Auto-recoverable auto-certifiable cryptosystems (A survey)

Abstract

In this paper we survey the recent work on Auto-Recoverable Auto-Certifiable Cryptosystems. This notion has been put forth to solve the “software key escrow” problem in an efficient manner within the context of a Pubic Key Infrastructure (PKI). This survey presents the exact specification of the problem which is based on what software key escrow can hope to achieve. The specification attempts to separate the truly difficult technical issues in the area from the ones that are only seemingly difficult. We then review the work in Eurocrypt’98 and PKC’99, which gives an efficient reduction to a software key escrow system from a certified public key system (PKI). Namely, we show how to construct an escrowed PKI for essentially the same cost and effort required for a regular PKI. More specifically, the schemes presented are as efficient for users to use as a PKI, do not require tamper-resistant hardware (i.e., they can be distributed in software to users), and the schemes are shadow public key resistant as defined in Crypto’95 by Kilian and Leighton (namely, they do not allow the users to publish public keys other then the ones certified). The schemes enable the efficient verification of the fact that a given user’s private key is escrowed properly. They allow the safe and efficient recovery of keys (and plaintext messages) which is typical in emergency situations such as in the medical area, in secure file systems, and in criminal investigations. We comment that we do not advocate nor deal with the policy issues regarding the need of governments to control access to messages; our motivation is highly technical: in cases that escrow is required or needed we would like to minimize its effect on the overall PKI deployment. We then briefly mention forthcoming developments in the area which include further flexibility/compatibility requirements for auto-recoverable cryptosystems, as well as design of such systems which are based on traditional public key methods (RSA and discrete logs).