A Digital Asset Inheritance Model to Convey Online Persona Posthumously

Abstract

The astounding growth of the Internet has generated digital asset extensively. Users are concerned about asset management so that the asset can be conveyed successfully to the descendent posthumously. Very few works have addressed designing and modeling of digital asset inheritance (DAI) from a technical design perspective. They have several inherent limitations such as incorrect death confirmation, high participation of nominee, the possibility of failure to obtain recovery key, and are based on many unreasonable assumptions, thus inefficient to design in the real life. In this paper, we have formalized the different categories of digital assets and defined the various security goals, required functionalities, and necessary entities to build an asset inheritance model. We have also proposed a new protocol named digital asset inheritance protocol (DAIP) using certificateless encryption (CLE) and identity-based system (IBS) to convey the user’s online persona efficiently to the descendent after his death. DAIP allows the nominee to successfully retrieve the asset after the user’s demise, even if a nominee is uninformed regarding the asset. We, then, provide rigorous security proofs of various properties using real–ideal worlds paradigm. Finally, we have implemented DAIP model using PBC and pycryptodome library. The simulation results affirm that it can be practically efficient to implement.

Appendices

Appendix A: Extended preliminaries

Definition 3

(Symmetric key Encryption Scheme [13]) A symmetric key encryption scheme \(\textsf {SKS}=(\textsf {SKS.Enc},\textsf {SKS.Dec})\) is a 2-tuple of algorithms over the setup algorithm \(\textsf {SKS.Setup}\) and the message space \({\mathcal {M}}\) that works as follows:

• \(\textsf {SKS.Setup}(1^\lambda )\rightarrow k\): On input the security parameter \(1^\lambda \), it returns sk, where k is the symmetric key to be used in encryption and decryption.

• \(\textsf {SKS.Enc}(k, m)\rightarrow ct\): On input the message m, it returns ciphertext ct corresponding to \(m\in {\mathcal {M}}\) under the symmetric key k.

• \(\textsf {SKS.Dec}(k,ct)\rightarrow m\): On input the symmetric key k and the ciphertext ct, it returns the message m.

The above algorithm satisfies the following property:

• Correctness: for every key \(k \in {\mathcal {K}}\) and for every \(m\in {\mathcal {M}}\), the following holds: \( Pr\big [ct=\perp OR\ SKS.Dec(k,ct)=m:\) \(ct\xleftarrow {\$} SKS.Enc(k,m)]=1 \)

Definition 4

(Signature Scheme [8, 14]) A signature scheme \(\varSigma =(\varSigma .\textsf {Sign},\varSigma .\textsf {Verify})\) is a 2-tuple of algorithms over the setup algorithm \(\varSigma .\textsf {Setup}\) and the message space \({\mathcal {M}}\) that works as follows:

• \(\varSigma .\textsf {Setup}(1^\lambda )\rightarrow (mpk,msk)\): On input the security parameter \(1^\lambda \), it returns (mpk, msk), where mpk is the verification key and msk is the signing key.

• \(\varSigma .\textsf {Sig}(msk, m)\rightarrow \sigma \): On input the message m, it returns signature \(\sigma \) corresponding to \(m\in {\mathcal {M}}\) under the signing key msk.

• \(\varSigma .\textsf {Verify}(mpk, m,\sigma )\rightarrow b\): On input the message m and signature \(\sigma \), it returns a bit \(b\in \{0,1\}\), where: \(b=1\) if the pair \((m,\sigma )\) is verified under the verification key mpk.

The above algorithm satisfies the following property:

• Correctness: For every pair (mpk, msk) and for every \(m\in {\mathcal {M}}\), the following holds:

  $$\begin{aligned} Pr\bigg [\varSigma .\textsf {Verify}(mpk, m,\sigma )\rightarrow 1\,\\ | \, \varSigma .\textsf {Sig}(msk, m)\rightarrow \sigma \bigg ]=1 \end{aligned}$$

• Unforgeability: A signature scheme is unforgeable under an adaptive chosen message attack, if for any PPT adversary \({\mathcal {A}}\), and a negligible function \(\mu \), the following holds:

  $$\begin{aligned} Pr\Big [\varSigma .\textsf {Setup}(1^\lambda )\rightarrow (mpk,msk)\\ \wedge \, {\mathcal {A}}^{\varSigma .\textsf {Sign}(msk,\cdot )}(pk)\rightarrow (m',\sigma ') \\ \wedge \, \varSigma .\textsf {Ver}(vk, m', \sigma ')\rightarrow 1\, |\, m'\notin M \Big ]&<\, \mu (1^\lambda ),\nonumber \end{aligned}$$

  where M is the set of messages submitted by \({\mathcal {A}}\) to the Sign oracle.

Definition 5

(Pseudo-random function [13]) A family of function \(F_K:\{0,1\}^n \rightarrow \{0,1\}^m\), indexed by a key \(K \in \{0,1\}^s\) is said to be a pseudo-random function (PRF) if it satisfies the following:

• Given a key \(K\in \{0,1\}^s\) and an input \(X\in \{0,1\}^n\) there is an efficient algorithm to compute \(F_K(X)\).

It satisfies the following property:

• Indistinguishability: For all probabilistic polynomial time distinguisher D, there exists a negligible function \(\mu (\cdot )\) such that:

  $$\begin{aligned} \Big |Pr_{K\leftarrow \{0,1\}^s}[D^{F_K(\cdot )}]-Pr_{f\in {\mathcal {F}}}[D^{f(\cdot )}]\Big |<\mu (\lambda ) \end{aligned}$$

  where \({\mathcal {F}}=\{f:\{0,1\}^n\rightarrow \{0,1\}^m\}\).

Definition 6

(Collision Resistant Hash Function [7]) A collision free hash function family \({\mathcal {H}}\) is an infinite family of finite sets \(\{H_m\}_{m=1}^{\infty }\) and a polynomially bounded function \(t: N\rightarrow N\).

A member \(H_m\) is a function \(h: \{0,1\}^* \rightarrow \{0,1\}^{t(m)}\), and is called an instance of \({\mathcal {H}}\) of size m.

\({\mathcal {H}}\) must satisfy the following:

• Given a value of m, there is a probabilistic polynomial (in m) time algorithm \(\Theta \) which on input m selects an instance of \({\mathcal {H}}\) of size m at random.

• For any instance \(h\in H_m\) and \(x\in \{0,1\}^*\), h(x) is easy to compute, i.e., computable in time polynomial both in m and |x|.

• Given an instance \(h\in {\mathcal {H}}\) selected randomly as in (1), it is hard to find \(x,y\in \{0, 1\}^*\), such that \(h(x) = h(y)\) and \(x\ne y\). More formally: For any probabilistic polynomial time algorithm \({\mathcal {A}}\), and any polynomial P, consider the subset of instances h of size m for which \({\mathcal {A}}\), with probability at least 1/P(m), outputs \(x\ne y\) such that \(h(x) = h(y)\). Let \(\epsilon (m)\) be the probability with which \(\Theta \) selects one of these instances. Then as a function of m, \(\epsilon (m)\) vanishes faster than any polynomial fraction.

Appendix B: Construction of certificateless encryption (CLE) scheme

The concrete instantiation of the CLE scheme (as defined in Def. 1) is as follows [2]:

• CLE.Setup(\(1^\lambda )\rightarrow (mpk,msk)\): It works as follows:

  1. 1.

     Generate \((q, {\mathbb {G}}_1, {\mathbb {G}}_2,g,e, H_1, H_2)\). [Here, \({\mathbb {G}}_1\), \({\mathbb {G}}_2\) are groups of some prime order q, \(e: {\mathbb {G}}_1 \times {\mathbb {G}}_1 \rightarrow {\mathbb {G}}_2\) is a pairing, generator \(g \in {\mathbb {G}}_1\), \(H_1: \{0,1\}^* \rightarrow {\mathbb {G}}_1\), \(H_2: {\mathbb {G}}_2 \rightarrow \{0,1\}^n\), the message space \({\mathcal {M}} \in \{0,1\}^n \), and the ciphertext space \({\mathcal {C}} \in {\mathbb {G}}_{1} \times \{0,1\}^{n}\).]

  2. 2.

     Choose \(s \xleftarrow {\$} {\mathbb {Z}}^{*}_{q}\).

  3. 3.

     Set \(p_0:=s\cdot g\).

  4. 4.

     return \(mpk :=(q, {\mathbb {G}}_1, {\mathbb {G}}_2,e, H_1, H_2, g, n, p_0)\) and \(msk:=s\).

• CLE.KeyGen\((mpk, id)\rightarrow (pk, sk)\): For an \(id \in \{0,1\}^*\), the algorithm works as follows:

  1. 1.

     Choose \(s_k \xleftarrow {\$} {\mathbb {Z}}^{*}_{q}\).

  2. 2.

     Set \(pk:=(X,Y)\). [Here, \(X:=sk\cdot g, Y:=sk\cdot p_{o}=sk\cdot s\cdot g\).]

  3. 3.

     return (pk, sk).

• CLE.Enc(\(mpk, pk, id, {\mathbb {M}}\))\(\rightarrow {\mathbb {C}}\): For a message \({\mathbb {M}} \in {\mathcal {M}}\), the algorithm works as follows:

  1. 1.

     Check \(X,Y \in {\mathbb {G}}^{*}_1\). [Here, \(pk= (X,Y)\).]

  2. 2.

     Check \(e(X, p_0) {\mathop {=}\limits ^{?}} e(Y, g)\).

  3. 3.

     Compute \(Q=H_{1}(id)\).

  4. 4.

     Choose a random number \(r \xleftarrow {\$} {\mathbb {Z}}^{*}_{q}\).

  5. 5.

     Compute \({\mathbb {C}}= \{ r.g, {\mathbb {M}} \oplus H_{2}(e(Q,Y)^{r} ) \}\).

  6. 6.

     return \({\mathbb {C}}\).

• CLE.Extract(mpk, msk, id)\(\rightarrow sk'\): It works as follows:

  1. 1.

     Compute \(Q=H_{1}(id)\).

  2. 2.

     Set \(sk'= s\cdot Q\).

  3. 3.

     return \(sk'\).

• CLE.Dec(\(mpk, sk, sk', {\mathbb {C}}\))\(\rightarrow {\mathbb {M}}\): For a received cipher text \({\mathbb {C}}= (U,V)\), the algorithm works as follows:

  1. 1.

     Compute the private key \(S_{id}=(sk\cdot sk') = sk\cdot s\cdot Q\).

  2. 2.

     Decrypt message as follows: \(V \oplus H_{2}(e(S_{id},U))\)

     \(=V \oplus H_{2}(e(sk\cdot s\cdot Q,r\cdot g))\)

     \(=V \oplus H_{2}(e(H_{1}(ID),g)^{s\cdot sk\cdot r})\)

     \(={\mathbb {M}} \oplus H_{2}(e(Q,Y)^r) \oplus H_{2}(e(H_{1}(ID),g)^{s\cdot sk\cdot r})\)

     \(={\mathbb {M}} \oplus H_{2}(e(H_{1}(ID), g^{s\cdot sk})^r) \oplus H_{2}(e(H_{1}(ID),g)^{s\cdot sk\cdot r}) = {\mathbb {M}}\).