System and method for computing private keys for self certified identity based signature schemes

11563565 · 2023-01-24

Abstract

A system and method generate private keys for devices participating in a self-certified identity based encryption scheme. A private key is used by the devices to establish a common session key for encoding digital communications between devices.

Claims

1. A system, comprising: a secure server; and a device; wherein the secure server is configured to: compute parameters for the device based on a second random number r.sub.i2 generated by the secure server, a first set of components received from the device, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components comprises a first random number r.sub.i1 generated by the device, an arbitrary first value R.sub.i1, and an identity id.sub.i of the device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and transmit the computed parameters to the device; and wherein the device is configured to compute a private key sk based on the received computed parameters and the first random number r.sub.i1, wherein the private key sk is for the device to participate in a self-certified identity based signature system, wherein computing the parameters for the device comprises: retrieving the arbitrary first value R.sub.i1, the identity id.sub.i of the device, and a homomorphic encryption value c from the first set of components, wherein the homomorphic encryption value c is generated by providing the first random number r.sub.i1 and a prime number q obtained from the parameters associated with the master public key mpk to an additive homomorphic encryption function HEnc( ); and setting an arbitrary value R.sub.i of the device and a first integer s.sub.i1 as the parameters for the device, wherein the arbitrary value R.sub.i of the device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed by providing the second random number r.sub.i2, the homomorphic encryption value c, the master secret key x, the arbitrary value R.sub.i of the device, the identity id.sub.i of the device and the prime number q to the additive homomorphic encryption function HEnc( ).

2. The system according to claim 1, wherein computing the private key sk comprises: computing an integer s.sub.i by applying a complementary homomorphic decryption function to the first integer s.sub.i1 as retrieved from the computed parameters transmitted from the secure server; and forming the private key sk based on the arbitrary value R.sub.i of the device and the integer s.sub.i.

3. The system according to claim 1, wherein the arbitrary value $R_i$ of the device is defined by $R_i = (R_{i1})^{r_{i2}}$, the arbitrary first value $R_{i1}$ is defined by $R_{i1} = g^{r_{i1}}$, the homomorphic encryption value $c$ is defined by $c = \mathrm{HEnc}(r_{i1}^{-1} \bmod q)$, and the first integer $s_{i1}$ is defined by $s_{i1} = \mathrm{HEnc}(r_{i2}) \cdot c^{\,x H(R_i, \mathrm{id}_i)} \bmod q$, where HEnc( ) is the additive homomorphic encryption function.

4. The system according to claim 1, wherein the arbitrary value $R_i$ of the device is defined by $R_i = (R_{i1})^{r_{i2}^{-1}}$, the arbitrary first value $R_{i1}$ is defined by $R_{i1} = g^{r_{i1}}$, the homomorphic encryption value $c$ is defined by $c = \mathrm{HEnc}(r_{i1}^{-1})$, and the first integer $s_{i1}$ is defined by $s_{i1} = \mathrm{HEnc}(r_{i2}^{-1}) \cdot c^{\,x H(R_i, \mathrm{id}_i)} \bmod q$, where HEnc( ) is the additive homomorphic encryption function.

5. The system according to claim 2, wherein the integer $s_i$ is defined by $s_i = r_{i1} \cdot \mathrm{HDec}(s_{i1})$, where HDec( ) is the complementary homomorphic decryption function.

6. The system according to claim 1, wherein the arbitrary value $R_i$ of the device is defined by $R_i = (R_{i1})^{r_{i2}}$, the arbitrary first value $R_{i1}$ is defined by $R_{i1} = g^{r_{i1}^{-1}}$, the homomorphic encryption value $c$ is defined by $c = \mathrm{HEnc}(r_{i1})$, and the first integer $s_{i1}$ is defined by $s_{i1} = \mathrm{HEnc}(r_{i2}) \cdot c^{\,x H(R_i, \mathrm{id}_i)} \bmod q$, where HEnc( ) is the additive homomorphic encryption function.

7. The system according to claim 2, wherein the integer $s_i$ is defined by $s_i = r_{i1}^{-1} \cdot \mathrm{HDec}(s_{i1})$, where HDec( ) is the complementary homomorphic decryption function.

8. A system, comprising: a secure server; a first device; and a second device; wherein the secure server is configured to: instruct the first device to compute a private key sk.sub.i based on a first set of parameters received from the secure server and based on a first random number r.sub.i1 generated by the first device, wherein the first set of parameters is generated by the secure server based on a second random number r.sub.i2 generated by the secure server, a first set of components, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components is generated by the first device and transmitted to the secure server, wherein the first set of components comprises the first random number r.sub.i1, an arbitrary first value R.sub.i1, and an identity id.sub.i of the first device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and instruct the second device to compute a private key sk.sub.j based on a second set of parameters received from the secure server and based on a first random number r.sub.j1 generated by the second device, wherein the second set of parameters is generated by the secure server based on a second random number r.sub.j2 generated by the secure server, a second set of components, the master secret key x, and the parameters associated with a master public key mpk, wherein the second set of components is generated by the second device and transmitted to the secure server, wherein the second set of components comprises the first random number r.sub.j1, an arbitrary first value R.sub.j1, and an identity id.sub.j of the second device, and wherein the arbitrary first value R.sub.j1 is generated based on the first random number r.sub.j1; and wherein the first and second devices are configured to use a self-certified identity based signature scheme to generate a common session key SK for encoding digital communications between the first and second devices with respect to an extended Transport Layer Security (TLS) protocol or an extended Datagram Transport Layer Security protocol (DTLS), wherein the identity id.sub.i of the first device is included in a certificate message of the first device and the identity id.sub.j of the second device is included in a certificate message of the second device, and wherein the self-certified identity based signature scheme is dictated by the private keys sk.sub.i and sk.sub.j, wherein the secure server is configured to generate the second set of parameters for the second device, wherein generating the second set of parameters for the second device comprises: retrieving the arbitrary first value R.sub.j1 and the identity id.sub.j of the second device from the second set of components; computing an arbitrary value R.sub.j of the second device and a first integer s.sub.j1; and setting the computed arbitrary value R.sub.j of the second device and the first integer s.sub.j1 as the second set of parameters for the second device, wherein the arbitrary value R.sub.j of the second device is computed based on the arbitrary first value R.sub.j1 and the second random number r.sub.j2, and wherein the first integer s.sub.j1 is computed based on the second random number r.sub.j2, the master secret key x, the arbitrary value R.sub.j of the second device, the identity id.sub.j of the second device, and a prime number q obtained from the parameters associated with the master public key mpk.

9. The system according to claim 8, wherein the secure server is configured to generate the first set of parameters for the first device, wherein generating the first set of parameters for the first device comprises: retrieving the arbitrary first value R.sub.i1 and the identity id.sub.i of the first device from the first set of components; computing an arbitrary value R.sub.i of the first device and a first integer s.sub.i1; and setting the computed arbitrary value R.sub.i of the first device and the first integer s.sub.i1 as the first set of parameters for the first device, wherein the arbitrary value R.sub.i of the first device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed based on the second random number r.sub.i2, the master secret key x, the arbitrary value R.sub.i of the first device, the identity id.sub.i of the first device, and a prime number q obtained from the parameters associated with the master public key mpk.

10. The system according to claim 9, wherein the first device is configured to compute the private key sk.sub.i, wherein computing the private key sk.sub.i comprises: computing an integer s.sub.i based on the first integer s.sub.i1 as retrieved from the first set of parameters, the first random number r.sub.i1, and a prime number q as obtained from the parameters associated with the master public key mpk; and forming the private key sk.sub.i based on the arbitrary value R.sub.i of the first device and the integer s.sub.i.

11. The system according to claim 8, wherein the second device is configured to compute the private key sk.sub.j, wherein computing the private key sk.sub.j comprises: computing an integer s.sub.j based on the first integer s.sub.j1 as retrieved from the second set of parameters, the first random number r.sub.j1, and a prime number q as obtained from the parameters associated with the master public key mpk; and forming the private key sk.sub.j based on the arbitrary value R.sub.j of the second device and the integer s.sub.j.

12. A system, comprising: a first secure server; a second secure server; a first device; and a second device; wherein the first secure server is configured to instruct the first device to compute a private key sk.sub.i based on a first set of parameters received from the first secure server and based on a first random number r.sub.i1 generated by the first device, wherein the first set of parameters is generated by the first secure server based on a second random number r.sub.i2 generated by the first secure server, a first set of components, a master secret key x.sub.i, and parameters associated with a master public key mpk.sub.i, and wherein the first set of components is generated by the first device and transmitted to the first secure server, wherein the first set of components comprises the first random number r.sub.i1, an arbitrary first value R.sub.i1, and an identity id.sub.i of the first device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; wherein the second secure server is configured to instruct the second device to compute a private key sk.sub.j based on a second set of parameters received from the second secure server and based on a first random number r.sub.j1 generated by the second device, wherein the second set of parameters is generated by the second secure server based on a second random number r.sub.j2 generated by the second secure server, a second set of components, the master secret key x.sub.j and the parameters associated with a master public key mpk.sub.j, wherein the second set of components is generated by the second device and transmitted to the second secure server, wherein the second set of components comprises the first random number r.sub.j1, an arbitrary first value R.sub.j1, and an identity id.sub.j of the second device, and wherein the arbitrary first value R.sub.j1 is generated based on the first random number r.sub.j1; wherein the first secure server is located in a different domain from the second secure server; wherein the first and second devices are configured to use a self-certified identity based signature scheme to generate a common session key SK.sub.ij for encoding digital communications between the first and second devices with respect to an extended Transport Layer Security (TLS) protocol or an extended Datagram Transport Layer Security protocol (DTLS), wherein the identity id.sub.i of the first device is included in a certificate message of the first device and the identity id.sub.j of the second device is included in a certificate message of the second device, and wherein the self-certified identity based signature scheme is dictated by the private keys sk.sub.i and sk.sub.j; wherein the first secure server is configured to generate the first set of parameters for the first device, wherein generating the first set of parameters for the first device comprises: retrieving the arbitrary first value R.sub.i1 and the identity id.sub.i of the first device from the first set of components; computing an arbitrary value R.sub.i of the first device and a first integer s.sub.i1; and setting the computed arbitrary value R.sub.i of the first device and the first integer s.sub.i1 as the first set of parameters for the first device, wherein the arbitrary value R.sub.i of the first device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed based on the second random number r.sub.i2, the master secret key x.sub.i, the arbitrary value R.sub.i of the first device, the identity id.sub.i of the first device and a prime number q obtained from the parameters associated with the master public key mpk.sub.i.

13. The system according to claim 12, wherein the first device is configured to compute the private key sk.sub.i, wherein computing the private key sk.sub.i comprises: computing an integer s.sub.i based on the first integer s.sub.i1 as retrieved from the first set of parameters, the first random number r.sub.i1, and a prime number q as obtained from the parameters associated with the master public key mpk.sub.i; and forming the private key sk.sub.i based on the arbitrary value R.sub.i of the first device and the integer s.sub.i.

14. The system according to claim 12, wherein the second secure server is configured to generate the second set of parameters for the second device, wherein generating the second set of parameters for the second device comprises: retrieving the arbitrary first value R.sub.j1 and the identity id.sub.j of the second device from the second set of components; computing an arbitrary value R.sub.j of the second device and a first integer s.sub.j1; and setting the computed arbitrary value R.sub.j of the second device and the first integer s.sub.j1 as the second set of parameters for the second device, wherein the arbitrary value R.sub.j of the second device is computed based on the arbitrary first value R.sub.j1 and the second random number r.sub.j2, and wherein the first integer s.sub.j1 is computed based on the second random number r.sub.j2, the master secret key x.sub.j, the arbitrary value R.sub.j of the second device, the identity id.sub.j of the second device and a prime number q obtained from the parameters associated with the master public key mpk.sub.j.

15. The system according to claim 14, wherein the second device is configured to compute the private key sk.sub.j, wherein computing the private key sk.sub.j comprises: computing an integer s.sub.j based on the first integer s.sub.j1 as retrieved from the second set of parameters, the first random number r.sub.j1, and a prime number q as obtained from the parameters associated with the master public key mpk.sub.j; and forming the private key sk.sub.j based on the arbitrary value R.sub.j of the second device and the integer s.sub.j.

16. The system according to claim 12, wherein the secure server is configured to: receive a zero-knowledge proof result from a respective device, wherein the zero-knowledge proof result is generated by the respective device using the first random number r.sub.i1 and a system parameter λ; determine from the zero-knowledge proof result whether or not the first random number r.sub.i1 is less than or equal to the system parameter λ; and based on the first random number r.sub.i1 being less than or equal to the system parameter λ, compute parameters for the respective device based on the second random number r.sub.i2 generated by the secure server.

17. A secure server, comprising: a processor; and a non-transitory medium readable by the processor having processor-executable instructions stored thereon, wherein the processor-executable instructions, when executed by the processor, facilitate: computing parameters for a device based on a second random number r.sub.i2 generated by the secure server, a first set of components received from the device, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components comprises a first random number r.sub.i1 generated by the device, an arbitrary first value R.sub.i1, and an identity id.sub.i of the device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and transmitting the computed parameters to the device to facilitate the device computing a private key sk based on the received computed parameters and the first random number r.sub.i1, wherein the private key sk is for the device to participate in a self-certified identity based signature system, wherein computing the parameters for the device comprises: retrieving the arbitrary first value R.sub.i1 and the identity id.sub.i of the device from the first set of components; computing an arbitrary value R.sub.i of the device and a first integer s.sub.i1; and setting the computed arbitrary value R.sub.i of the device and the first integer s.sub.i1 as the parameters for the device, wherein the arbitrary value R.sub.i of the device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed based on the second random number r.sub.i2, the master secret key x, the arbitrary value R.sub.i of the device, the identity id.sub.i of the device, and a prime number q obtained from the parameters associated with the master public key mpk.

18. The secure server according to claim 17, wherein computing the parameters for the device comprises: retrieving the arbitrary first value R.sub.i1, the identity id.sub.i of the device, and a homomorphic encryption value c from the first set of components, and wherein the homomorphic encryption value c is generated by providing the first random number r.sub.i1 and a prime number q obtained from the parameters associated with the master public key mpk to an additive homomorphic encryption function HEnc( ); and setting an arbitrary value R.sub.i of the device and a first integer s.sub.i1 as the parameters for the device, wherein the arbitrary value R.sub.i of the device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed by providing the second random number r.sub.i2, the homomorphic encryption value c, the master secret key x, the arbitrary value R.sub.i of the device, the identity id.sub.i of the device and the prime number q to the additive homomorphic encryption function HEnc( ).

19. The secure server according to claim 17, wherein the processor-executable instructions, when executed by the processor, further facilitate: receiving a zero-knowledge proof result from a respective device, wherein the zero-knowledge proof result is generated by the respective device using the first random number r.sub.i1 and a system parameter λ; determining from the zero-knowledge proof result whether or not the first random number r.sub.i1 is less than or equal to the system parameter λ; and based on the first random number r.sub.i1 being less than or equal to the system parameter λ, computing parameters for the respective device based on the second random number r.sub.i2 generated by the secure server.

20. A method, comprising: computing, by a secure server, parameters for a device based on a second random number r.sub.i2 generated by the secure server, a first set of components received from the device, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components comprises a first random number r.sub.i1 generated by the device, an arbitrary first value R.sub.i1, and an identity id.sub.i of the device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and transmitting, by the secure server, the computed parameters to the device to facilitate the device computing a private key sk based on the received computed parameters and the first random number r.sub.i1, wherein the private key sk is for the device to participate in a self-certified identity based signature system, wherein computing the parameters for the device comprises: retrieving the arbitrary first value R.sub.i1, the identity id.sub.i of the device, and a homomorphic encryption value c from the first set of components, wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1 and the homomorphic encryption value c is generated by providing the first random number r.sub.i1 and a prime number q obtained from the parameters associated with the master public key mpk to an additive homomorphic encryption function HEnc( ); and setting an arbitrary value R.sub.i of the device and a first integer s.sub.i1 as the parameters for the device, wherein the arbitrary value R.sub.i of the device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed by providing the second random number r.sub.i2, the homomorphic encryption value c, the master secret key x, the arbitrary value R.sub.i of the device, the identity id.sub.i of the device, and the prime number q to the additive homomorphic encryption function HEnc( ).

21. The method according to claim 20, wherein computing the parameters for the device comprises: retrieving the arbitrary first value R.sub.i1 and the identity id.sub.i of the device from the first set of components; computing an arbitrary value R.sub.i of the device and a first integer s.sub.i1; and setting the computed arbitrary value R.sub.i of the device and the first integer s.sub.i1 as the parameters for the device, wherein the arbitrary value R.sub.i of the device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed based on the second random number r.sub.i2, the master secret key x, the arbitrary value R.sub.i of the device, the identity id.sub.i of the device and a prime number q obtained from the parameters associated with the master public key mpk.

22. A method, comprising: receiving, by a first device, instructions from a secure server to compute a private key sk.sub.i based on a first set of parameters received from the secure server and based on a first random number r.sub.i1 generated by the first device, wherein the first set of parameters is generated by the secure server based on a second random number r.sub.i2 generated by the secure server, a first set of components, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components is generated by the first device and transmitted to the secure server, wherein the first set of components comprises the first random number r.sub.i1, an arbitrary first value R.sub.i1, and an identity id.sub.i of the first device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and communicating, by the first device, with a second device to generate a common session key SK by using a self-certified identity based signature scheme, wherein the common session key SK is for encoding digital communications between the first and second devices with respect to an extended Transport Layer Security (TLS) protocol or an extended Datagram Transport Layer Security protocol (DTLS), wherein the identity id.sub.i of the first device is included in a certificate message of the first device and an identity id.sub.j of the second device is included in a certificate message of the second device, wherein the self-certified identity based signature scheme is dictated by the private key sk.sub.i and a private key sk.sub.j computed by the second device, wherein the first set of parameters is generated based on: retrieving the arbitrary first value R.sub.i1 and the identity id.sub.i of the first device from the first set of components; computing an arbitrary value R.sub.i of the first device and a first integer s.sub.i1; and setting the computed arbitrary value R.sub.i of the first device and the first integer s.sub.i1 as the first set of parameters for the first device, wherein the arbitrary value R.sub.i of the first device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed based on the second random number r.sub.i2, the master secret key x, the arbitrary value R.sub.i of the first device, the identity id.sub.i of the first device, and a prime number q obtained from the parameters associated with the master public key mpk.

23. A first device, comprising: a processor; and a non-transitory medium readable by the processor having processor-executable instructions stored thereon, wherein the processor-executable instructions, when executed by the processor, facilitate: receiving instructions from a secure server to compute a private key sk.sub.i based on a first set of parameters received from the secure server and based on a first random number r.sub.i1 generated by the first device, wherein the first set of parameters is generated by the secure server based on a second random number r.sub.i2 generated by the secure server, a first set of components, a master secret key x, and parameters associated with a master public key mpk, wherein the first set of components is generated by the first device and transmitted to the secure server, wherein the first set of components comprises the first random number r.sub.i1, an arbitrary first value R.sub.i1, and an identity id.sub.i of the first device, and wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1; and communicating with a second device to generate a common session key SK by using a self-certified identity based signature scheme, wherein the common session key SK is for encoding digital communications between the first and second devices with respect to an extended Transport Layer Security (TLS) protocol or an extended Datagram Transport Layer Security protocol (DTLS), wherein the identity id.sub.i of the first device is included in a certificate message of the first device and an identity id.sub.j of the second device is included in a certificate message of the second device, wherein the self-certified identity based signature scheme is dictated by the private key sk.sub.i and a private key sk.sub.j computed by the second device, wherein the first set of parameters is generated based on: retrieving the arbitrary first value R.sub.i1, the identity id.sub.i of the first device, and a homomorphic encryption value c from the first set of components, wherein the arbitrary first value R.sub.i1 is generated based on the first random number r.sub.i1 and the homomorphic encryption value c is generated by providing the first random number r.sub.i1 and a prime number q obtained from the parameters associated with the master public key mpk to an additive homomorphic encryption function HEnc( ); and setting an arbitrary value R.sub.i of the first device and a first integer s.sub.i1 as the parameters for the first device, wherein the arbitrary value R.sub.i of the first device is computed based on the arbitrary first value R.sub.i1 and the second random number r.sub.i2, and wherein the first integer s.sub.i1 is computed by providing the second random number r.sub.i2, the homomorphic encryption value c, the master secret key x, the arbitrary value R.sub.i of the first device, the identity id.sub.i of the first device, and the prime number q to the additive homomorphic encryption function HEnc( ).

Description

BRIEF DESCRIPTION OF THE DRAWINGS

(1) The above advantages and features in accordance with this application are described in the following detailed description and are shown in the following drawings:

(2) FIG. 1 illustrates a block diagram representative of an entity-pair authentication and a common session key generation system for the authenticated entity-pair in accordance with embodiments of the application;

(3) FIG. 2 illustrates a block diagram representative of components in an electronic device or server for implementing embodiments in accordance with embodiments of the application;

(4) FIG. 3 illustrates a timing diagram for the generation of a private key sk for a device in a self-certified identity based signature scheme in accordance with embodiments of the application;

(5) FIG. 4 illustrates a timing diagram for the authentication of an entity-pair and for the generation of a common session key for the authenticated entity-pair in accordance with embodiments of the application;

(6) FIG. 5 illustrates a flow diagram of a process for verifying the authenticity of a second entity and for generating a common session key in accordance with embodiments of the application.

DETAILED DESCRIPTION OF THE EMBODIMENT

(7) This application relates to a system and method for generating private keys for devices participating in a self-certified identity based signature scheme, whereby the private key is used by the devices to establish a common session key for encoding digital communications between devices. In particular, the private keys generated in accordance with the system and methods of the application are known only to the devices themselves and not to any third party.
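The two-round derivation of claims 1 to 5, as an added Python example that is not the patent's own code: a toy Paillier key pair owned by the device plays the role of HEnc( )/HDec( ), so the server can form s.sub.i1 without ever seeing r.sub.i1 or the resulting s.sub.i. The group (P, Q, G), the Paillier primes, SHA-256 as H( ) and all function names are this example's constructed assumptions, sized for illustration only.

```python
# Added example: claims 1-5 with a toy Paillier scheme as HEnc()/HDec().
# Toy sizes only; a real deployment uses proper group/Paillier sizes and a CSPRNG.
import hashlib
import random
from math import gcd

# Constructed toy group: P safe prime, Q = (P - 1) / 2, G = 4 generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4


class Paillier:
    """Minimal Paillier key pair; owned by the device so only it can run HDec()."""

    def __init__(self, p, q):
        self.n = p * q
        self.lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
        self.mu = pow(self.lam, -1, self.n)

    def dec(self, c):
        """HDec(): L(c^lambda mod n^2) * mu mod n, with L(u) = (u - 1) / n."""
        n2 = self.n * self.n
        u = pow(c, self.lam, n2)
        return ((u - 1) // self.n) * self.mu % self.n


def he_enc(n, m, rng):
    """HEnc() under public modulus n: (1+n)^m * r^n mod n^2.

    Multiplying ciphertexts adds plaintexts; raising to e multiplies the plaintext by e.
    """
    n2 = n * n
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:
        r = rng.randrange(1, n)
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2


def hash_to_zq(R_i, identity):
    """H(R_i, id_i) mapped into Z_q (SHA-256 is this example's choice, not the patent's)."""
    data = R_i.to_bytes(8, "big") + identity.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def device_round1(rng, he, identity):
    """Device: choose r_i1, send R_i1 = g^r_i1, id_i and c = HEnc(r_i1^-1 mod q) (claim 3)."""
    r_i1 = rng.randrange(1, Q)
    R_i1 = pow(G, r_i1, P)
    c = he_enc(he.n, pow(r_i1, -1, Q), rng)
    return r_i1, (R_i1, identity, c)


def server_round(rng, x, he_n, components):
    """Server: R_i = R_i1^r_i2 and s_i1 = HEnc(r_i2) * c^(x*H(R_i,id_i)) (claim 3).

    s_i1 decrypts to r_i2 + r_i1^-1 * x*H, but the server only ever holds
    ciphertexts under the device's key, so it learns neither r_i1 nor s_i.
    """
    R_i1, identity, c = components
    r_i2 = rng.randrange(1, Q)
    R_i = pow(R_i1, r_i2, P)                     # g^(r_i1 * r_i2)
    e = x * hash_to_zq(R_i, identity) % Q        # exponent reduced mod q, so e * r_i1^-1 < q^2 < n
    n2 = he_n * he_n
    s_i1 = he_enc(he_n, r_i2, rng) * pow(c, e, n2) % n2
    return R_i, s_i1


def device_round2(he, r_i1, params):
    """Device: s_i = r_i1 * HDec(s_i1) mod q (claim 5); the private key is sk = (R_i, s_i)."""
    R_i, s_i1 = params
    s_i = r_i1 * he.dec(s_i1) % Q                # = r_i1*r_i2 + x*H(R_i,id_i) mod q
    return R_i, s_i


def public_key_of(R_i, identity, y):
    """Self-certified public key: any verifier derives R_i * y^H(R_i,id_i) from mpk alone."""
    return R_i * pow(y, hash_to_zq(R_i, identity), P) % P


def run_protocol(identity, seed=7):
    """Run both rounds with a seeded RNG and return what each side ends up with."""
    rng = random.Random(seed)
    he = Paillier(2003, 2011)       # n = 4028033 > q^2 + q, so the encrypted sum never wraps mod n
    x = rng.randrange(1, Q)         # master secret key, server only
    y = pow(G, x, P)                # published in mpk
    r_i1, components = device_round1(rng, he, identity)
    params = server_round(rng, x, he.n, components)
    R_i, s_i = device_round2(he, r_i1, params)
    return {"R_i": R_i, "s_i": s_i, "y": y, "id": identity}


def key_is_consistent(out):
    """Check g^s_i == R_i * y^H(R_i,id_i): the derived key matches its self-certified public key."""
    return pow(G, out["s_i"], P) == public_key_of(out["R_i"], out["id"], out["y"])


if __name__ == "__main__":
    res = run_protocol("device-001")
    print("sk = (R_i, s_i) =", (res["R_i"], res["s_i"]), "consistent:", key_is_consistent(res))
```

The consistency check is what makes the key self-certified: a peer needs only mpk, R.sub.i and id.sub.i to reconstruct the device's public key, which is why the identity alone can travel in the TLS/DTLS certificate message.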

(8) Further, before the common session key is calculated, an entity-pair or device-pair will first verify the authenticity of each entity or device. Once each of these entities has been authenticated, the entity-pair will then proceed to generate a common session key that is then utilized to encode digital communications between these entities.

(9) FIG. 1 illustrates a block diagram of an entity-pair authentication and a common session key generation system in accordance with embodiments of the application. One skilled in the art will recognize that the terms entity and device may be used interchangeably throughout the description without departing from the application.

(10) The system illustrated in FIG. 1 comprises devices or entities 105, 110 that are wirelessly connected to secure server 120. Entities 105 and 110 may each comprise, but are not limited to, any device able to carry out wireless communicative functions, such as a smart phone, a tablet computer, a mobile computer, a netbook, a wearable electronic device such as a smart watch, a smart plug, or a transceiver of the kind found in smart devices or Internet of Things (IoT) enabled devices.

(11) As for secure server 120, this server may comprise a secure cloud server or a remotely located secure server which is able to communicate wirelessly with entities 105 and 110 either through Internet 115 or directly with entities 105 and 110. If server 120 is configured to communicate with entities 105 and 110 through Internet 115, server 120 may do so via wired networks or wireless networks 125 such as, but not limited to, cellular networks, satellite networks, telecommunication networks, or Wide Area Networks (WAN). Alternatively, if server 120 is configured to communicate directly with entities 105 and 110, this may be accomplished through wireless networks 130 such as, but not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, or Near Field Communication (NFC). It should be noted that entities 105 and 110 may utilize either one of wireless network 125 (via the Internet) or wireless network 130 (direct communication) to exchange data messages with one another.

(12) FIG. 2 illustrates a block diagram representative of components of an electronic device 200 that is provided within entities 105, 110 and server 120 for implementing embodiments of the application. One skilled in the art will recognize that the exact configuration of each electronic device provided within the entities or the server may differ, that the exact configuration of electronic device 200 may vary, and that FIG. 2 is provided by way of example only.

(13) In embodiments of the application, device 200 comprises controller 201 and user interface 202. User interface 202 is arranged to enable manual interactions between a user and electronic device 200 and for this purpose includes the input/output components for the user to enter instructions to control electronic device 200. A person skilled in the art will recognize that components of user interface 202 may vary from embodiment to embodiment but will typically include one or more of display 240, keyboard 235 and track-pad 236.

(14) Controller 201 is in data communication with user interface 202 via bus 215 and includes memory 220, Central Processing Unit (CPU) 205 mounted on a circuit board that processes instructions and data for performing the method of this embodiment, an operating system 206, an input/output (I/O) interface 230 for communicating with user interface 202 and a communications interface, in this embodiment in the form of a network card 250. Network card 250 may, for example, be utilized to send data from electronic device 200 via a wired or wireless network to other processing devices or to receive data via the wired or wireless network. Wireless networks that may be utilized by network card 250 include, but are not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, Near Field Communication (NFC), cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), etc.

(15) Memory 220 and operating system 206 are in data communication with CPU 205 via bus 210. The memory components include both volatile and non-volatile memory and more than one of each type of memory, including Random Access Memory (RAM) 220, Read Only Memory (ROM) 225 and a mass storage device 245, the last comprising one or more solid-state drives (SSDs). Memory 220 also includes secure storage 246 for securely storing secret keys, or private keys. It should be noted that the contents within secure storage 246 are only accessible by a super-user or administrator of device 200 and may not be accessed by any user of device 200. One skilled in the art will recognize that the memory components described above comprise non-transitory computer-readable media and shall be taken to comprise all computer-readable media except for a transitory, propagating signal. Typically, the instructions are stored as program code in the memory components but can also be hardwired. Memory 220 may include a kernel and/or programming modules such as a software application that may be stored in either volatile or non-volatile memory.

(16) Herein the term “CPU” is used to refer generically to any device or component that can process such instructions and may include: a microprocessor, microcontroller, programmable logic device or other computational device. That is, CPU 205 may be provided by any suitable logic circuitry for receiving inputs, processing them in accordance with instructions stored in memory and generating outputs (for example to the memory components or on display 240). In this embodiment, CPU 205 may be a single core or multi-core processor with memory addressable space. In one example, CPU 205 may be multi-core, comprising, for example, an 8-core CPU.

(17) Generation of a Private Key

(18) Referring back to FIG. 1, prior to adding entities 105 and 110 to the entity-pair authentication and the common session key generation system in accordance with embodiments of the application, server 120, which is configured as a Key Generation Centre, will first initiate a setup procedure based on a discrete-logarithm type signature scheme to generate a master secret key “x” and a master public key “y”. In the setup procedure, server 120 will first determine an appropriate cyclic group, G, with a prime order q, and a generator g of G. In embodiments of the application, the cyclic group, G, will be based on finite fields or elliptic curves defined over a finite field.

(19) Server 120 will then select a cryptographic collision-resistant hash function H that maps arbitrary-length bit strings $\{0,1\}^*$ to bit strings of a fixed output length, the output length being an appropriate integer known to a person skilled in the art. Server 120 will also select an Authentication Data Deriving Function and a Key Deriving Function that are to be adopted for use in the system. In embodiments of the application, the Authentication Data Deriving Function (AdDF) may include any algorithm or scheme for verifying the authenticity of a message, such as a message authentication code (MAC), a message integrity code or a keyed hash function, while the Key Deriving Function (KDF) may include any scheme for deriving a secret key from a secret value, such as a collision-resistant hash function.

(20) Once that is done, server 120 then proceeds to select the master secret key “x” from an allowed set of integers ($x \in \mathbb{Z}_q$), sets $y = g^x$, and sets the master public key “mpk” as $mpk = \{G, g, q, y, H, \mathrm{AdDF}, \mathrm{KDF}\}$.

(21) It should be noted that the setup procedure described above is similar to the initiation procedures for setting up a discrete-logarithm type of self-certified identity based signature scheme such as, but not limited to, the lightweight identity based signature scheme defined in ISO/IEC 29192-4 or the elliptic curve-based certificate-less signature scheme defined in IETF RFC 6507. In such self-certified Identity Based Signature Schemes, signatures generated by a particular user always contain a fixed component that is specific to that user's private signing key or private key. Hence, the fixed component is termed key-specific data (KSD) in this application, whereby the KSD may be utilized to verify the generated signatures. For illustration purposes, the identity based signature scheme defined in ISO/IEC 29192-4 is adopted in all embodiments below, but one skilled in the art will recognize that the system and method are easily applied to other self-certified identity based signature schemes, such as the scheme specified in IETF RFC 6507, with the due changes made in a straightforward way.

(22) When entity 105 or 110 joins the system, a private key unique to each of these entities will be issued by secure server 120, i.e. the Key Generation Centre. These unique private keys once generated will then be communicated to each of these entities whereby the respective private keys will then be stored in the secure memory within each of entities 105 and 110.

(23) The generation of a private key for entity 105 is illustrated in FIG. 3. In particular, when entity 105 registers itself with server 120, at step 305, entity 105 will first generate a random number $r_{i1} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Entity 105 will then utilize the random number $r_{i1}$ to compute an arbitrary value $R_{i1}$ as $R_{i1} = g^{r_{i1}}$. At step 310, entity 105 then communicates the arbitrary value $R_{i1}$ and its identity, $\mathrm{id}_i$, to server 120. The identity, $\mathrm{id}_i$, of entity 105 may comprise its user name, email address, telephone number, IP address, MAC address, or any alphanumeric combination that may be utilized to uniquely identify entity 105.

(24) At step 315, server 120 will receive the arbitrary value $R_{i1}$ and the identity of entity 105, $\mathrm{id}_i$. Server 120 then selects a random number $r_{i2} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Based on the selected random number $r_{i2}$ and the received information, server 120 then computes an arbitrary value $R_i$ that is to be accorded to entity 105 as $R_i = R_{i1} g^{r_{i2}}$ or $R_i = R_{i1} / g^{r_{i2}}$, and also computes an integer $s_{i1}$ as $s_{i1} = r_{i2} + x H(R_i, \mathrm{id}_i) \pmod q$ or $s_{i1} = -r_{i2} + x H(R_i, \mathrm{id}_i) \pmod q$, respectively, where x is the previously generated master secret key “x” and $H()$ is the hash function contained in the parameters of the mpk.

(25) Server 120 then transmits the arbitrary value $R_i$ and the integer $s_{i1}$ to entity 105 at step 320. Upon receiving this information, entity 105 will, at step 325, proceed to compute the integer $s_i$ as $s_i = s_{i1} + r_{i1} \pmod q$. Entity 105 then sets its private key $sk_i$ as $sk_i = (R_i, s_i)$.

(26) In another embodiment of the application, at step 315, based on the selected random number $r_{i2}$ and the information received at this step, server 120 will instead compute the arbitrary value $R_i$ that is to be accorded to entity 105 as $R_i = g^{r_{i2}} / R_{i1}$, and also computes the integer $s_{i1}$ as $s_{i1} = r_{i2} + x H(R_i, \mathrm{id}_i) \pmod q$, where x is the previously generated master secret key “x” and $H()$ is the hash function contained in the parameters of the mpk.

(27) Server 120 then transmits the arbitrary value $R_i$ and the integer $s_{i1}$ to entity 105 at step 320. Upon receiving this information, entity 105 will, at step 325, proceed to compute the integer $s_i$ as $s_i = s_{i1} - r_{i1} \pmod q$. Entity 105 then sets its private key $sk_i$ as $sk_i = (R_i, s_i)$.
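As an added worked example (code written for this page, not code from the patent or from ISO/IEC 29192-4): steps 305 to 325 of paragraphs (23) to (27) carried out over a toy Schnorr group, with H instantiated as SHA-256 reduced modulo q and a `subtract` flag selecting the $R_i = R_{i1} / g^{r_{i2}}$ variant. The group parameters, the hash encoding and all function names are assumptions, and the group is far too small for real use. The point to notice is that $s_i$ is formed only on the device, while the server's view is limited to $R_{i1}$, $R_i$ and $s_{i1}$, yet the resulting key still satisfies $g^{s_i} = R_i\, y^{H(R_i, \mathrm{id}_i)}$, the relation that verifiers rely on later.

```python
import hashlib
import secrets

# Toy parameters (assumption, NOT secure): P = 2Q + 1 with Q prime, and G = 2^2 generates
# the order-Q subgroup of Z_P^*. Real deployments use a 2048-bit group or an elliptic curve.
P, Q, G = 1019, 509, 4
KSD_BYTES = (P.bit_length() + 7) // 8


def H(R, ident):
    """H(R_i, id_i): SHA-256 over the encoded KSD and the identity, reduced mod q (assumed encoding)."""
    data = R.to_bytes(KSD_BYTES, "big") + ident.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_zq_star():
    """A uniformly random element of Z_q^*, i.e. a non-zero residue modulo q."""
    return secrets.randbelow(Q - 1) + 1


def kgc_setup():
    """Setup at the Key Generation Centre: master secret key x and the mpk component y = g^x."""
    x = rand_zq_star()
    return x, pow(G, x, P)


def device_step_305():
    """Device picks r_i1 and commits to it as R_i1 = g^{r_i1}; r_i1 never leaves the device."""
    r_i1 = rand_zq_star()
    return r_i1, pow(G, r_i1, P)


def server_step_315(x, R_i1, ident, subtract=False):
    """Server picks r_i2 and returns (R_i, s_i1) for either variant of paragraph (24)."""
    r_i2 = rand_zq_star()
    if subtract:
        R_i = R_i1 * pow(G, Q - r_i2, P) % P       # R_i = R_i1 / g^{r_i2}   (g^{-r} = g^{Q-r})
        s_i1 = (-r_i2 + x * H(R_i, ident)) % Q    # s_i1 = -r_i2 + x H(R_i, id_i) mod q
    else:
        R_i = R_i1 * pow(G, r_i2, P) % P           # R_i = R_i1 * g^{r_i2}
        s_i1 = (r_i2 + x * H(R_i, ident)) % Q     # s_i1 = r_i2 + x H(R_i, id_i) mod q
    return R_i, s_i1


def device_step_325(r_i1, R_i, s_i1):
    """Device completes the key: s_i = s_i1 + r_i1 mod q, sk_i = (R_i, s_i)."""
    return R_i, (s_i1 + r_i1) % Q


def ksd_consistent(y, ident, sk):
    """Check g^{s_i} == R_i * y^{H(R_i, id_i)}: the relation a verifier reconstructs from the KSD."""
    R_i, s_i = sk
    return pow(G, s_i, P) == R_i * pow(y, H(R_i, ident), P) % P


def issue_private_key(x, ident, subtract=False):
    """Run the full exchange; returns (sk_i, server_view). The server only ever sees s_i1."""
    r_i1, R_i1 = device_step_305()
    R_i, s_i1 = server_step_315(x, R_i1, ident, subtract)
    sk_i = device_step_325(r_i1, R_i, s_i1)
    return sk_i, {"R_i1": R_i1, "R_i": R_i, "s_i1": s_i1}


if __name__ == "__main__":
    x, y = kgc_setup()
    sk, view = issue_private_key(x, "device-105")
    print("sk_i =", sk, "consistent:", ksd_consistent(y, "device-105", sk))
    print("server's s_i1 differs from the device's s_i:", view["s_i1"] != sk[1])
```

The `subtract` branch uses $g^{-r_{i2}} = g^{Q - r_{i2}}$, which holds because $g$ has order $Q$; the same identity is what makes the two variants of paragraph (24) interchangeable.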

(28) In yet another embodiment of the application, when entity 105 registers itself with server 120, at step 305, entity 105 will first generate a random number $r_{i1} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Entity 105 will then utilize the random number $r_{i1}$ to compute an arbitrary value $R_{i1}$ as $R_{i1} = g^{r_{i1}}$. Further, entity 105 will also generate a homomorphic encryption value c defined by $c = \mathrm{HEnc}(r_{i1}^{-1} \bmod q)$, where $\mathrm{HEnc}()$ denotes an additive homomorphic encryption function and $\mathrm{HDec}()$ denotes the corresponding decryption function. In embodiments of the application, the additive homomorphic encryption/decryption functions are based on Paillier's cryptosystem, whereby $\mathrm{HEnc}(m_1) \cdot \mathrm{HEnc}(m_2) = \mathrm{HEnc}(m_1 + m_2)$ and $\mathrm{HEnc}(m_1)^{m_2} = \mathrm{HEnc}(m_1 m_2)$.

(29) At step 310, entity 105 then communicates the arbitrary value $R_{i1}$, its identity $\mathrm{id}_i$, the generated homomorphic encryption value c and the additive homomorphic encryption function to server 120. As before, the identity, $\mathrm{id}_i$, of entity 105 may comprise its user name, email address, telephone number, IP address, MAC address, or any alphanumeric combination that may be utilized to uniquely identify entity 105.

(30) At step 315, server 120 will receive the homomorphic encryption value c, the arbitrary value $R_{i1}$ and the identity of entity 105, $\mathrm{id}_i$. Server 120 then selects a random number $r_{i2} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Based on the selected random number $r_{i2}$ and the received information, server 120 then computes an arbitrary value $R_i$ that is to be accorded to entity 105 as $R_i = (R_{i1})^{r_{i2}}$ and also computes an integer $s_{i1}$ as $s_{i1} = \mathrm{HEnc}(r_{i2}) \cdot c^{\,x H(R_i, \mathrm{id}_i) \bmod q}$, where x is the previously generated master secret key “x” and $H()$ is the hash function contained in the parameters of the mpk. The integer $s_{i1}$ may be further expanded to $s_{i1} = \mathrm{HEnc}(r_{i2} + r_{i1}^{-1} x H(R_i, \mathrm{id}_i) \bmod q)$.

(31) Server 120 then transmits the arbitrary value $R_i$ and the integer $s_{i1}$ to entity 105 at step 320. Upon receiving this information, entity 105 will, at step 325, proceed to compute the integer $s_i$ as $s_i = r_{i1} \mathrm{HDec}(s_{i1}) = r_{i1} r_{i2} + x H(R_i, \mathrm{id}_i) \pmod q$. Entity 105 then sets its private key $sk_i$ as $sk_i = (R_i, s_i)$.

(32) In still yet another embodiment of the application, when entity 105 registers itself with server 120, at step 305, entity 105 will first generate a random number $r_{i1} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Entity 105 will then utilize the random number $r_{i1}$ to compute an arbitrary value $R_{i1}$ as $R_{i1} = g^{r_{i1}^{-1}}$. Further, entity 105 will generate the homomorphic encryption value c as defined by $c = \mathrm{HEnc}(r_{i1})$, where $\mathrm{HEnc}()$ denotes an additive homomorphic encryption function and $\mathrm{HDec}()$ denotes the corresponding decryption function.

(33) At step 310, entity 105 then communicates the arbitrary value $R_{i1}$, its identity $\mathrm{id}_i$, and the generated homomorphic encryption value c to server 120.

(34) At step 315, server 120 will receive the homomorphic encryption value c, the arbitrary value $R_{i1}$ and the identity of entity 105, $\mathrm{id}_i$. Server 120 then selects a random number $r_{i2} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Based on the selected random number $r_{i2}$ and the received information, server 120 then computes an arbitrary value $R_i$ that is to be accorded to entity 105 as $R_i = (R_{i1})^{r_{i2}}$ and also computes an integer $s_{i1}$ as $s_{i1} = \mathrm{HEnc}(r_{i2}) \cdot c^{\,x H(R_i, \mathrm{id}_i) \bmod q}$, where x is the previously generated master secret key “x” and $H()$ is the hash function contained in the parameters of the mpk. The integer $s_{i1}$ may be further expanded to $s_{i1} = \mathrm{HEnc}(r_{i2} + r_{i1} \cdot x H(R_i, \mathrm{id}_i) \bmod q)$.

(35) Server 120 then transmits the arbitrary value $R_i$ and the integer $s_{i1}$ to entity 105 at step 320. Upon receiving this information, entity 105 will, at step 325, proceed to compute the integer $s_i$ as $s_i = r_{i1}^{-1} \mathrm{HDec}(s_{i1}) = r_{i2} / r_{i1} + x H(R_i, \mathrm{id}_i) \pmod q$. Entity 105 then sets its private key $sk_i$ as $sk_i = (R_i, s_i)$.

(36) In another embodiment of the application, when entity 105 registers itself with server 120, at step 305, entity 105 will first generate a random number $r_{i1} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Entity 105 will then utilize the random number $r_{i1}$ to compute an arbitrary value $R_{i1}$ as $R_{i1} = g^{r_{i1}}$. Further, entity 105 will generate the homomorphic encryption value c as defined by $c = \mathrm{HEnc}(r_{i1}^{-1})$, where $\mathrm{HEnc}()$ denotes an additive homomorphic encryption function and $\mathrm{HDec}()$ denotes the corresponding decryption function.

(37) At step 310, entity 105 then communicates the arbitrary value $R_{i1}$, its identity $\mathrm{id}_i$, and the generated homomorphic encryption value c to server 120.

(38) At step 315, server 120 will receive the homomorphic encryption value c, the arbitrary value $R_{i1}$ and the identity of entity 105, $\mathrm{id}_i$. Server 120 then selects a random number $r_{i2} \in \mathbb{Z}_q^*$, where $\mathbb{Z}_q^*$ is the set of non-zero residues modulo q. Based on the selected random number $r_{i2}$ and the received information, server 120 then computes an arbitrary value $R_i$ that is to be accorded to entity 105 as $R_i = (R_{i1})^{r_{i2}^{-1}}$ and also computes an integer $s_{i1}$ as $s_{i1} = \mathrm{HEnc}(r_{i2}^{-1}) \cdot c^{\,x H(R_i, \mathrm{id}_i) \bmod q}$, where x is the previously generated master secret key “x” and $H()$ is the hash function contained in the parameters of the mpk. The integer $s_{i1}$ may be further expanded to $s_{i1} = \mathrm{HEnc}(r_{i2}^{-1} + r_{i1}^{-1} \cdot x H(R_i, \mathrm{id}_i) \bmod q)$.

(39) Server 120 then transmits the arbitrary value $R_i$ and the integer $s_{i1}$ to entity 105 at step 320. Upon receiving this information, entity 105 will, at step 325, proceed to compute the integer $s_i$ as $s_i = r_{i1} \mathrm{HDec}(s_{i1}) = r_{i1} / r_{i2} + x H(R_i, \mathrm{id}_i) \pmod q$. Entity 105 then sets its private key $sk_i$ as $sk_i = (R_i, s_i)$.
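As an added worked example covering the homomorphic embodiments of paragraphs (28) to (39) (code written for this page, not the patent's): the variant of paragraphs (28) to (31) carried through with a small Paillier instance standing in for $\mathrm{HEnc}()$/$\mathrm{HDec}()$. The server multiplies $\mathrm{HEnc}(r_{i2})$ by $c^{\,xH(R_i,\mathrm{id}_i) \bmod q}$ without ever seeing $r_{i1}^{-1}$, and the device decrypts and multiplies by $r_{i1}$ to obtain $s_i$. The toy group, the toy Paillier primes, the hash encoding and the function names are assumptions. One practical caveat the prose passes over: Paillier adds integers modulo its own modulus $n$, so $n$ must exceed the largest un-reduced sum $r_{i2} + r_{i1}^{-1}(xH \bmod q) < q^2 + q$ for the device's final reduction modulo q to come out right; the example checks this. The other three variants follow by swapping which of $r_{i1}$, $r_{i2}$ are inverted, exactly as the text describes.

```python
import hashlib
import math
import secrets

# Toy Schnorr group (assumption, NOT secure): P = 2Q + 1, Q prime, G = 2^2 of order Q.
P, Q, G = 1019, 509, 4
KSD_BYTES = (P.bit_length() + 7) // 8
# Toy Paillier primes (assumption). n = p*q must exceed q^2 + q for the toy group above.
PAILLIER_P, PAILLIER_Q = 10007, 10009


def H(R, ident):
    """H(R_i, id_i): SHA-256 over the encoded KSD and the identity, reduced mod q (assumed encoding)."""
    data = R.to_bytes(KSD_BYTES, "big") + ident.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def rand_zq_star():
    return secrets.randbelow(Q - 1) + 1


def kgc_setup():
    x = rand_zq_star()
    return x, pow(G, x, P)


# --- Paillier: HEnc(m1) * HEnc(m2) = HEnc(m1 + m2) and HEnc(m)^k = HEnc(k * m) -----------
def paillier_keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lambda = lcm(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))                   # public n; private (lambda, mu). Py 3.8+


def henc(n, m):
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2      # generator g = 1 + n


def hdec(n, priv, c):
    lam, mu = priv
    u = pow(c, lam, n * n)                             # u = 1 + m*lambda*n  (mod n^2)
    return ((u - 1) // n) * mu % n


# --- Steps 305-325 of paragraphs (28)-(31) --------------------------------------------
def device_step_305(n):
    r_i1 = rand_zq_star()
    R_i1 = pow(G, r_i1, P)                             # R_i1 = g^{r_i1}
    c = henc(n, pow(r_i1, -1, Q))                      # c = HEnc(r_i1^{-1} mod q)
    return r_i1, R_i1, c


def server_step_315(x, n, R_i1, c, ident):
    r_i2 = rand_zq_star()
    R_i = pow(R_i1, r_i2, P)                           # R_i = R_i1^{r_i2} = g^{r_i1 r_i2}
    e = x * H(R_i, ident) % Q                          # x H(R_i, id_i) mod q
    n2 = n * n
    s_i1 = henc(n, r_i2) * pow(c, e, n2) % n2          # = HEnc(r_i2 + r_i1^{-1} e), still blinded
    return R_i, s_i1


def device_step_325(n, priv, r_i1, R_i, s_i1):
    s_i = r_i1 * hdec(n, priv, s_i1) % Q               # = r_i1 r_i2 + x H(R_i, id_i) mod q
    return R_i, s_i


def ksd_consistent(y, ident, sk):
    R_i, s_i = sk
    return pow(G, s_i, P) == R_i * pow(y, H(R_i, ident), P) % P


def issue_private_key(x, ident):
    n, priv = paillier_keygen(PAILLIER_P, PAILLIER_Q)  # Paillier keypair held by the device only
    assert n > Q * Q + Q, "Paillier modulus too small: the blinded sum would wrap modulo n"
    r_i1, R_i1, c = device_step_305(n)
    R_i, s_i1 = server_step_315(x, n, R_i1, c, ident)  # server sees R_i1, c and its own r_i2
    return device_step_325(n, priv, r_i1, R_i, s_i1)


if __name__ == "__main__":
    x, y = kgc_setup()
    sk = issue_private_key(x, "device-105")
    print("sk_i =", sk, "consistent:", ksd_consistent(y, "device-105", sk))
```

Only the device holds the Paillier private key, so the server's $s_{i1}$ is an opaque ciphertext to everyone but the device, which is what keeps $r_{i1}$ (and hence $s_i$) out of the Key Generation Centre's reach.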

(40) It should be noted that private key sk.sub.i generated in accordance with the embodiments set out above may only be computed by entity 105 alone. In other words, server 120 is not empowered to compute private keys for entities in this self-certified identity based signature scheme.

(41) Generation of Private Key with Zero-Knowledge Proof

(42) The above embodiments eliminate the escrow of devices' private keys to the Key Generation Centre. A more general embodiment may require the Key Generation Centre to be provided with adjustable difficulty levels of key escrow generation, whereby the difficulty level is governed by a system parameter λ. In order to incorporate this adjustability into the system, the system parameter λ is introduced to set the length of the random number $r_{i1}$ that may be generated and utilized by entity 105. In this embodiment, which may be applied to any one of the previously described embodiments, a zero-knowledge proof function $\mathrm{ZKP}()$ is applied to the random number $r_{i1}$ and the system parameter λ, resulting in $\mathrm{ZKP}(|r_{i1}|, \lambda)$, which shows in a zero-knowledge manner that the length of $r_{i1}$ satisfies $|r_{i1}| \le \lambda$. The detailed workings of the function $\mathrm{ZKP}()$ are omitted for brevity as this function is known to those skilled in the art. In general, the function $\mathrm{ZKP}()$ will generate a zero-knowledge proof result using the random number $r_{i1}$ and the system parameter λ. The zero-knowledge proof result is then transmitted together with $\mathrm{id}_i$ and the arbitrary value $R_{i1}$ from entity 105 to server 120.

(43) When server 120 receives the arbitrary value $R_{i1}$, server 120 will then check the validity of the zero-knowledge proof result before proceeding further. If server 120 determines from the zero-knowledge proof result that the length of $r_{i1}$ is less than or equal to the system parameter λ, server 120 will proceed as normal. Otherwise, server 120 will abort the private key generation process.

(44) It should be noted that steps 305-325 as described in the various embodiments above may also be repeated for other entities, including entity 110, to generate a private key $sk_j$ for entity 110 as $sk_j = (R_j, s_j)$. Further, one skilled in the art will recognize that the embodiments above may be applied to any number of devices or entities to generate private keys for each of the entities in the system.

(45) Generation of Private Key with Cross-Domain KGCs

(46) In another embodiment of the application, another secure server (not shown) may be utilized in place of server 120 to generate the private key $sk_j$ for entity 110 as $sk_j = (R_j, s_j)$. This means that steps 305-325, along with the various embodiments described above, may take place between the other secure server and entity 110 instead of with server 120. In this cross-domain authenticated key exchange approach, the private signing key for entity 105 is generated using secure server 120 while the private signing key for entity 110 is generated using another, separate secure server (not shown). In such an embodiment, each secure server would have its own master secret key “x” and master public key “y”.

(47) Once the private keys have been stored in the secure memory of the respective entities, the entity-pair, i.e. entities 105 and 110, may then commence authentication procedures. Upon successfully authenticating each other, the entity-pair may then proceed to generate a common session key for encoding or signing digital communications sent between each other.

(48) Static Diffie Hellman-based Authenticated Key Exchange Protocol

(49) In embodiments of the application, a static Diffie Hellman-based authenticated key exchange protocol is adopted to generate a common session key between participants 105 and 110. With reference to FIG. 4, entity 105 initiates the authentication process with entity 110 by first selecting a cryptographic nonce, $N_i$. The selected cryptographic nonce may comprise any random or pseudo-random number. Entity 105 then computes a signed cryptographic nonce $c_i$, whereby the signed cryptographic nonce $c_i$ is defined by $c_i = \text{SC-IBS.Sign}(sk_i, N_i)$, where $\text{SC-IBS.Sign}()$ is a signing function for a Self-Certified Identity Based Signature Scheme and $sk_i$ is a private key of entity 105 that was generated using the steps set out in FIG. 3. In other words, the cryptographic nonce $N_i$ is signed using the function $\text{SC-IBS.Sign}()$ and the private key $sk_i$.

(50) Entity 105 then proceeds, at step 405, to transmit the identity of entity 105, $\mathrm{id}_i$, the value of the signed cryptographic nonce $c_i$, and the pseudo-random nonce $N_i$ to entity 110.

(51) Upon receiving the transmitted information, entity 110 will then proceed to verify $c_i$ using the corresponding verification function/algorithm associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 105, $\mathrm{id}_i$. This is done by entity 110 applying the verification function to $c_i$ and the identity $\mathrm{id}_i$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_i, c_i)$; if the verification fails, entity 110 will abort the process. Else, upon successfully verifying the signed cryptographic nonce $c_i$, entity 110 will then proceed to select a random nonce $N_j$ and will proceed to sign the cryptographic nonce $N_j$ as $c_j = \text{SC-IBS.Sign}(sk_j, N_i \| N_j)$, where $sk_j$ is a private key of entity 110 that was generated using the steps set out in FIG. 3.

(52) Entity 110 then proceeds, at step 410, to transmit the value of the signed cryptographic nonce $c_j$ and the pseudo-random nonce $N_j$ to entity 105.

(53) Upon receiving the transmitted information, entity 105 will then proceed to verify $c_j$ using the corresponding verification function associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 110, $\mathrm{id}_j$. This is done by entity 105 applying the verification function to $c_j$ together with the identity $\mathrm{id}_j$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_j, c_j)$; if the verification fails, entity 105 will abort the process. Else, entity 105 will calculate the shared secret $k_{ij}$, where $k_{ij} = g^{s_j \cdot s_i}$, whereby $g^{s_j} = R_j y^{H(R_j, \mathrm{id}_j)}$ and $R_j$ is part of $c_j$; calculate a first key $vk_i = \mathrm{KDF}(k_{ij})$; and calculate first authentication data $Ad_i = \mathrm{AdDF}(vk_i, N_j)$. Once this is done, entity 105 then calculates the common session key SK as $SK = \mathrm{KDF}(k_{ij}, N_i, N_j)$.

(54) Entity 105 then proceeds, at step 415, to transmit the first authentication data $Ad_i$ to entity 110.

(55) Upon receiving the first authentication data $Ad_i$, entity 110 will calculate the shared secret $k_{ji}$, where $k_{ji} = g^{s_i \cdot s_j}$, whereby $g^{s_i} = R_i y^{H(R_i, \mathrm{id}_i)}$ and $R_i$ is part of $c_i$; calculate a second key $vk_j = \mathrm{KDF}(k_{ji})$; and calculate second authentication data $Ad_j = \mathrm{AdDF}(vk_j, N_j)$. Once this is done, entity 110 then determines whether the second authentication data $Ad_j$ matches the received first authentication data $Ad_i$. If a match is not found, the process aborts. Alternatively, if a match is found, entity 110 will calculate the common session key SK as $SK = \mathrm{KDF}(k_{ji}, N_i, N_j)$.

(56) In another embodiment of the static Diffie Hellman-based authenticated key exchange protocol, option fields op_f1, op_f2, op_f3, op_f4, op_f5, op_f6 and op_f7 are used and may comprise identities of entities of the system where applicable or any application specific data as determined by the entities themselves.

(57) With reference to FIG. 4, entity 105 initiates the authentication process with entity 110 by first selecting a cryptographic nonce, $N_i$. Entity 105 then computes a signed cryptographic nonce $c_i$, whereby the signed cryptographic nonce $c_i$ is defined by $c_i = \text{SC-IBS.Sign}(sk_i, N_i \| \text{op\_f1})$, where $\text{SC-IBS.Sign}()$ is a signing function for a Self-Certified Identity Based Signature Scheme and $sk_i$ is a private key of entity 105 that was generated using the steps set out in FIG. 3. In other words, the cryptographic nonce $N_i$ is signed using the function $\text{SC-IBS.Sign}()$ and the private key $sk_i$.

(58) Entity 105 then proceeds, at step 405, to transmit an option field op_f2, the identity of entity 105, $\mathrm{id}_i$, the value of the signed cryptographic nonce $c_i$, and the pseudo-random nonce $N_i$ to entity 110.

(59) Upon receiving the transmitted information, entity 110 will then proceed to verify $c_i$ using the corresponding verification function associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 105, $\mathrm{id}_i$. This is done by entity 110 applying the verification function to $c_i$ and the identity $\mathrm{id}_i$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_i, c_i)$; if the verification fails, entity 110 will abort the process. Else, upon successfully verifying the signed cryptographic nonce $c_i$, entity 110 will then proceed to select a random nonce $N_j$ and will proceed to sign the cryptographic nonce $N_j$ as $c_j = \text{SC-IBS.Sign}(sk_j, N_i \| N_j \| \text{op\_f3})$, where $sk_j$ is a private key of entity 110 that was generated using the steps set out in FIG. 3.

(60) Entity 110 then proceeds, at step 410, to transmit an option field op_f4, the value of the signed cryptographic nonce $c_j$, and the pseudo-random nonce $N_j$ to entity 105.

(61) Upon receiving the transmitted information, entity 105 will then proceed to verify $c_j$ using the corresponding verification function associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 110, $\mathrm{id}_j$. This is done by entity 105 applying the verification function to $c_j$ together with the identity $\mathrm{id}_j$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_j, c_j)$; if the verification fails, entity 105 will abort the process. Else, entity 105 will calculate the shared secret $k_{ji}$, where $k_{ji} = g^{s_j \cdot s_i}$; calculate a first key $vk_i = \mathrm{KDF}(k_{ji}, \text{op\_f5})$; and calculate first authentication data $Ad_i = \mathrm{AdDF}(vk_i, N_j, \text{op\_f6})$. Once this is done, entity 105 then calculates the common session key SK as $SK = \mathrm{KDF}(k_{ji}, N_i, N_j, \text{op\_f7})$.

(62) Entity 105 then proceeds, at step 415, to transmit the first authentication data $Ad_i$ to entity 110.

(63) Upon receiving the first authentication data $Ad_i$, entity 110 will calculate the shared secret $k_{ji}$, where $k_{ji} = g^{s_i \cdot s_j}$; calculate a second key $vk_j = \mathrm{KDF}(k_{ji}, \text{op\_f5})$; and calculate second authentication data $Ad_j = \mathrm{AdDF}(vk_j, N_j, \text{op\_f6})$. Once this is done, entity 110 then determines whether the second authentication data $Ad_j$ matches the received first authentication data $Ad_i$. If a match is not found, the process aborts. Alternatively, if a match is found, entity 110 will calculate the common session key SK as $SK = \mathrm{KDF}(k_{ji}, N_i, N_j, \text{op\_f7})$.

(64) In yet another embodiment of the application, in the steps described above, the cryptographic nonces $N_i$ and $N_j$ may be replaced with ephemeral Diffie Hellman (DH) public values $g^a$ and $g^b$, and $k_{ij}$, $k_{ji}$ are derived from both $g^{s_i \cdot s_j}$ and $g^{ab}$. Such an embodiment would inherit all the features of an ephemeral DH-based protocol and is more secure.

(65) Static Diffie Hellman-based Authenticated Key Exchange Protocol Extended to TLS

(66) In still yet another embodiment of the application, the above idea of static Diffie-Hellman key exchange may be extended to Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). In particular, the steps above for generating the shared secret $k_{ij}$ (as well as $k_{ji}$) between entity 105 and entity 110 are in the same spirit as the static DH-based cipher-suites contained in TLS v1.2. It is thus easy for those skilled in the art to extend conventional TLS such as TLS v1.2 to include a set of static DH-based cipher-suites based on self-certified IBS as above. In this embodiment of the application, the Server Certificate message in the TLS protocol is set to be entity 110's $\mathrm{id}_j$ and its key specific data $R_j$, and the Client Message in the TLS protocol is set to be entity 105's $\mathrm{id}_i$ and its key specific data $R_i$; other steps and operations of the TLS protocol follow the TLS specification, with the corresponding changes due to the use of self-certified Identity Based Signature accommodated in a straightforward way.

(67) Ephemeral Diffie Hellman (DH)-based Authenticated Key Exchange Protocol

(68) In yet still another embodiment of the application, an ephemeral Diffie Hellman (DH)-based authenticated key exchange protocol is adopted to generate a common session key between participants 105 and 110. Entities 105 and 110 will each have private keys that correspond to a self-certified IBS scheme of either ISO/IEC 29192-4 or IETF RFC 6507.

(69) With reference to FIG. 4, entity 105 initiates the authentication process with entity 110 by first selecting a random value $a \in \mathbb{Z}_q^*$ and by computing a signed value $c_i$, whereby $c_i$ is defined by $c_i = \text{SC-IBS.Sign}(sk_i, g^a)$, where $\text{SC-IBS.Sign}()$ is a signing function for a Self-Certified Identity Based Signature Scheme, $sk_i$ is a private key of entity 105 that was generated using the steps set out in FIG. 3, and $g^a$ is the group element. In other words, the group element $g^a$ is signed using the function $\text{SC-IBS.Sign}()$ and the private key $sk_i$.

(70) Entity 105 then proceeds, at step 405, to transmit the identity of entity 105, $\mathrm{id}_i$, the value of the signed $c_i$, and the group element $g^a$ to entity 110.

(71) Upon receiving the transmitted information, entity 110 will then proceed to verify $c_i$ using the corresponding verification function associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 105, $\mathrm{id}_i$. This is done by entity 110 applying the verification function to $c_i$ and the identity $\mathrm{id}_i$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_i, c_i)$; if the verification fails, entity 110 will abort the process. Else, upon successfully verifying $c_i$, entity 110 will then proceed to select a random value $b \in \mathbb{Z}_q^*$ and will proceed to compute $c_j = \text{SC-IBS.Sign}(sk_j, g^a \| g^b)$, where $sk_j$ is a private key of entity 110 that was generated using the steps set out in FIG. 3.

(72) Entity 110 then proceeds, at step 410, to transmit the value of the signed group element $c_j$ and the group element $g^b$ to entity 105.

(73) Upon receiving the transmitted information, entity 105 will then proceed to verify $c_j$ using the corresponding verification function associated with the Self-Certified Identity Based Signature Scheme, $\text{SC-IBS.Verify}()$, and the identity of entity 110, $\mathrm{id}_j$. This is done by entity 105 applying the verification function to $c_j$ together with the identity $\mathrm{id}_j$, thereby producing $\text{SC-IBS.Verify}(\mathrm{id}_j, c_j)$; if the verification fails, entity 105 will abort the process. Else, entity 105 will calculate the shared secret $k_{ij}$, where $k_{ij} = g^{a \cdot b}$; calculate a first key $vk_i = \mathrm{KDF}(k_{ij})$; and calculate first authentication data $Ad_i = \mathrm{AdDF}(vk_i)$. Once this is done, entity 105 then calculates the common session key SK as $SK = \mathrm{KDF}(k_{ij})$.

(74) Entity 105 then proceeds, at step 415, to transmit the first authentication data $Ad_i$ to entity 110.

(75) Upon receiving the first authentication data $Ad_i$, entity 110 will calculate the shared secret $k_{ji}$, where $k_{ji} = g^{a \cdot b}$; calculate a second key $vk_j = \mathrm{KDF}(k_{ji})$; and calculate second authentication data $Ad_j = \mathrm{AdDF}(vk_j)$. Once this is done, entity 110 then determines whether the second authentication data $Ad_j$ matches the received first authentication data $Ad_i$. If a match is not found, the process aborts. Alternatively, if a match is found, entity 110 will calculate the common session key SK as $SK = \mathrm{KDF}(k_{ji})$.
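As an added worked example covering both the static DH-based protocol of paragraphs (49) to (55) and the ephemeral DH-based protocol of paragraphs (69) to (75) (code written for this page, not the patent's): steps 405 to 415 between entity 105 and entity 110 over a toy group, selectable with an `ephemeral` flag. Because the page does not spell out $\text{SC-IBS.Sign}$/$\text{SC-IBS.Verify}$, a Schnorr-type signature whose key-specific data $R$ travels with the signature stands in for them here; that stand-in, SHA-256 as the KDF, HMAC-SHA-256 as the AdDF, the group parameters and all function names are assumptions, not the ISO/IEC 29192-4 algorithm. The static branch derives $k_{ij} = (R_j y^{H(R_j, \mathrm{id}_j)})^{s_i}$ from the KSD carried inside $c_j$, the ephemeral branch derives $g^{ab}$, and both finish with the authentication-data comparison before the session key is accepted.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group (assumption, NOT secure): P = 2Q + 1, Q prime, G = 2^2 of order Q.
P, Q, G = 1019, 509, 4


def enc(v):
    """Fixed-width encoding of integers for hashing; bytes pass through unchanged."""
    return v if isinstance(v, bytes) else v.to_bytes(32, "big")


def H(R, ident):
    """H(R, id): SHA-256 over the KSD and the identity, reduced mod q (assumed encoding)."""
    return int.from_bytes(hashlib.sha256(enc(R) + ident.encode()).digest(), "big") % Q


def kdf(*parts):
    """KDF instantiated as SHA-256 over the concatenated inputs (assumption)."""
    return hashlib.sha256(b"".join(enc(p) for p in parts)).digest()


def addf(vk, *parts):
    """AdDF instantiated as HMAC-SHA-256 keyed with vk (assumption)."""
    return hmac.new(vk, b"".join(enc(p) for p in parts), hashlib.sha256).digest()


def kgc_setup():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def issue_key(x, ident):
    """Steps 305-325 collapsed for brevity (r stands for r_i1 + r_i2): R = g^r, s = r + x H(R, id)."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    return R, (r + x * H(R, ident)) % Q


def sc_ibs_sign(sk, msg):
    """Stand-in for SC-IBS.Sign: a Schnorr signature under s; the KSD R is part of the signature."""
    R, s = sk
    k = secrets.randbelow(Q - 1) + 1
    T = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(enc(T) + enc(R) + msg).digest(), "big") % Q
    return R, T, (k + s * e) % Q


def sc_ibs_verify(y, ident, sig, msg):
    """Stand-in for SC-IBS.Verify: rebuild g^s = R * y^{H(R, id)} from the KSD and the identity."""
    R, T, z = sig
    e = int.from_bytes(hashlib.sha256(enc(T) + enc(R) + msg).digest(), "big") % Q
    g_s = R * pow(y, H(R, ident), P) % P
    return pow(G, z, P) == T * pow(g_s, e, P) % P


def run_ake(y, id_i, sk_i, id_j, sk_j, ephemeral=False):
    """Steps 405-415 between entity i (105) and entity j (110); returns (SK_i, SK_j) or None."""
    # Entity 105, step 405: N_i is a random nonce (static) or the DH value g^a (ephemeral).
    a = secrets.randbelow(Q - 1) + 1
    N_i = pow(G, a, P) if ephemeral else int.from_bytes(secrets.token_bytes(16), "big")
    c_i = sc_ibs_sign(sk_i, enc(N_i))
    # Entity 110: verify c_i under id_i, then answer with N_j and c_j (step 410).
    if not sc_ibs_verify(y, id_i, c_i, enc(N_i)):
        return None
    b = secrets.randbelow(Q - 1) + 1
    N_j = pow(G, b, P) if ephemeral else int.from_bytes(secrets.token_bytes(16), "big")
    c_j = sc_ibs_sign(sk_j, enc(N_i) + enc(N_j))
    # Entity 105: verify c_j, derive k_ij, Ad_i and SK, then send Ad_i (step 415).
    if not sc_ibs_verify(y, id_j, c_j, enc(N_i) + enc(N_j)):
        return None
    if ephemeral:
        k_ij = pow(N_j, a, P)                                  # g^{ab}
    else:
        g_sj = c_j[0] * pow(y, H(c_j[0], id_j), P) % P         # g^{s_j} from the R_j inside c_j
        k_ij = pow(g_sj, sk_i[1], P)                           # g^{s_j * s_i}
    Ad_i = addf(kdf(k_ij)) if ephemeral else addf(kdf(k_ij), N_j)
    SK_i = kdf(k_ij) if ephemeral else kdf(k_ij, N_i, N_j)
    # Entity 110: derive k_ji the mirror way, compare Ad_j with Ad_i, only then derive SK.
    if ephemeral:
        k_ji = pow(N_i, b, P)
    else:
        g_si = c_i[0] * pow(y, H(c_i[0], id_i), P) % P
        k_ji = pow(g_si, sk_j[1], P)
    Ad_j = addf(kdf(k_ji)) if ephemeral else addf(kdf(k_ji), N_j)
    if not hmac.compare_digest(Ad_i, Ad_j):
        return None
    SK_j = kdf(k_ji) if ephemeral else kdf(k_ji, N_i, N_j)
    return SK_i, SK_j


if __name__ == "__main__":
    x, y = kgc_setup()
    sk_i, sk_j = issue_key(x, "entity-105"), issue_key(x, "entity-110")
    for mode in (False, True):
        out = run_ake(y, "entity-105", sk_i, "entity-110", sk_j, ephemeral=mode)
        print("ephemeral" if mode else "static", "keys agree:", out is not None and out[0] == out[1])
```

Both entities are run in one process only to keep the message flow readable; the three `return None` points mark where a real implementation aborts, exactly at the verification failures the text describes. The comparison of $Ad_i$ and $Ad_j$ uses a constant-time compare, since a plain `==` on authentication tags leaks timing.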

(76) Ephemeral DH-based Authenticated Key Exchange Protocol for Cross-Domain KGCs

(77) In another embodiment of the ephemeral Diffie-Hellman-based authenticated key exchange protocol, the key generation centres of entities 105 and 110 are from different domains (i.e. the two key generation centres have their own respective master secret keys and master public keys). In this embodiment, prior to transmitting the identity of entity 105, id.sub.i, the signed value c.sub.i and the group element g.sup.a to entity 110 at step 405, entity 105 will share the master public key of its key generation centre with entity 110 and, similarly, entity 110 will share the master public key of its key generation centre with entity 105. In addition, entity 105 may negotiate with entity 110 to determine a generator g of an appropriate finite field group that is to be used. Regardless, the master public keys to be adopted by both entities must be known to each other and g must be determined prior to step 405, so that entities 105 and 110 are able to subsequently verify each other's signatures and carry out the ephemeral Diffie-Hellman key exchange. Steps 410-415 then proceed as described above.

(78) Ephemeral DH-based Authenticated Key Exchange Protocol extended to TLS Protocol

(79) In still yet another embodiment of the application, the idea above may be used to extend Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS). In particular, the steps above may be fitted to the TLS protocol between entity 105 and entity 110, based on the use of a self-certified Identity Based Signature scheme. In this embodiment of the application, a self-certified IBS scheme is used in place of the DSS/ECDSA or RSA digital signature schemes in the conventional TLS handshake protocol. In addition, the Server Certificate message and the Client Certificate message in the TLS protocol are set to entity 110's id.sub.j and entity 105's id.sub.i, respectively, while the key specific data (KSDs) of entity 110 and entity 105 are carried as part of the respective entity's signature. All other steps and operations in the TLS protocol follow the TLS specification, with the straightforward changes required by the use of a self-certified Identity Based Signature. In this embodiment of the application, entity 105's private key sk.sub.i and entity 110's private key sk.sub.j may be generated as per any of the above embodiments for generating a private key, as per the key generation process of existing self-certified IBS schemes such as ISO/IEC 29192-4 and IETF RFC, or as per the above embodiment for generating a private key with cross-domain KGCs.

(80) In another embodiment of the ephemeral Diffie-Hellman-based authenticated key exchange protocol, option fields op_f1, op_f2, op_f3, op_f4, op_f5, op_f6 and op_f7 are used. Where applicable, they may comprise identities of entities of the system or any application specific data as determined by the entities themselves.

(81) With reference to FIG. 4, entity 105 initiates the authentication process with entity 110 by first selecting a random value a ∈ Z.sub.q* and by computing a signed group element c.sub.i, whereby the signed group element c.sub.i is defined by c.sub.i=SC-IBS.Sign(sk.sub.i, g.sup.a∥op_f1), where SC-IBS.Sign( ) is a signing function for a Self-Certified Identity Based Signature scheme, sk.sub.i is a private key of entity 105 that was generated using the steps set out in FIG. 3 and g.sup.a is the group element. In other words, the group element g.sup.a (concatenated with option field op_f1) is signed using the function SC-IBS.Sign( ) and private key sk.sub.i.

(82) Entity 105 then proceeds, at step 405, to transmit an option field op_f2, the identity of entity 105, id.sub.i, the value of signed c.sub.i, and the group element g.sup.a, to entity 110.

(83) Upon receiving the transmitted information, entity 110 will then proceed to verify c.sub.i using the corresponding Verification function associated with the Self-Certified Identity Based Signature scheme, SC-IBS.Verify( ), and the identity of entity 105, id.sub.i. This is done by entity 110 applying the verification function to c.sub.i and the identity id.sub.i, thereby producing SC-IBS.Verify(id.sub.i, c.sub.i); if the verification fails, entity 110 will abort the process. Else, upon successfully verifying the signed group element c.sub.i, entity 110 will then proceed to select a random value b, where b ∈ Z.sub.q*, and will proceed to compute c.sub.j=SC-IBS.Sign(sk.sub.j, g.sup.a∥g.sup.b∥op_f3), where sk.sub.j is a private key of entity 110 that was generated using the steps set out in FIG. 3.

(84) Entity 110 then proceeds, at step 410, to transmit an option field op_f4, the value of signed c.sub.j, and the group element g.sup.b to entity 105.

(85) Upon receiving the transmitted information, entity 105 will then proceed to verify c.sub.j using the corresponding Verification function associated with the Self-Certified Identity Based Signature Scheme, SC-IBS.Verify( ), and the identity of entity 110, id.sub.j. This is done by entity 105 applying the verification function to c.sub.j together with the identity id.sub.j, thereby producing SC-IBS.Verify(id.sub.j, c.sub.j); if the verification fails, entity 105 will abort the process. Else, entity 105 will calculate the shared secret k.sub.ij, where k.sub.ij=g.sup.ab, calculate a first key vk.sub.i=KDF(k.sub.ij, op_f5) and calculate first authentication data Ad.sub.i=AdDF(vk.sub.i, op_f6). Once this is done, entity 105 then calculates the common session key SK as SK=KDF(k.sub.ij, op_f7).

(86) Entity 105 then proceeds, at step 415, to transmit the first authentication data Ad.sub.i to entity 110.

(87) Upon receiving the first authentication data Ad.sub.i, entity 110 will calculate the shared secret k.sub.ji, where k.sub.ji=g.sup.ab, calculate a second key vk.sub.j=KDF(k.sub.ji, op_f5) and calculate second authentication data Ad.sub.j=AdDF(vk.sub.j, op_f6). Once this is done, entity 110 then determines whether the second authentication data Ad.sub.j matches the received first authentication data Ad.sub.i. If a match is not found, the process aborts. Alternatively, if a match is found, entity 110 will calculate the common session key SK as SK=KDF(k.sub.ji, op_f7).
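The exchange of paragraphs (71)-(75) and (81)-(87), steps 405 to 415 with key confirmation before SK is derived, as an added Python example that is not part of the patent. It assumes stand-ins for primitives the text does not define here: SC-IBS.Sign/Verify are replaced by an ordinary Schnorr signature with the signer's identity hashed into the challenge (so this verifier needs a per-entity public key, where a real self-certified IBS verifier derives it from mpk and id), KDF and AdDF are HMAC-SHA256 with the option fields as labels, and the group is a constructed toy safe prime; the embodiment without option fields is the same flow with empty labels.

```python
import hashlib, hmac, secrets

# Constructed toy group: p = 2q + 1 and g = 4 has prime order q. Readable only; real use needs >= 2048 bits or an EC group.
P, Q, G = 1019, 509, 4
OPF = {k: k.encode() for k in ("op_f1", "op_f3", "op_f5", "op_f6", "op_f7")}  # constructed option-field contents

def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")           # fixed width keeps g^a || g^b || op_f unambiguous

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1   # a, b and signing nonces are drawn from Z_q^*

def keygen() -> tuple:
    sk = rand_exp()
    return sk, pow(G, sk, P)

def sc_ibs_sign(sk: int, ident: bytes, msg: bytes) -> tuple:
    """Stand-in for SC-IBS.Sign: Schnorr signature with the signer's id hashed into the challenge."""
    k = rand_exp()
    r = pow(G, k, P)
    e = int.from_bytes(hashlib.sha256(enc(r) + ident + msg).digest(), "big") % Q
    return r, (k + e * sk) % Q

def sc_ibs_verify(pk: int, ident: bytes, msg: bytes, sig: tuple) -> bool:
    """Stand-in for SC-IBS.Verify; a real SC-IBS verifier needs only mpk and id, not a separate pk."""
    r, s = sig
    e = int.from_bytes(hashlib.sha256(enc(r) + ident + msg).digest(), "big") % Q
    return pow(G, s, P) == (r * pow(pk, e, P)) % P

def KDF(k: int, op_f: bytes) -> bytes:    # constructed: HMAC-SHA256 keyed with the shared secret
    return hmac.new(enc(k), op_f, hashlib.sha256).digest()

def AdDF(vk: bytes, op_f: bytes) -> bytes:  # constructed: HMAC-SHA256 keyed with vk
    return hmac.new(vk, op_f, hashlib.sha256).digest()

def run_exchange(sk_i, pk_i, id_i, sk_j, pk_j, id_j, op=OPF):
    """Steps 405-415 between entity i (105) and entity j (110); returns (SK_i, SK_j) or raises on abort."""
    a = rand_exp(); ga = pow(G, a, P)                                # entity i: a in Z_q^*, g^a
    c_i = sc_ibs_sign(sk_i, id_i, enc(ga) + op["op_f1"])             # c_i = Sign(sk_i, g^a || op_f1); step 405 sends id_i, c_i, g^a
    if not sc_ibs_verify(pk_i, id_i, enc(ga) + op["op_f1"], c_i):    # entity j: Verify(id_i, c_i)
        raise ValueError("c_i failed SC-IBS verification; entity j aborts")
    b = rand_exp(); gb = pow(G, b, P)                                # entity j: b in Z_q^*, g^b
    m_j = enc(ga) + enc(gb) + op["op_f3"]
    c_j = sc_ibs_sign(sk_j, id_j, m_j)                               # c_j = Sign(sk_j, g^a || g^b || op_f3); step 410 sends c_j, g^b
    if not sc_ibs_verify(pk_j, id_j, m_j, c_j):                      # entity i: Verify(id_j, c_j)
        raise ValueError("c_j failed SC-IBS verification; entity i aborts")
    k_ij = pow(gb, a, P)                                             # entity i: k_ij = g^(ab)
    Ad_i = AdDF(KDF(k_ij, op["op_f5"]), op["op_f6"])                 # vk_i = KDF(k_ij, op_f5); step 415 sends Ad_i
    SK_i = KDF(k_ij, op["op_f7"])
    k_ji = pow(ga, b, P)                                             # entity j: k_ji = g^(ab)
    Ad_j = AdDF(KDF(k_ji, op["op_f5"]), op["op_f6"])                 # entity j compares Ad_j with received Ad_i
    if not hmac.compare_digest(Ad_i, Ad_j):
        raise ValueError("authentication data mismatch; entity j aborts")
    return SK_i, KDF(k_ji, op["op_f7"])                              # both sides now hold SK
```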

(88) In accordance with an embodiment of the application, a method for generating a private key sk for a device participating in a self-certified identity based signature system comprises the following three steps: Step 1, computing, by a secure server, parameters for the device based on a second random number r.sub.i2 generated by the secure server, a first set of components received from the device, a master secret key x and parameters associated with a master public key mpk, wherein the first set of components comprises a first random number r.sub.i1 generated by the device; Step 2, transmitting, by the secure server, the computed parameters to the device; and Step 3, computing, by the device, the private key sk based on the received computed parameters and the random number r.sub.i1.

(89) In order to provide such a system or method, a process is needed for generating secret private keys for entities of the system, and for authenticating an entity of an entity-pair before a common session key is generated for encoding or signing digital messages between the entity-pair. The following description and FIGS. 3-5 describe embodiments of processes in accordance with this application.

(90) FIG. 5 illustrates process 500 that is performed by a secure server configured as a Key Generation Centre, a first entity “i” and a second entity “j” for generating secret private keys for entities of the system, and for authenticating an entity of an entity-pair before a common session key is generated for encoding or signing digital messages between the entity-pair. Process 500 begins at step 505 with the secure server generating a master secret key “x” and a master public key “y”. When first entity, i, registers itself with the secure server, the secure server will carry out the steps as illustrated in FIG. 3 and as described in the description above to generate a private key, sk.sub.i, for the first entity using the first entity's identity, id.sub.i. All this takes place at step 510.

(91) At step 515, when the next entity, that is when second entity, j, registers itself with the secure server, the secure server will carry out the steps as illustrated in FIG. 3 and as described in the description above to generate a private key, sk.sub.j, for the second entity using the second entity's identity, id.sub.j.

(92) At step 520, the first and second entities then verify the information sent between them using signing functions and corresponding verification functions associated with self-certified identity based signature schemes.

(93) Once both entities are verified, a secret is then shared between entities at step 523. The shared secret is then utilized to generate a common session key for the entities. The generated common session key may then be used to sign or encode any digital messages that are exchanged between the first and second entities. Process 500 then ends.

(94) The above is a description of embodiments of a system and process in accordance with the present application. It is envisioned that others may and will design alternatives that fall within the scope of the present application.