Journal of Software, June 2003, 14(6):1164-1171
ISSN 1000-9825, CODEN RUXUEW, CN 11-2560/TP
P.O.Box 8718, Beijing 100080, China; E-mail: jos@iscas.ac.cn; http://www.jos.org.cn
Copyright © 2003 by The Editorial Department of Journal of Software
Two Classes of Robust Threshold Key Escrow Schemes
Cao Zhenfu
Cao Zhenfu (Department of Computer Science and Technology, Shanghai Jiao Tong University, Shanghai 200030, China)
First author: Cao Zhenfu (born 1962), male, from Yancheng, Jiangsu; Ph.D., professor, doctoral supervisor. Main research areas: number theory and modern cryptography, information security theory and technology.
Corresponding author: Cao Zhenfu, Telephone: +86-21-62835602, Fax: +86-21-62932902, E-mail: zfcao@cs.sjtu.edu.cn
Received 2002-05-13; Accepted 2002-08-14
Abstract
This paper proposes the notion of a robust threshold key escrow scheme (RTKES): a threshold key escrow scheme in which malicious escrow agencies cannot obtain the system secret key or a user's secret key even when the number of malicious agencies is greater than or equal to the threshold. Clearly, if an RTKES exists, the problem that "the user's secret key depends entirely on the trustworthiness of the escrow agencies" is solved. The paper proves that RTKES do exist and gives concrete designs for two classes of them. These schemes effectively solve the "once monitored, monitored forever" problem; every escrow agency can verify the correctness of the secret shadow it holds during shadow distribution; and during the monitoring procedure the monitoring agency can determine exactly which escrow agencies forged or tampered with their shadows. Since an RTKES is also a threshold key escrow scheme, when one or a few escrow agencies do not cooperate, the monitoring agency can still reconstruct the session key, and hence monitor, as long as k other valid escrow agencies remain. In addition, the schemes resist the LEAF feedback attack.
Cao ZF. Two classes of robust threshold key escrow schemes.
Journal of Software, 2003,14(6):1164~1171.
http://www.jos.org.cn/1000-9825/14/1164.htm
Abstract (Chinese version, translated)
This paper introduces the notion of robustness for threshold key escrow schemes: in a robust threshold key escrow scheme (RTKES), the system key or a user's key cannot be obtained even when the number of malicious escrow agents is greater than or equal to the threshold. Clearly, an RTKES solves the problem that "the user's key depends entirely on a trusted escrow authority". It is proved that RTKES exist, and concrete designs for two classes of RTKES are given. These schemes effectively solve the "once monitored, monitored forever" problem; each escrow agent can verify the correctness of the sub-key it holds; and during the monitoring phase the monitoring authority can determine exactly which escrow agents forged or tampered with their sub-keys. Because the proposed schemes are threshold key escrow schemes, when one or several escrow agents are unwilling or unable to cooperate, the monitoring authority can still reconstruct the session key through k other valid escrow agents and carry out monitoring. In addition, RTKES resist the LEAF feedback attack.
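To make concrete two of the properties the abstract claims (each escrow agency verifies its own shadow during distribution, the monitoring agency identifies exactly which agency forged or tampered with a shadow, and any k valid shadows reconstruct the escrowed session key), the following is an added Python example. It is not code from the paper and does not implement the paper's RTKES constructions; it uses plain Shamir sharing with Feldman-style commitments over a constructed toy group (p = 2039, q = 1019, g = 4), all chosen for the example. The robustness property against k or more colluding agencies is specific to the paper's schemes and is not demonstrated here.

```python
"""Verifiable threshold sharing of an escrowed session key (added example).

Dealer side: split the key into n shadows with threshold k and publish
Feldman commitments g^{a_j}. Agency side: check its own shadow against the
commitments. Monitor side: reject and name agencies whose shadows fail the
check, then reconstruct from any k valid shadows.
"""
import secrets

# Constructed toy group: p = 2q + 1 with q prime; g = 2^2 is a quadratic
# residue, hence of order q. Real deployments need parameters of cryptographic size.
Q = 1019
P = 2 * Q + 1          # 2039, prime
G = pow(2, 2, P)       # 4
assert pow(G, Q, P) == 1 and G != 1


def make_shares(secret, k, n, coeffs=None):
    """Split `secret` (an element of Z_q) into n shadows with threshold k.

    Returns (shares, commitments): shares maps agency id i -> f(i) for the
    polynomial f(x) = a0 + a1 x + ... + a_{k-1} x^{k-1} with a0 = secret;
    commitments is [g^a0, ..., g^a_{k-1}] mod p, published to every agency.
    `coeffs` may be supplied for a deterministic run; otherwise they are random.
    """
    if not (1 <= k <= n < Q):
        raise ValueError("need 1 <= k <= n < q")
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(k - 1)]
    poly = [secret % Q] + [c % Q for c in coeffs]
    shares = {i: sum(a * pow(i, j, Q) for j, a in enumerate(poly)) % Q
              for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in poly]
    return shares, commitments


def verify_share(i, share, commitments):
    """Agency i checks g^{s_i} == prod_j C_j^{i^j} (mod p)."""
    lhs = pow(G, share, P)
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P
    return lhs == rhs


def reconstruct(subset):
    """Lagrange interpolation at x = 0 over Z_q from a dict id -> shadow."""
    ids = list(subset)
    secret = 0
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + subset[i] * num * pow(den, -1, Q)) % Q
    return secret


def monitor_reconstruct(submitted, commitments):
    """Monitor side: drop shadows that fail verification, report the agencies
    that submitted them, and reconstruct from any k valid shadows
    (k = len(commitments)). Raises ValueError if fewer than k remain."""
    k = len(commitments)
    valid = {i: s for i, s in submitted.items() if verify_share(i, s, commitments)}
    forgers = sorted(set(submitted) - set(valid))
    if len(valid) < k:
        raise ValueError(f"only {len(valid)} valid shadows, need {k}; forged by {forgers}")
    chosen = dict(list(valid.items())[:k])
    return reconstruct(chosen), forgers


if __name__ == "__main__":
    session_key = 777                       # constructed escrowed secret
    shares, commits = make_shares(session_key, k=3, n=5)
    assert all(verify_share(i, s, commits) for i, s in shares.items())
    submitted = dict(shares)
    submitted[2] = (submitted[2] + 1) % Q   # agency 2 tampers with its shadow
    del submitted[5]                        # agency 5 refuses to cooperate
    key, forgers = monitor_reconstruct(submitted, commits)
    print(f"recovered {key}, forged shadows from agencies {forgers}")
```

The commitments leak only g^{a_j}, so an agency learns nothing about the other shadows from its check, while a tampered shadow fails verification with certainty because g has prime order q and any change of the shadow modulo q changes g^{s_i}.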
Funding: Supported by the National Natural Science Foundation of China under Grant No.60072018; the National Natural Science Foundation of China for Distinguished Young Scholars under Grant No.60225007; and the National Research Foundation for the Doctoral Program of Higher Education of China under Grant No.20020248024.