Discrete Logarithm and Integer Factorization Using ID-based Encryption

Shamir proposed the concept of ID-based encryption (IBE) in [1]. Instead of generating and publishing a public key for each user, an ID-based scheme lets each user use his name or network address as his public key. This is advantageous for public-key cryptosystems because public-key verification becomes easy and direct, and no large public-key file is required. Because new cryptographic schemes always face security challenges, and because many cryptographic systems based on integer factorization and the discrete logarithm have already been deployed, the purpose of this paper is to design a transformation process that turns existing discrete logarithm and integer factorization based cryptosystems into ID-based systems rather than inventing a new system. We consider security against a conspiracy of some entities in the proposed system and show the possibility of establishing a more secure system.


Introduction
In 1984, Shamir [1] introduced the concept of identity-based cryptography. In this system, each user needs to visit a key authentication center (KAC) and identify himself before joining the network. Once a user's identity is accepted, the KAC provides him with a secret key. In this way, a user needs only the "identity" of his communication partner and the public key of the KAC, together with his own secret key, to communicate with others. No public file is required in this system. However, Shamir did not succeed in constructing an ID-based cryptosystem, only an ID-based signature scheme. Since then, much research has been devoted, especially in Japan, to various kinds of ID-based cryptographic schemes. Okamoto et al. [2] proposed an identity-based key distribution system in 1988, and later Ohta [3] extended their scheme to user identification. These schemes use the RSA public key cryptosystem [4] for operations modulo N, where N is a product of two large primes, and their security is based on the computational difficulty of factoring the large composite number N. Tsujii and Itoh [5] have also proposed an ID-based cryptosystem based on the discrete logarithm problem with a single discrete exponent, which uses the ElGamal public key cryptosystem.
In 1991, Maurer and Yacobi [6] developed a non-interactive ID-based public-key distribution system. In their scheme, the public keys are self-authenticated and require no further authentication by certificates. However, some problems with this scheme were found; the scheme was modified and the final version was presented in [7]. In 1998, Tseng and Jan [8] improved the scheme proposed by Maurer and Yacobi and provided a non-interactive ID-based public-key distribution system with multiple objectives, such as an ID-based signature scheme, an identification scheme, and a conference key distribution system. In their scheme, the computational complexity of the system is heavy, so a powerful computational capability is necessary. Harn [9] proposed a public key cryptosystem design whose security is based on both factoring and the discrete logarithm. In 2001, Boneh et al. [10] used a variant of the integer factorization problem to construct an ID-based encryption scheme. However, the scheme is inefficient in that a plaintext message is encrypted bit by bit, and hence the output ciphertext becomes long. The authors of [11] designed a transformation process that transfers all discrete logarithm based cryptosystems into ID-based systems rather than reinventing a new system. After 2004, several ID-based cryptosystems [12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27] have been proposed. But in these schemes, the public key of each entity is not only an identity, but also some random number selected either by the entity or by the trusted authority. In 2009, Bellare et al. [28] provided security proofs or attacks for a large number of ID-based identification and signature schemes. Underlying these is a framework that on the one hand helps explain how these schemes are derived and on the other hand enables modular security analyses, thereby helping to understand, simplify, and unify previous work.
Our work is based on the observation that new cryptographic schemes always face security challenges and confidentiality concerns, while many cryptographic systems based on integer factorization and the discrete logarithm have already been deployed. The major contribution of our scheme is the key generation phase, which is just a simple transformation process with low computational complexity. No modification of the original design of the discrete logarithm and integer factorization based cryptosystems is necessary. Therefore, the new scheme has the same security as the original one and retains all of the advantages of the ID-based system.

Bulletin of EEI
As outlined above, we unfortunately found that the existing IBE schemes based on the discrete logarithm and integer factorization cannot be regarded as secure. Therefore, we design an IBE for the discrete logarithm with distinct discrete exponents and integer factorization (the basic idea of the proposed system comes from the public key cryptosystem based on the discrete logarithm and integer factorization). In our system an attacker faces the problem of solving integer factorization and distinct discrete logarithms simultaneously in the multiplicative group of a finite field, whereas in other public key cryptosystems the difficulty is solving integer factoring and the discrete logarithm simultaneously in a common group. Here we describe further considerations such as the security of the system, the identification of senders, etc. Our scheme does not require any interactive preliminary communication in each message transmission, nor any assumption except the intractability of the discrete logarithm and integer factorization (this assumption seems to be quite reasonable). Thus the proposed scheme is a concrete example of an ID-based cryptosystem which satisfies Shamir's original concept [1] in a strict sense.
The remainder of this paper is organized as follows. Section 2 presents the proposed PKC based on the discrete logarithm and integer factorization. Section 3 explains the consistency of the algorithm. Section 4 describes the implementation of the IBE. Section 5 describes the protocol of the proposed IBE. Section 6 discusses the security analysis of the IBE. Section 7 discusses the enhancement of security and the processing cost. The conclusion is given in the final Section 8.

PKC based on DL and IF
In this section, we introduce some notation and parameters, which will be used throughout this paper: Two large prime numbers and are safe primes and set ; one may use the method in [29] to generate strong random primes. A function 1 1 is the Euler phi function and an integer is a primitive element in * with order such that ≡ 1 . The algorithm consists of three subalgorithms: key generation, encryption and decryption.

Key generation:
The key generation algorithm runs as follows (entity 1 should do the following):
1. Pick a random integer from * such that , 1.
2. Select a random integer and compute .
3. Use the extended Euclidean algorithm to compute the unique integer , 1 such that ≡ 1 .
The public key is formed by , , and the corresponding private key is given by , .
Encryption: An entity 2 wishing to encrypt a message to entity 1 should do the following:
1. Obtain the public key , , .

Preparation for the center and each entity
Step 1. Each entity generates a k-dimensional binary vector for his ID. We denote entity 's ID by ID as follows: Each entity registers his ID with the center, and the center stores it in a public file.
Step 2. The center generates two random prime numbers and and computes . Then the center chooses an arbitrary random number , 1 such that gcd , 1, where 1 1 is the Euler function of ; the center then publishes , as the public key. Any entity can compute entity i's extended ID, EID , as follows: , , , , … … … . , , ∈ 0,1 , 1 where | | is the number of bits of .
Step 3. Center's secret information: The center chooses an arbitrary large prime and computes , and also generates an n-dimensional vector over * which satisfies , , , … … , where and are n-dimensional binary vectors, and stores it as the center's secret information.
The condition of equation (5) is necessary to avoid the accidental coincidence of some entities' secret keys. A simple way to generate the vector is to use the Merkle and Hellman scheme [30]. The center chooses a super-increasing sequence corresponding to as 1 satisfying ∑
Step 4. The center also chooses such that gcd , 1, and computes the n-dimensional vector as follows
Step 5. The center also chooses a unique integer , 1 such that ≡ 1 (9)
Step 6. Center's public information: The center chooses an arbitrary generator of * and computes an n-dimensional vector using the generator corresponding to the vector .
The center informs each entity of , , , as public information.
Step 7. Each entity's secret key: Entity 's secret key is computed as the inner product of (the center's secret information) and EID (entity 's extended ID, see Eq. 3).

Protocol of the proposed IBE
Without loss of generality, we suppose that entity 2 sends message to entity 1.

Encryption
Entity 2 generates EID (entity 1's extended ID, see Eq. 3) from ID . It then computes from the corresponding public information and EID : ∑ (13) Entity 2 will use in our proposed scheme. Let 1 be a message to be transmitted. Entity 2 selects a random integer and computes the ciphertext as follows. The ciphertext is given by ,

Decryption
To recover the plaintext from the ciphertext, entity 1 does the following: computes ≡ (16). Using his secret key , he recovers entity 2's message M by Eqs. (13) and (16), computing ≡ ≡ ≡ ≡
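The following is an added worked example, not code from the paper, that walks through Section 2's RSA-style key generation (e and d = e^{-1} mod φ(N)), the center's preparation Steps 2 to 7 above, and the encryption and decryption protocol. Because the equations did not survive extraction, the arithmetic is an assumed reconstruction of the steps as described: EID_i = ID_i^e mod N written as an |N|-bit 0/1 vector (Eq. 3), a Merkle-Hellman super-increasing sequence b scaled by a multiplier w coprime to φ(N) as the secret vector a (Steps 3 and 4), the published vector h_j = g^{a_j} mod N (Step 6), the entity secret s_i = <a, EID_i> mod φ(N) (Step 7), γ = ∏ h_j^{EID_j} = g^{s_i} (Eq. 13), and ElGamal-style encryption C1 = g^r, C2 = M·γ^r mod N. The extra large prime of Step 3, whose role was lost in extraction, is omitted; the toy safe primes, IDs and message are constructed for readability only.

```python
# Added illustrative reconstruction of the ID-based scheme (assumed formulas,
# see lead-in). Toy parameters: real deployments need 1024-bit or larger moduli.
from math import gcd
import random

# Constructed toy safe primes: p = 2*509 + 1, q = 2*593 + 1 (both 509 and 593 prime).
P, Q = 1019, 1187
N = P * Q                    # published modulus (Step 2)
PHI = (P - 1) * (Q - 1)      # Euler function of N, known only to the center
n = N.bit_length()           # dimension of the extended IDs: |N| bits (Eq. 3)


def setup_center(seed=1):
    """Steps 2-6: center key material. Returns (public, secret) dicts."""
    rng = random.Random(seed)
    # Step 2: RSA-style public exponent e with gcd(e, phi(N)) = 1
    e = 65537
    assert gcd(e, PHI) == 1
    # Step 3: Merkle-Hellman super-increasing sequence b: each b_j exceeds the
    # sum of all previous terms, so distinct 0/1 vectors give distinct sums
    b, total = [], 0
    for _ in range(n):
        b_j = total + rng.randrange(1, 8)
        b.append(b_j)
        total += b_j
    # Step 4: multiplier w coprime to phi(N); a = w*b mod phi(N) hides b
    while True:
        w = rng.randrange(2, PHI)
        if gcd(w, PHI) == 1:
            break
    a = [(w * b_j) % PHI for b_j in b]
    # Step 5: d = e^{-1} mod phi(N) (Section 2 key generation, step 3)
    d = pow(e, -1, PHI)
    # Step 6: Z_N^* is not cyclic for composite N, so the paper's "generator"
    # is taken here as any element g coprime to N; publish h_j = g^{a_j} mod N
    while True:
        g = rng.randrange(2, N)
        if gcd(g, N) == 1:
            break
    h = [pow(g, a_j, N) for a_j in a]
    return {"N": N, "e": e, "g": g, "h": h}, {"a": a, "b": b, "w": w, "d": d}


def extended_id(public, ident):
    """Eq. 3 (assumed form): EID = ID^e mod N as an n-bit 0/1 vector."""
    id_int = int.from_bytes(ident.encode(), "big") % public["N"]
    x = pow(id_int, public["e"], public["N"])
    return [(x >> j) & 1 for j in range(n)]


def entity_secret_key(secret, eid):
    """Step 7: s_i = <a, EID_i> mod phi(N), handed to the entity by the center."""
    return sum(a_j * t for a_j, t in zip(secret["a"], eid)) % PHI


def check_distinct_secrets(secret, eids):
    """Condition (5): no two registered entities may share a secret key."""
    keys = [entity_secret_key(secret, eid) for eid in eids]
    return len(set(keys)) == len(keys)


def encryption_key(public, eid):
    """Eq. 13 (assumed form): gamma = prod_j h_j^{EID_j} mod N = g^{s_i} mod N."""
    gamma = 1
    for h_j, t in zip(public["h"], eid):
        if t:
            gamma = (gamma * h_j) % public["N"]
    return gamma


def encrypt(public, eid, m, seed=None):
    """Sender (entity 2): ElGamal-style C1 = g^r, C2 = M * gamma^r mod N."""
    N_ = public["N"]
    r = random.Random(seed).randrange(2, N_)
    gamma = encryption_key(public, eid)
    return pow(public["g"], r, N_), (m * pow(gamma, r, N_)) % N_


def decrypt(public, s, ct):
    """Receiver (entity 1): M = C2 * (C1^s)^{-1} mod N with its secret s."""
    N_ = public["N"]
    c1, c2 = ct
    return (c2 * pow(pow(c1, s, N_), -1, N_)) % N_


if __name__ == "__main__":
    pub, sec = setup_center()
    eid1 = extended_id(pub, "entity1@example.org")   # constructed IDs
    eid2 = extended_id(pub, "entity2@example.org")
    assert check_distinct_secrets(sec, [eid1, eid2])
    s1 = entity_secret_key(sec, eid1)
    ct = encrypt(pub, eid1, 424242)
    print(decrypt(pub, s1, ct))                       # 424242
```

Decryption works for any g coprime to N because g^{φ(N)} ≡ 1 (mod N), so reducing the inner product modulo φ(N) in Step 7 does not change γ; the consistency argument of Section 3 is exactly this identity. Note that with n = |N| the sum of a super-increasing sequence always exceeds φ(N), so condition (5) is enforced by the explicit check rather than guaranteed by construction.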

Security Analysis and Discussion
In this section, we show six possible attacks by which an attacker may try to break the new encryption scheme. For each attack, we define the attack and give the reason why it fails.
The security of the ID-based cryptosystem is based on the index problem in the multiplicative cyclic group * , where (the factorization of N is known only to the center) and is the Euler function of . For this system Coppersmith showed an attacking method [31] such that a conspiracy of 1 entities can derive the center's secret information.
Attack 1 [31]: The 1 entities , 1 1 can derive an n-dimensional vector a' over * which is equivalent (not necessarily identical) to the center's original secret information.
Proof: When the 1 entities , 1 1 conspire, they have the following system of linear congruences: Since each EID is an n-dimensional binary vector, there exists an 1 -dimensional vector over the integer ring such that 0 (18) and then (20). If 0, the 1 entities have an integer multiple of , and they can find the factorization of . Then a method similar to attack 1 is applicable. Hence, the center's secret information can be derived by a conspiracy of 1 entities. Furthermore, Shamir developed a more general attacking method [32] for the modified system such that a conspiracy of 2 entities can derive the center's secret information with high probability.

Assuming that the matrix includes n linearly independent column vectors over the integer ring, there exist some positive integers 1 1 such that Thus, Eq. (23) can be rewritten as follows: From the assumption that the matrix in Eq. (22) includes n linearly independent column vectors over the integer ring, it follows that the matrix ′ is nonsingular over the integer ring (i.e., det ′ 0) with overwhelming probability, and thus we have ′ . On the other hand, we have the following system of linear congruences: If the matrix is nonsingular over * , then , which contradicts the above results. Thus the matrix is singular over * , and we have det 0 with high probability. Hence, det ′ is divisible by with high probability. Furthermore, consider the case where the other 1 entities among the 2 conspire, and define the matrix in a way similar to the above. Then det is divisible by with high probability. Hence, GCD(det , det ) gives , where e is a small positive integer. By the above procedure, can be evaluated efficiently. The additional procedure to find the center's secret information is exactly the same as in attack 1.

Attack 3:
An attacker wishes to obtain all secret keys using all information available from the system. In this case, the attacker needs to solve the integer factorization problem and the discrete logarithm problem simultaneously. The best way to factorize is the number field sieve (NFS) [33], but this method depends only on the size of the modulus . It is computationally infeasible to factor a 1024-bit integer, and to increase the security of our scheme we should select strong primes [4] to avoid attacks using special-purpose factorization algorithms. To maintain the same security level for the discrete logarithm problem with double without knowing ; however, trying to obtain from is equivalent to computing the discrete logarithm.

Enhancement of Security and Processing Cost
The center's secret information for the original system in Section 4 is derived by a conspiracy of n entities. In this subsection, we consider a practical countermeasure for enhancing the security of the system. (For simplicity, assume that n = 512 throughout this subsection.) The center partitions a 512-dimensional binary vector B into 256 segments of two bits each, such as from EID and the published table. Entity 2 uses γ′ as γ in the original system (in Section 4) to encrypt the message .

Decryption
This is exactly the same as in the original system in Section 4. In the original system in Section 4, the center's secret information is derived by a conspiracy of 512 entities, while in the above system it is derived by a conspiracy of 1024 (= 4 x 256) entities. Furthermore, the running cost for encryption-key generation in the above system is about half that of the original system. However, the center's public information in the above system is about twice that of the original system. Further generalizations, e.g., partitioning each EID into 128 segments of four bits each, are possible.
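An added example (not from the paper) of the segment-table countermeasure described in this section, generalized to any segment width. The center publishes, for each segment of the EID, one entry per bit pattern; the entry is assumed to be the product of the corresponding published h_j values, i.e., g raised to the partial inner product over that segment, so the sender's γ′ equals the original γ of Eq. (13). The sender multiplies one entry per segment, and cost_profile reproduces the counts given in the text for n = 512 (1024 = 4 × 256 published entries versus 512, about half the multiplications). The toy modulus, base and exponent vector in demo are constructed.

```python
# Added example: segment-table construction for the Section 7 countermeasure
# (assumed form: one published entry per segment and bit pattern).
from itertools import product
import random


def segment_table(h, seg_bits, N):
    """Center: per segment, the product of h_j over every bit pattern.

    table[j][pattern] = prod_{k: pattern_k = 1} h[j*seg_bits + k] mod N,
    which equals g^(partial inner product of a with that pattern).
    """
    assert len(h) % seg_bits == 0
    table = []
    for j in range(0, len(h), seg_bits):
        entries = {}
        for pattern in product((0, 1), repeat=seg_bits):
            val = 1
            for bit, h_k in zip(pattern, h[j:j + seg_bits]):
                if bit:
                    val = (val * h_k) % N
            entries[pattern] = val
        table.append(entries)
    return table


def encryption_key_from_table(table, eid, seg_bits, N):
    """Sender: gamma' = product over segments of one looked-up entry each."""
    gamma = 1
    for j, entries in enumerate(table):
        pattern = tuple(eid[j * seg_bits:(j + 1) * seg_bits])
        gamma = (gamma * entries[pattern]) % N
    return gamma


def encryption_key_direct(h, eid, N):
    """Original Eq. 13 form for comparison: product of h_j where EID_j = 1."""
    gamma = 1
    for h_j, t in zip(h, eid):
        if t:
            gamma = (gamma * h_j) % N
    return gamma


def cost_profile(n, seg_bits):
    """Published-data size and sender cost for an n-bit EID split into
    segments of seg_bits bits, counting all 2^seg_bits patterns per segment
    as the paper does (4 x 256 = 1024 for n = 512, two-bit segments)."""
    segments = n // seg_bits
    return {
        "table_entries": segments * 2 ** seg_bits,  # center's public info
        "sender_mults": segments - 1,               # one entry per segment
        "original_public": n,                       # the plain h vector
        "original_mults_max": n - 1,                # all EID bits set
    }


def demo(seed=3):
    """Toy check with constructed N = 61*53, g = 2 and a random 8-entry a:
    returns (gamma' via table, gamma direct, g^<a,EID> mod N), all equal."""
    rng = random.Random(seed)
    N, phi, g = 3233, 3120, 2
    a = [rng.randrange(1, phi) for _ in range(8)]
    h = [pow(g, a_j, N) for a_j in a]
    eid = [1, 0, 1, 1, 0, 0, 1, 0]        # constructed 8-bit extended ID
    table = segment_table(h, 2, N)
    via_table = encryption_key_from_table(table, eid, 2, N)
    direct = encryption_key_direct(h, eid, N)
    expected = pow(g, sum(x * t for x, t in zip(a, eid)) % phi, N)
    return via_table, direct, expected


if __name__ == "__main__":
    print(demo())
    print(cost_profile(512, 2))   # 1024 entries, 255 multiplications
    print(cost_profile(512, 4))   # 2048 entries, 127 multiplications
```

The security gain comes from the number of unknown exponents behind the published table: a colluding group would need one registered key per table entry, which is why the text counts 1024 conspirators instead of 512, at the price of doubling the center's public information.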

Conclusion
In this paper we have presented an ID-based cryptosystem for the integer factorization problem and the discrete logarithm problem in the multiplicative group of a finite field. The proposed scheme satisfies Shamir's original concept in a strict sense, i.e., it does not require any interactive preliminary communication in each data transmission and makes no assumption that tamper-free modules are available. This kind of scheme provides a new scheme with a longer and higher level of security than schemes based on a single factoring or discrete logarithm problem. The proposed scheme also requires minimal operations in the encryption and decryption algorithms, which makes it very efficient. Based on the fact that reinventing a new scheme involves many uncertain and unknown threats, and that schemes based on the integer factorization problem and the discrete logarithm problem are widely deployed, our goal is to construct an ID-based transformation model for such schemes rather than reinvent a new one. The concept of the ID-based system can easily be embedded into existing cryptosystems based on the integer factorization problem and the discrete logarithm problem without changing their original design. This solution can be deployed directly in currently used systems at very low cost. Therefore, our new scheme is more practical and has the same security as the original integer factorization and discrete logarithm based system.