the values to be used for any particular message; for example, a group or recipient indicator can be included in the string STR or provided by the recipient B presenting the encrypted message for decryption.

[0133] Non IB Embodiment

[0134] The third embodiment depicted in FIG. 6 concerns a blinded, non-IB, mediated RSA method and system in which the value of e is kept constant and the value of the modulus n is made recipient specific; this embodiment thus has similarities with the prior art four-party mediated RSA method of FIG. 2 . However, the FIG. 6 embodiment is a three-party method combining the key generation center and security mediator of FIG. 2 into a single trusted authority entity. The operational steps of the third embodiment are as follows:

[0135] Initial Set Up Phase

[0136] This is the same as for the set up phase of the prior art mediated RSA method depicted in FIG. 2 with the trusted authority TA carrying out the steps 1 to 8 performed by the key generation center KGC (with the result that no communication of d _T is required). B is now also provided with the encryption exponent e.

[0137] Message Transfer Phase

[0138] Encryption of Message by A

[0139] 9. A generates a message m.

[0140] 10. A computes m ^e mod n _B and sends this to B.

[0141] Message Blinding by B

[0142] 11. B chooses a secret random number r.

[0143] 12. B computes r ^e mod n _B using it's own value of n _B .

[0144] 13. B computes (r ^e ).(m ^e ) mod n _B again using it's own value of n _B and sends the result to the trusted authority TA together with a recipient identifier (such as n _B ).

[0145] Partial Decryption by the Trusted Authority TA

[0146] 14. The trusted authority TA uses the received recipient identifier to look up the value of d _T (and n _B if not supplied) to use and computes x=((r.m) ^e ) ^{d _T} mod n; TA then returns the computed value of x to B.

[0147] Completion of Decryption and Cancellation of Blinding by B

[0148] 15. B receives x which is equivalent to (r.m) ^{e(d−d _U )} mod n _B .

[0149] 16. B computes y=x ^{d _U} mod n _B .

[0150] 17. B computes y/r mod n _B to recover the message m.

[0151] Again, because of the blinding applied by B, the trusted authority is unable to read the message presented to it by B.

[0152] General

[0153] As is the case with all mediated RSA methods, in the embodiments of the invention described herein, the trusted authority TA will typically perform a control function (over and above that associated with implementing any conditions contained in the string STR) for ensuring that the recipient B presenting the trusted authority with a message for partial decryption, is only serviced if entitled to receive such a service; thus, for example, the trusted authority can provide for immediate implementation of a revocation list.

[0154] It may be noted that a consequence of the recipient B applying blinding to the encrypted message sent to the trusted authority is that it is no longer essential for the recipient's decryption exponent component d _U to be kept secret to ensure that a third party cannot read the message. However, keeping d _U secret has the benefit of ensuring that only the intended recipient can correctly decrypt the message thereby relieving the trusted authority of the need to check that the recipient B presenting it with the encrypted message corresponds to an intended recipient (as may have been indicated to the trusted authority, for example, in the string STR in the case of the FIG. 5 embodiment).

[0155] As is well known, in RSA methods the encryption exponent e must have no common factors with (p−1).(q−1). This can be checked by the trusted authority where e is known in advance to the trusted authority; however, in the identifier-based mediated RSA embodiments of the invention e may not be known to the trusted authority in advance of its use—for example, in the FIG. 5 embodiment the encryption exponent e may be based on a string created by the sender. In order to meet the requirement that the encryption exponent e have no common factors with (p−1).(q−1), where the trusted authority does not know e in advance, the following constraints (already stated in the description of the FIG. 5 embodiment) can be imposed:

[0156] the function F used to generate the encryption exponent is such that e is always odd; and

[0157] p=(2p′+1) and q=(2q′+1) where p′ and q′ are Sophie Germain primes.

[0158] These constraints together serve to ensure, with a very high probability, that the encryption exponent e and (p−1).(q−1) will have no common factors.

[0159] Whilst the above-described embodiments are adequate in some environments, for most environments certain constraints need to be applied to remove their vulnerability to a number of attacks.

[0160] Traffic Analysis: If the same encrypted message is seen twice, then it is likely that it is the same message being encrypted with the same key and transmitted. This gives information to the attacker. The cure is to use random padding to ensure that the same message is never encrypted twice. The basic message content is thus combined with random padding and a message-content length indicator to form the message m to be encrypted.

[0161] Active Attacker: In the described embodiments, B passes (r.m) ^e mod n to the trusted authority. A third party intercepting this message could compute:

(new m ^e /m ^e ).( r.m ) ^e mod n =( r .new m ^e ) mod n

[0162] thus changing the message m to newm. The channel between B and TA should therefore be able to detect any attempt to modify the message.

[0163] Common Modulus Attack: With RSA methods it is accepted that one should never encrypt the same message multiple times with different exponents that are coprime, since an attacker could then use the Extended Euclidean Algorithm to recover the original message. The embodiments of FIGS. 4 and 5 are vulnerable to this attack; however, various solutions are available:

[0164] Use random padding of the message, as described above, to ensure that the same message is never encrypted twice.

[0165] Ensure that the same message content is never re-sent—whilst this is possible to do in theory (for example, by storing all sent messages and checking any new message against the stored messages) in reality this solution is only practical in limited situations.

[0166] Ensure that the exponents are never coprime (that is, values of e derived from different strings having a common divisor greater than one). This can be achieved, for example, by making all exponents a multiple of 3; thus e can be derived from the string STR using a hash function # for which #(STR)≡3 mod 6—in other words:

e =3(2(#( STR ))+1)

[0167] More generally, successive values of e can be derived as:

e=z (2(#( STR ))+1)

[0168] where z is an odd integer ≧3, this value being fixed (that is, the same value is used for each successive calculation of e).

[0169] Another point to note regarding reducing vulnerability to cryptographic attacks is that the size of the message should, preferably, be similar to the value of the modulus n and this can be achieved by always adding an appropriate amount of random padding to the message content. Thus, for example, where the “message” is, in fact, a symmetric cryptographic key for encoding/decoding subsequent exchanges, the message can be padded by any suitable padding scheme such as OAEP (M. Bellare and P. Rogaway. Optimal Asymmetric Encryption—How to Encrypt with RSA. In Advances in Cryptology-Eurocrypt '94, pp. 92-111, Springer-Verlag, 1994).

[0170] With respect to the form of the blinding applied by the recipient B, in the described embodiments this has involved a modulo-n multiplication of the encrypted message by r ^e , the blinding being subsequently cancelled by a modulo-n division of the message returned by the trusted authority by r ^{(ed _U −1} ). It will be appreciated by persons skilled in the art that the factor r ^e mod n can be applied in other ways to blind the encrypted message. For example, the blinding operation can comprise a modulo-n division of the encrypted message by r ^e (that is, a modulo-n multiplication by r ^−e ) with the blinding being subsequently cancelled by a modulo-n multiplication of the blinded decrypted message by r ^{(1−ed _U )} . It will also be appreciated that cancellation of the blinding operation following return of the partially-decrypted message from the trusted authority, can be effected before, jointly with, or after application of the recipient's decryption exponent component d _U . As regards the random number r, this should have a large value and should be generated by a cryptographically-strong random number generator. The blinding operation and its subsequent cancellation are totally transparent to the trusted authority.

[0171] As is generally the case with mediated RSA methods, in all the embodiments described herein, unless the trusted authority only serves one recipient B, the trusted authority will need to be provided with an identifier, generally a recipient identifier, in order to able to determine, by computation or look up, the correct value of d _T to use in carrying out its partial message decryption. Such a recipient identifier will typically be one of:

[0172] an identifier provided by the recipient B that presents the message to the trusted authority;

[0173] the value of the encryption exponent e used by the sender or the value of all or part of a string upon which that encryption exponent is based, in cases where a different respective said value is associated with each of multiple recipients;

[0174] the value of the modulus n used by the sender where a different respective said value is associated with each of multiple recipients.

[0175] Embodiments are possible in which the value of d _U is made the same for all recipients rather than being a recipient-specific secret. Thus, the FIG. 5 embodiment and its variants, the value of d _U can be made the same for all recipients and the appropriate value of d _T is calculated using this fixed value of d _U . The fixed value of d _U can, for example, be 1 so that the calculation of d _T becomes d _T =(d−1) mod φ; advantageously, where the STR passed to the trusted authority includes conditions to be checked (such as the identity of recipient B), the condition-checking process is arranged to output a value of 0 or 1 for fail or pass and this value is then subtracted (mod φ) from d to produce d _T whereby the correct value of d _T is only produced when the conditions specified in STR have been met (alternatively, if the output from the condition-checking process is 0, d _T is not determined). Making the value of d _U fixed for all recipients can also be done in respect of the embodiments of FIGS. 4 and 6 . It will be appreciated that where the value of d _U is fixed, the trust authority can no longer rely on d _U to ensure that only the intended recipient can complete the decryption process; the trust authority should therefore check that the identity of the recipient requesting the partial decryption corresponds to that indicated either in the identity string STR (embodiments of FIGS. 4 and 5 ) or by a value of n indicated by the recipient requesting partial decryption ( FIG. 6 embodiment and also usable for the FIG. 5 variant where the value of n is recipient dependent).

[0176] In certain situations it may be required that a message should only be decryptable with the cooperation of multiple trusted authorities. One way of doing this with mediated RSA methods is to sub-divide the decryption exponent component d _T into multiple sub-components each of which is held (or computable) by a respective trusted-authority entity (in effect, the trusted authority of the described embodiments is divided into multiple sub-authorities). In this case, the recipient B must go to each trusted-authority entity to get a message decrypted, each such entity applying its sub-component of d _T to the message to be decrypted.

[0177] For the identifier-based mediated RSA methods, another approach is possible and involves each trusted authority having its own associated public modulus n and private data. Consider, for example, the situation where the sender wishes to impose multiple conditions but no single trusted authority is competent to check all conditions—in this case, different trusted authorities can be used to check different conditions. In one implementation, the sender organizes the message content as a number of data sets (say k data sets) by using Shamir's secret sharing scheme and then encrypts each data set using an associated string STR (for example, specifying a respective condition to be checked) and the public modulus of a respective one of the trusted authorities; in order to retrieve the message, a recipient B has to go to all of the trusted authorities in order to decrypt all of the data sets because any k−1 data sets or less cannot disclose any of the message contents.