A k-th order Carmichael key scheme for shared encryption

  • Authors:
  • Selwyn Russell

  • Affiliations:
  • -

  • Venue:
  • ACM SIGSAC Review
  • Year:
  • 1997

Abstract

A generalization of a digital multisignature key scheme published by Desmedt and Frankel is presented, with increased protection from line monitors and with a high degree of privacy of message contents.

The Desmedt/Frankel paper at Crypto'91 [1] presented the following shared encryption Carmichael scheme:

  • An RSA cryptosystem with modulus $n$ and private key $K_{Priv}$.
  • Separate individual keys $K_{Priv_i}$ are generated by some unspecified process with the sole requirement that $\sum_i K_{Priv_i} \equiv (K_{Priv} - 1) \bmod \lambda(n)$, where $\lambda(\cdot)$ is the Carmichael function.
  • Individual signatures ("partial results") of a message $m$ are calculated as $s_i \equiv m^{K_{Priv_i}} \bmod n$.
  • A "Combiner" produces the final signature $S$ from the partial results and the plain text message as $S \equiv m \prod_i s_i \bmod n$. The combiner is specified as "not necessarily trusted".

Desmedt/Frankel specify that the message $m$ is being signed, not a message digest value derived from the message. The limitation is apparently imposed to meet the requirement that it must be impossible for the combiner to substitute a different message for a given set of partial results. This requirement is met if the plain text message rather than a message digest is used in the calculations. This requirement is practical only when the length of the message is less than the length of the RSA modulus. Many users would probably prefer to use the message digest rather than the message as the basis for the signature, for example as specified in the RSA Public Key Cryptographic Standards (PKCS) [2] and Internet Privacy Enhanced Mail [4]. Using the PKCS minimum modulus size of 328 bits and PKCS padding of a minimum of 11 octets limits the message size to 30 bytes.

A wire tapper who intercepts the partial results sent to the Combiner will not be able to forge a signature without knowing the original message. The power of this feature depends entirely on the secrecy applied to the message inside the enterprise. If the wire tapper is able to intercept the partial values sent to the Combiner, the wire tapper will presumably be able to intercept the original message sent to the Combiner. The wire tapper will then have sufficient information to produce a signature. Forgery is more likely in the more practical case where a message digest is signed rather than a short message. If a message digest were used, it is possible (but computationally difficult) to substitute a different message which has the same message digest as the original [3], and therefore obtain a verifiable signature for a fraudulent message. For the Desmedt/Frankel system to be secure, the message must be limited to those with high security clearances.

Most enterprises limit access to sensitive plain text information on a "need to know" basis. The Combiner in the Desmedt/Frankel scheme does not need to know the contents of the plain text messages to combine the partial values. Moreover, the ("not necessarily trusted") Combiner is not provided with any confidential exponent, but certainly does have access to the plain text message. Thus, the combiner may be considered as not sufficiently trustworthy to be provided with an exponent, but nevertheless does have access to the plain text document. Management may regard this as a security anomaly and wish the document to be unreadable by the Combiner. To meet this requirement, we extend the Desmedt/Frankel key scheme into what we can name a k-th order Carmichael key scheme for RSA:

  • An RSA cryptosystem with modulus $n$ and private key $K_{Priv}$.
  • Individual keys $K_{Priv_i}$ are generated by some unspecified process with the sole specification that $\sum_i K_{Priv_i} \equiv (K_{Priv} - k) \bmod \lambda(n)$, where $\lambda(\cdot)$ is the Carmichael function.
  • Individual signatures of a message $m$ are calculated as $s_i \equiv m^{K_{Priv_i}} \bmod n$.
  • The combiner produces the final signature $S$ as $S \equiv m^k \prod_i s_i \bmod n$.

Now the combiner is provided with $m^k \bmod n$ rather than $m$, and the confidentiality of the document is preserved. Using this terminology, the Desmedt/Frankel scheme is classified as a first order Carmichael key scheme.
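
The k-th order scheme described above, carried through with small numbers in Python as an added example (not code from the paper). The primes, public exponent, sample message, random share generation and all function names are assumptions made for illustration; the abstract leaves share generation unspecified.

```python
# Added illustration (not from the paper): toy k-th order Carmichael key scheme.
# Parameters are constructed and far too small for real use; no padding is applied.
import math
import secrets

def carmichael(p, q):
    """lambda(n) for n = p*q with distinct primes p, q."""
    return (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)

def split_key(d, k, lam, parties):
    """Random shares d_i with sum(d_i) = d - k (mod lambda(n))."""
    shares = [secrets.randbelow(lam) for _ in range(parties - 1)]
    shares.append((d - k - sum(shares)) % lam)
    return shares

def partial_result(m, share, n):
    """s_i = m^(d_i) mod n, computed by a key holder who sees m."""
    return pow(m, share, n)

def combine(m_k, partials, n):
    """Combiner: S = m^k * prod(s_i) mod n, given only m^k mod n."""
    s = m_k % n
    for s_i in partials:
        s = (s * s_i) % n
    return s

def run_scheme(m, k, parties=4, p=1009, q=1013, e=65537):
    """Run one signing round; returns (S, m^k mod n, n, e, d)."""
    n, lam = p * q, carmichael(p, q)
    d = pow(e, -1, lam)                      # full private exponent K_Priv
    shares = split_key(d, k, lam, parties)
    partials = [partial_result(m, d_i, n) for d_i in shares]
    m_k = pow(m, k, n)                       # what the combiner receives
    return combine(m_k, partials, n), m_k, n, e, d

if __name__ == "__main__":
    m = 424242                               # constructed sample message, m < n
    for k in (1, 3):                         # k = 1 is the Desmedt/Frankel case
        S, m_k, n, e, d = run_scheme(m, k)
        # columns: k, S equals m^d, S verifies under e, combiner input equals m
        print(k, S == pow(m, d, n), pow(S, e, n) == m, m_k == m)
```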