CA2156780A1 - Apparatus and method for cryptographic system users to obtain a jointly determined, secret, shared and unique bit string

Info

Publication number: CA2156780A1
Authority: CA (Canada)
Application number: CA002156780A
Other languages: French (fr)
Inventor: Thierry Moreau
Original assignee: Connotech Experts Conseils Inc
Legal status: Abandoned

Classifications

    • G09C 1/00 Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher, with particular pseudorandom sequence generator
    • H04L 9/0844 Key agreement involving Diffie-Hellman or related key agreement protocols with user authentication or key authentication, e.g. ElGamal, MTI, MQV (Menezes-Qu-Vanstone) protocol or Diffie-Hellman protocols using implicitly-certified keys
    • H04L 2209/08 Randomization, e.g. dummy operations or using noise
    • H04L 2209/80 Wireless

Abstract

Two users of a cryptographic system use the present invention when their respective processors need to get a jointly determined, secret, shared, and unique bit string. The present invention is effective and most useful when used over an insecure means of data transmission. After completion of the secret key exchange according to the present invention, the users proceed with further cryptographic exchanges which may use the jointly determined, secret, shared, and unique bit string produced by the present invention. The shared bit string produced by the present invention is a simple transformation of a sequence x_0, x_1, x_2, ..., x_{t-1} produced by the "x² mod N" pseudo-random number generator. Secrecy is achieved by disclosing selected information about this sequence, in such a way that the sequence can be computed by both participants in the secret key exchange but by no one else. It is a distinctive characteristic of the present invention to provide a means of cryptographic authentication of user A to the benefit of user B with no more processing and little more precautions than what is required for the secret key exchange only.

Description

APPARATUS AND METHOD FOR CRYPTOGRAPHIC SYSTEM USERS TO OBTAIN A JOINTLY DETERMINED, SECRET, SHARED, AND UNIQUE BIT STRING

Field of the Invention

The present invention relates to a method for cryptographic system users to obtain a jointly determined, secret, shared, and unique encryption key, and apparatus for obtaining such a key.

Description of the Prior Art

Each cryptosystem is easily classified as either a secret key cryptosystem or a public key cryptosystem. The Data Encryption Standard (DES) is a well known secret key cryptosystem and offers significantly better performance than all known public key cryptosystems. On the other hand, public key cryptosystems offer distinctive advantages. They provide confidentiality protection without a preliminary exchange of secret keys before a digital conversation. They offer the undeniable digital signature capability, a function that renders cryptographic authentication data significant not only to participants in the digital conversation but to third parties as well.

In the field of cryptography, a subtle but important distinction is made between "secret" information and "private" information. Secret information is shared between two or more users of a cryptosystem and the security is based on none of them disclosing the information to a user not part of the group. Private information is known by a single user of a cryptosystem, and is associated with some public information. Usually, private information is the private key and the corresponding public information is the public key of a private/public key pair. In public key cryptography, security is based on not disclosing the private key and making sure that the public key is indeed the one of the intended user.

Many improvements to public key cryptography are aimed at benefiting from its distinctive advantages while avoiding its typically disappointing performance. Most practical public key cryptosystems are hybrid in the sense that a public key cryptographic method is used to establish secret keys of a DES or equivalent cryptosystem, a technique referred to as secret key exchange. The Diffie-Hellman cryptosystem described in USA patent document 4,200,770, Hellman, Martin E., Diffie, Bailey W., Merkle, Ralph C., Cryptographic Apparatus and Method, April 29, 1980 (the Canadian equivalent to this patent is patent number 1,121,480), hereinafter referred to as [dh], is the foremost example of a secret key exchange cryptosystem.

Practical digital signatures are also hybrid in the sense that a cryptographic hash function is first applied to a message to reduce the input data size for the digital signature algorithm, without noticeably reducing the difficulty of forging the digital signature affixed to a message. In these two cases, for a given general purpose numerical processor, the non-public key method (DES or the hash function) is typically over 100 times faster than the public key method.

The significance of the 100-fold performance disadvantage for public key cryptosystems can be illustrated by a very crude estimate of typical processor performance requirements. The public key method is usually applied to input data of a fixed size between 512 and 1024 bits long, so we will use 768 bits of input per use of the cryptographic method. Let's assume a typical application where a first cryptographic method (e.g. [dh]) is used once for secret key exchange and a second cryptographic method (e.g. USA patent document 4,405,829, Rivest, Ronald L., Shamir, Adi, Adleman, Leonard M., Cryptographic Communications System and Method, September 20, 1983, hereinafter referred to as [rsa]) is used once for a digital signature, each with an input size of 768 bits. Let's assume a message size of 30 K-bits (30,720 bits). Finally, let's assume that the processor power was designed so that the two non-public key methods (DES and the hash function) could be performed with 20% processor utilization at the nominal transmission data rate (a conservative yet realistic design factor given the declining prices of digital electronic components). Then what is the implication of the disappointing public key performance? For the first 768 bit times of the digital conversation, the system would need a 100 × 20% = 2000% (i.e. 20 times) more powerful processor (for the initial secret key exchange). The same thing would happen for the 768 bit times at the end of the digital conversation (for the digital signature). Assuming the processor is not upgraded to a 20 times more powerful one, an initial delay and a final delay each of 15,360 bit times will be incurred. The public key cryptography overhead doubles the transmission time.

This situation is most critical for the smart card application of cryptography. The smart card application is meant to be a low-cost, mass production "electronic currency" device. In this case, one participant in the digital conversation is a smart card with very limited computing power while the other one is a service provider system with reasonable computing power. In this context, the relative performance load of cryptographic algorithms may significantly affect the usefulness of a cryptosystem. For instance, if the service provider must digitally sign a message sent to the smart card, good use can be made of a digital signature algorithm where signature verification is fast compared with signature generation.

The Schnorr cryptosystem described in USA patent document 4,995,082, Schnorr, Claus P., Method for Identifying Subscribers and for Generating and Verifying Electronic Signatures in a Data Exchange System, February 19, 1991, hereinafter referred to as [sch], is an attempt to resolve the performance issue for digital signatures in the context of smart card applications. It is based on a different mathematical foundation (the discrete logarithm problem) than the present invention, which is based on the "x² mod N" cryptographically strong pseudo-random number generator. The security of the "x² mod N" generator is based on the difficulty of finding square roots modulo N where N is the product of two large prime numbers.

While the Schnorr cryptosystem addresses the performance issue of digital signatures for smart cards, it is not suitable for secret key exchange. The present invention is aimed at solving the performance issue of public key cryptosystems for secret key exchange. In this sense, it can be viewed as a replacement for either the Diffie-Hellman cryptosystem [dh] or the RSA cryptosystem [rsa] for the purpose of secret key exchange. Neither [dh] nor [rsa] uses the "x² mod N" generator.

The Diffie-Hellman cryptosystem was disclosed at the inception of public key cryptography, and is well known to specialists in the trade. Practice of the Diffie-Hellman cryptosystem is illustrated in annexes C and H of ISO/IEC 11577:1994, Information Technology - Open Systems Interconnection - Network Layer Security Protocol, hereinafter referred to as [nlsp]. This public disclosure of a Diffie-Hellman cryptosystem application is not easily accessible, as the cryptographically significant facts are dispersed in extensive and detailed protocol specifications. Setting aside the improvements made by [nlsp], the Diffie-Hellman cryptosystem is well explained by the following excerpt from Brassard, Gilles, Modern Cryptology, a Tutorial, Lecture Notes in Computer Science, no. 325, Springer-Verlag, 1988, hereinafter referred to as [br] (pages 23-25):

"We have seen that one of the major difficulties with large scale multi-user secret-key cryptosystems is that each pair of users must share a secret key. Assume to the contrary that two given users initially share no secret information, and that they suddenly wish to establish secure communications between them. The conventional solution would be for them to meet physically in order to exchange a secret key, or to make use of some sort of trusted courier. Both these solutions are slow and expensive, and they may not be all that safe. The purpose of a public-key distribution system is to allow two such users to come up with a secret key as a result of a discussion over an insecure channel, in a way that an eventual eavesdropper cannot figure out the key after listening to the entire discussion.

"More precisely, we wish a protocol in which A and B exchange messages m1 (from A to B), m2 (from B to A), ..., until eventually A and B agree on some key k, in a way that it is infeasible to infer k from knowledge of m1, m2, ... alone. Let us stress again that this must be achieved even though A and B share no information beforehand that is unknown to the eavesdropper.

"The first protocol to achieve this seemingly impossible goal was proposed by Diffie and Hellman [dh] in 1976. It is based on the discrete logarithm problem introduced in section 4.1. Let p be some large integer and let a be another integer strictly between 1 and p-1. As a first step of the protocol, A and B agree on p and a over the insecure channel (alternatively, p and a could be standard parameters used by all users of the system). Then, A chooses some large integer x and computes X = a^x mod p. Similarly, B chooses y and computes Y = a^y mod p. At this point, A and B exchange X and Y over the insecure channel but they keep x and y secret (only A knows x and only B knows y). Finally, A computes Y^x mod p; similarly, B computes X^y mod p. Both these values are equal since it amounts to a^(xy) mod p either way. This is the key k they wished to establish in common.

"The eavesdropper is faced with the task of figuring out k from the information sent over the insecure channel: a, p, X, and Y. The obvious approach for the eavesdropper would be to figure out y from a, p, and Y (or at least some y such that a^y mod p = Y, as any such y would yield X^y mod p = k). However, this is precisely the discrete logarithm problem, which is believed to be infeasible. No one has yet figured out a way of computing k efficiently from a, p, X, and Y, but no one has either been able to prove that this is not possible or even that there is no better way to do so than to first compute a discrete logarithm. It is hence conceivable that the computation of k could be carried out efficiently even if the discrete logarithm problem should be genuinely infeasible."

The above explanation ignores the impersonation attack. The impersonation attack is the case where an adversary C intercepts X from A and replaces it with V = a^v mod p, which is sent to B (the adversary C selects v). The unsuspecting B uses V^y mod p as if it were X^y mod p. In the reverse direction, the adversary intercepts Y and replaces it with W = a^w mod p, which is sent to A. The unsuspecting A uses W^x mod p as if it were Y^x mod p. From then on, the digital conversation between A and B passes through C, which is then an active eavesdropper.
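The exchange from the excerpt above and the impersonation attack just described, as an added Python example (not part of the patent; p = 2^127 - 1 as the modulus, 3 as the base, the exponents and the function names are all constructed here for illustration):

```python
import secrets

# Constructed demo parameters: p = 2^127 - 1 is a Mersenne prime, a = 3 is the public base.
# (For real use one picks a group with a large prime-order subgroup and a generator of it.)
P_MOD = (1 << 127) - 1
A_GEN = 3


def random_exponent():
    """A fresh secret exponent in [1, p-2]; the uniqueness of k depends on this."""
    return 1 + secrets.randbelow(P_MOD - 2)


def dh_public(secret):
    """X = a^x mod p, the value that goes over the insecure channel."""
    return pow(A_GEN, secret, P_MOD)


def dh_shared(peer_public, secret):
    """k = (peer's public value)^(own secret) mod p."""
    return pow(peer_public, secret, P_MOD)


def honest_exchange(x, y):
    """A holds x, B holds y; the two messages are X and Y. Returns (k at A, k at B)."""
    X, Y = dh_public(x), dh_public(y)
    return dh_shared(Y, x), dh_shared(X, y)         # both equal a^(xy) mod p


def impersonation_attack(x, y, v, w):
    """C intercepts X and Y and forwards V = a^v and W = a^w in their place.
    Returns (k at A, k at B, C's key toward A, C's key toward B)."""
    X, Y = dh_public(x), dh_public(y)
    V, W = dh_public(v), dh_public(w)
    k_a = dh_shared(W, x)       # A computes W^x, believing W came from B
    k_b = dh_shared(V, y)       # B computes V^y, believing V came from A
    k_ca = dh_shared(X, w)      # C computes X^w, which equals k_a
    k_cb = dh_shared(Y, v)      # C computes Y^v, which equals k_b
    return k_a, k_b, k_ca, k_cb


if __name__ == "__main__":
    x, y = random_exponent(), random_exponent()
    print("honest exchange agrees:", len(set(honest_exchange(x, y))) == 1)
    k_a, k_b, k_ca, k_cb = impersonation_attack(x, y, random_exponent(), random_exponent())
    print("A shares its key with C:", k_a == k_ca,
          "| B shares its key with C:", k_b == k_cb,
          "| A and B share a key:", k_a == k_b)
```

Nothing in the two messages tells A that W was minted by C rather than by B, which is the gap the signature exchange of [nlsp] closes and which the present invention closes for A's identity by way of the trapdoor in N.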

To counter the impersonation attack, [nlsp] annexes C and H specify an optional security association protocol. The security association protocol starts with a data exchange according to [dh] and is followed by the transmission of a digital signature in each direction of communication. The digital signature is affixed to a challenge message implicitly dependent on the jointly determined value k = X^y mod p = Y^x mod p. In verifying the signature received from the other participant in the digital conversation, A authenticates B as the genuine other participant. The adversary C cannot replace a digital signature over V^y mod p by a signature over X^y mod p, since C cannot sign on behalf of B. For a more academic treatment of the impersonation attack in the context of the Diffie-Hellman cryptosystem, see C.H. Lim, P.J. Lee, Several Practical Protocols for Authentication and Key Exchange, in Information Processing Letters, 53 (1995) pp 91-96, hereinafter referred to as [ll].

In summary, the Diffie-Hellman cryptosystem produces a secret value k = X^y mod p = Y^x mod p which is jointly determined by the participants in a digital conversation, and secret from a passive eavesdropper. If the application of the Diffie-Hellman cryptosystem uses a random selection process for the choice of values x and y, the secret value k is unique to a given instance of a digital conversation. When the Diffie-Hellman process is followed by authentication based on the unique value k, impersonation attacks by an active eavesdropper can be detected. By itself, the Diffie-Hellman cryptosystem does not provide authentication: anyone can select an exponent x and compute a^x mod p.

The Diffie-Hellman cryptosystem is compute intensive. The processing load is the same for either participant. Even when the value a^x mod p is pre-computed by a participant, the computation of Y^x mod p must be done during the digital conversation and may thus create a protocol delay or latency. Although the length of a single secret value k may accommodate the key size of the DES cryptosystem, it is conceivable for an application to require more than one secret value k because a single one does not contain enough secret bits. In this case, the Diffie-Hellman cryptosystem computations are made more than once and the performance deteriorates.

The present invention is aimed at alleviating some of the difficulties with the Diffie-Hellman cryptosystem for secret key exchange. By contrast to the latter, the present invention is not symmetric: the computations and procedures are different for the initiator of the secret key exchange than for the responder. This asymmetry in computation requirements reduces the processing load for the responder of the secret key exchange. Moreover, the present invention has the capability to authenticate the initiator of the secret key exchange to the benefit of the responder, further reducing the processing load when the overall cryptographic application is considered. When the present invention is used for authentication, the prior art reported in J.J. Tardo, K. Alagappan, SPX: Global Authentication Using Public Key Certificates, in Proceedings of the 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991, pp 232-244, hereinafter referred to as [spx], is relevant to the present invention.

The present invention makes use of the "x² mod N" pseudo-random number generator which is described in L. Blum, M. Blum, and M. Shub, A Simple Unpredictable Pseudo-random Number Generator, SIAM Journal of Computing, vol. 15, no. 2, May 1986, pp 364-383, hereinafter referred to as [bbs]. Mathematical properties of the "x² mod N" generator were further studied in U.V. Vazirani and V.V. Vazirani, Efficient and Secure Pseudo-random Number Generation, Proceedings of the 25th IEEE Symposium on the Foundations of Computer Science, 1984, pp 458-463, hereinafter referred to as [vv]. The "x² mod N" generator generates a sequence of numbers with an interesting property for public key cryptosystems: computing the sequence in the forward direction is easy for any user from the knowledge of the parameter N, while the computations are infeasible in the reverse direction unless some private information about N is known. The "x² mod N" generator is used for the Blum-Goldwasser cryptosystem reported in M. Blum and S. Goldwasser, An Efficient Probabilistic Public-key Encryption Scheme which Hides All Partial Information, in Advances in Cryptology: Proceedings of Crypto'84, Springer-Verlag, 1985, pp 289-299, hereinafter referred to as [bg], which is important prior art to the present invention. The Blum-Goldwasser cryptosystem is well explained in [br], pages 32-39.
Summary of the Invention

Two users of a cryptographic system use the present invention when their respective processors need to get a jointly determined, secret, shared, and unique bit string. The overall process is called the secret key exchange. A secret key exchange typically occurs at the beginning of a digital conversation. In the following description, when a user is said to do something, this user's processor is implicitly involved. The user A is the initiator of the secret key exchange. The user B is the responder of the secret key exchange. In one instance of the secret key exchange, one message is sent from the user A to the user B and then one message is sent from user B to user A. The present invention is effective and most useful when these messages are sent using an insecure means of data transmission. After completion of the secret key exchange according to the present invention, the users A and B proceed with further cryptographic exchanges in the same digital conversation, or a subsequent one. These subsequent cryptographic exchanges may use the jointly determined, secret, shared, and unique bit string produced by the present invention. In doing so, the subsequent cryptographic exchanges also verify the information security provided by the present invention: for instance, the successful decipherment of a message using a secret key extracted from the resulting bit string is a confirmation that no breach of security occurred. More examples of subsequent cryptographic exchanges are given in the prior art, notably [nlsp].

The shared bit string produced by the present invention is a simple transformation of a sequence x_0, x_1, x_2, ..., x_{t-1} produced by the "x² mod N" generator. Secrecy is achieved by disclosing selected information about this sequence, in such a way that the sequence can be computed by both participants in the secret key exchange but by no one else. The value x_t = x_{t-1}² mod N is a first piece of information that can be disclosed without breach of confidentiality as long as the private information about N is known only by the user A, the initiator of the secret key exchange. The other piece of information disclosed is partial information about x, which determines the sequence by the equation x_0 = x² mod N. This partial disclosure should be inconsequential to the security of the system. It is reasonable to expect the present invention to be practiced by disclosing from 2 to 15 digits of x while complete knowledge of x requires between 150 and 200 digits. The present invention incorporates means to ensure that the disclosed part of x is diffused in x itself.

It is a distinctive characteristic of the present invention to provide a means of cryptographic authentication of user A to the benefit of user B with no more processing and little more precautions than what is required for the secret key exchange only. This comes from the fact that user A is the only one to have the private knowledge about N.

According to the invention, there is provided a method for cryptographic communication between a first data processor in communication with a second data processor using a jointly determined, secret, shared, and unique encryption key, comprising the steps of:
a) providing some first arbitrary information at both the first processor and the second processor, the first arbitrary information being determined by the first processor to be sufficiently unique;
b) determining at the second processor a first value using in part the first arbitrary information and in part second arbitrary information known only to the second processor, in such a manner that a use of the first arbitrary information in determining the first value can be confirmed by analysis without knowing the second arbitrary information;
c) generating at the second processor a sequence of values starting with the first value using a pseudo-random, unpredictable-to-the-left, trap-door one-way function for which the first processor knows a private key for determining preceding values of the sequence;
d) sending from the second processor to the first processor a message including a second value from the sequence;
e) determining at the first processor at least one value for the first value using the private key and the second value;
f) confirming at the first processor that the at least one first value was determined using in part the first arbitrary information;
g) generating the encryption key using at least a part of the sequence other than the second value at the second processor and generating the same encryption key at the first processor; and
h) communicating data between the first processor and the second processor using the encryption key if the confirming in step (f) is positive.

Preferably, the first arbitrary information is selected by the first processor and communicated to the second. Also, the first value is determined in step (b) using bit shuffling. The bit shuffling may be carried out using shuffling parameters also sent by the first processor to the second.

The one-way function is preferably the x² mod N function, in which N is a large number having factors P and Q, with P and Q being the private key. P and Q are preferably prime numbers respecting P mod 4 = 3 and Q mod 4 = 3. The encryption key is preferably a bit string calculated by transforming the sequence values using the mod 2^k function, where k is the number of least significant bits to be retained from each value of the sequence.

According to the invention, there is also provided an apparatus for cryptographic communication with a first data processor using a jointly determined, secret, shared, and unique encryption key. The apparatus comprises a second data processor including:
means for communicating with the first processor;
means for calculating a sequence of values starting with a first value using a pseudo-random, unpredictable-to-the-left, trap-door one-way function for which the first processor knows a private key for determining preceding values of the sequence;
means for generating second arbitrary information and determining the first value using in part some first arbitrary information and in part the second arbitrary information known only to the second processor, in such a manner that a use of the first arbitrary information in determining the first value can be confirmed by analysis without knowing the second arbitrary information, the first arbitrary information being at least one of generated by the second processor, transmitted to the first processor and then confirmed as being acceptable by the first processor, and generated by the first processor and then sent to the second processor;
means for transmitting a second value from the sequence to the first processor;
means for generating the encryption key using at least a part of the sequence other than the second value; and
means for encrypting and decrypting data using the encryption key.

In this way, creation of the sequence and the encryption key in the second processor is relatively easy to compute, while confirmation, starting from the second value, that the first value contains the first arbitrary information is relatively compute intensive. The encryption key can thus be mutually and secretly determined from a first value which is in part arbitrarily determined by the second processor alone, without requiring the apparatus to possess significant computing power.

Brief Description of the Drawing

The drawing is a schematic block diagram providing a logical representation of a preferred embodiment of the present invention.

Detailed Description of the Preferred Embodiment

There are a number of numerical parameters associated with the present invention.

A first parameter is the number L of bits in the required shared bit string. The context where the present invention is used will normally dictate an appropriate value for the parameter L and users A and B will normally have a priori knowledge of this value.

Another parameter is a large number N equal to the product of two distinct prime numbers, each of them giving 3 as a remainder when divided by 4 (N = P × Q where P and Q are prime, P ≠ Q, P mod 4 = 3, Q mod 4 = 3). The prior art about the "x² mod N" generator should be taken into account when selecting the prime numbers P and Q. Notably, it was suggested that (P-1)/2, (P-3)/4, (Q-1)/2, and (Q-3)/4 should all be prime numbers.

The parameter N is selected by the user A and the prime numbers P and Q are never disclosed. The prime numbers P and Q
are the private key of user A for the present invention. If the present invention is not used to authenticate user A to the benefit of user B, it is sufficient for the prime numbers P and Q to be kept private and the parameter value N to be carried to user B by any means (e.g. as part of the first message 301 from user A to user B). If the present invention is used to authenticate user A to the benefit of user B, then the parameter N is the public key of user A for the present invention and the data integrity protection should be applied to the distribution of the parameter N value as with any public key used for authentication (e.g. with the use of a security certificate). With the known factorization algorithms, the parameter N may need to exceed 150 digits for the present invention to be provide effective security.
Another parameter is a small number k which represents the number of least significant bits to be retained at each iteration of the "x mod N" computation. The parameter k is at least 1 and much smaller than the number of bits required to represent N. The parameter k may be selected according to the number theoretical analysis of the ~x2 mod N" generator found in the prior art, notably [w]. The present invention is insensitive to the means of distributing the value of the parameter k to the users A and B.
The last two parameters are numbers S' and S'' used to shuffle the bits of two numbers, and such that 4/S'' is an acceptable upper limit to the probability that a replay or impersonation attack targeting user A would remain undetected by the present invention. The parameters S' and S'' can be as small as 1, but if S'' is very small, some protection is lost. The parameters S' and S'' must be selected such that S' × S'' < N.

The bit shuffling 202 proceeds as follows. In the secret key exchange, xA→B is a random integer selected by user A and transmitted in the clear to user B. The valid range for xA→B is 0 ≤ xA→B < S''. The integer xB' is also random, but selected by user B and never disclosed. The valid range for xB' is 0 ≤ xB' < N/S''. Together, xA→B and xB' jointly determine a number x computed as

x = (floor(xB'/S') × S'' × S') + (xA→B × S') + (xB' mod S'),

where floor(a/b) is the integer division of a by b. As a simple example, let S' = 16 and S'' = 16. Then xA→B is the second-to-last digit in the hexadecimal representation of x, and xB' determines all other digits of x. Intuitively, the number x is a "mostly secret" number. The number of "disclosed bits" is the size of (S''-1) in bits. The size of (S'-1) in bits represents the "left shift" of the disclosed bits from the least significant bit positions. This explanation holds when S' and S'' are exact powers of 2. With unrestricted values of S' and S'', the shuffling of the xA→B bits into x is more cryptic.

The parameters S' and S'' can be changed from time to time to increase the secret key exchange security. The magnitude of the parameter S'' indicates the size of the partial information disclosed about x. Even a small change in the parameter values alters the bit shuffling 202. It is thus possible to practice the present invention by selecting new values for the parameters S' and S'' at each occurrence of a secret key exchange, when the number xA→B is randomly selected 101, and sending them along with xA→B in the first message 301 of the secret key exchange.

The secret key exchange begins with the user A selecting 101 the random number xA→B. The user A sends xA→B to user B as the first message 301 in the secret key exchange. Depending on the application details, any or all of the parameters L, N, k, S' and S'' may accompany the value xA→B in this first message 301. The user B then selects 201 a random number xB', computes x from xA→B and xB' using the bit shuffling 202, and checks that 1 < x < N-1 (otherwise a new xB' is selected). The number xB' is never disclosed. Let t be floor((L+k-1)/k), that is, L/k rounded up (thus, t ≥ 1). Then user B computes the sequence 203, x0, x1, x2, ..., xi, ..., x(t-1) and xt, with the following equations:

x0 = x^2 mod N
x1 = x0^2 mod N
x2 = x1^2 mod N
...
xi = x(i-1)^2 mod N
...
x(t-1) = x(t-2)^2 mod N
xt = x(t-1)^2 mod N

All xi values in the sequence 203 are kept secret. The user B sends xt to the user A as the second message 302 in the secret key exchange.
Upon receipt of the second message 302, the user A performs the inverse x^(2^(-(t+1))) mod N computation 102, that is, t+1 successive modular square roots, based on the private knowledge of the prime factors P and Q.

To make the inverse computation 102 more efficient, the user A may pre-compute integers a and b such that a × P + b × Q = 1 (using the generalized Euclid algorithm), and integers alpha and beta:

alpha = ((P+1)/4)^(t+1) mod (P-1), and beta = ((Q+1)/4)^(t+1) mod (Q-1).

(For a prime P congruent to 3 modulo 4, y^((P+1)/4) mod P is the square root of a quadratic residue y that is itself a quadratic residue, so raising to the (t+1)-th power of (P+1)/4 takes t+1 such roots at once; the exponent may be reduced modulo P-1 by Fermat's theorem.) In the inverse computation 102, the user A recovers the four possible values for x and the exact value of x0. This recovery starts with the following computations:

mu = (xt mod P)^alpha mod P, and nu = (xt mod Q)^beta mod Q.

The user A may then compute the four possible values for x by the Chinese remainder theorem:

e = (b × Q × mu + a × P × nu) mod N,
f = (b × Q × (P - mu) + a × P × nu) mod N,
g = (b × Q × mu + a × P × (Q - nu)) mod N, and
h = (b × Q × (P - mu) + a × P × (Q - nu)) mod N,

and the exact value of x0:

x0 = e^2 mod N.

In the bit shuffling test 103, the user A verifies that at least one of the following equalities is true:

xA→B = floor(e/S') mod S'',
xA→B = floor(f/S') mod S'',
xA→B = floor(g/S') mod S'', or
xA→B = floor(h/S') mod S''.

If none of the above equalities holds, the received xt value was selected without due consideration of the xA→B sent by the user A (possibly with a method or a device which is not practicing the present invention). Consequently, an error is detected, and a later check of timeliness or detection of a replay or impersonation attack would be unreliable (if based on the shared bit string).

From the recovered x0, the user A can recover the other secret xi values using the same computations as the user B. This is done in step 104.

The jointly determined, secret, shared, and unique bit string is the concatenation w of the Bi values for i = 0, 1, 2, ..., t-1, where each Bi = xi mod 2^k, the k least significant bits of xi (notation w = B0|B1|B2|...|B(t-1)). This computation is made independently by user A and user B, respectively in steps 105 and 204, which may be performed concomitantly with steps 104 and 203 respectively. Depending on the application details, the users A and B may subsequently use subsets of the bit string as encipherment keys, secret initial values for hash functions, and data to be digitally signed as part of cryptographic authentication procedures.
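The exchange described above (steps 101 to 105 on user A's side, 201 to 204 on user B's side, including the bit shuffling 202 and the bit shuffling test 103), as an added worked example. This is not the patent's own example 'A' source code (which is in C); it is written in Python so that pow() handles the modular exponentiations and the two sides' computations can be read side by side. It assumes the page's own small prime pair P = 47, Q = 359 (N = 16873, a toy modulus with no real security), L = 128, k = 4, and the same S', S'' selection rules as the page's small-scale model; the function and variable names are this example's own. Beyond the honest exchange it also measures how often the bit shuffling test catches an adversary who returns an arbitrary xt = v^2 mod N without regard to xA→B, the 1 - 4/S'' detection rate discussed in the security analysis that follows.

```python
# Added worked example (not the patent's example 'A'): the exchange with the
# page's toy primes P = 47, Q = 359. Names are this example's own.
import math
import random

P, Q = 47, 359            # both prime, both congruent to 3 mod 4
N = P * Q                 # 16873: a toy modulus, trivially factorable
L, k = 128, 4             # bits wanted, bits retained per squaring
t = (L + k - 1) // k      # squarings from x0 to xt (32 here)
MASK = (1 << k) - 1


def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def bit_shuffling(s1, s2, xa_b, xb):
    """Step 202: floor(xB'/S')*S''*S' + xA->B*S' + (xB' mod S'); s1 = S', s2 = S''."""
    return (xb // s1) * s2 * s1 + xa_b * s1 + xb % s1


def disclosed_part(s1, s2, x):
    """The part of x that xA->B fixes: floor(x/S') mod S''."""
    return (x // s1) % s2


def squarings(x0):
    """Steps 203/204 (A's 104/105): k low bits of x0..x(t-1); returns (w, xt)."""
    xi, chunks = x0, []
    for _ in range(t):
        chunks.append(format(xi & MASK, "0%db" % k))   # B_i = x_i mod 2^k
        xi = xi * xi % N
    return "".join(chunks), xi


def responder(s1, s2, xa_b, rng):
    """User B, steps 201-204: returns the second message xt and B's copy of w."""
    while True:
        xb = rng.randrange(0, N // s2)                   # xB', never disclosed
        x = bit_shuffling(s1, s2, xa_b, xb)
        if 1 < x < N - 1 and math.gcd(x, N) == 1:
            break
    w, xt = squarings(x * x % N)                         # x0 = x^2 mod N
    return xt, w


def initiator_precompute():
    """User A: a*P + b*Q = 1 and the exponents alpha, beta for t+1 square roots."""
    _, a, b = egcd(P, Q)
    alpha = pow((P + 1) // 4, t + 1, P - 1)
    beta = pow((Q + 1) // 4, t + 1, Q - 1)
    return a, b, alpha, beta


def four_roots(xt, pre):
    """Step 102: the four square roots e, f, g, h of x0, from xt and the trapdoor."""
    a, b, alpha, beta = pre
    mu = pow(xt % P, alpha, P)      # (t+1)-fold quadratic-residue root mod P
    nu = pow(xt % Q, beta, Q)       # same mod Q

    def crt(rp, rq):                # combine a root mod P with a root mod Q
        return (b * Q * rp + a * P * rq) % N
    return crt(mu, nu), crt(P - mu, nu), crt(mu, Q - nu), crt(P - mu, Q - nu)


def initiator(s1, s2, xa_b, xt, pre):
    """User A, steps 102-105: returns (w, None) on success or (None, error)."""
    e, f, g, h = four_roots(xt, pre)
    if not any(disclosed_part(s1, s2, r) == xa_b for r in (e, f, g, h)):
        return None, "bit shuffling test failed"          # step 103
    w, xt_check = squarings(e * e % N)                   # x0 = e^2 mod N
    if xt_check != xt:
        return None, "xt is not the end of a square-root chain"
    return w, None


def first_message(rng):
    """Step 101 with the page's toy parameter rules: (S', S'', xA->B)."""
    s2 = rng.randrange(19, 26) | 1                       # S'': odd, 19..25
    s1 = 17 * rng.randrange(1, (N // s2) // 17 + 1)      # S': multiple of 17, S'*S'' < N
    return s1, s2, rng.randrange(0, s2)


def exchange(seed=1):
    """One honest run; returns (A's bit string, B's bit string), both of length L."""
    rng = random.Random(seed)
    s1, s2, xa_b = first_message(rng)                    # message 301
    xt, w_b = responder(s1, s2, xa_b, rng)               # message 302
    w_a, err = initiator(s1, s2, xa_b, xt, initiator_precompute())
    assert err is None, err
    return w_a, w_b


def detection_rate(trials=400, seed=2):
    """Adversary ignores xA->B and returns xt = v^2 mod N for a random v;
    the fraction caught by test 103 should be close to 1 - 4/S''."""
    rng, pre, caught = random.Random(seed), initiator_precompute(), 0
    for _ in range(trials):
        s1, s2, xa_b = first_message(rng)
        v = rng.randrange(2, N - 1)
        while math.gcd(v, N) != 1:
            v = rng.randrange(2, N - 1)
        if initiator(s1, s2, xa_b, v * v % N, pre)[1] is not None:
            caught += 1
    return caught / trials


if __name__ == "__main__":
    wa, wb = exchange()
    print("strings agree:", wa == wb, "w = %032x" % int(wa, 2))
    print("forged xt caught: %.0f%%" % (100 * detection_rate()))
```

Running the module prints whether the two 128-bit strings agree and the measured detection rate, which comes out near 80 to 85% for S'' between 19 and 25. Note what A actually recovers: e is the quadratic-residue square root of x0, while B's x is merely one of the four roots e, f, g, h of x0, which is why test 103 has to check all four and why A rebuilds w from e^2 rather than from any particular root.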

An example of source code in the C programming language for carrying out the above described calculations and steps is given in example 'A' hereinbelow.

It should be obvious to someone knowledgeable of the field of cryptology and applied cryptography that the processing load for user B is small compared to other methods for secret key exchange: user B performs only t+1 modular squarings and no modular exponentiation.

In reference to the prior art of public key cryptography theory, the present invention is based on the trap-door one-way function fN(x) = x^2 mod N where N is a product of two distinct prime numbers congruent to 3 modulo 4. The private trap-door information (the private key) is the factorization of N (the two distinct prime numbers), which allows efficient computation of "square roots" modulo N. With the present invention, an unpredictable-to-the-left pseudo-random number generating function is constructed from a trap-door one-way function. Mathematically, this is represented as a function g: S × Z+ → S × W where S is the set of possible seeds for the specific generator, Z+ is the set of integers greater than zero, and W is the set of bit strings. In the case of the "x^2 mod N" generator, the function g is g(x, L) = (xt, w) where x, L, xt, and w are as described above.

Without departing from the spirit and intent of the present invention, many variations are possible, as should be obvious to someone knowledgeable of the field of cryptology and applied cryptography. Observing that the inputs S', S'', and xA→B to the bit shuffling 202 effectively restrict the possible choices for x by a factor of S'', any formulation of a restriction on x that can be conveyed in the first message 301 and verified by the bit shuffling test 103 falls within the spirit of the present invention. Yet another obvious variation to the present invention is to redefine x0 = x^(2^t') mod N for some additional parameter t' ≥ 1 (the preceding disclosure of the present invention implicitly uses t' = 1). This variation introduces more "x^2 mod N" pseudo-randomness into x0.

When the value x is output by the bit shuffling 202, a verification that x and N are relatively prime can be done. This would make the present invention more conforming to the mathematical foundation of the "x^2 mod N" generator. But the usefulness of this verification should be weighed against the infinitesimal probability (P+Q)/N of a failure and the processing requirement for this verification. In case x and N are not relatively prime, a new xB' is selected.

In order to fully disclose the present invention, a detailed analysis of its security follows. The cryptographic security of the present invention is described in terms other than a formal mathematical development. It is a characteristic of the present invention that the bit shuffling from xA→B into x is more of a heuristic nature than a result of formal mathematical deductions.

An eavesdropper cannot recover any of the secret xi from the knowledge of N, S', S'', xA→B, xt, k, L, and t. With a large enough N, neither the user B nor an eavesdropper can find the prime numbers P and Q. Without knowledge of the prime factors of N, finding an x(i-1) value given xi = x(i-1)^2 mod N is known to be computationally infeasible. The sequence x, x0, x1, x2, ..., x(t-1), xt is easy to compute from left to right, but computationally infeasible from right to left (the "x^2 mod N" generator is said to be unpredictable to the left).

The knowledge of xA→B should give the eavesdropper insufficient information for the computation of the secret xi values. In selecting the order of magnitude for the parameter S'', a trade-off must be made between the quantity of information offered to the eavesdropper through xA→B and the probability 4/S'' that a replay or impersonation attack targeting user A would remain undetected by the present invention. If S' and S'' were respectively 1 and N, the disclosed xA→B value would completely determine x and the sequence x0, x1, x2, ..., x(t-1). At the other extreme, if S'' = 1, xA→B is a constant; the secret xB' completely determines the sequence x0, x1, x2, ..., x(t-1), but the same sequence can be used more than once (e.g. by an impostor attempting a replay attack). A practical trade-off is possible considering 1) the magnitude of N, which accounts for the known factorization algorithms, 2) the plausibility of a replay or impersonation attack given that it is detected by the present invention with a probability 1-4/S'', and 3) the ease with which the S'' magnitude can be increased after the detection of a first replay or impersonation attack.

Some principles of the Blum-Goldwasser probabilistic cryptosystem [bg] are applied by the present invention. In order to disclose the security built into the present invention, it is useful to relate the two cryptosystems. The Blum-Goldwasser cryptosystem is related to the present invention in the following way:

1) In the Blum-Goldwasser cryptosystem, the bit sequence w = B0|B1|B2|...|B(t-1) serves as a one-time pad to encipher a message m with the bitwise exclusive-or operation, ⊕. The resulting ciphertext m ⊕ w is transmitted and thus available to the eavesdropper. With the intended usage of the present invention, it is unlikely that any portion of the bit sequence w is going to be available to the eavesdropper (since a portion of the bit sequence w is precisely intended as a secret key for the encipherment algorithm which protects the remainder of the digital conversation from the eavesdropper).

2) Both in the Blum-Goldwasser cryptosystem and in the present invention, xt is transmitted in the clear and readily available to the eavesdropper.

3) In the Blum-Goldwasser cryptosystem, xt is unrestricted, but for the fact that some value v exists where xt = v^2 mod N. In the present invention, xt is additionally restricted to a fraction 4/S'' of all possible values, as determined by xA→B, which is transmitted in the clear and readily available to the eavesdropper.

4) Public knowledge is assumed for N, k and t. In the case of the present invention, S' and S'' are assumed public as well.

The Blum-Goldwasser cryptosystem is known to be secure against a ciphertext-only attack. Under this form of attack, the adversary is given the ciphertext m ⊕ w and the value xt for a number of messages. Under a ciphertext-only attack, the present invention gives xA→B and xt to the adversary for a number of digital conversations. The security of the present invention under the ciphertext-only attack is based on the shuffling of bits from xA→B into x, and on the pseudo-randomness of the sequence x, x0, x1, x2, ..., x(t-1), xt. The theoretical foundation of the "x^2 mod N" generator indicates that the pseudo-randomness is as effective for t = 1 (leading to a short sequence x, x0, x1) as for any other value of t.

The Blum-Goldwasser cryptosystem is known to be weak against a chosen ciphertext attack. Under this form of attack, the adversary has temporary access to the deciphering equipment, is free to submit any ciphertext he wants and to observe the corresponding cleartext. With the chosen ciphertext attack, the adversary can decipher a previously observed ciphertext, but this trivial case is not so relevant to the overall security of the Blum-Goldwasser cryptosystem. The prior art reports that under the chosen ciphertext attack, the adversary has the capability to find the prime factors P and Q of the parameter N, and thus he may decipher any message m ⊕ w from xt at any later time.

For the understanding of the security offered by the present invention, it is not necessary to understand exactly how the adversary can factor N from the information gathered by the chosen ciphertext attack on the Blum-Goldwasser cryptosystem. It is sufficient to understand what information is gathered, and to understand that the present invention does not provide the equivalent information. Under the chosen ciphertext attack, the adversary submits any ciphertext c with xt = v^2 mod N for some selected value v. An intelligent selection process for the value v is an essential component of the successful factorization of N with the chosen ciphertext attack. The adversary then gets a deciphered meaningless message mc such that c = mc ⊕ w, and thus gets the bit sequence w = B0|B1|B2|...|B(t-1) for this xt. The theory shows that there are exactly four possible values for v, and only one of them, namely x(t-1), is itself a quadratic residue of the form u^2 mod N for some value u. Thus, with the Blum-Goldwasser cryptosystem, the ability to choose v without restriction and then get some information about the corresponding x(t-1), namely the k least significant bits of x(t-1), opens the door to the factorization of N.

With the present invention, xt is partially determined by xA→B. Thus, if the adversary submits an arbitrary xt value, the present invention will detect something going wrong with a probability of 1-4/S''. The shuffling of bits from xA→B into x and the pseudo-randomness of the sequence x, x0, x1, x2, ..., x(t-1), xt make it impossible to find a value v satisfying both the said intelligent selection process and being correctly determined by xA→B (unless the factors of N are already known). A skilled mathematician may see, as an example of a selection process for v, that the adversary may at some point look for a value v having a Jacobi symbol with respect to N equal to -1 and such that v^2 mod N = xt for some xt partially determined by xA→B, and compute gcd(v + x(t-1), N) = P or Q (see [bbs] on page 373).

Even if an appropriate value v could be found, the present invention does not disclose B0|B1|B2|...|B(t-1) as the Blum-Goldwasser cryptosystem does. An adversary could hope to select the value x satisfying the said intelligent selection process (after all, the adversary has N/S'' choices for x). But then, the wanted information would be B(-1), the low-order bits of x itself, which is not even considered by the present invention.

With the preceding discussion of the chosen ciphertext attack, let us assume that the subsequent digital conversation does indeed reveal a portion of the sequence B0|B1|B2|...|B(t-1). For instance, say a digital signature of a portion of this sequence inadvertently discloses the least significant bit of B(t-1) (a case where the theory on the "x^2 mod N" generator is very useful to the adversary). Then a chosen ciphertext attack could repeatedly submit an arbitrary xt without regard to xA→B, and make use of the rare occasions (with a probability 4/S'') where the present invention would not detect the attack and would disclose the least significant bit of B(t-1). In this case, increasing the magnitude of S'' may not be effective. Then, changing the parameter N may be the proper thing to do.

This last observation on the security of the present invention explains why it is more useful for secret key exchange than for public key encryption. The shuffling of bits from xA→B into x could be applied to the Blum-Goldwasser cryptosystem for messages sent from user B to user A (to detect chosen ciphertext attacks). But a combination of two objections may be raised. First, with public key encryption, the chosen ciphertext attack is more than an academic threat. Second, with public key encryption, each user A must publish its parameter N. With the publication requirement, changing the parameter N can be a relatively costly operation. At the same time, changing the parameter N would be the appropriate countermeasure upon detection of a repeated chosen ciphertext attack. On the contrary, for the secret key exchange, the chosen ciphertext attack is a very remote possibility. With a properly secured digital conversation following the secret key exchange using the present invention, no portion of the sequence B0|B1|B2|...|B(t-1) is ever disclosed and the chosen ciphertext attack threat disappears.

Subsequent to the successful secret key exchange according to the present invention, the user B will notice that user A indeed knows the sequence B0|B1|B2|...|B(t-1). Then, the user B gets a cryptographic assurance that his correspondent in the digital conversation knows the factors P and Q. Hence user A is authenticated by the present invention to the benefit of user B. In other words, if the user B has assurance that the specific parameter N used in a given secret key exchange is the public key of user A, impersonation attacks targeted at user B must be based on knowledge of the factors P and Q of this parameter N. This type of attack is typical of public key cryptography and relates to the privacy of P and Q and to the integrity protection for the parameter N during its transmission to user B and storage in the user B's cryptographic device. If user B has doubts about the authenticity of the parameter N as the user A's public key, the security of the present invention against an impersonation attack targeted at user B is not different from the prior art of the Diffie-Hellman cryptosystem.

Example 'A': Source Code in C

/* ********************************************************
   Method for Cryptographic System Users to Obtain
   a Jointly Determined, Shared, and Unique Bit String

   Author: Thierry Moreau
   Date: July 28, 1995
   Requirements: ANSI X3.159 "C" programming language compiler
                 32-bits representation of integers
   Caveats: 1) This is a "small-scale model", avoiding issues such as
               multi-precision arithmetic and real-life separation of
               initiator cryptographic processor from responder
               cryptographic processor.
            2) The reader should not rely on this source code to
               introduce himself to modulo arithmetic and other
               concepts from the number theory.
   ******************************************************** */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <assert.h> /* assert(...) intended to raise confidence in the source code correctness. */
#if (UINT_MAX < 0xFFFFFFFF)
#error This source code requires a 32-bit integer format
#endif

/* ************************
   Utilities
   ************************ */
#define mod %
#define and &&
#define or ||
#define not !

/* ---------------- Pseudo-random number generation from the C standard example ---------------- */
static unsigned long int next = 1;
#undef RAND_MAX /* overrides the definition from <stdlib.h> */
#define RAND_MAX 32767
int rand(void)
{
    next = next * 1103515245 + 12345;
    return (unsigned int)(next/65536) mod 32768;
}

void srand(unsigned int seed)
{
    next = seed;
}

/* ---------------- Linear distribution of random integers ---------------- */
static unsigned int linear_distribution( unsigned int min , unsigned int max)
{
    unsigned int return_value;
    assert(max>min);
    do { /* get at least 32 random bits irrespective of RAND_MAX
            (unsigned arithmetic, so the product may wrap without overflow) */
        return_value = ((unsigned int)rand()*(RAND_MAX+1u)+(unsigned int)rand())
                       *(RAND_MAX+1u)+(unsigned int)rand();
    } /* but disregard any draw above an exact number of ranges, since
         such a draw would not make the distribution uniform */
    while (return_value>=(UINT_MAX-UINT_MAX mod (max-min+1)));
    return return_value mod (max-min+1) + min;
}

/* ---------------- Greatest common divisor ---------------- */
static unsigned int gcd(unsigned int a, unsigned int b)
{
    int i;
    unsigned int x[4]; /* need x[0], x[1], x[i-1] */
    if (a>b) {
        x[0] = a; x[1] = b;
    }
    else {
        x[0] = b; x[1] = a;
    }
    i = 1;
    /* mapping 0123456789... into 0123232323... (a trick to maintain
       "elegant" programming style with limited-size memory) */
#define w(x) (((x)<4)?(x):(2+((x)&1)))
    while( x[w(i)] != 0 ) {
        x[w(i+1)] = x[w(i-1)] mod x[w(i)];
        i++;
    }
    return x[w(i-1)];
#undef w
}

/* ---------------- Generalized Euclid algorithm ---------------- */
/* finds signed a, b such that a*P + b*Q = 1 (P and Q must be coprime) */
static void generalized_euclid(unsigned int P, unsigned int Q
                              ,int*a ,int*b)
{
    unsigned int x[4]; /* need x[0], x[1], x[i-1] */
    int u[4], /* need u[i-1] */
        v[4]; /* need v[i-1] */
    int i;
    if (P>Q) {
        x[0] = P; x[1] = Q;
    }
    else {
        x[0] = Q; x[1] = P;
    }
    u[0] = 1; u[1] = 0;
    v[0] = 0; v[1] = 1;
    i = 1;
    /* mapping 0123456789... into 0123232323... (a trick to maintain
       "elegant" programming style with limited-size memory) */
#define w(x) (((x)<4)?(x):(2+((x)&1)))
    while( x[w(i)] != 0 ) {
        int y;
        /* invariant: x[i] = u[i]*x[0] + v[i]*x[1] */
        assert(x[w(i)]==u[w(i)]*x[0]+v[w(i)]*x[1]);
        y = x[w(i-1)]/x[w(i)];
        x[w(i+1)] = x[w(i-1)] mod x[w(i)];
        u[w(i+1)] = u[w(i-1)] - (y*u[w(i)]);
        v[w(i+1)] = v[w(i-1)] - (y*v[w(i)]);
        i++;
        assert(x[w(i)]==u[w(i)]*x[0]+v[w(i)]*x[1]);
    }
    if (P>Q) {
        *a = u[w(i-1)];
        *b = v[w(i-1)];
    }
    else {
        *a = v[w(i-1)];
        *b = u[w(i-1)];
    }
#undef w
}

/* ---------------- Modular Multiplication ---------------- */

/* this version is limited to 16 bits multiplicands a and b */
#define mult_modulo(a,b,m) (((a)*(b))mod(m))

/* ---------------- Modular Exponentiation ---------------- */

static unsigned int expmod(unsigned int base
                          ,unsigned int exponent
                          ,unsigned int prepmod)
{
    /* left-to-right binary exponentiation: square, then multiply
       when the current exponent bit is set */
    unsigned int mask;
    unsigned int result = 1;
    mask=UINT_MAX-UINT_MAX/2; /* only the highest bit is set */
    while (mask) {
        result = mult_modulo(result,result,prepmod);
        if(exponent&mask) {
            result=mult_modulo(result,base,prepmod);
        }
        mask >>= 1;
    }
    return result;
}

/* ---------------- Number theoretic signed modulo ---------------- */

/* remainder in the range 0..denom-1 even for a negative num */
unsigned int number_theoretic_mod(int num, unsigned int denom)
{
    div_t d; /* a C portable construct for signed integer division */
    d=div(num,(int)denom);
    if (d.rem>=0) return d.rem;
    else return d.rem+denom;
}

/* ********************************************************
   Definitions of Common Parameters
   ******************************************************** */
#define L (128) /* Number of bits in the resulting bit string */
#define k (4) /* Number of bits to retain in each step */
#define t ((L+k-1)/k) /* Number of steps of the x**2 mod N generator */
static unsigned int N;/* Public key of the Initiator, user A*/

/* ********************************************************
   Code for the Responder (user B) in the Secret Key Exchange
   ******************************************************** */
/* the resulting jointly determined, secret, shared, and unique bit
   string as computed by the responder, user B (one bit per byte) */
static char resp_secret_bit_string[L]; /* #204 */

/* ---------------- Bit_Shuffling ---------------- */
/* S_ is S', S__ is S'' in the description above */
static unsigned int Bit_Shuffling(unsigned int S_ /* #202 */
                                 ,unsigned int S__
                                 ,unsigned int xA_B
                                 ,unsigned int xB_)
{
    return ((xB_/S_)*S__*S_) + (xA_B*S_) + (xB_ mod S_);
}

/* ---------------- responder_procedures ---------------- */

static unsigned int responder_procedures(unsigned int S_
                                        ,unsigned int S__
                                        ,unsigned int xA_B)
{
    unsigned int xi;
    do {
        int i_t;
        do {
            unsigned int xB_;
            xB_ = linear_distribution(0,N/S__);/* #201 */
            xi = Bit_Shuffling(S_,S__,xA_B,xB_);/* #202 */
        } while (not((1<xi)and(xi<(N-1))
                     and(gcd(xi,N)==1) /* this gcd test should be omitted
                                          in a full-scale implementation */
                    ));
        for (i_t=0; i_t<t; i_t++) {
            int i_bit;
            xi = mult_modulo(xi,xi,N); /* #203 */
            for (i_bit=0;i_bit<k;i_bit++) /* #204 */
                resp_secret_bit_string[i_t*k+i_bit]= (xi&(1<<i_bit))!=0;
        }
    } while (xi == 1); /* unlikely event where the period of the
                          x**2 mod N generator is 1 */
    xi = mult_modulo(xi,xi,N); /* xt, the second message */
    return xi;
}

/* ********************************************************
   Code for the Passive Eavesdropper Role in the Key Exchange
   ******************************************************** */
/* The passive eavesdropper is one who tries to break the system by
   exhaustive search. In this small scale model, the eavesdropper is
   allowed a fixed number of attempts on each message exchange. In a
   full-scale implementation, exhaustive search as illustrated here
   makes no more sense than with other cryptosystems. */
#define EAVESDROPPER_NB_OF_ATTEMPTS (40)
static int count_samples;
static int count_successes;

/* ---------------- eavesdropper_opportunity ---------------- */
static void eavesdropper_opportunity(unsigned int S_
                                    ,unsigned int S__
                                    ,unsigned int xA_B
                                    ,unsigned int xt)
/* nota bene: this function spoils the global variable resp_secret_bit_string */
{
    int i;
    count_samples++;
    for (i=0;i<EAVESDROPPER_NB_OF_ATTEMPTS;i++) {
        if (xt==responder_procedures(S_,S__,xA_B)) {
            count_successes++;
            break;
        }
    }
}

/* ********************************************************
   Code for the Adversary role in the Secret Key Exchange
   ******************************************************** */
/* The adversary knows some algorithm to find the prime factors of N
   from information he hopes to gather using the following attack.
   Only the first step of the information search is illustrated. The
   next step of the information gathering process is to eavesdrop
   (either actively or passively) the subsequent cryptographic
   exchanges and extract some hints about the shared bit string. A
   successful information gathering attack is an extremely remote
   possibility if the adversary process is considered during the
   cryptographic application design.
   By contrast with the Blum-Goldwasser probabilistic encryption
   cryptosystem, this one has two advantages for this type of adversary:
   1) there is a bit shuffling test to detect most information
      gathering attempts,
   2) the resulting bit string is not used to encipher a message
      directly, but as secret cryptosystem keys, MAC initial vectors,
      challenge data to be signed, and so on (none of which should
      disclose any bit of the bit string). */

/* ---------------- adversary_procedures ---------------- */
/* the adversary ignores the first message (S_, S__, xA_B) altogether */
static unsigned int adversary_procedures(unsigned int S_
                                        ,unsigned int S__
                                        ,unsigned int xA_B)
{
    unsigned int xt_pred; /* xt predecessor */
    do {
        xt_pred = linear_distribution(2,N-2);
    } while (not( (gcd(xt_pred,N)==1)
                  and(mult_modulo(xt_pred,xt_pred,N)!=1)
                  /* and other mathematical criteria such as Jacobi symbol */
                ));
    return mult_modulo(xt_pred,xt_pred,N);
}

/* ********************************************************
   Code for the Initiator (user A) in the Secret Key Exchange
   ******************************************************** */
/* contents of the first message */ /* #301 */
static unsigned int xA_B;/* main item in first message sent */
static unsigned int S_
                   ,S__; /* dynamically selected parameters S' and S'' */
/* the resulting jointly determined, secret, shared, and unique bit
   string as computed by the initiator, user A (one bit per byte) */
static char init_secret_bit_string[L]; /* #105 */
/* the private prime factors P and Q */
static unsigned int P, Q;
/* pre-computed values to make computations more efficient */
static unsigned int a_P, b_Q, alpha, beta;
/* internal variables: the four possible values for B's x */
static unsigned int e,f,g,h;

/* ---------------- initiator_pre_computations ---------------- */

static void initiator_pre_computations(void)
{
    assert((P*Q)==N);
    /* Find a, b such that a*P + b*Q = 1.
       Since further computations are modulo N, "scale" signed a and b
       into positive numbers:
         (b*Q*mu + a*P*nu) mod N
       = ( b*Q*mu + a*P*nu ) mod N
       = ( (b*Q)*mu mod N +(a*P)*nu mod N) mod N
       = ( (b*Q mod N)*mu mod N +(a*P mod N)*nu mod N) mod N
       = ((b*Q mod (P*Q))*mu mod N + (a*P mod (Q*P))*nu mod N) mod N
       = ( ((b mod P)*Q)*mu mod N + ((a mod Q)*P)*nu mod N) mod N
             pre-computed b_Q            pre-computed a_P          */
    {
        int a, b;
        generalized_euclid(P,Q,&a,&b);
        assert((a*P+b*Q)==1);
        b_Q = number_theoretic_mod(b,P)*Q;
        a_P = number_theoretic_mod(a,Q)*P;
    }
    /* exponents taking t+1 quadratic-residue square roots at once */
    alpha=expmod((P+1)/4,t+1,P-1);
    beta =expmod((Q+1)/4,t+1,Q-1);
}
/* ---------------- initiator step 101 ---------------- */
static void initiator_step_101(void) /* #101 */
{
    /* This function illustrates implementation decisions about S' and
       S'' parameters. Obviously, these should not be taken as
       recommended practice. */
    /* select parameter S'' among 19,21,23,25 with respective
       probabilities 1/7, 2/7, 2/7, 2/7 */
    S__=linear_distribution(19,25);
    S__=S__|1; /* makes it odd */
    /* select parameter S' as a multiple of 17, between 17 and N/S'' */
    {
        unsigned int min = 17;
        unsigned int max = N/S__;
        if (max<min) max=min;
        S_ =17*linear_distribution(min/17,max/17);
    }
    assert((S__*S_)<N);
    xA_B = linear_distribution(0,S__-1);
}

/* ---------------- inverse x**2**(-(t+1)) mod N ---------------- */

/* sets the globals e, f, g, h (the four square roots of x0) and
   returns x0 = e**2 mod N */
static unsigned int inverse_x_2_t_1_mod_N(unsigned int xt) /* #102 */
{
    unsigned int mu=expmod((xt mod P),alpha,P);
    unsigned int nu=expmod((xt mod Q),beta ,Q);

    e=(b_Q*mu +a_P*nu) mod N;
    f=(b_Q*(P-mu)+a_P*nu) mod N;
    g=(b_Q*mu +a_P*(Q-nu)) mod N;
    h=(b_Q*(P-mu)+a_P*(Q-nu)) mod N;
    assert( (mult_modulo(e,e,N)==mult_modulo(f,f,N))
            and(mult_modulo(f,f,N)==mult_modulo(g,g,N))
            and(mult_modulo(g,g,N)==mult_modulo(h,h,N)) );
    return mult_modulo(e,e,N);
}
/* ---------------- bit shuffling test ---------------- */
static int bit_shuffling_test(void) /* #103 */
/* returns non-zero when adversary attack detected */
{
    return (not( (xA_B==(e/S_)mod S__)
                 or(xA_B==(f/S_)mod S__)
                 or(xA_B==(g/S_)mod S__)
                 or(xA_B==(h/S_)mod S__) ) );
}
/* ---------------- initiator steps 102 onwards ---------------- */

static int initiator_steps_102_onwards(unsigned int xt)
/* returns non-zero when adversary attack detected */
{
    unsigned int xi = inverse_x_2_t_1_mod_N(xt); /* #102 */
    int i_t;
    if (bit_shuffling_test()) /* #103 */
        return 1;
    for (i_t=0; i_t<t; i_t++) {
        int i_bit;
        for (i_bit=0;i_bit<k;i_bit++) /* #105 */
        {
            init_secret_bit_string[i_t*k+i_bit]
                = (xi&(1<<i_bit))!=0;
        }
        xi = mult_modulo(xi,xi,N); /* #104 */
    }
    if (xt!=xi) {
        return 2; /* most probably the xt selected by the adversary
                     was not relatively prime with N */
    }
    return 0;
}
/* ********************************************************
   Main program section
   ******************************************************** */
#define DUPL_SAMPLE_SIZE (100)
#define ADVERSARY_SAMPLE_SIZE (100)
static int cmp_strings(const void *a, const void *b)
/* defined here for a function argument to qsort function */
{
    return memcmp(a,b,L);
}

/* ---------------- print_bit_string ---------------- */
static void print_bit_string(char *bit_string)
{
    /* packing and printing bits from an array */
    int i;
    int v = 0;
    for (i=0;i<L;i++) {
        if (0==(i mod 8)) v = 0;
        if (bit_string[i]) v = v | (1<<(7-(i mod 8)));
        if (7==(i mod 8)) printf("%2.2X",v);
    }
    if (0!=(i mod 8)) printf("%2.2X",v);
}

/* ************************************************************************
 * The main program itself
 * ************************************************************************ */
int main(void)
{
    int i_param;
    /* ---------------- Preprocessing of parameters ---------------- */
    static struct {unsigned int P_sample, Q_sample; }
    spec_numbers[]=
    /* all special numbers of the prescribed forms where N<2**16, P * Q = N,
       Ref. Blum Blum Shub, theorem 8 */
    {{47 , 359}/*16873*/
    ,{23 , 719}/*16537*/
    ,{23 , 359}/* 8257*/
    ,{47 , 167}/* 7849*/
    ,{23 , 167}/* 3841*/
    ,{47 , 23}/* 1081*/
    };
    /* n.b. 2 is a quadratic residue with respect to (47-1)/2 and (719-1)/2,
       so all these N should give optimum periods */
    for (i_param=0 ;i_param<2 /* first two entries of spec_numbers */
                   ;i_param++) {
        int i;
        P = spec_numbers[i_param].P_sample;
        Q = spec_numbers[i_param].Q_sample;
        N = P*Q;
        count_samples=0;   /* for eavesdropper success rate statistic */
        count_successes=0;
        initiator_pre_computations();
        printf("\nTest results using the above program\n"
               "with the x**2 mod %d generator\n\n",N);

        /* ---------------- A small number of trial runs with printout ---------------- */
        for (i=0;i<4;i++) {
            unsigned int xt;
            initiator_step_101();                       /* #101 */
            /* the first message is S_, S__, xA_B         #301 */
            xt=responder_procedures(S_,S__,xA_B);       /* #201 to #204 */
            /* the second message is xt                   #302 */
            if (initiator_steps_102_onwards(xt))        /* #102 to #105 */
                { assert(0); } /* an honest responder must never be rejected */
            assert(!memcmp(init_secret_bit_string,resp_secret_bit_string,L));
            printf("Sample %d, secret bit string: ",i+1);
            print_bit_string(resp_secret_bit_string);
            printf("\n");
            eavesdropper_opportunity(S_,S__,xA_B,xt);
        }

        /* ---------------- A larger sample for accumulating statistics ---------------- */
        {
            static char sample_bit_strings[DUPL_SAMPLE_SIZE][L];
            int count_duplicates;
            for (i=0;i<DUPL_SAMPLE_SIZE;i++) {
                unsigned int xt;
                initiator_step_101();                   /* #101 */
                /* the first message is S_, S__, xA_B     #301 */
                xt=responder_procedures(S_,S__,xA_B);   /* #201 to #204 */
                /* the second message is xt               #302 */
                if (initiator_steps_102_onwards(xt))    /* #102 to #105 */
                    { assert(0); }
                assert(!memcmp(init_secret_bit_string,resp_secret_bit_string,L));
                memcpy(sample_bit_strings[i],init_secret_bit_string,L);
                eavesdropper_opportunity(S_,S__,xA_B,xt);
            }
            qsort(sample_bit_strings,DUPL_SAMPLE_SIZE,L,cmp_strings);
            count_duplicates=0;
            for (i=1;i<DUPL_SAMPLE_SIZE;i++) {
                if (0==memcmp(sample_bit_strings[i-1]
                             ,sample_bit_strings[i],L)) {
                    count_duplicates++;
                    printf("Duplicate secret bit string: ");
                    print_bit_string(sample_bit_strings[i]);
                    printf("\n");
                }
            }
            printf("Found %d duplicates in %d samples\n"
                   ,count_duplicates,DUPL_SAMPLE_SIZE);
        }

        printf("Eavesdropping was successful %d times "
               "out of %d opportunities\n"
               ,count_successes,count_samples);

        /* ---------------- Countering the attack of a "sophisticated" adversary ---------------- */
        {
            int count_detect_1=0, count_detect_2=0;
            for (i=0;i<ADVERSARY_SAMPLE_SIZE;i++) {
                unsigned int xt;
                initiator_step_101();                   /* #101 */
                /* the first message is S_, S__, xA_B     #301 */
                xt=adversary_procedures(S_,S__,xA_B);   /* unknown proc? */
                /* the second message is xt               #302 */
                switch(initiator_steps_102_onwards(xt)) /* #102 ... */
                {
                case 0: /* undetected attack: the adversary could, if this were
                           a general purpose probabilistic encryption application,
                           gather some useful information to factorize N */
                    break;
                case 1:
                    count_detect_1++; break;
                case 2:
                    count_detect_2++; break;
                default:
                    assert(0);
                };
            }
            printf("Out of %d attacks, %d were detected (%d special)\n"
                   ,ADVERSARY_SAMPLE_SIZE
                   ,count_detect_1+count_detect_2 ,count_detect_2 );
        }

        /* ---------------- Reaction to a non-sense responder action ---------------- */
        {
            /* This test is similar to the previous one, but simply intended to
               check for any bug when the responder gives an xt response which is
               not mathematically conforming (either a number not relatively prime
               with N or a number which is not a quadratic residue modulo N) */
            int count_detect_1=0, count_detect_2=0;
            for (i=0;i<ADVERSARY_SAMPLE_SIZE;i++) {
                unsigned int xt;
                initiator_step_101();                   /* #101 */
                /* the first message is S_, S__, xA_B     #301 */
                xt=linear_distribution(2,N-2);          /* non-sense is random */
                /* the second message is xt               #302 */
                switch(initiator_steps_102_onwards(xt)) /* #102 ... */
                {
                case 0:
                    break;
                case 1:
                    count_detect_1++; break;
                case 2:
                    count_detect_2++; break;
                default:
                    assert(0);
                };
            }
            printf("Out of %d dumb responses, %d were detected "
                   "(%d special)\n"
                   ,ADVERSARY_SAMPLE_SIZE
                   ,count_detect_1+count_detect_2 ,count_detect_2 );
        }
    }
    return EXIT_SUCCESS;
}

Test results using the above program
with the x**2 mod 16873 generator

Sample 1, secret bit string: 44719864F65C4DF0B0F1CEEC972BC709
Sample 2, secret bit string: D23D79EDAC8C987389237097AEEF8C46
Sample 3, secret bit string: BC9CBF019C9E1BA4EA1F81721EBD5B77
Sample 4, secret bit string: CEB4A81173C0956818EB28A31E581D35
Duplicate secret bit string: 68F4CF8BBA09C8B4A617E5416D1CBBE1
Found 1 duplicates in 100 samples
Eavesdropping was successful 3 times out of 104 opportunities
Out of 100 attacks, 78 were detected (0 special)
Out of 100 dumb responses, 94 were detected (9 special)

Test results using the above program
with the x**2 mod 16537 generator

Sample 1, secret bit string: 71A7A3465BC111070BC0BD5F99D8063E
Sample 2, secret bit string: 5CEA600083195E0A373007722CA73282
Sample 3, secret bit string: 51C42FEA973C351BD58B1179C503BBF5
Sample 4, secret bit string: 7F32E95F3D7AD10047729566697AB3BB
Duplicate secret bit string: DEBAAC69FCE3F200DDDC7798FDF4A236
Duplicate secret bit string: F32E8EAB5D34F070CE6395BB8642F555
Found 2 duplicates in 100 samples
Eavesdropping was successful 8 times out of 104 opportunities
Out of 100 attacks, 81 were detected (0 special)
Out of 100 dumb responses, 95 were detected (12 special)

Claims (16)

1. A method for cryptographic communication between a first data processor in communication with a second data processor using a jointly determined, secret, shared, and unique encryption key, the method comprising the steps of:
a) providing some first arbitrary information at both said first processor and said second processor, said first arbitrary information being determined by said first processor to be sufficiently unique;
b) determining at said second processor a first value using in part said first arbitrary information and in part second arbitrary information known only to said second processor, in such a manner that a use of said first arbitrary information in determining said first value can be confirmed by analysis without knowing said second arbitrary information;
c) generating at said second processor a sequence of values starting with said first value using a pseudo-random, unpredictable-to-the-left, trap-door one-way function for which said first processor knows a private key for determining preceding values of said sequence;
d) sending from said second processor to said first processor a message including a second value from said sequence;
e) determining at said first processor at least one value for said first value using said private key and said second value;
f) confirming at said first processor that said at least one first value was determined using in part said first arbitrary information;
g) generating said encryption key using at least a part of said sequence other than said second value at said second processor and generating a same said encryption key at said first processor; and
h) communicating data between said first processor and said second processor using said encryption key if said confirming in said step (f) is positive.
2. The method as claimed in claim 1, wherein said step (a) comprises selecting said first arbitrary information at said first processor and sending said first arbitrary information to said second processor.
3. The method as claimed in claim 1 or 2, wherein said step (b) comprises bit shuffling said first and said second arbitrary information.
4. The method as claimed in claim 3, wherein said step (a) further comprises sending at least one shuffling parameter in addition to said first arbitrary information, and said bit shuffling is carried out using said at least one shuffling parameter.
5. The method as claimed in claim 1, 2 or 4, wherein said function used in said step (c) is an x^2 mod N function, wherein N is a large number having factors P and Q, said factors P and Q being known to said first processor and constituting said private key.
6. The method as claimed in claim 5, wherein P and Q are two distinct prime numbers, each of said prime numbers giving 3 as a remainder when divided by 4.
7. The method as claimed in claim 3, wherein said function used in said step (c) is an x^2 mod N function, wherein N is a large number having factors P and Q, said factors P and Q being known to said first processor and constituting said private key.
8. The method as claimed in claim 7, wherein P and Q are two distinct prime numbers, each of said prime numbers giving 3 as a remainder when divided by 4.
9. The method as claimed in claim 1, wherein said second value is a final value of said sequence, said encryption key being generated using all values of said sequence except said final value.
10. The method as claimed in claim 1 or 9, wherein said encryption key comprises a bit string composed of a key function of at least some of said sequence of values, said key function being mod 2^k, where k is a number of least significant bits to be retained from each value of said sequence of values.
11. An apparatus for cryptographic communication with a first data processor using a jointly determined, secret, shared, and unique encryption key, comprising a second data processor including:
means for communicating with said first processor;
means for calculating a sequence of values starting with a first value using a pseudo-random, unpredictable-to-the-left, trap-door one-way function for which said first processor knows a private key for determining preceding values of said sequence;
means for generating second arbitrary information and determining said first value using in part some first arbitrary information and in part said second arbitrary information known only to said second processor, in such a manner that a use of said first arbitrary information in determining said first value can be confirmed by analysis without knowing said second arbitrary information, said first arbitrary information being at least one of generated by said second processor, transmitted to said first processor and then confirmed as being acceptable by said first processor, and being generated by said first processor and then sent to said second processor;
means for transmitting a second value from said sequence to said first processor;
means for generating said encryption key using at least a part of said sequence other than said second value; and
means for encrypting and decrypting data using said encryption key, whereby creation of said sequence and said encryption key in said second processor is relatively easy to compute, while confirmation of said first value containing said first arbitrary information starting with said second value is relatively compute intensive, thus allowing said encryption key to be mutually and secretly determined using a first value which is in part arbitrarily determined by said second processor alone and without requiring said apparatus to possess significant computing power.
12. The apparatus as claimed in claim 11, wherein said means for generating and determining carry out bit shuffling of said first and said second arbitrary information.
13. The apparatus as claimed in claim 11, wherein said function used in said calculating means is an x^2 mod N function, wherein N is a large number having factors P and Q, said factors P and Q being known to said first processor and constituting said private key.
14. The apparatus as claimed in claim 13, wherein P and Q are two distinct prime numbers, each of said prime numbers giving 3 as a remainder when divided by 4.
15. The apparatus as claimed in claim 11, wherein said second value is a final value of said sequence, said encryption key being generated using all values of said sequence except said final value.
16. The apparatus as claimed in claim 11,12,13,14 or 15, wherein said apparatus is provided in a smart card.
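As an added example (not the patent's own program), the following Python code runs the method of claims 1, 5, 6, 9 and 10 with the first modulus tested above (P = 47, Q = 359, N = 16873): the responder embeds the initiator's nonce S in x0, squares t times and sends only x_t; the initiator, holding P and Q, walks the sequence backwards through principal square roots and accepts a candidate x0 only if it carries S and re-squares to x_t, which is the detection the test program above relies on. The shuffle x0 = r<<8 | S, the 8-bit S, t = 64 and k = 2 are assumptions, not values from the patent.

```python
from math import gcd

S_BITS, T, K = 8, 64, 2   # assumed: 8-bit nonce S, t = 64 squarings, k = 2 bits kept per value

def responder_first_value(S, r, N):
    """Claim 1(b)/3, assumed shuffle x0 = r<<8 | S: S can be read from x0 without r."""
    x0 = (r << S_BITS) | S
    if not 1 < x0 < N - 1 or gcd(x0, N) != 1:
        raise ValueError("retry with another r")   # the sequence would degenerate
    return x0

def forward_sequence(x0, N, t=T):
    """Claim 1(c): x_{i+1} = x_i**2 mod N; returns [x0, ..., xt]."""
    xs = [x0]
    for _ in range(t):
        xs.append(xs[-1] * xs[-1] % N)
    return xs

def key_from_sequence(xs, k=K):
    """Claims 9/10: concatenate the k low bits of every value except the final one."""
    bits = 0
    for x in xs[:-1]:
        bits = (bits << k) | (x & ((1 << k) - 1))
    return bits.to_bytes(((len(xs) - 1) * k + 7) // 8, "big")

def square_roots(x, P, Q):
    """Trapdoor of claims 5/6: for P, Q = 3 (mod 4), a**((p+1)//4) is the root that is
    itself a residue, so roots[0] is the value that precedes a residue x in the sequence."""
    rp, rq = pow(x % P, (P + 1) // 4, P), pow(x % Q, (Q + 1) // 4, Q)
    return [(sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % (P * Q)   # CRT
            for sp in (rp, P - rp) for sq in (rq, Q - rq)]

def initiator_recover(xt, S, P, Q, t=T):
    """Claim 1(e)-(f): walk back to x1 through principal roots, then test the four
    candidates for x0. Returns the key, or None when no candidate both embeds S and
    re-squares to xt (the same checks as steps #102-#105 of the program above)."""
    x = xt
    for _ in range(t - 1):
        x = square_roots(x, P, Q)[0]
    for x0 in square_roots(x, P, Q):
        if (x0 & ((1 << S_BITS) - 1)) == S:
            xs = forward_sequence(x0, P * Q, t)
            if xs[-1] == xt:
                return key_from_sequence(xs)
    return None

def run_protocol(S, r, P, Q):
    """One exchange; returns (responder key, initiator key), equal on success."""
    xs = forward_sequence(responder_first_value(S, r, P * Q), P * Q)  # #302 carries xs[-1]
    return key_from_sequence(xs), initiator_recover(xs[-1], S, P, Q)
```

Feeding N-1 as x_t (a non-residue mod P since P = 3 mod 4) makes initiator_recover return None, the case the "dumb responses" statistics above count as detected.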
Priority and family

Application number: CA002156780A
Priority date: 1995-08-23
Filing date: 1995-08-23
Publication: CA2156780A1 (en), published 1995-09-23
Family ID: 4156481
Country: CA, CA2156780A1 (en)
Title: Apparatus and method for cryptographic system users to obtain a jointly determined, secret, shared and unique bit string
Status: Abandoned

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6061791A (en) * 1997-05-09 2000-05-09 Connotech Experts-Conseils Inc. Initial secret key establishment including facilities for verification of identity
CN102520908A (en) * 2011-12-20 2012-06-27 大唐微电子技术有限公司 Pseudo-random number generator and pseudo-random number generating method
CN102520908B (en) * 2011-12-20 2015-04-29 大唐微电子技术有限公司 Pseudo-random number generator and pseudo-random number generating method


Legal Events

Date Code Title Description
FZDE Discontinued