Professional Documents
Culture Documents
Cryptography
Thibault Candebat
School of Computing
Dublin City University
Dublin, Ireland
candebat@computing.dcu.ie
Cameron Ross Dunne
School of Computing
Dublin City University
Dublin, Ireland
cameron@computing.dcu.ie
David T. Gray
School of Computing
Dublin City University
Dublin, Ireland
dgray@computing.dcu.ie
ABSTRACT
Mobile Location-Based Services (LBS) have raised privacy
concerns amongst mobile phone users who may need to sup-
ply their identity and location information to untrustworthy
third parties in order to access these applications. Widespread
acceptance of such services may therefore depend on how
privacy sensitive information will be handled in order to re-
store users condence in what could become the killer app
of 3G networks. In this paper, we present a proxy-based
public key infrastructure that allows LBS mobile users to
shield their identities using pseudonyms and protect their
communications using mediated identity-based encryption.
In particular, we propose the rst identity-based signature
scheme applicable in a mediated environment. Furthermore,
we introduce a process whereby a mobile user is only re-
quired to own one private key in order to protect her commu-
nications when accessing LBS under dierent pseudonyms.
The identity-based character of the PKI simplies signi-
cantly key management by removing the need for digital
certicates. Its mediated architecture makes key revocation
easier and more ecient as it allows for instant revocation
of security capabilities.
Categories and Subject Descriptors
E.3 [Data Encryption]: Public key cryptosystems; K.4.1
[Computers and Society]: Public Policy IssuesPrivacy;
C.2.1 [Computer-communication Networks]: Network
Architecture and DesignWireless communication
General Terms
Algorithms, Design, Security
Keywords
SEM architecture, identity-based encryption, location-based
services, pseudonymity
.
- H2 : V {0, 1}
len
1
where len1 is the length of the
plaintext to be encrypted.
- H3 : G
{0, 1}
len
1
G
- H4 : {0, 1}
len
2
V Z
l
.
- U = rP
- k = e(H1(ID), Y
pkg
)
r
, where ID is the identity of the
corresponding receiver.
- V = H2(k) M, where M is the message to be en-
crypted.
- W = rH3(U, V )
The ciphertext C = (U, V, W) is now ready to be sent to
the SEM for assisted decryption
1
.
Decryption. The decryption process occurs in two phases.
- The SEM rst checks whether the user identity ID has
been revoked. If this is the case, it forwards a message
to the recipient of the original message, stating that
he could not decrypt the ciphertext since ID has been
revoked. On the contrary, if the identity has not been
revoked, the SEM performs the following operations:
- h3 = H3(U, V )
- Check of whether the ciphertext received is valid
by computing e(P, W) = e(U, h3). If the cipher-
text is invalid, a message is forwarded to the re-
cipient of the original message in order to inform
him of the status of the decryption. If it is valid,
the SEM computes ksem = e(DID,sem, U) and
forwards it to the recipient of the message, to-
gether with C.
- The Receiver performs the same check as the SEM
in order to verify whether the ciphertext received is
valid. She then computes kuser = e(DID,user, U), re-
constitutes k = kuser ksem and recovers the message
M by computing M = H2(k) V .
1
In the scenario depicted in [3], the receiver is rst given the
ciphertext and interacts with the SEM in order to decrypt
it. In our architecture, the SEM is implemented on the
Orient Platform proxy server and performs transparently
the key pair revocation status verication and ciphertext
decryption.
5
3.4.2 Signature Algorithm
In [16], Libert and Quisquater detail an approach to pro-
vide a SEM architecture with pairing-based signature ca-
pabilities. The authors point out that only a few signature
schemes can be practically adapted to the SEM architecture.
The rst reason is that such signature schemes must allow
for a secure threshold version to be derived from them, i.e,
a scheme whereby neither of the private key shares of the
parties involved are disclosed. The second reason reects
the practicability of the deployment of such a scheme in the
SEM architecture. Indeed, most threshold-based signature
schemes are probabilistic in the sense that they require sign-
ers to collaborate in order to perform a distributed random
number generation. Such a secret sharing protocol intro-
duces communication overheads and would indeed, in our
context, be clearly unacceptable as the SEM must remain
as transparent as possible to its Users. As a solution, the
authors propose a mediated version of the GDH signature
scheme. However, this scheme is not identity-based which
means that using it would complicate key management and
defeat the purpose of using the identity-based encryption
algorithm detailed in this section.
In this section, we propose to extend Hess identity-based
signature scheme [14] in order to provide the SEM architec-
ture with identity-based signature capabilities. Considering
the interesting fact that two Hess identity-based signatures
can easily be combined and still form a valid signature pro-
vided the corresponding public key exists, we derived a me-
diated version of the scheme that does not involve multi-
party random number computation. As a result, this new
identity-based signature scheme does not qualify as a thresh-
old identity-based signature scheme, but rather as a server
aided signature generation scheme (the SEM does not pro-
cess the message to be signed but rather its signature). The
signer produces a signature using her private key share, and
this token is then processed by the SEM upon verication of
the signer credentials in order to generate a signature veri-
able by the corresponding public key identier. This section
is divided as follows: we start by a description of Hess orig-
inal scheme and then describe our contributions. Security
considerations are discussed in Section 5.
3.4.2.1 Hess Identity-based Signature Scheme.
SystemParameters Generation. The PKG is in charge
of generating and making the public parameters available to
the other entities. The PKG rst picks uniformly at random
a number x in Z
l