Distributed Threshold Certificate based Scheme with No Trusted Dealer∗

Apostolos P. Fournaris Electrical and Computer Engineering Department,University of Patras, Rion Campus, Patras, Greece

Keywords: Threshold , Certificate based Encryption, Elliptic Curve Cryptography, Pairing based Cryptography, Distributed System, Certificate Authority.

Abstract: Generating certified keys and managing certification information in a fully distributed manner can find a wide range of applications in the increasingly distributed IT environment. However, the prohibition of trusted enti- ties within the distributed system and the high complexity certificate management and revocation mechanism, hinder the adoption of this approach in a large scale. Threshold cryptography offers an elegant solution to these issues through Shamir’s scheme, where a secret (the Certificate Authority’s (CA) mas- ter ) is split and shared among all participants. Combining this approach with the reasonable certificate service requirements of Certificate based encryption (CBE) schemes could result in a functional and efficient distributed security scheme. However, centralized entities, denoted as trusted dealers, are needed in most threshold cryptography schemes even those few that support CBE, while the static way in which the system’s functionality is viewed, considerably limits possible applications (i.e. dynamic environments like p2p, Ad- Hoc networks, MANETS). In this paper, we explore the potentials of combining the latest developments in distributed threshold cryptography schemes with efficient yet highly secure certificate based encryption schemes in order to provide a solution that matches the above concerns. We draft a fully distributed Threshold Certificate Based Encryption Scheme that has no need for any centralized entity at any point dur- ing its operating cycle, has few requirements concerning certificate management due to CBE and does not need any trusted dealer to create, and split secrets or distribute certificates. The proposed scheme has an easy participant addition-removal procedure to support dynamic environments.

1 INTRODUCTION licious (up to a certain degree) the information as a whole can remain safe, the CA’s honesty can be pre- The idea of a Trusted Third party authority (i.e. a Cer- served and the corrupted entities can be detected and tificate Authority, CA) that is distributed among sev- removed. Since modern trends in IT systems favor eral different entities, capable of vouching about user the distributed paradigm, the described CA approach credentials, keys (certificates) in a distributed way, can find many real applications. P2p systems, Ad- offers a high degree of flexibility - scalability and Hoc networks, MANETS or even Cloud computing can have many advantages. Since the CA is not re- and Future Internet applications could greatly favor stricted to a single machine it cannot constitute a sin- from such an endeavor. gle point of failure. A malfunction of a CA engaged Distributing the certificate authority’s trust to entity won’t result in the CA system crash-down. The many entities may be achieved either through a ”web distributed CA is more secure than a centralized one of trust” (WOT) approach where a number of enti- since an attacker would have to target many entities ties communicate with each other using a trust graph concurrently to compromise it. This makes the sys- path in a chain-like fashion to sign a requester’s pub- tem more resistant to Denial of Service related at- lic/private key information or through a fully dis- tacks. Furthermore, since the CA sensitive informa- tributed approach where the CA’s information is split tion, secret keys, are distributed among many entities, into shares and send to all involved entities forcing even if some of those entities become dishonest, ma- them to collaborate in order to reconstruct these infor- mation. The WOT approach, primarily used for pri- ∗This work is supported by the SECRICOM FP7 Euro- vacy purposes, strongly relies on creating, maintain- pean project (contract FP7 SEC 218123)

314 P. Fournaris A.. Distributed Threshold Certificate based Encryption Scheme with No Trusted Dealer. DOI: 10.5220/0004075803140320 In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 314-320 ISBN: 978-989-8565-24-2 Copyright c 2012 SCITEPRESS (Science and Technology Publications, Lda.) DistributedThresholdCertificatebasedEncryptionSchemewithNoTrustedDealer

ing and discovering trust paths between a distributed (IBE) or his certificate (CBE) as a key, has man- system’s participants and cannot easily be applied in a aged to reduce the role and work load of the cen- large scale fashion since the path discovery introduces tralized CAs, minimizing the need for certificate re- a considerable performance overhead as the number vocation. The CBE scheme, introduced by Gentry of participants escalates. The path discovery has an in (Gentry, 2003) combines the advantages of both unbound latency that is not easily contained. Also, IBE and tradition Public key Encryption (PKE). As WOT is susceptible to treachery and even one (or a in traditional PKE, each user in CBE generates his few) dishonest participants can harm the system. The own public/private key pair and requests a Certificate fully distributed approach, based on secret sharing, from the CA responsible for its generation and infor- can solve the above issues since there is no require- mation freshness. The issued certificate in CBE has ment of trusted paths. In this approach, all partici- all functionalities of PKE but acts as a partial decryp- pants have equal responsibilities to handle secret keys tion key. Combining the certificate with his private and certificates and the security balance of the system key, the user can have a fully functional decryption is maintained by following wholly applicable crypto- key that is verifiable and legitimate. When the cer- graphic rules, following (mostly) threshold cryptog- tificate expires or is revoked, the user is compelled to raphy principles. While the performance overhead on seek a new one because he can no longer decrypt any the fully distributed approach is not negligible, it is with it. From its introduction in 2003, CBE bounded for a given participant number and fits very has been widely studied by many researchers (Boyen, well to fully distributed systems like p2p and adhoc 2008) (Galindo et al., 2008)(Shao, 2011)(Lu and Li, networks. For this reason, this concept is adopted in 2009)(Lu, 2011) its security have been enhanced by our distributed system model and constitute the focus solving key escrow issues and have reached a strong point from this point on in this paper. security status. However, CBE mainly still relies on A distributed CA (dCA) must be able to issue le- centralized CAs that have a master secret key capable gitimate certificates of an entity’s characteristics, like of signing the issued certificates and constitute a sin- his identity and his keys (following a specific certifi- gle point of failure. cate format) by collaboration of the various entities Threshold cryptography, another branch of mod- comprising it. Each dCA’s engaged entity (denoted as ern cryptography, can be very useful in distribut- participant) must hold a share of the dCA secret in- ing secrets. This approach is based on the work of formation which by itself cannot be used to deduce Shamir (Shamir, 1979), who proposed the concept of the whole secret. Questions that arise on this as- (t,n) threshold scheme. Later, Desmedt and Frankel pect is how to generate and distribute such shares and (Desmedt and Frankel, 1989)(Frankel et al., 1997) more importantly who is responsible to do this with- were among the first to use the idea of Shamir’s se- out knowing the whole secret. Furthermore, CAs have cret share to design threshold based on a heavy load to handle especially when they service a ElGamal. Using Shamir’s idea, a methodology is de- high number of involved participants since apart form veloped for splitting a secret into n shares, so that, for issuing a certificate, a CA is responsible for its man- a certain threshold t < n, any t components-parts of agement, providing services like certificate reissuing the secret can be combined to reconstruct the secret, and revocation. Certificate revocation is becoming a whereas any combination of t − 1 or less shares is in- very complex problem for CAs since the needed in- capable of reconstructing the secret. This idea, pro- formation about revoked certificates are so many that viding a way to save a secret in a distributed manner, they have a considerably negative impact on the CA is very attractive to systems where no centralized con- efficiency. In the dCA case, this problem can be- trol is administered and has been used by several re- come very potent since revocation information would searchers to provide strong security potentials to such have to be maintained in more than one places, spare an environment. However, Shamir’s scheme, requires copies of this information should be kept and com- a trusted entity that must generate the secret value, plex distributed revocation management mechanisms split it into shares and distribute them to all the sys- would have to be devised. The last decade, progressin tem’s participants. This entity, usually denoted as a theoretic public key cryptography have provided the trusted dealer, has additional functionality compared means to solve several of the above issues indepen- to the rest of the system participants and most impor- dently. tantly it needsto be always trusted as well as protected Identity Based cryptography/encryption (IBE) because it has knowledge of the secret. Compromise (Boneh and Franklin, 2001) and its extension to Cer- of the trusted dealer constituted a single point of fail- tificate Based Encryption (CBE) (Gentry, 2003), by ure for the distributed system, very much like what a offering to the user the tools to utilize his identity centralized CA would be.

315 SECRYPT2012-InternationalConferenceonSecurityandCryptography

Distributed key generation (DKG) is an obvious for special purpose entities in order to issue certifi- application of Threshold cryptography. It allows a cates and use them for encryption/decryption,is intro- set of n entities to generate jointly a pair of public- duced. The proposed approach explores the combina- private key pair according to a distribution defined tion of a Threshold cryptography - DKG scheme that by the underlying cryptographic concept without ever has no trusted dealer and a highly secure and efficient having to compute, reconstruct or store the secret key CBE scheme based on bilinear pairing and Elliptic in any single location and (ideally) without assuming Curve cryptography as drafted by the most promising a trusted dealer. During 1991, Pedersen (Pedersen, related research works. The proposed scheme is ca- 1991) was among the first to present a DKG thresh- pable of certificate issuing for encryption/decryption old scheme based on Shamir’s idea and the ElGamal in a totally distributed way since the CA master se- and made the first attempt to avoid the cret key is constructed and distributed with the con- need for a trusted dealer. The above work have been tribution of all involved participants. This master se- complemented by many other publications expanding cret key is not known nor stored by any participant. the DKG scheme functionality (Park and Kurosawa, Also, t out of n participants must collaborate in or- 1996) (Shoup, 2000) (Gennaro et al., 2001) (Wang, der to use it and issue a CBE certificate following 2003). Of interest is the work of Shoup (Shoup, the approach in (Noack and Spitz, 2008) and (Shao, 2000), where the trusted dealer problem was further 2011). The proposed scheme supports easy partici- addressed. This work was expanded by Damgard et al pant addition-removal while retaining the issued cer- in (Damgard and Koprowski, 2000) where the trusted tificates unchanged and usable. System compromise dealer was replaced by a honest dealer, with mini- is very difficult as long as less than t participants are mal intervention to the system. The above schemes susceptible to secret information leakage and behave have managed to avoid trusted dealer entities, but in a honest way. have also introduced security (Wang, 2003), (Gen- The rest of the paper is organized as follows. In naro et al., 2007) and functionality problems espe- section 2 the proposed scheme is presented and ana- cially when new participants are added or removed lyzed and the scheme’s various stages are described. to the system. Such operations are either not sup- In section 3, participant addition and removal is pre- ported or are very difficult to deal with. Noack et al in sented in detail while the mechanism for issuing a (Noack and Spitz, 2008) offer a solution on threshold new certificate after addition is commented. Finally, cryptography key distribution schemes for discrete section 4 concludes the paper. logarithm systems where no trusted dealer is neces- sary and participants addition-removal is performed fairly easy. This work was extended in (Fournaris, 2011) to distributed Threshold cryptography certifi- 2 PROPOSED THRESHOLD CBE cation scheme in order to demonstrate the possibil- SCHEME WITH NO TRUSTED ity of such endeavor. However, the certificate revo- DEALER cation problem was not addressed and traditional, al- ready existing, revocation methods where suggested. There has been some attempts to combine Threshold The proposed scheme methodology is based on pair- cryptography with CBE, like the work of Libert and ing based cryptography principles and more specif- Quisquater (Libert and Quisquater, 2003) who dis- ically on pairings based on Elliptic Curve additive cuss the use of Threshold IBE schemes requiring a Groups and Finite field multiplicative groups, like G trusted dealer and the work in (Boneh et al., 2006) Weil pairing, Tate pairing, Ate pairing e.t.c. Let 1, G G that proposed a threshold encryption scheme without 2 be additive cyclic groups of prime order q and T , random oracles yet still with a trusted dealer or the a multiplicative cyclic group where each element has work of Lu et al (Lu et al., 2009) that adapts the CBE order dividing q. Then, we can define the mapping G G G scheme of Galindo et al in (Galindo et al., 2008) to e : 1 × 2 → T as a pairing if it satisfy the follow- propose a highly secure threshold based CBE scheme ing properties: with trusted dealer. 1. Bilinear: e(P1 + P2,Q) = e(P1,Q) e(P2,Q) In this paper, an attempt is made to design a fully and e(P,Q1 + Q2) = e(P,Q1) e(P,Q2) and distributed certification and encryption solution that a b e(ahP,bhQ) = e(P,Q) h h for all P1,P2,P ∈ does not suffer from complex certificate revocation, G1,Q,Q1,Q2 ∈ G2, and ah,bh ∈ Z participant addition/removalmechanisms nor requires G trusted entities. The notion of a fully distributed 2. Non-degenerate:e(P,Q)= 1GT for all Q ∈ 2 if Certification - encryption scheme that has no need and only if P = 1G1 and similarly e(P,Q)= 1GT G for all P ∈ 1 if and only if Q = 1G2

316 DistributedThresholdCertificatebasedEncryptionSchemewithNoTrustedDealer

3. Computable: There is an efficient algorithm to In the first step of this process each participant compute the pairing mapping e(P,Q) for any P ∈ U ( j) generates a local public - private key pair sim- G1,Q ∈ G2 ilar to the ElGamal Elliptic Curve scheme as follows: G G We assume that the groups 1 and 2 are iden- 1. Choose randomly pr j ∈ Fp G G tical ( 1 ≡ 2) (admissible pairing) and defined by F G Elliptic curve E of prime order q determined by its 2. Compute point Pu j = pr j G ∈ E( p) ≡ 1 parameters {p,a,b,G,q,h}. In that case, the e map- This local key pair constitutes, at this stage, U ( j)'s ping will be based on the EC based pairing approach contribution to the master secret generation. When (like Weil, Tate or Ate pairing e.t.c.). We require completed, each participant issues a broadcast request the Decisional Bilinear Diffie Hellman (DBDH) to the remaining participants requesting a master key assumption to remain strong in G and therefore 1 secret share and provides his local public key Pu j. assume that the elliptic curve is non-supersingular When requests from every participant k and associ- or special case supersingular with high embedding ated local public keys are received, each participant factor. To fully describe the needed parameters U (i) performs the following steps: for the proposed scheme we define the EC param- F eters {e,G1,GT ,H0(),H1(),H2(),H3(),H4()}. 1. Choose t random elements {s1,s2,...st } ∈ p The full set of parameters, denoted as pub- 2. Construct a t degree secret polynomial lic parameters, of the proposed scheme T = t t−1 {p,GT ,a,b,G,q,h,e,H0(),H1(),H2(),H3(),H4()} fi (x)= st x + st−1x + + s1x + s0 are described below: F where s0 = privi,0 = pri and denote as privi,0 the 1. p: specifies p defining the Elliptic Curve E participant’s partial key share (at this point it is iden- 2. q: the order of the Fp tical to local private key).

3. a,b ∈ Fp specify the Elliptic Curve. (k) 1. Generate for all U ∈ U, privi,k = fi (k) where 4. G : (xG,yG) ∈ E (Fp) ≡ G1 is a generator point in k ∈{0,1,...t | k = i} G1 of order q 2. Qi = privi,0 G = pri G = Pui 5. Integer h = #E(Fp)/q called cofactor 3. Send to each participant U ( j) the following: 6. e is the bilinear mapping e : G1 × G1 → GT ∗ F∗ ∗ G noncei,Qi, EncrQ j (privi, j,H0(Qi, privi, j, noncei) 7. H0 : {0,1} → p, H1() : {0,1} → 1, H2() : G n n n F∗ where j is one specific participant number out of the T → {0,1} , H3() : {0,1} ×{0,1} → p, n n k requesting participants. H4() : {0,1} →{0,1} The above actions are performed by each partici- We assume that a set U = U (1),U (2),..U (n) of pant of the system. When the requesting participant n o U ( j) receives n − 1 messages (one for each remaining n participants U (i) wish to cooperate in order to es- (i) participant U ) he archives all privk, j values, where tablish a common Public Key Pub = T,Qpub and k ∈{1,2,...n}, k = j and performs the following op- a corresponding private key priv (master secret) for erations to construct the global public key Qpub and providing Identity Based Encryption functionality in his master key share priv j: a distributed manner. To recover priv, at least t+1 n participants need to cooperate (threshold cryptogra- ∑ phy principle) where t < n using the Lagrange In- Qpub = Qk = k=1 de f x−g ∏ n n (1) terpolation equation LI(x,y) = g∈U,g=y y−g where ∑ priv G ∑ pr G priv G x,y ∈ 1,2...n representing a participant U (x) or U (y). = k,0 = k = k=1 k=1 2.1 Setup Stage n n priv j = ∑ privk, j = ∑ fk( j) ∈ Fp (2) Initially, all participants that care to establish the pro- k=1 k=1 posed distributed system, must generate local public- The outcome of the Setup stage is the full setup of private key pairs (one for each participant) and agree Threshold Certificate based encryption scheme, that on a global public private key pair (QPub - priv). This consists of the public parameters T and the global stage, denoted as Setup, performs key generation, es- public key Qpub along with the set of master key se- tablishment and distribution, is based on distributed cret shares Spriv = {priv1, priv2,...privi...privn} dis- secret sharing schemes (Shoup, 2000) tributed securely to each participant U (i). Note that

317 SECRYPT2012-InternationalConferenceonSecurityandCryptography

each master secret key share privi is known only to 2.3 Encryption Stage participant U i. The Setup stage parameters are: When the certificate is established by the coopera- {p,G ,a,b,G,q,h,e,H (),H (), T 0 1 tion of t + 1 participants, U ( j) can use it as a pri- H2(),H3(),H4(),Spriv,Qpub (3) vate key in order to perform encryption/ decryption

operations. If a participant wants to send securely a 2.2 Certificate Extraction Stage message M ∈{0,1}n, where n is an integer indicating M’s bit length, to U ( j), he uses U ( j)’s identity charac- At this stage each participant requests from t+1 par- teristics CIj including the local public key (Pr j), the ticipants to vouch for his identity and certify it along identification validity period and the global public key with its public key. To achieve that, each participant Qpub and needs to perform the following steps: ( j) U chooses an identifying value ID j and concate- 1. Compute gID = nates it with a identification validity period v j, his lo- j cal public key Pu j and any other info he wish to in- e(Cert ,G)= e( f pr Q + d ,G)) clude is his certification. The resulting concatenation j ID j j ID ID j is (IDD j)= Pu j v j ID j other . Using the (IDD j) = e(( fID j pr j + s) QID j ,G) (8) ( j ) value, participant U can issue a certificate request, = e(H1(CIj),H0(CIj) Q j + Qpub) performing the following procedure: σ n 1. Participant U ( j) chooses randomly t+1 partici- 2. choose a random number ∈{0,1} 3. Set sk = H (σ), c = EE (M), h = H (σ,c), e = pants and constructs Ucert subset of U of these j 4 sk j 1 3 1 participants. h G, e = σ ⊕ H (gh1 ) 1 2 2 ID j 2. Participant U ( j) sends to each participant U (k) ∈ 4. The encrypted message is C = (e1|e2|c) Ucert the following: 2.4 Decryption Stage IDD j|Ucert |signpr (IDD j|Ucert ) (4) j (k) 3. Upon receipt, each participant U ∈ Ucert veri- When an encrypted message C reaches participant ( j) fies the signature (apart from message integrity, U , he uses his certificate Cert j, acting as a private the signature verification acts as a proof of knowl- key, and performs the following: ( j) edge of U ’s private key) and calculates QID j = 1. Assign values to the variables e1,e2,c from C H1(IDD j|Ucert |Qpub) as well as PCj = privk ( j) 2. Compute e3 = e(Cert j,e1) and σ´ = e2 ⊕ H2(e3) LI(0,k) QID j and sends to U the following: n 3. Check if σ´ ∈{0,1} and if true compute sk´ j = σ QID |PC |g1) (5) H4( ´ ) j k where g1 = e(prk QID j , privk, j G) 4. Compute h´1 = H3(σ´ ,c) ( j) 4. The requesting participant U collects all an- 5. Perform validity check using equations (e1 = h´1 ´ swers from the Ucert set and for each re- σ h1 (k) G) and (e2 = ´ ⊕ H2(gID ) ply, validates the U ’s knowledge of the prk j ( j) and priv j,k (it was transmitted to U from 6. If validity check is passed successfully, compute (k) ´ m = ED (c). Then, M = m. U during setup stage) by calculating QID j = sk´ j H1(IDD j|Ucert |Qpub) and evaluating if the equa- ? ´ privk, j 2.5 Algorithm Analysis tion g1 = e(QID j ,Qk) is true. ( j) 5. When the above validation is successful then U The verification of the encryption/decryption validity performs is straightforward. Taking into account that gID j = dID j = ∑ PCk = priv QID j (6) e(Cert j,G)= e(H1(CIj),H0(CIj) Q j + Qpub) the va- k∈Ucert lidity of decryption is as follows: ( j) 6. Participant U calculates fID j = H0(CIj), where CIj = (IDD j|Ucert |Qpub) and computes its full certificate Cert j of his identification characteris- tics CIj by performing:

Cert j = fID j pr j QID + dID j (7)

318 DistributedThresholdCertificatebasedEncryptionSchemewithNoTrustedDealer

e3 = e(Cert j,e1) = e(Cert j,h1 G) tained as far as less than t participants are susceptible

h1 h1 to secret information leakage. In our approach it is = e(Cert j,G) = g ID j assumed that the system’s participants act in a honest σ´ = e ⊕ H (e ) = σ ⊕ H (gh1 ) ⊕ H (gh1 ) 2 2 3 2 ID j 2 ID j way. The lack of trusted dealer guarantees that the = σ (9) master secret key will not be compromised. The sys- tem’s security is based on the CBE and DKG thresh- ´ σ σ sk j = H4( ´ ) = H4( ) old cryptography schemes, inherited by the work of and (Noack and Spitz, 2008) and (Shao, 2011). The m = ED = ED = M CBE scheme of the proposed approach is semanti- sk´ sk j j cally secure against adaptive Chosen Cipher text At- E D The notations Esk j () and Esk j () refer to the en- tacks (IND-CB-CCA2) based on Type I and Type II cryption and decryption functions of a one-time se- Adversary challenges as indicated in (Shao, 2011). cure symmetric encryption scheme, as is referred in Type I adversary is defined as an uncertified entity (Shao, 2011), (Fujisaki and Okamoto, 1999). Instead impersonating a legitimate participant by using forged of this, we can also use an one-time signature scheme credentials (key pairs or certificate) while Type II ad- as is suggested in (Galindo et al., 2008). The per- versary is defined as a malicious CA, who wants to formance cost of the symmetric scheme is trivial in impersonate a legitimate participant with a given lo- comparison with the bilinear pairing or point multi- cal public key. In both cases, the DKG scheme inte- plication operations required during the execution of grated in the proposed approach makes impossible for the proposed approach. the adversaries to gain an advantage over the system’s security. In all possible attacks, a Type I adversary cannot provide some legitimate master key share and 3 PARTICIPANT therefore is exposed after his first attempt to perform ADDITION - REMOVAL an encryption/decryption operation with his creden- tials. Type II adversary has no foothold on the system since no participant can act as an individual CA un- One of the important benefits of the proposed cer- less we assume that each participant of the system is tification scheme is its ability to easily add and re- a CA of itself. In that case, it will have to act dishon- move Participants in the group U. To achieve that, we orably from the setup phase which by default is not employ a mechanism similar to the one proposed in considered as an attack option. (Noack and Spitz, 2008). For these actions to function correctly, we assume that the certification scheme has The above security reasoning is accurate as long been already established, that every participant has as the DKG CBE based scheme is considered secure. his local public-private key pair, his partial public key The Threshold cryptography DKG scheme is inher- pair as well as his legitimate certificate and that he ited from (Noack and Spitz, 2008) where the security has contributed successfully to the generation of the of this scheme is proven. Even if dishonest participant global public-private key pair of the distributed CA. are included as an option, the system’s security can In other words, we can assume without loss of gen- be retained by modifying the Threshold cryptography erality that all operations described in section 2 have DKG scheme into a Verifiable Secret Sharing DKG been concluded successfully. scheme like the ones described in (Pedersen, 1991) We employ the share renewal technique described and (Gennaro et al., 2007). in (Noack and Spitz, 2008), based on the PSS scheme of (Herzberg et al., 1995). PSS updates already dis- tributed shares of all n members to provide proactive 5 CONCLUSIONS security. While adding a participant, t + 1 members of U forming a subset Usplt , split off a part of their In this paper, we introduced the notion of a fully de- secret and share this part with the new member. Re- centralized Threshold CBE Scheme that is capable of moving a participant is done by computing and redis- certificate issuing for encryption and decryption with tributing the participant’s secret to some remaining U not trusted dealer entity, easy participant addition- members. removal and CBE inherited simple certificate revoca- tion mechanism. It can be concluded that the use of CBE schemes in combination with non trusted dealer, 4 SECURITY ANALYSIS threshold cryptography, DKG schemes can result in a fully decentralized - distributed system. Such a sys- The security of the proposed system is always re- tem can be used in applications where no centraliza-

319 SECRYPT2012-InternationalConferenceonSecurityandCryptography

tion is required like p2p networks, ad hoc networks or Herzberg, A., Jarecki, S., Krawczyk, H., and Yung, M. MANETs thus offering a strong security backbone to (1995). or: How to cope with those applications and simplifying their security func- perpetual leakage. In Proceedings of the 15th Annual International Cryptology Conference on Advances in tionality with small compromises (mostly in perfor- Cryptology, CRYPTO ’95, pages 339–352, London, mance). Our future goal is to expand the proposed UK. Springer-Verlag. solution so as to include better malicious participant Libert, B. and Quisquater, J.-J. (2003). Efficient revocation discovery and provide formalization of the system’s and threshold pairing based cryptosystems. In Pro- security characterization. ceedings of the twenty-second annual symposium on Principles of distributed computing, PODC ’03, pages 163–171, New York, NY, USA. ACM. Lu, Y. (2011). An efficient and provably secure certificate- REFERENCES based encryption scheme. In Zhou, Q., editor, The- oretical and Mathematical Foundations of Computer Boneh, D., Boyen, X., and Halevi, S. (2006). Chosen ci- Science, volume 164 of Communications in Com- phertext secure public key threshold encryption with- puter and Information Science, pages 54–61. Springer out random oracles. In Pointcheval, D., editor, CT- Berlin Heidelberg. RSA, volume 3860 of Lecture Notes in Computer Sci- Lu, Y. and Li, J. (2009). Forward-secure certificate-based ence, pages 226–243. Springer. encryption. In Proceedings of the 2009 Fifth Interna- Boneh, D. and Franklin, M. K. (2001). Identity-based en- tional Conference on Information Assurance and Se- cryption from the weil pairing. In Proceedings of the curity - Volume 02, IAS ’09, pages 57–60, Washing- 21st Annual International Cryptology Conference on ton, DC, USA. IEEE Computer Society. Advances in Cryptology, CRYPTO ’01, pages 213– Lu, Y., Li, J., and Xiao, J. (2009). Threshold Certificate- 229, London, UK. Springer-Verlag. Based Encryption: Definition and Concrete Construc- Boyen, X. (2008). A tapestry of identity-based encryption tion. In 2009 International Conference on Networks : practical frameworks compared. International Jour- Security, Wireless Communications and Trusted Com- nal of Applied Cryptography, 1(1):3–21. puting, pages 278–282. IEEE. Damgard, I. and Koprowski, M. (2000). Practical threshold Noack, A. and Spitz, S. (2008). Dynamic threshold cryp- signatures without a trusted dealer. pages 152–165. tosystem without group manager. Cryptology ePrint Springer Verlag. Archive, Report 2008/380. http://eprint.iacr.org/. Desmedt, Y. and Frankel, Y. (1989). Threshold cryptosys- Park, C. and Kurosawa, K. (1996). New ElGamal Type tems. In Brassard, G., editor, CRYPTO, volume 435 of Threshold Scheme. IEICE Trans- Lecture Notes in Computer Science, pages 307–315. actions on Fundamentals of Electronics, Communica- Springer. tions and Computer Sciences, E79-A(1):86–93. Fournaris, A. P. (2011). Distributed threshold cryptography Pedersen, T. P. (1991). A threshold cryptosystem without certification with no trusted dealer. In Lopez, J. and a trusted party. In Proceedings of the 10th annual Samarati, P., editors, SECRYPT 2011, pages 400–404. international conference on Theory and application SciTePress. of cryptographic techniques, EUROCRYPT’91, pages Frankel, Y., Gemmell, P., MacKenzie, P. D., and Yung, M. 522–526, Berlin, Heidelberg. Springer-Verlag. (1997). Optimal resilience proactive public-key cryp- Shamir, A. (1979). How to share a secret. Commun. ACM, tosystems. In FOCS, pages 384–393. IEEE Computer 22:612–613. Society. Shao, Z. (2011). Enhanced certificate-based encryption Fujisaki, E. and Okamoto, T. (1999). Secure integration from pairings. Comput. Electr. Eng., 37:136–146. of asymmetric and symmetric encryption schemes. In Proceedings of the 19th Annual International Cryptol- Shoup, V. (2000). Practical threshold signatures. In Pro- ogy Conference on Advances in Cryptology, CRYPTO ceedings of the 19th international conference on The- ’99, pages 537–554, London, UK. Springer-Verlag. ory and application of cryptographic techniques, EU- ROCRYPT’00, pages 207–220, Berlin, Heidelberg. Galindo, D., Morillo, P., and Rfols, C. (2008). Improved Springer-Verlag. certificate-based encryption in the standard model. Journal of Systems and Software, 81(7):1218 – 1226. Wang, G. (2003). On the security of the li-hwang-lee- tsai threshold group signature scheme. In Lee, P. and Gennaro, R., Jarecki, S., Krawczyk, H., and Rabin, T. Lim, C., editors, Information Security and Cryptology (2001). Robust threshold dss signatures. Inf. Com- ICISC 2002, volume 2587 of Lecture Notes in Com- put., 164(1):54–84. puter Science, pages 75–89. Springer Berlin / Heidel- Gennaro, R., Jarecki, S., Krawczyk, H., and Rabin, T. berg. 10.1007/3-540-36552-4-6. (2007). Secure distributed key generation for discrete- log based cryptosystems. Journal of Cryptology, 20:51–83. 10.1007/s00145-006-0347-3. Gentry, C. (2003). Certificate-based encryption and the certificate revocation problem. In Biham, E., editor, Advances in Cryptology EUROCRYPT 2003, volume 2656 of Lecture Notes in Computer Science, pages 641–641. Springer Berlin / Heidelberg.

320