From: ichudov@algebra.com (Igor Chudov @ home)
To: nobody@cypherpunks.ca (John Anonymous MacDonald)
Message Hash: 73937f3d9861b8a605450a416ca2a8f3903617a034c0e80f55caa5a5f6ab44a0
Message ID: <199610200253.VAA03170@manifold.algebra.com>
Reply To: <199610192303.QAA11812@abraham.cs.berkeley.edu>
UTC Datetime: 1996-10-20 02:48:58 UTC
Raw Date: Sat, 19 Oct 1996 19:48:58 -0700 (PDT)
From: ichudov@algebra.com (Igor Chudov @ home)
Date: Sat, 19 Oct 1996 19:48:58 -0700 (PDT)
To: nobody@cypherpunks.ca (John Anonymous MacDonald)
Subject: Re: FWD: Binding crypto
In-Reply-To: <199610192303.QAA11812@abraham.cs.berkeley.edu>
Message-ID: <199610200253.VAA03170@manifold.algebra.com>
MIME-Version: 1.0
Content-Type: text
see below...
John Anonymous MacDonald wrote:
>
>
> FORWARDED MESSAGE
>
> =++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=++=+=
>
>
> In this message, we introduce binding cryptography, a new proposal for
> establishing an information security infrastructure that does not
> hamper law enforcement. We present an alternative that can give
> law-enforcement agencies access to session keys, without users having
> to deposit private keys. Unilateral fraud in this scheme is easily
> detectible. We outline the proposal below, and announce two articles
> which will describe the proposal in more detail and which will provide
> the legal and the technical context.
> Metaphorically speaking, our solution consists of equipping public-key
> encryption systems used for confidentiality with a (car) governor (a
> speed-limiting device). The specifications of this governor are rather
> general, and so many systems can probably be equipped with them. It is
> inspired by the proposal of Bellare and Rivest [BR], in which users'
> encrypted messages consist of three components:
> 1. the (actual) message encrypted with any symmetric system, using a random session
> key;
> 2. the session key encrypted with the public key(s) of the addressee(s);
> 3. the session key encrypted with the public key of a Trusted Retrieval Party (TRP).
> In effect, the TRP is treated as a virtual addressee, although the
> message is not sent to it. When a law-enforcement agency is conducting
> a lawful intercept and strikes upon an enciphered message, they take
> the third information component to the TRP. If shown an appropriate
> warrant, the TRP decrypts the information component and hands over the
> session key, so that the law-enforcement agency has access to the
> message. Observe that users are not obliged to escrow their (master)
> keys, they only give access to the (temporary) session keys used in
> the communication. The concept of "virtual escrow" has been the base
> of several escrow products (AT&T Crypto, RSA Secure, TIS Commercial
> Key Escrow).
>
> The main drawback of this concept is that it offers no possibility, at
> least for others than the TRP, to check whether the third component
> actually contains the (right) session key; moreover, the TRP will only
> discover fraud after a lawful wiretap. This renders the solution
> almost entirely unenforceable.
>
> Therefore, we propose a binding alternative, which adds a fourth
> component to the encrypted message:
> 4. binding data.
>
> The idea is that any third party, e.g., a network or service provider,
> who has access to components 2, 3 and 4 (but not to any additional
> secret information) can:
> a. check whether the session keys in components 2 and 3 coincide;
> b. not determine any information on the actual session key.
What prevents me from superenciphering the body of the message?
That would render the whole "fraud prevention" useless, wouldn't it?
thanks
igor
> In this way, fraud is easily detectible: a sender that attempts to
> virtually address a session key to the TRP (component 3) that is
> different from the real one he uses on the message (or just nonsense)
> will be discovered by anyone checking the binding data. If such
> checking happens regularly, fraud can be properly discouraged and
> punished. The binding concept supports the virtual addressing of
> session keys to several TRPs (or none for that matter), for instance,
> one to a TRP in the country of the sender and one in the country of
> the addressee. The solution therefore offers the same advantage for
> worldwide usability as the Royal Holloway [Holl] concept. We also
> remark that the concept supports the use of controllable key splitting
> in the sense of Micali [Mica] as well: a sender can split the session
> key and virtually address all the shares separately to the addressee
> and various TRPs using the binding concept. Moreover, the number of
> shares and the TRPs can - in principle - be chosen freely by each
> user. Finally we remark that the time-boundedness conditon (the
> enforceability of the timelimits of a warrant) can be fulfilled by
> additionally demanding that encrypted information (or all components)
> be timestamped and signed by the sender; a condition that can be
> publicly verified by any third party (e.g., monitor) as well.
>
> A PKI that incorporates binding data hence has the following four
> players:
> - Users, i.e., governments, businesses, and citizens,
> - TTPs offering trusted services (e.g., time-stamping and certification of
> public keys),
> - TRPs aiding law-enforcement agencies with decrypting legally intercepted messages,
> - Monitors, monitoring communications encrypted via the PKI on compliance with
> binding regulations. For instance, these could be network operators or (Internet) service
> providers.
>
> In [VKT], we explain how we envision the framework in which the
> binding concept could present a security tool in the information
> society. We think the concept is flexible enough (e.g., in the choice
> of TRPs) to be incorporated into almost any national crypto policy, on
> both the domestic and foreign use of cryptography.
>
> In a mathematical paper [VT], Verheul and Van Tilborg propose a
> technical construction for binding data for an important public-key
> encryption system: ElGamal. This construction is compatible with
> Desmedt's [DESM] traceable variant of ElGamal. The construction is
> based on the techniques used in zero knowledge proofs. We expect that
> these constructions can be improved and that various other public-key
> encryption systems can be equipped with binding data. We present this
> as a challenge to the cryptographic research community.
>
> An outline of the mathematical construction of binding ElGamal can be
> found at http://cwis.kub.nl/~frw/people/koops/bindtech.htm.
>
>
> _3. References_
>
> [BR]
> M. Bellare, R.L. Rivest, "Translucent Cryptography. An Alternative to
> Key Escrow, and its Implementation via Fractional Oblivious Transfer",
> see http://theory.lcs.mit.edu/~rivest
>
> [Desm]
> Y. Desmedt, "Securing Traceability of Ciphertexts - Towards a Secure
> Key Escrow System", Advances in Cryptology - EUROCRYPT'95 Proceedings,
> Springer-Verlag, 1995, pp.147-157.
>
> [Holl]
> N. Jefferies, C. Mitchell, M. Walker, "A Proposed Architecture for
> Trusted Third Party Services", Royal Holloway, University of London,
> see http://platon.cs.rhbnc.ac.uk
>
> [Mica]
> S. Micali, "Fair Public-key Cryptosystems'", Advances in Cryptology -
> CRYPTO '92 Proceedings, Springer-Verlag, 1993, pp. 113-138.
>
> [VKT]
> E. Verheul, B.J. Koops, H.C.A. van Tilborg, "Binding Cryptography. A
> fraud-detectible alternative to key-escrow solutions", Computer Law
> and Security Report, January-February 1997, to appear. [*]
>
> [VT]
> E. Verheul, H.C.A. van Tilborg, "Binding ElGamal. A fraud-detectible
> alternative to key-escrow solutions", will be submitted to
> Eurocrypt97.
>
> [*] For the Computer Law and Security Report, send subscription
> enquiries, orders and payments to:
>
> Pam Purvey
> The Oxford Fulfilment Centre
> PO Box 800, Kidlington
> Oxford 0X5 1DX UK
> Tel: +44 1865 843373
> Fax: +44 1865 843940
>
> For the United States:
> Elsevier Advanced Technology
> Fulfilment (enquiries)
> 660 White Plains Road, Tarrytown
> New York, NY 10591-5153
> USA
> Tel: 914 333 2458
>
> ---------------------------------------------------------------------
> Bert-Jaap Koops tel +31 13 466 8101
> Center for Law, Administration and facs +31 13 466 8149
> Informatization, Tilburg University e-mail E.J.Koops@kub.nl
> --------------------------------------------------
> Postbus 90153 | This world's just mad enough to have been made |
> 5000 LE Tilburg | by the Being his beings into being prayed. |
> The Netherlands | (Howard Nemerov) |
> ---------------------------------------------------------------------
> http://cwis.kub.nl/~frw/people/koops/bertjaap.htm
> ---------------------------------------------------------------------
>
> --
> " The way to combat noxious ideas is with other ideas.
> The way to combat falsehoods is with truth. "
>
> -- Justice William O. Douglas, 1958
>
>
>
- Igor.
Return to October 1996
Return to “nobody@cypherpunks.ca (John Anonymous MacDonald)”