Sakai–Kasahara scheme

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003.{{cite journal|last1=Sakai|first1=Ryuichi|last2=Kasahara|first2=Masao|title=ID Based cryptosystems with pairing on elliptic curve|journal=Cryptography ePrint Archive|year=2003|volume=2003/054|url=https://eprint.iacr.org/2003/054.pdf}} Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng.{{cite journal|last1=Chen|first1=L.|last2=Cheng|first2=Z.|title=Security proof of Sakai-Kasahara's identity-based encryption scheme|journal=Cryptography ePrint Archive|volume=2005/226|url=http://eprint.iacr.org/2005/226.pdf}} SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.{{cite IETF|last=Groves|first=M.|title = Sakai-Kasahara Key Encryption (SAKKE) | rfc = 6508 |date=February 2012 | publisher = IETF}}

As a specific method for identity-based encryption, the primary use case is to allow anyone to encrypt a message to a user when the sender only knows the public identity (e.g. email address) of the user. In this way, this scheme removes the requirement for users to share public certificates for the purpose of encryption.

Description of scheme

The Sakai–Kasahara scheme allows the encryption of a message $\mathbb{M}$ to an receiver with a specific identity, $\textstyle I_U$ . Only the entity with the private key, $\textstyle K_U$ , associated to the identity, $\textstyle I_U$ , will be capable of decrypting the message.

As part of the scheme, both the sender and receiver must trust a Private Key Generator (PKG), also known as a Key Management Server (KMS). The purpose of the PKG is to create the receiver's private key, $\textstyle K_U$ , associated to the receiver's identity, $\textstyle I_U$ . The PKG must securely deliver the identity-specific private key to the receiver, and PKG-specific public parameter, $\textstyle Z$ , to all parties. These distribution processes are not considered as part of the definition of this cryptographic scheme.

=Preliminaries=

The scheme uses two multiplicative groups $\textstyle E$ and $\textstyle G$ . It is assumed:

The Diffie-Hellman problem is hard in $\textstyle E$ . Meaning that given two members of the group $\textstyle P$ and $\textstyle Q$ , it is hard to find $\textstyle x$ such that $\textstyle [x].P = Q$ .
The Diffie-Hellman problem is hard in $\textstyle G$ . Meaning that given two members of the group $g$ and $t$ , it is hard to find $\textstyle x$ such that $\textstyle g^x = t$ .
There is a bilinear map, a Tate-Lichtenbaum pairing, $\textstyle e(,)$ from E to G. This means that for $\textstyle P$ a member of $\textstyle E$ :

:::: $\textstyle e(P,[x].P) = e([x].P,P) = e(P,P)^x$

Frequently, $\textstyle E$ is a supersingular elliptic curve, such as $\textstyle E: y^2 = x^3 - 3x$ (over a finite field of prime order $\textstyle p$ ). A generator $\textstyle P$ of prime order $\textstyle q$ is chosen in $\textstyle E$ . The group $\textstyle G$ is the image due to the pairing of the group generated by $\textstyle P$ (in the extension field of degree 2 of the finite field of order p).

Two hash functions are also required, $\textstyle H_1$ and $\textstyle H_2$ . $\textstyle H_1$ outputs a positive integer, $\textstyle x$ , such that $\textstyle 1 . \textstyle H_2 outputs \textstyle n bits, where \textstyle n is the length of the message \mathbb{M} .$

=Key generation=

The PKG has a master secret $\textstyle z$ where $1, and a public key \textstyle Z=[z].P which is a point on \textstyle E . The PKG generates the private key, \textstyle K_U, for the user with identity \textstyle ID_U as follows:$

:::: $\textstyle K_U = [\frac{1}{z + H_1(ID_U)}].P$

=Encryption=

To encrypt a non-repeating message $\mathbb{M}$ , the sender requires receiver's identity, $\textstyle ID_U$ and the public PGK value $\textstyle Z$ . The sender performs the following operation.

Create: $\textstyle id = H_1(ID_U)$
The sender generates $\textstyle r$ using $\textstyle r = H_1(\mathbb{M} || id)$
Generate the point $\textstyle R$ in $\textstyle E$ :
:::: $\textstyle R = [r].([id].P + Z)$
Create the masked message:
:::: $\textstyle S = \mathbb{M} \oplus H_2(g^r)$
The encrypted output is: $\textstyle (R,S)$

Note that messages may not repeat, as a repeated message to the same identity results in a repeated ciphertext. There is an extension to the protocol should messages potentially repeat.

=Decryption=

To decrypt a message encrypted to $\textstyle ID_U$ , the receiver requires the private key, $\textstyle K_U$ from the PKG and the public value $\textstyle Z$ . The decryption procedure is as follows:

Compute $\textstyle id = H_1(ID_U)$
Receive the encrypted message: $\textstyle (R,S)$ .
Compute:
:::: $\textstyle w = e(R,K_U)$
Extract the message:
:::: $\textstyle \mathbb{M} = S \oplus H_2(w)$
To verify the message, compute $\textstyle r = H_1(\mathbb{M}||id)$ , and only accept the message if:
:::: $\textstyle [r].([id].P + Z) \equiv R$

=Demonstration of algorithmic correctness=

The following equations demonstrate the correctness of the algorithm:

: $\textstyle w = e(R,K_U) = e([r].([id].P + Z),K_U) = e([r].([id].P + [z].P),K_U) = e([r(id+z)].P,K_U)$

By the bilinear property of the map:

: $\textstyle w = e([r(id+z)].P,K_U)= e([r(id+z)].P,[\frac{1}{(id+z)}].P) = e(P,P)^{\frac{r(id+z)}{(id+z)}} = g^r$

As a result:

: $\textstyle S \oplus H_2(w) = (\mathbb{M} \oplus H_2(g^r)) \oplus H_2(w) = \mathbb{M}$

Standardisation

There are four standards relating to this protocol:

Initial standardisation of scheme was begun by IEEE in 2006.{{cite web|last=Barbosa|first=M.|display-authors=etal|title=SK-KEM: An Identity-Based KEM [IEEE P1363.3 submission]|date=January 2006| url=https://www.researchgate.net/publication/253371235}}
The scheme was standardised by the IETF in 2012 within RFC 6508.
A key-exchange algorithm based on the scheme is the MIKEY-SAKKE protocol developed by the UK's national intelligence and security agency, GCHQ, and defined in RFC 6509.
Sakai-Kasahara, as specified in MIKEY-SAKKE, is the core key-exchange algorithm of the Secure Chorus encrypted Voice over IP standard.{{cite web |url=https://www.securechorus.org/common-technology-standards/ |title=Common Technology Standards |author= |date=2019 |publisher=Secure Chorus |access-date=4 February 2020 |archive-url=https://web.archive.org/web/20200204180436/https://www.securechorus.org/common-technology-standards/ |archive-date=2020-02-04}}

Security

In common with other identity-based encryption schemes, Sakai-Kasahara requires that the Key Management Server (KMS) stores a master secret from which all users' private keys can be generated. Steven Murdoch has criticised MIKEY-SAKKE for creating a security vulnerability through allowing the KMS to decrypt every users' communication.{{cite journal |last1=Murdoch |first1=Steven J. |author-link1=Steven Murdoch |date=March 2016 |title=Insecure by Design: Protocols for Encrypted Phone Calls |journal=Computer |publisher=IEEE |volume=49 |issue=3 |pages=25–33 |doi=10.1109/MC.2016.70 |s2cid=10072519 |url=https://discovery.ucl.ac.uk/id/eprint/1476827/ }}{{cite news |last=Murgia |first=Madhumita |date=22 January 2016 |title=GCHQ-developed software for secure phone calls open to 'eavesdropping' |url=https://www.telegraph.co.uk/technology/2016/01/26/gchq-developed-software-for-secure-phone-calls-open-to-eavesdrop/ |url-status=live |work=The Telegraph |archive-url=https://web.archive.org/web/20190709035853/https://www.telegraph.co.uk/technology/2016/01/26/gchq-developed-software-for-secure-phone-calls-open-to-eavesdrop/ |archive-date=2019-07-09 |access-date=2020-02-04}}{{cite news |last=Baraniuk |first=Chris |date=23 January 2016 |title=GCHQ-developed phone security 'open to surveillance' |url=https://www.bbc.com/news/technology-35372545 |work=BBC News |access-date=2020-02-04 }} Murdoch also noted that the lack of forward secrecy in MIKEY-SAKKE increases the harm that could result from the master secret being compromised. GCHQ, the creator of MIKEY-SAKKE, disputed this analysis, pointing out that the some organisations may consider such monitoring capabilities to be desirable for investigative or regulatory reasons,{{cite web |url=https://www.ncsc.gov.uk/information/the-development-of-mikey-sakke |title=The development of MIKEY-SAKKE |last=Levy |first=Ian |date=26 January 2016 |publisher=GCHQ |access-date=2020-02-04}} and that the KMS should be protected by an air-gap.{{cite web |url=https://www.ncsc.gov.uk/guidance/mikey-sakke-frequently-asked-questions |title=MIKEY-SAKKE frequently asked questions |author= |date=7 August 2016 |publisher=GCHQ |access-date=2020-02-04}}