Lecture Notes in Computer Science 2551
Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

Alfred Menezes, Palash Sarkar (Eds.)

Progress in Cryptology – INDOCRYPT 2002
Third International Conference on Cryptology in India
Hyderabad, India, December 16-18, 2002
Proceedings

Springer-Verlag Berlin Heidelberg New York

Series Editors: Gerhard Goos, Karlsruhe University, Germany; Juris Hartmanis, Cornell University, NY, USA; Jan van Leeuwen, Utrecht University, The Netherlands

Volume Editors:
Alfred Menezes, University of Waterloo, Department of Combinatorics and Optimization, Waterloo, Ontario, Canada N2L 3G1
Palash Sarkar, Indian Statistical Institute, Applied Statistics Unit, 203, B.T. Road, Kolkata 700108, India

CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1-2, C.2
ISSN 0302-9743
ISBN 3-540-00263-4 Springer-Verlag Berlin Heidelberg New York
© Springer-Verlag Berlin Heidelberg 2002. Printed in Germany. Typesetting: camera-ready by author, data conversion by DA-TeX Gerd Blumenstein.
Preface
The third successful completion of the INDOCRYPT conference series marks the acceptance of the series by the international research community as a forum for presenting high-quality research. It also marks the coming of age of cryptology research in India. The authors of the submitted papers were spread across 21 countries and 4 continents, which goes a long way to demonstrate the international interest and visibility of INDOCRYPT. In the previous two conferences, the submissions from India originated from only two institutes; this increased to six for the 2002 conference. Thus INDOCRYPT is well set on the path to achieving two main objectives: to provide an international platform for presenting high-quality research and to stimulate cryptology research in India.

The opportunity to serve as a program co-chair for the third INDOCRYPT carries a special satisfaction for the second editor. Way back in 1998, the scientific analysis group of DRDO organized a National Seminar on Cryptology and abbreviated it as NSCR. On attending the seminar, the second editor suggested that the conference name be changed to INDOCRYPT. It is nice to see that this suggestion was taken up, giving us the annual INDOCRYPT conference series. Of course, the form, character, and execution of the conference series was the combined effort of the entire Indian cryptographic community under the dynamic leadership of Bimal Roy.

There were 75 submissions to INDOCRYPT 2002, out of which one was withdrawn and 31 were accepted. The invited talks were especially strong. Vincent Rijmen of AES fame gave a lecture on the design strategy for the recently accepted AES standard. Manindra Agrawal, Neeraj Kayal, and Nitin Saxena recently achieved a breakthrough by obtaining a polynomial time deterministic algorithm for primality testing. This was presented at an invited talk by the authors. GuoZhen Xiao, an eminent researcher in the theory of sequences and Boolean functions, presented a lecture on efficient algorithms for computing the linear complexity of sequences.

The reviewing process for INDOCRYPT was very stringent and the schedule was very tight. The program committee did an excellent job in reviewing the papers and selecting the final papers for presentation. These proceedings include the revised versions of the selected papers. Revisions were not checked and the authors bear the full responsibility for the contents of the respective papers. Program committee members were assisted in the review process by external reviewers. The list of external reviewers is included in the proceedings. Our thanks go to all the program committee members and the external reviewers who put in their valuable time and effort in providing important feedback to the authors.

Organizing the conference involved many individuals. We would like to thank the general chairs V.P. Gulati and M. Vidyasagar for taking care of the actual hosting of the conference. They were ably assisted by the organizing committee, whose names are included in the proceedings. Additionally, we would like to thank Kishan Chand Gupta, Sandeepan Chowdhury, Subhasis Pal, and Amiya Kumar Das for substantial help on different aspects of putting together this proceedings in its final form. Finally we would like to thank Springer-Verlag for active cooperation and timely production of the proceedings.
December 2002
Alfred Menezes Palash Sarkar
Organization

INDOCRYPT 2002 was organized by the Institute for Development and Research in Banking Technology (IDRBT) and is an annual event of the Cryptology Research Society of India.

General Co-chairs
Ved Prakash Gulati, IDRBT, Hyderabad, India
M. Vidyasagar, Tata Consultancy Services, Hyderabad, India

Program Co-chairs
Alfred Menezes, University of Waterloo, Canada
Palash Sarkar, Indian Statistical Institute, India

Program Committee
Akshai Aggarwal, University of Windsor, Canada
Manindra Agrawal, Indian Institute of Technology, India
V. Arvind, Institute of Mathematical Sciences, India
Simon Blackburn, Royal Holloway, University of London, UK
Colin Boyd, Queensland University of Technology, Australia
ZongDuo Dai, Academia Sinica, China
Anand Desai, NTT MCL, USA
Ved Prakash Gulati, IDRBT, India
Anwar Hasan, University of Waterloo, Canada
Sushil Jajodia, George Mason University, USA
Charanjit Jutla, IBM, USA
Andrew Klapper, University of Kentucky, USA
Neal Koblitz, University of Washington, USA
Kaoru Kurosawa, Ibaraki University, Japan
Chae Hoon Lim, Sejong University, Korea
Subhamoy Maitra, Indian Statistical Institute, India
C.E. Veni Madhavan, Indian Institute of Science, India
Alfred Menezes, University of Waterloo, Canada
Rei Safavi-Naini, University of Wollongong, Australia
David Pointcheval, ENS Paris, France
Bart Preneel, Katholieke Universiteit Leuven, Belgium
A.K. Pujari, University of Hyderabad, India
Jaikumar Radhakrishnan, Tata Institute of Fundamental Research, India
Bimal Roy, Indian Statistical Institute, India
Palash Sarkar, Indian Statistical Institute, India
Vijay Varadharajan, Macquarie University, Australia
Stefan Wolf, University of Montreal, Canada
Chaoping Xing, National University of Singapore, Singapore
Amr Youssef, Cairo University, Egypt

Organizing Committee
S. Sankara Subramanian, IDRBT, India
Rajesh Nambiar, TCS, India
V. Visweswar, IDRBT, India
Ashutosh Saxena, IDRBT, India
V. Ravi Sankar, IDRBT, India
B. Kishore, TCS, India

External Referees
Kazumaro Aoki, Alexandra Boldyreva, Shiping Chen, Olivier Chevassut, Sandeepan Choudhury, Tanmoy K. Das, Matthias Fitzi, Steven Galbraith, Sugata Gangopadhyaya, Craig Gentry, Indivar Gupta, Alejandro Hevia, Michael Jacobs, Rahul Jain, Shaoquan Jiang, Meena Kumari, Yingjiu Li, Sin'ichiro Matsuo, Mridul Nandi, Laxmi Narain, Satomi Okazaki, Kapil Hari Paranjape, Rajesh Pillai, Matt Robshaw, Selwyn Russell, Takeshi Shimoyama, M.C. Shrivastava, Jason Smith, Alain Tapp, Ayineedi Venkateswarlu, Lingyu Wang, Bogdan Warinschi, Yiqun Lisa Yin, Sencun Zhu

Sponsoring Institutions
Acer India Pvt. Ltd., Bangalore
Cisco Systems India Pvt. Ltd., New Delhi
e-commerce magazine, New Delhi
HP India, New Delhi
IBM India Ltd., Bangalore
Infosys Technologies Ltd., Bangalore
Rainbow Information Technologies Pvt. Ltd., New Delhi
Society for Electronic Transactions and Security, New Delhi
Tata Consultancy Services, Mumbai
Table of Contents

Invited Talks
Security of a Wide Trail Design (Joan Daemen and Vincent Rijmen), 1
Fast Algorithms for Determining the Linear Complexity of Period Sequences (Guozhen Xiao and Shimin Wei), 12

Symmetric Ciphers
A New Class of Stream Ciphers Combining LFSR and FCSR Architectures (François Arnault, Thierry P. Berger, and Abdelkader Necer), 22
Slide Attack on Spectr-H64 (Selçuk Kavut and Melek D. Yücel), 34
On Differential Properties of Pseudo-Hadamard Transform and Related Mappings (Extended Abstract) (Helger Lipmaa), 48

New Public-Key Schemes
A Variant of NTRU with Non-invertible Polynomials (William D. Banks and Igor E. Shparlinski), 62
Tree Replacement and Public Key Cryptosystem (S.C. Samuel, D.G. Thomas, P.J. Abisha, and K.G. Subramanian), 71

Foundations
Never Trust Victor: An Alternative Resettable Zero-Knowledge Proof System (Olaf Müller and Michael Nüsken), 79
Asynchronous Unconditionally Secure Computation: An Efficiency Improvement (B. Prabhu, K. Srinathan, and C. Pandu Rangan), 93

Public-Key Infrastructures
QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI) (Ravi Mukkamala), 108
Towards Logically and Physically Secure Public-Key Infrastructures (Kapali Viswanathan and Ashutosh Saxena), 122

Fingerprinting and Watermarking
Cryptanalysis of Optimal Differential Energy Watermarking (DEW) and a Modified Robust Scheme (Tanmoy Kanti Das and Subhamoy Maitra), 135
A 2-Secure Code with Efficient Tracing Algorithm (Vu Dong Tô, Reihaneh Safavi-Naini, and Yejing Wang), 149
Reed Solomon Codes for Digital Fingerprinting (Ravi Sankar Veerubhotla, Ashutosh Saxena, and Ved Prakash Gulati), 163

Public-Key Protocols
A Note on the Malleability of the El Gamal Cryptosystem (Douglas Wikström), 176
Authentication of Concast Communication (Mohamed Al-Ibrahim, Hossein Ghodosi, and Josef Pieprzyk), 185
Self-certified Signatures (Byoungcheon Lee and Kwangjo Kim), 199
Identity Based Authenticated Group Key Agreement Protocol (K.C. Reddy and D. Nalla), 215

Boolean Functions
Construction of Cryptographically Important Boolean Functions (Soumen Maity and Thomas Johansson), 234
Evolving Boolean Functions Satisfying Multiple Criteria (John A. Clark, Jeremy L. Jacob, Susan Stepney, Subhamoy Maitra, and William Millan), 246
Further Results Related to Generalized Nonlinearity (Sugata Gangopadhyay and Subhamoy Maitra), 260

Efficient and Secure Implementations
Modular Multiplication in GF(p^k) Using Lagrange Representation (Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre), 275
Speeding up the Scalar Multiplication in the Jacobians of Hyperelliptic Curves Using Frobenius Map (YoungJu Choie and Jong Won Lee), 285
Improved Elliptic Curve Multiplication Methods Resistant against Side Channel Attacks (Tetsuya Izu, Bodo Möller, and Tsuyoshi Takagi), 296

Applications
The Design and Implementation of Improved Secure Cookies Based on Certificate (Jong-Phil Yang and Kyung-Hyune Rhee), 314
A Certified E-mail System with Receiver's Selective Usage of Delivery Authority (Kenji Imamoto and Kouichi Sakurai), 326
Spending Offline Divisible Coins with Combining Capability (Eikoh Chida, Yosuke Kasai, Masahiro Mambo, and Hiroki Shizuya), 339
Efficient Object-Based Stream Authentication (Yongdong Wu, Di Ma, and Changsheng Xu), 354

Anonymity
The Security of a Mix-Center Based on a Semantically Secure Cryptosystem (Douglas Wikström), 368
New Identity Escrow Scheme for Anonymity Authentication (Yong-Ho Lee, Im-Yeong Lee, and Hyung-Woo Lee), 382

Secret Sharing and Oblivious Transfer
On Unconditionally Secure Distributed Oblivious Transfer (Ventzislav Nikov, Svetla Nikova, Bart Preneel, and Joos Vandewalle), 395
Non-perfect Secret Sharing over General Access Structures (K. Srinathan, N. Tharani Rajan, and C. Pandu Rangan), 409
On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure (Ventzislav Nikov, Svetla Nikova, Bart Preneel, and Joos Vandewalle), 422

Author Index, 437
Security of a Wide Trail Design

Joan Daemen (1) and Vincent Rijmen (2,3)

1 ERG Group — ProtonWorld, Belgium
2 Cryptomathic, Belgium
3 IAIK, Graz University of Technology, Austria
Abstract. The wide trail design strategy claims to design ciphers that are both efficient and secure against linear and differential cryptanalysis. Rijndael, the AES, was designed along the principles of this strategy. We survey the recent results on Rijndael and examine whether the design strategy has fulfilled its promise.
1 Introduction

In October 2000, the US National Institute of Standards and Technology (NIST) announced that Rijndael had been selected as the Advanced Encryption Standard (AES). Since then, Rijndael has probably become the best-known block cipher designed according to the wide trail design strategy. The findings obtained as a result of the increased attention devoted to Rijndael allow us to evaluate the soundness of the wide trail design strategy. In Section 2, we present briefly the principles of the wide trail design strategy. The resulting security and performance are explained in Section 3 and Section 4. Subsequently, in Section 5 we give an overview of the most important cryptanalysis performed on Rijndael since its submission to the AES process. In Section 6, we discuss the improvements in performance of dedicated hardware implementations. This paper doesn't contain a full description of Rijndael. For a complete specification, we refer the reader to [DR02a].
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 1–11, 2002. © Springer-Verlag Berlin Heidelberg 2002

2 The Wide Trail Design Strategy

The wide trail design strategy can be used to design a variety of symmetric cryptographic primitives such as hash functions, stream ciphers and block ciphers. Its best known application is the design of Rijndael, which is an example of a particular class of block ciphers, the key-alternating block ciphers. A key-alternating block cipher is an iterative block cipher with the following properties:
– Alternation: the cipher is defined as the alternated application of key-independent round transformations and the application of a round key. The first round key is applied before the first round and the last round key is applied after the last round.
– Binary Key Addition: the round keys are applied by means of a simple XOR: to each bit of the intermediate state a round key bit is XORed.

In the following, we will explain the principles of the wide trail design strategy, applied to the design of key-alternating block ciphers. In the wide trail strategy, the round transformations are composed of two invertible steps:
– γ: a local non-linear transformation. By local, we mean that any output bit depends on only a limited number of input bits and that neighboring output bits depend on neighboring input bits.
– λ: a linear mixing transformation providing high diffusion. What is meant by high diffusion will be explained in the following sections.
We will now discuss both steps in some more detail.

2.1 The Non-linear Step

A typical construction for γ is the so-called bricklayer mapping consisting of a number of invertible S-boxes. In this construction, the bits of the input vector $a$ are partitioned into $n_t$ $m$-bit bundles $a_i \in \mathbb{Z}_2^m$ by the so-called bundle partition. The block size of the cipher is given by $n_b = m n_t$. In the case of the AES, the bundle size $m$ is 8, hence bundles are bytes. In the early 1990's, many block cipher designs concentrated solely on the design of large nonlinear S-boxes. In contrast, the wide trail strategy imposes very few requirements on the S-box. The only criteria are the upper bound for input-output correlations and the upper bound for the difference propagation. Instead of spending most of the resources on the S-boxes themselves, the wide trail strategy aims at designing the round transformation so that the effect of the S-boxes is maximised. In ciphers designed by the wide trail strategy, a relatively large amount of resources is spent in the linear step to provide high multiple-round diffusion.

2.2 The Linear Steps
The transformation λ combines the bundles linearly: each bundle at the output is a linear function of bundles at the input. λ can be specified at the bit level by a simple $n_b \times n_b$ binary matrix $M$. We have

$$\lambda : b = \lambda(a) \Leftrightarrow b = M a \qquad (1)$$

λ can also be specified at the bundle level. For example, the bundles can be considered as elements in $\mathrm{GF}(2^m)$ with respect to some basis. In most instances a simple linear function is chosen that can be expressed as follows:

$$\lambda : b = \lambda(a) \Leftrightarrow b_i = \sum_j C_{i,j}\, a_j \qquad (2)$$

In the case of the AES, λ is composed of two types of mappings:
– θ: a linear bricklayer mapping that provides high diffusion within 32-bit columns, and
– π: a byte transposition that provides high dispersion between the columns.
By imposing some simple requirements on θ and π, it is possible to achieve both high diffusion and good performance.
3 Security
We assume that the reader is familiar with the principles of differential cryptanalysis [BS91, LMM91, DR02a]. The wide trail design strategy allows upper bounds to be proved on the probability of characteristics. Here characteristics are called trails. Alas, as we explain below, these bounds can't be used to construct a proof of the security against differential cryptanalysis. Subsequently, we explain why restricting the probability of difference propagations remains a sound design strategy.
3.1 Probability of Trails and Difference Propagations
For a successful classical differential cryptanalysis attack, the cryptanalyst needs to know an input difference pattern that propagates to an output difference pattern over all but a few (2 or 3) rounds of the cipher, with a probability that is significantly larger than $2^{1-n_b}$. We call this the difference propagation probability. Clearly, the first step to provable security against differential cryptanalysis is to specify a number of rounds large enough so that all differential trails have a probability below $2^{1-n_b}$. This strategy does not guarantee that there exist no difference propagations with a high probability. In principle, many trails each with a low probability may add up to a difference propagation with high probability.

For every Boolean mapping, every difference pattern at the input must propagate to some difference pattern at the output. There are $2^{n_b}-1$ non-zero output differences. We define a pair to be an unordered set of texts: the pair $\{P_1, P_2\}$ equals the pair $\{P_2, P_1\}$. For a fixed non-zero input difference, there are $2^{n_b-1}$ pairs. Each of the pairs goes to one of the non-zero output differences. For every pair that results in a given output difference, the probability of that output difference increases by $2^{1-n_b}$. Hence, a propagation probability is always a multiple of $2^{1-n_b}$. The sum of the difference propagation probabilities over all possible output differences is 1. Hence, there must be difference propagations with a difference propagation probability equal to or larger than $2^{1-n_b}$.

It is commonly accepted that a strong block cipher should behave as a random Boolean permutation for each fixed value of the cipher key. We assume that in a random Boolean permutation, the $2^{n_b-1}$ pairs with a given input difference are distributed over the $2^{n_b}-1$ non-zero output differences according to the Poisson distribution. Then, we expect to find many output differences that occur for more than one pair or, equivalently, many difference propagations with propagation probabilities that are larger than $2^{1-n_b}$.
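The counting argument above can be watched directly on a small random permutation. The following Python is an added example and not part of the paper: it builds a seeded random bijection on 16-bit blocks (a constructed toy size; $n_b$ is 128 for the AES), fixes one input difference, sorts the $2^{n_b-1}$ pairs by the output difference they produce, and compares the fraction of output differences reached by two or more pairs, i.e. with propagation probability above $2^{1-n_b}$, against the Poisson prediction. The function names and the seed are the example's own.

```python
"""Added example (not from the paper): the counting argument of Section 3.1
run on a random permutation of a small block, n_b = 16 bits.

For one fixed non-zero input difference, the 2^(n_b-1) unordered pairs are
sorted by the output difference they produce. If the permutation behaves
randomly, the number of pairs per output difference is Poisson with mean
2^(n_b-1) / (2^n_b - 1), just above 1/2, so a noticeable fraction of the
output differences is hit by two or more pairs, i.e. has propagation
probability above 2^(1-n_b), without any trail structure explaining it.
"""
import math
import random

NB = 16  # constructed toy block size; the argument is the same for 128 bits


def random_permutation(nb, seed):
    """A random bijection on nb-bit values; seeded so the run is repeatable."""
    perm = list(range(1 << nb))
    random.Random(seed).shuffle(perm)
    return perm


def pairs_per_output_difference(perm, din):
    """For each output difference, count the unordered pairs {x, x ^ din}
    whose images differ by it.  counts[dout] / 2^(nb-1) is the difference
    propagation probability of (din -> dout)."""
    n = len(perm)
    counts = [0] * n
    for x in range(n):
        if x < x ^ din:  # visit each unordered pair exactly once
            counts[perm[x] ^ perm[x ^ din]] += 1
    return counts


def propagation_summary(counts):
    """Return (fraction of non-zero output differences reached by >= 2 pairs,
    largest pair count, Poisson prediction for that fraction)."""
    n = len(counts)
    nonzero = counts[1:]  # a permutation never maps a pair to difference 0
    mean = (n // 2) / (n - 1)
    poisson_ge2 = 1 - math.exp(-mean) * (1 + mean)
    frac_ge2 = sum(1 for c in nonzero if c >= 2) / len(nonzero)
    return frac_ge2, max(nonzero), poisson_ge2


if __name__ == "__main__":
    perm = random_permutation(NB, seed=2002)
    counts = pairs_per_output_difference(perm, din=0x0001)
    frac, biggest, predicted = propagation_summary(counts)
    print(f"pairs with input difference 0x0001: {sum(counts)}")
    print(f"output differences hit by >= 2 pairs: {frac:.4f} "
          f"(Poisson prediction {predicted:.4f})")
    print(f"largest propagation probability: {biggest} * 2^{1 - NB}")
```

About nine percent of the non-zero output differences are reached by more than one pair, as the Poisson mean of roughly one half predicts, so propagation probabilities of $2 \cdot 2^{1-n_b}$ and above are the normal state of affairs for an ideal permutation and say nothing about trails.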
3.2 Motivation for the Propagation Probability Bounds
As explained in the previous section, the presence of difference propagations with a 'high' propagation probability can't be avoided by decreasing the probability of trails. We explain here why it still makes sense to make sure that there are no trails with a high probability.

Consider a difference propagation with probability $y$ for a given key value. A difference propagation probability $y$ means that there are exactly $y\,2^{n_b-1}$ pairs of texts with the given input difference pattern and the given output difference pattern. Each of these $y\,2^{n_b-1}$ pairs follows a particular differential trail. We will now examine these trails. For a well-designed cipher, all trails have a low probability, and we can assume that the pairs are distributed over the trails according to a Poisson distribution. In a Poisson distribution, the expected number of pairs that follow a differential trail with propagation probability $2^{-z}$ is $2^{n_b-1-z}$. Consider a differential trail with a propagation probability $2^{-z} \ll 2^{1-n_b}$. A value below $2^{1-n_b}$ for the probability of the trail means that the trail will be followed by a pair for a fraction of the possible keys only. The probability that this trail is followed by more than one pair for the given key value equals approximately $2^{n_b-1-z} \ll 1$ (under the Poisson assumption). Consequently, if there are no differential trails with a propagation probability above $2^{1-n_b}$, the $y\,2^{n_b-1}$ pairs that have the correct input difference pattern and output difference pattern are expected to follow almost $y\,2^{n_b-1}$ different differential trails.

Concluding, if there is no differential trail with a high difference propagation probability, a difference propagation with a relatively large probability is the result of multiple differential trails that are followed by a pair for the given key value. For another key value, each of these individual differential trails may be followed by a pair, or not. This makes predicting the input difference patterns and output difference patterns that have large difference propagation probabilities difficult.
3.3 Proven Bounds
For the AES, we can prove [DR02a] that the number of active S-boxes in a four-round differential trail is at least 25. Since the difference propagation probability over an active S-box is at most $2^{-6}$, the probability of an 8-round differential trail (at least 50 active S-boxes) is below $2^{-300}$. A similar reasoning applies to the case of linear cryptanalysis: the correlation over an active S-box is at most $2^{-3}$ in amplitude, so the amplitude of the correlation contribution of an 8-round linear trail is below $2^{-150}$.
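The following is an added example (it is not from the paper or from the Rijndael reference code) that checks, in Python, the component properties that Sections 2 and 3.3 rely on: it rebuilds the AES S-box from its definition and measures the largest difference-propagation probability and the largest correlation of γ, verifies that the MixColumns matrix of θ is MDS over GF(2^8) (every square minor non-zero, which is what gives the step branch number 5), and turns the proven minimum of 25 active S-boxes per four rounds into the 8-round trail bounds quoted above. The bound of 25 is taken from the paper, not re-proved here; the function and variable names are the example's own.

```python
"""Added example (not from the paper): the AES component properties behind
the wide trail bounds of Section 3.3, checked by direct computation.

gamma: the AES S-box, rebuilt from its definition (inversion in GF(2^8)
       modulo x^8 + x^4 + x^3 + x + 1, then the affine map), and its largest
       difference-propagation probability and largest correlation.
theta: the MixColumns matrix, checked to be MDS over GF(2^8), which is what
       gives it branch number 5 (the ingredient of the 25-active-S-box bound).
The minimum of 25 active S-boxes per four rounds is taken from the paper.
"""
import math
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES reduction polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^254 = a^-1 in GF(2^8) by square-and-multiply; 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def build_sbox():
    """The AES S-box: inversion followed by the affine transformation."""
    sbox = []
    for x in range(256):
        y = gf_inv(x)
        s = y
        for i in range(1, 5):  # y ^ rotl(y,1) ^ rotl(y,2) ^ rotl(y,3) ^ rotl(y,4)
            s ^= ((y << i) | (y >> (8 - i))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = build_sbox()


def max_diff_probability(sbox):
    """Largest difference distribution table entry of the S-box, as a
    probability: the best a single active S-box can contribute to a trail."""
    best = 0
    for din in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ din]] += 1
        best = max(best, max(counts))
    return best / 256


def _walsh(f):
    """In-place fast Walsh-Hadamard transform of a +-1 vector of length 2^n."""
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                u, v = f[j], f[j + h]
                f[j], f[j + h] = u + v, u - v
        h *= 2
    return f


def max_correlation(sbox):
    """Largest |correlation| between an input mask a and an output mask b:
    W[a] = sum_x (-1)^(a.x + b.S(x)) is the Walsh transform of
    x -> (-1)^(b.S(x)), and the correlation is W[a] / 256."""
    best = 0
    for b in range(1, 256):
        w = _walsh([(-1) ** bin(b & sbox[x]).count("1") for x in range(256)])
        best = max(best, max(abs(w[a]) for a in range(1, 256)))
    return best / 256


def gf_det(m):
    """Determinant over GF(2^8) by cofactor expansion; in characteristic 2
    the cofactor signs vanish, so it is a plain XOR of products."""
    if len(m) == 1:
        return m[0][0]
    det = 0
    for j in range(len(m)):
        minor = [row[:j] + row[j + 1:] for row in m[1:]]
        det ^= gf_mul(m[0][j], gf_det(minor))
    return det


def is_mds(m):
    """A square matrix over a field is MDS (branch number n + 1) iff every
    square submatrix is non-singular."""
    n = len(m)
    for k in range(1, n + 1):
        for rows in combinations(range(n), k):
            for cols in combinations(range(n), k):
                sub = [[m[r][c] for c in cols] for r in rows]
                if gf_det(sub) == 0:
                    return False
    return True


MIXCOLUMNS = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]


def trail_bounds(rounds, log2_p_sbox, log2_c_sbox, active_per_4_rounds=25):
    """Upper bounds (as log2) for the probability of a differential trail and
    the correlation amplitude of a linear trail over a multiple of 4 rounds,
    from the proven minimum number of active S-boxes per four rounds."""
    active = active_per_4_rounds * (rounds // 4)
    return active, active * log2_p_sbox, active * log2_c_sbox


if __name__ == "__main__":
    log2_p = math.log2(max_diff_probability(SBOX))  # -6 for the AES S-box
    log2_c = math.log2(max_correlation(SBOX))       # -3 for the AES S-box
    print(f"S-box: max diff. probability 2^{log2_p:.0f}, max correlation 2^{log2_c:.0f}")
    print(f"MixColumns is MDS: {is_mds(MIXCOLUMNS)}")
    active, lp, lc = trail_bounds(8, int(log2_p), int(log2_c))
    print(f"8 rounds: >= {active} active S-boxes, trail probability <= 2^{lp}, "
          f"linear trail correlation <= 2^{lc}")
```

The MDS check is the exhaustive one (all 69 square minors of the 4×4 matrix), which is cheap here and is the property the "25 active S-boxes in four rounds" proof of [DR02a] builds on; the per-S-box values 2^-6 and 2^-3 are measured, not assumed, so swapping in a different 8-bit S-box shows immediately how the trail bounds would move.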
4 Performance
Rijndael can be implemented to run efficiently on a wide range of platforms. Some of the key factors for the efficient implementation are:
1. On 32-bit processors with a reasonable cache size, the different steps of the round transformation can be combined in a single set of look-up tables. This is made possible by the division of the linear step λ into a diffusion step θ and a dispersion step π.
2. On 8-bit processors, the different steps have to be implemented explicitly. The step θ has been designed to be efficient on this type of processor.
3. The parallelism in the round transformation allows multiple pipelines to be utilized.
We observe that the performance in software is hardly influenced by the particular choice of S-box. Once the dimensions of the S-box have been fixed, it makes no difference how the S-box is specified, since the γ step is always implemented by means of a look-up table.
5 Attempts at Cryptanalysis of Rijndael
In this section we discuss recent observations on the structural properties of Rijndael and their impact on the security of the design.
5.1 Differential and Linear Cryptanalysis
Because of the proven upper bounds on the probability of differential trails and the correlation contribution of linear trails, classical linear and differential attacks are not applicable to Rijndael. However, linear and differential attacks have been extended in several ways and new attacks have been published that are related to them. The best known extension is known as truncated differentials. This attack has also been taken into account in the design of Rijndael from the start. Other attacks use difference propagation and correlation in different ways. These include impossible differentials [BBS99], boomerang attacks [BDK02] and rectangle attacks [BDK02]. Thanks to the upper bounds for 4-round trails and the actual number of rounds, none of these methods of cryptanalysis has led to shortcut attacks on Rijndael.
5.2 Saturation Attacks
The most powerful cryptanalysis of Rijndael to date is the saturation attack. This is a chosen-plaintext attack that exploits the byte-oriented structure of the cipher and works on any cipher with a round structure similar to the one of Rijndael. It was first described in the paper presenting a predecessor of Rijndael, the block cipher Square [DKR97], and was often referred to as the Square attack. The original saturation attack can break round-reduced variants of Rijndael up to 6 (128-bit key and state) or 7 rounds faster than exhaustive key search. N. Ferguson et al. [FKS+00] proposed some optimizations that reduce the work factor of the attack. In [Luc00], S. Lucks proposes the name 'saturation attack' for this type of attack. More recently, these attacks have been called 'structural attacks' by A. Biryukov and A. Shamir [BS01] and 'integral cryptanalysis' by L. Knudsen and D. Wagner [KW02].
5.3 Algebraic Structure
Decomposition of the Round Transformation

The round transformation of Rijndael can be decomposed into a sequence of steps in several different ways. S. Murphy and M. Robshaw observed that the decomposition can be defined in such a way that the steps of the round transformation have a low algebraic order [MR00]. The algebraic order of a transformation $f$ equals the number of different transformations that can be constructed by repeated application of $f$: $f$, $f \circ f$, $f \circ f \circ f$, ... Until now, this observation on some of the components of the round transformation hasn't led to any cryptanalytical attack. On the contrary, R. Wernsdorf proved recently that the full round transformation of Rijndael generates the alternating group [Wer02]. This shows that the algebraic order of the round transformation isn't low.

Structure within the S-Box

Any 8 × 8-bit S-box can be considered as a composition of 8 Boolean functions sharing the same 8 input bits. J. Fuller and W. Millan observed that the S-box of Rijndael can be described using one Boolean function only [FM02]. The 7 other Boolean functions can be described as

$$f_i(x_1, \dots, x_8) = f_1(g_i(x_1, \dots, x_8)) + c_i, \qquad i = 2, \dots, 8, \qquad (3)$$

where the functions $g_i$ are affine functions and the $c_i$ are constants. This means that the Rijndael round transformation is even more regular than anticipated: not only does it use 16 instances of the same S-box in every round, but additionally, in some sense, this S-box uses 8 instances of the same Boolean function. While this is an interesting observation, it remains to be seen if and how it has an impact on the security of the design.

5.4 Algebraic Attacks
The transparent algebraic structure of Rijndael has encouraged several teams of researchers to investigate the security of Rijndael against algebraic solving methods. Typically, an algebraic attack consists of two steps.
1. Collecting step: the cryptanalyst expresses the cipher as a set of simple equations in a number of variables. These variables include bits (or bytes) from the plaintext, ciphertext and the key, and typically also intermediate computation values and round keys. The term 'simple' can be defined very loosely as 'suitable for the next step'.
2. Solving step: the cryptanalyst uses some data input such as plaintext/ciphertext pairs, substitutes these values for the corresponding variables in the set of equations collected in step 1 and tries to solve the resulting set of equations, thereby recovering the key.
It doesn't come as a big surprise that Rijndael can be expressed with elegant equations in several ways. Whereas in many other cipher designs the structure is obscured by the addition of many complex operations, in Rijndael the inner structure is very simple and transparent, clearly facilitating the expression of the cipher as a set of simple equations. The key issue to be judged, however, is whether equations that look elegant to the mathematician's mind are also simple to solve. Several attempts have been made to construct algebraic attacks for Rijndael. None have resulted in shortcut attacks as yet, and most of the papers conclude that more research is required. In the following sections we discuss a number of attempts.

Continued Fractions

Ferguson, Schroeppel and Whiting [FSW01] derived a closed formula for Rijndael that can be seen as a generalisation of continued fractions. Any byte of the intermediate result after 5 rounds can be expressed as follows.

$$x = K + \sum \frac{C_1}{K^{*} + \sum \frac{C_2}{K^{*} + \sum \frac{C_3}{K^{*} + \sum \frac{C_4}{K^{*} + \sum \frac{C_5}{K^{*} + p^{*}_{*}}}}}} \qquad (4)$$

Here every $K$ is some expanded key byte, each $C_i$ is a known constant and each $*$ is a known exponent or subscript, but these values depend on the summation variables that enclose the symbol. A fully expanded version of (4) has $2^{25}$ terms. In order to break 10-round Rijndael, a cryptanalyst could use 2 equations of this type. The first one would express the intermediate variables after 5 rounds as a function of the plaintext bytes.
The second equation would cover rounds 6–10 by expressing the same intermediate variables as a function of the ciphertext bytes. Combining both equations would result in an equation with 226 unknowns. By repeating this equation for 226 /16 known plaintext/ciphertext pairs, enough information could be gathered to solve for the unknowns, in an information-theoretic sense. It is currently unknown what a practical algorithm to solve this type of equations would look like. XSL Courtois and Pieprzyck [CP] observe that the S-box used in Rijndael can be described by a number of implicit quadratic Boolean equations. If the 8 input
8
Joan Daemen and Vincent Rijmen
bits are denoted by x1 , . . . x8 , and the 8 output bits by y1 , . . . y8 , then there exist equations of the form f (x1 , . . . , x8 , y1 , . . . y8 ) = 0,
(5)
where the algebraic degree of f equals two. In principle, 8 equations of the type (5) suffice to define the S-box, but Courtois and Pieprzyck observe that more equations of this type can be constructed. Furthermore, they claim that these extra equations can be used to reduce the complexity of the solving step. In the first step of the XSL method, equations are collected that describe the output of every sub-block of the cipher as a function of the input of the same sub-block. As a result, the cryptanalysts get a system of 8000 quadratic equations in 1600 unknowns, for the case of Rijndael, where the linear steps are ignored for sake of simplicity. The most difficult part of the XSL method is to find an efficient elimination process. Courtois and Pieprzyck estimated that for Rijndael the complexity would be 2230 steps. For Rijndael with 256-bit keys, the complexity would be 2255 steps. As an extension, they propose to use cubic equations as well. For that case, the complexity for Rijndael with 256-bit keys may drop to 2203 steps in their most optimistic estimation. All these complexity estimations are made under the assumption that the Gaussion elimination method for linear equations can be implemented in a complexity O(n2.4 ). Embedding Murphy and Robshaw [MR02] defined the block cipher BES, which operates on data blocks of 128 bytes instead of bits. According to Murphy and Robshaw, the algebraic structure of BES is even more elegant and simple than that of Rijndael. Furthermore, Rijndael can be embedded into BES. There is a map φ such that: Rijndael(x) = φ−1 (BES (φ(x))) .
(6)
Murphy and Robshaw proceed with some observations on the properties of BES. However, these properties of BES do not translate to properties of Rijndael. Murphy and Robshaw believe that when the XSL method is applied to BES, the complexity of the solving step could be significantly smaller than in the case where XSL is directly applied to Rijndael (cf. Section 5.4).
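To make the XSL observation above concrete, the following is an added example (not code from the paper or from [CP]): it builds the Rijndael S-box from its definition, inversion in GF(2^8) followed by the affine map, and counts by Gaussian elimination over GF(2) how many linearly independent equations of the form (5) the S-box satisfies, once restricted to bi-affine monomials (1, x_i, y_j, x_i y_j) and once over all monomials of degree at most two. An equation of degree two is exactly a linear dependency among those monomials evaluated on all 256 pairs (x, S[x]), so the count is the number of monomials minus the rank. All function names are the example's own.

```python
# Added example, not from the paper: count the implicit quadratic Boolean
# equations f(x_1..x_8, y_1..y_8) = 0 satisfied by the Rijndael S-box y = S[x].
from itertools import combinations

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the Rijndael field polynomial


def gf_mul(a, b):
    """Multiply two elements of GF(2^8) in the Rijndael representation."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse a^(2^8 - 2); maps 0 to 0 as the S-box requires."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def sbox(x):
    """Rijndael S-box S[x] = f(x^-1), f being the fixed affine map."""
    b = gf_inv(x)
    s = b
    for k in range(1, 5):  # XOR of the four left rotations of b
        s ^= ((b << k) | (b >> (8 - k))) & 0xFF
    return s ^ 0x63


def bits(v):
    """Bits of a byte, least significant first."""
    return [(v >> i) & 1 for i in range(8)]


def gf2_rank(vectors):
    """Rank over GF(2) of integers seen as bit vectors (Gaussian elimination)."""
    pivots = {}  # leading bit position -> reduced vector with that leading bit
    for v in vectors:
        while v:
            lead = v.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = v
                break
            v ^= pivots[lead]
    return len(pivots)


def count_sbox_equations(bi_affine_only=False):
    """Number of linearly independent equations of algebraic degree <= 2 that
    hold for every (x, S[x]). With bi_affine_only=True only monomials of the
    form 1, x_i, y_j, x_i*y_j are allowed (no x_i*x_k or y_j*y_k terms)."""
    table = [bits(x) + bits(sbox(x)) for x in range(256)]  # 16 bits per row
    variables = range(16)  # 0..7 are the x bits, 8..15 the y bits
    monomials = [()] + [(v,) for v in variables]
    for u, v in combinations(variables, 2):
        if bi_affine_only and not (u < 8 <= v):
            continue
        monomials.append((u, v))
    # Each monomial becomes a 256-bit column: bit x holds its value at input x.
    columns = []
    for mono in monomials:
        col = 0
        for x, row in enumerate(table):
            if all(row[v] for v in mono):
                col |= 1 << x
        columns.append(col)
    return len(monomials) - gf2_rank(columns)


if __name__ == "__main__":
    print("bi-affine equations:", count_sbox_equations(bi_affine_only=True))
    print("all quadratic equations:", count_sbox_equations())
```

Because the count is invariant under affine changes of the input and output coordinates, it depends only on the inversion map, which is why the extra equations beyond the 8 that define the S-box exist at all.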
6 Efficient Hardware Implementations
The main challenge for compact or high-speed hardware implementations of Rijndael seems to be the efficient implementation of the S-box. The S-box is a nonlinear function with 8 input bits and 8 output bits. Commercially available optimisers are incapable of finding the optimal circuit fully automatically. For compact implementations, the S-box can’t be implemented as a 256-byte table. Instead a dedicated logical circuit has to be designed. In order to achieve maximal performance, 16 instances of the S-box have to be hardwired (neglecting the key schedule). Since 16 256-byte tables would occupy too much area, a dedicated logical circuit is also required here. The S-box is defined as the inverse map in the finite field GF(256), followed by an affine transformation:

$$S[x] = f(x^{-1}). \qquad (7)$$

Different representations for the field elements can be adopted. It is well known that the representation of the field elements influences the complexity of the inverse map I(x) = x^{-1} over the field. In [Rij00], we described how a change of representation could decrease the gate complexity of a combinatorial implementation of I(x). This technique has been worked out in [WOL02, SMTM01]. In these implementations, I(x) is replaced by three operations:

$$I(x) = \phi^{-1}\big(i[\phi(x)]\big). \qquad (8)$$

The change of representation is denoted by φ(x), and the more efficiently implementable inverse map is denoted by i(x). The maps φ and φ^{-1} have to be repeated in every round. Although the implementation of φ^{-1} can be combined with the implementation of the affine map f(x), there is still a considerable amount of overhead involved. The resulting improvements can be verified in Table 1. A lookup implementation of the S-box [KV01] is compared with several implementations using a different representation for the field elements [SMTM01]. Besides the raw performance measures throughput, clock frequency and gate count, the table also lists an efficiency indicator that is computed as follows [Jan01]:

$$\mathrm{Indicator} = \frac{\mathrm{Throughput}}{\mathrm{Clock\ frequency} \times \mathrm{Gate\ count}} \qquad (9)$$

Note that the design of [KV01] implements the encryption operation only. Since the decryption operation of Rijndael uses different hardware for some parts of the round transformation, the number of gates for a full implementation would be significantly higher. The authors of [RDJ+01] proposed to do the change of field element representation only once, at the beginning of the cipher. Subsequently, all steps of the cipher are redefined to work with the new representation. At the end of the encryption, the data is transformed back to the original representation. This eliminates the overhead in every round. The resulting improvements are shown in Table 1.
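As an added illustration of equation (8), here is example code that is not the circuit of [Rij00], [WOL02], [SMTM01] or [RDJ+01] but shows the same principle in software: the inverse in the Rijndael field is computed as φ^{-1}(i[φ(x)]), where i is an inverse in a tower field GF((2^4)^2) that needs only 4-bit operations. The subfield polynomial y^4 + y + 1, the extension polynomial Y^2 + Y + λ and the way φ is obtained (a brute-force search for a root of the Rijndael polynomial in the tower field) are assumptions of the example; real designs pick these to minimise gate count. The result is checked against the direct inverse for every byte.

```python
# Added example, not from the paper: the change-of-representation inverse
# I(x) = phi^-1(i[phi(x)]) of equation (8) with an assumed tower field.
AES_POLY = 0x11B   # GF(2^8): x^8 + x^4 + x^3 + x + 1 (Rijndael representation)
GF16_POLY = 0x13   # GF(2^4): y^4 + y + 1 (assumed subfield polynomial)


def poly_mul(a, b, modulus, width):
    """Multiply in GF(2^width) modulo the given polynomial (carry-less)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> width:
            a ^= modulus
        b >>= 1
    return r


def gf256_mul(a, b):
    return poly_mul(a, b, AES_POLY, 8)


def gf16_mul(a, b):
    return poly_mul(a, b, GF16_POLY, 4)


def gf16_inv(a):
    """a^(2^4 - 2) = a^14 in GF(2^4); 0 maps to 0."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r


def pick_lambda():
    """Smallest lambda in GF(2^4) for which Y^2 + Y + lambda has no root in
    GF(2^4), so that GF(2^4)[Y]/(Y^2 + Y + lambda) is a field (assumed choice)."""
    for lam in range(1, 16):
        if all(gf16_mul(y, y) ^ y ^ lam for y in range(16)):
            return lam
    raise ValueError("no irreducible Y^2 + Y + lambda")


LAMBDA = pick_lambda()


# Tower-field elements are bytes (hi << 4) | lo standing for hi*Y + lo.
def tower_mul(a, b):
    ah, al, bh, bl = a >> 4, a & 0xF, b >> 4, b & 0xF
    hh = gf16_mul(ah, bh)                    # uses Y^2 = Y + lambda
    hi = hh ^ gf16_mul(ah, bl) ^ gf16_mul(al, bh)
    lo = gf16_mul(hh, LAMBDA) ^ gf16_mul(al, bl)
    return (hi << 4) | lo


def tower_inv(a):
    """i(a) = a^-1 with GF(2^4) arithmetic only: a^-1 = conj(a) / N(a), where
    conj(a) = ah*Y + (ah + al) and the norm N(a) = ah^2*lambda + ah*al + al^2."""
    ah, al = a >> 4, a & 0xF
    norm = gf16_mul(gf16_mul(ah, ah), LAMBDA) ^ gf16_mul(ah, al) ^ gf16_mul(al, al)
    d = gf16_inv(norm)
    return (gf16_mul(ah, d) << 4) | gf16_mul(ah ^ al, d)


def build_phi_basis():
    """Find rho in the tower field with rho^8 + rho^4 + rho^3 + rho + 1 = 0;
    phi(x) = sum of x_i * rho^i is then a field isomorphism. Returns the images
    of the basis 1, x, ..., x^7, i.e. the columns of the GF(2)-linear map phi."""
    for rho in range(256):
        powers = [1]
        for _ in range(8):
            powers.append(tower_mul(powers[-1], rho))
        if powers[8] ^ powers[4] ^ powers[3] ^ powers[1] ^ 1 == 0:
            return powers[:8]
    raise ValueError("no root found")


PHI_BASIS = build_phi_basis()
PHI = [0] * 256                               # phi as a table of the linear map
for x in range(256):
    for i in range(8):
        if (x >> i) & 1:
            PHI[x] ^= PHI_BASIS[i]
PHI_INV = {v: x for x, v in enumerate(PHI)}   # phi^-1


def composite_inverse(x):
    """I(x) = phi^-1(i[phi(x)]) of equation (8)."""
    return PHI_INV[tower_inv(PHI[x])]


def is_isomorphism():
    """phi must respect multiplication: phi(ab) = phi(a) * phi(b)."""
    return all(PHI[gf256_mul(a, b)] == tower_mul(PHI[a], PHI[b])
               for a in range(0, 256, 7) for b in range(256))
```

In a circuit, PHI and PHI_INV would be the two small XOR networks the text refers to, and tower_inv is the part whose gate count the representation change reduces; the overhead discussed in the text is precisely that PHI and PHI_INV surround every S-box unless, as in [RDJ+01], the whole round is rewritten in the new representation.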
Table 1. Performance of hardware Rijndael implementations (ASIC)

Reference   Throughput (Gb/s)   Frequency (MHz)   # gates (10^3)   Indicator (10^-3 b/gate)
[KV01]      1.82                100               173              0.11
[WOL02]     0.12                100               5.7              0.21
[SMTM01]    0.3                 131               5.4              0.42
            2.6                 224               21               0.55
            0.8                 137               8.8              0.66
[RDJ+01]    7.5                 32                256              0.92

7 Conclusions

The main feature of the wide trail design strategy is not the choice for the nonlinear components of the round function (the S-box), but rather the way in which the linear diffusion layers are used to achieve elegant constructions with easily provable properties. This survey of recent results reveals that the described hardware performance improvements for Rijndael are based on the properties of the S-box, rather than the linear components. Also, most attempts to cryptanalyze Rijndael are mainly motivated by the algebraic structure in the S-box. No observations have been made that question the core principles of the wide trail design strategy.
References

[AES00] Proceedings of the third AES candidate conference, New York, April 2000.
[BBS99] Eli Biham, Alex Biryukov, and Adi Shamir. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In Jacques Stern, editor, Advances in Cryptology, Proceedings of Eurocrypt ’99, volume 1592 of Lecture Notes in Computer Science, pages 12–24. Springer-Verlag, 1999.
[BDK02] Eli Biham, Orr Dunkelman, and Nathan Keller. New results on boomerang and rectangle attacks. In Daemen and Rijmen [DR02b], pages 1–16.
[BS91] Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991.
[BS01] Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit Pfitzmann, editor, Advances in Cryptology, Proceedings of Eurocrypt ’01, volume 2045 of Lecture Notes in Computer Science, pages 394–405. Springer-Verlag, 2001.
[ÇKKP01] Çetin K. Koç, David Naccache, and Christophe Paar, editors. CHES 2001, volume 2162 of Lecture Notes in Computer Science. Springer-Verlag, 2001.
[CP] Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. Available from IACR’s e-Print server.
[DKR97] Joan Daemen, Lars R. Knudsen, and Vincent Rijmen. The block cipher Square. In Eli Biham, editor, Fast Software Encryption ’97, volume 1267 of Lecture Notes in Computer Science, pages 149–165. Springer-Verlag, 1997.
[DR02a] Joan Daemen and Vincent Rijmen. The design of Rijndael, AES — the advanced encryption standard. Springer-Verlag, 2002.
[DR02b] Joan Daemen and Vincent Rijmen, editors. Fast Software Encryption ’02, volume 2365 of Lecture Notes in Computer Science. Springer-Verlag, 2002.
[FKS+00] Niels Ferguson, John Kelsey, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting. Improved cryptanalysis of Rijndael. In AES3 [AES00], pages 213–231.
[FM02] Joanne Fuller and William Millan. On linear redundancy in the AES S-box. Draft, 2002.
[FSW01] Niels Ferguson, Richard Schroeppel, and Doug Whiting. A simple algebraic representation of Rijndael. Draft, 2001.
[Jan01] Cees Jansen. Personal communication, 2001.
[KV01] Henry Kuo and Ingrid Verbauwhede. Architectural optimization for a 1.82 Gbit/sec VLSI implementation of the AES Rijndael algorithm. In Çetin K. Koç and Paar [ÇKKP01], pages 51–64.
[KW02] Lars Knudsen and David Wagner. Integral cryptanalysis. In Daemen and Rijmen [DR02b], pages 112–127.
[LMM91] Xuejia Lai, James Massey, and Sean Murphy. Markov ciphers and differential cryptanalysis. In Donald W. Davies, editor, Advances in Cryptology, Proceedings of Eurocrypt ’91, volume 547 of Lecture Notes in Computer Science, pages 17–38. Springer-Verlag, 1991.
[Luc00] Stefan Lucks. Attacking 7 rounds of Rijndael under 192-bit and 256-bit keys. In AES3 [AES00], pages 215–229.
[MR00] Sean Murphy and Matt J. B. Robshaw. New observations on Rijndael. http://www.isg.rhbnc.ac.uk/~sean/rijn_newobs.pdf, August 2000.
[MR02] Sean Murphy and Matt J. B. Robshaw. Essential algebraic structure within the AES. In Moti Yung, editor, Advances in Cryptology, Proceedings of Crypto 2002, Lecture Notes in Computer Science. Springer-Verlag, 2002.
[RDJ+01] Atri Rudra, Pradeep K. Dubey, Charanjit S. Jutla, Vijay Kumar, Josyula R. Rao, and Pankaj Rohatgi. Efficient Rijndael encryption implementation with composite field arithmetic. In Çetin K. Koç and Paar [ÇKKP01], pages 171–184.
[Rij00] Vincent Rijmen. Efficient implementation of the Rijndael S-box. http://www.esat.kuleuven.ac.be/~rijmen/rijndael/sbox.pdf, 2000.
[SMTM01] Akashi Satoh, Sumio Morioka, Kohji Takano, and Seiji Munetoh. A compact Rijndael hardware architecture with S-box optimization. In Colin Boyd, editor, Advances in Cryptology, Proceedings of Asiacrypt 2001, volume 2248 of Lecture Notes in Computer Science, pages 239–254. Springer-Verlag, 2001.
[Wer02] Ralph Wernsdorf. The round functions of Rijndael generate the alternating group. In Daemen and Rijmen [DR02b], pages 143–148.
[WOL02] Johannes Wolkerstorfer, Elisabeth Oswald, and Mario Lamberger. An ASIC implementation of the AES S-boxes. In Bart Preneel, editor, Topics in Cryptology — CT-RSA 2002, Lecture Notes in Computer Science, pages 67–78. Springer-Verlag, 2002.
Fast Algorithms for Determining the Linear Complexity of Period Sequences

Guozhen Xiao (1) and Shimin Wei (2)

(1) National Key Lab of ISN, Xidian University, Xi’an 710071, China, [email protected]
(2) Department of Computer Science and Technique, Peking University, Beijing 100871, China, [email protected]

Abstract. We introduce a fast algorithm for determining the linear complexity and the minimal polynomial of a sequence with period p^n over GF(q), where p is an odd prime, q is a prime and a primitive root modulo p^2, and its two generalized algorithms. One is the algorithm for determining the linear complexity and the minimal polynomial of a sequence with period p^m q^n over GF(q); the other is the algorithm for determining the k-error linear complexity of a sequence with period p^n over GF(q), where p is an odd prime, q is a prime and a primitive root modulo p^2. The algorithm for determining the linear complexity and the minimal polynomial of a sequence with period 2p^n over GF(q) is also introduced, where p and q are odd primes, and q is a primitive root (mod p^2). These algorithms use the fact that in these cases the factorization of x^N − 1 is especially simple for N = p^n, 2p^n, p^n q^m.

Keywords: cryptography, periodic sequence, linear complexity, k-error linear complexity, fast algorithm.
1 Introduction
In [5], R. A. Games and A. H. Chan presented a fast algorithm for determining the linear complexity of a binary sequence with period 2^n. C. S. Ding [4] generalized the algorithm to sequences over a finite field GF(p^m) with period p^n. S. R. Blackburn [2] generalized the algorithm to sequences over a finite field GF(p^n) with period up^r, where u and p are co-prime. In Section 2, we introduce a fast algorithm proposed by Xiao, Wei, Lam and Imamura in [19] for determining the linear complexity of a sequence with period p^n over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p^2). This algorithm is a generalization of the algorithm proposed by Xiao, Wei, Imamura and Lam in [18]. Generalizations of these two algorithms are also introduced. Section 3 introduces the algorithm presented by Wei, Xiao and Chen in [15] for determining the linear complexity and the minimal polynomial of a sequence with period 2p^n over GF(q), where p and q are odd primes, and q is a primitive root (mod p^2).

The work was supported in part by 973 Project (G1999035804) and the Natural Science Foundation of China under Grants 60172015 and 60073051.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 12–21, 2002. © Springer-Verlag Berlin Heidelberg 2002

Although linear complexity is a necessary index for measuring the unpredictability of a sequence, it is not sufficient. The linear complexity is typically unstable: it can change drastically (increase or decrease) when only a few bits within one period of the original sequence are changed, hence it is cryptographically weak. Ding, Xiao and Shan [4] introduced some measure indexes on the security of stream ciphers. One of them is the sphere complexity of periodic sequences. Stamp and Martin [12] proposed a measure index analogous with the sphere complexity, the k-error linear complexity. In Section 4, we introduce an efficient algorithm for determining the k-error linear complexity of a sequence with period p^n over GF(q) presented by Wei, Xiao and Chen in [16], where p is an odd prime, and q is a prime and a primitive root modulo p^2. This algorithm is a generalization of the algorithm presented by Wei, Chen and Xiao [14] for determining the k-error linear complexity of a binary sequence with period p^n.

In this article we will consider sequences over GF(q), where q is a prime. Let s = {s_0, s_1, s_2, s_3, ...} be a sequence over GF(q). The sequence s is called an L-order linear recursive sequence if there exist a positive integer L and c_1, c_2, ..., c_L in GF(q) such that s_j + c_1 s_{j−1} + ... + c_L s_{j−L} = 0 for any j ≥ L; the minimal such order is called the linear complexity of s, and is denoted by c(s). If there exists a positive number N such that s_i = s_{i+N} for i = 0, 1, 2, ..., then s is called a periodic sequence, and N is called a period of s. The generating function of s is defined as s(x) = s_0 + s_1 x + s_2 x^2 + s_3 x^3 + .... Let s be a periodic sequence with the first period s^N = {s_0, s_1, ..., s_{N−1}}.
Then

$$s(x) = \frac{s^N(x)}{1 - x^N} = \frac{s^N(x) / \gcd\big(s^N(x),\ 1 - x^N\big)}{(1 - x^N) / \gcd\big(s^N(x),\ 1 - x^N\big)} = \frac{g(x)}{f_s(x)},$$

where

$$f_s(x) = \frac{1 - x^N}{\gcd\big(s^N(x),\ 1 - x^N\big)}, \qquad g(x) = \frac{s^N(x)}{\gcd\big(s^N(x),\ 1 - x^N\big)}.$$
Obviously, gcd(g(x), f_s(x)) = 1, deg g(x) < deg f_s(x), the polynomial f_s(x) is the minimal polynomial of s, and deg f_s(x) = c(s) (see [4, pages 86 and 87]).

We recall some results in finite field theory and number theory (see [8], [10] and [11]). Let p be a prime number. Then φ(p^n) = p^n − p^{n−1}, where n is a positive integer and φ is the Euler φ-function. Let K be a field of characteristic q, n a positive integer not divisible by q, and ζ a primitive n-th root of unity over K. Then the polynomial

$$\Phi_n(x) = \prod_{\substack{s = 1 \\ \gcd(s, n) = 1}}^{n} (x - \zeta^s)$$

is called the n-th cyclotomic polynomial over K. The degree of Φ_n(x) is φ(n) and its coefficients obviously belong to the n-th cyclotomic field over K. A simple argument will show that they are actually contained in the prime subfield GF(q) of K, and Φ_n(x) is irreducible in GF(q) if and only if q is a primitive root (mod n), i.e. if q has order φ(n) modulo n. Let p be an odd prime, q a primitive root (mod p^2). Then q is also a primitive root (mod p^n) (n ≥ 1). If q is an odd number, then q is also a primitive root (mod 2p^n) (n ≥ 1). Hence, if q is a prime, then Φ_{p^n}(x) (n ≥ 1) is irreducible in GF(q); if q is an odd prime, then Φ_{2p^n}(x) (n ≥ 1) is irreducible in GF(q).
2 Fast Algorithms for Computing the Linear Complexity of Sequences with Period p^n and p^m q^n
Let s = (s_0, s_1, ...) be a sequence with period N = p^n over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p^2). Set a = (A_1, A_2, ..., A_p), where A_i = (a_{(i−1)p^{n−1}}, a_{(i−1)p^{n−1}+1}, ..., a_{ip^{n−1}−1}), i = 1, 2, ..., p. Xiao, Wei, Imamura and Lam [19] proposed a fast algorithm for determining the linear complexity and the minimal polynomial of s as follows.

Algorithm 1 [19]. Initial values: a ← s^N, l ← p^n, c ← 0, f ← 1.
(1) If l = 1, go to (2); otherwise l ← l/p, go to (3).
(2) If a = (0), stop; otherwise c ← c + 1, f ← (1 − x) f, stop.
(3) If A_1 = A_2 = ... = A_p, a ← A_1, go to (1); otherwise b ← A_1 + A_2 + ... + A_p, c ← c + (p − 1) l, f ← f Φ_{pl}(x), go to (1).
Finally, we have that c(s) = c and f_s(x) = f.

The following theorem is the foundation of Algorithm 1.

Theorem 1 [19]. Let q be a primitive root (mod p^2), s = (s_0, s_1, ...) a sequence with period N = p^n over GF(q), and let s^N = (s_0, s_1, ..., s_{N−1}) be the first period of s. Set A_i = (s_{(i−1)p^{n−1}}, ..., s_{ip^{n−1}−1}), i = 1, ..., p. Then
(1) If A_1 = A_2 = ... = A_p, then f_s(x) = f_{(A_1)}(x), hence c(s) = c((A_1));
(2) Otherwise, f_s(x) = f_{(b)}(x) Φ_N(x), hence c(s) = c((b)) + (p − 1) p^{n−1},
where b = A_1 + A_2 + ... + A_p, and (A_1) (or (b)) denotes the periodic sequence with the first period A_1 (or b).

In [18], Xiao, Wei, Imamura and Lam presented a special version of Algorithm 1 for q = 2. This special version was generalized to a fast algorithm for determining the linear complexity and the minimal polynomial of a binary sequence with period N = 2^n p^m, where 2 is a primitive root (mod p^2) ([17]).

Theorem 2 [17]. Let a = (a_0, a_1, ..., a_{N−1}) be a finite binary sequence, 2 a primitive root (mod p^2) and N = 2^n p^m. Denote M = 2^{n−1} p^{m−1}, A_i = (a_{(i−1)M}, a_{(i−1)M+1}, ..., a_{iM−1}), i = 1, 2, ..., 2p. Then
(1) $\Phi_{p^m}(x)^{2^{n-1}} \mid a(x)$ if and only if A_1 + A_{p+1} = A_2 + A_{p+2} = ... = A_p + A_{2p};
(2) If $\Phi_{p^m}(x)^{2^{n-1}} \mid a(x)$, then
$$\gcd\big(a(x),\ \Phi_{p^m}(x)^{2^n}\big) = \Phi_{p^m}(x)^{2^{n-1}} \cdot \gcd\Big(\Phi_{p^m}(x)^{2^{n-1}},\ \sum_{i=1}^{p} \big(A_i(x) + A_{i+1}(x)\big)\, x^{(i-1)M}\Big);$$
(3) If $\Phi_{p^m}(x)^{2^{n-1}} \mid a(x)$ doesn’t hold, then
$$\gcd\big(a(x),\ \Phi_{p^m}(x)^{2^n}\big) = \gcd\big(a(x),\ \Phi_{p^m}(x)^{2^{n-1}}\big) = \gcd\Big(\Phi_{p^m}(x)^{2^{n-1}},\ \sum_{i=1}^{p} \big(A_i(x) + A_{p+i}(x)\big)\, x^{(i-1)M}\Big);$$
(4) $$\gcd\big(a(x),\ 1 - x^{2M}\big) = \gcd\Big(1 - x^{2M},\ \sum_{i=1}^{p} A_{2i-1}(x) + x^{M} \sum_{i=1}^{p} A_{2i}(x)\Big);$$
(5) $$\gcd\big(a(x),\ 1 - x^{N}\big) = \gcd\big(a(x),\ 1 - x^{2M}\big) \cdot \gcd\big(a(x),\ \Phi_{p^m}(x)^{2^n}\big).$$

Theorem 3 [17]. Let s be a binary sequence with period N = 2^n p^m, s^N = (s_0, s_1, ..., s_{N−1}) the first period of s, and 2 a primitive root modulo p^2. Denote M = 2^{n−1} p^{m−1}, A_i = (s_{(i−1)M}, ..., s_{iM−1}), i = 1, 2, ..., 2p. Then
$$f_s(x) = f_{(a)}(x) \cdot \Phi_{p^m}(x)^{z}, \quad \text{hence} \quad c(s) = c((a)) + (p - 1)\, p^{m-1} z;$$
where a = (A_1 + A_3 + ... + A_{2p−1}, A_2 + A_4 + ... + A_{2p}),
$$\Phi_{p^m}(x)^{z} = \frac{\Phi_{p^m}(x)^{2^n}}{\gcd\big(\Phi_{p^m}(x)^{2^n},\ s^N(x)\big)},$$
(a) denotes the sequence with the first period a; hence z = 2^n − t, where t is the multiplicity of the factor Φ_{p^m}(x) in gcd(Φ_{p^m}(x)^{2^n}, s^N(x)).

By Theorems 2 and 3 we have the following algorithm.

Algorithm 2 [17]. Initial: a ← s^N, l ← 2^n, k ← p^m, c ← 0, f ← 1.
(1) If k = 1, go to (2); otherwise k ← k/p, go to (5).
(2) If l = 1, go to (3); otherwise l ← l/2, L = (a_0, a_1, ..., a_{l−1}), R = (a_l, a_{l+1}, ..., a_{2l−1}), b ← L + R, go to (4).
(3) If a = (0), stop; otherwise c ← c + 1, f ← f (1 − x), stop.
(4) If b = 0, then a ← L, go to (2); otherwise a ← b, c ← c + l, f ← f (1 − x)^l, go to (2).
(5) If l = 1, then A_i = (a_{(i−1)k}, a_{(i−1)k+1}, ..., a_{ik−1}), i = 1, 2, ..., p, go to (6); otherwise A_i = (a_{(i−1)kl}, a_{(i−1)kl+1}, ..., a_{ikl−1}), i = 1, 2, ..., 2p, l ← l/2, $b \leftarrow \big(\sum_{i=1}^{p} A_{2i-1},\ \sum_{i=1}^{p} A_{2i}\big)$, go to (7).
(6) If A_1 = A_2 = ... = A_p, then a ← A_1, go to (1); otherwise a ← A_1 + A_2 + ... + A_p, c ← c + (p − 1) k, f ← f Φ_{pk}(x), go to (1).
(7) If A_1 + A_{p+1} = A_2 + A_{p+2} = ... = A_p + A_{2p}, then a ← (A_1 + A_2, A_2 + A_3, ..., A_p + A_{p+1}), go to (8); otherwise a ← (A_1 + A_{p+1}, A_2 + A_{p+2}, ..., A_p + A_{2p}), c ← c + (p − 1) lk, f ← f Φ_{pk}(x)^l, go to (8).
(8) If l = 1, then A_i = (a_{(i−1)k}, a_{(i−1)k+1}, ..., a_{ik−1}), i = 1, 2, ..., p, go to (9); otherwise l ← l/2, A_i = (a_{(i−1)kl}, a_{(i−1)kl+1}, ..., a_{ikl−1}), i = 1, 2, ..., 2p, go to (7).
(9) If A_1 = A_2 = ... = A_p, then a ← b, l ← 2^n, go to (1); otherwise c ← c + (p − 1) k, f ← f Φ_{pk}(x), a ← b, l ← 2^n, go to (1).
Finally, we have that the linear complexity c(s) = c and the minimal polynomial f_s(x) = f of s.

In [13], the algorithm above was generalized to one for determining the linear complexity of a sequence with period p^m q^n over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p^2). The algorithm is as follows.

Algorithm 3 [13]. Initial values: a ← s^N, l ← q^n, k ← p^m, c ← 0, f ← 1.
(1) If k = 1, go to (2); otherwise k ← k/p, go to (6).
(2) If l = 1, go to (3); otherwise l ← l/q, A_i = (a_{(i−1)l}, a_{(i−1)l+1}, ..., a_{il−1}), i = 1, 2, ..., q, b ← A_1 + ... + A_q, h ← q − 1, go to (4).
(3) If a = (0), stop; otherwise c ← c + 1, f ← f (1 − x), stop.
(4) If b = (0, ..., 0), then A_i ← A_1 + ... + A_i, i = 1, 2, ..., h, go to (5); otherwise a ← b, c ← c + hl, f ← f (1 − x)^{hl}, go to (2).
(5) If h = 1, then a ← A_1, go to (2); otherwise b ← A_1 + ... + A_h, h ← h − 1, go to (4).
(6) If l = 1, A_i = (a_{(i−1)k}, a_{(i−1)k+1}, ..., a_{ik−1}), i = 1, 2, ..., p, go to (7); otherwise l ← l/q, A_i = (a_{(i−1)kl}, a_{(i−1)kl+1}, ..., a_{ikl−1}), i = 1, 2, ..., pq, $b \leftarrow \big(\sum_{i=0}^{p-1} A_{qi+1},\ \sum_{i=0}^{p-1} A_{qi+2},\ \ldots,\ \sum_{i=0}^{p-1} A_{qi+q}\big)$, go to (8).
(7) If A_1 = A_2 = ... = A_p, a ← A_1, go to (1); otherwise a ← A_1 + A_2 + ... + A_p, c ← c + (p − 1) k, f ← f Φ_{pk}(x), go to (1).
(8) If $\sum_{i=0}^{q-1} A_{ip+1} = \sum_{i=0}^{q-1} A_{ip+2} = \cdots = \sum_{i=0}^{q-1} A_{ip+p}$, then $A_i \leftarrow \sum_{j=0}^{i/p} (A_{i-jp} - A_{i-jp-1})$ for i = 1, 2, ..., (q − 1) p + 1, r ← 1, go to (9); otherwise $a \leftarrow \big(\sum_{i=0}^{q-1} A_{ip+1},\ \sum_{i=0}^{q-1} A_{ip+2},\ \ldots,\ \sum_{i=0}^{q-1} A_{ip+p}\big)$, c ← c + (p − 1)(q − 1) lk, $f \leftarrow f\, \Phi_{pk}(x)^{(q-1)l}$, go to (6).
(9) If $\sum_{i \in I_{1,r}} A_i = \sum_{i \in I_{2,r}} A_i = \cdots = \sum_{i \in I_{p,r}} A_i$, then r ← r + 1, go to (10); otherwise $a \leftarrow \big(\sum_{i \in I_{1,r}} A_i,\ \ldots,\ \sum_{i \in I_{p,r}} A_i\big)$, c ← c + (p − 1)(q − r − 1) lk, $f \leftarrow f\, (\Phi_{pk}(x))^{(q-r-1)l}$, r ← 0, go to (6).
(10) If r = q, a ← b, go to (1); otherwise $A_i \leftarrow \sum_{j=0}^{i/p} (A_{i-jp} - A_{i-jp-1})$ for i = 1, 2, ..., (q − r) p + r, go to (9).
Finally, we have that c(s) = c and f_s(x) = f.
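As an added worked example (not the authors' code) of Algorithm 1 and Theorem 1 from the beginning of this section, together with the precondition from Section 1 that q be a primitive root modulo p^2: the code below runs Algorithm 1 on one period, building the minimal polynomial f_s(x) as a coefficient list from the factors (1 − x) and Φ_{pl}(x) = 1 + x^l + ... + x^{(p−1)l}, and cross-checks both c(s) and f_s(x) against the Berlekamp-Massey algorithm fed two periods of the sequence. In the "otherwise" branch of step (3) the recursion continues on the block sum b, as Theorem 1 (2) states. The sample periods are constructed pseudo-randomly; the function names are the example's own.

```python
# Added example, not the authors' code: Algorithm 1 over GF(q) for period p^n,
# checked against Berlekamp-Massey. Constant term first in all polynomials.
import random


def is_primitive_root_mod_p2(q, p):
    """Precondition of Theorem 1: q has order phi(p^2) = p(p-1) modulo p^2,
    which is what makes every Phi_{p^k}(x) irreducible over GF(q)."""
    if q % p == 0:
        return False
    m = p * p
    order, x = 1, q % m
    while x != 1:
        x = x * q % m
        order += 1
    return order == p * (p - 1)


def poly_mul(f, g, q):
    """Product of two polynomials over GF(q) given as coefficient lists."""
    r = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            r[i + j] = (r[i + j] + a * b) % q
    return r


def cyclotomic_p_power(p, l):
    """Phi_{p*l}(x) = 1 + x^l + x^(2l) + ... + x^((p-1)l) for l a power of p."""
    poly = [0] * ((p - 1) * l + 1)
    for i in range(p):
        poly[i * l] = 1
    return poly


def algorithm1(period, p, q):
    """Linear complexity c(s) and minimal polynomial f_s(x) of the periodic
    sequence whose first period is `period` (length p^n)."""
    a = [v % q for v in period]
    l = len(a)
    c, f = 0, [1]
    while l > 1:                                   # step (1): l <- l/p, then (3)
        l //= p
        blocks = [a[i * l:(i + 1) * l] for i in range(p)]   # A_1, ..., A_p
        if all(blk == blocks[0] for blk in blocks):
            a = blocks[0]                          # A_1 = ... = A_p: a <- A_1
        else:                                      # a <- b = A_1 + ... + A_p
            a = [sum(col) % q for col in zip(*blocks)]
            c += (p - 1) * l
            f = poly_mul(f, cyclotomic_p_power(p, l), q)
    if a[0] != 0:                                  # step (2): a != (0)
        c += 1
        f = poly_mul(f, [1, q - 1], q)             # multiply by (1 - x)
    return c, f


def berlekamp_massey(seq, q):
    """Length L and connection polynomial C(x) = 1 + c_1 x + ... + c_L x^L of
    the shortest LFSR generating seq over GF(q): s_j + c_1 s_{j-1} + ... = 0."""
    C, B = [1], [1]
    L, m, b = 0, 1, 1
    for n, s_n in enumerate(seq):
        d = s_n                                    # discrepancy at position n
        for i in range(1, L + 1):
            d = (d + C[i] * seq[n - i]) % q
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, q - 2, q) % q            # d / b in GF(q)
        C = C + [0] * max(0, len(B) + m - len(C))
        for i, bi in enumerate(B):                 # C(x) <- C(x) - (d/b) x^m B(x)
            C[i + m] = (C[i + m] - coef * bi) % q
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, T, d, 1
        else:
            m += 1
    return L, C[:L + 1]


def agree(period, p, q):
    """True when Algorithm 1 and Berlekamp-Massey (fed two periods) return the
    same linear complexity and the same minimal polynomial."""
    return algorithm1(period, p, q) == berlekamp_massey(period * 2, q)


def sample_period(p, n, q, seed):
    """Constructed test input: a pseudo-random period of length p^n over GF(q)."""
    rng = random.Random(seed)
    return [rng.randrange(q) for _ in range(p ** n)]
```

Algorithm 1 touches each element of the period once per level, so n levels cost O(N) operations, whereas Berlekamp-Massey needs up to 2c(s) elements and O(N^2) operations to reach the same answer; the check in `agree` is only a sanity test of the implementation.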
3 Fast Algorithms for Computing the Linear Complexity of Sequences with Period 2p^n
In this section we introduce the algorithm proposed by Wei, Xiao and Chen [15] for determining the linear complexity of a sequence with period 2p^n over GF(q), where p and q are odd primes and q is a primitive root modulo p^2.

Theorem 4 [15]. Let p and q be odd primes, q a primitive root (mod p^2), s = (s_0, s_1, ...) a sequence with period N = 2p^n over GF(q), and let s^N = (s_0, s_1, ..., s_{N−1}) be the first period of s. Set A_i = (a_{(i−1)p^{n−1}}, a_{(i−1)p^{n−1}+1}, ..., a_{ip^{n−1}−1}), i = 1, 2, ..., 2p, and B_j = (A_{2j−1}, A_{2j}), j = 1, 2, ..., p. Then
(1) If B_1 = B_2 = ... = B_p, then f_s(x) = f_{(B_1)}(x), hence c(s) = c((B_1)).
(2) If the condition of (1) does not hold, we have one of three cases as follows.
Case 1. If A_1 + A_{p+1} = A_2 + A_{p+2} = ... = A_p + A_{2p}, then f_s(x) = f_{(b)}(x) Φ_{2p^n}(x). Hence c(s) = c((b)) + (p − 1) p^{n−1};
Case 2. If A_{p+1} − A_1 = (−1)^{i+1} (A_{p+i} − A_i), i = 1, 2, ..., p, then f_s(x) = f_{(b')}(x) Φ_{p^n}(x), hence c(s) = c((b')) + (p − 1) p^{n−1};
Case 3. If neither Case 1 nor Case 2 holds, then f_s(x) = f_{(b'')}(x) Φ_{p^n}(x) Φ_{2p^n}(x), hence c(s) = c((b'')) + 2 (p − 1) p^{n−1};
where
$$b = \Big(\sum_{i=1}^{p} (-1)^{i+1} A_i,\ \sum_{i=1}^{p} (-1)^{i+1} A_{i+1}\Big), \qquad b' = \Big(\sum_{i=1}^{p} A_i,\ \sum_{i=1}^{p} A_{i+1}\Big), \qquad b'' = B_1 + B_2 + \cdots + B_p.$$

Let s = (s_0, s_1, ...) be a sequence with period N = 2p^n over GF(q), s^N = (s_0, s_1, ..., s_{N−1}) the first period of s. If p and q are odd primes, and q is a primitive root (mod p^2), then we have a fast algorithm proposed in [15] for computing the linear complexity of s as follows.

Algorithm 4 [15]. Initial values: a ← s^N, l ← 2p^n, c ← 0, f ← 1.
(1) If l = 2, go to (2); otherwise l ← l/p, A_i = (a_{(i−1)p^{n−1}}, a_{(i−1)p^{n−1}+1}, ..., a_{ip^{n−1}−1}), i = 1, 2, ..., 2p, B_j = (A_{2j−1}, A_{2j}), j = 1, 2, ..., p, go to (5).
(2) If a = (0, 0), stop; otherwise go to (3).
(3) If a_0 = a_1, then c ← c + 1, f ← (1 − x) f, stop; otherwise go to (4).
(4) If a_0 + a_1 = 0, then c ← c + 1, f ← (1 + x) f, stop; otherwise c ← c + 2, f ← (1 − x^2) f, stop.
(5) If B_1 = B_2 = ... = B_p, b ← B_1, go to (8); otherwise go to (6).
(6) If A_1 + A_{p+1} = A_2 + A_{p+2} = ... = A_p + A_{2p}, then c ← c + (p − 1) p^{n−1}, f ← f Φ_{2p^n}(x), $b \leftarrow \big(\sum_{i=1}^{p} (-1)^{i+1} A_i,\ \sum_{i=1}^{p} (-1)^{i+1} A_{i+1}\big)$, go to (8); otherwise go to (7).
(7) If A_{p+1} − A_1 = A_{p+2} − A_2 = ... = A_{2p} − A_p, then c ← c + (p − 1) p^{n−1}, f ← f Φ_{p^n}(x), $b \leftarrow \big(\sum_{i=1}^{p} A_i,\ \sum_{i=1}^{p} A_{i+1}\big)$, go to (8); otherwise f ← f Φ_{p^n}(x) Φ_{2p^n}(x), c ← c + 2 (p − 1) p^{n−1}, b ← B_1 + B_2 + ... + B_p, go to (1).
Finally, we have that c(s) = c and f_s(x) = f.
4 Fast Algorithms for Computing the k-Error Linear Complexity of Sequences with Period p^n
Definition 1. Let s = (s_0, s_1, ...) be a binary sequence with period N. The smallest linear complexity that can be obtained when any k (0 ≤ k ≤ N) or fewer of the s_i’s are altered in every period of s is called the k-error linear complexity of s [12], and denoted by c_k(s), i.e.
$$c_k(s) = \min_{w_H(t) \le k} \{\, c(s + t) \,\},$$
where t is a binary sequence with period N, w_H(t) is the number of non-zero elements of the first period of t, and c(s) is the linear complexity of s.

Stamp and Martin [12] gave an algorithm for determining the k-error linear complexity of binary sequences with period 2^n. Kaida, Uehara and Imamura [7] generalized the algorithm to an algorithm for determining the k-error linear complexity of sequences over GF(p^m) with period p^n. This algorithm is also a generalization of the algorithm presented by Ding [4]. In this section, we introduce an efficient algorithm for determining the k-error linear complexity of a sequence with period p^n over GF(q) presented by Wei, Xiao and Chen in [16], where p is an odd prime, and q is a prime and a primitive root modulo p^2. This algorithm is a generalization of Algorithm 1.

Let s^N = (s_0, s_1, ..., s_{N−1}) be the first period of a sequence s over GF(q), q a primitive root modulo p^2. In Algorithm 1, c only increases when A_1 = A_2 = ... = A_p doesn’t hold. Therefore, in the following algorithm, if A_1 = A_2 = ... = A_p doesn’t hold, we should force A_1 = A_2 = ... = A_p under the changes permitted of the original sequence.

Algorithm 6 [16]. Initial values: a ← s^N, l ← p^n, c ← 0, cost[i, a_i] ← 0, cost[i, h] ← 1 for 0 ≤ h ≤ q − 1 and h ≠ a_i, i = 0, 1, 2, ..., l − 1, K ← k.
(1) If l = 1, then go to (2); otherwise l ← l/p, A_i = (a_{(i−1)l}, a_{(i−1)l+1}, ..., a_{il−1}), i = 1, 2, ..., p, $T_i^h = \sum_{j=0}^{p-1} \mathrm{cost}[i + jl,\ h]$, h = 0, 1, 2, ..., q − 1, $T_i = \min_{0 \le h \le q-1} \{T_i^h\}$, $T = \sum_{i=0}^{l-1} T_i$, go to (4).
(2) If a = 0, then stop; otherwise go to (3).
(3) If cost[0, 0] ≤ K, then stop; otherwise c ← c + 1, stop.
(4) If T ≤ K, then K ← K − T, cost[i, h] ← T_i^h − T_i, i = 0, 1, 2, ..., l − 1, go to (5); otherwise, a ← A_1 + A_2 + ... + A_p, c ← c + (p − 1) l,
$$\mathrm{cost}[i, h] \leftarrow \min_{d_0 + \cdots + d_{p-1} = h - a_i} \Big\{ \sum_{j=0}^{p-1} \mathrm{cost}[i + jl,\ a_{i+jl} + d_j] \Big\}, \qquad i = 0, 1, 2, \ldots, l - 1,$$
go to (1).
(5) For i = 0, 1, 2, ..., l − 1, if T_i^h = T_i then a_i ← h. a ← A_1, go to (1).
Finally, the k-error linear complexity c_k(s) of s is equal to c.

In Algorithm 6, cost[i, h] is the minimal number of changes in the initial sequence s^N necessary and sufficient for changing the current element a_i into h without disturbing the results A_1 = A_2 = ... = A_p of any previous steps. When q = 2, we obtain the algorithm presented by Wei, Chen and Xiao in [14] for determining the k-error linear complexity of a binary sequence with period p^n, where 2 is a primitive root modulo p^2.

Algorithm 7 [14]. Initial: a ← s^N, l ← p^n, c ← 0, cost[i] ← 1, i = 0, 1, 2, ..., l − 1, K ← k.
(1) If l = 1, go to (2); otherwise, l ← l/p, A_i = (a_{(i−1)l}, a_{(i−1)l+1}, ..., a_{il−1}), i = 1, 2, ..., p, $T_i^1 = \sum_{j=0}^{p-1} a_{i+jl}\, \mathrm{cost}[i + jl]$, $T_i^0 = \sum_{j=0}^{p-1} \mathrm{cost}[i + jl] - T_i^1$, $T_i = \min\{T_i^0, T_i^1\}$, $T = \sum_{i=0}^{l-1} T_i$, go to (4).
(2) If a = 0, stop; otherwise go to (3).
(3) If cost[0] ≤ K, stop; otherwise c ← c + 1, stop.
(4) If T ≤ K, K ← K − T, cost[i] ← max{T_i^0, T_i^1} − T_i, i = 0, 1, ..., l − 1, go to (5); otherwise, a ← A_1 + A_2 + ... + A_p, c ← c + (p − 1) l, $\mathrm{cost}[i] \leftarrow \min_{0 \le j \le p-1} \{\mathrm{cost}[i + jl]\}$, i = 0, 1, 2, ..., l − 1, go to (1).
(5) For i = 0, 1, 2, ..., l − 1, if T_i^h = T_i then a_i ← h. a ← A_1, go to (1).
Finally, the k-error linear complexity c_k(s) of s is equal to c.

In Algorithm 7, cost[i] is the minimal number of changes in the initial sequence s^N necessary and sufficient for changing the current element a_i without disturbing the results A_1 = A_2 = ... = A_p of any previous step.
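As an added worked example (not the authors' code) of Algorithm 7, the code below runs the cost-driven greedy reduction on a binary period of length p^n and compares it with Definition 1 evaluated directly: the minimum of c(s + t) over every error pattern t of weight at most k, where c is computed from Section 1 as N − deg gcd(s^N(x), 1 − x^N) over GF(2). In the code, T[i][h] is the cost of forcing every element of column i (a_i, a_{i+l}, ..., a_{i+(p−1)l}) to the value h, the quantity Algorithm 6 calls T_i^h, so step (5) keeps the cheaper value and step (4) charges max − min for flipping it later. The sample periods are constructed; the function names are the example's own.

```python
# Added example, not the authors' code: Algorithm 7 (binary k-error linear
# complexity for period p^n, 2 a primitive root modulo p^2) beside a brute
# force over all error patterns of weight <= k.
from itertools import combinations


def binary_linear_complexity(period):
    """c(s) = N - deg gcd(s^N(x), 1 + x^N) over GF(2); polynomials as ints."""
    N = len(period)
    a = sum(bit << i for i, bit in enumerate(period))
    b = (1 << N) | 1
    while b:                                  # Euclid: (a, b) <- (b, a mod b)
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return N - (a.bit_length() - 1)


def k_error_complexity_pn(period, p, k):
    """Algorithm 7. cost[i] is the minimal number of changes to the original
    period needed to flip the current element a_i; K is the remaining budget."""
    a = list(period)
    l = len(a)
    cost = [1] * l
    c, K = 0, k
    while l > 1:                              # step (1): l <- l/p
        l //= p
        T = [[sum(cost[i + j * l] for j in range(p) if a[i + j * l] != h)
              for h in (0, 1)] for i in range(l)]
        total = sum(min(t) for t in T)        # T = sum of T_i
        if total <= K:                        # step (4) then (5): force A_1 = ... = A_p
            K -= total
            a = [0 if T[i][0] <= T[i][1] else 1 for i in range(l)]
            cost = [max(T[i]) - min(T[i]) for i in range(l)]
        else:                                 # step (4): a <- A_1 + ... + A_p
            a = [sum(a[i + j * l] for j in range(p)) % 2 for i in range(l)]
            c += (p - 1) * l
            cost = [min(cost[i + j * l] for j in range(p)) for i in range(l)]
    if a[0] == 1 and cost[0] > K:             # steps (2) and (3)
        c += 1
    return c


def k_error_brute_force(period, k):
    """Definition 1 evaluated directly: min c(s + t) over all t with w_H(t) <= k."""
    N = len(period)
    best = binary_linear_complexity(period)
    for w in range(1, k + 1):
        for positions in combinations(range(N), w):
            t = list(period)
            for i in positions:
                t[i] ^= 1
            best = min(best, binary_linear_complexity(t))
    return best


def profile(period, p, max_k):
    """k-error linear complexity profile c_0(s), ..., c_max_k(s) via Algorithm 7."""
    return [k_error_complexity_pn(period, p, k) for k in range(max_k + 1)]


# Constructed sample periods: p = 3, n = 2 (N = 9) and p = 5, n = 2 (N = 25).
SAMPLE_9 = [1, 0, 1, 1, 0, 0, 1, 0, 1]
SAMPLE_25 = [int(ch) for ch in "1101000101110010011010001"]
```

The greedy choice in step (4) is safe because the term (p − 1) l saved by forcing equality at one level is at least as large as everything all deeper levels can still add, l in total; the brute force is exponential in N and is here only to confirm the result on small periods.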
5 Conclusion
In this article, we introduce some algorithms for determining the linear complexity and the minimal polynomial of periodic sequences. Our algorithms partly make up for the shortcoming that the Games-Chan algorithm cannot compute the linear complexity of sequences with period N (≠ q^m) over GF(q). The time complexity and the space complexity of the algorithms are both O(N). We have also shown that it is possible to give linear algorithms for periods other than those of [2], [4] and [5]. Finding fast algorithms to compute the linear complexity of periodic sequences is of great significance. The Berlekamp-Massey algorithm [9] may have to run through more than one period of length N of the sequence before it stabilizes on the correct connection polynomial. The algorithm given in this article works on only one period for a sequence with period N (= p^n, 2p^n, p^m q^n) and computes the minimal polynomial in n steps. The Berlekamp-Massey algorithm must store a segment of length 2c of the sequence, where c is the linear complexity of the sequence, while the algorithms given must always store a period of the sequence. The time complexity and the space complexity of our algorithms are both O(N). There is a fast version of the Euclidean algorithm (see [1]) that can be used to calculate the minimal polynomial of a sequence of length N using O(N (log N)^2 log log N) operations. A paper of Blackburn [3] shows that the Berlekamp-Massey algorithm can be adapted to work with essentially the same number of operations, and returns a linear complexity profile as well as the minimal polynomial of the sequence. These algorithms can be used to compute the minimal polynomial of a sequence with period N using O(N (log N)^2 log log N) operations. Our algorithm can be used to determine the linear complexity and the minimal polynomial of a periodic sequence with period N (= p^n, 2p^n, p^m q^n) using O(N) operations. An efficient algorithm for determining the k-error linear complexity of a sequence s over GF(q) with period p^n is introduced, where q is a prime and a primitive root modulo p^2. The algorithm computes the k-error linear complexity of s in n steps. When q = 2, the algorithm solves partially the open problem by Stamp and Martin [12].
References

[1] A. V. Aho, J. E. Hopcroft, J. D. Ullman, The Design and Analysis of Computer Algorithms. Reading, MA: Addison-Wesley, 1974.
[2] S. R. Blackburn, “A generalisation of the discrete Fourier transform: determining the minimal polynomial of a periodic sequence”, IEEE Trans. Inform. Theory, vol. 40, pp. 1702–1704, 1994.
[3] S. R. Blackburn, “Fast rational interpolation, Reed-Solomon decoding, and the linear complexity profiles of sequences”, IEEE Trans. Inform. Theory, vol. 43, pp. 537–548, 1997.
[4] C. Ding, G. Xiao and W. Shan, The Stability Theory of Stream Ciphers, Springer-Verlag, Berlin Heidelberg, 1991.
[5] R. A. Games, A. H. Chan, “A fast algorithm for determining the complexity of a binary sequence with period 2^n”, IEEE Trans. Inform. Theory, vol. 29, pp. 144–146, 1983.
[6] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, Graduate Texts in Mathematics No. 84, Springer, New York, 1982.
[7] T. Kaida, S. Uehara and K. Imamura, “An algorithm for the k-error linear complexity of sequences over GF(p^m) with period p^n, p a prime”, Information and Computation, vol. 151, pp. 134–147, 1999.
[8] R. Lidl and H. Niederreiter, Finite Fields, Addison-Wesley Publishing Company, 1983.
[9] J. L. Massey, “Shift-register synthesis and BCH decoding”, IEEE Trans. Inform. Theory, vol. 15, pp. 122–127, 1969.
[10] R. J. McEliece, Finite Fields for Computer Scientists and Engineers, Kluwer Academic Publishers, 1987.
[11] K. H. Rosen, Elementary Number Theory and Its Applications, Addison-Wesley Publishing Company, 1988.
[12] M. Stamp, C. F. Martin, “An algorithm for k-error linear complexity of binary sequences with period 2^n”, IEEE Trans. Inform. Theory, vol. 39, pp. 1398–1401, 1993.
[13] S. Wei, “An efficient algorithm for the linear complexity of a class of periodic sequences”, Proceedings of ChinaCrypto’2002, Publishing House of Electronics Industry, Beijing, 2002.
[14] S. Wei, Z. Chen and G. Xiao, “A fast algorithm for k-error linear complexity of a binary sequence”, 2001 International Conferences on Info-tech and Info-net Proceedings, IEEE Press, 2001, Conferences E, pp. 152–157.
[15] S. Wei, G. Xiao and Z. Chen, “A fast algorithm for determining the minimal polynomial of a sequence with period 2p^n over GF(q)”, IEEE Trans. Inform. Theory, vol. 48, no. 9, 2002 (to appear).
[16] S. Wei, G. Xiao and Z. Chen, “An efficient algorithm for k-error linear complexity”, Chinese Journal of Electronics, vol. 11, no. 2, pp. 265–267, 2002.
[17] S. Wei, G. Xiao and Z. Chen, “A fast algorithm for determining the linear complexity of a binary sequence with period 2^n p^m”, Science in China, Series F, vol. 44, no. 6, pp. 453–460, 2001.
[18] G. Xiao, S. Wei, K. Imamura and K. Y. Lam, “Algorithms for determining the linear complexity”, Proceedings of the International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC’99), Hong Kong, July 1999, pp. 31–36.
[19] G. Xiao, S. Wei, K. Y. Lam, and K. Imamura, “A fast algorithm for determining the linear complexity of a sequence with period p^n over GF(q)”, IEEE Trans. Inform. Theory, vol. 46, no. 6, pp. 2203–2206, 2000.
A New Class of Stream Ciphers Combining LFSR and FCSR Architectures
François Arnault, Thierry P. Berger, and Abdelkader Necer
LACO, University of Limoges, 123, av. A. Thomas, Limoges 87060, France
Abstract. We propose a new pseudorandom generator based on Linear Feedback Shift Registers (LFSR) and Feedback with Carry Shift Registers (FCSR). We then present a variant of this generator which can be used for a self-synchronizing stream cipher.

Keywords: Feedback shift registers, 2-adic expansion, Pseudorandom generators, Self-synchronizing stream ciphers.
Introduction

The generation of pseudorandom binary sequences is of primary importance for cryptography. LFSRs are simple, very fast devices which produce pseudorandom bits with good statistical properties. Unfortunately, the sequences obtained this way are very weak for cryptographic purposes because they are easily predictable: the Berlekamp-Massey algorithm recovers the feedback polynomial and the initial state of any LFSR of length n from the knowledge of 2n consecutive bits of the output sequence. Feedback Shift Registers with Carry operation (FCSRs) are similar fast devices, introduced by Klapper and Goresky. However, there exists a synthesis algorithm (analogous to the Berlekamp-Massey algorithm) which makes these devices also insecure [3]. Therefore, the key point in the design of a pseudorandom generator is to find a good trade-off between the implementation cost of the generator, its speed and the complexities of synthesis algorithms. A commonly used technique for increasing the complexities of synthesis algorithms consists of combining several LFSRs (or FCSRs). This method leads to several classical families of pseudorandom generators: nonlinear combination generators, nonlinear filter generators, clock-controlled generators, etc. Here, we propose a new class of pseudorandom generators, obtained by combining both LFSR and FCSR architectures. We point out that this new technique makes the generator resistant to synthesis algorithms and that it has a low implementation cost. We also describe a new family of self-synchronizing stream ciphers which are obtained by a similar method.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 22–33, 2002. © Springer-Verlag Berlin Heidelberg 2002
1 Generation of Eventually Periodic Binary Sequences with Feedback Shift Registers
We shall give in this section a review of some results concerning feedback shift registers and binary recurrence sequences (eventually periodic sequences). The two architectures (Fibonacci and Galois) of a Linear Feedback Shift Register are introduced as in [3]. We shall also recall some definitions and basic properties of 2-adic numbers and of the circuits which generate them, the Feedback with Carry Shift Registers (FCSR). For more details the reader can see [3] or [4].

1.1 The LFSR Architectures for Eventually Periodic Binary Sequences
Linear Feedback Shift Registers are the most commonly used devices for generating eventually periodic sequences, i.e., sequences (s_n)_{n∈N} for which there exist nonnegative integers t and n_0 such that s_{n+t} = s_n for all n ≥ n_0. An eventually periodic binary sequence S = (s_n)_{n∈N} satisfies a minimal linear recurrence over GF(2): s_{n+d} = \sum_{i=0}^{d-1} q_{d-1-i} s_{n+i} for all n. Such a sequence can be generated by the well-known Fibonacci architecture of Linear Feedback Shift Registers (LFSR). For example the following circuit generates the sequence satisfying the relation s_{n+4} = s_{n+3} + s_n with initial conditions s_0 = s_1 = s_3 = 1 and s_2 = 0.

[Figure: Fibonacci LFSR with four cells (contents 1, 0, 1, 1) and an XOR feedback realizing s_{n+4} = s_{n+3} + s_n.]

In this diagram, boxes represent cells (or stages), whose content is a bit a_n, controlled by a clock. At each cycle of the clock, each cell outputs the bit value present at its input during the preceding cycle. The symbol ⊕ denotes the addition in GF(2), i.e., the xor operation. An equivalent way to generate such a sequence is to use the Galois architecture for LFSR. If S = (s_n)_{n∈N} is a binary sequence, then S(X) = \sum_{n=0}^{\infty} s_n X^n ∈ GF(2)[[X]] denotes its generating function. The sequence S is eventually periodic if and only if the series S(X) is rational, i.e. if and only if there exist two polynomials P and Q, Q(0) ≠ 0, such that S(X) = P(X)/Q(X). Moreover, if deg(P) < deg(Q), then S(X) is strictly periodic (cf. [13]). Then, using the classical electronic circuit for polynomial division, it is easy to generate S: if r = max(deg(P) + 1, deg(Q)), P(X) = \sum_{i=0}^{r-1} p_i X^i and Q(X) = \sum_{i=0}^{r} q_i X^i, q_0 = 1, then S(X) = P(X)/Q(X) is generated by the following circuit:

[Figure: Galois LFSR with cells p_{r-1}, …, p_0; the output bit is multiplied by the coefficients q_r, …, q_1 and added (⊕) into the inputs of the corresponding cells.]
Here the circled-dot symbol denotes the binary multiplication. The pseudorandom sequences obtained this way have been extensively studied. The most interesting case is when the polynomial Q is primitive, as the period of the obtained sequence is then guaranteed to be large (precisely 2^{deg Q} − 1). We obtain this way so-called m-sequences, which are sequences with a number of good statistical properties (uniform distribution of non-zero words of small length, good distribution of run lengths, low autocorrelation, etc.).

Definition 1. The linear complexity (or the LFSR complexity) of a binary eventually periodic sequence S is the length (i.e., the number of cells) of the smallest LFSR generating S.

If S(X) = P(X)/Q(X), with P and Q coprime in GF(2)[X], then the LFSR complexity Λ_L of S is the maximum of deg(P) + 1 and deg(Q). For a cryptographic use, given S, it should be difficult to recover the polynomials P and Q. Unfortunately, the Berlekamp-Massey algorithm [7] or the Extended Euclidean algorithm [6] make it possible to recover P and Q in O(Λ_L^2) operations from the knowledge of 2Λ_L consecutive bits of S. In the sequel, such a circuit is symbolized by a box labelled P(x)/Q(x) with an output arrow.

1.2 The 2-adic FCSR Architectures for Eventually Periodic Binary Sequences
First, we will recall briefly some basic properties of 2-adic numbers. For a more theoretical approach the reader can refer to [5]. A 2-adic integer is formally a power series s = \sum_{n=0}^{\infty} s_n 2^n, s_n ∈ {0, 1}. Clearly, such a series does not always converge in the classical sense; however, it can be considered as a formal object. Actually, this series always converges if we consider the 2-adic topology. The set of 2-adic integers is denoted by Z_2. The addition and multiplication in Z_2 can be performed by reporting the carries to the higher order term, i.e. 2^n + 2^n = 2^{n+1} for all n ∈ N. If there exists an integer N such that s_n = 0 for all n ≥ N, then s is a positive integer. An important remark is the fact that −1 = \sum_{n=0}^{\infty} 2^n, which is easy to verify by computing 1 + \sum_{n=0}^{\infty} 2^n = 0. This fact allows us to compute the negative of a 2-adic integer very easily: if s = 2^n + \sum_{i=n+1}^{\infty} s_i 2^i, then −s = 2^n + \sum_{i=n+1}^{\infty} (1 − s_i) 2^i. In particular, this implies that s is a negative integer if and only if there exists an integer N such that s_n = 1 for all n ≥ N. Moreover, every odd integer q has an inverse in Z_2 which can be computed by the formula q^{-1} = \sum_{n=0}^{\infty} \bar{q}^n, where \bar{q} = 1 − q. The following theorem gives a complete characterization of eventually periodic 2-adic binary sequences in terms of 2-adic integers (see [2] for the proof).

Theorem 1. Let S = (s_n)_{n∈N} be a binary sequence and S_2 = \sum_{n=0}^{\infty} s_n 2^n be the associated 2-adic integer. The sequence S is eventually periodic if and only if there exist two numbers p and q in Z, q odd, such that S_2 = p/q. Moreover, S is strictly periodic if and only if pq ≤ 0 and |p| ≤ |q|.
An important fact is that the period of the rational number p/q has been known since Gauss (cf. [2]):

Theorem 2. Let S be an eventually periodic binary sequence, and let S_2 = p/q, with q odd and p and q coprime, be the corresponding 2-adic number in its rational representation. The period of S is the order of 2 modulo q, i.e., the smallest integer t such that 2^t ≡ 1 (mod q).

The 2-adic division p/q can be easily performed by a Galois architecture using a Feedback with Carry Shift Register. For simplification, we will only consider p ≥ 0 and q odd with q < 0. If pq > 0, it is easy to compute −p/q and then to obtain p/q by the formula −s = 2^n + \sum_{i=n+1}^{\infty} (1 − s_i) 2^i. Under the hypothesis q < 0 ≤ p, p < −q, p = \sum_{i=0}^{r} p_i 2^i and q = 1 − \sum_{i=1}^{r} q_i 2^i, the 2-adic division p/q is performed by the following circuit:

[Figure: Galois FCSR with cells p_{r-1}, …, p_0; the output bit is multiplied by the coefficients q_r, …, q_1 and added with carry into the inputs of the corresponding cells.]

where the circled symbol in the figure denotes the addition with carry, i.e., it corresponds to the following scheme: a full adder with inputs a, b and the previous carry c_{n-1} outputs the sum s = a ⊕ b ⊕ c_{n-1} and the new carry c_n = ab ⊕ a c_{n-1} ⊕ b c_{n-1}.
Definition 2. The 2-adic complexity of a binary eventually periodic sequence S is the length (i.e., the number of cells) of the smallest FCSR generating S.

Remark 1. Let S be a binary sequence. If S_2 = p/q with p and q coprime integers, then the 2-adic (or FCSR) complexity Λ_2 of S is the maximum of the bitlengths of |p| and |q| (cf. [2]). As for the LFSR case, such a 2-adic divisor is symbolized by a box labelled p/q with an output arrow.

2 Pseudo-random Generator with Compound FCSR and LFSR Architecture
For random generation and stream ciphers, using linear registers alone, or feedback registers alone is weak, because there are algorithms which can easily exploit the algebraic structures carried by these devices.
On the other hand, using devices without apparent structure, such as random non-linear registers, leads to systems which are difficult to analyze and very often completely insecure. A seemingly good method to make a good generator or stream cipher is to use two different structures, so that tools which can attack either structure are stopped by the presence of the other structure. However, care must be taken in the way the two structures are interleaved, so that some results about the security of the whole system can be deduced from the structure of each part. In our stream cipher we purposely separate the linear part and the 2-adic part. Each part is constructed such that its intrinsic period will be maximal. Moreover the size of each part must resist an exhaustive attack, i.e. each generator (linear and 2-adic) must have at least 80 registers. The idea of mixing GF(2) linearity with 2-adic linearity has already been used in pseudorandom generation with the "Summation Generator" of Rueppel [11]. The original proposal was found insecure because of relatively small parameters which made a cryptanalysis by 2-adic tools feasible. Also a weakness involving correlation properties was found by J. W. Meier and O. Staffelbach [9] when only two LFSRs are summed. However, with suitable parameters, this generator seems to be one of the better ones at the moment. Here, we present another way to mix both these linearities which avoids this problem.

2.1 Concatenation of LFSR and FCSR
The Galois architecture of an LFSR (or FCSR) corresponds to the division of a polynomial (or an integer) by another polynomial Q(X) (or another integer q) (cf. [3]). A slight modification of these architectures leads to the division of a series by a polynomial, or of a 2-adic number by an integer. For example, if the input of the following circuit is S(X), then the output is S'(X) = S(X)/Q(X).

[Figure: LFSR divisor-box: the input bits …, s_{r+2}, s_{r+1} enter a chain of cells s_r, s_{r-1}, …, s_1, s_0; the output bit is multiplied by the coefficients q_r, …, q_1 and added (⊕) into the inputs of the corresponding cells.]

Definition 3. We call such a circuit an LFSR (resp. FCSR) divisor-box with divisor Q(X) (resp. q). The number of cells in a box is called the size of the box. The period of the divisor-box is the order of the divisor Q(X) for the LFSR case, and the order of 2 modulo q for the FCSR case. Such a circuit is symbolized by a box labelled /Q(x) with input S(x) for the LFSR case, and by a box labelled /q with input S_2 for the FCSR case.
The principle of our pseudo-random generator is to use the output of an LFSR box P(X)/Q(X) as the input of a 2-adic divisor box.

2.2 Design of the Pseudorandom Generator

Public key:
• an irreducible primitive polynomial Q(X) of degree k, where k is a prime such that 2^k − 1 is also a prime. For practical applications and examples, we propose k = 89.

Private key:
• a polynomial P(X) of degree less than k;
• a negative prime q of size k, i.e. |q| ≈ 2^k, satisfying the two following conditions: 2^k − 1 is coprime to |q| − 1, and the order of 2 modulo q is exactly |q| − 1. For example, this condition is satisfied by |q| = 2r + 1 with r a prime congruent to 1 modulo 4.

Compute S(X) = P(X)/Q(X) using an LFSR generator. Let S be the 2-adic sequence corresponding to S(X). The output is the pseudorandom sequence S' = S/q generated by an FCSR divisor.

[Figure: LFSR generator P(x)/Q(x) producing S, followed by an FCSR divisor /q producing S'.]
Statistical Quality of the Sequence S. Set T = 2^k − 1 and N = 2^T − 1. Since T is prime, if Q(X) is an irreducible polynomial of degree k, then it is a primitive polynomial. This implies that, except for the initialization P(X) = 0, the sequence S generated by the LFSR generator P(X)/Q(X) has the following properties:
1. The period of S is exactly T = 2^k − 1.
2. For each run of 89 successive bits of S, the 2^k − 1 possible values are equiprobable.
3. The sequence S contains 2^{k-1} bits equal to 1 and 2^{k-1} − 1 bits equal to 0 in one period T.

Some Statistical Properties of 2-adic Division Boxes. Consider the general situation where a binary sequence S is fed to a 2-adic division box by a prime q. Let S' denote the output sequence, so that S = qS'.
If the length of the division box is k, then the prime q satisfies 2^k ≤ |q| ≤ 2^{k+1} and there are π(2^{k+1}) − π(2^k) such primes, where π(x) = #{p ≤ x | p prime}. In the case k = 89, this gives approximately 2^83 possible values for q. For each input sequence, there are approximately 2^83 possible output sequences. Consider ℓ < 83 consecutive bits of the output sequence, when the divisor is fed with fixed input bits. As, by the Dirichlet density theorem, the number of 89-bit primes in each residue class modulo 2^ℓ is expected to be approximately constant, the ℓ consecutive output bits are expected to take any of the 2^ℓ possible values with approximately equal probability.

2-adic Complexity of S'. Let S_T = \sum_{i=0}^{T-1} s_i 2^i. Then the 2-adic expression of S is S = S_T/N. Let d be the greatest common divisor of S_T and N. Set p' = S_T/d and q' = N/d. The 2-adic reduced form of S is S = p'/q'. From S' = S/q, we deduce S' = p'/(q'q).

Proposition 1. The sequence S' is periodic of period T' = (2^k − 1)(|q| − 1) with a heuristic probability greater than 1 − 2^{-k}.

Proof. Under the hypothesis q ∤ p', the 2-adic reduced form of S' is S' = p'/(q'q). Note that the period of S is T. This implies that the order of 2 modulo q' is T. The order of 2 modulo q is |q| − 1, which is coprime to T. The order of 2 modulo q'q is then T' = (2^k − 1)(|q| − 1). Since |q| is greater than 2^89, the heuristic probability that q divides p' is less than 2^{-k}. For k = 89 this gives a period T' ≈ 2^178.

Lemma 1. The 2-adic complexity of S' is Size(q) + Size(q') = k + 2^k − Size(d), where Size(a) = log_2(|a|) is the bitlength of a.

Proof. This result is the direct consequence of the fact that p'/(q'q) is the reduced form of S' and q'q = (2^T −1)q/d.

Lemma 2. If p is a prime divisor of N then p ≥ 2^k.

Proof. Such a p divides N = 2^T − 1, so the order of 2 modulo p divides T. As T is prime, this order is exactly T. Hence T divides p − 1. This implies p ≥ T + 1 = 2^k.

Lemma 3. The number s of prime divisors (counting multiplicities) of N satisfies s ≤ log(N)/log(T + 1) < T/k.

Lemma 4. For t ≥ 2, we have the inequality (1 − 1/t)^t ≥ exp(−1 − 1/t).

Proof. The function u ↦ ln(1 − u) + (u + u^2) is increasing and positive in the range [0, 1/2], so that for t ≥ 2 we have ln(1 − 1/t) ≥ −(1/t + 1/t^2). Multiplying by t and taking the exponential of both sides gives the result.
Proposition 2. For x ∈ {0, 1, …, N − 1}, the expected value of gcd(x, N) is upper bounded by σ(N), the number of divisors of N.

Proof. For all d dividing N, the probability ρ_d that gcd(x, N) = d is upper bounded by 1/d. Hence the expected value of gcd(x, N) satisfies E(gcd(x, N)) = \sum_{d|N} d ρ_d ≤ \sum_{d|N} 1 = σ(N).

Corollary 1. The expected value of gcd(x, N) for x ∈ {0, …, N − 1} is less than \sqrt[k]{N + 1}.

Proof. From the previous lemmas, we get E(gcd(x, N)) ≤ σ(N) ≤ 2^s < 2^{T/k} = \sqrt[k]{N + 1}.

In consequence, for k = 89, the expected 2-adic complexity of S' is 2^89 + 89 − 2^89/89 ≈ 2^88.
Linear Complexity of S'. The main principle of this pseudorandom generator is the fact that 2-adic operations and linear operations are not related. This fact is used in most hash functions: such a function is a succession of linear (or affine) operations, such as permutations of bits and XOR operations, and of multiplications by a number modulo R, where R is generally a power of 2. This operation is simply a truncated 2-adic multiplication. In our work, we use the inverse of a non-truncated 2-adic multiplication. Under this assumption, the expected linear complexity of S' is the expected linear complexity of a random sequence of length T'. Following [12], it is about 2^{2k-2} (i.e. 2^176 for k = 89).

Modeling of the Pseudo-random Generator by a System of Equations. In this paragraph, we try to express the outputs s'_r of the generator as functions of the secret key values. After a short initialization time of the registers, the size and the degree of non-linearity of such functions increase very quickly. In consequence, it is not possible to use these relations to break the system. Set P(X) = \sum_{i=0}^{k-1} p_i X^i and 1/q = \sum_{i=0}^{\infty} b_i 2^i. We know that the size of q is k; then it is easy to check that the knowledge of q is equivalent to the knowledge of the b_i's for i = 0, …, k − 1: the integer q is the inverse modulo 2^k of b = \sum_{i=0}^{k-1} b_i 2^i. Moreover, we know that q and b are odd, and then b_0 = 1. Since Q(X) is known, the sequence S' is completely known from the knowledge of the p_i and b_i for i = 0, …, k − 1. For each r from 0 to T' − 1, there exists a boolean function F_r such that s'_r = F_r(p_0, …, p_{k-1}, b_0, …, b_{k-1}). Breaking the generator is equivalent to solving the system of equations F_r(p_0, …, p_{k-1}, b_0, …, b_{k-1}) = s'_r for r = 0, …, T'. Note that it is theoretically possible to compute exactly the boolean functions F_r from the knowledge of Q(X). The aim of this paragraph is to determine the degree of non-linearity of these boolean functions and the reason why it
is necessary to eliminate the first values of S'. If not, it would be possible to recover some information about a few bits of P(X) and a few bits of b. For maximum security, we propose to eliminate s'_i for i < k − 1. Set 1/Q(X) = \sum_{i=0}^{\infty} a_i X^i. For i greater than 89, the coefficient a_i can be expressed linearly from a_0, …, a_88. In the sequel, we are interested in the first 89 coefficients of S(X) and S'. Set S(X) = P(X)/Q(X) = \sum_{i=0}^{\infty} s_i X^i. We obtain the following equations:

s_0 = a_0 p_0 = L_0(p_0)
s_1 = a_1 p_0 ⊕ a_0 p_1 = L_1(p_0, p_1)
s_2 = a_2 p_0 ⊕ a_1 p_1 ⊕ a_0 p_2 = L_2(p_0, p_1, p_2)
…
s_i = \sum_{ℓ=0}^{i} a_{i-ℓ} p_ℓ = L_i(p_0, …, p_i) for i ≤ k − 1

The boolean functions L_i are linear, since the first part of the generator is an LFSR. Note that, since 1/Q(X) is well balanced, the average number of null coefficients in the linear boolean functions L_i equals the average number of coefficients equal to 1. We can notice that the diffusion of the p_i's becomes maximal for i greater than k − 1.

Now, we are interested in the action of the 2-adic division of S by q. For the first k values of S', our divisor box can be replaced by the multiplication by b = q^{-1} (mod 2^k). In fact the i-th bit of S' is obtained from the multiplication of S by b (mod 2^{i+1}). First, we will recall some results on the linear complexity of the addition of integers with a fixed size. Set α = \sum_{i=0}^{k-1} α_i 2^i and β = \sum_{i=0}^{k-1} β_i 2^i. Let σ = α + β = \sum_{i=0}^{k} σ_i 2^i. We have:

σ_0 = α_0 ⊕ β_0, carry c_0 = α_0 β_0
σ_1 = α_1 ⊕ β_1 ⊕ c_0, carry c_1 = α_1 β_1 ⊕ α_0 β_0 (α_1 ⊕ β_1)
σ_2 = α_2 ⊕ β_2 ⊕ c_1, carry c_2 = α_2 β_2 ⊕ α_1 β_1 (α_2 ⊕ β_2) ⊕ α_0 β_0 (α_2 ⊕ β_2)(α_1 ⊕ β_1)
…

In our situation, the product S' = bS can be considered as some successive additions: S' = b_0 S + 2 b_1 S + 2^2 b_2 S + … + 2^k b_k S + …. This gives the relations (the degree is the degree of non-linearity of the boolean functions):

s'_0 = b_0 s_0 = a_0 b_0 p_0 = F_0(p_0, b_0), degree 1 (linear!).
s'_1 = b_0 s_1 ⊕ b_1 s_0 = F_1(p_0, p_1, b_0, b_1), degree 2. Carry c_1 = b_0 s_1 b_1 s_0 = c_1(p_0, p_1, b_0, b_1), degree 4.
s'_2 = b_0 s_2 ⊕ b_1 s_1 ⊕ b_2 s_0 ⊕ c_1 = F_2(p_0, p_1, p_2, b_0, b_1, b_2), degree 4. The carry c_2 is of degree 5.
Etc.

In fact, it can be checked that, for i > 1, the degree of non-linearity of F_i is 2i if i is even or 2i − 1 if i is odd. The most important fact is that the number of active variables in F_i is not sufficient for i small. This is the reason why we recommend to use the first k − 1
bits for the initialization of the cells. Under this assumption, our problem can be modelled by a system of equations of expected degree at least 2k − 1, with 2k unknowns. For comparison, the public-key cryptosystem HFE consists of solving a system of degree 2 with about 80 unknowns (cf. [10]).

Cryptanalysis of the Pseudorandom Generator.

Attack on the keys. This generator is broken as soon as P(X) or q is recovered. Indeed, if P(X) is known, it is possible to generate S. Computing the quotient S/S' on k bits gives q. If q is known, it is easy to recover 89 bits of S from S = qS'. The polynomial P(X) is recovered from P(X) = Q(X)S(X). This generator must be resistant to exhaustive attacks on each key. The size of the key space for P(X) is 2^k − 1 (P(X) = 0 is prohibited). The size of the key space for q is the number of prime numbers of size k. For k = 89, it is greater than 2^83. Moreover, there exist many algorithms to generate such prime numbers.

2-adic attack. This attack needs the knowledge of 2Λ_2(S') + 1 bits, that is about 2^176 bits for k = 89.

FCSR-Linear attack. This attack needs the knowledge of 2Λ_L(S') + 1 bits, that is about 2^90 bits for k = 89.

Boolean functions attack. The modeling of the generator by the boolean functions F_k described previously gives rise to a very large polynomial system of very high degree. Moreover, the exact computation of only one equation F_i for i ≥ k is a very difficult problem.
3 A New Self-synchronizing Stream Cipher

It is possible to modify the previous generator to produce a self-synchronizing stream cipher (cf. [8]). The principle is very simple: we need
• an LFSR divisor-box, whose divisor is a primitive irreducible polynomial Q(X) of degree k, and hence of period 2^k − 1,
• an FCSR divisor-box, whose divisor is a negative prime q such that Size(q) = k and N = ord_q(2) = |q| − 1 is coprime to 2^k − 1.

Let S be the message to be encrypted. The encryption scheme is the following:
• Compute S'(X) = S(X)/Q(X) by the LFSR divisor-box.
• Convert S'(X) into the 2-adic integer S'_2.
• Compute the output S''_2 = S'_2/q by the FCSR divisor-box.

[Figure: S enters the LFSR divisor /Q(x), whose output enters the FCSR divisor /q, which outputs S''.]
The decryption scheme follows easily from the encryption scheme:
• Compute S'(2) = qS''(2).
• Convert S'(2) into the series S'(X).
• Compute the input S by S(X) = Q(X)S'(X).

Remark 2. The circuits to compute effectively these converse operations are well known. They correspond to the reverse of the divisor circuits. Their complexity is the same as that of the divisor circuits.

If the size of each divisor-box is k, this scheme is self-synchronized after a delay of length just a little more than 2k bits. Indeed, suppose we know the cipher stream S'' only from the n-th bit s''_n onwards. Multiplying the known part of the stream by q gives the correct bits of S' from s'_{n+k+r} onwards, where r is the length of a possible propagated carry. A carry may occur after the n + k bits of S' as far as the bits of S' are all equal to 1. Note that this carry propagation extends to no more than 2 bits with probability 0.75, and no more than 20 bits with probability greater than 0.999999. We finally can recover a part of the sequence S by multiplication by Q(X). This induces one more delay of k bits for the initialization of the cells of the second multiplier box. For a practical implementation, we propose k = 89. This implies in particular that every irreducible polynomial Q(X) is primitive. The expected synchronization delay is about 200 bits. Moreover, to avoid the problems of the initialization of cells, it is preferable to add a random preamble of size 89 to S, or to initialize all the cells randomly.

Analysis of the Stream Cipher.
• As noticed previously, if we know k consecutive values of the input and output of an LFSR or FCSR divisor-box, it is possible to recover the divisor Q(X) or q of the box. However, when we use a serial composition of FCSR and LFSR divisor-boxes, this attack does not work: such a system cannot be simulated by a simple LFSR or FCSR box.
• Every plaintext bit affects the entire following ciphertext. For example, suppose that two plaintexts differ by only one bit: S_2(X) = S_1(X) + X^n. After the division by Q(X), this gives S'_2(X) = S'_1(X) + X^n/Q(X). Note that X^n/Q(X) is an infinite sequence of period 2^k − 1. Moreover, setting T(X) = X^n/Q(X), then S'_2(2) ≠ S'_1(2) + T(2), since the first addition is without carry, and the second is with carries.
• Achieving an attack on this stream cipher is strongly related to achieving an attack on the pseudorandom generator proposed in the previous section. Indeed, the plaintext can be represented by a polynomial P(X). The ciphertext we get is exactly the output of the sequence generated by the LFSR
generator P (X)/Q(X) followed by a FCSR divisor-box by q. To recover the plaintext, we need to find part of the structure of the pseudorandom generator.
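As an added example (not the authors' code), the following Python script models both the section 2.2 generator (an LFSR generator P(X)/Q(X) feeding a 2-adic divisor by q, checked against the period T' = (2^k − 1)(|q| − 1) of Proposition 1) and the section 3 cipher (serial LFSR and FCSR divisor-boxes, decryption by the multiplier boxes, and a receiver that joins mid-stream so the self-synchronization delay can be observed). The parameters k = 5, Q(X) = X^5 + X^2 + 1, q = −19 and the test message are toy choices made here; the paper's k = 89 would run unchanged, but the brute-force period check would not.

```python
"""Toy LFSR -> FCSR generator (section 2.2) and self-synchronizing cipher (section 3).
Added example, not the authors' code.  Toy parameters (the paper proposes k = 89):
k = 5, Q(X) = X^5 + X^2 + 1 (primitive), q = -19 (2 is a primitive root mod 19 and
|q| - 1 = 18 is coprime to 2^5 - 1 = 31).  Bit lists are first-emitted bit first;
GF(2) polynomials and 2-adic integers are both plain Python ints."""
from typing import Iterable, Iterator, List

K = 5
Q_POLY = 0b100101   # X^5 + X^2 + 1, coefficient of X^i in bit i
Q_ADIC = -19        # negative prime of bitlength K

def lfsr_divide(s_bits: Iterable[int], q_poly: int) -> Iterator[int]:
    """LFSR divisor-box: yields S'(X) = S(X)/Q(X) in GF(2)[[X]], Q(0) = 1.
    Fed with the coefficients of P(X) then zeros, it is the generator P(X)/Q(X)."""
    assert q_poly & 1, "Q(0) must be 1"
    rem = 0                       # register content
    for bit in s_bits:
        rem ^= bit
        out = rem & 1             # q_0 = 1: quotient bit is the low bit
        if out:
            rem ^= q_poly         # subtract (= add over GF(2)) Q(X)
        rem >>= 1
        yield out

def lfsr_multiply(s_bits: Iterable[int], q_poly: int) -> Iterator[int]:
    """Inverse box: yields S(X) = Q(X) S'(X) (carry-less product)."""
    acc = 0
    for bit in s_bits:
        if bit:
            acc ^= q_poly
        yield acc & 1
        acc >>= 1

def fcsr_divide(s_bits: Iterable[int], q: int) -> Iterator[int]:
    """FCSR divisor-box: yields the 2-adic quotient S/q for odd q (any sign).
    Invariant: sum_{i<=n} s_i 2^i - q sum_{i<=n} s'_i 2^i = 2^(n+1) * carry."""
    assert q & 1, "q must be odd"
    carry = 0                     # signed remainder r_n
    for bit in s_bits:
        carry += bit
        out = carry & 1           # q odd: quotient bit = parity of remainder
        carry = (carry - q * out) >> 1   # exact: carry - q*out is even
        yield out

def fcsr_multiply(s_bits: Iterable[int], q: int) -> Iterator[int]:
    """Inverse box: yields the 2-adic product q * S (additions with carry)."""
    acc = 0
    for bit in s_bits:
        acc += q * bit
        yield acc & 1
        acc >>= 1

def lfsr_sequence(p_poly: int, nbits: int, q_poly: int = Q_POLY) -> List[int]:
    """First nbits of the LFSR generator S(X) = P(X)/Q(X)."""
    return list(lfsr_divide([(p_poly >> i) & 1 for i in range(nbits)], q_poly))

def generator(p_poly: int, nbits: int, q_poly: int = Q_POLY, q: int = Q_ADIC) -> List[int]:
    """Section 2.2 generator: S' = S/q with S = P(X)/Q(X), P != 0 and deg P < k."""
    assert 0 < p_poly < (1 << (q_poly.bit_length() - 1)), "P(X) = 0 or deg P >= k"
    return list(fcsr_divide(lfsr_sequence(p_poly, nbits, q_poly), q))

def eventual_period(bits: List[int], preperiod: int) -> int:
    """Smallest t with bits[n+t] == bits[n] for every n >= preperiod in the window."""
    body = bytes(bits[preperiod:])
    for t in range(1, len(body) // 2 + 1):
        if body[t:] == body[:-t]:
            return t
    raise ValueError("window too short to exhibit a period")

def bytes_to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def encrypt(plain: List[int], q_poly: int = Q_POLY, q: int = Q_ADIC) -> List[int]:
    """Section 3: plaintext -> LFSR divisor /Q(X) -> FCSR divisor /q."""
    return list(fcsr_divide(lfsr_divide(plain, q_poly), q))

def decrypt(cipher: List[int], q_poly: int = Q_POLY, q: int = Q_ADIC) -> List[int]:
    """Multiply by q (with carries), then by Q(X) (carry-less)."""
    return list(lfsr_multiply(fcsr_multiply(cipher, q), q_poly))

def resync_delay(plain: List[int], cipher: List[int], start: int) -> int:
    """Decrypt only cipher[start:] from zeroed boxes (a receiver joining late) and
    return how many leading output bits are wrong before it locks onto plain."""
    tail, want = decrypt(cipher[start:]), plain[start:]
    d = len(tail)
    while d > 0 and tail[d - 1] == want[d - 1]:
        d -= 1
    return d

MESSAGE = b"INDOCRYPT 2002: toy self-synchronizing LFSR/FCSR stream cipher. " * 4  # constructed

if __name__ == "__main__":
    s, out = lfsr_sequence(1, 2000), generator(1, 2000)
    print("LFSR period", eventual_period(s, 0), "with", sum(s[:2**K - 1]), "ones per period")
    print("generator period", eventual_period(out, K), "expected", (2**K - 1) * (-Q_ADIC - 1))
    m = bytes_to_bits(MESSAGE)
    c = encrypt(m)
    print("exact decryption:", decrypt(c) == m, "| resync delay from bit 300:", resync_delay(m, c, 300))
```

With these parameters the LFSR output has period 31 with 16 ones per period, the compound generator has period 31 · 18 = 558, and the late-joining receiver recovers the plaintext after roughly 2k bits plus the length of a carry chain.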
4 Conclusion

We considered LFSR and FCSR architectures for pseudorandom generators. We proposed a new pseudorandom generator combining both architectures, which is very fast and well suited for hardware implementation. The presence of two parts of different algebraic nature makes this generator difficult to synthesize by algebraic methods. We also proposed a self-synchronizing stream cipher derived from our pseudorandom generator, which inherits its speed and resistance to known attacks.

The authors wish to acknowledge Anne Canteaut and the anonymous referees for their suggestions and remarks.
References
[1] D. Coppersmith, H. Krawczyk, Y. Mansour, The shrinking generator, Advances in Cryptology, CRYPTO'93, LNCS 773, Springer-Verlag 1994, 22-39.
[2] M. Goresky, A. Klapper, Fibonacci and Galois representation of feedback with carry shift registers, preprint, October 27, 2000.
[3] A. Klapper, M. Goresky, Feedback shift registers, 2-adic span, and combiners with memory, Journal of Cryptology 10 (1997), 111-147.
[4] M. Goresky, A. Klapper, Cryptanalysis based on 2-adic rational approximation, Advances in Cryptology, CRYPTO'95, LNCS 963, Springer-Verlag 1995, 262-274.
[5] N. Koblitz, p-adic Numbers, p-adic Analysis and Zeta-Functions, Springer-Verlag 1997.
[6] F. J. MacWilliams, N. J. A. Sloane, The Theory of Error Correcting Codes, North-Holland 1986.
[7] J. L. Massey, Shift register synthesis and BCH decoding, IEEE Trans. Inform. Theory, vol. IT-15, 122-127, 1969.
[8] U. M. Maurer, New approaches to the design of self-synchronizing stream ciphers, Advances in Cryptology, EUROCRYPT'91, LNCS 547, Springer-Verlag 1991, 458-471.
[9] J. W. Meier, O. Staffelbach, Correlation properties of combiners with memory in stream ciphers, Journal of Cryptology, vol. 5, no. 1, 1992, 67-86.
[10] J. Patarin, Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms, Advances in Cryptology, EUROCRYPT'96, LNCS 1070, Springer-Verlag 1996, 33-48.
[11] R. A. Rueppel, Correlation immunity and the summation generator, Advances in Cryptology, CRYPTO'85, LNCS 218, Springer-Verlag 1985, 260-272.
[12] R. A. Rueppel, Linear complexity of random sequences, Advances in Cryptology, EUROCRYPT'85, LNCS 219, 167-188.
[13] N. Zierler, Linear recurring sequences, J. Soc. Indust. Appl. Math., vol. 7, 1958.
Slide Attack on Spectr-H64
Selçuk Kavut and Melek D. Yücel
Electrical & Electronics Eng. Dept., Middle East Technical University, and TÜBİTAK-BİLTEN, Information Technologies and Electronics Research Institute, 06531, Ankara, Turkey
{kavut,melek-yucel}@metu.edu.tr

Abstract. We compare one-round diffusion characteristics of the block cipher Spectr-H64 to those of AES-Rijndael and Safer K-64, in terms of the Avalanche Weight Distribution (AWD) criterion, and observe a weakness in the round transformation of Spectr-H64. We exploit this weakness to break one round of Spectr-H64, extracting half of the key bits, and develop a chosen plaintext slide attack against the overall encryption algorithm, which works for 2^32 elements of the key space (out of 2^256). We also observe 2^128 weak keys, for which encryption becomes the same function as decryption, and 2^32 fixed points for each weak key.

Keywords: Slide attack, Spectr-H64, Avalanche Weight Distribution (AWD).
1 Introduction
Spectr-H64 is a 12-round Feistel-like cipher, designed by N. D. Goots, A. A. Moldovyan and N. A. Moldovyan [1]. It is based on data-dependent permutations and data-dependent transformation of round keys, with 64-bit input block length and 256-bit key length, as explained in Appendix A. The output P^r = (P_L^r, P_R^r) of the r-th round is found using the 32-bit left and right halves P_L^{r-1} and P_R^{r-1} of the previous round output as

P_L^r = f(P_R^{r-1}, P_L^{r-1}, Q_r),   (1)
P_R^r = P_L^{r-1},   (2)

where the round keys Q_1, …, Q_12 are derived from the original key K ∈ {0,1}^256 (see Table A-1 in Appendix A). The transformation f in (1) has a weak diffusion property such that, if k bits in the right half P_R^{r-1} of the r-th round input P^{r-1} = (P_L^{r-1}, P_R^{r-1}) are complemented to obtain P̄^{r-1} = (P_L^{r-1}, P̄_R^{r-1}), then the corresponding round outputs differ in the left half by exactly k bits; hence the Hamming weight of the difference vector remains the same, i.e.,

k = wt(P^{r-1} ⊕ P̄^{r-1}) = wt(P_R^{r-1} ⊕ P̄_R^{r-1}) = wt(P_L^r ⊕ P̄_L^r) = wt(P^r ⊕ P̄^r).   (3)

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 34-47, 2002. © Springer-Verlag Berlin Heidelberg 2002
In Section 2, we describe the experimental work that leads us to notice the weakness given by (3), and use it to break one round of Spectr-H64. We then propose a slide attack [2, 3] against the overall algorithm in Section 3, which works for 2^32 weak keys of the form K = (K1, K1, K1, K1, K1, K1, K1, K1) with K1 ∈ {0,1}^32. This attack requires 2^17 chosen plaintexts and 2^32 comparisons. We describe the slide attack on a modified variant of Spectr-H64, and implement it by using 2^17 chosen plaintexts and 2^16 comparisons in a sorted list. Finally, we discuss in Section 4 that for the 2^128 keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4), which also include the above mentioned 2^32 weak keys, encryption is the same function as decryption; thus, double encryption reveals the plaintext. For each key in this set of size 2^128, we observe that there are 2^32 fixed points.
2 Breaking One Round of Spectr-H64
Our idea to break one round of Spectr-H64 is based upon the influential work on differential cryptanalysis [4, 5]. We utilise the weak diffusion property described by (3) to extract 128 key bits after one round of the algorithm, using a single known plaintext and 32 adaptively chosen plaintexts. To demonstrate the weakness given by (3), we compare one round diffusion characteristics of Spectr-H64 [1] to those of AES-Rijndael [6] and Safer K-64 [7]. The latter two algorithms are compared in [8] with respect to their Avalanche Weight Distribution (AWD) curves, which are defined as the Hamming weight histograms of ciphertext difference vectors [9]. Calling an encryption function F, the avalanche vector for an input P is the output difference vector A = F(P) ⊕ F(P ⊕ ei), where ei is a unit vector with a 1 in position i. The AWD curves are defined simply as “the number of occurrences (in the sample space of all inputs) of the Hamming weight wt(A) sketched versus wt(A)”; and they are expected to be binomially distributed in the ideal case [9]. In Fig.1, we sketch one round AWD curves corresponding to a (worst case) single bit plaintext difference for the block ciphers AES-Rijndael, Safer K-64, and Spectr-H64, using 1.000.000 randomly chosen plaintext pairs for AES-Rijndael, and 10.000 such pairs for Safer K-64 and Spectr-H64. (The graphs in the figure are normalized in order to make them comparable. Notice that since there are 2^128 elements in the input vector space of Rijndael, as compared to 2^64 elements of the other two ciphers, the AWD curve of Rijndael fluctuates more than the others. This is so because the experimental set of 10.000 random plaintexts divided by 2^64 is a much higher fraction than 1.000.000 / 2^128. Hence, the presented AWD curves of Safer K-64 and Spectr-H64 are relatively more reliable than that of Rijndael.) We observe that although perfect diffusion cannot be obtained in a single round of these ciphers, Safer K-64 and Rijndael are quite successful in diffusing single bit changes, whereas Spectr-H64 is not if the complemented bit is in the right half. The reason why a right half difference vector propagates without any weight change in a given round is that, for the input vectors P and P̄ with identical left half parts, all control bits of the data-dependent permutations P32/80 and P⁻¹32/80 and the output of the nonlinear function G remain the same under the same key (see Fig. A-1). Hence, the difference between the right half parts of P and P̄ is only permuted and reflected to the first round output. It is possible to prove the weak diffusion property given by (3) starting from the round description equation (A-5) given in Appendix A. The initial transformation does not improve this weakness, since its bit permutations between adjacent pairs cannot mix separate halves of the plaintext with each other. Hence, as far as the propagation of the right half input difference is concerned, the first round of the algorithm can be modelled as a cascade connection of P32/80 and P⁻¹32/80 boxes, as shown in Fig.2.

[Fig. 1: AWD curves for Spectr-H64, AES and Safer K-64; horizontal axis wt(A) from 0 to 60, vertical axis the number of occurrences of wt(avalanche vector).]
Fig. 1. One round AWD curves of Spectr-H64, Safer K-64 and AES corresponding to the worst case single bit input differences
The first 5 layers in this figure belong to the permutation P32/80 and the last 5 layers belong to the inverse permutation P⁻¹32/80. The XOR boxes between the P32/80 and P⁻¹32/80 boxes are not included in Fig.2 since they do not have any effect on difference vectors. Another weakness of the round transformation, exploited to extract the key bits after the first round, is the fact that the control vector V1 used in Layer 1 of the P32/80 box and Layer 10 of the P⁻¹32/80 box is completely known. Initially, V1 is equal to the 16-bit right half of the rotated 32-bit left half of the input vector (see equation (A-2a) and Fig. A-1). In the following, we use these two weaknesses of Spectr-H64 to describe how the control bits of one permutation layer are found using all control bits of the previous permutation layer and the propagation of one bit input differences. Calling one round encryption of Spectr-H64 F(P), for a single bit input difference vector ei, F(P ⊕ ei) = F(P) ⊕ ej, for all i ∈ {33, 34, …, 64} and j ∈ {1, 2, …, 32}. Knowing the output difference bits (ej) caused by the input difference bits (ei), the control vector bits are found completely, which are then used to obtain 32 × 4 key bits K1, K2, K3 and K4 by applying the inverse of the extension transformation. In Fig.2, we sketch the first round propagation of the one bit input difference vector e33 (corresponding to the state of all zero control bits at the first and last layers) without considering the initial transformation. Notice that only the right halves of the propagating differences are shown in the figure since the left half differences are all zero vectors. All control bits of Layer 1 and Layer 10 are known since the plaintext is known (we assume vi = vi′ = 0 for i = 1, 2, ..., 16). The first control bit v17 of Layer 2 is found using the propagation of the input difference e33. If one of the output bits indicated by bold lines in Fig.2 is complemented in response to the input difference e33, then v17 = 0; otherwise v17 = 1. As a second step, the value of v18 is found similarly, considering the propagation of either e37 or e39, which are controlled by v18. Knowing the positions of the output bits in response to each single input bit difference, one can then obtain all control bits of Layer 2. Now since we know all the control bits of Layer 2, we can also obtain the input vectors of Layer 3 and the corresponding output vectors of Layer 10; therefore the control bits of Layer 3 are found similarly. In this way all control bits and the key bits K1, K2, K3 and K4 are obtained using a known plaintext-ciphertext pair (P, C) and 32 adaptively chosen plaintext-ciphertext pairs (Pi, Cj) of one round encryption for each value of i (Pi = P ⊕ ei, Cj = C ⊕ ej, i ∈ {33, 34, …, 64}, j ∈ {1, 2, …, 32}). If the initial transformation is included, we observe a similar distribution of output difference bits, as for one round of Spectr-H64 without the initial transformation, in response to a single input bit difference. Therefore, the propagation of one bit input difference can also be exploited similarly to extract the key bits K1, K2, K3 and K4 after one round of Spectr-H64 with the initial transformation.

Fig. 2. The combination of the transformations P32/80 and P⁻¹32/80, illustrating the propagation of one bit input difference (e33) after one round encryption of the algorithm without the initial transformation
3 Applying Slide Attack on Spectr-H64
In this section, firstly the slide attack is applied to a modified variant of Spectr-H64, without the initial and final transformations, for the 2^32 weak keys, and then it is shown how the initial and final transformations affect the number of operations necessary to break the algorithm for the same keys. The first step in the “sliding” direction can be dated back to a 1978 paper by Grossman and Tuckerman [10]. Afterwards, Biham’s work on related-key cryptanalysis [11] and Knudsen's early work [12] are the milestones in this direction. Slide attacks are, in general, independent of the exact properties of the iterated round function and the number of rounds, which is not the case for conventional cryptanalytic tools such as differential and linear cryptanalysis, for which each additional round requires an exponential effort from the attacker [2, 3]. A typical slide attack exploits the self-similarity of a block cipher and views the cipher as a product of identical transformations F_Q(P), where Q is the round key (here F might include more than one round of the cipher). The only requirement on F is that it can be broken easily once an input-output pair is obtained. Calling the identical transformation F_Q = F, and the overall encryption function E = F ∘ F ∘ … ∘ F = F^r, the crucial observation leading to the slide attack [2, 3] is

$$P' = F(P) \text{ and } C = F^{r}(P) \implies C' = F^{r}(P') = F^{r}(F(P)) = F(F^{r}(P)) = F(C).$$

Hence, a standard slide attack tries to find plaintext-ciphertext pairs (P, C) and (P′, C′) with C′ = F(C). Such pairs are called slid pairs, and once a slid pair is found, an extra relation P′ = F(P) is obtained. In order to find the degree of self-similarity in Spectr-H64, we first examine the key schedule given in Table A-1. It is observed that Spectr-H64 has 2^128 weak keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4) for which encryption is the same function as decryption, and thus double encryption reveals the plaintext (see Section 4). However, in this case, the key scheduling does not yield periodic round keys. More specifically, all round keys are different with the exception that Q1 = Q9, Q3 = Q10 and Q4 = Q12; therefore the slide attack does not apply. On the other hand, it is observed that if all Ki’s (i ∈ {1, 2, ..., 8}) are equal to each other, the same round keys are produced for each round, and Q1 = Q2 = ... = Q12 = Q (see Table A-1). Spectr-H64 can then be viewed as a product of identical permutations for this key subspace of 2^32 weak keys in which all Ki’s are equal to each other. Our attack is applicable for only these keys. The overall algorithm consists of the initial transformation, 12 identical round transformations and the final transformation for the mentioned 2^32 weak keys. Because of the weakness described in Section 3, once we obtain a pair (P, P′) of one round encryption where P′ = F(P), 128 key bits of K1, K2, K3 and K4 can be extracted in a negligible time. Therefore the easy cryptanalysis requirement on F is satisfied. We implement the slide attack on a modified variant of Spectr-H64 without the initial and final transformations, as illustrated in Fig.3 in simplified form, where f denotes the transformation applied to the right half of the round input.
Fig. 3. Illustration of the slide attack on Spectr-H64, applicable for the 2^32 keys, without initial and final transformations; if C′L = CR, then P′ is the one round encrypted form of P
A chosen plaintext slide attack encrypts two pools of chosen plaintexts P = (PL, PR) and P′ = (P′L, P′R), where PL = P′R is fixed, and PR and P′L both take 2^16 random values. Then, checking whether C′L = CR, we expect to find a vector P′ in the second pool which is the one round encrypted form of the element P from the first pool with high probability, by the birthday paradox. We identify such a slid pair by using a lookup table (or sorted list) with 2^16 comparisons [2] in a negligible time. After finding a slid pair, the other 32 adaptively chosen plaintext-ciphertext pairs of the first round are easily found with the help of the procedure explained below:
1. Encrypt 32 plaintexts Pi = P ⊕ ei and 32 plaintexts P′j = P′ ⊕ ej corresponding to the slid pair (P, P′), for all i ∈ {33, 34, …, 64}, j ∈ {1, 2, …, 32}, and obtain 32 × 32 ciphertext pairs Ci and C′j. (Notice that the subscript of the ciphertext simply indicates the corresponding plaintext, F^r(Pi) = Ci, and it does not imply that Ci = C ⊕ ei.)
2. Check whether C′iL = CjR for each ciphertext pair; if they are equal, the corresponding plaintext pair Pi and P′j satisfy the equation F(Pi) = P′j.
Notice that since one bit input differences cause one bit output differences after one round encryption of Spectr-H64, the above procedure works. Now, one can extract the 128 key bits used for the first round, as explained in Section 3. Since our attack works for the 2^32 weak keys in which all Ki’s (i ∈ {1, 2, ..., 8}) are equal to each other, knowing the extracted key bits is equivalent to knowing all the key bits. The attack is independent of the number of rounds of the cipher, and requires 2^17 chosen plaintexts and 2^16 comparisons. Next, we consider the effect of the initial and final transformations on the cryptanalysis of Spectr-H64. One can observe from Fig.A-1 that, if successive bits of the plaintext entering the same P2/1 boxes are chosen the same, the initial transformation output is independent of the control bits. Hence, in the attempt of finding a slid pair, where one assigns the plaintexts P = (PL, PR) and P′ = (P′L, P′R) such that PL = P′R, we can choose PL and P′R in the above mentioned form that the initial transformation cannot affect. For example, if PL and P′R are chosen as all zero vectors (see Fig.4), the effect of the initial transformation is removed; however, the final transformation still remains effective unless QFTL = QFTR.
Fig. 4. Illustration of the effect of the initial and final transformations on the slide attack shown in Fig.3
If QFTL = QFTR, the left and right halves of the final transformation inputs are subject to the same permutation, and one can find a match for the vectors C′L and CR with 2^16 comparisons. On the other hand, if QFTL ≠ QFTR, we have to guess all possible (2 × 2^16) input vectors of the final transformation in order to find a match between C′L and CR. The slide attack on Spectr-H64 also requires 2^17 chosen plaintexts, as for the slide attack on the modified variant of Spectr-H64. However, in this case, since we have 2 × 2^32 possible vectors C′L and CR due to the different left and right halves of the vector QFT, the time complexity increases remarkably from 2^16 to 2^32. In addition, there may be some false matches between the vectors C′L and CR while guessing the vectors QFTL and QFTR, which can be checked immediately during the process of extracting the key bits.¹ After finding a slid pair, 32 adaptively chosen plaintexts can be found using a similar procedure, which is explained for the attack on the modified variant. The key bits are extracted after breaking one round of Spectr-H64 with the initial transformation, as explained in Section 3.
4 Weak Keys and Fixed Points
The analysis of fixed points in DES weak keys and the cycle structure of DES using these keys are explained by Coppersmith [13]. Moore and Simmons published more extensive work later on DES weak keys [14]. We observe that Spectr-H64 also has a set of 2^128 weak keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4), for which encryption is the same function as decryption. Since the round keys for decryption become the same as the round keys for encryption (see Table 1), double encryption reveals the plaintext.

Table 1. The round keys of Spectr-H64 used for both encryption and decryption, for the keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4)

Round key   A    B    C    D    E    F
QIT         K1
Q1          K1   K1   K3   K4   K2   K2
Q2          K4   K3   K1   K2   K3   K4
Q3          K3   K4   K1   K2   K3   K4
Q4          K2   K2   K3   K4   K1   K1
Q5          K1   K1   K4   K3   K2   K2
Q6          K3   K4   K2   K1   K4   K3
Q7          K4   K3   K2   K1   K3   K4
Q8          K2   K3   K4   K3   K1   K1
Q9          K1   K1   K3   K4   K2   K2
Q10         K3   K4   K1   K2   K3   K4
Q11         K3   K4   K1   K2   K4   K3
Q12         K2   K2   K3   K4   K1   K1
QFT         K1
Notice that the final transformation is the inverse of the initial transformation, and the ith (i = 1, 2, …, 12) round key (A, B, C, D, E, F) of the decryption process is used to decrypt the (13-i)th round key (E, F, C, D, A, B) of the encryption process. If all round keys of the encryption and decryption are equal as in Table 1, the last six rounds of encryption can decrypt the intermediate cipher result obtained after the first six rounds of encryption, whenever the left and right halves of the intermediate cipher result are equal to each other. Hence, there are 2^32 fixed points for each weak key, which may cause some problems in using Spectr-H64 to build secure hash functions.

¹ The correctness of the guesses of the left and right halves of the vector QFT can also be checked by a trial encryption if we exploit the restriction on the key bits. In this case, the secret key can be found directly without the cryptanalysis process explained in Section 3.
5 Conclusion
In this paper, we first describe an attack on a single round of Spectr-H64, which exploits the diffusion weakness of the algorithm described by (3). This one round attack extracts 128 bits of the 256-bit key by using 1 known and 32 chosen plaintexts. Easy cryptanalysis of the first round then leads us to propose a slide attack against the overall algorithm, which uses 2^17 chosen plaintexts. The described slide attack requires 2^32 comparisons of 32-bit blocks, which takes much less work than the 2^32 encryption operations needed for a brute force attack in a subset of 2^32 keys. The same attack is implemented on the modified variant of Spectr-H64 (only excluding the initial and final transformations), and the unknown key is identified using 2^17 chosen plaintexts and 2^16 comparisons. Since the attack is applicable for a small key subspace (one out of 2^192), it does not indicate that Spectr-H64 is weak, but it should be interpreted as an independent confirmation of the observation in [2], which states that auto-key ciphers and data-dependent transformations are potentially vulnerable to conventional slide attacks. On the other hand, the 2^128 weak keys and 2^32 fixed points for each weak key that we observe indicate that the key scheduling of the algorithm should be improved. As a final remark, we should mention that the key scheduling of Spectr-H64 yields four round periodicity for 2^64 weak keys of the form K = (K1, K1, K1, K1, K2, K2, K2, K2), which makes the cipher vulnerable to a similar slide attack [2], where the identical transformation F includes four rounds of the cipher. Although one may suspect that this periodicity makes Spectr-H64 also a candidate for advanced slide attacks [3], we think that this is not possible, because a suitable advanced slide attack with four round periodicity would be a combination of “complementation slide” and “sliding with a twist”; however, the complementation slide is not applicable because of the data-dependent permutations of the round keys.
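The key-schedule observations behind Section 3 (identical round keys), Section 4 (encryption equal to decryption) and the four-round periodicity noted above can be checked mechanically. The following Python is an added example, not the authors' code: it encodes Table A-1 of Appendix A and classifies a key by the structure of its round-key sequence (key segments are modelled as arbitrary 32-bit integers; the round-key reordering (E, F, C, D, A, B) for decryption is the one stated in Appendix A).

```python
# Table A-1: for round key Q_i, the 1-based indices of the key segments L1..L8 that fill
# the six 32-bit slots (A, B, C, D, E, F) of that round key.
TABLE_A1 = (
    (1, 2, 6, 7, 3, 4),  # Q1
    (8, 6, 1, 4, 5, 7),  # Q2
    (5, 7, 2, 3, 6, 8),  # Q3
    (4, 3, 5, 8, 2, 1),  # Q4
    (1, 2, 7, 6, 4, 3),  # Q5
    (6, 8, 3, 1, 7, 5),  # Q6
    (7, 5, 4, 2, 6, 8),  # Q7
    (4, 3, 8, 5, 1, 2),  # Q8
    (2, 1, 6, 7, 4, 3),  # Q9
    (6, 8, 1, 4, 5, 7),  # Q10
    (5, 7, 2, 3, 8, 6),  # Q11
    (3, 4, 5, 8, 1, 2),  # Q12
)


def round_keys(key):
    """Encryption round keys Q1..Q12 for key = (L1, ..., L8), each as a tuple (A,B,C,D,E,F)."""
    if len(key) != 8:
        raise ValueError("a Spectr-H64 key is eight 32-bit segments")
    return [tuple(key[j - 1] for j in row) for row in TABLE_A1]


def decryption_round_keys(key):
    """Decryption round i uses encryption round key Q_(13-i) reordered to (E, F, C, D, A, B)."""
    return [(q[4], q[5], q[2], q[3], q[0], q[1]) for q in reversed(round_keys(key))]


def transform_keys(key):
    """(QIT, QFT) = (L1, L2): the 32-bit keys of the initial and final transformations."""
    return key[0], key[1]


def round_key_period(key):
    """Smallest p >= 1 with Q_i = Q_(i+p) for every i, or 0 when the schedule has no period.
    p = 1 is the class of 2^32 keys for which the cipher is a product of identical rounds;
    p = 4 is the class K = (K1,K1,K1,K1,K2,K2,K2,K2) mentioned in the conclusion."""
    qs = round_keys(key)
    for p in range(1, len(qs)):
        if all(qs[i] == qs[i + p] for i in range(len(qs) - p)):
            return p
    return 0


def is_involution_key(key):
    """True when encryption and decryption use the same round keys and QIT = QFT, so that
    encrypting twice returns the plaintext (the 2^128 keys of Section 4)."""
    qit, qft = transform_keys(key)
    return round_keys(key) == decryption_round_keys(key) and qit == qft


def repeated_round_keys(key):
    """Pairs (i, j), i < j, with Q_i = Q_j; for the Section 4 keys this is (1,9), (3,10), (4,12)."""
    qs = round_keys(key)
    return [(i + 1, j + 1) for i in range(12) for j in range(i + 1, 12) if qs[i] == qs[j]]


def weak_key_class(key):
    """Name the structural class a key falls into, or None for a generic key.
    The classes nest: all-equal keys are also four-round periodic, which are also involution keys."""
    l = key
    if len(set(l)) == 1:
        return "all segments equal: identical round keys (period 1)"
    if l[0] == l[1] == l[2] == l[3] and l[4] == l[5] == l[6] == l[7]:
        return "four-round periodic round keys"
    if l[0] == l[1] and l[2] == l[3] and l[4] == l[5] and l[6] == l[7]:
        return "encryption equals decryption (2^32 fixed points)"
    return None


if __name__ == "__main__":
    for name, key in [("generic", tuple(range(1, 9))),
                      ("pairs", (1, 1, 2, 2, 3, 3, 4, 4)),
                      ("quads", (1, 1, 1, 1, 2, 2, 2, 2)),
                      ("all-equal", (7,) * 8)]:
        print(name, "period:", round_key_period(key), "involution:", is_involution_key(key),
              "repeats:", repeated_round_keys(key), "class:", weak_key_class(key))
```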
References
[1] N.D. Goots, A.A. Moldovyan, and N.A. Moldovyan, Fast Encryption Algorithm Spectr-H64. In: V.I. Gorodetski, V.A. Skormin, L.J. Popyack (Eds.), Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security. Lecture Notes in Computer Science, Vol. 2052, pp. 275-286, Springer-Verlag, 2001.
[2] A. Biryukov and D. Wagner, Slide Attacks. In: L.R. Knudsen (Ed.), Fast Software Encryption – FSE’99. Lecture Notes in Computer Science, Vol. 1636, pp. 245-259, Springer-Verlag, 1999.
[3] A. Biryukov and D. Wagner, Advanced Slide Attacks. In: B. Preneel (Ed.), Advances in Cryptology – EUROCRYPT’2000. Lecture Notes in Computer Science, Vol. 1807, pp. 589-606, Springer-Verlag, 2000.
[4] S. Murphy, The Cryptanalysis of FEAL-4 with 20 Chosen Plaintexts. Journal of Cryptology, Vol. 2, No. 3, pp. 145-154, 1990.
[5] A. Shamir and E. Biham, Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991.
[6] J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, 2002.
[7] J.L. Massey, Safer K-64: A Byte-Oriented Block-Ciphering Algorithm. In: R.J. Anderson (Ed.), Fast Software Encryption – FSE’93. Lecture Notes in Computer Science, Vol. 809, pp. 1-17, Springer-Verlag, 1994.
[8] S. Kavut and M.D. Yücel, On Some Cryptographic Properties of Rijndael. In: V.I. Gorodetski, V.A. Skormin, L.J. Popyack (Eds.), Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security. Lecture Notes in Computer Science, Vol. 2052, pp. 300-311, Springer-Verlag, 2001.
[9] E. Aras and M.D. Yücel, Performance Evaluation of Safer K-64 and S-Boxes of Safer Family. Turkish Journal of Electrical Engineering & Computer Sciences, Vol. 9, No. 2, pp. 161-175, 2001.
[10] E.K. Grossman and B. Tuckerman, Analysis of a Weakened Feistel-like Cipher. Proc. International Conference on Communications, pp. 46.3.1-46.3.5, Alger Press, 1978.
[11] E. Biham, New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology, Vol. 7, pp. 229-246, 1994.
[12] L.R. Knudsen, Cryptanalysis of LOKI91. In: J. Seberry and Y. Zheng (Eds.), Advances in Cryptology – ASIACRYPT’92. Lecture Notes in Computer Science, Vol. 718, pp. 196-208, Springer-Verlag, 1993.
[13] D. Coppersmith, The Real Reason for Rivest's Phenomenon. Proc. CRYPTO’85, pp. 535-536, Springer-Verlag, 1986.
[14] J.H. Moore and G.J. Simmons, Cycle Structure of the DES with Weak and Semi-Weak Keys. Proc. CRYPTO'86, pp. 9-32, Springer-Verlag, 1987.
Appendix A: Description of Spectr-H64

The algorithm [1] is designed as a sequence of the initial transformation IT, 12 iterative rounds, and the final transformation FT. The overall encryption structure is shown in Fig.A-1. Round keys Q1, …, Q12 are derived from the original key K ∈ {0,1}^256, as shown in each column of Table A-1. Notice that in Table A-1, L1, L2, …, L8 ∈ {0,1}^32 indicate segments of the original key K = (L1, …, L8) and A, B, C, D, E, F (which are also used in Fig.A-1) correspond to 32-bit segments of each round key Qi ∈ {0,1}^192. The initial and final transformations use the 32-bit keys QIT = L1 and QFT = L2. In Fig.A-1, qi and qi′ indicate the elements of QIT = (q1, q2, …, q32) and QFT = (q1′, q2′, …, q32′), respectively.
Table A-1. Key scheduling for Spectr-H64 encryption

Round key segment   Q1   Q2   Q3   Q4   Q5   Q6   Q7   Q8   Q9   Q10  Q11  Q12
A                   L1   L8   L5   L4   L1   L6   L7   L4   L2   L6   L5   L3
B                   L2   L6   L7   L3   L2   L8   L5   L3   L1   L8   L7   L4
C                   L6   L1   L2   L5   L7   L3   L4   L8   L6   L1   L2   L5
D                   L7   L4   L3   L8   L6   L1   L2   L5   L7   L4   L3   L8
E                   L3   L5   L6   L2   L4   L7   L6   L1   L4   L5   L8   L1
F                   L4   L7   L8   L1   L3   L5   L8   L2   L3   L7   L6   L2

Fig. A-1. Overall encryption scheme of Spectr-H64
The only difference between encryption and decryption of Spectr-H64 results from the key scheduling of the alg
orithm. If for i ∈ {1, 2, …, 12} the ith round key of the encryption process is Qi = (A, B, C, D, E, F), then the (13-i)th round key of the decryption process is Q13-i = (E, F, C, D, A, B). Similarly, the final vector QFT used for encryption is equal to the initial vector QIT of the decryption. In each round of Spectr-H64, the following operations are used:
• cyclic rotation “>>>k” by a fixed amount k,
• XOR operation “⊕”,
• nonlinear function G_CD,
• data-dependent permutations P32/80 and P⁻¹32/80, and
• extension operation E_AB (or E_CD and E_EF),
where the subscripts A, B, …, F denote 32-bit segments of the 192-bit round key Qi = (A, B, C, D, E, F) used by the boxes G and E. The initial and final transformations also perform data-dependent permutations. The nonlinear function G_CD uses the central segments C and D of the round key, and yields a 32-bit output vector Y, for a 32-bit input vector X, as

$$Y = G_{CD}(X) = M_0 \oplus M_1 \oplus (M_2 \otimes C) \oplus (M_2 \otimes M_5 \otimes D) \oplus (M_3 \otimes M_5) \oplus (M_4 \otimes D),$$

where the vectors M0, …, M5 are obtained recursively through X as follows:

$$M_0 = (m_1^{(0)}, m_2^{(0)}, \ldots, m_{32}^{(0)}) = X, \quad (A\text{-}1a)$$
$$M_j = (m_1^{(j)}, m_2^{(j)}, \ldots, m_{32}^{(j)}) = (1, m_1^{(j-1)}, \ldots, m_{31}^{(j-1)}), \quad (A\text{-}1b)$$

where j = 1, …, 5. The extension operation E_AB shown in Fig.A-1 is used to form an 80-bit control vector, which is represented as

$$E_{AB}(U) = (V_1, V_2, V_3, V_4, V_5) = V,$$

where U ∈ {0,1}^32, V1, V2, …, V5 ∈ {0,1}^16 and V ∈ {0,1}^80. The vectors V1, V2, …, V5 are determined according to

$$V_1 = U_R, \quad (A\text{-}2a)$$
$$V_2 = \pi((U \oplus A)_R), \quad (A\text{-}2b)$$
$$V_3 = \pi'((U \oplus B)_R), \quad (A\text{-}2c)$$
$$V_4 = \pi'((U \oplus B)_L), \quad (A\text{-}2d)$$
$$V_5 = \pi((U \oplus A)_L), \quad (A\text{-}2e)$$

where the subscripts L and R denote the left and right half of the vectors respectively, and the fixed permutations π and π′ are defined for Z ∈ {0,1}^32 as

$$\pi(Z) = (Z_R \ggg 1,\; Z_L \ggg 1), \quad (A\text{-}3)$$
$$\pi'(Z) = (Z_R \ggg 5,\; Z_L \ggg 5). \quad (A\text{-}4)$$
The data-dependent permutation applied on the input X ∈ {0, 1}32 by the P32/80 box (Fig.A-2) produces the output Y ∈ {0, 1}32: Y = P32/80(X,V), where V = (v1, v2, …, v80) is the control vector formed by the extension operation.
The P32/80 box consists of 80 P2/1 boxes arranged in 5 layers. Each P2/1 box has one control bit vi (i ∈ {1, …, 80}), a 2-bit input vector and a 2-bit output vector. If the control bit vi = 0, then the input vector is directly carried to the output; otherwise the input bits are interchanged. From Fig.A-2 it is seen that the P32/80 box applies four permutations after the first 4 layers. It is important to observe that the initial values of the control bits (v1, v2, …, v16) of the first layer are equal to the right half part of the 11-bit cyclically rotated form of the left half plaintext (see Fig.A-1 and equation (A-2a)). The operation performed by the P⁻¹32/80 box is the inverse of the operation applied by the P32/80 box. Therefore, the control bits of the last layer of the P⁻¹32/80 box are also equal to the right half part of the 11-bit cyclically rotated form of the left half plaintext.
Fig. A-2. P32/80 box
We can now describe the round transformation of Spectr-H64, for r = 0, 1, …, 11, as follows. Let

$$X = E_{EF}(P_L^{r} \ggg 11), \quad (A\text{-}5a)$$

and

$$V = G_{CD}(P_L^{r} \oplus C) \oplus P_{32/80}(E_{CD}(P_L^{r} \ggg 17), D) \oplus P_{32/80}(E_{AB}(P_L^{r} \ggg 11), P_R^{r}); \quad (A\text{-}5b)$$

then

$$P_L^{r+1} = P^{-1}_{32/80}(X, V), \quad (A\text{-}5c)$$
$$P_R^{r+1} = P_L^{r}, \quad (A\text{-}5d)$$

where (P_L^r, P_R^r) is the intermediate result after the rth round of encryption.
The initial (IT) and final (FT) transformations of the algorithm are represented as

$$Y = IT(X, Q_{IT}); \quad Y' = FT(X', Q_{FT}),$$

where X, X′, Y, Y′ ∈ {0,1}^64 and QIT, QFT ∈ {0,1}^32. As shown in Fig.A-1, the initial transformation uses the 32 bits of QIT = (q1, q2, …, q32) as the control bits of its 32 P2/1 boxes, which interchange the two input bits with indices 2i-1 and 2i whenever qi = 1. Each even indexed bit at the P2/1 box output is then inverted. The final transformation becomes the inverse of the initial transformation if QFT = QIT, i.e., each even indexed bit of the input block is first inverted and then each pair of bits with indices 2i-1 and 2i is interchanged whenever the control bit qi′ = 1, where QFT = (q1′, q2′, …, q32′).
On Differential Properties of Pseudo-Hadamard Transform and Related Mappings (Extended Abstract) Helger Lipmaa Laboratory for Theoretical Computer Science Department of Computer Science and Engineering Helsinki University of Technology P.O.Box 5400, FI-02015 Espoo, Finland [email protected]
Abstract. In FSE 2001, Lipmaa and Moriai proposed efficient log-time algorithms for computing some functions that are related to the differential probability of modular addition. They posed it as an open question whether their algorithms can be generalized to more complex functions. In this paper, we will give a fundamentally different proof of their main result by using a more scalable linear-algebraic approach. Our proof technique enables us to easily derive differential probabilities of some other related mappings like the subtraction and the Pseudo-Hadamard Transform. Finally, we show how to apply the derived formulas to analyse partial round mapping of Twofish. Keywords: differential probability, linear functions, Pseudo-Hadamard Transform, Twofish.
1 Introduction
To measure the success of first-order differential cryptanalysis [BS91] against cryptographic primitives like block ciphers, one must be able to efficiently calculate the differential probability of various functions. For example, one might need to bound the maximum differential probability, or the percentage of impossible differentials. Several well-known block ciphers were constructed so that their differential probabilities are easy to compute. This has made it possible to bound the relevant maximum differential probabilities and to prove security against impossible differential cryptanalysis. While this design methodology has been very productive (for example, AES and KASUMI are based on such an approach), practice has shown that ciphers that are specifically constructed to thwart differential attacks are sometimes “simple enough” to be attackable by other cryptanalytic methods [JK97]. For this reason, the majority of modern block ciphers are still designed in a way that makes it rather difficult to estimate their security against differential cryptanalysis. This difficulty is mostly caused by the hardness of computing differential probabilities of the corresponding ciphers, not to mention the maximum differential probabilities or many other differential properties. This situation is perhaps best demonstrated by the fact that until lately it was still not known how to efficiently compute exact differential probabilities of very simple and widely used mappings like addition modulo 2^n. Only recently Lipmaa and Moriai made a breakthrough in this respect, by showing in [LM01] how to compute the differential probability of addition modulo 2^n, for n > 1. Their algorithms are surprisingly efficient, working in worst-case time Θ(log n) when a RAM model of computation is assumed. By contrast, the best previous algorithms for related problems often worked in time 2^{Ω(n)}. In the same paper, Lipmaa and Moriai suggested the following “bottom-up” cryptanalysis principle: start with an exhaustive analysis of the simplest primitives and then gradually work upwards toward the analysis of whole ciphers.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 48–61, 2002. © Springer-Verlag Berlin Heidelberg 2002

The current paper is a further extension of the methods from [LM01]. We compute differential probabilities of a special class of practically important mappings. All such mappings can be represented as

$$F(x_1, x_2) = (x_1 \ll \kappa_{11} \pm x_2 \ll \kappa_{12},\; x_1 \ll \kappa_{21} \pm x_2 \ll \kappa_{22})$$

with κ_jk ≥ 0. Here, x ≪ k denotes the left shift of x by k bits (i.e., x ≪ k = 2^k · x mod 2^n), and ± denotes either addition or subtraction in Z_{2^n}, where n ≥ 1. We call the class of such mappings Quasi-Hadamard Transforms. We show that for all Quasi-Hadamard Transforms, the formula for the differential probability dp^F of F can be transformed to a simple matrix equation in the inputs x and the carries c that occur in the additions x_1 ≪ κ_j1 ± x_2 ≪ κ_j2. It is valid to assume that c is a constant in the special case when κ_11 = κ_21, κ_12 = κ_22 and κ_11 ≤ κ_12 + 1. This gives us a matrix equation in x, with 2^{2n} · dp^F(∆x → ∆y) being equal to the number of solutions to this matrix equation, which can be found by using standard methods from linear algebra. This results, in particular, in a closed-form formula and log-time algorithms for the differential probability of all functions that have the form F(x_1, x_2) = 2^{κ_1} x_1 ± 2^{κ_2} x_2. Our formula for addition is equivalent to the formula from [LM01], but our proof technique is very different and allows us to obtain a more general result after a relatively compact proof. Apart from addition and subtraction, only a few Quasi-Hadamard Transforms are used in real block ciphers. The most important one, the PHT (Pseudo-Hadamard Transform), is employed in SAFER [Mas93] and Twofish [SKW+99]. The PHT is defined as PHT(x_1, x_2) = (2x_1 + x_2, x_1 + x_2). Another example is Schnorr’s FFT-hash [Sch92] that employs several functions F of type F(x_1, x_2) = (4^j x_1 + x_2, x_1 + x_2). The mappings of both types are invertible. In the current paper, we present a formula for dp^PHT. We show that a differential δ = (∆x_1, ∆x_2 → ∆y_1, ∆y_2) is PHT-possible iff the corresponding projections of δ are possible under both coordinate mappings of both PHT and PHT^{-1}. We also describe a log-time algorithm for dp^PHT. Therefore, this paper first solves completely the case when F(x_1, x_2) = x_1 ≪ κ_11 ± x_2 ≪ κ_12 for κ_1 ≤ κ_2 + 1, and second, solves the important case of the Pseudo-Hadamard Transform.
50
Helger Lipmaa
We conclude the current paper with some applications of our results to Twofish [SKW+99], which was one of the leading AES candidates. In particular, we present a short proof that certain differentials described by Robshaw and Murphy in [MR02] (originally obtained by extensive computer experiments) are optimal under their conditions. Our proof only needs an exhaustive search over ≤ 2^10 differentials. We present a few new differentials that are optimal under some more general conditions and might result in other applications of the methods from [MR02]. Road-Map. In Section 2, we introduce the preliminaries and notation that are necessary for reading the rest of this paper. In Section 3, we present a linear-algebraic framework for computing the differential probability of a large class of interesting mappings. In particular, in Section 3.2 we derive a formula for the differential probability of any mapping of the form F(x1, x2) = x1^{κ11} ± x2^{κ12}. In Section 4, we present a formula for the differential probability of the Pseudo-Hadamard Transform. In Section 5, we apply our results to the partial round function of Twofish. We end the paper with conclusions.
2 Preliminaries and Notation
Notation. Throughout this paper, we denote by n the bit-length of basic variables. We equivalently consider these variables as bit-strings of length n, members of the group (Z_{2^n}, +) or members of the ring (Z_2^n, ·, ⊕). The variables x (the input variable) and y (the output variable) have a special meaning. For any bit-vector α ∈ Z_2^{2n}, let α1 (resp., α2) denote its least significant (resp., most significant) half. For any bit-vector α ∈ Z_2^m, m ≥ 1, let α = α_0 2^0 + ··· + α_{m−1} 2^{m−1} be the binary representation of the corresponding integer, with α_i ∈ {0, 1} being the ith bit of α. That is, we start counting bits from zero. We use the special notation α_i to distinguish individual bits of α from n-bit sub-vectors of a 2n-bit vector. We assume that α_i = 0 when i ∉ [0, m − 1]. Let wh(α) be the Hamming weight of α, that is, if α ∈ Z_2^m then wh(α) = α_0 + ··· + α_{m−1}. The Hamming weight of an α ∈ Z_2^m can be computed in time Θ(log m) in a RAM model. Let ntz(x) be the number of trailing zeros of x; that is, ntz(x) = k iff 2^k | x but 2^{k+1} ∤ x. For example, ntz(48) = 4 and ntz(0) = n. The function ntz can then be computed in time O(log2 n) as ntz(x) := wh(x − (x ∧ (x − 1)) − 1). Let α·β denote the component-wise multiplication in Z_2^m. Let maj(α, β, γ) := α·β ⊕ α·γ ⊕ β·γ be the bitwise majority function, xor(α1, ..., αm) := α1 ⊕ ··· ⊕ αm, and eq(α, β, γ) := (1 ⊕ α ⊕ β) · (1 ⊕ α ⊕ γ) be the bitwise equality function. (The xor function is solely introduced to make some formulas more readable.) Clearly, maj(α, β, γ)_i = 1 iff α_i + β_i + γ_i ≥ 2, and eq(α, β, γ)_i = 1 iff α_i = β_i = γ_i. Observe that matrix indexes (denoted as A_ij) start with 1, while vector indexes (denoted as α_i) start with 0. Differential cryptanalysis. Let ∂x = x ⊕ x* be the difference between two inputs x, x* ∈ Z_2^{m1 n} to a fixed mapping F : Z_2^{m1 n} → Z_2^{m2 n}. For every intermediate
On Differential Properties of Pseudo-Hadamard Transform
51
node Q in the computation graph of F, let q (or q*) denote the value in this node when the input was x (or x*). Let ∂q = q ⊕ q* be the corresponding difference, with the concrete inputs x and x* usually understood from the context. In particular, let ∂F(x) = F(x) ⊕ F(x*) be the output difference. By ∆q we denote the "desired" difference in node Q. That is, this is the difference the cryptanalyst is "aiming for", but which is not necessarily the actual difference for every choice of x and x* with ∂x = ∆x. The cryptanalyst is successful when the probability Pr_x[∂F = ∆F] is high. We always assume that ∆x = ∂x, since ∂x can be controlled by the adversary in all relevant attack models. The pair (∆x, ∆F) is usually denoted as (∆x → ∆F). For any mapping F : Z_2^{m1 n} → Z_2^{m2 n}, the differential probability dp^F : Z_2^{m1 n} × Z_2^{m2 n} → [0, 1] of F is defined as dp^F(δ) := Pr_x[F(x) ⊕ F(x ⊕ ∆x) = ∆y], where x is chosen uniformly at random from Z_2^{m1 n}. Equivalently, dp^F(δ) = |{x ∈ Z_2^{m1 n} : F(x) ⊕ F(x ⊕ ∆x) = ∆y}| / |Z_2^{m1 n}|. We say that δ is F-possible if dp^F(δ) ≠ 0. Linear algebra. Let Mat_{k×ℓ}(R) be the group of k×ℓ matrices over a commutative ring R. Let Mat_k(R) := Mat_{k×ℓ}(R) when k = ℓ. We will mostly need n × n and 2n × 2n matrices. In the latter case, let A_ij, i, j ∈ {0, 1}, denote the n × n sub-matrix of A that starts at row i · n + 1 and column j · n + 1. For any binary matrix (or vector) A, let ¬A denote the bit-inverse of A, that is, ¬A_ij = 1 ⊕ A_ij where A_ij ∈ Z_2. To simplify reading, we denote matrices with capital letters and vectors with lower-case letters. Let J be the binary m × m Toeplitz matrix with J_ij = 1 iff i = j + 1; m is usually understood from the context. Clearly, for any k and α ∈ Z_2^m, (J^k · α)_i = α_{i−k}. Thus, J^k · α corresponds to shifting the bits of α to the left k times (when α is seen as a bit-string), or to the modular multiplication 2^k · α in the ring Z_{2^n}.
For any α ∈ Z_2^m, let [[α]] be the unique diagonal matrix such that [[α]]_ii = α_{i−1}. (Recall that by our convention, the matrix indexes start from 1 but the vector indexes start from 0.) Note that [[α]] · β = α · β, where on the right-hand side "·" denotes component-wise multiplication in Z_2^n. That is, (α · β)_i = α_i · β_i. Also, J · [[α]] · β = Σ_{i=1}^{m−1} α_{i−1} β_i = [[Jα]] · β = (Jα) · β for any α, β ∈ Z_2^m. Now, let A · α = β be an arbitrary non-homogeneous matrix equation with A ∈ Mat_m(Z_2) and α, β ∈ Z_2^m. This equation has a solution in α ∈ Z_2^m iff rank(A) = rank(A | β), where (A | β) is an m × (m + 1) matrix. If there is at least one solution, the solution space is a subspace of Z_2^m of dimension m − rank(A). Hence, it has 2^{m−rank(A)} elements. As an example, if A is the identity matrix then A · α = β has a solution iff m = rank(A) = rank(A | β) = m (i.e., always). Since 2^{m−rank(A)} = 2^{m−m} = 2^0 = 1, there is only one solution, α ← β. Bit-level operations. Let α^k := 2^k α mod 2^n be the left shift of α by k bits. If the variables are seen as bit-vectors of length m then the following operations have natural Boolean analogues: α · β = α ∧ β (multiplication in Z_2^m corresponds to the Boolean AND), J^k α = α^k (multiplication by J^k corresponds to the left shift by k positions) and ¬α corresponds to bit-negation. While we use the algebraic
notation during this paper, keeping these few equivalences in mind should make it fairly simple to transform our formulas into efficient algorithms in any modern computer language.

Carry and borrow. For any α, β ∈ Z_2^n, let carry(α, β) := α ⊕ β ⊕ (α + β) be the carry and borrow(α, β) := α ⊕ β ⊕ (α − β) be the borrow of α and β. We often denote carry by carry_1 and borrow by carry_0.

Differential Probability of Addition. Let δ = (∆x1, ∆x2 → ∆y) and e = eq(J∆x1, J∆x2, J∆y). In [LM01], Lipmaa and Moriai showed that, reformulated in our notation, dp+(δ) = 0 when e · (xor(∆x1, ∆x2, ∆y) ⊕ J∆x2) ≠ 0, and dp+(δ) = 2^{−wh(¬e)} otherwise.

[Fig. 1. Computational graph of a function a) F ∈ L1 with three internal nodes (z1 = x1^{κ1}, z2 = x2^{κ2}, y1 = z1 ± z2) and of a function b) F ∈ L2 with 6 internal nodes (z11 = x1^{κ11}, z21 = x1^{κ21}, z12 = x2^{κ12}, z22 = x2^{κ22}, y1 = z11 ± z12, y2 = z21 ± z22).]
3 Linear-Algebraic Viewpoint to Differential Probability
3.1 Differential Probability in Language of Matrix Equations
We proceed with computing the differential probabilities of some mappings of the form (x1^{κ11} ± x2^{κ12}, x1^{κ21} ± x2^{κ22}). We call such functions Quasi-Hadamard Transforms. In this section, we develop a general framework for handling all mappings of the form F(x1, x2) = x1^{κ1} ± x2^{κ2}. In particular, we show that the differential probability of such a mapping is equal to 2^{−2n} times the number of solutions of a certain matrix equation. (The next section will concentrate on other mappings.) For σ ∈ {0, 1}, let z1 +_σ z2 := z1 + (−1)^σ z2, and ∂c_σ = ∂c_σ(z1, z2) := carry_σ(z1, z2) ⊕ carry_σ(z1*, z2*). Consider the set A := {J^k : 0 ≤ k < n} ⊂ Mat_n(Z_2). Let x = (x1 x2)^T. Let L1 ⊂ Mat_{1×2}(Z_{2^n}) be such that F ∈ L1 iff for some σ ∈ {0, 1}, F1 ∈ A and F2 ∈ (−1)^σ A. Equivalently, F(x) = 2^{κ1} x1 ± 2^{κ2} x2. Such a function F can alternatively be seen as a ±-operation applied to the results of some left-shift operations, with z1 = x1^{κ1}, z2 = x2^{κ2} and y = z1 +_σ z2. (See Fig. 1.) With this representation in mind, we will consistently denote ∆z_k := x_k^{κ_k} ⊕ (x_k*)^{κ_k} and ∂y := y ⊕ y*. Since the differential x_k → z_k (the shift by κ_k) has probability 1, ∆z_k = ∆x_k^{κ_k} and z_k* = z_k ⊕ ∂z_k. As usual, we denote x := (x1, x2) and
∆x := (∆x1, ∆x2). Let F ∈ L1. By definition, dp^F(δ) = Pr_x[(x1^{κ1} +_σ x2^{κ2}) ⊕ ((x1*)^{κ1} +_σ (x2*)^{κ2}) = ∆y] = Pr_x[(z1 +_σ z2) ⊕ (z1* +_σ z2*) = ∆y] = Pr_x[∂y = ∆y]. Let σ ∈ Z_2^n also denote the vector of σ-s, that is, σ_i = σ for all i. The main result of this subsection is the following:

Theorem 1. Fix a function F ∈ L1 and a differential δ = (∆x1, ∆x2 → ∆y). For fixed z = (z1, z2), let c_σ := carry_σ(z1, z2). Let ω = ω(δ), a = a(δ, x) ∈ Z_2^n, M = M(δ) ∈ Mat_{n×2n}(Z_2) be defined as follows:

$$\begin{aligned}
\omega &:= J\bigl(\sigma\cdot(\Delta z_1 \oplus \Delta y) \oplus \Delta z_1 \oplus 1 \oplus \mathrm{eq}(\Delta z_1, \Delta z_2, \Delta y)\bigr) \oplus \mathrm{xor}(\Delta z_1, \Delta z_2, \Delta y)\ ,\\
M &:= \bigl(\, J\cdot[[\Delta z_1 \oplus \Delta y]]\cdot J^{\kappa_1} \;\big|\; J\cdot[[\Delta z_2 \oplus \Delta y]]\cdot J^{\kappa_2} \,\bigr)\ ,\\
a &:= \omega \oplus J\cdot(\Delta z_1 \oplus \Delta z_2)\cdot c_\sigma\ .
\end{aligned} \qquad (1)$$
Then dp^F(δ) = Pr_x[M · x = a]. Equivalently, 2^{2n} · dp^F(δ) is equal to the number of solutions of the matrix equation M · x = a in the ring Z_2.

Since a depends on c_σ and hence in a nontrivial manner on x, we must first get rid of the variable c_σ in a to find the number of solutions of the matrix equation M · x = a. We will deal with this in the next subsection. The rest of the current subsection gives a proof of Theorem 1. First,

Lemma 1. Let F ∈ L1 and let x ∈ Z_2^{2n} be such that F(x) ⊕ F(x ⊕ ∆x) = ∆y. Denote q(α, β, γ) := (∂β ⊕ ∂γ) · α ⊕ (∂α ⊕ ∂γ) · β ⊕ (∂α ⊕ ∂β) · γ and desired(δ, x) := J · (¬σ · (∆z2 ⊕ ∂c_σ) ⊕ maj(∆z1, ∆z2, ∂c_σ) ⊕ q(z1, z2, c_σ)) ⊕ xor(∆z1, ∆z2, ∆y). Then

desired(δ, x) = 0 .   (2)

In general, let D be the event that (2) holds for a uniformly random x. Then dp^F(δ) = Pr[D].

Proof. Let c1 = c = carry(z1, z2) and c0 = b = borrow(z1, z2). By the definitions of carry and borrow, c_{i+1} = 1 iff z1_i + z2_i + c_i ≥ 2, and b_{i+1} = 1 iff z1_i < z2_i + b_i. That is, c1 = c = J · maj(z1, z2, c) and c0 = b = J · (z2 ⊕ b ⊕ maj(z1, z2, b)). Thus, c_σ = J · (¬σ · (z2 ⊕ c_σ) ⊕ maj(z1, z2, c_σ)) and ∂c_σ = J · (¬σ · (∆z2 ⊕ ∂c_σ) ⊕ maj(z1, z2, c_σ) ⊕ maj(z1 ⊕ ∂z1, z2 ⊕ ∂z2, c_σ ⊕ ∂c_σ)) = J · (¬σ · (∆z2 ⊕ ∂c_σ) ⊕ maj(∆z1, ∆z2, ∂c_σ) ⊕ q(z1, z2, c_σ)). But F(x) ⊕ F(x ⊕ ∆x) = ∆y iff ∂c_σ = xor(∆z1, ∆z2, ∆y), and therefore F(x) ⊕ F(x ⊕ ∆x) = ∆y iff desired(δ, x) = 0. Thus, dp^F(δ) = Pr[D].

Our next step is to eliminate the auxiliary variable ∂c_σ = c_σ ⊕ (c*)_σ that introduces non-linearity into equation (2).

Proof (of Thm. 1). Define r(δ, x) := Π_{i=0}^{n−1} (1 − desired(δ, x)_i). By Lemma 1, dp^F(δ) = Pr[D], or equivalently, 2^{2n} · dp^F(δ) = |{x : r(δ, x) = 1}|. Observe that desired(δ, x) ≠ 0 iff there is a (minimal) ℓ0 such that desired(δ, x)_{ℓ0} = 1. Hence, for any λ(δ, x), r(δ, x) = Π_{i=0}^{n−1} (1 − λ(δ, x)_i), given that λ(δ, x) ≡ desired(δ, x) (mod 2^{ℓ0+1}).
Now, r(δ, x) = 1 iff F(x) ⊕ F(x ⊕ ∆x) = ∆y iff ∂c_σ = xor(∆z1, ∆z2, ∆y). The same holds also for word lengths n′ < n, with the variables reduced modulo 2^{n′}. Thus, when Π_{ℓ=0}^{i−1} (1 − desired(δ, x)_ℓ) = 1 then desired(δ, x) ≡ 0 (mod 2^i) and thus J · ∂c_σ ≡ J · xor(∆z1, ∆z2, ∆y) (mod 2^{i+1}). Therefore, we set λ_i to be equal to desired(δ, x)_i, except that we substitute every occurrence of (J · ∂c_σ)_i in desired(δ, x)_i with an occurrence of (J · xor(∆z1, ∆z2, ∆y))_i. Since this applies for every i, what we do is substitute J · ∂c_σ with J · xor(∆z1, ∆z2, ∆y) in desired(δ, x). Denote α = (∆z1 ⊕ ∆y) · z1 ⊕ (∆z2 ⊕ ∆y) · z2 ⊕ (∆z1 ⊕ ∆z2) · c_σ. By the previous discussion, x is δ-possible iff ∂c_σ = desired(δ, x) ⊕ xor(∆z1, ∆z2, ∆y) = J · (¬σ · (∆z2 ⊕ ∂c_σ) ⊕ maj(∆z1, ∆z2, ∂c_σ) ⊕ q(z1, z2, c_σ)) = J · (σ · (∆z1 ⊕ ∆y) ⊕ 1 ⊕ ∆z1 ⊕ eq(∆z1, ∆z2, ∆y) ⊕ α) is equal to xor(∆z1, ∆z2, ∆y). Therefore, dp^F(δ) = Pr_x[J · α = ω] = Pr_x[J · ((∆z1 ⊕ ∆y) · J^{κ1} x1 ⊕ (∆z2 ⊕ ∆y) · J^{κ2} x2) = a]. The claim follows.

3.2 Algorithm for dp^F for F ∈ L1
In the previous subsection we established that 2^{2n} · dp^F is equal to the number of solutions of a certain matrix equation M · x = a. Initially, this matrix equation depended on both ∂c_σ and c_σ. While we thereafter showed how to eliminate the dependency on ∂c_σ, we still have a matrix equation that depends on the carry c_σ. However, it is easy to show that this problem is not severe. Let again σ ∈ {0, 1} and let F ∈ L1, F(x1, x2) = 2^{κ1} x1 +_σ 2^{κ2} x2. As in the proof of Thm. 1, we can consider the matrix equation M · x = a as a system of equations in Z_2, starting with bit i = 0. Now, for every i, (c_σ)_i is already fixed and known when we look at row i, since it is a function of the "previous" bits of x1 and x2. Hence, J · [[∆z1 ⊕ ∆z2]] · c_σ = J · (∆z1 ⊕ ∆z2) · c_σ is a constant (although a priori unknown) vector, and therefore a is a constant vector. Therefore, we have proven that

$$\mathrm{dp}^F(\delta) = \begin{cases} 0\ , & \operatorname{rank}(M) \ne \operatorname{rank}\bigl(M \,\big|\, a\bigr)\ ,\\ 2^{-\operatorname{rank}(M)}\ , & \text{otherwise}\ . \end{cases} \qquad (3)$$

Next we will compute the ranks of the associated matrices M and (M | a). (Note that here a = a(δ) does not depend on x anymore.) For this, we must introduce an additional assumption κ1 ≤ κ2 + 1. The reasoning behind this assumption will become obvious from the proof of Thm. 2.

Theorem 2. Let E_k ∈ Z_2^n be the vector with (E_k)_i = 1 iff i ≥ k. (That is, E_k = ¬(2^k − 1) when seen as an element of Z_{2^n}.) Let us denote e_j := J((∆z_j ⊕ ∆y) · E_{κ_j}) and e := e1 ∨ e2. Let F(x1, x2) = z1 +_σ z2 ∈ L1 be such that κ1 ≤ κ2 + 1. Then

$$\mathrm{dp}^F(\delta) = \begin{cases} 0\ , & \neg e \cdot \bigl(J(\neg\sigma\cdot(\Delta z_1 \oplus \Delta y) \oplus \Delta z_2) \oplus \mathrm{xor}(\Delta z_1, \Delta z_2, \Delta y)\bigr) \ne 0\ ,\\ 2^{-w_h(e)}\ , & \text{otherwise}\ . \end{cases}$$

Equivalently, Algorithm 1 computes dp^F(δ) in time O(log n), given a RAM model of computation.
Algorithm 1 An O(log n)-time algorithm for computing dp^F(∆x1, ∆x2 → ∆y) where F(x1, x2) = 2^{κ1} x1 +_σ 2^{κ2} x2. Here we assume that κ1 ≤ κ2 + 1.
INPUT: (∆x1, ∆x2 → ∆y) and F as represented by κ_j and σ ∈ {0, 1}
OUTPUT: dp^F(∆x1, ∆x2 → ∆y)
1. Let ∆z_j ← ∆x_j^{κ_j} for j ∈ {1, 2};
2. Let e_j ← ((∆z_j ⊕ ∆y) ∧ ¬(2^{κ_j} − 1))^1 for j ∈ {1, 2};
3. Let e ← e1 ∨ e2;
4. If ¬e ∧ ((((¬σ ∧ (∆z1 ⊕ ∆y)) ⊕ ∆z2)^1) ⊕ ∆z1 ⊕ ∆z2 ⊕ ∆y) ≠ 0 then return 0;
5. Return 2^{−wh(e)}.
(Algorithm 1 works in time O(log n) since the Hamming weight wh can be computed in time O(log n) when working in the RAM model [LM01].)

Proof. Recall that by Thm. 1, dp^F(δ) = Pr_x[M · x = a]. Therefore, dp^F(δ) = 0 if rank(M) ≠ rank(M | a), and dp^F(δ) = 2^{−rank(M)} otherwise. Next, for any vector v, (J[[v]]J^{κ_k})_{ij} = v_{i−2} when j = i − 1 − κ_k and i > κ_k + 1, and (J[[v]]J^{κ_k})_{ij} = 0 otherwise. (Recall that the bits v_i are counted from i = 0 to i = n − 1.) Therefore, rank(M) = rank(J[[∆z1 ⊕ ∆y]]J^{κ1} | J[[∆z2 ⊕ ∆y]]J^{κ2}) = |{i ∈ [1, n] : (J[[∆z1 ⊕ ∆y]]J^{κ1})_{i,i−κ1−1} = 1 ∨ (J[[∆z2 ⊕ ∆y]]J^{κ2})_{i,i−κ2−1} = 1}| = |{i ∈ [0, n − 1] : (E_{κ1} · J(∆z1 ⊕ ∆y))_i = 1 ∨ (E_{κ2} · J(∆z2 ⊕ ∆y))_i = 1}| = wh(E_{κ1} ∨ E_{κ2}) = wh(e). That is, if δ is F-possible, then dp^F(δ) = 2^{−wh(e)}.

Let us next establish when the equation M · x = a does not have any solutions. Since M is an echelon matrix up to a permutation of rows, rank(M | a) ≠ rank(M) only if for some i ∈ [0, n − 1], (M1)_{i+1,i−κ1} = (M2)_{i+1,i−κ2} = 0 but a_i = 1. This happens iff for some i ∈ [0, n − 1], (e1)_i = (e2)_i = 0 (i.e., (e1 ∨ e2)_i = 0) but a_i = (ω ⊕ J(∆z1 ⊕ ∆z2) · c_σ)_i = 1. Thus, δ is F-impossible iff ¬(e1 ∨ e2) · (ω ⊕ J(∆z1 ⊕ ∆z2) · c_σ) ≠ 0. (Recall that ω = J(σ · (∆z1 ⊕ ∆y) ⊕ ∆z1 ⊕ 1 ⊕ eq(∆z1, ∆z2, ∆y)) ⊕ xor(∆z1, ∆z2, ∆y).) We are only left to prove that the next two facts hold in the case (e1 ∨ e2)_i = 0, or equivalently, in the case (e1)_i = (e2)_i = 0. First, (J(∆z1 ⊕ 1 ⊕ eq(∆z1, ∆z2, ∆y)))_i = (J · xor(∆z1, ∆z2, ∆y))_i. Indeed, if i ≥ κ1 then (e1)_i = 0 ⇒ ∆z1_{i−1} = ∆y_{i−1}, and therefore (∆z1 ⊕ 1 ⊕ eq(∆z1, ∆z2, ∆y))_i = xor(∆z1, ∆z2, ∆y)_i. Otherwise, if i ≥ κ2 then ∆z2_{i−1} = ∆y_{i−1} and thus (∆z1 ⊕ 1 ⊕ eq(∆z1, ∆z2, ∆y))_i = ∆y_i. (Since κ1 ≤ κ2 + 1 we can ignore this case.) Finally, let i ≤ min(κ1, κ2). Then ∆z1_{i−1} = ∆z2_{i−1} = 0, and therefore (∆z1 ⊕ 1 ⊕ eq(∆z1, ∆z2, ∆y))_i = (1 ⊕ eq(0, 0, ∆y))_i = xor(∆z1, ∆z2, ∆y)_i. Second, (J(∆z1 ⊕ ∆z2) · c_σ)_i = 0. Indeed, first assume σ = 1.
If i ≤ κ1 then (J^{κ1} x1)_{i−1} = x1_{i−κ1−1} = 0 and hence (c1)_i = 0, and therefore (J(∆z1 ⊕ ∆z2) · c1)_i = 0. The case i ≤ κ2 is dual. On the other hand, when i > max(κ1, κ2) then (J · (∆z1 ⊕ ∆z2) · c_σ)_i = ((e1 ⊕ e2) · c_σ)_i = 0. Let us now consider the case σ = 0. If i ≤ κ2 then (c0)_i = ((1 ⊕ z1) · c0)_{i−1}, which means that c0 ≡ 0 (mod 2^{κ2}). Otherwise, if i ≤ κ1 then (c0)_i = 1 ⇐⇒
(z2 ⊕ c0)_{i−1} = 1, which means that c0 ≡ (2^{ntz(z2)+1} − 1) (mod 2^{κ1}). (Since κ1 ≤ κ2 + 1 we can ignore this case.) If i ≥ max(κ1, κ2) then (J(∆z1 ⊕ ∆z2) c0)_i = 0 due to (J(e1 ⊕ e2))_i = 0.

Corollary 1. Let +(x1, x2) = x1 + x2 be the Z_{2^n}-addition mapping and let −(x1, x2) = x1 − x2 be the Z_{2^n}-subtraction mapping. Recall that α ∨ β = α ⊕ β ⊕ α · β. First, the differential δ is +-impossible if ¬(J · (∆x1 ⊕ ∆y) ∨ J · (∆x2 ⊕ ∆y)) · (xor(∆x1, ∆x2, ∆y) ⊕ J · ∆x2) ≠ 0. Otherwise, dp+(δ) = 2^{−wh(J · (∆x1 ⊕ ∆y) ∨ J · (∆x2 ⊕ ∆y))}. Second, dp−(δ) = dp+(δ) for any δ.

Proof. The first claim is trivial. For the proof of the second claim it is sufficient to observe that in this case, κ1 = κ2 = 0, and that in the third paragraph of the proof of Theorem 2, if (e1)_i = (e2)_i = 0 then ω_i = (J · (∆x1 ⊕ 1 ⊕ eq(∆x1, ∆x2, ∆y)) ⊕ xor(∆x1, ∆x2, ∆y))_i = (J · ∆x1 ⊕ xor(∆x1, ∆x2, ∆y))_i = (J · ∆x2 ⊕ xor(∆x1, ∆x2, ∆y))_i for i > max(κ1, κ2) = 0.

The formula for dp+ presented in Corollary 1 is equivalent to the formula from [LM01]. Its complete proof is somewhat longer than the one in [LM01]. However, our proof is based on a more scalable approach that allows us to find similar formulas for other related mappings like subtraction, without having to write down yet another, somewhat different, proof.

Corollary 2. Let x, ∆x, ∆y ∈ Z_{2^n}. Let F = +α be the unary operation that adds the constant α to its single argument, F(x) = x + α. Let δ = (∆x → ∆y). Then, by definition, dp^{+α}(δ) = Pr_x[(x + α) ⊕ ((x ⊕ ∆x) + α) = ∆y]. Then δ is +α-impossible iff ¬(J · (∆x1 ⊕ ∆y)) · ¬(J · ∆y) · (∆x1 ⊕ ∆y) ≠ 0. Otherwise, dp^{+α}(δ) = 2^{−wh(J · (∆x1 ⊕ ∆y) ∨ J · ∆y)}.

Proof. Straightforward from Corollary 1.
4 The Pseudo-Hadamard Transform
4.1 Generalization to 2 × 2 Matrices
Next, we will look at a slightly more general case. Namely, assume that L2 ⊂ Mat_2(Z_{2^n}) is such that

$$F = \begin{pmatrix} F_{11} & F_{12}\\ F_{21} & F_{22}\end{pmatrix} \in L_2$$

iff for some σ ∈ {0, 1}, F_{j1} ∈ A and F_{j2} ∈ (−1)^σ A. Then F(x) = (2^{κ11} x1 +_σ 2^{κ12} x2, 2^{κ21} x1 +_σ 2^{κ22} x2) for some κ_jk ≥ 0. Alternatively, such mappings F can be described by using a computation graph with z_ij = x_j^{κ_ij} and y_i = z_i1 ± z_i2. (See Figure 1.) We call the mappings from L2 the Quasi-Hadamard Transforms. Next, let us state some generalizations of previous results.
[Fig. 2. Propagation of differences during the Pseudo-Hadamard Transform: ∆x1 and ∆x2 enter PHT1: y1 = Jx1 + x2 and PHT2: y2 = x1 + x2, producing ∂y1 and ∂y2; the inverse coordinates are PHT1^{-1}: x1 = y1 − y2 and PHT2^{-1}: x2 = Jy2 − y1.]

Lemma 2. [Generalization of Thm 1.] Let δ = (∆x → ∆y) with ∆x, ∆y ∈ Z_2^{2n}. For j ∈ {1, 2}, let ω_j := J · (σ · (∆z_j1 ⊕ ∆y_j) ⊕ ∆z_j1 ⊕ 1 ⊕ eq(∆z_j1, ∆z_j2, ∆y_j)) ⊕ xor(∆z_j1, ∆z_j2, ∆y_j). Let

$$M = M(\delta) := \begin{pmatrix} J\cdot[[\Delta z_{11} \oplus \Delta y_1]]\,J^{\kappa_{11}} & J\cdot[[\Delta z_{12} \oplus \Delta y_1]]\,J^{\kappa_{12}}\\ J\cdot[[\Delta z_{21} \oplus \Delta y_2]]\,J^{\kappa_{21}} & J\cdot[[\Delta z_{22} \oplus \Delta y_2]]\,J^{\kappa_{22}}\end{pmatrix},\qquad a = a(\delta, x) := \begin{pmatrix} \omega_1 \oplus J\cdot(\Delta z_{11} \oplus \Delta z_{12})\cdot c_{\sigma 1}\\ \omega_2 \oplus J\cdot(\Delta z_{21} \oplus \Delta z_{22})\cdot c_{\sigma 2}\end{pmatrix}.$$

Then dp^F(δ) = Pr_x[M · x = a].

Proof. Straightforward corollary of Theorem 1.
Note that Thm. 1 can additionally be generalized to more than 2-dimensional matrices.

4.2 Analysis of PHT
While Lemma 2 is a simple generalization of our previous result for F ∈ L1, we cannot proceed by using exactly the same methodology as in Thm. 2. The reason is that here we cannot assume that the carries are constant so as to use simple linear algebra to derive the number of solutions of M · x = a. However, it turns out that at least in some special cases the value of dp^F will depend on the values of dp^F for some functions F in the class L1. If F ∈ L2 is an invertible mapping then det F = (−1)^σ 2^{κ11} 2^{κ22} − (−1)^σ 2^{κ12} 2^{κ21} ≠ 0 and

$$F^{-1} = \frac{1}{\det F}\begin{pmatrix} (-1)^\sigma 2^{\kappa_{22}} & -(-1)^\sigma 2^{\kappa_{12}}\\ -2^{\kappa_{21}} & 2^{\kappa_{11}}\end{pmatrix},$$

or F^{-1}(y1, y2) = (1/det F) · ((−1)^σ 2^{κ22} y1 − (−1)^σ 2^{κ12} y2, 2^{κ11} y2 − 2^{κ21} y1). Let ∆x, ∆y ∈ Z_2^{2n}. Clearly, δ = (∆x → ∆y) is F-possible iff δ^{-1} = (∆y → ∆x) is F^{-1}-possible. The most important invertible mapping F ∈ L2 from a cryptographic viewpoint,

$$\mathrm{PHT} = \begin{pmatrix} 2 & 1\\ 1 & 1\end{pmatrix},\qquad \mathrm{PHT}^{-1} = \begin{pmatrix} 1 & -1\\ -1 & 2\end{pmatrix},$$
is called the Pseudo-Hadamard Transform (PHT, [Mas93]). The PHT is employed in block ciphers like SAFER [Mas93] and Twofish [SKW+99] for achieving better diffusion. (See Figure 2.) For j ∈ {0, 1}, let F_j(x) denote the projection of F(x) to the jth coordinate. That is, F_j(x1, x2) = 2^{κ_j1} x1 +_σ 2^{κ_j2} x2. By definition, dp^{F_j}(∆x1, ∆x2 → ∆y1) = Pr_x[(2^{κ_j1} x1 +_σ 2^{κ_j2} x2) ⊕ (2^{κ_j1}(x1 ⊕ ∆x1) +_σ 2^{κ_j2}(x2 ⊕ ∆x2)) = ∆y1]. In particular, PHT1(x1, x2) = 2x1 + x2 and PHT2(x1, x2) = x1 + x2.

Theorem 3. Let us denote e_kj := J((∆z_kj ⊕ ∆y_k) · E_{κ_kj}). Let e_j := e_j1 ∨ e_j2. (1) δ is PHT-possible iff all of the next four differential probabilities are positive: dp^{PHT1}(∆x1, ∆x2 → ∆y1), dp^{PHT2}(∆x1, ∆x2 → ∆y2), dp^{PHT1^{-1}}(∆y1, ∆y2 → ∆x1), dp^{PHT2^{-1}}(∆y2, ∆y1 → ∆x2). (2) If δ is PHT-possible, then

$$\mathrm{dp}^{\mathrm{PHT}}(\delta) = \mathrm{dp}^{+}(\Delta x_1, \Delta x_2 \to \Delta y_2)\cdot 2^{-w_h\left(e_1 \cdot J(\neg\mathrm{eq}(\Delta x_1, \Delta y_1, \Delta y_2)) \cdot J(\neg\mathrm{eq}(\Delta x_2, \Delta y_1, J\Delta y_2))\right)}.$$

Proof (Sketch). (1, ⇒) Straightforward: since PHT is invertible, δ = (∆x → ∆y) is PHT-possible iff δ^{-1} = (∆y → ∆x) is PHT^{-1}-possible. The rest of the proof is omitted from the extended abstract.

Equivalently, δ is PHT-possible iff (J∆x1 ⊕ ∆x2 ⊕ ∆y1)_i = 0 and the next four differential probabilities are positive: dp+(∆x1, ∆x2 → ∆y1), dp+(∆x1, ∆x2 → ∆y2), dp+(∆y1, ∆y2 → ∆x1), dp+(J∆y2, ∆y1 → ∆x2). (Note that all four differential probabilities can be computed by using Algorithm 1.) Moreover, a computationally slightly less expensive formula for dp^PHT is

$$\mathrm{dp}^{\mathrm{PHT}}(\delta) = 2^{-w_h(e_2)} \cdot 2^{-w_h\left(e_1 \cdot J(\neg\mathrm{eq}(\Delta x_1, \Delta y_1, \Delta y_2)) \cdot J(\neg\mathrm{eq}(\Delta x_2, \Delta y_1, J\Delta y_2))\right)}.$$

Based on Theorem 3 one can build a Θ(log n)-time algorithm for computing the value of dp^PHT in the RAM model by using the same ideas as in [LM01].
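As an added example that is not part of the paper, the following Python code implements Algorithm 1 of Section 3.2 (reading σ as in the definition z1 +_σ z2 := z1 + (−1)^σ z2, so σ = 0 is addition), checks it exhaustively against brute-force differential probabilities on 4-bit words, and then applies it to the four coordinate maps PHT1, PHT2, PHT1^{-1} = y1 − y2 and PHT2^{-1} = 2y2 − y1 to evaluate the possibility criterion of Theorem 3(1) and the formula of Theorem 3(2), as printed above, against a brute-force table of dp^PHT. The function names, the small word length n and the exhaustive tables are this example's own devices, not the paper's C implementation.

```python
from collections import Counter
from fractions import Fraction

def wh(a):
    """Hamming weight of a non-negative integer."""
    return bin(a).count("1")

def dp_l1(dx1, dx2, dy, k1, k2, sigma, n):
    """Algorithm 1: dp^F(dx1, dx2 -> dy) for F(x1, x2) = 2^k1 x1 +_sigma 2^k2 x2 on
    n-bit words.  sigma follows the paper's z1 +_sigma z2 := z1 + (-1)^sigma z2, so
    sigma = 0 is addition and sigma = 1 subtraction.  Requires k1 <= k2 + 1."""
    if k1 > k2 + 1:
        raise ValueError("Algorithm 1 assumes k1 <= k2 + 1")
    mask = (1 << n) - 1
    dz1, dz2 = (dx1 << k1) & mask, (dx2 << k2) & mask       # step 1: dz_j = dx_j << k_j
    e1 = (((dz1 ^ dy) & ~((1 << k1) - 1)) << 1) & mask      # step 2: rows with a live z1 bit
    e2 = (((dz2 ^ dy) & ~((1 << k2) - 1)) << 1) & mask      #         rows with a live z2 bit
    e = e1 | e2                                             # step 3
    t = ((dz1 ^ dy) if sigma == 0 else 0) ^ dz2             # (~sigma & (dz1 ^ dy)) ^ dz2
    if (~e & mask) & (((t << 1) & mask) ^ dz1 ^ dz2 ^ dy):  # step 4: a constant row fails
        return Fraction(0)
    return Fraction(1, 1 << wh(e))                          # step 5: 2^-wh(e)

def dp_table(f, n):
    """Exhaustive dp of f: (x1, x2) -> y over all 2^(2n) inputs, as
    {(dx1, dx2, dy): Fraction}; y may pack several n-bit words into one int."""
    N = 1 << n
    vals = [[f(x1, x2) for x2 in range(N)] for x1 in range(N)]
    table = {}
    for dx1 in range(N):
        for dx2 in range(N):
            hist = Counter()
            for x1 in range(N):
                r, rs = vals[x1], vals[x1 ^ dx1]
                for x2 in range(N):
                    hist[r[x2] ^ rs[x2 ^ dx2]] += 1
            for dy, cnt in hist.items():
                table[(dx1, dx2, dy)] = Fraction(cnt, N * N)
    return table

def l1_function(k1, k2, sigma, n):
    """The mapping in L1 described by (k1, k2, sigma), on n-bit words."""
    mask = (1 << n) - 1
    def f(x1, x2):
        z1, z2 = (x1 << k1) & mask, (x2 << k2) & mask
        return ((z1 + z2) if sigma == 0 else (z1 - z2)) & mask
    return f

def algorithm1_matches_bruteforce(k1, k2, sigma, n):
    """True iff Algorithm 1 agrees with brute force on every differential."""
    table = dp_table(l1_function(k1, k2, sigma, n), n)
    N = 1 << n
    return all(dp_l1(a, b, c, k1, k2, sigma, n) == table.get((a, b, c), 0)
               for a in range(N) for b in range(N) for c in range(N))

def pht_projections_possible(dx1, dx2, dy1, dy2, n):
    """Theorem 3(1): the four coordinate differentials of PHT = (2x1 + x2, x1 + x2)
    and PHT^-1 = (y1 - y2, 2y2 - y1); each coordinate is an L1 map for Algorithm 1."""
    return (dp_l1(dx1, dx2, dy1, 1, 0, 0, n) > 0       # PHT1    = 2 x1 + x2
            and dp_l1(dx1, dx2, dy2, 0, 0, 0, n) > 0   # PHT2    = x1 + x2
            and dp_l1(dy1, dy2, dx1, 0, 0, 1, n) > 0   # PHT1^-1 = y1 - y2
            and dp_l1(dy2, dy1, dx2, 1, 0, 1, n) > 0)  # PHT2^-1 = 2 y2 - y1

def dp_pht(dx1, dx2, dy1, dy2, n):
    """Theorem 3 as printed: 0 unless all four projections are possible, otherwise
    dp+(dx1,dx2 -> dy2) * 2^-wh(e1 * J(~eq(dx1,dy1,dy2)) * J(~eq(dx2,dy1,J dy2)))."""
    if not pht_projections_possible(dx1, dx2, dy1, dy2, n):
        return Fraction(0)
    mask = (1 << n) - 1
    J = lambda a: (a << 1) & mask                      # left shift by one bit
    eq = lambda a, b, c: ~(a ^ b) & ~(a ^ c) & mask    # bitwise equality of three words
    e1 = J((J(dx1) ^ dy1) & ~1) | J(dx2 ^ dy1)         # e11 | e12 for kappa_11, kappa_12 = 1, 0
    t = e1 & J(~eq(dx1, dy1, dy2) & mask) & J(~eq(dx2, dy1, J(dy2)) & mask)
    return dp_l1(dx1, dx2, dy2, 0, 0, 0, n) * Fraction(1, 1 << wh(t))

def pht_table(n):
    """Brute-force dp^PHT, with the output difference packed as (dy1 << n) | dy2."""
    mask = (1 << n) - 1
    return dp_table(lambda x1, x2: (((2 * x1 + x2) & mask) << n) | ((x1 + x2) & mask), n)

def theorem3_report(n):
    """Exhaustive check at word length n: (PHT-possible deltas whose four projections
    are not all possible, deltas where dp_pht differs from brute force), as counts."""
    table, N = pht_table(n), 1 << n
    missed = sum(1 for (a, b, d) in table
                 if not pht_projections_possible(a, b, d >> n, d & (N - 1), n))
    wrong = sum(1 for a in range(N) for b in range(N) for c in range(N) for d in range(N)
                if dp_pht(a, b, c, d, n) != table.get((a, b, (c << n) | d), 0))
    return missed, wrong

if __name__ == "__main__":
    for cfg in [(0, 0, 0), (0, 0, 1), (1, 0, 0), (1, 0, 1), (0, 2, 0), (2, 1, 1)]:
        print("Algorithm 1 vs brute force, (k1, k2, sigma) =", cfg, "at n = 4:",
              algorithm1_matches_bruteforce(*cfg, 4))
    print("PHT at n = 4 (missed necessary conditions, formula mismatches):", theorem3_report(4))
```

The exhaustive tables grow as 2^{4n}, so keep n small when calling theorem3_report; the closed-form functions dp_l1 and dp_pht themselves work for any word length.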
5 Application to Twofish
In their paper [MR02], Murphy and Robshaw proposed an interesting new methodology for attacking Twofish by first finding a good characteristic and then fixing key-dependent S-boxes that satisfy this characteristic. However, their concrete approach is somewhat heuristic and based on computer experiments. For example, in [MR02, Section 4.1] they choose a differential (0, ∆z2) such that the differential probability of (0, ∆z2 → ∆z2, ∆z2) w.r.t. the PHT and averaged sub-key additions (see Fig. 3) would be large. As they established experimentally, choosing ∆z2 = A0E080A0 results in a probability p = 2^{−14}, where p was determined experimentally, averaged over random inputs and random additive round keys. No motivation was given in their paper why this concrete differential was chosen instead of some others. Based on our formula for dp^PHT we are able to determine that

Theorem 4. Let F be the part of Twofish's round that contains the S-boxes, the MDS-s and the PHT. Let the input-to-F difference ∆x = (∆x1 0)^T be chosen such that only one of the four S-boxes becomes active. Then dp^F(0, ∆z2 → ∆z2, ∆z2) ≥ 2^{−13} only in the 8 cases depicted in Table 1. Therefore, the differential with ∆z2 = A0E080A0 chosen in [MR02] is optimal for F under the given constraints, and there is only one other differential, with ∆z2 = 80A0E0E0, that has the same differential probability. Analogously, if two S-boxes are allowed to be active then there are 11 different differentials (0, ∆z2) such that dp^F(0, ∆z2 → ∆z2, ∆z2) ≥ 2^{−6}. If three S-boxes are active then there are 4 differentials (0, ∆z2) such that dp^F(0, ∆z2 → ∆z2, ∆z2) ≥ 2^{−3}.

Proof. One can prove this by an exhaustive search over 2^10 = 1024 (in the one active S-box case), 3 · 2^17 (in the two active S-boxes case) or 32 · 2^26 (in the three active S-boxes case) differentials. In all cases, one spends Θ(log n) steps for computing the corresponding differential probability. Thus, our method is still efficient with 3 active S-boxes.

One of the conclusions of this lemma is that if two active S-boxes can be tolerated then it is possible to find a differential that is 2^8 times more probable; this sharp growth might, in some situations, compensate for the need for the second active S-box, and therefore potentially lead to some attack against Twofish.

[Fig. 3. Propagation of differences within a partial round F of Twofish: x1 (difference ∆x1) and x2 (difference ∆x2) pass through S-boxes 0–3 and the MDS to z1, z2 (differences ∂z1, ∂z2); the PHT then gives y1 = 2z1 + z2 and y2 = z1 + z2 (differences ∆y1, ∆y2), followed by the sub-key additions K_{2r+8} and K_{2r+9}.]

Table 1. Optimal differences for the partial Twofish round function

(∆x1, ∆x2)            | δ = (0, ∆z2 → ∆z2, ∆z2)                       | dp^F(δ)
1 active S-box
(00000000, 00000080)  | (00000000, e0e0a080 → e0e0a080, e0e0a080)     | 2^−13
(00000000, 00000400)  | (00000000, 04050707 → 04050707, 04050707)     | 2^−13
(00000000, 00008000)  | (00000000, 80a0e0e0 → 80a0e0e0, 80a0e0e0)     | 2^−12
(00000000, 00008900)  | (00000000, 89f10101 → 89f10101, 89f10101)     | 2^−13
(00000000, 00040000)  | (00000000, 07040705 → 07040705, 07040705)     | 2^−13
(00000000, 00800000)  | (00000000, e080e0a0 → e080e0a0, e080e0a0)     | 2^−13
(00000000, 04000000)  | (00000000, 05070405 → 05070405, 05070405)     | 2^−13
(00000000, 80000000)  | (00000000, a0e080a0 → a0e080a0, a0e080a0)     | 2^−12
Two active S-boxes
(00000000, 00040004)  | (00000000, 00030201 → 00030201, 00030201)     | 2^−6
(00000000, 004e00ed)  | (00000000, 80004204 → 80004204, 80004204)     | 2^−6
(00000000, 00696900)  | (00000000, c0400080 → c0400080, c0400080)     | 2^−6
(00000000, 04000004)  | (00000000, 02000101 → 02000101, 02000101)     | 2^−5
(00000000, 08000008)  | (00000000, 04000202 → 04000202, 04000202)     | 2^−6
(00000000, 10000010)  | (00000000, 08000404 → 08000404, 08000404)     | 2^−6
(00000000, 20000020)  | (00000000, 10000808 → 10000808, 10000808)     | 2^−6
(00000000, 40000040)  | (00000000, 20001010 → 20001010, 20001010)     | 2^−6
(00000000, 69000069)  | (00000000, 80004040 → 80004040, 80004040)     | 2^−4
(00000000, 80000080)  | (00000000, 40002020 → 40002020, 40002020)     | 2^−6
(00000000, 69690000)  | (00000000, 80c0c000 → 80c0c000, 80c0c000)     | 2^−6
Three active S-boxes
(00000000, 0017eb43)  | (00000000, 80000041 → 80000041, 80000041)     | 2^−3
(00000000, 3a00a6e8)  | (00000000, 80008000 → 80008000, 80008000)     | 2^−2
(00000000, 53001d53)  | (00000000, 80400000 → 80400000, 80400000)     | 2^−2
(00000000, 25a61f00)  | (00000000, 01800000 → 01800000, 01800000)     | 2^−3
6 Conclusions
We extended the previous results of Lipmaa and Moriai [LM01] by developing a linear-algebraic framework for proving the differential properties of addition (in Z_{2^n}) and related functions w.r.t. the XOR (or addition in Z_2^n). While [LM01] exhaustively analysed the addition itself but gave no guidelines for how to analyse related functions, we were able to compute differential probabilities of different functions like subtraction and the Pseudo-Hadamard transformation as special cases of our general approach. Our proof methods might be of independent interest. For example, we showed that the differential probability of 2^α x ± 2^β y, α ≤ β + 1, is equal to the number of solutions of a certain matrix equation. Due to the lack of space, this extended abstract has been shortened by omitting the complete solution for dp^F for any F ∈ L2 and several proofs. The corresponding formulas will appear in the full version. We ended the paper by presenting optimal differentials for the partial Twofish round function. In particular, we were able to prove formally that a certain differential found by Murphy and Robshaw is really optimal under the given conditions. We also presented other differentials that are optimal under somewhat more general conditions. These results show that the results of the current paper are not only theoretical but might be directly applicable in practical cryptanalysis. Together with [LM01], the current paper presents a positive step forward in helping to construct ciphers that are secure against differential cryptanalysis. While until now the differential properties of ciphers that include both modular addition and exclusive ORs have only been found experimentally by heuristic methods, our results make it possible to rigorously prove lower bounds on differential attacks against at least some ciphers. Compared to [LM01], our paper stepped significantly closer to reality, since we were able to prove that some differentials used in an actual attack are optimal.
Finally, all results of this paper have been implemented in the C language and verified by computer. In particular, it took about 30 seconds on a 1.4 GHz Athlon to produce the numbers in Table 1.
Acknowledgments and Further Work
This work was partially supported by the Finnish Defense Forces Research Institute of Technology. We would like to thank Stefan Lucks, Markku-Juhani Olavi Saarinen and the anonymous referees for useful comments. An interesting open question is whether our methods can be applied to a more general class of mappings than L2. We hope that more applications of our results to real ciphers will be found in the future. The need for a partial exhaustive search in Thm. 4 was caused by the nontrivial preconditions on the inputs. When there are no such preconditions (that is, all 2^32 values of ∆z2 are allowed), we hope that an analytic formula can be derived for optimal differentials, akin to the ones presented in [LM01] for optimal differentials of additions. It might even be true that there is a closed-form formula for optimal differentials when ∆z2 is restricted.
References
[BS91] Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, 4(1):3–72, 1991.
[JK97] Thomas Jakobsen and Lars Knudsen. The Interpolation Attack on Block Ciphers. In Eli Biham, editor, Fast Software Encryption '97, volume 1267 of Lecture Notes in Computer Science, pages 28–40, Haifa, Israel, January 1997. Springer-Verlag.
[LM01] Helger Lipmaa and Shiho Moriai. Efficient Algorithms for Computing Differential Properties of Addition. In Mitsuru Matsui, editor, Fast Software Encryption 2001, volume 2355 of Lecture Notes in Computer Science, pages 336–350, Yokohama, Japan, 2–4 April 2001. Springer-Verlag, 2002.
[Mas93] James L. Massey. SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. In Ross Anderson, editor, Fast Software Encryption '93, volume 809 of Lecture Notes in Computer Science, pages 1–17, Cambridge, UK, 9–11 December 1993. Springer-Verlag.
[MR02] S. Murphy and M. J. B. Robshaw. Key-dependent S-boxes and Differential Cryptanalysis. Designs, Codes and Cryptography, 27(3):229–255, 2002.
[Sch92] Claus-Peter Schnorr. FFT-Hash II, Efficient Cryptographic Hashing. In Rainer A. Rueppel, editor, Advances in Cryptology — EUROCRYPT '92, volume 658 of Lecture Notes in Computer Science, pages 45–54, Balatonfüred, Hungary, 24–28 May 1992. Springer-Verlag. ISBN 3-540-56413-6.
[SKW+99] Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. The Twofish Encryption Algorithm: A 128-Bit Block Cipher. John Wiley & Sons, April 1999. ISBN: 0471353817.
A Variant of NTRU with Non-invertible Polynomials
William D. Banks (Department of Mathematics, University of Missouri, Columbia, MO 65211, USA, [email protected]) and Igor E. Shparlinski (Department of Computing, Macquarie University, Sydney, NSW 2109, Australia, [email protected])

Abstract. We introduce a generalization of the NTRU cryptosystem and describe its advantages and disadvantages as compared with the original NTRU protocol. This extension helps to avoid the potential problem of finding "enough" invertible polynomials within very thin sets of polynomials, as in the original version of NTRU. This generalization also exhibits certain attractive "pseudorandomness" properties that can be proved rigorously using bounds for exponential sums.
1 A Generalization of NTRU
In this generalization of the original NTRU cryptosystem [5, 6], one selects integer parameters $(N, p, q)$ and four sets $L_f, L_g, L_\varphi, L_m$ of polynomials in the ring $R = \mathbb{Z}[X]/(X^N - 1)$ as in the standard version of NTRU. We denote by $\star$ the operation of multiplication in the ring $R$. The parameters $q$ and $p$ are distinct prime numbers such that $\gcd(N, q) = 1$, and the sets $L_f, L_g, L_\varphi, L_m$ are chosen to satisfy the "width condition"
$$\|p\,\varphi \star g + f \star m\| < q$$
for all polynomials $f \in L_f$, $g \in L_g$, $\varphi \in L_\varphi$, $m \in L_m$, where for any polynomial $F(X) = F_0 + F_1 X + \dots + F_{N-1} X^{N-1}$ we define the width of $F$ by
$$\|F\| = \max_{0 \le \nu \le N-1} F_\nu - \min_{0 \le \nu \le N-1} F_\nu .$$
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 62–70, 2002. © Springer-Verlag Berlin Heidelberg 2002

Our extension of the original NTRU scheme can be described as follows.

Key Creation. Alice randomly selects polynomials $f \in L_f$, $g \in L_g$ and $G \in R$ such that $G$ has an inverse modulo $q$ and $f$ has an inverse modulo $p$. This is easily accomplished since $G$ is allowed to range over all of $R$, and $p$ will be very small in any practical implementation of this scheme. Alice first computes inverses $G_q^*$ and $f_p^*$ that satisfy
$$G \star G_q^* \equiv 1 \pmod q, \qquad f \star f_p^* \equiv 1 \pmod p, \tag{1}$$
then Alice computes the products
$$h \equiv G_q^* \star g \pmod q, \qquad H \equiv G_q^* \star f \pmod q. \tag{2}$$
Alice publishes the pair of polynomials $(h, H)$ as her public key, retaining $(f, g, G)$ as her private key. The polynomial $f_p^*$ is simply stored for later use, and the polynomial $G_q^*$ may be discarded.

Encryption. Suppose Bob (the encrypter) wants to send a secret message to Alice (the decrypter). Bob selects a message $m$ from the set of plaintexts $L_m$. Next, Bob selects a random polynomial $\varphi \in L_\varphi$ and uses Alice's public key $(h, H)$ to compute
$$e \equiv p\,\varphi \star h + H \star m \pmod q.$$
Bob then transmits $e$ to Alice.

Decryption. Alice has received $e$ from Bob. To decrypt the message, she first computes
$$a \equiv G \star e \equiv p\,\varphi \star g + f \star m \pmod q,$$
choosing the coefficients of $a$ to lie in the interval from $-q/2$ to $q/2$. The remainder of our procedure now follows the standard version of NTRU; that is, Alice treats $a$ as a polynomial with integer coefficients and recovers the message by computing $m \equiv f_p^* \star a \pmod p$.

One easily verifies that the case $G = f$ corresponds to the classical NTRU cryptosystem (in this case, $H = 1$, so the public key consists solely of the polynomial $h$). Moreover, if $f$ (and therefore $H$) is invertible modulo $q$, then this generalization is equivalent to the original scheme. Indeed, instead of decrypting $e$ the attacker can try to decrypt
$$H_q^* \star e \equiv p\,\varphi \star H_q^* \star h + m \pmod q,$$
where $H_q^* \star H \equiv 1 \pmod q$; this is a classical NTRU ciphertext for the public key $H_q^* \star h$. On the other hand, if $f$ is a zero-divisor in the ring $R$, then our construction seems to produce a new scheme.

The main disadvantage of this scheme versus the classical NTRU scheme is that the public key size and the encryption time are roughly doubled. The advantages are:
◦ This scheme provides more flexibility in the choice of parameters. In particular, it is likely that this generalization is more robust against some of the known attacks on classical NTRU. For a lattice attack (which is by far the most "dangerous" threat to NTRU), in this setting one must work with more general lattices than in the original scheme.
◦ One can prove some theoretical results about the set of inverses $G_q^*$. In particular, although the issue has never been doubted in practice, it is not clear how to prove rigorously that there exist "enough" invertible polynomials $f \in L_f$ in the NTRU scheme. In our scheme, $G$ is selected from the entire ring $R$, and the density of invertible polynomials has been explicitly evaluated in [11]. One can also prove some rigorous statements concerning the distribution of $h$ and $H$, and also about the distribution of $e$ (thus showing that the ciphertext $e$ and the plaintext message $m$ are uncorrelated).
◦ One can select $G$ to have very small degree, which will speed up the decryption procedure as compared with the original NTRU scheme.
◦ It is possible to select $h$ once and for all as a universal quantity (thus reducing the public key size), or it can be selected to have a certain special form (to speed up the encryption), although it is not clear whether or not these choices might compromise the security of this scheme; this question should be studied in more detail. With such a modification, $G$ would be computed in terms of $f$, $g$, and $h$, and the public key size would be roughly the same as for classical NTRU.

In what follows, we present rigorous proofs of some of the theoretical results alluded to above. In particular, we show that for almost all $G \in R^*$ (that is, almost all $G$ invertible modulo $q$), the set of polynomials $\{p\,\varphi \star h\}$, where $h$ is defined by (1) and (2) and $\varphi$ runs over the set $L_\varphi$ (which can be rather arbitrary), is uniformly distributed. This means that for almost all $G$, the message $m$ (or, equivalently, the product $H \star m$) is reliably concealed by adding $p\,\varphi \star h$.
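As an added worked example (not the paper's code), the following Python toy implementation runs the key creation, encryption and decryption steps above end to end. Everything in it is an assumption for illustration: the parameters $N = 11$, $p = 3$, $q = 67$ (chosen so that the width condition holds for the ternary sets used), the choice of $L_f, L_g, L_\varphi, L_m$ as polynomials with a fixed number of $\pm 1$ coefficients, the inversion routine (Gauss–Jordan elimination on the circulant matrix of $f$, which also detects zero-divisors), and the particular $f$ hard-coded below, which was constructed so that it is invertible modulo $p$ but a zero-divisor modulo $q$ (it vanishes at the 11th root of unity $\zeta = 64 = 2^6$ in $\mathbb{F}_{67}$), i.e. exactly the case in which the paper says the construction gives a new scheme. `zero_divisor_witness` exhibits a nonzero $u$ with $f \star u \equiv 0 \pmod q$, and `classical_H` checks that $G = f$ gives $H = 1$.

```python
"""Added toy implementation (not the paper's code) of the generalized NTRU scheme:
R = Z[X]/(X^N - 1), public key (h, H), private key (f, g, G).  All parameters
and sets below are assumptions for illustration, not values from the paper."""
import random

N, P, Q = 11, 3, 67          # toy sizes: p, q distinct primes, gcd(N, q) = 1

def mul(a, b):
    """Multiplication in R: cyclic convolution modulo X^N - 1."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return c

def center(a, mod):
    """Reduce modulo `mod` and lift to representatives in [-(mod-1)/2, (mod-1)/2]."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def inverse(f, mod):
    """Inverse of f in Z_mod[X]/(X^N - 1) for prime mod, or None if f is a zero-divisor.
    Multiplication by f is the circulant matrix M[i][j] = f[(i - j) mod N]; we solve
    M u = (1, 0, ..., 0) by Gauss-Jordan elimination over F_mod."""
    M = [[f[(i - j) % N] % mod for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None                       # singular matrix: f is not a unit
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, mod)
        M[col] = [x * inv % mod for x in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                t = M[r][col]
                M[r] = [(x - t * y) % mod for x, y in zip(M[r], M[col])]
    return [row[N] for row in M]

def ternary(rng, d_plus, d_minus):
    """Random element of a thin set: d_plus coefficients +1, d_minus coefficients -1."""
    c = [1] * d_plus + [-1] * d_minus + [0] * (N - d_plus - d_minus)
    rng.shuffle(c)
    return c

def keygen(rng, f, G=None):
    """Key creation: f in L_f must be invertible mod p; G ranges over all of R and
    must be invertible mod q.  f itself need not be invertible mod q."""
    f_p = inverse(f, P)
    if f_p is None:
        raise ValueError("f is not invertible modulo p")
    while G is None or inverse(G, Q) is None:
        G = [rng.randrange(Q) for _ in range(N)]   # almost every G in R_q is a unit
    G_q = inverse(G, Q)
    g = ternary(rng, 3, 3)
    h = [x % Q for x in mul(G_q, g)]        # (2): h = G_q^* g (mod q)
    H = [x % Q for x in mul(G_q, f)]        #      H = G_q^* f (mod q)
    return (h, H), (f, g, G, f_p)

def encrypt(pk, m, phi):
    """Bob: e = p phi h + H m (mod q)."""
    h, H = pk
    return [(P * x + y) % Q for x, y in zip(mul(phi, h), mul(H, m))]

def decrypt(sk, e):
    """Alice: a = G e = p phi g + f m (mod q), centred, then m = f_p^* a (mod p)."""
    f, g, G, f_p = sk
    a = center(mul(G, e), Q)     # exact over Z because ||p phi g + f m|| < q
    return center(mul(f_p, a), P)

# Constructed f in L_f (four +1, three -1): invertible mod 3 but a zero-divisor
# mod 67, since f(zeta) = 0 for the 11th root of unity zeta = 64 = 2^6 in F_67.
F_ZERO_DIVISOR = [1, 1, 0, 0, 1, -1, 1, -1, 0, 0, -1]
ZETA = 64

def zero_divisor_witness():
    """u = (X^N - 1)/(X - zeta): a nonzero u with f u = 0 in R_q."""
    return [pow(ZETA, N - 1 - i, Q) for i in range(N)]

def classical_H(seed=3):
    """Choosing G = f (with f invertible mod q too) gives classical NTRU: H = 1."""
    rng = random.Random(seed)
    while True:
        f = ternary(rng, 4, 3)
        if inverse(f, P) is not None and inverse(f, Q) is not None:
            (_, H), _ = keygen(rng, f, G=f)
            return H

def demo(seed=1):
    """Round trip with the zero-divisor f; returns (plaintext, decrypted)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, F_ZERO_DIVISOR)
    m, phi = ternary(rng, 3, 2), ternary(rng, 3, 3)     # m in L_m, phi in L_phi
    return m, decrypt(sk, encrypt(pk, m, phi))
```

With these sets the coefficients of $p\,\varphi \star g + f \star m$ are bounded by $3 \cdot 6 + 5 = 23 < q/2$, so the centred lift in `decrypt` recovers the integer polynomial exactly; enlarging the sets without enlarging $q$ is the usual way such a toy breaks, and `demo` would then return a mismatched pair.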
2 Character Sums
Let $R_q$ be the reduction of $R$ modulo $q$, and let $R_q^*$ be the set of invertible polynomials in $R_q$. We use $\star$ for multiplication in the ring $R_q$ as well. Recall that the cardinality of $R_q^*$ is given by an analogue of the Euler function
$$|R_q^*| = q^N \prod_{j=1}^{r} \big(1 - q^{-n_j}\big), \tag{3}$$
where $n_1, \dots, n_r$ are the degrees of the $r \ge 1$ irreducible divisors of $X^N - 1$. Though we will not need this, a more explicit expression for the $n_j$ (hence also for $|R_q^*|$) is given in [11]; see also Section 6.5 of [3] and Section 7.5 of [10].

Let $X^N - 1 = \Psi_1(X) \cdots \Psi_r(X)$ be the complete factorization of $X^N - 1$ into irreducible polynomials in $\mathbb{F}_q[X]$. Because $\gcd(N, q) = 1$, we see that $X^N - 1$ is square-free over $\mathbb{F}_q$, hence all of these factors are pairwise distinct. We recall that $\mathbb{F}_q[X]/\Phi(X) \cong \mathbb{F}_{q^m}$ for any irreducible polynomial $\Phi(X) \in \mathbb{F}_q[X]$ with $\deg \Phi = m$. For each $j = 1, \dots, r$, we fix a root $\alpha_j$ of $\Psi_j(X)$, and denote
$$\mathbb{K}_j = \mathbb{F}_{q^{n_j}} = \mathbb{F}_q(\alpha_j) \cong \mathbb{F}_q[X]/\Psi_j(X), \tag{4}$$
where $n_j = \deg \Psi_j$. For each $j$, let
$$\mathrm{Tr}_j(z) = \sum_{k=0}^{n_j - 1} z^{q^k}$$
be the trace of $z \in \mathbb{K}_j$ to $\mathbb{F}_q$. We denote by $A$ the direct product of fields $A = \mathbb{K}_1 \times \dots \times \mathbb{K}_r$, and we have a natural isomorphism
$$R_q \cong \mathbb{K}_1 \times \dots \times \mathbb{K}_r = A \tag{5}$$
given by the map that sends $f \in R_q$ to $a_f = (f(\alpha_1), \dots, f(\alpha_r)) \in A$. In particular, the relation (3) follows immediately from (5). For every vector $a = (a_1, \dots, a_r) \in A$, let $\chi_a$ be the character of $R_q$ given by
$$\chi_a(f) = \prod_{j=1}^{r} e\big(\mathrm{Tr}_j(a_j f(\alpha_j))\big), \qquad f \in R_q,$$
where $e(z) = \exp(2\pi i z / q)$. It is easy to show that $\{\chi_a \mid a \in A\}$ is the complete set of additive characters of $R_q$. In particular, for any polynomial $f \in R_q$, one has
$$\sum_{a \in A} \chi_a(f) = \begin{cases} 0, & \text{if } f \ne 0, \\ q^N, & \text{if } f = 0. \end{cases} \tag{6}$$
Our main results rely on an upper bound for character sums of the form
$$W_a(L) = \sum_{Q \in R_q^*} \Big| \sum_{\varphi \in L} \chi_a(Q \star \varphi) \Big|, \qquad a \in A.$$
To estimate these sums, we need the following identity (see Section 1 of Chapter 5 of [9])
$$\sum_{x_j \in \mathbb{K}_j} e\big(\mathrm{Tr}_j(x_j c)\big) = \begin{cases} 0, & \text{if } c \ne 0, \\ q^{n_j}, & \text{if } c = 0, \end{cases} \tag{7}$$
which holds for any $c \in \mathbb{K}_j$, $j = 1, \dots, r$.

Lemma 1. Let $a = (a_1, \dots, a_r) \in A$ and let $J \subseteq \{1, \dots, r\}$ be the set of $j$ with $a_j \ne 0$. Then the bound
$$W_a(L) \le |R_q^*|^{1/2}\,|L|^{1/2}\,q^{N/2} \prod_{j \notin J} q^{n_j/2}$$
holds.
Proof. Using the Cauchy inequality and extending the summation over all polynomials $Q \in R_q$, we derive
$$W_a(L)^2 \le |R_q^*| \sum_{Q \in R_q} \Big| \sum_{\varphi \in L} \chi_a(Q \star \varphi) \Big|^2 = |R_q^*| \sum_{Q \in R_q} \sum_{\varphi_1, \varphi_2 \in L} \chi_a\big(Q \star (\varphi_1 - \varphi_2)\big)$$
$$\le |R_q^*| \sum_{\varphi_1, \varphi_2 \in L} \Big| \sum_{Q \in R_q} \prod_{j=1}^{r} e\big(\mathrm{Tr}_j(a_j Q(\alpha_j)(\varphi_1(\alpha_j) - \varphi_2(\alpha_j)))\big) \Big| .$$
From the isomorphism (5), we see that as $Q$ runs over the set $R_q$ the vector $(Q(\alpha_1), \dots, Q(\alpha_r))$ runs through the set $\mathbb{K}_1 \times \dots \times \mathbb{K}_r$. Therefore
$$W_a(L)^2 \le |R_q^*| \sum_{\varphi_1, \varphi_2 \in L} \Big| \prod_{j=1}^{r} \sum_{x_j \in \mathbb{K}_j} e\big(\mathrm{Tr}_j(a_j x_j (\varphi_1(\alpha_j) - \varphi_2(\alpha_j)))\big) \Big|$$
$$= |R_q^*| \prod_{j \notin J} q^{n_j} \sum_{\varphi_1, \varphi_2 \in L} \Big| \prod_{j \in J} \sum_{x_j \in \mathbb{K}_j} e\big(\mathrm{Tr}_j(a_j x_j (\varphi_1(\alpha_j) - \varphi_2(\alpha_j)))\big) \Big| ,$$
since $a_j = 0$ for $j \notin J$. From (7) we see that the product vanishes if $\varphi_1(\alpha_j) \ne \varphi_2(\alpha_j)$ for some $j \in J$, and
$$\prod_{j \in J} \sum_{x_j \in \mathbb{K}_j} e\big(\mathrm{Tr}_j(a_j x_j (\varphi_1(\alpha_j) - \varphi_2(\alpha_j)))\big) = \prod_{j \in J} q^{n_j}$$
otherwise. Since $\Psi_1, \dots, \Psi_r$ are irreducible polynomials, the condition $\varphi_1(\alpha_j) = \varphi_2(\alpha_j)$ is equivalent to $\Psi_j \mid (\varphi_1 - \varphi_2)$. Hence
$$W_a(L)^2 \le |R_q^*|\, q^N M(J),$$
where $M(J)$ is the number of pairs $\varphi_1, \varphi_2 \in L$ with
$$\varphi_1 \equiv \varphi_2 \pmod{\textstyle\prod_{j \in J} \Psi_j}.$$
For each $\varphi_1 \in L$ there are at most
$$q^N \prod_{j \in J} q^{-n_j} = \prod_{j \notin J} q^{n_j}$$
such values for $\varphi_2$. Consequently
$$M(J) \le |L| \prod_{j \notin J} q^{n_j},$$
and the lemma follows.
3 Uniformity of Distribution
If we assume for simplicity that $g \in L_g$ is invertible modulo $q$, it follows that $Q = p\,G_q^* \star g$ runs through the entire set $R_q^*$ together with $G$. Thus it suffices to study the distribution of $\{Q \star \varphi \mid \varphi \in L\}$ "on average" for $Q \in R_q^*$. We remark that the condition $g \in R_q^*$ is equivalent to $\gcd(g, X^N - 1) = 1$ in $\mathbb{F}_q[X]$, and we will always need a condition of this type in any case; otherwise, the number of possible values for $h$ becomes too small, and the cryptosystem is then vulnerable to a brute force attack.

Given polynomials $S \in R_q$ and $Q \in R_q^*$, a set $L \subseteq R_q$, and an integer $d$, we denote by $N_d(S, Q, L)$ the number of polynomials $\varphi \in L$ such that the inequality $\deg(S - Q \star \varphi) < d$ holds. Thus, roughly speaking, $N_d(S, Q, L)$ counts how many products $Q \star \varphi$ with $\varphi \in L$ are "close" to the given polynomial $S$. Our main result claims that this number is very close to the expected value $|L|/q^{N-d}$ for almost all polynomials $Q \in R_q^*$. In particular, this means that for almost all polynomials $Q \in R_q^*$, the encryptions $e$ (of the same message $m$) in our modification of NTRU, obtained with randomly chosen polynomials $\varphi \in L_\varphi$, are uniformly distributed in $R_q$.

Theorem 1. For $q \ge 5$, the bound
$$\frac{1}{|R_q^*|} \sum_{Q \in R_q^*} \Big| N_d(S, Q, L) - \frac{|L|}{q^{N-d}} \Big| \le 3^N |L|^{1/2}$$
holds.

Proof. Clearly, $N_d(S, Q, L) = q^{-d}\, T_d(S, Q, L)$, where $T_d(S, Q, L)$ is the number of representations $Q \star \varphi = S + \psi_1 - \psi_2$ with $\varphi \in L$ and polynomials $\psi_1, \psi_2 \in R_q$ of degree at most $d - 1$ (for each admissible $\varphi$ there are exactly $q^d$ such pairs). From the identity (6) we derive
$$T_d(S, Q, L) = \frac{1}{q^N} \sum_{\varphi \in L} \sum_{\substack{\psi_1, \psi_2 \in R_q \\ \deg \psi_1, \deg \psi_2 \le d-1}} \sum_{a \in A} \chi_a(Q \star \varphi - S - \psi_1 + \psi_2)$$
$$= \frac{1}{q^N} \sum_{a \in A} \chi_a(-S) \sum_{\varphi \in L} \chi_a(Q \star \varphi) \sum_{\substack{\psi_1, \psi_2 \in R_q \\ \deg \psi_1, \deg \psi_2 \le d-1}} \chi_a(\psi_2 - \psi_1)$$
$$= \frac{1}{q^N} \sum_{a \in A} \chi_a(-S) \sum_{\varphi \in L} \chi_a(Q \star \varphi) \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 .$$
The term corresponding to $a = 0$ is equal to $q^{2d-N}|L|$. For any nonempty set $J \subseteq \{1, \dots, r\}$, let $A_J$ be the subset of $A$ consisting of all $a = (a_1, \dots, a_r)$ such that $a_j = 0$ whenever $j \notin J$. Grouping the remaining $a \ne 0$ according to their support $J = \{j \mid a_j \ne 0\}$, we obtain
$$\Big| T_d(S, Q, L) - \frac{|L|}{q^{N-2d}} \Big| \le \frac{1}{q^N} \sum_{\substack{J \subseteq \{1, \dots, r\} \\ J \ne \emptyset}} \sum_{\substack{a \in A \\ \{j \,:\, a_j \ne 0\} = J}} \Big| \sum_{\varphi \in L} \chi_a(Q \star \varphi) \Big| \, \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 .$$
Applying Lemma 1 to each $a$ with support $J$, and then extending the inner summation to all nonzero $a \in A_J$ (every $a$ with support $J$ lies in $A_J$, and the summands are non-negative), it follows that
$$\sum_{Q \in R_q^*} \Big| T_d(S, Q, L) - \frac{|L|}{q^{N-2d}} \Big| \le |R_q^*|^{1/2}\,|L|^{1/2}\,q^{-N/2} \sum_{\substack{J \subseteq \{1, \dots, r\} \\ J \ne \emptyset}} \prod_{j \notin J} q^{n_j/2} \sum_{\substack{a \in A_J \\ a \ne 0}} \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 .$$
It is easy to see that
$$\sum_{\substack{a \in A_J \\ a \ne 0}} \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 = -q^{2d} + \sum_{a \in A_J} \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 = -q^{2d} + \sum_{\substack{\varphi, \psi \in R_q \\ \deg \varphi, \deg \psi \le d-1}} \sum_{a \in A_J} \chi_a(\varphi - \psi)$$
$$= -q^{2d} + \sum_{\substack{\varphi, \psi \in R_q \\ \deg \varphi, \deg \psi \le d-1}} \prod_{j \in J} \sum_{a_j \in \mathbb{K}_j} e\big(\mathrm{Tr}_j(a_j(\varphi(\alpha_j) - \psi(\alpha_j)))\big) = -q^{2d} + U \prod_{j \in J} q^{n_j},$$
where $U$ is the number of pairs $\varphi, \psi \in R_q$ with $\deg \varphi, \deg \psi \le d-1$ and such that $\varphi(\alpha_j) = \psi(\alpha_j)$ for all $j \in J$. Since this condition is equivalent to the polynomial congruence
$$\varphi(X) \equiv \psi(X) \pmod{\textstyle\prod_{j \in J} \Psi_j(X)},$$
we derive that
$$U = \begin{cases} q^{2d} \prod_{j \in J} q^{-n_j}, & \text{if } d \ge \sum_{j \in J} n_j, \\[2pt] q^d, & \text{otherwise.} \end{cases}$$
Hence in either case
$$0 \le -q^{2d} + U \prod_{j \in J} q^{n_j} \le q^d \prod_{j \in J} q^{n_j},$$
and consequently
$$\sum_{\substack{a \in A_J \\ a \ne 0}} \Big| \sum_{\substack{\psi \in R_q \\ \deg \psi \le d-1}} \chi_a(\psi) \Big|^2 \le q^d \prod_{j \in J} q^{n_j}.$$
Therefore, we have
$$\frac{1}{|R_q^*|} \sum_{Q \in R_q^*} \Big| T_d(S, Q, L) - \frac{|L|}{q^{N-2d}} \Big| \le |R_q^*|^{-1/2}\,|L|^{1/2}\,q^{d - N/2} \sum_{\substack{J \subseteq \{1, \dots, r\} \\ J \ne \emptyset}} \prod_{j \notin J} q^{n_j/2} \prod_{j \in J} q^{n_j}$$
$$= |R_q^*|^{-1/2}\,|L|^{1/2}\,q^{d} \sum_{\substack{J \subseteq \{1, \dots, r\} \\ J \ne \emptyset}} \prod_{j \in J} q^{n_j/2} = |R_q^*|^{-1/2}\,|L|^{1/2}\,q^{d} \Big( \prod_{j=1}^{r} \big(1 + q^{n_j/2}\big) - 1 \Big)$$
$$< |R_q^*|^{-1/2}\,|L|^{1/2}\,q^{d} \prod_{j=1}^{r} \big(1 + q^{n_j/2}\big) = |L|^{1/2}\,q^{d - N/2} \prod_{j=1}^{r} \big(1 + q^{n_j/2}\big)\big(1 - q^{-n_j}\big)^{-1/2}$$
$$= |L|^{1/2}\,q^{d} \prod_{j=1}^{r} \big(1 + q^{-n_j/2}\big)\big(1 - q^{-n_j}\big)^{-1/2} .$$
Since $(1 - x^2)^{-1/2}(1 + x) = \big((1 + x)/(1 - x)\big)^{1/2} < 3$ for every $x$ in the open interval $0 < x < 1/2$, and each term $q^{-n_j/2}$ lies in this interval since $q \ge 5$, we have
$$\prod_{j=1}^{r} \big(1 - q^{-n_j}\big)^{-1/2}\big(1 + q^{-n_j/2}\big) < 3^r \le 3^N .$$
Consequently
$$\frac{1}{|R_q^*|} \sum_{Q \in R_q^*} \Big| T_d(S, Q, L) - \frac{|L|}{q^{N-2d}} \Big| < q^d\, 3^N |L|^{1/2},$$
and the theorem follows immediately on dividing by $q^d$.
4 Remarks

We remark that for the special set $L_\varphi$ considered in [5], the bound on $M(J)$ in Lemma 1 can be improved, which leads to a stronger bound in Theorem 1. We have already mentioned that using polynomials $G$ of small degree can speed up the decryption procedure. It has been shown in [1] that using the method of [7, 8] (see also [4]), one can obtain an analogue of Theorem 1 for polynomials $G$ of the form $G = G_1 \star G_2$ where $G_1, G_2$ are irreducible polynomials of very small degree; see also [2].
The above result is just one out of many other statements of similar nature which can be proved for the generalization of NTRU introduced in this paper. Finally, we remark that an analogue of Theorem 1 can be obtained in any polynomial ring of the form $\mathbb{F}_q[X]/F(X)$, where $F(X) \in \mathbb{F}_q[X]$ is a square-free polynomial.
Acknowledgement We thank Jeffrey Hoffstein, Daniel Lieman and Joe Silverman for attracting our interest in this problem and for many fruitful discussions. Work supported in part by NSF grant DMS-0070628 (W. Banks) and by ARC grant A00000184 (I. Shparlinski).
References
[1] W. Banks, A. Harcharras and I. E. Shparlinski, 'Short Kloosterman sums for polynomials over finite fields', Canad. J. Math., (to appear).
[2] W. Banks and I. E. Shparlinski, 'Distribution of inverses in polynomial rings', Indag. Math., 12 (2001), 303–315.
[3] E. R. Berlekamp, Algebraic coding theory, McGraw-Hill, New York, 1968.
[4] J. Friedlander and H. Iwaniec, 'The Brun–Titchmarsh theorem', Analytic Number Theory, Lond. Math. Soc. Lecture Note Series 247, 1997, 363–372.
[5] J. Hoffstein, J. Pipher and J. H. Silverman, 'NTRU: A ring based public key cryptosystem', Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1433 (1998), 267–288.
[6] J. Hoffstein and J. H. Silverman, 'Optimizations for NTRU', Proc. the Conf. on Public Key Cryptography and Computational Number Theory, Warsaw, 2000, Walter de Gruyter, 2001, 77–88.
[7] A. A. Karatsuba, 'Fractional parts of functions of a special form', Izv. Ross. Akad. Nauk Ser. Mat. (Transl. as Russian Acad. Sci. Izv. Math.), 55(4) (1995), 61–80 (in Russian).
[8] A. A. Karatsuba, 'Analogues of Kloosterman sums', Izv. Ross. Akad. Nauk Ser. Mat. (Transl. as Russian Acad. Sci. Izv. Math.), 55(5) (1995), 93–102 (in Russian).
[9] R. Lidl and H. Niederreiter, Finite fields, Cambridge University Press, Cambridge, 1997.
[10] F. J. MacWilliams and N. J. A. Sloane, The theory of error-correcting codes, North-Holland, Amsterdam, 1977.
[11] J. H. Silverman, 'Invertibility in truncated polynomial rings', NTRU Cryptosystem Tech. Report 9, 1998, 1–8.
Tree Replacement and Public Key Cryptosystem
S.C. Samuel (Department of Mathematics, Voorhees College, Vellore - 632 001, India), D.G. Thomas, P.J. Abisha, and K.G. Subramanian (Department of Mathematics, Madras Christian College, Tambaram, Chennai - 600 059, India, [email protected])

Abstract. In this paper, a public key cryptosystem based on a tree replacement system is proposed.
Keywords: public key cryptosystem (PKC), tree replacement system, Church-Rosser tree replacement system, word problem.
1 Introduction
There has been a lot of interest in the construction of safe and effective public key cryptosystems, which ensure secrecy of data. The basic idea of a public key cryptosystem (PKC) is due to Diffie and Hellman [1]. In a PKC, the encryption key is made public but the decryption key with a trapdoor is kept secret. Both encryption and decryption are made 'easy' but cryptanalysis, breaking the code without the knowledge of the trapdoor, is made 'hard'. Several public key cryptosystems based on different principles are known. The knapsack system and the RSA system are two well known public key cryptosystems that are widely studied. Recently, some public key cryptosystems have been designed as interesting applications of formal language theory to cryptography [3,6]. One such PKC based on the word problem is to use a Church-Rosser Thue system T, for which the word problem [4,7] is solvable, and convert it into a general Thue system S (for which the word problem is unsolvable) using a morphism g, which is the trapdoor function. Encryption of plaintext is done with S and decryption with T.

Trees are one of the data structures used frequently for organizing information. Their applications include sorting and pattern matching. The importance of trees is reflected in the fact that many studies on strings are extended to trees, yielding fruitful results. Messages such as picture messages can be encoded as trees. It is therefore natural to think of constructing PKCs to take care of such messages in the form of trees. Here we consider tree rewriting [2] instead of string rewriting and extend the notions of encryption and decryption to trees. Basically the idea is to consider a Church-Rosser tree rewriting system and convert it, using a morphism, into a general tree rewriting system for which the word problem is unsolvable. The latter is used in the encryption part and the former in the decryption part. The trapdoor, which is kept secret, helps to convert the specific tree rewriting system to a general tree rewriting system. Hence encryption and decryption are easy.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 71–78, 2002. © Springer-Verlag Berlin Heidelberg 2002
2 Preliminaries
We recall the definitions of ranked alphabets, trees, tree composition, tree replacement systems and related results [2,5] in this section.

2.1 Definition. A ranked alphabet Σ is a set together with a rank function r : Σ → N, where N denotes the set of nonnegative integers. Every symbol f in Σ of rank r(f) = n is said to have arity n. Symbols of arity zero are also called constants.

2.2 Definition. A tree domain D is a non-empty subset of strings over N satisfying the following conditions:
1. For each u in D, every prefix v of u is also in D.
2. For each u in D and every positive integer i, if ui is in D then, for every j with 1 ≤ j ≤ i, uj is also in D.

2.3 Definition. A Σ-tree (for short, a tree) is a function t : D → Σ such that:
1. D is a tree domain.
2. For every u in D, if n = card({i ∈ N | ui ∈ D}), then n = r(t(u)), the arity of the symbol labeling u in t.
Given a tree t, its domain is denoted as dom(t). The elements of the domain are called nodes or tree addresses. A node u is a leaf if card({i ∈ N | ui ∈ D}) = 0. The node corresponding to the empty string is the root of the tree. The null tree is denoted as λ. Given a tree t, two addresses u, v in dom(t) are independent if u is not a prefix of v and v is not a prefix of u (that is, there is no w such that u = vw or v = uw). Otherwise u and v are dependent and if, say, v = uw, then u is an ancestor of v.

2.4 Definition. Given a tree t and a tree address u in dom(t), the subtree of t at u, denoted as t/u, is the tree whose domain is the set dom(t/u) = {v ∈ N* | uv ∈ dom(t)} and such that t/u(v) = t(uv) for every v in dom(t/u). A tree is finite if its domain is finite. The set of finite Σ-trees is denoted as TΣ.

2.5 Definition. Let X = {x1, x2, ...} be a countable set of variables, and let Xm = {x1, x2, ..., xm}. Adjoining the set X to the constants in Σ, we obtain the set of trees TΣ(X) with variables, and similarly adjoining Xm we obtain TΣ(Xm). The set (TΣ(Xm))^n of n-tuples of trees with variables from Xm is denoted as TΣ(m, n). Hence TΣ(Xm) and TΣ(m, 1) denote the same set of trees. In particular, if the variable set contains a single variable x, then TΣ(1, 1) denotes the set of trees over the singleton set X.
We now introduce two operations on trees: composition and tree replacement.

2.6 Definition. Given t = (t1, t2, ..., tn) in TΣ(m, n) and s in TΣ(n, 1), their composition is the tree denoted by s ◦ t = s(t1, t2, ..., tn) and defined by the set of pairs
{(v, s(v)) | v ∈ dom(s), s(v) ∉ Xn} ∪ {(uv, ti(v)) | u ∈ dom(s), v ∈ dom(ti), s(u) = xi, 1 ≤ i ≤ n}.
Tree composition is extended to tuples as follows: given t = (t1, t2, ..., tn) in TΣ(m, n) and s = (s1, s2, ..., sp) in TΣ(n, p), then
s ◦ t = (s1(t1, t2, ..., tn), s2(t1, t2, ..., tn), ..., sp(t1, t2, ..., tn)).
We can extend this notion to three trees t1, t2, t3 in TΣ(n, n) as t1 ◦ t2 ◦ t3 = t1 ◦ (t2 ◦ t3), and similarly to n trees t1, t2, ..., tn in TΣ(n, n) as t1 ◦ t2 ◦ ... ◦ tn = t1 ◦ t2 ◦ ... ◦ (tn−1 ◦ tn). For trees t and s in TΣ(1, 1), their composition is thus
s ◦ t = {(v, s(v)) | v ∈ dom(s), s(v) ≠ x} ∪ {(uv, t(v)) | u ∈ dom(s), v ∈ dom(t), s(u) = x}.
For convenience s ◦ t is denoted as st.

2.7 Definition. Given a tree t1, an address u in dom(t1), and another tree t2, the tree obtained by replacement of t2 for u in t1 is the tree denoted as t1[u ← t2] and defined by the set of pairs
{(v, t1(v)) | v ∈ dom(t1), u is not a prefix of v} ∪ {(uv, t2(v)) | v ∈ dom(t2)}.

2.8 Definition. A substitution is any function h : X → TΣ(X). Since TΣ(X) is the free algebra over the set X, every substitution extends to a unique homomorphism h̄ : TΣ(X) → TΣ(X), that is, to a function h̄ such that
h̄(x) = h(x) for every x in X,
h̄(f(t1, t2, ..., tn)) = f(h̄(t1), ..., h̄(tn)) if r(f) ≥ 1,
h̄(a) = a for every constant a.

2.9 Definition. A set of rules S over TΣ(X) is a subset of TΣ(X) × TΣ(X). Each pair (s, t) in S is called a rule.
2.10 Definition. The congruence generated by S is the reflexive transitive closure ↔* of the relation ↔ defined as follows: for any two trees t1 and t2 in TΣ(X), t1 ↔ t2 if and only if there is some tree T in TΣ(X), some tree address u both in dom(t1) and dom(t2), some pair (s, t) such that either (s, t) or (t, s) is a rule in S, and some substitution h : Var(s) ∪ Var(t) → TΣ(X), with t1 = T[u ← h̄(s)] and t2 = T[u ← h̄(t)], where Var(t) = {xi ∈ X | ∃u ∈ dom(t), t(u) = xi}.

2.11 Definition. Two trees t1 and t2 are congruent (mod S) if t1 ↔* t2. The class of trees that are congruent to t1 is [t1] = {ti | t1 ↔* ti}.

2.12 Definition. Given a set of rules S over a set of trees TΣ(X), the relation → is defined as t → s if and only if t ↔ s and size(t) > size(s), for all t, s ∈ TΣ(X), where size(t) denotes the number of nodes in the tree domain of t. →* is the reflexive transitive closure of →. (S, →) is called a tree replacement system.

2.13 Definition. Given a tree replacement system (S, →), a tree t is irreducible (mod S) if there is no tree t' such that t → t'.

2.14 Definition. A tree replacement system (S, →) is Church-Rosser if, for all t1, t2 with t1 ↔* t2, there exists t3 such that t1 →* t3 and t2 →* t3.

2.15 Word problem. The word problem for a tree replacement system (S, →) is, given any two trees s, t in TΣ(X), to decide whether s and t are congruent to each other or not. The word problem is undecidable in general for many tree replacement systems, but it is proved in [2] that the word problem for any Church-Rosser tree replacement system is decidable in linear time.
3 Construction of PKC
We now propose a public key cryptosystem based on trees. Consider a Church-Rosser tree replacement system (S, →) over an alphabet Σ. Choose n trees t1, t2, ..., tn in TΣ(X) such that no two trees are congruent to each other and each tj is irreducible with respect to S. Let ∆ be a new alphabet of cardinality much greater than that of Σ. Let g : ∆ → Σ ∪ {λ} be a morphism. It can be extended to a morphism in which every tree of T∆(X) is mapped onto a tree of TΣ(X) or to the null tree.

3.1 Encryption. Consider a tree replacement system (S̄, →) over the alphabet ∆ where S̄ ⊆ {(s, t) | g(s) ↔* g(t) with respect to S}. The rules (s, t) in S̄ are selected with the following condition: if a node in t is labelled by a dummy symbol (i.e., a symbol in ∆ which is mapped to λ by g), then at most one of its children is labelled by a symbol which is not a dummy symbol; i.e., either all of its children are labelled by dummy symbols or, excepting one child, the other children are labelled by dummy symbols. This requirement enables correct decryption by merging all the children with the father in g(t) (see the decryption procedure). Choose n trees s1, s2, ..., sn ∈ T∆(X) so that sj ∈ g^(−1)([tj]) for each j = 1, 2, ..., n. The public encryption key is (S̄, s1, s2, ..., sn).

The encryption of a plaintext is done as follows. Let the plaintext be any word over {1, 2, ..., n}, say p = p1 p2 ... pk where each pj ∈ {1, 2, ..., n}. The tree T corresponding to the plaintext p is sp1 sp2 ... spk. The encryption of T is done by taking an encryption of each spj and composing the encrypted trees, preserving the order of composition in T. Here the encryption of spj is a tree s'pj ∈ [spj], the congruence class of spj under S̄, where spj is a member of g^(−1)([tpj]). This yields the ciphertext of the tree T in the form Q = s'p1 s'p2 ... s'pk.

Decryption. The secret decryption key is (S, t1, t2, ..., tn, g). If Q is a tree in encrypted form, then g(Q) = t'p1 t'p2 ... t'pk where t'pj ∈ [tpj]. It should be noted that if λ is the label of a node which is not a leaf, it is replaced by the label of its child which is not λ, and if λ is the label of a leaf node, then this node is neglected. Since S is Church-Rosser, tpj can be computed from t'pj. Hence the tree tp1 tp2 ... tpk can be recovered, yielding the plaintext message p1 p2 ... pk.

Example. Let Σ = {a, b, c, d, e, f, g} and X = {x} with r(e) = 2, r(a) = r(b) = r(c) = 1, r(d) = r(f) = r(g) = 0. Consider the Church-Rosser tree replacement system S with the following three rules (see Fig. 1), written as functions:
a(d) ↔ a(a(d))
b(d) ↔ e(f, b(d))
c(d) ↔ e(g, b(d))
Let t1 and t2 be two trees in TΣ(X) that are irreducible (mod S) and such that t1 is not congruent to t2 with respect to S. Two such trees are given in Fig. 2; they can be expressed as
t1 = e(a(d), e(x, c(d))) and t2 = e(e(x, c(d)), b(d)).
Now we consider the alphabet ∆ = {c1, c2, ..., c17} and define the morphism g as follows:
g(c1) = f, g(c17) = g, g(c4) = g(c14) = c, g(c7) = g(c13) = d,
g(c3) = g(c8) = g(c11) = a, g(c6) = g(c10) = g(c15) = b,
g(c5) = g(c9) = g(c16) = λ, g(c2) = g(c12) = e.
Now a general tree replacement system S̄ corresponding to the above Church-Rosser system S is given by
c3(c7) ↔ c8(c8(c7)) ↔ c11(c5(c3(c13))) ↔ c5(c3(c13)) ↔ c16(c9, c8(c8(c7)))
c6(c13) ↔ c2(c1, c10(c7)) ↔ c12(c1, c5(c6(c13)))
c4(c7) ↔ c12(c17, c6(c13)) ↔ c5(c9, c4(c7))
c9 ↔ c5(c16, c9), c16 ↔ c9(c5)

Fig. 1. Rules of S (tree diagrams of the three rules a(d) ↔ a(a(d)), b(d) ↔ e(f, b(d)), c(d) ↔ e(g, b(d))).

The trees s1 and s2 given below are selected such that g(s1) ∈ [t1] and g(s2) ∈ [t2]:
s1 = c5(c12(c3(c7), c2(x, c4(c7))), c9(c16))
s2 = c5(c2(c12(x, c4(c7)), c6(c13)), c5(c16, c9))

Fig. 2. Irreducible trees t1 and t2, which are not congruent (tree diagrams).

If the plaintext is p = 212, then consider the tree T = s2 s1 s2. After applying the tree replacement rules in S̄ several times to s1 and s2 respectively, we get s1 ↔* s1' where
s1' = c5(c12(c16(c9, c11(c16(c9, c11(c3(c7))))), c2(x, c5(c9, c12(c17, c6(c13))))), c9(c16));
s2 ↔* s2' where
s2' = c5(c2(c12(x, c5(c9, c4(c7))), c12(c1, c5(c2(c1, c10(c7))))), c5(c9(c5), c5(c16, c5(c16, c5(c9(c5), c9)))));
and s2 ↔* s2'' where
s2'' = c5(c2(c12(x, c5(c9, c12(c17, c12(c1, c5(c2(c1, c10(c7))))))), c12(c1, c5(c6(c13)))), c5(c16, c9)).
The composition is done as follows:
s2' s1' = c5(c2(c12(c5(c12(c16(c9, c11(c16(c9, c3(c7)))), c2(x, c5(c9, c12(c17, c16(c13))))), c9(c16)), c5(c9, c4(c7))), c12(c1, c5(c2(c1, c10(c7))))), c5(c9(c5), c5(c16, c5(c16, c5(c9(c5), c9)))))
and
Q = s2' s1' s2'' = c5(c2(c12(c5(c12(c16(c9, c11(c16(c9, c3(c7))))), c2(c5(c2(c12(x, c5(c9, c12(c17, c12(c1, c5(c2(c1, c10(c7))))))), c12(c1, c5(c6(c13)))), c5(c16, c9)), c5(c9, c12(c17, c6(c13))))), c9(c16)), c5(c9, (c4(c7))), c12(c1, c5(c2(c1, c10(c7))))), c5(c9(c5), c5(c16, c5(c16, c5(c9(c5), c9)))))
Applying the morphism g to Q, the above expression becomes
g(Q) = λ(e(e(λ(e(λ(λ, a(λ(λ, a(d))))), e(λ(e(e(x, λ(λ, e(g, e(f, λ(e(f, b(d))))))), e(f, λ(b(d)))), λ(λ, λ)), λ(λ, e(g(b(d))))), λ(λ)), λ(λ, c(d))), e(f, λ(e(f, b(d))))), λ(λ(λ), λ(λ, λ(λ, λ(λ(λ), λ)))))
Neglecting the null trees, the expression reduces to the form
e(e(e(a(a(d))))), e(e(e(x, e(g, e(f, e(f, (b(d))))), e(f, b(d))))), e(g, b(d)))))), c(d), e(f, e(f, b(d))))))
Applying the Church-Rosser congruence relations, the above expression reduces to
e(e(e(a(d))), e(e(e(x, c(d))))), b(d), c(d), c(d), b(d)))))
which is the composition t2 t1 t2 of the trees t1, t2, and hence the required message 212 is received.
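As an added worked example (not the paper's code) serving both the definitions of Section 2 and the construction of Section 3, the following Python program runs the scheme on the paper's own example: the rules of S and S̄, the morphism g, the secret trees t1, t2 and the public trees s1, s2 are exactly those printed above, but the printed rewrites s1', s2', s2'' are not reproduced; instead `scramble` picks random S̄-rewrites. Assumptions of this implementation: trees are `(label, children)` tuples, the paper's string addresses become 0-based index tuples, ranks of the dummy symbols are not enforced (the example itself uses c5 and c9 with several arities), all rules are ground so no substitution h̄ is needed, the number of rewrites per block (`steps`) and the random seed are arbitrary, and the final step that reads the digits off the normal form by matching t1 or t2 at the root (`match`, `decrypt`) is my reading of "the tree tp1 tp2 ... tpk can be recovered", which the paper does not spell out. `apply_g` implements the λ-merging rule of the Decryption step and fails loudly if a dummy node has two non-dummy children, the case the condition on S̄ rules out.

```python
"""Added example (not the paper's code): the tree-replacement PKC run on the paper's
own example system.  Trees are (label, children) tuples and addresses 0-based index
tuples; ranks of the dummy symbols are not enforced and all rules are ground."""
import random, re

X = ("x", ())                                   # the single variable x

def parse(s):
    """Parse the paper's notation, e.g. 'e(a(d), e(x, c(d)))', into a tuple tree."""
    toks = re.findall(r"\w+|[(),]", s)
    def node(i):
        label, kids, i = toks[i], [], i + 1
        if i < len(toks) and toks[i] == "(":
            while toks[i] != ")":               # toks[i] is "(" or ","
                kid, i = node(i + 1)
                kids.append(kid)
            i += 1
        return (label, tuple(kids)), i
    return node(0)[0]

size = lambda t: 1 + sum(map(size, t[1]))       # number of nodes (Definition 2.12)

def compose(s, t):
    """s o t: s with its variable x replaced by t (Definition 2.6 for T_Sigma(1,1))."""
    return t if s == X else (s[0], tuple(compose(k, t) for k in s[1]))

def nodes(t, addr=()):                          # (address, subtree) pairs, preorder
    yield addr, t
    for i, k in enumerate(t[1]):
        yield from nodes(k, addr + (i,))

def replace(t, addr, new):                      # t[addr <- new], Definition 2.7
    if not addr:
        return new
    return (t[0], tuple(replace(k, addr[1:], new) if i == addr[0] else k for i, k in enumerate(t[1])))

def normal_form(t, classes):
    """Irreducible form under size-decreasing steps (Definitions 2.12-2.13)."""
    for addr, u in nodes(t):
        for cls in classes:
            if u in cls and size(min(cls, key=size)) < size(u):
                return normal_form(replace(t, addr, min(cls, key=size)), classes)
    return t

def scramble(t, classes, rng, steps):
    """Random rewrites in either direction: returns some t' with t' in [t]."""
    for _ in range(steps):
        addr, u, cls = rng.choice([(a, u, c) for a, u in nodes(t) for c in classes if u in c])
        t = replace(t, addr, rng.choice([v for v in cls if v != u]))
    return t

def match(pattern, t):
    """The u with t == pattern[x <- u] (x occurs once in pattern), else None."""
    if pattern == X:
        return t
    if pattern[0] != t[0] or len(pattern[1]) != len(t[1]):
        return None
    subs = [match(p, k) for p, k in zip(pattern[1], t[1])]
    if any(s is None and p != k for s, p, k in zip(subs, pattern[1], t[1])):
        return None
    return next((s for s in subs if s is not None), None)

G = {"c1": "f", "c17": "g", "c4": "c", "c14": "c", "c7": "d", "c13": "d", "c3": "a",
     "c8": "a", "c11": "a", "c6": "b", "c10": "b", "c15": "b", "c5": None, "c9": None,
     "c16": None, "c2": "e", "c12": "e", "x": "x"}   # the morphism g; None = lambda

def apply_g(t):
    """g(t) with the dummy nodes merged away, as in the Decryption step."""
    kids = [k for k in map(apply_g, t[1]) if k is not None]
    if G[t[0]] is not None:
        return (G[t[0]], tuple(kids))
    assert len(kids) <= 1, "dummy node with several non-dummy children"
    return kids[0] if kids else None

classes = lambda *groups: [[parse(s) for s in grp] for grp in groups]
S = classes(("a(d)", "a(a(d))"), ("b(d)", "e(f, b(d))"), ("c(d)", "e(g, b(d))"))
S_BAR = classes(("c3(c7)", "c8(c8(c7))", "c11(c5(c3(c13)))", "c5(c3(c13))", "c16(c9, c8(c8(c7)))"),
                ("c6(c13)", "c2(c1, c10(c7))", "c12(c1, c5(c6(c13)))"),
                ("c4(c7)", "c12(c17, c6(c13))", "c5(c9, c4(c7))"),
                ("c9", "c5(c16, c9)"), ("c16", "c9(c5)"))
T_PLAIN = {1: parse("e(a(d), e(x, c(d)))"), 2: parse("e(e(x, c(d)), b(d))")}   # secret
S_PUB = {1: parse("c5(c12(c3(c7), c2(x, c4(c7))), c9(c16))"),                  # public
         2: parse("c5(c2(c12(x, c4(c7)), c6(c13)), c5(c16, c9))")}

def encrypt(message, rng, steps=5):
    """Q = s'_{p1} s'_{p2} ... s'_{pk}, each s'_{pj} congruent to s_{pj} under S-bar."""
    T = X
    for j in reversed(message):
        T = compose(scramble(S_PUB[j], S_BAR, rng, steps), T)
    return T

def decrypt(Q):
    """Apply g, normalise under S, then peel off t_{p1}, t_{p2}, ... to read the digits."""
    t, digits = normal_form(apply_g(Q), S), []
    while t != X:
        j, t = next((j, u) for j, tj in T_PLAIN.items() if (u := match(tj, t)) is not None)
        digits.append(j)
    return digits

def demo(message=(2, 1, 2), seed=7):
    return decrypt(encrypt(list(message), random.Random(seed)))
```

`demo()` returns `[2, 1, 2]` for the paper's plaintext 212. Decryption does not depend on which S̄-rewrites the encrypter chose, because every member of an S̄ class maps under g (after λ-merging) to a tree S-congruent to a(d), b(d), c(d) or to the null tree, so the normal form of g(Q) is always the composition of the original t's; a ciphertext whose image is not such a composition makes `decrypt` raise `StopIteration`.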
References
[1] Diffie, W., and Hellman, M. E., New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT-22, No. 6, (1976), 644–654.
[2] Gallier, J. H., and Book, R. V., Reductions in tree replacement systems, Theo. Comp. Sci. 37 (1985), 123–150.
[3] Niemi, V., Cryptology: Language Theoretic Aspects, Handbook of Formal Languages, Vol. 2 (Editors: G. Rozenberg and A. Salomaa), Springer Verlag (1997), 507–524.
[4] Oleshchuk, V. A., On public key cryptosystems based on Church-Rosser string rewriting systems, Proceedings of Computing and Combinatorics '95 conference, LNCS 959, Springer-Verlag, (1995), 264–269.
[5] Rosen, B. K., Tree-manipulating systems and Church-Rosser theorem, J. ACM 20 (1973), 160–187.
[6] Salomaa, A., Computation and Automata, Cambridge University Press, 1985.
[7] Siromoney, G., Siromoney, R., Subramanian, K. G., Dare, V. R., and Abisha, P. J., Generalised Parikh vector and public key cryptosystems, in "A perspective in Theoretical Computer Science – Commemorative volume for Gift Siromoney", Ed. R. Narasimhan, World Scientific, (1989), 301–323.
Never Trust Victor: An Alternative Resettable Zero-Knowledge Proof System Olaf M¨ uller and Michael N¨ usken Faculty of Computer Science, Electrical Engineering and Mathematics, University of Paderborn {olafmue,nuesken}@upb.de http://www.olaf-mueller.net/ http://www-math.upb.de/~nuesken/
Abstract. We present a new resettable zero-knowledge proof system for graph 3-colorability with round complexity O(u(n) log2 n), where u : N → R>0 is any unbounded function and n denotes the number of vertices in the graph. Furthermore, we present a new formulation of the definition of resettable zero-knowledge and define and implement a knowledgeable commitment scheme: after the commitment phase the receiver is convinced that the sender knows a valid decommitment. This remains true even if the receiver is resettable, albeit with the drawback of non-constant round complexity. This is achieved by appending a resettable perfect witness-indistinguishable proof of knowledge of a decommitment to the original commit phase. We base all our constructions on a standard intractability assumption: the hardness of one of the many variants of the discrete logarithm problem.
The starting point of our investigation is the constant-round zero-knowledge proof system for graph 3-colorability by Goldreich & Kahan (1996). Canetti, Goldreich, Goldwasser & Micali (2000b) show that it is resettable witness-indistinguishable if the prover obtains its random bits by applying a pseudo-random function to all previous messages. But they did not succeed in proving that it is resettable zero-knowledge. The crux of the problem is this: we cannot rule out the possibility that a malicious verifier does not know decommitments to its own commitments until after a lengthy conversation with the prover. Richardson & Kilian (1999) improve on an idea by Feige, Lapidot & Shamir (1999), the so-called FLS-paradigm, and prepend a preliminary phase to the protocol by Goldreich & Kahan (1996) that allows the simulator to obtain an alternative witness for a slightly weakened NP statement. This way they obtain a concurrent zero-knowledge proof with $n^{\varepsilon}$ rounds. During the preliminary phase the prover and the verifier exchange commitments to random bit strings. A witness for the weakened NP statement can be obtained by matching a pair of strings, which is often possible for the simulator but no prover can cause this to happen with more than negligible probability. Richardson & Kilian (1999) have this to say about their own protocol:
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 79–92, 2002.
© Springer-Verlag Berlin Heidelberg 2002
Olaf Müller and Michael Nüsken
Finally, it is paradoxical that such seemingly meaningless alterations in the protocol can restore zero-knowledge. Intuitively, it seems implausible that the protocol has been made more secure in practice.

Canetti et al. (2000b) also use such a preliminary phase to obtain a resettable zero-knowledge proof system. Recent investigations on lower bounds culminated in the proof that “black-box concurrent zero-knowledge requires $\tilde\Omega(\log n)$ rounds” by Canetti, Kilian, Petrank & Rosen (2001). Thus the latest improvement by Kilian, Petrank & Richardson (2001), who construct a refined simulator which allows them to reduce the length of the preliminary phase to $O(u(n)\log^2 n)$ rounds, is nearly optimal concerning the number of rounds. Yet, this protocol still suffers from the lack of intuitive comprehensibility. Barak (2001) discovered “How to Go Beyond the Black-Box Simulation Barrier”. His protocol needs only a constant number of rounds and allows simulation in strict polynomial time. However, it is only computationally sound and bounded-concurrency zero-knowledge.

The idea of our protocol is quite simple: We observe that in the resettable witness-indistinguishable protocol by Canetti et al. (2000b), the prover trusts the verifier (Victor!) to know valid decommitments to its edge query commitments. Consequently, in our protocol, after committing to its edge queries the verifier has to prove that it knows valid decommitments for its message by participating in a “resettable” proof of knowledge with negligible knowledge error. The simulator uses a “resettable” knowledge extractor to obtain the queried edges before it has to commit to colorings and may thus commit to locally correct ones. This way the simulator achieves the same kind of faked 3-colorings as the one in Goldreich & Kahan (1996). It is hardly surprising that the simulation techniques from Kilian et al. (2001) can be made to work for our protocol, since the structure with respect to message rounds is very similar.
However, the semantics of the messages is completely different, both in the first and the second part of the proofs. Like Kilian et al. (2001) we obtain a resettable zero-knowledge proof system with $O(u(n)\log^2 n)$ rounds, which is the state of the art for black-box resettable zero-knowledge proof systems without setup assumptions. In contrast to its predecessors our protocol is fully specified and makes no use of the fact that every NP statement has a constant-round resettable witness-indistinguishable proof. Consequently, we can easily count the number of bit operations and transferred bits. So far no explicit reduction of the weakened NP statement back to 3-colorability has been presented, but the size of the formula alone allows us to conclude that the Richardson & Kilian type protocols are more expensive than ours. A disadvantage of our protocol is the fact that it is based on the hardness of the discrete logarithm problem modulo primes rather than the hardness of any one-way function. It can be generalized, for example easily to elliptic curves. Yet, the choice of the discrete logarithm problem is not arbitrary. Our proof of knowledge of a decommitment is not easily generalized to non-homomorphic commitment schemes.
Never Trust Victor
1 Resettable Zero-Knowledge
In this section, the definition of resettable zero-knowledge is presented. It is equivalent to the one by Canetti et al. (2000b) but takes a different view and seems a bit simpler. We assume that the reader is familiar with the basics, in particular the definitions of interactive Turing machine (ITM), zero-knowledge and witness-indistinguishability, as presented in Goldreich (2001).

1.1 Case History
The standard notions of security that are represented by the definitions of zero-knowledge and witness-indistinguishability do not take into consideration the possibility that several interactive proof systems might be run concurrently. We cannot rule out the possibility that, e.g. on the Internet, a malicious verifier gains knowledge by interacting with several provers that are not aware of one another. The notion of resettable zero-knowledge was invented by Canetti, Goldreich, Goldwasser & Micali (1999). A resettable zero-knowledge proof system stays zero-knowledge even if the prover can be reset by the verifier. The prover can be viewed as a chip-card with volatile memory, i.e. the power supply can be interrupted by the verifier, forcing the prover to use the same random coins again. Note however, that a black-box proof of knowledge for a language outside BPP cannot be resettable zero-knowledge, because the knowledge extractor is a very successful malicious verifier in that setting. Hence the use of such systems for identification is limited. Also most existing zero-knowledge protocols, being also proofs of knowledge, cannot be resettable zero-knowledge. We emphasize that resettable zero-knowledge implies concurrent zero-knowledge.

1.2 Our Definition of Resettable Zero-Knowledge
In the literature resettable zero-knowledge is defined by giving the malicious verifier $V^*$ extra power and specifying a framework for the algorithm it may use. This seems somewhat paradoxical in a context where we allowed arbitrary behaviors for malicious parties and formerly did not have to think about specific strategies. What happens here is that $V^*$ no longer needs to use $P$ as a black box but may, though in a very limited way, manipulate $P$ directly, namely by resetting it. Our view of this same situation is somewhat converse: we define a weaker prover $\tilde P$ that is a resettable version of $P$ and $(P, V)$ to be resettable zero-knowledge if $(\tilde P, V)$ is zero-knowledge. This new formulation of the standard definition seems quite advantageous to us since it relates resettable zero-knowledge to ordinary (computational) zero-knowledge more directly.

Definition 1 (Resettable ITM). Let $P$ be an ITM. We define a new interactive machine $\tilde P$: it has numbered infinite sequences of common input, auxiliary input and random tapes. It uses the same algorithm as $P$, but in addition it reacts to a distinguished message “reset” together with two indices $i_1, i_2 \in \mathbb{N}$ by using the $i_1$-th common and auxiliary input tapes and the $i_2$-th random tape, blanking its work and communication tapes, resetting all heads to their initial positions and setting the identity bit to its initial value. Initially it uses the first input and random tapes each, so that its behavior is identical to the original prover if no “reset” messages are sent. We call $\tilde P$ the resettable ITM corresponding to $P$. Clearly, such a machine can be simulated by a standard ITM.

Definition 2. For a language $L \subseteq \{0,1\}^*$ and a polynomial $Q$ we write
$$L^Q := \Big\{ (x_1, \dots, x_m) \in L^* \;\Big|\; m \le Q\big(\max_{1 \le i \le m} |x_i|\big) \Big\}.$$

Now we simply define $(P, V)$ to be resettable zero-knowledge if and only if $(\tilde P, V)$ is zero-knowledge:

Definition 3 (Resettable Zero-Knowledge). Let $(P, V)$ be an argument or interactive proof system for some language $L$ and let $\tilde P$ be the resettable ITM corresponding to $P$. The pair $(P, V)$ of linked ITMs is said to be resettable zero-knowledge on $L$, if $(\tilde P, V)$ is (computational) zero-knowledge on $L^Q$ for every polynomial $Q$.
2 Commitment Schemes Based on Exponentiation

2.1 DLP Assumption

For our protocol we will use an assumption about the hardness of the discrete logarithm problem modulo prime numbers. Essentially we assume that exponentiation modulo suitable primes is a non-uniformly one-way function. We present a simple construction that yields a novel feature for a previously known perfectly hiding commitment scheme: the commitment sender can prove to the commitment receiver that it actually knows a decommitment without revealing any information about the committed value. Another way of looking at this hints at further applications: we obtain a commitment scheme so that it is infeasible for the sender to successfully finish the commitment phase without knowing a decommitment.

DLP Assumption 4. There exists a probabilistic polynomial-time algorithm $G$ that on input $1^n$ outputs a prime $p$ of length at most $2n$ together with the set $\mathrm{pf}(p-1)$ of prime factors of $p-1$ containing an $(n+1)$-bit prime, and for every probabilistic polynomial-size circuit family $(C_n)_{n\in\mathbb{N}}$ the function
$$n \mapsto \mathrm{prob}\Big( C_n\big(p, \mathrm{pf}(p-1), g, g^x\big) = x \;:\; (p, \mathrm{pf}(p-1)) \leftarrow G(1^n),\ g \text{ a random generator of } \mathbb{Z}_p^\times,\ x \in_R \mathbb{Z}_{p-1} \Big)$$
is negligible. Note that a random prime $p$ can be generated together with the factorization of $p-1$ due to Bach (1988).
2.2 A Knowledgeable Perfectly Hiding Commitment Scheme
We employ a perfectly hiding bit commitment scheme with trapdoor: knowledge of some trapdoor allows to decommit own commitments to the opposite bit efficiently. The scheme is also described in Canetti et al. (1999). For bits, it can already be found in Boyar, Kurtz & Krentel (1990) and Chaum, Damgård & van de Graaf (1987), and for strings it can be found in Pedersen (1992), Chaum, van Heijst & Pfitzmann (1992) and Bos, Chaum & Purdy (1988).

Commitment Scheme 5 (Perfectly hiding commitment scheme). The security parameter is some integer number $n \in \mathbb{N}$. In the first step, the commitment receiver uses $G$ to select randomly a prime $q$ of length at most $2n$ together with $\mathrm{pf}(q-1)$, an element $h$ of $\mathbb{Z}_q^\times$ of prime order of length $n+1$, the trapdoor $y \in_R \mathbb{Z}_{\mathrm{ord}(h)}$ and computes $Y \leftarrow h^y$ in $\mathbb{Z}_q^\times$. We call $(q, h, Y)$ an $n$-size instance of the commitment scheme. The receiver sends the commitment instance $(q, h, Y)$ along with $\mathrm{pf}(q-1)$ to the commitment sender. In the second step, the commitment sender checks the instance $(q, h, Y)$ using $\mathrm{pf}(q-1)$. After that, the commitment and decommitment phases can be done as follows:
(i) To commit to a value $b \in \mathbb{Z}_{\mathrm{ord}(h)}$, randomly select $r \in_R \mathbb{Z}_{\mathrm{ord}(h)}$ and output $B := \mathrm{comm}_{q,h,Y}(b, r) = Y^b h^r$ in $\mathbb{Z}_q^\times$.
(ii) To decommit output $(b, r)$.
Committing to arbitrarily long bit strings is done by cutting the strings into pieces of $n$ bits which we interpret as elements of $\mathbb{Z}_{\mathrm{ord}(h)}$ and committing to each one using independent randomness. The commitment receiver may not need the trapdoor. In that case $Y$ may be chosen “directly” as a random element of $\langle h \rangle$ without knowing the discrete logarithm of $Y$; note that $\mathbb{Z}_q^\times$ has a unique subgroup of order $\mathrm{ord}(h)$. The basic tool for the construction of our main protocol will be a perfect zero-knowledge proof of knowledge with knowledge error $\frac12$ for one possible decommitment of a commitment made using Commitment Scheme 5. We call a commitment scheme with such a proof of knowledge knowledgeable.
Dolev, Dwork & Naor (1991) use a similar concept, called ‘bit commit with knowledge’, based on a perfectly binding commitment scheme to build a non-malleable commitment scheme. Yet, it seems impossible to adapt their construction for perfectly hiding commitment schemes. The idea for the protocol is as follows: the prover computes a random commitment to a random value and sends it to the verifier. One option for the verifier is to ask the prover to decommit that commitment. The other option is to ask the prover to decommit the product of the input and the random commitment. It is easy to see that this proof is in fact perfect zero-knowledge and that answers to both questions by the verifier yield a decommitment of the common input.
Interactive Protocol 6. PZK POK of a decommitment.
Common input to $P$ and $V$: A Commitment Scheme 5 instance $(q, h, \mathrm{ord}(h), Y)$, i.e. a prime $q$, a prime-order element $h$ of $\mathbb{Z}_q^\times$, an element $Y \in \langle h \rangle$, and a commitment $E \in \mathbb{Z}_q^\times$.
Auxiliary input to $P$: A decommitment $(e, s)$ of $E$, i.e. a value $e \in \mathbb{Z}_{\mathrm{ord}(h)}$ and a randomness $s \in \mathbb{Z}_{\mathrm{ord}(h)}$ satisfying $E = \mathrm{comm}_{q,h,Y}(e, s)$.
(P1) Select $b \in_R \mathbb{Z}_{\mathrm{ord}(h)}$, $t \in_R \mathbb{Z}_{\mathrm{ord}(h)}$, compute $B \leftarrow \mathrm{comm}_{q,h,Y}(b, t)$ and send $B$ to $V$.
(V1) Select a challenge $c \in_R \{0, 1\}$ and send $c$ to $P$.
(P2) Set $(b', t') \leftarrow (b + ce,\ t + cs)$. Send $(b', t')$ to $V$.
(V2) Check that $B E^c = \mathrm{comm}_{q,h,Y}(b', t')$.
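The following is an added example in Python, not code from the paper. It implements Commitment Scheme 5 and one run of Interactive Protocol 6, together with the two facts the rest of the paper relies on: a simulator that, knowing the challenge in advance, produces transcripts with exactly the honest distribution (perfect zero-knowledge), and an extractor that recovers the decommitment from answers to both challenges on the same $B$ (this is what the simulator of Section 3 obtains from twin lookaheads with complementary queries). The instance $q = 1019$, $h = 4$ of order $509$, the trapdoor $y$ and the decommitment values are constructed toy inputs, far too small to be secure, and all function names are this example's own. Protocol 7 runs this same exchange in lock-step for $\lambda$ commitments over $R$ rounds with a challenge vector $c \in \{0,1\}^\lambda$.

```python
import secrets

# Toy instance of Commitment Scheme 5 (constructed for this example; far too
# small to be secure): q = 1019 is prime, q - 1 = 2 * 509 with 509 prime, and
# h = 4 = 2^2 is a square, so it generates the unique subgroup of order 509.
Q, H, ORD_H = 1019, 4, 509


def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def check_instance(q, h, order, Y):
    """The sender's check of the instance: q and ord(h) prime, h of that order,
    and Y inside <h>, so that Y^b h^r is uniform in <h> and hiding is perfect."""
    return (is_prime(q) and is_prime(order) and 1 < h < q
            and pow(h, order, q) == 1 and 0 < Y < q and pow(Y, order, q) == 1)


def commit(q, h, Y, b, r):
    """comm_{q,h,Y}(b, r) = Y^b * h^r in Z_q^x."""
    return pow(Y, b, q) * pow(h, r, q) % q


def pok_first(q, h, Y, order):
    """(P1): a fresh random commitment B; the prover keeps (b, t)."""
    b, t = secrets.randbelow(order), secrets.randbelow(order)
    return commit(q, h, Y, b, t), (b, t)


def pok_answer(state, decommitment, c, order):
    """(P2): for challenge c in {0,1} answer (b + c*e, t + c*s) mod ord(h)."""
    b, t = state
    e, s = decommitment
    return (b + c * e) % order, (t + c * s) % order


def pok_verify(q, h, Y, E, B, c, answer):
    """(V2): accept iff B * E^c == comm(b', t')."""
    bp, tp = answer
    return B * pow(E, c, q) % q == commit(q, h, Y, bp, tp)


def pok_simulate(q, h, Y, E, c, order):
    """Perfect zero-knowledge: for a known challenge c choose the answer first and
    set B = comm(b', t') * E^(-c). As (b', t') is uniform, (B, c, b', t') has
    exactly the distribution of an honest transcript. E^(-1) = E^(q-2) by Fermat."""
    bp, tp = secrets.randbelow(order), secrets.randbelow(order)
    B = commit(q, h, Y, bp, tp) * pow(E, q - 1 - c, q) % q
    return B, (bp, tp)


def extract(answer0, answer1, order):
    """Knowledge extractor: two accepting answers to the same B for c = 0 and
    c = 1 give the decommitment (e, s) = (b1 - b0, t1 - t0) of E."""
    (b0, t0), (b1, t1) = answer0, answer1
    return (b1 - b0) % order, (t1 - t0) % order


def run_protocol_6(q, h, Y, order, decommitment, c):
    """One honest execution of Interactive Protocol 6 for the given challenge."""
    E = commit(q, h, Y, *decommitment)
    B, state = pok_first(q, h, Y, order)
    return pok_verify(q, h, Y, E, B, c, pok_answer(state, decommitment, c, order))
```

The sender's check of the instance is not optional: if the receiver chose $Y$ outside $\langle h \rangle$, say $Y = -h^y$, then $Y^b h^r$ would lie in a coset that depends on the parity of $b$ and the scheme would no longer be perfectly hiding. Note also that the extractor needs two answers to the same $B$; with a single challenge per round the knowledge error is $\frac12$, which is why Protocol 7 repeats the exchange over $R$ rounds.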
2.3 A Perfectly Binding Commitment Scheme
In fact, we can use any perfectly binding commitment scheme in our protocol. For example, it is easy to come up with a perfectly binding commitment scheme based on DLP Assumption 4: The receiver chooses a prime $p$ and an element $g$ in $\mathbb{Z}_p^\times$ of large, even order. To commit to a bit $b$, the sender chooses a randomness $r \in_R \{0, \dots, \frac{\mathrm{ord}(g)}{2} - 1\}$ and computes $B := \mathrm{comm}_{p,g}(b, r) = g^{\,r + b \cdot \mathrm{ord}(g)/2}$ in $\mathbb{Z}_p^\times$. It is well known that $b$ is a hard-core bit in this situation and thus the scheme is computationally hiding. Note that the same instance $(p, g, \mathrm{ord}(g))$ can be used polynomially many times.
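As an added example (not the paper's own code), the perfectly binding bit commitment just described, on a toy instance $p = 23$, $g = 5$, a generator of $\mathbb{Z}_{23}^\times$ of even order $22$ (constructed here and far too small for security). The table built by `binding_table` makes "perfectly binding" concrete: every group element opens to at most one $(b, r)$, because $r + b \cdot \mathrm{ord}(g)/2$ runs over the exponents $0, \dots, \mathrm{ord}(g)-1$ exactly once. `recover_bit_by_dlog` shows the flip side, that hiding is only computational: whoever can take discrete logarithms reads $b$ off as the high half of the exponent. Function names are this example's own.

```python
def multiplicative_order(g, p):
    """ord(g) in Z_p^x by brute force (toy sizes only)."""
    x, k = g % p, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def commit_bit(p, g, b, r):
    """comm_{p,g}(b, r) = g^(r + b * ord(g)/2); requires 0 <= r < ord(g)/2."""
    half = multiplicative_order(g, p) // 2
    if b not in (0, 1) or not 0 <= r < half:
        raise ValueError("bad bit or randomness")
    return pow(g, r + b * half, p)


def open_bit(p, g, B, b, r):
    """Receiver's check of a decommitment (b, r) of B."""
    half = multiplicative_order(g, p) // 2
    return b in (0, 1) and 0 <= r < half and commit_bit(p, g, b, r) == B


def binding_table(p, g):
    """Map every reachable commitment value to the list of (b, r) that open it."""
    half = multiplicative_order(g, p) // 2
    table = {}
    for b in (0, 1):
        for r in range(half):
            table.setdefault(commit_bit(p, g, b, r), []).append((b, r))
    return table


def is_perfectly_binding(p, g):
    """True iff no commitment value can be opened in two ways, whatever the
    sender's computing power."""
    return all(len(opens) == 1 for opens in binding_table(p, g).values())


def recover_bit_by_dlog(p, g, B):
    """Hiding is only computational: the committed bit is the 'top half' of
    log_g(B). Brute-force discrete log, infeasible at real parameter sizes."""
    half = multiplicative_order(g, p) // 2
    x, k = 1, 0
    while x != B % p:
        x = (x * g) % p
        k += 1
    return k // half
```

The instance check a sender would perform here is that $\mathrm{ord}(g)$ is even and that $g$ really has the order the receiver claims (using $\mathrm{pf}(p-1)$ as in (V1) of the main protocol); with an odd order the two halves of the exponent range overlap and binding is lost.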
3 A New rZK Proof for Graph 3-Colorability
In this section we present our resettable zero-knowledge proof system. For every bit of the edge query we will do $R = u(n)\log_2^2 n$ proofs where $u: \mathbb{N} \to \mathbb{R}_{>0}$ is any unbounded function and $n$ denotes the number of vertices in the graph. The encoding of an edge can be done using $\Theta(\log n)$ bits, so that the size $\lambda$ of the entire edge query is in $\Theta(mn\log n)$, where $m$ denotes the number of edges in the graph. We use a hybrid strategy: our proof of knowledge proceeds in $R$ rounds and in each round, we execute Interactive Protocol 6 for groups of $n$ of the $\lambda$ edge query bits in “lock-step” parallel. However, in the very first message the verifier sends all initial proof of knowledge messages in one go. This ensures that the verifier’s actions during the proof of knowledge are more or less fixed right at the start. This is quite analogous to the aforementioned protocols of Canetti et al. (2000b) and Kilian et al. (2001). It is easy to see that this preliminary action is perfectly witness-indistinguishable and thus yields no information about the verifier’s edge query. The only difficult question that remains is how to simulate this and, along the same line, why we chose the number $R$ of rounds to be $u(n)\log_2^2 n$. These questions will be answered shortly, but first we write down the protocol in full.
Interactive Protocol 7. rZK Proof System for Graph 3-Colorability.
Common input to $P$ and $V$: A 3-colorable graph $G = (V, E)$ with vertex set $V$, edge set $E$, $n = \#V$, $m = \#E$, the number $R \in \mathbb{N}$ of rounds.
Auxiliary input to $P$: A 3-coloring $\varphi: V \to \{1, 2, 3\}$ of $G$.
Random input to $P$: A random tape $w \in_R \{0,1\}^\infty$.
Output: $\langle P(\varphi), V \rangle(G) \in \{0, 1\}$.
The prover $P$ uses a polynomial part of the random tape to specify a pseudorandom function $f_w: \{0,1\}^* \to \{0,1\}^*$. To simplify notation, we make the following convention: when the prover has to make a random choice, it uses as coin tosses the outcome of $f_w$ applied to the common input and all previous messages by the verifier. Furthermore, a failed check leads to an aborting execution of the protocol, i.e. the checking party halts.
(P1) Select an $n$-size instance $(p, g, \mathrm{ord}(g))$ of the perfectly binding commitment scheme together with the set $\mathrm{pf}(p-1)$ and an $n$-size instance $(q, h, \mathrm{ord}(h), Y)$ of Commitment Scheme 5 together with the set $\mathrm{pf}(q-1)$. Send $(p, g, \mathrm{ord}(g))$, $\mathrm{pf}(p-1)$ and $(q, h, \mathrm{ord}(h), Y)$, $\mathrm{pf}(q-1)$ to $V$.
(V1) Check that $(p, g, \mathrm{ord}(g))$ and $(q, h, \mathrm{ord}(h), Y)$ are valid. For $j = 1, \dots, mn$ randomly select an edge $\{u_j, v_j\} \in_R E$. These edges are encoded by $\lambda := 2m\lceil \log_2 n \rceil$ strings $e_j$ consisting of $n$ bits each, $j \in \{1, \dots, \lambda\}$. For $j = 1, \dots, \lambda$ select a randomness $s_j \in_R \mathbb{Z}_{\mathrm{ord}(h)}$ and compute the commitment $E_j \leftarrow \mathrm{comm}_{q,h,Y}(e_j, s_j)$. Send $E := (E_1, \dots, E_\lambda)$ to $P$.
Now follows, in steps (V2)–(P3), the proof of knowledge that $V$ knows decommitments for $E_1, \dots, E_\lambda$.
(V2) For $i = 1, \dots, R$ and $j = 1, \dots, \lambda$ select $b_{j,i} \in_R \mathbb{Z}_{\mathrm{ord}(h)}$, $t_{j,i} \in_R \mathbb{Z}_{\mathrm{ord}(h)}$ and compute $B_{j,i} \leftarrow \mathrm{comm}_{q,h,Y}(b_{j,i}, t_{j,i})$. Send $B$ to $P$.
For $i = 1, \dots, R$ do (P2), (V3), (P3):
(P2) Select a challenge $c \in_R \{0,1\}^\lambda$ and send $c$ to $V$.
(V3) For $j = 1, \dots, \lambda$ set $(b'_j, t'_j) \leftarrow (b_{j,i} + c_j e_j,\ t_{j,i} + c_j s_j)$. Send $(b', t')$ to $P$.
(P3) For $j = 1, \dots, \lambda$ check that $B_{j,i} E_j^{c_j} = \mathrm{comm}_{q,h,Y}(b'_j, t'_j)$.
We proceed with the parallel standard zero-knowledge proof for graph 3-colorability, yet bound to the edge queries committed to in (V1).
(P4) For $j = 1, \dots, mn$ choose $\pi_j \in_R S_3$, set $\psi_j \leftarrow \pi_j \circ \varphi$ and for all $v \in V$ choose $r_{j,v} \in_R \{0, \dots, \frac{\mathrm{ord}(g)}{2} - 1\}$, send $\Psi_{j,v} \leftarrow \mathrm{comm}_{p,g}(\psi_j(v), r_{j,v})$ to $V$.
(V4) Decommit all edge queries $\{u_j, v_j\}_{j=1,\dots,mn}$ by sending $(e, s)$ to $P$.
(P5) For $j = 1, \dots, \lambda$ check $e_j \in \{0,1\}^n$, $s_j \in \mathbb{Z}_{\mathrm{ord}(h)}$, $\mathrm{comm}_{q,h,Y}(e_j, s_j) = E_j$. Denote by $\{u_j, v_j\}_{j=1,\dots,mn}$ the edges encoded by $e$. For $j = 1, \dots, mn$ decommit the colors $\psi_j(u_j)$ and $\psi_j(v_j)$ by sending $(\psi_j(u_j), r_{j,u_j})$ and $(\psi_j(v_j), r_{j,v_j})$ to $V$.
(V5) For $j = 1, \dots, mn$ verify $\psi_j(u_j), \psi_j(v_j) \in \{1, 2, 3\}$, $\psi_j(u_j) \ne \psi_j(v_j)$, $r_{j,u_j}, r_{j,v_j} \in \{0, \dots, \frac{\mathrm{ord}(g)}{2} - 1\}$, $\Psi_{j,u_j} = \mathrm{comm}_{p,g}(\psi_j(u_j), r_{j,u_j})$, and $\Psi_{j,v_j} = \mathrm{comm}_{p,g}(\psi_j(v_j), r_{j,v_j})$. Accept if and only if all checks succeeded.

Theorem 8. Under the DLP Assumption 4, Interactive Protocol 7 is a resettable zero-knowledge interactive proof system for graph 3-colorability. It uses $\Theta(u(n)\,mn\log^3 n)$ transferred bits in the POK and $\Theta(mn^3)$ transferred bits in the remaining steps.

Proof. Perfect completeness is obvious, supposing we have already shown perfect completeness of the proof of knowledge Interactive Protocol 6, which is easy. Now let us consider soundness. We need to show that even a malicious prover $P^*$ cannot get $V$ to accept a no-instance with more than negligible probability. The only information that $V$ wants hidden from $P^*$ is the edge query it commits to in step (V1). The interaction in steps (V2)–(P3) is perfect witness-indistinguishable for the knowledge verifier, i.e. $P^*$ learns nothing, even in the information theoretical sense, about the values committed to by $V$. Without steps (V2)–(P3) the verifier coincides with the verifier in the original protocol of Goldreich & Kahan (1996), which is an interactive proof system and thus sound. In conclusion Interactive Protocol 7 is also sound. What remains to be shown is that the protocol is resettable zero-knowledge. We now move on to describe the simulation.
We will assume that an upper bound $L$ for the number of messages that the possibly malicious verifier $V^*$ will send is known in advance. This is not usually the case, but we can always start with a small $L$ and double it as often as necessary without producing an unfaithful simulation. This only increases the running time bound by the constant factor $2^4 + 1$. The original idea of Richardson & Kilian (1999) is to do sufficiently many, sufficiently long lookaheads every time we have to choose a proof of knowledge query. A lookahead is a shorter simulation starting at a certain point during the simulation or, recursively, during a longer lookahead. This approach works if the proof of knowledge has $O(n^\varepsilon)$ rounds for some $\varepsilon > 0$. Because we use a much smaller number of rounds, it would yield a non-polynomial running-time and/or an unfaithful simulation. The root of the problem here is that the lookaheads are too long and thus too much is lost if one of them fails, i.e. gets stuck in the middle because the preliminary phase of an unsolved proof ends there. The new idea by Kilian et al. (2001) involves very short lookaheads of lengths 2 or 4 and very long rewinds of length up to half the entire simulation. This way not much harm is done if a lookahead is not finished, and when we learn something, there often is a rewind that takes us back far enough to be able to use that knowledge. Moreover, the lookaheads do not start in every round when the simulator needs to choose a query but only in certain rounds, following a fixed pattern.

Fig. 1. The simulation schedule. The simulator’s time passes along the zigzag line starting in the upper left corner, whereas the verifier’s time passes from left to right. So the slopes tending to the left correspond to rewinds of $V^*$. The lowest horizontal lines will eventually enter the faked transcript.

The simulator schedules its lookaheads and rewinds like this: the entire simulation is split into two halves, each of which is simulated twice. We say that we do twin lookaheads for each of the two halves of the simulation, the first of twin lookaheads being called the test run and the second one the real run. It is essential that the simulator does not use the knowledge from a test run in the corresponding real run but only after both are finished. This way test and real run are identically distributed from $V^*$’s point of view. The four lookaheads involved in the simulation are in turn executed using exactly the same strategy as the simulation itself. When we have reached size 2 simulations, the two rounds are simulated only once, without any rewinds. It is easy to see that the running time of the simulator is $L^4 n^{O(1)} = n^{O(1)}$. Another point worth mentioning is the way we choose our queries: whenever we encounter a situation where we need to choose the $i$-th proof of knowledge message for a proof $\Pi$ identified by the message tuple $\big((i_1, i_2),\ (p, g, \mathrm{ord}(g), q, h, \mathrm{ord}(h), Y),\ (E, B)\big)$, we do a table look-up and check whether this round of $\Pi$ has occurred before. If this was not the case, we choose a uniformly random query that we will ask in this situation if and when it occurs during the real time line. This is just as if we had randomly chosen all possible queries for the real time line in advance. But what about the other time lines? The best thing to do is the following: we make sure that the queries in the transcripts of twin lookaheads are complementary.
From this condition we can easily compute the query in any situation once we have decided on the query for the real time line. This way, whenever the verifier answers a question in a test run and the corresponding real run, we learn the entire edge query. In fact, it suffices if the second answer occurs somewhere in the “future” of the real run. As long as the simulator does not output “fail”, the distribution of prefixes of transcripts generated is computationally indistinguishable from interactions of the honest prover $P$ and $V^*$. The proof system without the initial $(2R + 1)$-round proof of knowledge is computational zero-knowledge and we obtain the same quality simulated messages even though our simulator pretends to be a
resettable device. In the proof of knowledge, our messages are uniformly random and independent of all other messages in $V^*$’s view. Furthermore, we never discard any prover messages we choose for the real transcript. All that remains now is to bound the probability that the simulator ever outputs “fail”, i.e. finishes any proof of knowledge without having learned the edge query. We will show that the probability for this event is negligible. Our proof is an adaptation of the proof in Kilian et al. (2001) that their protocol is resettable zero-knowledge. We note two differences: Kilian et al. are satisfied whenever they have obtained one valid answer by the verifier during the preliminary phase and are still in a position to change the previous prover message. Concerning our protocol, the usefulness even of correct verifier messages crucially depends on our challenges, but by using opposite queries in twin lookaheads we have effectively annihilated this disadvantage. The other difference works in our favor: because their simulator needs to commit to highly improbable values in some real runs, these are only computationally indistinguishable from test runs, whereas our real runs and test runs are distributed identically.

3.1 Bounding the Probability of Failure
First, we break down the calculation to the decisive point. Suppose the simulator fails. We are to bound the probability of this event. Recall that a protocol is composed of interleaved proofs $\Pi$ that are identified by the tuple of the first three messages. Of course, in case of failure there is a proof that breaks the simulator’s neck and the failure occurs on the real time line. Yet, we consider the first proof that forces the simulator to say “fail” even if this happens only in a test. In the actual simulation we then still have a chance, but we show that the probability even for this more probable event is negligible. We will prove the following claim.

Claim. The probability that the simulator fails in a proof $\Pi$, given that it does not fail earlier and $\Pi$ occurs, is bounded by $2^{-\alpha}$ where $\alpha = \frac{R-2}{\log_2 L + 1}$.

Using this we can bound the probability of failure as follows:
$$\mathrm{prob}(\text{The simulator fails.}) \le \sum_{\Pi} 2^{-\alpha} \cdot 1 \cdot \mathrm{prob}(\text{Proof } \Pi \text{ occurs.})$$
Now note that $\sum_{\Pi} \mathrm{prob}(\text{Proof } \Pi \text{ occurs.})$ is the expected number of occurring proofs which is clearly bounded by the number $\frac{L^2}{2}$ of message exchanges performed by the simulator. Note that we allow $\Pi$ to occur anywhere during the simulation and not only on the real time line, thus we cannot bound the latter expected number by $L$. Since $V^*$ is polynomial-time bounded, we have an integer $k$ such that $L \le n^k$ for almost all $n$. Then choosing $R$ to be $u(n)\log_2^2 n$ yields
$$\mathrm{prob}(\text{The simulator fails.}) \le \frac{L^2}{2}\, 2^{-\alpha} \le n^{-\Omega(u(n))},$$
which is negligible since $u$ is unbounded.
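The last step carried through with the symbols above, as an added derivation that is not part of the original text (it takes $u$ to be non-decreasing, which the negligibility claim implicitly needs): with $L \le n^k$ and $R = u(n)\log_2^2 n$,
$$\alpha = \frac{R-2}{\log_2 L + 1} \;\ge\; \frac{u(n)\log_2^2 n - 2}{k\log_2 n + 1} \;\ge\; \frac{\tfrac12\, u(n)\log_2^2 n}{2k\log_2 n} \;=\; \frac{u(n)\log_2 n}{4k}$$
for all $n$ with $u(n)\log_2^2 n \ge 4$ and $k\log_2 n \ge 1$ (the first condition gives $u(n)\log_2^2 n - 2 \ge \tfrac12 u(n)\log_2^2 n$, the second $k\log_2 n + 1 \le 2k\log_2 n$). Hence
$$\frac{L^2}{2}\, 2^{-\alpha} \;\le\; \frac{n^{2k}}{2}\; 2^{-u(n)\log_2 n/(4k)} \;=\; \frac12\, n^{\,2k - u(n)/(4k)},$$
and since $u(n) \to \infty$ the exponent $2k - u(n)/(4k)$ eventually lies below $-c$ for every constant $c$; that is, the bound is $n^{-\Omega(u(n))}$ and therefore negligible. The same computation shows why $R \in \Theta(\log^2 n)$ alone would not do: with $u$ constant the exponent stays bounded and the failure probability is merely polynomially small.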
For our estimate we look at the entire simulation as a game. A game round is a time interval identifying a pair of twin lookaheads. In Fig. 2 you can easily identify the game rounds, each of them looks like a more or less fuzzy Z. As you can see, a game round consists of four game rounds of half the size unless we are at the bottom of the recursion. At any given point in simulation time, the game rounds touching the current verifier time line form the vertices of the game tree, containment defines the game tree edges. See Fig. 2 for an example; the game tree corresponds to the right most point in the simulation time line. The game tree is always a certain kind of truncated binary tree. We classify game rounds $\nu$ according to their significance to a given proof $\Pi$: a game round consists of a test lookahead and a real lookahead. Each of the two lookaheads returns a piece of transcript. Note that a certain round of $\Pi$ may occur several times since $V^*$ may repeat some messages after a reset to get to the same point in $\Pi$ as in an earlier execution. But these repetitions contain no new information. Thus we completely ignore them, and when we say “round $j$ is here and there” we always mean that its first occurrence is “here and there”. We say that a lookahead is good for $\Pi$ iff for some $j \in \{2, \dots, R-1\}$
– round $j-2$ of $\Pi$’s proof of knowledge has happened before,
– round $j-1$ of $\Pi$’s proof of knowledge is in the first half of the returned transcript,
– round $j$ of $\Pi$’s proof of knowledge is in the second half of the returned transcript, and
– round $j+1$ of $\Pi$’s proof of knowledge is not in the returned transcript.
Now we say that the simulator
– wins the game round $\nu$ for $\Pi$ iff the test lookahead is good,
– gets a pass in the game round $\nu$ for $\Pi$ iff neither the test nor the real lookahead is good, and
– loses the game round $\nu$ for $\Pi$ iff the test lookahead is not good but the real lookahead is good.
Fig. 2. Incomplete simulator time line and corresponding game tree (game rounds labelled win, lose and pass)
If the simulator wins a single round of a proof $\Pi$ then, whenever $V^*$ finishes the proof, the simulator can calculate $V^*$’s edge queries and thus produce a locally correct coloring. If the simulator gets a pass then the decision is delayed. Only if the simulator loses all game rounds for a proof $\Pi$ and the proof is finished then the simulator may fail. The rounds of a given proof are distributed over the simulator time line. Transfer the so-given marks that are on the current time line to the game tree so that some of its leaves are marked. There are now $R - 2$ such marks and the tree depth is at most $\log_2 L$. The following lemma is proven in Kilian et al. (2001). A node in a binary tree is called good iff each of its two sub-trees contains exactly one marked leaf.

Tree Lemma 9. In a binary tree of height at most $h$ with exactly $r$ marked leaves, $r \ge 2$, there exist at least $\frac{r}{h+1}$ good nodes.
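An added brute-force check of Tree Lemma 9 on complete binary trees, written for this page and not taken from the paper or from Kilian et al. (2001), whose proof covers arbitrary binary trees of height at most $h$. It is useful for seeing that the bound $\frac{r}{h+1}$ is tight: for height $3$ the marks $\{0, 1, 2, 4\}$ give exactly one good node while $\frac{r}{h+1} = 1$. Leaves are numbered $0, \dots, 2^h - 1$; the small helper at the end only turns the lemma's guarantee into the value $\alpha$ used in the Claim. Function names are this example's own.

```python
import math
from itertools import combinations


def count_good_nodes(height, marked):
    """Good internal nodes of the complete binary tree of the given height, whose
    leaves are 0 .. 2^height - 1 and of which the leaves in `marked` carry a mark.
    A node is good iff each of its two subtrees contains exactly one marked leaf."""
    marked = set(marked)

    def visit(lo, hi):
        # Returns (marked leaves in lo..hi-1, good nodes strictly inside that range).
        if hi - lo == 1:
            return (1 if lo in marked else 0), 0
        mid = (lo + hi) // 2
        left_marks, left_good = visit(lo, mid)
        right_marks, right_good = visit(mid, hi)
        here = 1 if (left_marks == 1 and right_marks == 1) else 0
        return left_marks + right_marks, left_good + right_good + here

    return visit(0, 2 ** height)[1]


def tree_lemma_worst_ratio(height):
    """Exhaustively test the lemma on the complete tree of this height: for every
    set of r >= 2 marked leaves compare the good-node count with r/(height+1).
    Returns the smallest value of good * (height+1) / r over all markings; the
    lemma holds for this height iff the result is at least 1."""
    leaves = range(2 ** height)
    worst = None
    for r in range(2, len(leaves) + 1):
        for marked in combinations(leaves, r):
            ratio = count_good_nodes(height, marked) * (height + 1) / r
            worst = ratio if worst is None else min(worst, ratio)
    return worst


def guaranteed_good_lookaheads(R, L):
    """alpha = (R - 2) / (log2 L + 1): R - 2 marks in a game tree of depth at most
    log2 L give at least this many good lookaheads by Tree Lemma 9."""
    return (R - 2) / (math.log2(L) + 1)
```

The exhaustive check is only feasible for small heights (height 4 already means $2^{16}$ markings), which is why the lemma and not enumeration carries the argument in the proof; what the code adds is the concrete tight configurations, which show that nothing better than $\frac{r}{h+1}$ can be expected from the game-tree structure alone.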
The Tree Lemma 9 guarantees that there are at least $\alpha = \frac{R-2}{\log_2 L + 1}$ good lookaheads on the current time line. Thus there are at least $\alpha$ non-pass game rounds. Before any game round the verifier chooses a strategy to make a lookahead good. Then both lookaheads are “played” with this same strategy. This is because in $V^*$’s view there is nothing which distinguishes these two lookaheads. Thus if we exchange the two lookaheads we still have the very same chances to win or lose or pass the corresponding round. In fact, whatever strategy $V^*$ chooses the simulator’s chance to win is at least as large as its chance to lose. Failure in $\Pi$ means that all non-pass game rounds are lost. If there are at least $\alpha$ non-pass game rounds the probability of this event is at most $2^{-\alpha}$, which we will prove now. To come down to the point of interchanging test and real lookahead, we have to split the failure event a little further. First, note that two lost game rounds cannot overlap. In that case a small lookahead $S$ and a large lookahead $L$ containing $S$ would be good, which is impossible. Clearly, to fail in a proof $\Pi$ implies to win no game round for $\Pi$. A game schedule $\gamma$ is any set of tree nodes. To a proof $\Pi$ we associate the game schedule $\gamma(\Pi)$ consisting of all non-pass game rounds for $\Pi$. So any game round in $\gamma(\Pi)$ is either won or lost. In fact, it only remains to bound the probability of winning no game round for $\Pi$ given additionally the game schedule $\gamma(\Pi) = \gamma$ of $\Pi$. This event is now equivalent to losing the game rounds in $\gamma$. In case $\gamma$ contains overlapping game rounds this probability is 0. Otherwise, we can decompose the probability one further step:
$$\mathrm{prob}\Big(\text{The simulator loses all game rounds in } \gamma \text{ for } \Pi. \;\Big|\; \gamma(\Pi) = \gamma \,\wedge\, \text{The simulator does not fail before } \Pi \text{ terminates.} \,\wedge\, \text{Proof } \Pi \text{ occurs.}\Big)$$
$$= \prod_{\nu \in \gamma} \mathrm{prob}\Big(\text{The simulator loses the game round } \nu \text{ for } \Pi. \;\Big|\; \underbrace{\text{All rounds in } \gamma \text{ before } \nu \text{ are lost.} \,\wedge\, \gamma(\Pi) = \gamma \,\wedge\, \text{The simulator does not fail in another proof before } \Pi \text{ terminates.} \,\wedge\, \text{Proof } \Pi \text{ occurs.}}_{=:\, C_\nu}\Big).$$

What does it mean to lose a game round $\nu$? It means that the test lookahead is not good but the real lookahead is good. Once we have shown that each factor is at most $\frac12$ we are done. Indeed, by the Tree Lemma 9 $\gamma(\Pi)$ consists of at least $\alpha$ rounds and so we obtain a bound of $2^{-\alpha}$ as stated in the Claim. So consider the probability to win this game round. To win means that the test lookahead is good. Now, we have
$$\begin{aligned}
\mathrm{prob}(\text{The simulator wins } \nu \text{ for } \Pi. \mid C_\nu) &= \mathrm{prob}(\text{The test lookahead } \nu \text{ is good for } \Pi. \mid C_\nu)\\
&\ge \mathrm{prob}(\text{The test lookahead } \nu \text{ is good for } \Pi \text{ and the real lookahead is not good for } \Pi. \mid C_\nu)\\
&= \mathrm{prob}(\text{The real lookahead } \nu \text{ is good for } \Pi \text{ and the test lookahead is not good for } \Pi. \mid C_\nu)\\
&= \mathrm{prob}(\text{The simulator loses } \nu \text{ for } \Pi. \mid C_\nu).
\end{aligned}$$
Since winning and losing exclude each other, the probability to lose $\nu$ for $\Pi$ can be at most $\frac12$.
Acknowledgments We thank the anonymous referees for helpful comments.
Olaf Müller and Michael Nüsken
Asynchronous Unconditionally Secure Computation: An Efficiency Improvement
B. Prabhu, K. Srinathan, and C. Pandu Rangan
Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai – 600036, India
{prabhu,ksrinath}@cs.iitm.ernet.in, [email protected]
Abstract. Consider a set of n players who wish to compute the value of a commonly agreed multivariate function on their local inputs, whilst keeping their local inputs as private as possible even when a non-trivial subset of players collude and behave maliciously. This is the problem of secure multiparty computation. In this work, we present an efficient protocol for asynchronous secure computation tolerating a computationally unbounded Byzantine adversary that corrupts up to $t < n/4$ players.
1 Introduction
Consider a fully connected asynchronous network of n players (processors), $P = \{P_1, P_2, \ldots, P_n\}$, who do not trust each other. Nevertheless they want to compute some agreed function of their inputs in a secure way. Security here means maintaining correctness of the output while keeping the players' inputs as private as possible. This task can be easily accomplished if there exists a trusted third party. But assuming the existence of such a trusted third party is unrealistic. The goal of secure multiparty computation (first stated by Yao [10]) is to transform a given protocol involving a trusted third party into a protocol without need for the trusted third party, by simulating the trusted third party among the n players. An important point to note here is that since the communication is asynchronous, even the trusted third party cannot wait for more than $n - t$ of the inputs, if up to t players could be actively faulty. This is so because the trusted third party cannot differentiate between a delayed message and an unsent message and therefore cannot (indefinitely) wait for more than $n - t$ of the inputs to be entered into the computation. Therefore, any real-life protocol can only simulate a trusted third party that approximates the function on some $n - t$ of the inputs, with the rest set to a default value, say zero. The prominent properties of an asynchronous secure protocol that have been considered are (1) Correctness: The corrupted players should not be able to prevent the honest (uncorrupted) players from obtaining the correct output. In certain settings, unconditionally secure protocols with an exponentially small probability of error suffice [3]. (2) Privacy: The corrupted players should not obtain any information about the uncorrupted players' inputs beyond what they learn from their local inputs and the output of the computation. (3) Independence: The inputs contributed to the protocol by the corrupted players should be independent of the inputs of the uncorrupted ones. (4) Fault Tolerance: The protocol should achieve the desired functionality in spite of worst-case (malicious) behavior of a non-trivial subset of the players. The behaviour of the corrupted players is usually modeled via a centralized adversary that is assumed to have complete control over these players. Many different adversary models have been considered; they can be classified based on the adversary's computational power, control over communication, control over corrupted players, adaptivity, and corruption capacity. We discuss the adversary model of this paper in Section 1.1.

This work was supported by the Defence Research and Development Organization, India, under project CSE01-02044DRDOHODX. Financial support from Infosys Technologies Limited, India, is acknowledged.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 93–107, 2002. © Springer-Verlag Berlin Heidelberg 2002

1.1 The Model and Setting
Our model consists of a fully connected, asynchronous network of n players. Every pair of players is connected via a secure and reliable channel of communication. The network does not have broadcast capability; broadcast is simulated via a sub-protocol for Byzantine agreement (BA)¹ among the players.² Since the network is asynchronous, each message may have an arbitrary (finite) delay. Up to t of the players may become faulty at any time during the run of the protocol. To model the faulty players' behavior, we use a computationally unbounded adversary. This adversary may statically³ choose any t players to corrupt. Once a player is picked by the adversary, the player hands over to him all his private data, and gives the adversary control over all his subsequent moves. To model the network's asynchrony, we further assume that the adversary can schedule the communication channel, i.e. he can determine the time delays of all the messages (however, he can neither read nor change those messages). We call such an adversary a t-adversary. It was shown in [2] that perfect asynchronous secure multiparty computation is possible in the above setting if and only if $t < n/4$. In [3], an $(\lceil n/3 \rceil - 1)$-resilient protocol is described that securely computes any function f when an exponentially small probability of error is allowed. Although theoretically impressive, the complicated exchanges of messages and zero-knowledge proofs in protocols like [2, 3] might render them impractical. Recently, in the synchronous model of communication, [6] significantly improved the message complexity of secure synchronous unconditional multiparty computation through a generic framework that strictly distinguishes between fault detection and fault correction and uses the techniques of player elimination [7] and circuit randomization [1] to efficiently transform a distributed protocol with fault detection into a fully resilient protocol. The problem of adapting these techniques to reduce the communication complexity of secure multiparty computation over an asynchronous network was left open in [6]. In this work, we concentrate on reducing the communication complexity of unconditional asynchronous secure protocols by incorporating the player elimination technique. We delve into the various concerns that arise while adapting the player elimination technique to the asynchronous setting and also propose ways to address these issues. We analyze the communication complexity (which is the bottleneck for such protocols) of our protocols. The protocols make extensive use of a BA primitive and hence their efficiency depends heavily on the communication complexity of the BA sub-protocol used. Therefore, we count the BA message complexity (BAC) and the message complexity (MC) separately.

¹ For example, the asynchronous Byzantine Agreement protocol of [4] can be used.
² In an asynchronous environment, the termination property of broadcast could be much weaker than that of BA. However, in this work, since broadcast is used only as a black box, we do not distinguish broadcast from BA.
³ By a static adversary, we mean that the adversary decides on the set of players that it would corrupt before the protocol begins its execution.
2 The Protocol Construction
We assume that a finite field F with $|F| > n$ is used by all players. Without loss of generality, the arithmetic circuit computing $f : F^n \to F$ is known to all the players. The circuit consists of linear combination and multiplication gates. The number of multiplication gates in the circuit is denoted by m. We adapt the player elimination framework of [6] to the asynchronous setting. Our top-level solution approach is similar to that of [6] and proceeds in two phases. In the first phase, called the preparation phase, the current set of players t-share m random triples $(a^{(i)}, b^{(i)}, c^{(i)})$ with $c^{(i)} = a^{(i)} b^{(i)}$, one for each multiplication gate $i = 1, \ldots, m$. The circuit is divided into blocks of $\ell$ multiplication gates each, and the triples in a block are generated in parallel. Verification is done after each step of generation, and if a fault is detected, a set of players (of size at most three) of which at least one is faulty is identified and eliminated. The actual evaluation of the function takes place in the second phase, called the computation phase. We make use of the strategy proposed in [1]: The function (circuit) is evaluated gate by gate, making use of the triples generated in the preparation phase for the multiplication gates (see Section 2.2). At the end of the computation phase, the players hold a t-sharing of the function output and any party desirous of the output can reconstruct it from these shares. The protocol offers unconditional security with an arbitrarily small probability of error, which arises when the adversary is able to modify his shares without being detected (see Section 4). We use the scheme of [8] as the underlying secret sharing scheme. To t-share a secret s among the players in the player set P, the dealer selects a random polynomial f(x) of degree t such that $f(0) = s$ and sends $f(\alpha_i)$ as player $P_i$'s share for $i = 1, \ldots, |P|$, where $\alpha_i$ is a public value associated with player $P_i$.
In an asynchronous network with t faulty players, whenever all the players communicate messages, the recipient cannot wait indefinitely for more than $n - t$ messages to arrive. For example, in the triple generation phase, when the players share random values to generate a (and b), each player waits for shares of $n - t$ of the random values and then computes his share of a from these values. But it has to be ensured that all the players use shares of the same set of random values. This is achieved by having the honest players agree on a common subset of at least $n - t$ players who have successfully completed their sharing. The sharings of the players in the agreed set are then used in the computation of the shares of a. We make use of the protocol given in [3] to implement the Agreement on a Common Subset primitive (see Table 1). The idea is to execute a BA protocol for each player, to determine whether he will be in the agreed set. That is, n BA protocols are executed simultaneously, and each player enters his inputs to the BAs asynchronously. Let $BA_i$ denote the Byzantine Agreement protocol that determines whether player $P_i$ will be in the agreed set. The input of player $P_j$, $1 \le j \le n$, to the protocol $BA_i$ is a binary value based on whether $P_j$ has received a message from player $P_i$. Notice that if $P_j$ has received a message from $P_i$, then eventually all the players will know the same. Thus, we can suppose the existence of a predicate Q that assigns a binary value $Q(i)$ to each player $P_i$, based on whether $P_i$ has communicated his messages. Note that all the honest players will eventually satisfy the predicate. The AgreeSet output of Table 1 will be the same for all the honest players. The AgreeSet protocol requires n BAs to be performed.
Table 1. Protocol AgreeSet[Q, P, t] for agreement on a common subset

Code for player $P_i$:
1. For every player $P_j$ for whom $P_i$ knows that $Q(j) = 1$, $P_i$ participates in the j-th Byzantine Agreement protocol $BA_j$ with input 1.
2. Upon completing $(|P| - t)$ BA protocols with output 1, $P_i$ enters input 0 to all BA protocols for which he has not entered a value yet.
3. Upon completing all $|P|$ BA protocols, let $\mathrm{AgreeSet}_i$ be the set of all players $P_j$ for whom protocol $BA_j$ had output 1. Output $\mathrm{AgreeSet}_i$.
Table 2. Protocol for randomizing the shares of a secret

Let β be the $t'$-shared secret whose shares $\beta_i$, $i = 1, \ldots, n'$, are to be randomized.
1. Every player $P_i$ chooses $n'$ random polynomials $\tilde f_{ik}(x)$ of degree $t'$, $k = 1, \ldots, n'$, such that $\tilde f_{ik}(\alpha_k) = 0$. $P_i$ sends the share set $\{x_{ikj} = \tilde f_{ik}(\alpha_j) \mid k = 1, \ldots, n'\}$ to player $P_j$.
2. Every player $P_j$ sends the share vector $[y_{ikj} = \beta_j + x_{ikj} \mid i = 1, \ldots, n']$ to player $P_k$ for $k = 1, \ldots, n'$.
Table 3. Share adjustment protocol

Let CheckSet be the set of players whose shares have been verified to be in order. Let β be the $t'$-shared secret whose shares have to be adjusted, and let $\beta_i$ be player $P_i$'s share of β. Let $\{y_{jik} \mid P_k \in \mathrm{CheckSet}\}$ be a set of blinded shares that player $P_i$ received in the randomization step. $P_i$ has at least $n - t$ such sets, one for each $P_j \in \mathrm{CheckSet}$. Each player $P_i \in P \setminus \mathrm{CheckSet}$ computes his share of β as follows:
1. $P_i$ reconstructs his value $\beta_i$ from each set of blinded shares he received in Step 2 of the randomization protocol (Table 2). $P_i$ now has a set of values $\{\beta_{ij} \mid P_j \in \mathrm{CheckSet}\}$.
2. $P_i$ finds a set G of players from CheckSet such that $|G| \ge 2t + 1$ and the values $\beta_{ij}$ reconstructed from all $P_j \in G$ are the same. This value is taken as the correct value of $\beta_i$.
2.1 Preparation Phase
In this phase the players jointly generate m t-shared triples $(a^{(i)}, b^{(i)}, c^{(i)})$ of the form $c^{(i)} = a^{(i)} b^{(i)}$ such that the adversary gains no information about the triples. The triples are generated in blocks of $\ell = m/n$ triples. The basic steps that are to be performed in this phase are similar to those of [6], viz. triple generation, fault detection and localization, and fault elimination. But unlike the synchronous case, the verification of the sharings used in the generation of (a, b) and c cannot be combined in the asynchronous model. This is due to the fact that the adversary may take advantage of the asynchrony of the network and schedule messages in such a way that the set of players (of size at least $n - t$) who contribute to the generation of c is different from those involved in the generation of (a, b). Hence verification has to be done separately for each set of sharings, viz. the sharings in the generation of (a, b), the sharings in the generation of c, and the sharings in the increase of degree to t. As already explained, in all of these sharings the honest players have to execute the "agreement on a common subset" primitive to decide upon a common set of players who have successfully completed their sharings. In the verification step, the polynomials used by all the players in this common set have to be verified for consistency. But the adversary may schedule messages in such a way that some of the faulty players get included in the common subset in the sharing phase. The adversary can then hold back these faulty players from participating in the verification phase, thereby leading to a state of infinite wait. To overcome this, the players communicate the data needed for verification (a random linear combination of the polynomials, as explained in the sequel) along with the shares during the sharing phase.
The execution of the AgreeSet primitive ensures that only those players who have communicated both the shares and the verification data are part of the common subset. These polynomials can then be verified for consistency in the verification step. Consequent to the above discussion, the generation of each block of triples consists of three steps: In the first step, $\ell + n'$ $t'$-shared pairs $(a^{(i)}, b^{(i)})$, where $n'$ is the cardinality of the current player set and $t'$ is the current threshold, are robustly generated. The $n'$ pairs are used to verify the degree of sharing of the remaining pairs and are destroyed after verification. In the second step, $\ell + n'$ products $c^{(i)}$ are generated such that $c^{(i)} = a^{(i)} b^{(i)}$. The triples are then verified for consistency, that is, whether the shares of each of the $c^{(i)}$ lie on a polynomial of degree $t'$ and whether the sharings are such that $c^{(i)} = a^{(i)} b^{(i)}$. In the final step, the players increase the degree of sharing of all the triples in the block from $t'$ to t. This step is needed to ensure that the triples from different blocks have the same degree of sharing; else the circuit evaluation phase may not be executed properly. The degrees of the polynomials used in this step are then verified. If a fault is detected in any of the verification steps (see Section 4), the players localize the fault to a set D containing at most three players of which at least one is faulty. The set D is then eliminated and the block repeated. Since at most t blocks can fail, a total of $n + t$ blocks need to be processed in the worst case.

Yet another issue that arises due to the asynchrony of the network is that the shares of some of the honest players may go unverified. This can happen if the adversary schedules the shares communicated by these honest players to the verifiers behind those of the faulty players and hence precludes these honest players from being part of the agreed common subset. In such a case, these honest players cannot be sure of the veracity of their shares. Hence, if the verification steps were successful, the players left out of verification reconstruct their shares from those of the rest of the players. This is possible since the shares of the players in the common subset have already been verified for consistency and there are enough honest players in the verified set to enable such a reconstruction. But in the presence of t faults, the shares of at least $3t + 1$ players are needed for such a reconstruction. Since the verified subset is of cardinality $n - t$ $(= 3t + 1)$ in the worst case, the "left-out" players can get only $2t - 1$ verified shares in the worst case.
To overcome this, the players need to exchange their shares (after blinding, to ensure privacy) during the sharing phase. This is done using the share randomization protocol given in Table 2. The underlying idea of this protocol can be explained as follows: For a secret value β $t'$-shared among the n players with $\beta_i$ being player $P_i$'s share, $P_i$ gets the set of blinded shares $\{\beta_1 + x_1, \ldots, \beta_{i-1} + x_{i-1}, \beta_{i+1} + x_{i+1}, \ldots, \beta_n + x_n\}$, where the $x_i$ are shares of a random value x, from the rest of the players, such that this set of shares together with $\beta_i$ lies on a polynomial of degree $t'$. For n random values of x, one chosen by each player, $P_i$ will get n such blinded sets of shares. After the application of the AgreeSet primitive, $P_i$ will have at least $n - t$ sets of blinded shares, the cardinality of each set being at least $n - t$, with up to t faulty shares present in each of the sets in the worst case. In this case, with a single set of blinded shares, error correction may not be possible. The $n - t$ sets of shares are obtained to overcome this. Since there are at least $2t + 1$ honest players in the agreed set, the values reconstructed from at least $2t + 1$ of the sets of blinded shares will be the same. This value is the correct share of player $P_i$ (share adjustment protocol, Table 3). The randomization process requires $2n^3$ field elements to be communicated, while the reconstruction process does not require any communication.

As players get eliminated, the player set and the threshold are modified to reflect the changes. We denote by P the original player set containing n players and by $P'$ the current player set containing $n'$ players. The original threshold is denoted by t and the current threshold by $t'$. Without loss of generality we assume that $P' = \{P_1, \ldots, P_{n'}\}$. Throughout the protocol the inequality $3t' < n' - t'$ holds as an invariant. Initially $P' = P$, $n' = n$ and $t' = t$, and the invariant is trivially satisfied since $t < n/4$. By player elimination, $n'$ is decreased by at most 3 and $t'$ by 1. Hence the invariant is preserved.

Step 1: Generating Random Pairs (a, b)

In the first step of the preparation phase the players jointly generate $t'$-sharings of pairs $(a^{(k)}, b^{(k)})$. The players also get enough information in this step to reconstruct their shares in case they were not verified for consistency. An additional $n'$ pairs, called blinding pairs, are generated for use in verification. These additional pairs will be discarded at the end of the block. The protocol (Table 4) proceeds as follows: Every player first distributes a random challenge vector of length $\ell$ over the field F. This random vector will be used to verify the degree of each of the sharings in this step. The players then jointly generate $t'$-sharings of two random values a and b (one pair for each of the triples). Every player $t'$-shares two random values, one each for a and b, among the players in the current player set $P'$. In addition, each player sends to every other player (who will act as a verifier) the randomized linear combination (corresponding to the verifier) of the polynomials involved in each of the sharings over the $\ell$ triples. The random linear combination is blinded using the blinding polynomial corresponding to the verifier. The players then randomize each of the sharings using the protocol in Table 2, so that every player has enough information to reconstruct his original share from the rest of the shares. The set of players who have successfully completed all these steps is agreed upon using the agreement on a common subset primitive.
The degree of the sharings of each of the dealers in the resultant set is verified for consistency using the verification protocol in Table 7. If a fault is detected, the localized set D consisting of three players of which at least one is faulty is eliminated. Else the players whose shares have not been verified reconstruct their shares from those shares whose consistency has been verified (using the share adjustment protocol in Table 3). The players finally add the corresponding shares received from players in the agreed set to get their shares of a and b, which are the sums of the corresponding initial random values shared by the players. The degree of the sharings of a and b should be less than one third the number of actual players. Hence each of the pairs (a, b) is $t'$-shared. If at least one of the players has honestly selected random polynomials $f_i(x)$ and $g_i(x)$, then the adversary gets no information about a and b. Since the degree of each of the sharings is verified after generation, correctness is assured. As the adversary cannot get more than t of the shares, privacy is guaranteed. The distribution of the random challenge vectors by all the players requires a total of $n^2 \ell$ field elements to be communicated. $2n(\ell + n)$ sharings need to be done to generate the $\ell + n$ pairs (a, b). This requires $2n^2 \ell + 2n^3$ field elements to be communicated. The communication of randomized polynomials incurs $O(2n^3)$ field elements. The randomization process requires a total of $4n^4$ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verification step requires $2n^3 + 4n^2$ field elements to be communicated and at most $2n + 1$ BAs. Hence the first step of the preparation phase requires a maximum of $4n^4 + 3n^2 \ell + 6n^3 + 4n^2$ field elements to be communicated and at most $3n + 1$ calls to the BA protocol.

Table 4. Protocol for generating random pairs (a, b)

1. Every player $P_j \in P'$ selects a random vector $[r_{j1}, \ldots, r_{j\ell}]$ over the field F and sends it to each player $P_i \in P'$.
2. The players jointly generate $t'$-shared values a and b (in parallel for all the triples in the block):
   (a) For each of the $\ell + n'$ triples, in parallel, every player $P_i \in P'$ selects two random degree-$t'$ polynomials $f_i(x)$ and $g_i(x)$ and sends the shares $a_{ij} = f_i(\alpha_j)$ and $b_{ij} = g_i(\alpha_j)$ to player $P_j$ for $j = 1, \ldots, n'$. Let $\tilde a_i = f_i(0)$ and $\tilde b_i = g_i(0)$. Let $f_i^{(k)}(x)$ and $g_i^{(k)}(x)$, $k \in \{1, \ldots, \ell + n'\}$, denote the polynomials used by player $P_i$ for the k-th pair. Similarly $a_{ij}^{(k)}$ and $b_{ij}^{(k)}$ denote the shares in the k-th pair.
   (b) Each player $P_i$ who received a random vector from $P_j$ in Step 1 sends to $P_j$ the linear combinations $f_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} f_i^{(k)}(x) + f_i^{(\ell + j)}(x)$ and $g_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} g_i^{(k)}(x) + g_i^{(\ell + j)}(x)$.
   (c) The players jointly randomize the shares of each of the secrets $\tilde a_i$, $\tilde b_i$ for $i = 1, \ldots, n'$ (for $\ell$ triples) using the randomization protocol given in Table 2.
   (d) The players jointly execute protocol AgreeSet[Q, $P'$, $t'$]. For $i = 1, \ldots, n'$, player $P_i$ sets the predicate $Q(j) = 1$ if he has received messages from player $P_j$ in each one of Steps 1, 2a, 2b and 2c. Let $G_1$ be the resultant AgreeSet.
   (e) The players jointly verify the degree of each of the random polynomials $f_i(x)$ and $g_i(x)$ (over $\ell$ triples) for each $P_i \in G_1$ using the protocol in Table 7.
   (f) If no fault was detected in Step 2e, each player $P_j \in P' \setminus \mathrm{CheckSet}$ reconstructs his shares of $\tilde a_i^{(k)}$ and $\tilde b_i^{(k)}$ for $P_i \in G_1$ and $k = 1, \ldots, \ell$ using the protocol in Table 3. (CheckSet is the AgreeSet returned by the verification protocol.)
   (g) Every player $P_j \in P'$ computes his shares of a and b (for all the triples) as $a_j = \sum_{P_i \in G_1} a_{ij}$ and $b_j = \sum_{P_i \in G_1} b_{ij}$.

Step 2: Generating c such that c = ab

In this step the players jointly generate $t'$-sharings of products $c^{(k)}$ such that $c^{(k)} = a^{(k)} b^{(k)}$ using the technique proposed in [5]. The protocol (Table 5) proceeds as follows: Each player computes the product of his shares of a and b. These products define a $2t'$-sharing of c. Each player then $t'$-shares his product share. Similar to the pair generation step, the players exchange random linear combinations of the polynomials used so that they can be verified for consistency. The set of players who have successfully completed these steps is agreed upon using the agreement on a common subset primitive. The degree of the sharings of each of the dealers in the resultant set is verified for consistency using the verification protocol in Table 7. If this verification is successful, the second verification step (Table 8) is carried out to determine if the sharings are consistent with the equation $c = ab$. If a fault is detected in any of the verification steps, the localized set D containing at least one faulty player is eliminated. Else the players whose shares have not been verified reconstruct their shares from those whose consistency has been verified (using
the share adjustment technique described earlier). The players finally compute their $t'$-shares of c as the weighted sum of the share-shares received from players in the agreed set, where the weights are the Lagrange coefficients computed over the players in the agreed set. The verification steps ensure that each of the triples (a, b, c) is properly $t'$-shared such that $c = ab$ (with a small probability of error, as explained in Section 4). From the $2t'$-shares of c, $t'$-shares can be obtained using Lagrange interpolation, and hence our protocol results in a correct sharing of c.⁴ Since the adversary cannot get more than t of the shares, privacy is guaranteed. The distribution of the random challenge vectors by all the players requires a total of $n^2 \ell$ field elements to be communicated. $n(\ell + n)$ sharings need to be done to generate the products c. This requires $n^2 \ell + n^3$ field elements to be communicated. The communication of randomized polynomials incurs $O(n^3)$ field elements. The randomization process requires a total of $2n^4$ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verification steps together require $n^3 + 3n^2$ field elements to be communicated and at most $3n + 2$ BAs. Hence the second step of the preparation phase requires a maximum of $2n^4 + 2n^2 \ell + 3n^3 + 3n^2$ field elements to be communicated and at most $4n + 2$ calls to the BA protocol.

⁴ Since, in our case, the agreed set is of size at least $n' - t'$, which is greater than $3t'$, interpolation is possible.

Table 5. Protocol for generating values c such that c = ab

1. Every player $P_j \in P'$ selects a random vector $[r_{j1}, \ldots, r_{j\ell}]$ over the field F and sends it to each player $P_i \in P'$.
2. The players jointly generate a $t'$-shared value c such that $c = ab$ (in parallel for all the triples in the block):
   (a) For each of the $\ell + n'$ triples, in parallel, every player $P_i \in P'$ computes his product share $\tilde c_i = a_i b_i$. He then shares it among the players in $P'$ using a random degree-$t'$ polynomial $h_i(x)$ such that $h_i(0) = \tilde c_i$. That is, $P_i$ sends $\tilde c_{ij} = h_i(\alpha_j)$ to player $P_j$ for $j = 1, \ldots, n'$.
   (b) Each player $P_i$ who received a random vector from $P_j$ in Step 1 sends to $P_j$ the linear combinations $h_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} h_i^{(k)}(x) + h_i^{(\ell + j)}(x)$, $a_i^{(\Sigma)} = \sum_{k=1}^{\ell} r_{jk} a_i^{(k)} + a_i^{(\ell + j)}$, $b_i^{(\Sigma)} = \sum_{k=1}^{\ell} r_{jk} b_i^{(k)} + b_i^{(\ell + j)}$ and $\tilde c_i^{(\Sigma)} = \sum_{k=1}^{\ell} r_{jk} \tilde c_i^{(k)} + \tilde c_i^{(\ell + j)}$.
   (c) The players jointly randomize the shares of each of the secrets $\tilde c_i$ for $i = 1, \ldots, n'$ (for $\ell$ triples) using the randomization protocol in Table 2.
   (d) The players jointly execute protocol AgreeSet[Q, $P'$, $t'$]. For $i = 1, \ldots, n'$, player $P_i$ sets the predicate $Q(j) = 1$ if he has received messages from player $P_j$ in each one of Steps 1, 2a, 2b and 2c. Let $G_2$ be the resultant AgreeSet.
   (e) The players jointly verify the degree of each of the random polynomials $h_i(x)$ (over $\ell$ triples) for each $P_i \in G_2$ using the protocol in Table 7.
   (f) If no fault was detected in Step 2e, the players jointly verify whether correct values of c have been shared (that is, they verify whether $c = ab$) using the protocol in Table 8.
   (g) If no fault was detected in Steps 2e and 2f, each player $P_j \in P' \setminus \mathrm{CheckSet}$ reconstructs his shares of $\tilde c_i^{(k)}$ for $P_i \in G_2$ and $k = 1, \ldots, \ell$ using the protocol in Table 3. (CheckSet is the AgreeSet returned by the verification protocol.)
   (h) Every player $P_j \in P'$ computes his share of c as $c_j = \sum_{P_i \in G_2} w_i \tilde c_{ij}$, where $w_i = \prod_{P_k \in G_2,\, P_k \ne P_i} \frac{\alpha_k}{\alpha_k - \alpha_i}$.

Step 3: Increasing the Degree of Sharings

In this step the players jointly increase the degrees of the sharings of each of the triples (a, b, c) from $t'$ to t. Consequently, this step needs to be executed only if $t' < t$. The degree increase is done by generating three random t-sharings of 0 and adding one sharing each to the $t'$-sharings of a, b and c respectively. Similar to the first two steps, the degree increase protocol (Table 6) distributes enough information so that the players can verify the degree of each of the sharings and then obtain the correct shares of each of these sharings. In the protocol of Table 6, since the polynomials $f_i(x)$, $g_i(x)$ and $h_i(x)$ chosen by each player $P_i$ are verified to be of degree $t - 1$, $x f_i(x)$, $x g_i(x)$ and $x h_i(x)$ have degree t and each shares the secret 0. Hence the sum of the shares of these polynomials with the $t'$-shares of a, b and c produces t-shares of a, b and c. As in the previous steps, privacy is guaranteed since the adversary cannot obtain more than t shares of any of the sharings. The distribution of the random challenge vectors by all the players requires a total of $n^2 \ell$ field elements to be communicated. $3n(\ell + n)$ sharings need to be done in this step. This requires $3n^2 \ell + 3n^3$ field elements to be communicated. The communication of randomized polynomials incurs $O(n^3)$ field elements. The randomization process requires a total of $6n^4$ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verification step requires $3n^3 + 6n^2$ field elements to be communicated and at most $2n + 1$ BAs. Hence the final step of the preparation phase requires a maximum of $6n^4 + 4n^2 \ell + 7n^3 + 6n^2$ field elements to be communicated and at most $3n + 1$ calls to the BA protocol.
Table 6. Protocol for increasing the degree of sharings of a, b and c from t' to t

1. Every player P_j ∈ P' selects a random vector [r_{j1}, …, r_{jℓ}] over the field F and sends it to each player P_i ∈ P'.
2. The players jointly increase the degree of the sharings of a, b and c from t' to t (in parallel for all the triples in the block):
 (a) For each of the ℓ + n triples, in parallel, every player P_i ∈ P' selects three random degree-(t − 1) polynomials $\hat{f}_i(x)$, $\hat{g}_i(x)$ and $\hat{h}_i(x)$ and sends the shares $\hat{a}_{ij} = \hat{f}_i(\alpha_j)$, $\hat{b}_{ij} = \hat{g}_i(\alpha_j)$ and $\hat{c}_{ij} = \hat{h}_i(\alpha_j)$ to player P_j for j = 1, …, n'. Let $\hat{a}_i$, $\hat{b}_i$ and $\hat{c}_i$ represent the respective secrets.
 (b) Each player P_i who received a random vector from P_j in Step 1 sends to P_j the linear combinations $\hat{f}_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} \hat{f}_i^{(k)}(x) + \hat{f}_i^{(\ell+j)}(x)$, $\hat{g}_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} \hat{g}_i^{(k)}(x) + \hat{g}_i^{(\ell+j)}(x)$ and $\hat{h}_i^{(\Sigma)}(x) = \sum_{k=1}^{\ell} r_{jk} \hat{h}_i^{(k)}(x) + \hat{h}_i^{(\ell+j)}(x)$.
 (c) The players jointly randomize the shares of each of the secrets $\hat{a}_i$, $\hat{b}_i$ and $\hat{c}_i$ for i = 1, …, n' (for ℓ triples) using the randomization protocol in Table 2.
 (d) The players jointly execute protocol AgreeSet[Q, P', t']. For i = 1, …, n', player P_i sets the predicate Q(j) = 1 if he has received messages from player P_j in each one of Steps 1, 2a, 2b and 2c. Let G3 be the resultant AgreeSet.
 (e) The players jointly verify the degree of each of the random polynomials $\hat{f}_i(x)$, $\hat{g}_i(x)$ and $\hat{h}_i(x)$ (over ℓ triples) for each P_i ∈ G3 using the protocol in Table 7.
 (f) If no fault was detected in Step 2e, each player P_j ∈ P' \ CheckSet reconstructs his shares of $\hat{a}_i^{(k)}$, $\hat{b}_i^{(k)}$ and $\hat{c}_i^{(k)}$ for P_i ∈ G3 and k = 1, …, ℓ using the protocol in Table 3. (CheckSet is the AgreeSet returned by the verification protocol.)
 (g) Every player P_j ∈ P' computes his t-shares of a, b and c as $a_j = a'_j + \alpha_j \sum_{P_i \in G3} \hat{a}_{ij}$, $b_j = b'_j + \alpha_j \sum_{P_i \in G3} \hat{b}_{ij}$ and $c_j = c'_j + \alpha_j \sum_{P_i \in G3} \hat{c}_{ij}$, where $a'_j$, $b'_j$ and $c'_j$ are respectively the t'-shares of a, b and c computed in the first two steps (Tables 4 and 5).

Verification

Two kinds of verification are performed in the course of our protocol: the first verifies the degree of the sharings of the secrets, while the second checks whether the triple (a, b, c) is shared such that c = ab.

In the first verification step, every player verifies the degree of a random linear combination of the polynomials used in the sharing of the triples in that block. This is done by having the players jointly reconstruct the linear combination towards the challenging player P_v using the random challenge vector [r_{v1}, …, r_{vℓ}] that player P_v distributed in the corresponding generation phase. P_v then verifies the degree of sharing of the resulting polynomial. In order to preserve the privacy of the involved polynomials (and hence the shares), a blinding polynomial is added for each verifier. If a verifier detects a fault, he chooses one of the sharings in which he found a fault. Let P_i be the owner of this sharing. From the linear combination of the polynomials that he received from P_i in the generation step, the verifier identifies one of the shares that is not consistent with the polynomial. Let P_j be the owner of this share. P_v communicates the indices i and j to all the players. In the synchronous setting, players P_i and P_j would communicate their values of the share in question and the suspect list could be narrowed down to two out of the three players P_i, P_j and P_v. In the asynchronous case, since the adversary has the power to arbitrarily schedule messages, the players cannot differentiate between a faulty player who has not sent his value of the share and an honest player whose communication has been delayed. Hence the suspect list will include all three players P_v, P_i and P_j. After every verifier has reported his result, the players agree on the set of completed verifications. If a fault was reported by any of the successful verifiers, then the localized set D consisting of the verifier P_v, the dealer P_i and the owner of the faulty share P_j is eliminated. This verification step requires at most n^3 + 2n^2 field elements to be communicated and at most 2n + 1 invocations of the BA protocol.

The second verification step checks whether the shares of a, b and c conform to the requirement that c = ab. The idea of this step is to verify whether the product shares $\tilde{c}_i$ for i = 1, …, n' lie on a polynomial of degree 2t'. Each verifier obtains the product share $\tilde{c}_i^{(\Sigma)}$ from the share-shares received by him in the first verification step and then checks whether they lie on a polynomial of degree 2t'. If a fault is detected, the verifier compares the product shares $\tilde{c}_i^{(\Sigma)}$ with the linear combination of the product of the shares of a and b, namely $a_i^{(\Sigma)}$ and $b_i^{(\Sigma)}$. He then identifies one of the shares which is not consistent and communicates the index of this share to every other player. After every verifier has reported his result, the players agree on the set of completed verifications. If a fault was reported in any of these verifications, then the localized set D consisting of the verifier P_v and the owner of the faulty share P_i is eliminated. This verification step requires n^2 field elements to be communicated and at most n + 1 invocations of the BA protocol.

In the verification steps, if there is a fault, every honest player will detect it with probability at least 1 − 1/|F|. For at least n − 2t' ≥ n − 3t honest players (in a verifier set of n − t'), this gives an overall error probability of |F|^{−(n−3t)}.

Table 7. Protocol for verifying the degree of sharing of a secret

Let $\{\check{a}_{ij}^{(k)} \mid j = 1, \ldots, n'\}$ be the set of shares (corresponding to the secret $\check{a}_i^{(k)}$) which are to be verified for each P_i ∈ G, where G is the agreed set of dealers, and for k = 1, …, ℓ. Let $\check{a}_i^{(k)}$, k = ℓ + 1, …, ℓ + n, denote the blinding secrets. Let $\check{f}_i^{(k)}(x)$ denote the polynomial used to share the secret $\check{a}_i^{(k)}$ and let d be its degree. Let [r_{v1}, …, r_{vℓ}] be the random vector communicated by verifier P_v.

1. Each player P_j computes and sends to each verifier P_v the following corresponding blinded linear combinations for each P_i ∈ G: $\check{a}_{ij}^{(\Sigma)} = \sum_{k=1}^{\ell} r_{vk} \check{a}_{ij}^{(k)} + \check{a}_{ij}^{(\ell+v)}$.
2. The verifiers jointly execute protocol AgreeSet[Q, P', t']. Verifier P_v inputs Q(j) = 1 if he has received a message from player P_j in Step 1. The resultant AgreeSet is denoted by CheckSet.
3. Each P_v verifies for each P_i ∈ G whether the shares $\{\check{a}_{ij}^{(\Sigma)} \mid P_j \in \mathrm{CheckSet}\}$ lie on a polynomial of degree at most d.
4. If no fault was detected (the polynomial is of the required degree), P_v sends CheckMessage_v = OK to all the players.
5. Else P_v selects one of the players P_i for whom he has detected a fault. He then finds the smallest index j such that $\check{a}_{ij}^{(\Sigma)}$ received from player P_j in Step 1 does not lie on the polynomial $\check{f}_i^{(\Sigma)}(x)$ received from P_i in the corresponding generation step. P_v sends the pair (i, j) as his check-message, CheckMessage_v.
6. The players jointly execute protocol AgreeSet[Q, P', t']. Player P_i inputs Q(v) = 1 if he has received CheckMessage_v from verifier P_v in Step 5. The resultant AgreeSet is denoted by H.
7. If CheckMessage_v = OK for all P_v ∈ H, then no fault has been detected. Else the smallest index v for which CheckMessage_v ≠ OK is chosen. The players then execute a BA protocol to agree on a single pair (i, j) sent to them by P_v. The set of players to be eliminated, D, is set to {P_v, P_i, P_j}.

2.2 Computation Phase
At the end of the preparation phase we will be left with a new set of n' players P' = {P_1, …, P_n'} containing up to t faulty players. In the computation phase, the players first verifiably share their inputs among all the players in the new player set. Then the circuit is evaluated as detailed below. At the end of the evaluation, the players in the set P' will have t-shares of the value of the function f(x_1, …, x_n). Any player can now reconstruct the secret by getting the shares from the players in P'. Our focus in this paper is to improve on the complexity of the circuit evaluation phase. For sharing the inputs we directly adopt the asynchronous verifiable input sharing protocol of [2]. This protocol requires O(n^3 log(|F|) + n^4 log(n)) field elements to be communicated and n BA protocols to be executed.

The evaluation of the circuit is done gate by gate, using the triples generated in the previous phase for evaluating multiplication gates. Due to the linearity of the sharings used, linear gates in the circuit can be evaluated locally by applying the linear function to the shares of the inputs. Multiplication gates can be evaluated using the technique of [1]. In essence, we do the following: let x and y be the inputs to a multiplication gate. Let d_x = x − a and d_y = y − b. The players in the new player set P' reconstruct the values d_x and d_y. As a and b are random, this reconstruction does not reveal any information about x and y. The product xy can be rewritten as $xy = d_x d_y + d_x b + d_y a + c$. This equation is linear in a, b and c and hence can be computed from the shares of a, b and c and the values d_x and d_y without any communication among the players. Each multiplication gate requires two secret reconstruction steps. For reconstructing a secret, each player in the player set P' sends his shares to every other player. Hence this protocol requires 2n^2 field elements to be communicated. For output reconstruction, every player P_i ∈ P' sends his share of the output to the player reconstructing the output. This step requires n field elements to be communicated.

Table 8. Protocol for checking if the triples have been properly shared (is c = ab?)

1. Each verifier P_v computes the product shares $\tilde{c}_i^{(\Sigma)}$ from the sub-shares $\{\tilde{c}_{ij}^{(\Sigma)} \mid P_j \in \mathrm{CheckSet}\}$ received in the first verification step, for each P_i ∈ G2 (the $\tilde{c}_i^{(\Sigma)}$ can be obtained by interpolating the corresponding sub-shares).
2. Each P_v verifies whether the product shares $\tilde{c}_i^{(\Sigma)}$, P_i ∈ G2, lie on a polynomial of degree at most 2t'.
3. If no fault was detected (the shares lie on a polynomial of degree at most 2t'), P_v sends CheckMessage_v = OK to all the players.
4. Else P_v verifies whether the shares $\{a_i^{(\Sigma)} \mid P_i \in G2\}$ lie on a polynomial of degree t'. If not, P_v applies error-correction and finds the smallest index i such that $a_i^{(\Sigma)}$ must be corrected. P_v sends the index i as his check-message, CheckMessage_v. Similar verification is done for the shares $\{b_i^{(\Sigma)} \mid P_i \in G2\}$. If no fault was detected, then P_v verifies for each P_i ∈ G2 whether the values $\tilde{c}_i^{(\Sigma)}$ computed in Step 1 are consistent with the values $\tilde{c}_i^{(\Sigma)}$ received in Step 2b of the protocol in Table 5. This test will fail for at least one P_i. P_v sends this index i as his check-message, CheckMessage_v.
5. The players jointly execute protocol AgreeSet[Q, P', t']. Player P_i inputs Q(v) = 1 if he has received CheckMessage_v from verifier P_v in Step 5. The resultant AgreeSet is denoted by G.
6. If CheckMessage_v = OK for all P_v ∈ G, then no fault has been detected. Else the smallest index v for which CheckMessage_v ≠ OK is chosen. The players then execute a BA protocol to agree on a single index i sent to them by P_v. The set of players to be eliminated, D, is set to {P_v, P_i}.
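The share arithmetic behind Step 2 (Table 5), Step 3 (Table 6) and the multiplication gate just described, as an added single-process simulation; this is not code from Prabhu et al. It assumes a prime field GF(P) with evaluation points α_j = j, n' = 9 players with t = 2 and t' = 1, and that every player is honest, so G2 and G3 are the whole player set and the randomization, AgreeSet and fault-localization steps of the tables are omitted. The degree check of Table 7 is included in its bare form (does a set of shares lie on one polynomial of degree at most d?), applied to the shares directly rather than to blinded linear combinations.

```python
"""Simulation of the share arithmetic in Tables 5 and 6 and of the Beaver-style
multiplication gate. Added example, not the paper's code. Assumptions: prime field
GF(P), alpha_j = j, all players honest, no network (every player runs in this process)."""
import random

P = (1 << 61) - 1              # the field F = GF(P); P is a Mersenne prime (assumption)
N, T, T_PRIME = 9, 2, 1        # n' players; final degree t < n/4; preparation degree t' < t
ALPHAS = list(range(1, N + 1))  # evaluation point alpha_j = j for player P_j


def share(secret, degree):
    """Shamir-share `secret` with a random polynomial of the given degree;
    returns [f(alpha_1), ..., f(alpha_n)]."""
    coeffs = [secret % P] + [random.randrange(P) for _ in range(degree)]
    return [sum(c * pow(a, k, P) for k, c in enumerate(coeffs)) % P for a in ALPHAS]


def lagrange_eval(points, x):
    """Value at x of the unique polynomial through the given (alpha, value) pairs."""
    total = 0
    for i, (ai, vi) in enumerate(points):
        num = den = 1
        for j, (aj, _) in enumerate(points):
            if i != j:
                num = num * (x - aj) % P
                den = den * (ai - aj) % P
        total = (total + vi * num * pow(den, P - 2, P)) % P
    return total


def reconstruct(shares, degree):
    """Open a secret from the first degree+1 shares (no faulty shares in this simulation)."""
    return lagrange_eval(list(zip(ALPHAS, shares))[: degree + 1], 0)


def degree_at_most(shares, d):
    """The core test of Table 7: do all shares lie on one polynomial of degree <= d?
    Interpolate through the first d+1 points and check every remaining point."""
    pts = list(zip(ALPHAS, shares))
    return all(lagrange_eval(pts[: d + 1], a) == v for a, v in pts[d + 1:])


def lagrange_weights(alphas):
    """w_i = prod_{j != i} alpha_j / (alpha_j - alpha_i): the Lagrange coefficients
    at 0 over the agreed set (Step 2h of Table 5)."""
    weights = []
    for ai in alphas:
        num = den = 1
        for aj in alphas:
            if aj != ai:
                num = num * aj % P
                den = den * (aj - ai) % P
        weights.append(num * pow(den, P - 2, P) % P)
    return weights


def step2_multiply(a_sh, b_sh):
    """Table 5 with G2 = all players: P_i t'-shares its product share c~_i = a_i b_i
    (a point on a polynomial of degree 2t'); P_j then sets c_j = sum_i w_i c~_ij,
    which is a t'-share of c = ab."""
    resharings = [share(a * b % P, T_PRIME) for a, b in zip(a_sh, b_sh)]  # [i][j] = h_i(alpha_j)
    w = lagrange_weights(ALPHAS)
    return [sum(w[i] * resharings[i][j] for i in range(N)) % P for j in range(N)]


def step3_raise_degree(sh):
    """Table 6 with G3 = all players: P_i picks a random degree-(t-1) polynomial f^_i,
    so x*f^_i(x) is a degree-t sharing of 0; P_j adds alpha_j * sum_i f^_i(alpha_j)
    to its t'-share and obtains a t-share of the same secret."""
    zero_sh = [share(random.randrange(P), T - 1) for _ in range(N)]  # [i][j] = f^_i(alpha_j)
    return [(sh[j] + ALPHAS[j] * sum(zero_sh[i][j] for i in range(N))) % P for j in range(N)]


def generate_triple():
    """Preparation phase for one triple (a, b, c = ab): random a, b shared with
    degree t', c from Step 2, then all three raised to degree t by Step 3."""
    a_sh, b_sh = share(random.randrange(P), T_PRIME), share(random.randrange(P), T_PRIME)
    c_sh = step2_multiply(a_sh, b_sh)
    return tuple(step3_raise_degree(s) for s in (a_sh, b_sh, c_sh))


def beaver_multiply(x_sh, y_sh, triple):
    """Computation-phase multiplication gate: open d_x = x - a and d_y = y - b (the two
    reconstructions), then each P_j computes z_j = d_x d_y + d_x b_j + d_y a_j + c_j locally."""
    a_sh, b_sh, c_sh = triple
    dx = reconstruct([(x - a) % P for x, a in zip(x_sh, a_sh)], T)
    dy = reconstruct([(y - b) % P for y, b in zip(y_sh, b_sh)], T)
    return [(dx * dy + dx * b_sh[j] + dy * a_sh[j] + c_sh[j]) % P for j in range(N)]


def demo(x, y):
    """Multiply two t-shared inputs with a fresh triple; returns (x*y mod P, opened result)."""
    z_sh = beaver_multiply(share(x, T), share(y, T), generate_triple())
    return x * y % P, reconstruct(z_sh, T)


if __name__ == "__main__":
    print(demo(1234567, 7654321))
```

The two degree checks after `step3_raise_degree` are the point of Step 3: the raised shares still open to the same secret with t + 1 points, but no longer lie on any polynomial of degree t', which is exactly what the verifiers of Table 7 test for with d = t − 1 on the dealers' polynomials.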
3 Complexity Analysis

We analyze the complexity of our protocol in this section. The message complexity (MC), expressed as the number of field elements, and the number of invocations of the BA protocol (BAC) for each of the sub-protocols are listed in Table 9. The table also specifies the number of times each sub-protocol is invoked in the worst case. The number of players involved is denoted by n. t denotes an upper bound on the number of actively corrupted players. m is the total number of multiplication gates and ℓ = m/n is the number of multiplication gates per block. n_I is the total number of inputs to the function to be computed and n_o is the number of outputs of the function.

Table 9. Complexity Analysis of the protocol

Protocol       MC (field elements)               BAC      # Calls (max)
Preparation Phase
  Step I       4n^4 + 3n^2ℓ + 6n^3 + 4n^2       3n + 1   n + t
  Step II      2n^4 + 2n^2ℓ + 3n^3 + 3n^2       4n + 2   n + t
  Step III     6n^4 + 4n^2ℓ + 7n^3 + 6n^2       3n + 1   n + t
Computation Phase
  Give Input   O(n^3 log(|F|) + n^4 log(n))     n        n_I
  Multiply     2n^2                              —        m
  Get Output   n                                 —        n_o

The cumulative message complexity when m sufficiently exceeds n is O(mn^4 + n^3 n_I log(|F|) + n_o n) field elements. The corresponding number of invocations of the BA protocol is O(n^2 + n_I n). Since BA protocols are very communication intensive (Ω(n^2) bits communicated per bit of broadcast), the number of bits that are to be agreed upon has a governing influence on the overall communication complexity of the resultant protocol. It is known that protocols constructed along the lines of [2] require O(mn^4 log n) bits of broadcast, while those along the lines of [9] require O(mn^2) bits of broadcast. In this paper, we have shown that, allowing a small error probability, it is possible to design protocols whose broadcast complexity depends on n rather than m (an improvement of O(m) over the existing protocols) while the message complexity remains unaffected.
4 Conclusion

Asynchrony of communication networks is quite realistic, and hence asynchronous secure computation protocols will have a substantial influence on real-life secure distributed systems. In a synchronous network, it was shown that secure protocols for computing any function can have a broadcast complexity that is independent of m. All known protocols for the problem in the asynchronous setting have impractical complexities and also depend on m, which could potentially be large. In this work, we propose the first protocol for unconditional asynchronous secure computation that has a broadcast complexity depending only on the number of players. However, the resilience of the proposed protocol, viz. t < n/4, is sub-optimal. It would be interesting to extend the ideas and design efficient protocols that have optimal fault-tolerance, viz. t < n/3.
References

[1] D. Beaver. Efficient multiparty protocols using circuit randomization. In CRYPTO '91, vol. 576 of LNCS, pp. 420–432. Springer-Verlag, 1991.
[2] M. Ben-Or, R. Canetti, and O. Goldreich. Asynchronous secure computations. In 25th ACM STOC, pp. 52–61, 1993.
[3] M. Ben-Or, B. Kelmer, and T. Rabin. Asynchronous secure computation with optimal resilience. In 13th ACM PODC, pp. 183–192, 1994.
[4] R. Canetti and T. Rabin. Optimal asynchronous byzantine agreement. In 25th ACM STOC, pp. 42–51, 1993.
[5] R. Gennaro, M. O. Rabin, and T. Rabin. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In 17th ACM PODC, pp. 101–111, 1998.
[6] M. Hirt and U. Maurer. Robustness for free in unconditional multi-party computation. In CRYPTO '01, vol. 2139 of LNCS, pp. 101–118. Springer-Verlag, 2001.
[7] M. Hirt, U. Maurer, and B. Przydatek. Efficient multi-party computation. In ASIACRYPT 2000, vol. 1976 of LNCS, pp. 143–161. Springer-Verlag, 2000.
[8] A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, 1979.
[9] K. Srinathan and C. Pandu Rangan. Efficient asynchronous secure multiparty distributed computation. In INDOCRYPT '00, vol. 1977 of LNCS, pp. 117–130. Springer-Verlag, 2000.
[10] A. C. Yao. Protocols for secure computations. In 23rd IEEE FOCS, pp. 160–164, 1982.
QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

Ravi Mukkamala
Old Dominion University, Norfolk VA 23529, USA
[email protected]
Abstract. With the ever-increasing growth in E-commerce and other internet applications, the need for secure transactions over the internet is also growing. In particular, more and more applications are demanding security services such as authentication, authorization, accounting, confidentiality, and non-repudiation. Since there is a cost associated with each type of service, the applications are demanding a wide variety of quality-of-service (QoS) provisions so they can pick and choose the services based on the value of their transactions. In this paper, we concentrate on one particular element of the end-to-end internet security: the public-key infrastructure (PKI). In particular, we identify the weaknesses of the current PKI systems in meeting the QoS needs and propose QPKI—a new QoS-based PKI architecture. The architecture includes the concepts of recertification and active certificates. The proposed architecture is shown to be much more flexible and cost-effective than the conventional PKI.
1 Introduction
With the ever-increasing need for secure transactions in a wide variety of E-commerce and other distributed applications, the need for systems that offer a wide variety of quality-of-service (QoS) features is also growing. For example, most secure e-mail applications only guarantee confidentiality, i.e., no one besides the intended user can decipher and understand the mail contents. Access to a secure resource, on the other hand, may need to offer the AAA (authentication, authorization, accounting) services along with non-repudiation [1,6]. Similarly, a resource server may be satisfied with an unexpired certificate for low-value transactions while demanding strict policy checking, path validation, and certificate status checks for high-value transactions. Some relying parties may be satisfied with the information from a local CRL while others demand a stricter verification with an RA or an OCSP responder [13]. Since digital certificates are the underlying security mechanism for all these schemes, it is necessary to design a public-key infrastructure that provides a wide variety of services. The traditional PKI architecture, however, is not designed with this flexibility in mind [9,10,11,14]. Accordingly, it provides a system that is one-size-fits-all. For example, most applications seem to be using it for the purpose of authentication.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 108–121, 2002. © Springer-Verlag Berlin Heidelberg 2002
QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)
109
But there are several applications that need not only authentication but also authorization and accounting functions. While some effort is under way to fill the gap using attribute certificates [6], it falls short of the real needs [5,14]. For example, there is no way to modify the authorization amount after each use of an authorization certificate [11]. In this paper, we propose QPKI, a QoS-based PKI architecture, to overcome several of these limitations. The architecture employs two concepts: recertification and active certificates. While recertification combines the cost advantages of long-term certificates with the increased trust of short-duration certificates [8,10], active certificates allow more flexibility in the use of a certificate. In addition, they help shift some of the processing burden from a relying party to a certificate owner [4,11].

The paper is organized as follows. In section 2, we briefly summarize the QoS requirements of the different stakeholders of PKI. Section 3 discusses the limitations of the current PKI architectures in meeting these QoS needs. In section 4, we describe the proposed QPKI architecture along with the recertification and active certificate concepts. In section 5, we briefly describe the different QoS features of QPKI that are otherwise absent in current PKI systems. Finally, section 6 summarizes the contributions of the paper and discusses future work.
2 Quality-of-Service Requirements of PKI Stakeholders

To motivate the need for the proposed QoS-based PKI architecture, in this section we briefly summarize the QoS requirements of the different stakeholders of PKI: the relying party, the certificate owner, and the certificate issuer.

2.1 QoS Concerns of Relying Parties
A relying party (RP) is mainly concerned about the validity and trustworthiness of a certificate. In addition, it is concerned about the cost of achieving the required trust. In fact, it may demand different degrees of trust depending on the value of the transaction it is servicing. The following five requirements summarize some of the RP's major QoS concerns.

RP1: Certificate freshness. Depending on the application or the type of request, a relying party may desire different degrees of freshness for a certificate to avoid the high cost of status checking. For example, for an identity check, it may accept an older certificate. But for an attribute check such as verifying the worth of a user's investment portfolio, it may require a certificate issued, say, within the last 24 hours.

RP2: Path validation. Depending on the criticality or the value of the demanded service, a relying party may place different requirements on the trustworthiness of the CA that issued the user's certificate. For example, it may insist that the CA be certified directly by one of its own trust-point CAs. Alternatively, it may insist that a validation path (from the issuer CA to the RP's trust-point CA) be provided. As a default, it could accept the responsibility of discovering and verifying such a path.

RP3: Status validation. A simple relying party may not do any certificate validation and, instead, insist on fresh certificates. Alternatively, it may use an OCSP responder [13], if one is available. Otherwise, it may have to get a revocation list (CRL) from a directory provider or a distribution point and determine the status itself.

RP4: Time for validation. Since a relying party is mainly interested in completing its own services related to users' requests (for which certificates were submitted), it is important that the validation task be completed as quickly as possible, incurring as little cost as possible. However, the validation time itself is a function of the desired confidence or trust that the RP demands.

RP5: Cost of validation. In addition to the time to validate, a relying party may also be interested in limiting the cost of validation. For example, if path validation requires it to send several messages and involves several computations, then the relying party may be satisfied with what the certificate claims to be and do minimal validation. For high-value transactions, however, it may want to do a thorough validation.

2.2 QoS Concerns of Certificate Owners
A certificate owner is primarily interested in a simple process to obtain, revoke, and use certificates. The owner wants to expend as few resources as possible in using certificates. The following are a few major QoS concerns of a certificate owner.

CO1: Acceptability. The primary concern of certificate owners is the acceptability of a certificate at all relying parties of interest. In other words, the concern is whether or not a certificate and its issuer CA are trusted by the relying party to which it is submitted.

CO2: Degree of freshness. An owner is also concerned whether or not a certificate has the freshness required by a relying party. For example, some relying parties may require a certificate issued within 24 hours for it to be used. An employment certificate issued a year ago may not be acceptable to a mortgage company. Instead they may demand a certificate that was issued within the last week. Whether or not a CA can reissue a certificate, with low overhead, with a new date of issue is of concern to certificate owners.

CO3: Revocation. The third concern of an owner is whether or not a certificate can be revoked quickly. For example, owners may be less concerned about some certificates and, hence, tolerate a delay of a week for the revocation information to propagate. On the other hand, for some critical certificates, they may require that the revocation information be propagated immediately (e.g., within an hour) to the appropriate validation entities. A CA should be able to provide this type of flexibility in revocation.

CO4: Cost. Finally, an owner is concerned about the cost of each of the operations on a certificate: issue, validation, revocation, and reissue.

2.3 QoS Concerns of Certificate Issuers
As discussed above, certificate owners and relying parties have a variety of requirements. Certificate issuers, or certificate authorities (CAs), are concerned about offering these services as efficiently as possible and with as little cost as possible. The following are a few of these concerns.

CA1: Real-time certificate issue. Some users demand real-time issue of certificates from a CA. In other words, when a request is made on-line, the certificate should be issued with no further delay, in real time. However, this may mean that the issuing CA must be on-line. This may often contradict other users' requirement that it be secure and not be accessible to an on-line attacker.

CA2: Multiple attributes. Another issue of concern is the attributes stored within a certificate. While some relying parties may just need the public key and the expiration period of the certificate, others may also need details such as an authorization limit. This implies that a CA should be prepared to issue certificates with a variety of attributes varying in number and type.

CA3: Varying validity periods. Some users may require certificates with long-term validity (e.g., a tenured faculty member may be issued a long-term certificate) while others may require short-term validity (e.g., an hourly worker is issued a short-term certificate). A CA should be able to provide certificates of different validity periods to different users.

CA4: Real-time revocation. Depending on the criticality and the importance of a certificate, some users may demand that a certificate be revoked immediately. Most others may be satisfied with a reasonable revocation period of a few hours or a day. Others may be satisfied with a week-long delay. But the CA has to deal with this whole variety of requirements.

While the above QoS concerns are by no means exhaustive, they are sufficient to motivate us to work towards a QoS-based PKI architecture.
3 Limitations of Current PKI Architectures

Before describing the proposed QPKI architecture, we would like to briefly mention why the current architectures are not suitable to meet the needs of their stakeholders.
In a typical PKI architecture, the certificates themselves are static [1]. They contain certificate data along with the contact points for the CA and optionally for the directory provider. Certainly, there is a concept of different categories of certificates depending on the content of a certificate. A certificate that is issued on-line (and for free) often contains little information since there was no verification of user information. On the other hand, off-line issued certificates contain much more useful data that has been verified by the RA (registration authority). But, in general, the number of fields is limited.

While almost all CAs provide certificate revocation lists (CRLs) as a means to publish certificate revocation information, very few provide OCSP services [1,13]. Even the OCSP service is designed to be on-line but not necessarily up-to-date [5,9,12]. Thus, in almost all cases, a relying party has to download the CRLs and check the validity of a certificate. Similarly, in most cases a relying party itself needs to verify the CA's trust path. The concept of providing an SCVP (similar to OCSP) is beginning to emerge [7].

Due to the cost of issuing certificates, most certificates are issued for a long time (one or two years). But several applications would like to see short validity periods such as one or two hours or even a day. Unless the cost of issuing certificates is significantly reduced, short-duration certificates are not economically feasible with the current architectures [8].

Revocation of certificates remains a problem for all stakeholders. In almost all cases, a CA needs to be contacted for all services on a certificate. In fact, there is no means to temporarily suspend a certificate [1]. More importantly, today's PKI architectures place a significant burden on relying parties, providing almost no options. It is the RP's burden to download the CRLs; it is its responsibility to discover a validation path and validate the path.
Other deficiencies of the current architectures are also discussed in [9,10,11]. In this paper, our objective is to overcome some of these deficiencies and provide an architecture that has many more QoS options for all stakeholders.
4 Proposed QPKI Architecture

In order to offer the needed QoS for the various stakeholders, we propose a PKI architecture that is more flexible. We achieve the needed flexibility by introducing two new concepts: recertification and active certificates. In the following, we will first summarize the two concepts and then show how they are integrated to achieve the QoS objectives.

4.1 Recertification
The concept of recertification aims to combine the benefits of long-life certificates for a certificate issuer (CA) with the benefits of short-lived certificates for revocation [10]. The main idea is to initially issue a certificate for the normal period of duration (e.g., 1 or 2 years) and then require the certificate-holder (or user) to get the certificate recertified/reissued at certain intervals during its lifetime. A relying party not only looks for the lifetime of a certificate but also for its recertification status at the time of verification. To reduce the load on the CA, the recertification task may be assigned to a different entity called the recertification authority (RCA). Certainly, the RCA should have been delegated this authority by a CA, say by issuing an attribute certificate to this effect. An RCA does not have to be as trusted and secure as a CA. However, it should be certified by the CA so that the relying parties can trust its actions. Since both the CA and the RCA are involved in recertification, the original PKI X.509 format needs a few changes. An example format is shown in Figure 1. Except for the three fields (shown in italics), along with the fields of RCA identity and its public key, the fields are identical to the X.509 format. The italicized fields are introduced due to recertification and are filled by an RCA. The CA signs the remaining fields and its digital signature is included in the certificate. Let us look at the italicized fields more closely. The period of validity has two dates: the Not Before date and the Not After date. These are changed by the RCA when a certificate is initially issued as well as during every recertification. (For further details on implementing recertification, see [10].) As in traditional PKI, the user sends its request for a certificate to an RA/CA. After verifying the credentials, a certificate is issued with a longer expiration time (referred to as the original validity period in Figure 1). The CA signs the certificate. The certificate is then forwarded to the assigned RCA (also specified in the certificate). The RCA sets the Not Before and Not After dates for validation, digitally signs the entire certificate, and returns it to the user. The short-term validity period depends on the recertification frequency initially requested. After the initial issue, the user only needs to submit the certificate to the RCA for recertification.
In fact, a user needs to recertify a certificate when it is to be used. In other words, an unused certificate may never need to be recertified. In order to get an intuitive idea about the benefits of recertification toward revocation, consider a CA that revokes 10,000 certificates each week. Suppose the lifetime of each certificate is 1 year or 52 weeks. Let us assume that a certificate is equally likely to be revoked in any week during its lifetime. So the maximum number of certificate identifiers in a CRL is 52*10,000 or 520,000. The average CRL size would be 260,000 certificates. Now, if we assume that a certificate needs to be recertified once in 4 weeks (that is, 13 times during its lifetime), the maximum CRL size would only be 4*10,000 or 40,000. The average size would be 20,000 certificates. In other words, we can reduce the average CRL size from 260K to 20K. This is a significant reduction achieved by requiring a certificate to be recertified 13 times during its lifetime. In general, “p” periods of recertification would reduce the CRL to 1/p of its original size. The reduction is possible since the CRL published under this scheme contains only those revoked certificates whose recertification dates are still valid. The additional load of recertifying each certificate p times during its lifetime is taken by an RCA with no involvement of the CA.
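The CRL arithmetic above, together with the rule that the RCA's CRL lists only revoked certificates whose recertification window is still open, as an added Python example (not the paper's code); the revocation log it filters is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class RevokedCert:
    serial: int
    revoked_week: int          # week in which the revocation was recorded
    original_not_after: int    # week in which the CA-issued lifetime ends
    recert_not_after: int      # week in which the recertification in force ends


def crl_size_bounds(revocations_per_week: int, validity_weeks: int) -> Tuple[int, int]:
    """(maximum, average) CRL size under the text's model: a revoked certificate
    stays listed until its validity window ends and revocation is equally likely
    in any week, so at most revocations_per_week * validity_weeks entries are
    listed at once, and on average half that many."""
    maximum = revocations_per_week * validity_weeks
    return maximum, maximum // 2


def crl_reduction_factor(lifetime_weeks: int, recert_period_weeks: int) -> int:
    """The number p of recertification periods in a lifetime; the RCA's CRL is
    1/p the size of the conventional one because its entries expire with the
    short-term window instead of with the original lifetime."""
    return lifetime_weeks // recert_period_weeks


def build_crl(log: Iterable[RevokedCert], current_week: int,
              use_recert_window: bool) -> List[int]:
    """Serials that must appear in the CRL published at current_week.

    Conventional CA CRL (use_recert_window=False): every revoked certificate
    whose original lifetime has not yet run out.
    RCA CRL (use_recert_window=True): only those whose current recertification
    window is still open; once it closes, the certificate already fails the
    relying party's short-term expiry check and needs no CRL entry.
    """
    crl = []
    for entry in log:
        expiry = entry.recert_not_after if use_recert_window else entry.original_not_after
        if entry.revoked_week <= current_week < expiry:
            crl.append(entry.serial)
    return sorted(crl)


# Constructed log: three certificates issued in week 0 with 52-week lifetimes
# and 4-week recertification windows, all revoked in week 10. Their current
# windows opened in weeks 8, 9 and 10, so they close in weeks 12, 13 and 14.
SAMPLE_LOG = [
    RevokedCert(serial=1, revoked_week=10, original_not_after=52, recert_not_after=12),
    RevokedCert(serial=2, revoked_week=10, original_not_after=52, recert_not_after=13),
    RevokedCert(serial=3, revoked_week=10, original_not_after=52, recert_not_after=14),
]

if __name__ == "__main__":
    for weeks in (52, 4):
        print(f"validity {weeks} weeks: max/avg CRL size", crl_size_bounds(10_000, weeks))
    print("reduction factor p =", crl_reduction_factor(52, 4))
    for week in (10, 12, 14):
        print(week, "RCA CRL", build_crl(SAMPLE_LOG, week, True),
              "CA CRL", build_crl(SAMPLE_LOG, week, False))
```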
Ravi Mukkamala
Fig. 1. Certificate format with recertification. Fields, top to bottom:
Version
Serial Number
Signature Algorithm
Issuer Name
Period of Validity: Not Before Date; Not After Date
Subject Name
Subject's Public Key: Algorithm; Public Key
Extensions: RCA Identity and Public Key; Original Validity Period; Re-certification Frequency
CA Signature
RCA Signature
In summary, the CA issues the certificates; the RCA manages recertification and the publication of CRLs. The relying parties have the option of looking at not only the expiration time but also the status of recertification of a certificate.
4.2 Active Certificates
Basically, an active certificate (AC) can be thought of as a combination of executable code and data [11]. The certificate, as in a conventional system, is prepared and issued by a CA to a user. The certificates may reside in a user space (e.g., a user-specified host machine) or alternatively at a user-designated location (e.g., a selected secure certificate bank). Whenever a certificate is to be used, its code becomes active and starts running like any other process. The characteristics of an active certificate are as follows.
• It contains both executable code and data.
• The data has two parts: static (i.e., unchangeable) data and dynamic (i.e., modifiable) data.
• The dynamic data is modifiable by the code when authorized by the issuing CA.
• It is capable of communicating with a relying party.
• It can communicate with its issuing CA.
• It can interact with the certificate-owner.
• Its code and data are secure.
• A certificate is capable of self-suspension, resumption, and revocation.
When a user wishes to submit a request to a relying party, the relying party may wish to authenticate the user with a certificate. Then, the user submits the location information of the certificate to the relying party. The relying party can now directly communicate with the certificate and get all the required information to authenticate the user. In this process, a relying party may ask the certificate to first provide a proof of validation. In other words, instead of a relying party going everywhere to validate a user certificate, it now requires the certificate to provide the needed proof. It may also specify the degree of freshness of the proof. For example, a relying party may ask the certificate to provide a proof of validation that has a freshness of 1 hour or less. It is up to the certificate agent to procure the needed information and submit it to the relying party. Sometimes, the certificate may have cached this information locally and hence can provide it immediately. Other times, it may contact the CA/RA/directory servers to get the proof of validation. A user can communicate with its certificate. For example, if a user wishes to suspend a certificate, it could communicate this to its local certificate, which would then take the appropriate actions. If a user wishes to extend the life of a certificate, it could do so by communicating with the certificate itself. In summary, an active certificate consists of executable code and data. It has several roles. As a certificate-owner’s proxy (or agent), it presents the necessary information to a relying party. As a CA’s proxy, it can handle the certificate owner’s service requests regarding the certificate. It also has the ability to protect itself (code and data) from others’ actions, including those of the user.
4.3 QPKI Architecture
We now describe the proposed QoS-based PKI (QPKI) architecture integrating the recertification and active certificate concepts discussed above with the traditional PKI architecture [1,3]. In fact, the architecture includes all features of the traditional PKI (e.g., static certificates, revocation, and CRLs). The additional features offered by recertification and active certificates are optional and may be chosen by a certificate holder at the time of certificate creation. In that sense, it is compatible with the existing PKI systems. (Note: In the description below, when we indicate a set of components such as a set of RCAs as a single module, it is only a logical or functional module. In an actual implementation, they are distributed among several autonomous nodes.) As shown in Figure 2, the architecture has six primary modules.
1. The CA/RA module issues certificates after verifying the credentials of a user. The functions of the CA and RA are similar to those of any conventional PKI system. This module also contains a certificate repository module (CR) that stores all certificates issued by a CA. An interface agent (IA) facilitates communication between other modules and this module. For example, when a relying party wishes to check the status of a certificate directly from the CA/RA, it communicates through the IA. Even requests for certificate creation and revocation are handled through the IA. More than one instance of the IA could be created for a module to handle additional traffic to the module.
2. The module with the set of recertification authorities (RCA) is useful for recertification as well as status verification by the relying parties. Generally, each certificate is assigned a specific RCA for recertification. But when fault-tolerance is demanded, alternate RCAs could also be specified within a certificate.
3. The third module is a set of directory servers (DS). Each CA posts its CRL at one or more of the directory servers. This service is also available in a conventional PKI system.
4. The module of certificate banks (CB) supports active certificates when a user is unable to host them on its own machine. An active certificate may be installed either at a user or at one of the certificate banks.
5. The fifth module is a set of relying parties (RP). This is typical of any PKI system.
6. Finally, the sixth module is a set of users (U). They are also referred to as certificate holders or certificate owners. This is also typical of any PKI system.
The interactions between different modules are indicated by the numbers I to IX. Among these, the interactions I and IX are important and hence are discussed below.
I: This represents all communication between the user module and the CA/RA module. In particular, it consists of the following types of communication.
• User→CA: This includes user requests for the issue of a new certificate and all related authorization messages. In addition, as an exception, when a user does not get any response from its local active certificate (proxy), it directly communicates with the CA to suspend/revoke/renew/reactivate a certificate.
• AC→CA: The active certificate (executing in user space) communicates with the CA on behalf of the user (say to revoke a certificate or to renew a certificate) or to seek the needed validation information to satisfy a relying party.
• CA→User: The CA installs/reinstalls the user certificate at the user-specified host.
• CA→AC: The CA directly communicates with the certificate proxies in response to their requests.
IX: This represents all communication between a user and a relying party. It consists of the following types of communication. This takes place both for static and active certificates.
• User→RP: The user sends its requests for service to the relying parties and supplies all the required information. It also indicates to the RP the certificate proxy with which it should communicate for authentication/authorization.
• RP→AC: A relying party directly communicates with the certificate proxy for any authentication/authorization of the user’s request.
• RP→User: Once the authentication/authorization is successful, the relying party can directly communicate with the user to deliver the desired services.
• AC→RP: The active certificate proxy interacts with the relying party to provide any needed information for authentication/authorization.
Fig. 2. Proposed QoS-based PKI architecture. (Diagram: CA/RA modules, each with a certificate repository (CR) and an interface agent (IA); the RCA, CB and DS modules; relying parties (RP); and users (U), with the interactions between modules numbered I to IX.)
In addition, as an exception, a relying party may also communicate with the CA/RA to confirm the status of a certificate or to report any suspected behavior of an active certificate. As discussed in the next section, the addition of the RCA and AC enables QPKI to offer many more types of QoS than otherwise possible. Due to space limitations, we have omitted the discussion on the positive impact of the QPKI architecture on other characteristics of a PKI system such as scalability, availability, responsiveness, and communication costs.
5 QoS Features of the QPKI Architecture
As discussed earlier, the traditional system is too inflexible for most applications. In order to address some of these concerns, we have proposed the QPKI architecture. In this section, we shall show how QPKI overcomes the weaknesses of the traditional PKI. First, let us consider a conventional system that uses CRLs. Here, a relying party has two options: (i) use the certificate expiration and other checks using data within the certificate itself to validate a certificate; (ii) use the CRL provided by the CA at the directory service to confirm that a certificate has not been revoked (alternatively, it could use an OCSP-like protocol [13]). Given that the lifetime of conventional certificates is long, it is almost mandatory for a relying party to obtain the latest CRL and check the status of the submitted certificate. This is an expensive process. Now, let us consider the options (or QoS) available due to the recertification feature in QPKI. Here, a relying party has four options.
• Check the original certificate expiration time. This is similar to option (i) of the conventional scheme.
• Check the short-term expiration time (or the expiration of the recertification). Since this is more recent (or current) than the original certificate, most relying parties can rely on this for verification.
• Check the CRL of the RCA. Since the RCA’s CRLs are more frequently updated and are much shorter, this is much cheaper than option (ii) in a conventional scheme. Those relying parties that are not satisfied with the above option can do this additional check.
• Check the CRL of the CA. This is similar to the default option in a conventional scheme.
In addition to these general options, the following possibilities exist.
• Degree of freshness based on relying party. A relying party can dictate the degree of freshness of a certificate. In other words, it can insist that a certificate has been renewed in the last 1 hour or in the last 24 hours. The user can go to the RCA and get it renewed as per the relying party’s requirements.
• Renewal frequency. Depending on the type of applications for which a certificate will be used, a user can request a certain renewal frequency for a certificate. Thus, a certificate that is used in highly secure or high-valued transactions can have more frequent renewals or shorter lifetimes.
• Need-based renewal. More importantly, a user has the option of renewing a certificate only when needed (e.g., just-in-time). For example, suppose a user has been issued a certificate with a lifetime of 24 months and a renewal frequency of 56. Then, the recertification is valid for only 1 week. This does not mandate a user to recertify it 56 times. Instead, as and when the user wishes to use the certificate to be submitted to a relying party for a service, he could send it to the RCA, get it renewed, and submit it to the relying party. This greatly reduces the overhead placed on the user for recertification while at the same time offering flexibility to a relying party to dictate its own degree of freshness.
• Temporary suspension. It is also possible to temporarily suspend a certificate. For example, if a manager is going to be on leave of absence for 4 weeks, his recertification, which is say done every day, could be stopped during this time. This automatically suspends the certificate without involving any other entity. We find this option to be one of the key advantages of the recertification process not offered by conventional certificates.
Now, let us consider the flexibility in QoS offered by QPKI when the active certificate feature is used. Clearly, one of the advantages of the AC concept is the ability to transfer the certificate validation responsibility from a relying party to the certificate holder. Following are a few QoS options offered by QPKI due to ACs.
• Proof of validation. A relying party can require the executing AC to provide a proof of validation. This may include providing the expiration time and validating the path of trust between the relying party’s trusted CAs and the certificate-issuing CA. The parent process could include some path information (with respect to a selected set of popular CAs) in the AC itself, thus making this process more efficient. This option may enable a relying party to handle more service requests and improve its throughput.
• Temporary suspension. In a conventional PKI, it is not possible to suspend a certificate temporarily. However, QPKI allows this option. For example, a user can simply communicate with its AC and suspend it for a specified time or until he resumes it again. This can be done with very little overhead.
• AC and recertification. In cases where a relying party requires certificates with a specified degree of freshness (e.g., issued within 24 hours), the AC could communicate with the associated RCA and get the recertified data. All this can be achieved with no intervention from the user.
• Authorization. One of the interesting applications of active certificates is for authorization. In a typical authorization system, a user may be permitted to use a certain amount of a resource. For example, a bank may issue a certificate to a customer indicating a line of credit for a certain amount. The credit could be used any number of times at any merchant or service provider, and after each use the credit should be reduced. This is not possible with a typical PKI unless the merchant contacts the CA each time to get authorization. An active certificate, on the other hand, obviates the need for this extra burden on the relying party and the CA. Since a relying party actually communicates with the certificate process, it is possible for the certificate process to take into account the current transaction and thereby reduce the permitted credit limit for future requests.
• Custom-made certificates. In a traditional system, certificate formats are generally standard (e.g., X.509 certificates). While there is a provision for extension (or optional) fields, much more coordination is needed among the issuer, the user, and the relying parties to use the optional fields. In the current scheme, two facts make the process simpler: (i) the data portion of the certificate is in XML format, where each field is tagged with a label. Thus it is much easier to add user-specific or application-specific labels to a certificate. (ii) The executable code part of the certificate makes the customization simpler. Since the executable code can be customized to specific domains or to specific users, the certificates are easily customizable. For example, a university may always want to add the student’s major to a student’s certificate field. In addition, it may have fields to indicate the URLs or IP addresses of student-specific services, such as the registrar, to verify student status.
In summary, QPKI clearly extends the QoS options provided by the conventional PKI and, hence, is more suitable to handle the wide variety of today’s secure applications.
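The recertification step of Section 4.1 and the relying-party options of this section (original expiry, short-term window, RCA CRL, CA CRL, and a freshness requirement dictated by the relying party), as an added Python example that is not the paper's code. HMAC-SHA256 with constructed keys stands in for the CA and RCA signatures; the point is which fields each authority covers (the CA the core fields, the RCA the whole certificate including the window it sets) and how a verifier applies its policy, not the signature algorithm.

```python
import hmac
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

CA_KEY = b"constructed-ca-signing-key"    # stand-in for the CA private key
RCA_KEY = b"constructed-rca-signing-key"  # stand-in for the RCA private key

def _sign(key: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 stands in for a digital signature in this example
    return hmac.new(key, data, "sha256").digest()

def _verifies(key: bytes, data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(_sign(key, data), signature)

@dataclass
class RecertCertificate:
    # Signed by the CA: X.509 content plus the recertification extension
    serial: int
    subject: str
    issuer: str
    rca_id: str
    original_not_before: datetime
    original_not_after: datetime
    recert_frequency: timedelta      # length of each short-term window
    # Filled in by the RCA at every recertification
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    ca_signature: bytes = b""
    rca_signature: bytes = b""

    def ca_signed_bytes(self) -> bytes:
        return json.dumps([self.serial, self.subject, self.issuer, self.rca_id,
                           str(self.original_not_before), str(self.original_not_after),
                           self.recert_frequency.total_seconds()]).encode()

    def rca_signed_bytes(self) -> bytes:
        # The RCA signs the entire certificate: CA fields, CA signature and window
        return (self.ca_signed_bytes() + self.ca_signature
                + json.dumps([str(self.not_before), str(self.not_after)]).encode())

def ca_issue(cert: RecertCertificate, ca_key: bytes = CA_KEY) -> RecertCertificate:
    """CA step: sign the core fields; the short-term window stays unset."""
    cert.ca_signature = _sign(ca_key, cert.ca_signed_bytes())
    return cert

def rca_recertify(cert: RecertCertificate, now: datetime, rca_key: bytes = RCA_KEY,
                  ca_key: bytes = CA_KEY) -> RecertCertificate:
    """RCA step: check CA signature and lifetime, open one period's window, sign it all."""
    if not _verifies(ca_key, cert.ca_signed_bytes(), cert.ca_signature):
        raise ValueError("CA signature does not verify; refusing to recertify")
    if not cert.original_not_before <= now <= cert.original_not_after:
        raise ValueError("outside the original validity period")
    cert.not_before = now
    cert.not_after = min(now + cert.recert_frequency, cert.original_not_after)
    cert.rca_signature = _sign(rca_key, cert.rca_signed_bytes())
    return cert

def relying_party_check(cert: RecertCertificate, now: datetime,
                        max_age: Optional[timedelta] = None,
                        rca_crl: FrozenSet[int] = frozenset(),
                        ca_crl: Optional[FrozenSet[int]] = None,
                        ca_key: bytes = CA_KEY, rca_key: bytes = RCA_KEY) -> Tuple[bool, str]:
    """The four options of Section 5 in order of cost, plus freshness. Returns (accepted, reason)."""
    if not _verifies(ca_key, cert.ca_signed_bytes(), cert.ca_signature):
        return False, "ca-signature-invalid"
    if not cert.original_not_before <= now <= cert.original_not_after:
        return False, "original-lifetime-expired"      # option (i)
    if cert.not_before is None or cert.not_after is None:
        return False, "never-recertified"
    if not _verifies(rca_key, cert.rca_signed_bytes(), cert.rca_signature):
        return False, "rca-signature-invalid"
    if not cert.not_before <= now <= cert.not_after:
        return False, "recertification-expired"        # option (ii); a lapsed (suspended) cert ends here
    if max_age is not None and now - cert.not_before > max_age:
        return False, "not-fresh-enough"               # degree of freshness set by this RP
    if cert.serial in rca_crl:
        return False, "revoked-in-rca-crl"             # option (iii): short, frequent RCA CRL
    if ca_crl is not None and cert.serial in ca_crl:
        return False, "revoked-in-ca-crl"              # option (iv): only when the RP insists
    return True, "valid"

ISSUE_TIME = datetime(2002, 12, 16, 9, 0, tzinfo=timezone.utc)   # constructed
def demo() -> dict:
    """One constructed certificate walked through the Section 5 scenarios."""
    cert = ca_issue(RecertCertificate(
        serial=4711, subject="CN=Alice", issuer="CN=Example CA", rca_id="CN=Example RCA",
        original_not_before=ISSUE_TIME, original_not_after=ISSUE_TIME + timedelta(days=365),
        recert_frequency=timedelta(hours=24)))
    results = {"before-recert": relying_party_check(cert, ISSUE_TIME + timedelta(hours=1))}
    rca_recertify(cert, ISSUE_TIME)                    # just-in-time renewal by the RCA
    at = ISSUE_TIME + timedelta(hours=2)
    results["valid"] = relying_party_check(cert, at)
    results["freshness-1h"] = relying_party_check(cert, at, max_age=timedelta(hours=1))
    results["rca-crl"] = relying_party_check(cert, at, rca_crl=frozenset({4711}))
    results["suspended"] = relying_party_check(cert, ISSUE_TIME + timedelta(hours=30))
    forged = replace(cert, not_after=ISSUE_TIME + timedelta(days=30))  # window changed without the RCA
    results["forged-window"] = relying_party_check(forged, ISSUE_TIME + timedelta(hours=30))
    return results
```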
6 Conclusion and Future Work
The traditional X.509 PKI architecture suffers from many limitations in terms of the quality-of-service features that it offers to its stakeholders. In order to overcome some of these deficiencies, we have proposed a new PKI architecture. The new architecture incorporates two new concepts: recertification and active certificates. Recertification helps reduce the size of revocation information (e.g., CRL). In addition, it enables a user to provide the degree of freshness of a certificate desired by a relying party. An active certificate, with executable code and data, transfers much of the responsibility of proof of validation from a relying party to the user. In addition, it provides additional features such as temporary suspension and resumption. It also provides a facility wherein a relying party can request only the data that it requires from a certificate (need-to-know) rather than obtain an entire certificate. We are currently prototyping the proposed architecture using Java, XML, and XKML. We were able to clearly demonstrate the feasibility of the approach. However, a few problems of trust remain to be solved. We are especially looking into ways to improve the trust a relying party may have in the executable code and the data it receives from it. We are experimenting with several technologies to improve this trust. In summary, we have proposed a new QoS-based PKI (QPKI) architecture that offers much more flexibility to all the stakeholders—the certification authority, the relying party, and the certificate owner. Clearly, QPKI is much better suited to the variety of applications in the real world today than the conventional PKI. Further work needs to be done to improve the trust in the system.
References
[1] Adams, C., Lloyd, S., Kent, S.: Understanding Public-Key Infrastructure Concepts: Standards and Deployment Considerations. Macmillan Technical Publishing (1999)
[2] Borisov, N., Brewer, E.: Active Certificates: A Framework for Delegation. Proc. Network and Distributed System Security Symposium (2002)
[3] Denker, G., Millen, J., Miyake, Y.: PKI and Revocation Survey. SRI Technical Report SRI-CSL-2000-01 (2000)
[4] DeTreville, J.: Making certificates programmable. Proc. First Annual PKI Research Workshop, Gaithersburg, MD, USA (2002), 48-55
[5] Kocher, P. C.: On certificate revocation and validation. Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465 (1998), 172-177
[6] Laing, S. G.: Attribute certificates - a new initiative in PKI technology. Technical Report, Baltimore Technologies, http://www.baltimore.com/library/whitepapers/acswp-hm.html (2001)
[7] Malpani, A., Hoffman, P., Housley, R., Freeman, T.: Simple Certificate Validation Protocol (SCVP). IETF PKIX Working Group Internet Draft (2000)
[8] Micali, S.: NOVOMODO: Scalable certificate validation and simplified PKI management. Proc. First Annual PKI Research Workshop, Gaithersburg, MD, USA (2002), 9-19
[9] Mukkamala, R., Jajodia, S.: A novel approach to certificate revocation management. Proc. Fifteenth IFIP WG 11.3 Working Conf. Database and Applications Security, Niagara on the Lake, Ontario, Canada (2001), 223-238
[10] Mukkamala, R., Das, S., Halappanavar, M.: Recertification: A technique to improve services in public-key infrastructure. Proc. Sixteenth IFIP WG 11.3 Working Conf. Database and Applications Security, King’s College, Cambridge, England (2002), 277-293
[11] Mukkamala, R., Balusani, S.: Active certificates: A new paradigm in digital certificate management. Proc. Workshop on Trusted Computing Paradigms, ICPP 2002, Vancouver, British Columbia, Canada (2002), 30-37
[12] Myers, M.: Revocation: Options and challenges. Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465 (1998), 165-171
[13] The Online Certificate Status Protocol. http://www.baltimore.com/devzone/pki/ocsp.html
[14] Rivest, R. L.: Can we eliminate certificate revocation lists? Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465 (1998), 178-183
Towards Logically and Physically Secure Public-Key Infrastructures
Kapali Viswanathan (1) and Ashutosh Saxena (2)
(1) Information Security Research Centre, Queensland University of Technology, GPO Box 2434, Brisbane, Australia, Q 4001, [email protected]
(2) IDRBT, Castle Hills, Road No.1, Masab Tank, Hyderabad, (AP), INDIA, [email protected]
Abstract. The bootstrapping of security mechanisms to large-scale information systems is an important and critical exercise. It is conjectured that the design of a bootstrapping procedure is effective if every such bootstrapping procedure affects (or alters) the behaviour (represented by input data) of all system users (certificate authorities and the users of the public key infrastructure (PKI)). This paper aims to provide public verification for every use of certifying private keys, which are assumed to be stored in multiple physical locations. It provides abstract descriptions of protocols to achieve effective bootstrapping of security mechanisms to large-scale PKIs.
Keywords: PKI, critical keys, private keys, backup, controlled use.
1 Introduction
Application of cryptography to large-scale systems remains an important area for research. Cryptography provides confidentiality and integrity mechanisms (or services) to transfer the confidentiality or integrity properties of one value to another value. Such mechanisms can be specified using propositions as follows.
Confidentiality mechanisms: If the key possesses the confidentiality property, then the message may possess the confidentiality property.
Integrity mechanisms: If the key possesses the integrity and confidentiality properties, then the message possesses the integrity property.
Cryptosystems are information systems that use cryptography and suitable key-management infrastructures (KMIs). KMIs are primarily concerned with storing trees or forests (collections of trees) of keys. KMIs must necessarily assume the confidentiality and integrity properties of some keys, called critical keys, in the trees or forests before the confidentiality and integrity properties of other keys can be deduced using suitable cryptographic mechanisms. The confidentiality and integrity properties of the critical keys must be maintained using out-of-band security techniques, which are usually some form of physical security. Cryptography is not, and cannot be, concerned with the protection of these properties of the critical keys.
PKIs are a specialised form of KMI. PKIs are interested in the provision of an integrity service for a collection of public values, which includes a public key. The critical keys in PKIs are called root keys or root public keys. The integrity properties of the root public keys are an assumption, which cannot be cryptographically verified. Similarly, the confidentiality properties of the root private keys are also an assumption. Depending on the type of the PKI, there may be one or more root public keys. For the sake of clarity and without loss of generality, this paper will assume a PKI with the following structure.
Root public key (Level 0): there exists a single root public key which is used for authorising the public keys of certificate issuers;
Certificate issuer public keys (Level 1): there exists a set of certificate-issuer public keys which are used for authorising the public keys of users; and,
User public keys (Level 2): there exists a set of user public keys which are used in confidentiality and integrity mechanisms.
* This work was carried out when the author was visiting ISRC, QUT, Australia, on a BOYSCAST fellowship from the Ministry of Science and Technology, Government of India. The author acknowledges them.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 122–134, 2002. © Springer-Verlag Berlin Heidelberg 2002
1.1 Background
Maurer and Schmid [6] present a lucid discussion on bootstrapping cryptographic mechanisms. They study the effects of security bootstrapping on the confidentiality and authenticity properties of various messages securely communicated using the resulting system. Section 4 of their paper has important implications for large-scale secure information systems. In that section, an axiom (Axiom 1) clearly implies why an out-of-band integrity channel should be employed to communicate the critical keys. In this paper, there exist two such communications (Procedures 1 and 7 in Section 2.4). The model proposed in the next section specifies generic signature and verification algorithms. Therefore, the model can accommodate any general-purpose signature system [7, 9] or specialised signature system [5, 2]. A concept that is central to the model to be proposed is that of a trusted hardware device called a black-box. The model specifies some of the functionalities that are expected of the black-box.
2 A Model for Improved Integrity Verification in PKIs
The verification actions in the traditional PKI are as follows.
Verification Action 1: One integrity verification in the form of a signature verification to verify if a certificate was issued by a certificate issuer.
Verification Action 2: Another integrity verification in the form of a certificate path validation, which is a sequence of signature verification operations, to verify if the certificate issuer is authorised to issue certificates. Note that the root certificate issuer authorises itself to authorise other certificate issuers. That is, the certificate for the root public key is a self-signed certificate, which can be verified using the same key¹.
The proposed model extends the functionality of the traditional PKI by including an additional integrity verification mechanism as follows.
Verification Action 3: An integrity verification mechanism verifies if the instance of a black-box, which generated a certificate, was authorised.
In other words, the new model requires all users to verify three authorisations before accepting a certificate and the associated public key. The three authorisations are those for: (i) the public key to be used; (ii) the public key of the certificate issuer who issued the authorisation; and, (iii) the instance of the black-box which was employed by the certificate issuer to generate the authorisation information (certificate).
2.1 Problem Statement
Since the concept of a black-box is central to the problem statement, its description will be presented firstly. Black-box: is a blue-print for the manufacture of a tamper resistant computing device, possibly confirming to FIPS-140, level-3 [8]. Its instances can perform cryptographic operations, such as encryption, decryption, signature generation and signature verification. The instances should have strong quality assurance guarantees. It has the capability to generate secure public-private key pairs and to store the corresponding private key securely. It must provide interfaces for permanently disabling all future configuration actions. It is assumed that the instances of the black-box do not have any cryptographic identity after their manufacture and before their use. Non-secret values, such as serial numbers that the black-box reveals to the outside world, are not considered to be cryptographic identities. The instances of the black-box, after manufacture and before use, are considered to be operational clones. The model, to be proposed in Section 2.4, does not specify, but requires, the following black-box operations. 1. The black-box will re-initialise itself whenever a private key is set to it from the external world. It re-initialises by: 1) deleting any of its previously generated black-box private-public key pair; and, 2) creating a new black-box private-public key pair. It should also have mechanisms to export the newly created black-box public key to the external world. 1
This is the reason why an out-of-band, integrity channel between the root certificate issuer and all the certificate issuers and users of the PKI is essential. In other words, all participants must possess the same value of root public key.
Towards Logically and Physically Secure Public-Key Infrastructures
125
2. The black-box may have an interface to disable all future configuration activities. This allows an initialised black-box to be frozen in time for a specific purpose.

Based upon these assumptions for the black-box, the problem statement can be presented as follows.

Problem Statement 1. By assuming the above properties of the black-box, how can every participant of the system have the capability to distinguish the outputs from two clones of the black-box after their initialisation?

The importance and relevance of the problem statement will be appreciated when considering the operational requirements for certificate issuers (certificate authorities) in a large-scale PKI. In such PKIs, it is fundamentally important to protect against the illegal use of certifying private keys. The certificate issuers are usually required, possibly by law, to maintain at least two sets of functionally identical and operational black-boxes: one set for the production systems and the other set for back-up systems. Such a requirement may increase the risk of misuse of the certifying private keys. Certificate issuers may want to restrict the use of the back-up systems in a verifiable fashion. Such a restriction may be useful to prevent the creation of parallel and malicious PKIs, which may be indistinguishable from the original PKI. Additionally, other motivations to pursue the problem statement exist. For example, it may be necessary to notify all users of a PKI whenever a certificate issuer's black-box clone becomes inoperable, possibly due to hardware malfunction or otherwise. The certificate issuer need not necessarily be trusted to perform such notifications.

2.2 Goals of this Paper
The goal of this paper is expressed by the following equivalent statements.

1. To establish a unique, verifiable relationship between every certificate issued by a certificate issuer, including the root certificate issuer, and the black-box clones that were used to create the certificate.
2. To design a mechanism for uniquely tracing every certificate to the certificate issuer and the black-box clone which generated the certificate.

2.3 Nomenclature
The paper employs a set-theoretic, state-based specification to specify the proposed model for a PKI. Some notations which may require clarification are explained in this section.

Schema N: The current protocol schema is numbered $N$.
$X := Y$: $X$ is defined to be $Y$.
$y = F(x)$: This statement is true if and only if $y$ is the output of the function $F$ when the input is $x$.
126
Kapali Viswanathan and Ashutosh Saxena
$y \leftarrow f(x)$: The output of the function $f$, where $x$ is the input, is assigned to $y$.
$y \leftarrow \emptyset$: The value of $y$ is initialised to the null set.
$y^{new} \leftarrow y^{old}$: The value of $y$ after the successful completion of a procedure is $y^{new}$. The value of $y$ before the completion of, and during the execution of, every successful procedure is $y^{old}$.

2.4 Specification of Procedures and Protocols
The model is specified to include ten core procedures. Each procedure has an associated protocol, whose abstract specifications are also included. Procedures 1, 2, 7, and 8 (in Section 2.4) are assumed to be implemented using black-box clones. The following function definitions will be employed in the specification.

1. $y = F(x)$: The one-way function to be employed in the PKI. The tuple of secret values is $x$ and the tuple of public values is $y$. Without loss of generality, the specification assumes the use of a single type of one-way function.
2. $\sigma = \mathrm{Sig}_x(m)$: $\sigma$ is the signature on $m$ using $x$ as the private key. Let $\Sigma$ denote the range of the function Sig. It is important to choose a secure signature algorithm. Although the security of digital signature algorithms has not been concretely specified, there exist complexity-theoretic specifications for the properties that a "secure" signature algorithm must possess [3].
3. $\mathrm{Ver}_y(m, \sigma)$: Outputs TRUE if $\sigma = \mathrm{Sig}_x(m)$ and $y = F(x)$, and FALSE otherwise.

Let $Y$ be the set of all possible public tuple values (public keys). $Y$ is determined by the choice of one-way function, $F$. For example, $Y$ may represent the set $\mathbb{Z}_n^*$, where $n$ is an RSA modulus [9], if $F$ represents the RSA trapdoor one-way function. Let $X$ be the set of all possible private tuple values (private keys) satisfying the following specification.

$X := \{x \mid \forall y \in Y,\ y = F(x)\}$

The following types of public keys will be employed in the specification.

1. The root certificate-issuer public key, $y_r \in Y$
2. A set of certificate issuer public keys, $Y \supseteq Y_c := \{y_{c1}, y_{c2}, \ldots\}$
3. A set of user public keys, $Y \supseteq Y_u := \{y_{u1}, y_{u2}, \ldots\}$
4. A set of certificate issuer production black-box public keys, $Y \supseteq Y_{pbc} := \{y_{pbc1}, y_{pbc2}, \ldots\}$
5. A set of certificate issuer back-up black-box public keys, $Y \supseteq Y_{bbc} := \{y_{bbc1}, y_{bbc2}, \ldots\}$
6. A set of root certificate issuer production black-box public keys, $Y \supseteq Y_{pbr} := \{y_{pbr1}, y_{pbr2}, \ldots\}$
7. A set of root certificate issuer back-up black-box public keys, $Y \supseteq Y_{bbr} := \{y_{bbr1}, y_{bbr2}, \ldots\}$
In the above types and in the following specifications, the following acronyms are used for convenience.

BBR: Back-up Black-box of Root certificate issuer
PBR: Production Black-box of Root certificate issuer
BBC: Back-up Black-box of Certificate Issuer
PBC: Production Black-box of Certificate Issuer
The core procedures and the specification for the associated protocols for the model are as follows.

1. Certificate generation for root public key. This phase can be considered to be the bootstrap operation for the entire PKI. In this phase, every public key, such as the root public key and the public keys of all the black-box clones, certifies all the other public keys and itself. The specification² for these operations can be stated as follows.

Schema 1
$y_r \in Y,\ x_r \in X : y_r = F(x_r)$
$Y_{pbr}, Y_{bbr} \subseteq Y$
$\alpha_r \leftarrow \mathrm{Sig}_{x_r}(y_r, Y_{pbr}, Y_{bbr})$
$B_r := \{\beta_{ri} \mid (\exists x_i \in X,\ (y_i \in Y_{pbr} \lor y_i \in Y_{bbr}) : y_i = F(x_i)) \land \beta_{ri} \leftarrow \mathrm{Sig}_{x_i}(y_r, Y_{pbr}, Y_{bbr})\}$

The semantics for these equations can be stated as follows. The signature $\alpha_r$ binds the root public key, $y_r$, with the set of production black-box public keys, $y_{pbri} \in Y_{pbr}$, and the set of back-up black-box public keys, $y_{bbri} \in Y_{bbr}$. Each $\beta_{ri} \in B_r$ is meant to suggest that the $i$th black-box (which is either a production black-box or a back-up black-box) has been initialised with the root private key, $x_r$, and: (a) has generated a black-box key pair, $(x_i, y_i)$; and, (b) is aware of the value $y_r$ and of the sets $Y_{pbr}$ and $Y_{bbr}$.

A black-box that can achieve this goal could have the following interfaces:

(a) SetCertifyingKey. The input would be a public-private key pair, which will be used for generating certificates. The output would be a randomly generated public key, whose private key will be used to witness every such certificate generation. Every time this interface is used, the black-box can overwrite the previously generated outputs.

² Note that in this specification and in all subsequent specifications, the sequence of logical operations for the protocol is not specified. All specified logical operations must evaluate to TRUE before the schema can be TRUE. The specification language does not correspond to any programming language; rather, it is a mathematical language.
(b) WitnessBlackBoxClones. The input would be a set of public keys, which is expected to be the public keys of other black-box clones. The output would be a set of signature tuples. This interface could enforce the rule that it can be invoked exactly once after the SetCertifyingKey interface was invoked.

The bootstrap information, $(y_r, Y_{pbr}, Y_{bbr}, \alpha_r, B_r)$, is published in an out-of-band integrity channel that can be read by every participant, including the certificate issuers and the users, of the PKI. This information can be considered to be the only static information for the PKI. Note that the specification suggests that $B_r$ is a set of signature tuples and not a single value. This does not constrain the possibility of using multisignature systems [1, 4] to reduce the size of the information contained in $B_r$. This is because the specification does not constrain the possible relationships between various instances of signature generation functions that could be used to implement $\mathrm{Sig}_{x_i}()$. Such a design for the signature algorithm is an open problem.

System Initialisation: After the bootstrap information is created by the root certificate authority, the following system initialisations can be performed.

$Y_{bbr} \supseteq W_{bbr} \leftarrow \emptyset$
$Y_{bbc} \supseteq W_{bbc} \leftarrow \emptyset$
$\Sigma \times \Sigma \supseteq \Delta_r \leftarrow \emptyset$
$\Sigma \times \Sigma \supseteq \Delta_c \leftarrow \emptyset$
$\Sigma \times \Sigma \supseteq \Sigma_c \leftarrow \emptyset$
$\Sigma \times \Sigma \supseteq \Sigma_u \leftarrow \emptyset$

The sets $W_{bbr}$ and $W_{bbc}$ contain back-up black-box public keys that have become production public keys. The sets $\Delta_r$ and $\Delta_c$ contain authorisation information (tuples of signatures) for the elements in $W_{bbr}$ and $W_{bbc}$, respectively. The sets $\Sigma_c$ and $\Sigma_u$ contain certificates (tuples of signatures) for the certificate issuers and the users, respectively. All these sets must be publicly available to all participants of the PKI in an appropriate fashion.

2. Certificate generation for the certificate issuer public key. In this phase the root certifies certificate-issuer public keys and the associated black-box clones. The root is required to physically examine the black-box clones to be used by the certificate issuer. The root must make sure that the sets of black-box public keys, $Y_{pbc}$ and $Y_{bbc}$, were in fact generated by the black-boxes. It is difficult to specify such operations formally [6]. The specification for these operations can be stated as follows.
Schema 2
$y_r \in Y,\ x_r \in X : y_r = F(x_r)$
$y_{pbr} \in Y_{pbr} \cup W_{bbr},\ x_{pbr} \in X : y_{pbr} = F(x_{pbr})$
$y_c \in Y$
$Y_{pbc}, Y_{bbc} \subseteq Y$
$\alpha_c \leftarrow \mathrm{Sig}_{x_r}(y_c, Y_{pbc}, Y_{bbc}, y_{pbr})$
$\beta_c \leftarrow \mathrm{Sig}_{x_{pbr}}(\alpha_c)$
$\Sigma_c^{new} \leftarrow \Sigma_c^{old} \cup \{(\alpha_c, \beta_c)\}$
$Y_c^{new} \leftarrow Y_c^{old} \cup \{y_c\}$
3. Certificate generation for user public key. In this phase the certificate issuer certifies user public keys. The specification for these operations can be stated as follows.

Schema 3
$y_c \in Y_c,\ \exists x_c \in X : y_c = F(x_c)$
$y_{pbc} \in Y_{pbc} \cup W_{bbc},\ \exists x_{pbc} \in X : y_{pbc} = F(x_{pbc})$
$y_u \in Y$
$\alpha_u \leftarrow \mathrm{Sig}_{x_c}(y_u, y_{pbc})$
$\beta_u \leftarrow \mathrm{Sig}_{x_{pbc}}(\alpha_u)$
$\Sigma_u^{new} \leftarrow \Sigma_u^{old} \cup \{(\alpha_u, \beta_u)\}$
$Y_u^{new} \leftarrow Y_u^{old} \cup \{y_u\}$
4. Verification of certificate for root public key. During this phase, every participant, including the certificate issuers and the users, of the PKI may be expected to retrieve the bootstrap information from the out-of-band integrity channel, which was published during Procedure 1. The bootstrap information is verified using the following protocol specification.

Schema 4
$y_r \in Y$
$Y_{pbr}, Y_{bbr} \subseteq Y$
$\exists \alpha_r \in \Sigma$
$\exists B_r \subseteq \Sigma$
$\mathrm{TRUE} = \mathrm{Ver}_{y_r}(y_r, Y_{pbr}, Y_{bbr}, \alpha_r)$
$(\forall \beta_{ri} \in B_r,\ (\exists y_i \in Y_{pbr} \lor \exists y_i \in Y_{bbr}) : \mathrm{TRUE} = \mathrm{Ver}_{y_i}(y_r, Y_{pbr}, Y_{bbr}, \beta_{ri})) \land (|B_r| = |Y_{pbr}| + |Y_{bbr}|)$
The participants verify the signature on the root public key, $y_r$, and all black-box public keys using $y_r$. Additionally, the participants verify the signatures by all the black-box public keys, $y_i$, on the root public key and all black-box public keys. It is also expected that the participants verify that the number of signature tuples in $B_r$ is equal to the number of black-box public keys. This procedure may be executed once by every user before securely storing the bootstrap information locally. If such is not the case then the bootstrap information must be retrieved from the out-of-band integrity channel and verified during every path-validation activity (i.e., during Procedures 5 and 6).

5. Verification of certificate issuer public keys. This procedure is employed to verify the certificate $(\alpha_c, \beta_c)$ of a particular certificate issuer possessing the public key $y_c$.

Schema 5
$y_c \in Y_c$
$(\exists y_r \in Y : \text{Schema 4} = \mathrm{TRUE})$
$(\exists y_{pbr} \in Y_{pbr} : \text{Schema 4} = \mathrm{TRUE}) \lor (\exists y_{pbr} \in W_{bbr} : \text{Schema 9} = \mathrm{TRUE})$
$Y_{pbc}, Y_{bbc} \subseteq Y$
$\exists (\alpha_c, \beta_c) \in \Sigma_c$
$\mathrm{TRUE} = \mathrm{Ver}_{y_r}(y_c, Y_{pbc}, Y_{bbc}, y_{pbr}, \alpha_c)$
$\mathrm{TRUE} = \mathrm{Ver}_{y_{pbr}}(\alpha_c, \beta_c)$

The above protocol is meant to suggest the following, if it is executed successfully. The root certificate issuer, through the use of the root public key, $y_r$, and one of the root production black-boxes, $y_{pbr}$, has certified the particular certificate issuer's public key to be $y_c$, which is to be employed using the black-boxes represented by the public keys in the sets $Y_{pbc}$ and $Y_{bbc}$.

6. Verification of certificate for user public key. This procedure is employed to verify the user certificates. The specification for the protocol to be followed for such a verification is as follows.

Schema 6
$y_u \in Y_u$
$\exists y_c \in Y_c : \text{Schema 5} = \mathrm{TRUE}$
$(\exists y_{pbc} \in Y_{pbc} : \text{Schema 5} = \mathrm{TRUE}) \lor (\exists y_{pbc} \in W_{bbc} : \text{Schema 10} = \mathrm{TRUE})$
$\exists (\alpha_u, \beta_u) \in \Sigma_u$
$\mathrm{TRUE} = \mathrm{Ver}_{y_c}(y_u, y_{pbc}, \alpha_u)$
$\mathrm{TRUE} = \mathrm{Ver}_{y_{pbc}}(\alpha_u, \beta_u)$
The above protocol verifies the validity of the user's certificate corresponding to the public key $y_u$. It verifies whether some certificate issuer public key, $y_c$, using some certificate-issuer production black-box public key, $y_{pbc}$, issued the certificate. Additionally, it verifies whether $y_c$ and $y_{pbc}$ are certified for use by the root public key, $y_r$, and a root black-box public key, $y_{pbr}$.

7. Induction of elements from BBR to PBR. This procedure is employed to notify all the participants in the system that a root back-up black-box is to become a root production black-box. The specification for the protocol to be employed for this procedure is as follows.

Schema 7
$y_r \in Y,\ x_r \in X : y_r = F(x_r)$
$y_{bbr} \in Y_{bbr},\ x_{bbr} \in X : y_{bbr} = F(x_{bbr})$
$\delta_r = \mathrm{Sig}_{x_r}(y_r, y_{bbr}, W_{bbr}^{old} \cup \{y_{bbr}\})$
$\epsilon_r = \mathrm{Sig}_{x_{bbr}}(\delta_r)$
$W_{bbr}^{new} \leftarrow W_{bbr}^{old} \cup \{y_{bbr}\}$
$\Delta_r^{new} \leftarrow \Delta_r^{old} \cup \{(\delta_r, \epsilon_r)\}$

The above specification may suggest that a black-box, $y_{bbr}$, announces itself to be a production black-box (an element of $W_{bbr}$) by producing the self-signed tuple $(\delta_r, \epsilon_r)$. It is important that the updated PKI information, $(W_{bbr}, \Delta_r)$, is published securely in an out-of-band integrity channel, which can be publicly read by all the participants of the system. It is important that this information is not transmitted electronically. The root certificate issuer must notify all the participants of the PKI of every execution of this protocol. For efficient system operation, this procedure should be performed as seldom as possible.

8. Induction of elements from BBC to PBC. This procedure is employed by the root certificate issuer to certify that a particular certificate issuer, $y_c$, intends to make a particular back-up black-box, $y_{bbc}$, its production black-box.

Schema 8
$y_r \in Y,\ x_r \in X : y_r = F(x_r)$
$y_{pbr} \in Y_{pbr} \cup W_{bbr},\ x_{pbr} \in X : y_{pbr} = F(x_{pbr})$
$y_c \in Y_c$
$y_{bbc} \in Y_{bbc}$
$\delta_c = \mathrm{Sig}_{x_r}(y_c, y_{bbc}, W_{bbc}^{old} \cup \{y_{bbc}\}, y_{pbr})$
$\epsilon_c = \mathrm{Sig}_{x_{pbr}}(\delta_c)$
$W_{bbc}^{new} \leftarrow W_{bbc}^{old} \cup \{y_{bbc}\}$
$\Delta_c^{new} \leftarrow \Delta_c^{old} \cup \{(\delta_c, \epsilon_c)\}$
The specification for the protocol requires the root certificate issuer to sign the induction information, $(W_{bbc}, \Delta_c)$, and electronically publish the resulting signature tuple, $(\delta_c, \epsilon_c)$.

9. Verification of the induction of elements from BBR to PBR. All participants in the PKI are expected to respond to the notification from the root certificate issuer during Procedure 7. They are expected to retrieve the updated PKI information, $(W_{bbr}, \Delta_r)$, from the out-of-band integrity channel. The following protocol specification should be used to verify the authenticity of the data. Note that the specification uses data, such as $y_r$ and $Y_{bbr}$, from the bootstrap information.

Schema 9
$y_{bbr} \in W_{bbr}$
$y_{bbr} \in Y_{bbr} : \text{Schema 4} = \mathrm{TRUE}$
$\exists y_r \in Y : \text{Schema 4} = \mathrm{TRUE}$
$\exists (\delta_r, \epsilon_r) \in \Delta_r$
$\mathrm{TRUE} = \mathrm{Ver}_{y_r}(y_r, y_{bbr}, W_{bbr}, \delta_r)$
$\mathrm{TRUE} = \mathrm{Ver}_{y_{bbr}}(\delta_r, \epsilon_r)$

After the successful execution of the above protocol specification, the participants may update their local copies of the bootstrap information, which is assumed to be securely stored in their local cache.

10. Verification of the induction of elements from BBC to PBC. This procedure must be performed prior to Procedures 5 and 6. The specification of the protocol for this phase is as follows.

Schema 10
$y_{bbc} \in W_{bbc}$
$y_{bbc} \in Y_{bbc} : \text{Schema 5} = \mathrm{TRUE}$
$\exists y_r \in Y : \text{Schema 4} = \mathrm{TRUE}$
$(\exists y_{pbr} \in Y_{pbr} : \text{Schema 4} = \mathrm{TRUE}) \lor (\exists y_{pbr} \in W_{bbr} : \text{Schema 9} = \mathrm{TRUE})$
$\exists y_c \in Y_c : \text{Schema 5} = \mathrm{TRUE}$
$\exists (\delta_c, \epsilon_c) \in \Delta_c$
$\mathrm{TRUE} = \mathrm{Ver}_{y_r}(y_c, y_{bbc}, W_{bbc}, y_{pbr}, \delta_c)$
$\mathrm{TRUE} = \mathrm{Ver}_{y_{pbr}}(\delta_c, \epsilon_c)$

The specification is meant to suggest that the root public key, $y_r$, and a root black-box, $y_{pbr}$, have authorised the induction of a certificate issuer's ($y_c$) back-up black-box, $y_{bbc}$, as a production black-box.
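The ten procedures above, as an added worked example that is not part of the paper: a toy Python model of Schemas 1 to 6, 8 and 10 (root induction, Schemas 7 and 9, has the same shape as 8 and 10 and is left out). The paper leaves $F$, Sig and Ver abstract; here they are stood in for by textbook RSA over 20-bit primes with a SHA-256 hash of a canonical JSON encoding, which is insecure and chosen only to keep the block self-contained. Authorities are plain dictionaries holding their own key pair and the private keys of their black-box clones (in a real deployment those never leave the device); certificates are (payload, (α, β)) tuples rather than bare signature pairs, so that a verifier has the signed values to hand. The demo issues a user certificate witnessed by a production clone, then one witnessed by a never-inducted back-up clone, and shows that the second is rejected by Schema 6 until a Schema 8 induction record is published. All function and field names are this example's own.

```python
"""Toy model of the black-box-bound PKI (Schemas 1-6, 8, 10). Sig/Ver are
textbook RSA over 20-bit primes: a stand-in for the paper's abstract
signature scheme, NOT secure. Names are assumed; not the paper's code."""
import hashlib, json, math, random

def _is_prime(m):
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))

def _rand_prime(rng, bits=20):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def keygen(rng):                        # y = F(x): public y = (n, e), private x = (n, d)
    p, q = _rand_prime(rng), _rand_prime(rng)
    while q == p:
        q = _rand_prime(rng)
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))

def _h(msg, n):                         # canonical JSON of the signed tuple, hashed into Z_n
    return int.from_bytes(hashlib.sha256(json.dumps(msg).encode()).digest(), "big") % n

def sig(x, msg):                        # sigma = Sig_x(msg)
    return pow(_h(msg, x[0]), x[1], x[0])

def ver(y, msg, s):                     # Ver_y(msg, sigma)
    return pow(s, y[1], y[0]) == _h(msg, y[0])

def certify(x_signer, x_box, payload):  # shape of Schemas 2, 3, 8: alpha, then the clone witnesses it
    alpha = sig(x_signer, payload)
    return alpha, sig(x_box, alpha)

def verify_pair(y_signer, y_box, payload, cert):  # shape of Schemas 5, 6, 10
    alpha, beta = cert
    return ver(y_signer, payload, alpha) and ver(y_box, alpha, beta)

def authority(rng, n_prod=1, n_backup=1):
    """Root or issuer: own key pair plus production/back-up clones. box_x stands
    for the x_i each clone keeps inside the device; only y_i is ever exported."""
    y, x = keygen(rng)
    boxes = [keygen(rng) for _ in range(n_prod + n_backup)]
    return {"y": y, "x": x, "Ypb": [b[0] for b in boxes[:n_prod]],
            "Ybb": [b[0] for b in boxes[n_prod:]], "box_x": dict(boxes), "Wbb": []}

def bootstrap(root):                    # Schema 1: ((y_r, Y_pbr, Y_bbr), alpha_r, B_r), out of band
    payload = (root["y"], root["Ypb"], root["Ybb"])
    B_r = [sig(root["box_x"][y], payload) for y in root["Ypb"] + root["Ybb"]]
    return payload, sig(root["x"], payload), B_r

def verify_bootstrap(boot):             # Schema 4 (one beta per clone, in published order)
    (yr, Ypbr, Ybbr), alpha_r, B_r = boot
    boxes = Ypbr + Ybbr
    return (ver(yr, boot[0], alpha_r) and len(B_r) == len(boxes)
            and all(ver(y, boot[0], b) for y, b in zip(boxes, B_r)))

def issue_issuer(root, ypbr, issuer):   # Schema 2 -> element of Sigma_c
    payload = (issuer["y"], issuer["Ypb"], issuer["Ybb"], ypbr)
    return payload, certify(root["x"], root["box_x"][ypbr], payload)

def induct_issuer_box(root, ypbr, issuer, ybbc):  # Schema 8 -> element of Delta_c
    issuer["Wbb"].append(ybbc)
    payload = (issuer["y"], ybbc, list(issuer["Wbb"]), ypbr)   # W_bbc as of this induction
    return payload, certify(root["x"], root["box_x"][ypbr], payload)

def issue_user(issuer, ypbc, yu):       # Schema 3 -> element of Sigma_u
    payload = (yu, ypbc)
    return payload, certify(issuer["x"], issuer["box_x"][ypbc], payload)

def verify_issuer(boot, rec):           # Schema 5 (root production clones only)
    (yr, Ypbr, _), (_, _, _, ypbr), cert = boot[0], rec[0], rec[1]
    return verify_bootstrap(boot) and ypbr in Ypbr and verify_pair(yr, ypbr, rec[0], cert)

def verify_induction(boot, issuer_rec, ind):  # Schema 10
    (yr, Ypbr, _), (yc, _, Ybbc, _) = boot[0], issuer_rec[0]
    (yc2, ybbc, Wbbc, ypbr), cert = ind
    return (verify_issuer(boot, issuer_rec) and yc2 == yc and ybbc in Ybbc
            and ybbc in Wbbc and ypbr in Ypbr and verify_pair(yr, ypbr, ind[0], cert))

def verify_user(boot, issuer_rec, Delta_c, rec):  # Schema 6: key, issuer and clone authorised
    (yc, Ypbc, _, _), ((_, ypbc), cert) = issuer_rec[0], rec
    box_ok = ypbc in Ypbc or any(i[0][1] == ypbc and verify_induction(boot, issuer_rec, i)
                                 for i in Delta_c)
    return verify_issuer(boot, issuer_rec) and box_ok and verify_pair(yc, ypbc, rec[0], cert)

def demo_pki(seed=1):
    rng = random.Random(seed)
    root, issuer = authority(rng), authority(rng)
    boot, ypbr = bootstrap(root), root["Ypb"][0]
    issuer_rec = issue_issuer(root, ypbr, issuer)
    yu, _ = keygen(rng)
    on_prod = verify_user(boot, issuer_rec, [], issue_user(issuer, issuer["Ypb"][0], yu))
    backup = issuer["Ybb"][0]
    rec = issue_user(issuer, backup, yu)  # witnessed by a clone that is still a back-up
    before = verify_user(boot, issuer_rec, [], rec)
    Delta_c = [induct_issuer_box(root, ypbr, issuer, backup)]  # Schema 8 record published
    after = verify_user(boot, issuer_rec, Delta_c, rec)
    return on_prod, before, after       # (True, False, True)
```

The point the demo makes is the third authorisation of Verification Action 3: `rec` carries a perfectly valid issuer signature and a valid black-box witness signature, yet `verify_user` rejects it because the witnessing clone is in $Y_{bbc}$ and not in $Y_{pbc} \cup W_{bbc}$; only the root's Schema 8 record, itself witnessed by a root production clone, makes the same certificate acceptable.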
3 Security Analysis
The goals stated in Section 2.2 are achieved by the above model. This section provides a sketch for this claim.

Goal 1: The procedures for certification activities, namely Procedures 1, 2, 3, 7 and 8, are designed to achieve this goal.
1. Procedure 1 cryptographically binds the root public key with the root black-box public keys by using the bootstrap information and the out-of-band integrity channel.
2. Procedure 2 cryptographically binds the certificate-issuer public key with the corresponding black-box public keys by requiring the root signature on these values and a root black-box signature on that root signature.
3. Procedure 3 cryptographically binds the user public key with a certificate-issuer public key and a corresponding issuer black-box public key.
4. Procedures 7 and 8 allow the induction of back-up black-boxes into production at Level 0 and Level 1 of the PKI (refer to Section 1).

Goal 2: The procedures for verification activities, namely Procedures 4, 5, 6, 9 and 10, are designed to achieve this goal.
1. Procedure 4 traces the binding between the root public key and all the root black-box public keys.
2. Procedure 5 traces the binding between the certificate-issuer public key and all the certificate issuer black-box public keys by tracing this information to the root public key and a corresponding root production black-box public key. Procedure 5 employs the information generated by Procedures 4 and 9.
3. Procedure 6 traces the binding between the user public key, the certificate-issuer public key, and a corresponding certificate-issuer production black-box public key. It additionally performs the tracing operation specified for Procedure 5. Procedure 6 employs the information generated by Procedures 4, 7, and 9.
4. Procedures 9 and 10 trace the induction information that signalled the move of a black-box from the back-up pool to the production pool. This is achieved by verifying either the information from the out-of-band integrity channel, in the case of Procedure 9, or the certification information generated by Procedure 8, in the case of Procedure 10. Procedure 10 employs the information generated by Procedures 4 and 9.

Thus, the dependencies between the various verification procedures allow any participant to uniquely trace all the certificates in the set of verifiable certification links.
4 Conclusion
This paper presented a novel approach to cryptographically bind the certificates generated by every certificate issuer, including the root, to the black-box which was used to generate that certificate. Such an approach allows any neutral monitor to trace cryptographically all the certificates originating from an issuer organisation to the black-box which the organisation must have used to generate that certificate. Such a mechanism has the capability to uniquely pin down the geographical location where the certificate was generated, by constraining the location of the black-box. This facilitates improved transparency of operations in the PKI. The most important aspect of the approach is that it, for the first time, provides a cryptographic mechanism to gather evidence in the case of misuse of certain certifying keys. Such a mechanism will be a very useful tool for the policy and legislative wings of PKI management activities. Although the proposed scheme is cryptographically functionally rich, its operations can be greatly optimised by designing suitable signature and verification algorithms. The use of multi-signature schemes [1, 4] may provide valuable research data in this regard. We hope that the research community will verify the completeness and consistency of our formal specification using formal verification techniques.
Acknowledgements We thank the anonymous referees for their valuable feedback.
References

[1] Colin Boyd. Digital multisignatures. In Henry J. Beker and F. C. Piper, editors, Cryptography and Coding 1986, Oxford Science Publications, pages 241–246. Clarendon Press, Oxford, 1989.
[2] David Chaum. Designated confirmer signatures. In Alfredo De Santis, editor, Advances in Cryptology – EUROCRYPT '94, volume 950 of LNCS, pages 86–91. Springer-Verlag, 1994.
[3] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, April 1988.
[4] Patrick Horster, Markus Michels, and Holger Petersen. Meta-multisignature schemes based on the discrete logarithm problem. Technical Report TR-94-12-F, Department of Computer Science, University of Technology Chemnitz-Zwickau, September 1994.
[5] Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto. Proxy signatures: Delegation of the power to sign messages. IEICE Transactions on Fundamentals, volume E79-A, September 1996.
[6] Ueli M. Maurer and Pierre E. Schmid. A calculus for security bootstrapping in distributed systems. Journal of Computer Security, 4(1):55–80, 1996.
[7] National Institute of Standards and Technology. Federal Information Processing Standard FIPS PUB 186: Digital Signature Standard (DSS), 1991.
[8] National Institute of Standards and Technology. Security Requirements for Cryptographic Modules, FIPS PUB 140-1, January 1994.
[9] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
Cryptanalysis of Optimal Differential Energy Watermarking (DEW) and a Modified Robust Scheme

Tanmoy Kanti Das¹ and Subhamoy Maitra²

¹ Computer Vision and Pattern Recognition Unit, Indian Statistical Institute, 203, B T Road, Calcutta 700 108, INDIA, das [email protected]
² Applied Statistics Unit, Indian Statistical Institute, 203, B T Road, Calcutta 700 108, INDIA, [email protected]
Abstract. In this paper we provide a cryptanalysis of the well known “Optimal Differential Energy Watermarking (DEW)” scheme. The DEW scheme divides the image into some disjoint regions (each region containing two subregions). The watermark is basically a secret binary string where each individual bit information is inserted in one of the regions by modifying the high frequency DCT (Discrete Cosine Transform) coefficients. This modification creates required energy difference between two subregions. We here modify the high frequency components so that this energy difference vanishes and in turn extraction of watermark signal becomes impossible, making the cryptanalysis successful. Moreover, we modify the DEW scheme by inserting the bit information in low frequency components instead of high frequency components and propose an oblivious robust watermarking strategy which can trace the buyer too. Keywords: Cryptanalysis, Digital Watermarking, Discrete Cosine Transform, Subset Sum.
1 Introduction
Over the last decade watermarking technologies have been developed to a large extent for protecting the copyright of digital media. A lot of watermarking strategies have been proposed in this period. In the meantime, a number of benchmark attacks have been proposed, which robust watermarking strategies should pass. However, no attempt has been made to analyze each of the popular schemes individually and present customized attacks to highlight the weakness of each individual scheme. As is generally done in cryptology, we here concentrate on a specific scheme, known as "Optimal Differential Energy Watermarking (DEW)" [7], and present a successful cryptanalysis. Further, we provide the necessary corrections to make the scheme robust.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 135–148, 2002. © Springer-Verlag Berlin Heidelberg 2002

Let us now provide a brief description of images and watermarking strategies in general. An image $I$ can be interpreted as a two-dimensional matrix. If it is a gray scale image, then the integer values stored in each location of the matrix represent the intensity, which is generally in the range 0 to 255. Higher resolutions may also be achieved by increasing this range. Coloured images can generally be seen as an assorted set of three such matrices, which correspond to the intensity values of the red, green and blue channels. These are called the representations in the spatial domain. Different transform domain representations are also available, such as the Fast Fourier Transform (FFT), Discrete Cosine Transform (DCT) [3], Wavelet Transform, etc. [8]. These can also be seen as matrices containing either real or complex values. Thus, the best way to interpret an image is as a matrix of values. Note that, if we change the values of this matrix in some range, visually the image quality may not degrade. Given an image $I$, let us define the neighbourhood of $I$, $N(I)$, which contains all the images which are visually indistinguishable from $I$. Even if the image is not in the spatial domain, while interpreting the neighbourhood of the image, we must consider the image in the spatial domain (that is, we need the inverse transform from the transformed domain to the spatial domain) for visual indistinguishability. There are also some measures, e.g., Peak Signal to Noise Ratio (PSNR) [6, Page 112], which can be used as measures of visual indistinguishability.

The concept of invisible digital watermarking works as follows. Given an image $I$, a signal $s^{(i)}$ is added to $I$, which produces a watermarked image $I^{(i)} = I + s^{(i)} \in N(I)$. The addition means some kind of element-wise addition in the matrix. This image $I^{(i)}$ is given to the $i$-th buyer. Now the watermark retrieval algorithm works in two ways.

1. In the non-oblivious schemes (e.g., the CKLS scheme [1]), the original image is used in the retrieval process. The available image (which may have been attacked using image processing or cryptanalytic techniques) $I^{\#}$ is compared to the original image $I$ and a signal $s^{\#} = I^{\#} - I$ is recovered. Finally, from $s^{\#}$, the buyer $i$ is suspected if $s^{(i)}$ possesses some significant correlation with $s^{\#}$.
2. In the oblivious schemes (e.g., the DEW scheme [7]), the original image is not used in the retrieval process, but some other information related to the image, generally known as the image key, is available. From the available image (which may have been attacked using image processing or cryptanalytic techniques) $I^{\#}$ and the image key, a signal $s^{\#}$ is recovered. From $s^{\#}$, the buyer $i$ is suspected if $s^{(i)}$ possesses some significant correlation with $s^{\#}$.

The robustness of the watermarking strategy depends on how well the proper buyer is identified (who has intentionally attacked the watermarked image) and how infrequently an honest buyer is wrongly implicated.

By cryptanalysis of a digital watermarking scheme we mean the following. Let $I^{(i)}$ be a watermarked copy of $I$. One has to mount an attack to construct $I^{\#}$ from $I^{(i)}$ such that there is no significant correlation between $s^{\#}$ and $s^{(i)}$. Thus, the buyer $i$ will not be identified. Moreover, $I^{(i)}$ and $I^{\#}$ need to be visually indistinguishable. To the attacker, only $I^{(i)}$ is available, but $I$ and $s^{(i)}$ are not known. Thus there is no facility for the attacker to directly test that the
watermarking signal has been removed. However, the attacker needs to be convinced indirectly that the watermark is erased, i.e., that the correlation between $s^{(i)}$ and $s^{\#}$ has been removed. It is already known that existing correlation-based watermarking techniques are susceptible to collusion attacks under a generalized framework [2]. This requires a sufficient number of watermarked copies. In particular, if the effective document length is $n$, then at most $O(\sqrt{n/\ln n})$ copies are required to defeat the watermarking scheme. Note that for an image of size 256 × 256 or 512 × 512, a successful collusion attack may require a large number of watermarked images, depending on the size of the key information. This may not be practical. On the other hand, we here concentrate on a cryptanalytic attack based on a single watermarked copy. Before going into further details, let us highlight why such a cryptanalytic attack is important.

1. The watermarking strategies should survive some standard image transformations. These are cropping, rotation, resizing, JPEG compression [13], wavelet compression [8], etc. Note that most of the current schemes can easily survive these transformations. The existing methods can also survive attacks related to the insertion of random noise in the image, some filtering attacks [5, 6] or nonlinear geometric attacks such as Stirmark [10, 11]. It is clear that once an attack based on some image processing technique is proposed, it is expected that there will be some (inverse) image processing methodology to resist such kinds of attack. Thus single-copy attacks based on image processing techniques should not survive in the long run.
2. The existing watermarking models have never been analyzed using cryptanalytic techniques, as is done in the case of any standard cryptographic scheme.
We here look into the watermarking scheme as a cryptographic model and provide a very strong attack, which can even be considered a ciphertext-only attack (for different kinds of cryptanalytic attacks, see [9]). Here we mount the attack on the DEW scheme [7] and provide successful results by removing the watermark. It is important to analyze each of the well known watermarking schemes in detail, and it seems that the existing schemes are not robust with respect to customized cryptanalytic attacks on each of the schemes.
3. Further, the cryptanalytic attack motivates us to remove the weakness of the scheme, and we propose a modification of the DEW scheme which resists such cryptanalysis. The DEW scheme itself is an oblivious scheme and what we propose after the modification is also an oblivious one. However, it is important to note that in the DEW scheme the watermark was image specific and was the same for all the buyers. That means the identification of the watermark can only prove the copyright, but it cannot trace the buyer who has violated the copyright agreement. In our scheme we present a buyer-specific watermark, so that it is possible to identify the malicious buyer.

In [12, Page 122], a statistical removal attack has been pointed out. The attack was based on a large number of rewatermarks on the watermarked image
and then trying to remove each of the rewatermarks using some image transformations. First of all, putting a lot of rewatermarks degrades the visual quality of the image. In the DEW scheme [7], with the standard experimental parameters, we have checked that putting consecutive watermarks degrades the quality of the image. Moreover, the exact image transformations that are required to remove the rewatermarks have not been discussed in [12]. In this paper we present a concrete watermark removal strategy on a specific scheme.

We describe the DEW scheme in Subsection 1.1. In Section 2 we present the attack. We first present the basic attack in Subsection 2.1 and then remove its limitation to mount a stronger attack, which is described in Subsection 2.2. Next we modify the DEW scheme in Section 3 to present a robust watermarking strategy.

1.1 DEW Scheme
The Optimal Differential Energy Watermarking (DEW) scheme [7] introduces the watermark in the DCT (Discrete Cosine Transform) domain. The scheme works on JPEG compressed images, and hence it is natural to interpret the image as a set of small blocks of size 8 × 8. In the DEW scheme, each block is interpreted as a collection of 64 re/pre-quantized DCT coefficients. The set of blocks is then divided into groups, each containing n blocks. Each such group is termed an "lc-region". A particular lc-region can in turn be divided into two "lc-subregions" A and B: the first (respectively last) n/2 blocks of the lc-region constitute lc-subregion A (respectively B).

Let us now describe how to calculate the high-frequency energy E_A or E_B of the lc-subregions A or B. The energy is calculated over the subset S(c) of the 64 DCT coefficients (indexed in zigzag order) of a particular 8 × 8 block b. This subset is determined by the cutoff index c and is given by S(c) = { i ∈ {0, 1, ..., 63} | i > c }. The energies E_A and E_B can then be expressed as

E_A(c, n, Q_{jpeg}) = \sum_{b=0}^{n/2-1} \sum_{i \in S(c)} \left([\theta_{i,b}]_{Q_{jpeg}}\right)^2,
E_B(c, n, Q_{jpeg}) = \sum_{b=n/2}^{n-1} \sum_{i \in S(c)} \left([\theta_{i,b}]_{Q_{jpeg}}\right)^2,

where [θ_{i,b}]_{Q_jpeg} is the value of the DCT coefficient of block b (in lc-subregion A or B) at frequency index i, quantized with the standard JPEG quantization procedure at quality Q_jpeg. When the parameter values c, n, Q_jpeg are clear from the context, E_A(c, n, Q_jpeg) is written simply as E_A. The energy difference D is given by D(c, n, Q_jpeg) = E_A − E_B.

The watermark information is represented by a string of l bits known as the label bit string L. A label bit L_j (j = 0, 1, ..., l − 1) is embedded as follows. Consider the j-th lc-region. If L_j = 0, then all DCT coefficients after the cutoff index c are set to zero in the blocks of lc-subregion B, i.e., E_B becomes 0, so the energy difference becomes D(c, n, Q_jpeg) = E_A − E_B = E_A. If L_j = 1, then all DCT coefficients after the cutoff index c are set to zero in the blocks of lc-subregion A, i.e., E_A becomes 0, so the energy difference becomes D(c, n, Q_jpeg) = E_A − E_B = −E_B.

Thus each label bit is tied to one lc-region consisting of n distinct 8 × 8 DCT blocks. A bit is encoded by introducing an energy difference D between the first n/2 DCT blocks (lc-subregion A) and the next n/2 DCT blocks (lc-subregion B) of an lc-region. The energy difference is created by removing high-frequency coefficients from lc-subregion B or A, depending on whether a 0 or a 1 is to be embedded. The value of D directly influences the perceptual quality of the watermarked image: the larger D, the smaller c, so more and more high-frequency DCT coefficients get removed and the image quality degrades. Hence the cutoff index c must be greater than a certain minimum cutoff index c_min. In terms of the required energy difference D_req, the cutoff index c is the largest index of the DCT coefficients for which both E_A and E_B are greater than D_req. The DEW watermark insertion scheme in algorithmic form is as follows.

Algorithm 1
1. Randomly arrange the 8 × 8 DCT blocks of the JPEG image using a pseudorandom generator with an initial random seed S and group them into lc-regions.
2. FOR j = 0 to l − 1 DO
   (a) Select the j-th lc-region consisting of n blocks.
   (b) FOR c_ctr = c_min + 1 to 63 DO
       i. calculate E_A(c_ctr).
       ii. calculate E_B(c_ctr).
   (c) c = max(c_T) where c_T = { c_ctr ∈ {c_min + 1, ..., 63} | E_A(c_ctr) > D_req, E_B(c_ctr) > D_req }.
   (d) IF (L_j = 0) discard the coefficients after c in all blocks of lc-subregion B.
   (e) IF (L_j = 1) discard the coefficients after c in all blocks of lc-subregion A.
3. Arrange the DCT blocks back to their original positions.
Thus the seed S of the pseudorandom generator and the bit string L are the secret parameters. To extract a bit from an lc-region one has to find the value of c used at the time of embedding. To do this we calculate E_A(c_ctr) for all possible values of the cutoff index c_ctr and keep those for which E_A(c_ctr) < D′ (the value of D′ can be taken as equal to D) for the blocks in lc-subregion A. Among all the candidate cutoff indices we take the minimum one as the cutoff index c_A for lc-subregion A. Similarly we calculate c_B. The actual cutoff index is c = max(c_A, c_B). If c_A < c_B then the label bit is 1; else if c_A > c_B the label bit is 0. If c_A = c_B then we recalculate E_A(c) and E_B(c): if E_A(c) < E_B(c) then the label bit is 1, else the label bit is 0. The extraction procedure is described in detail below.
Algorithm 2
1. Arrange the 8 × 8 DCT blocks of the JPEG image as in the watermark insertion stage and recover the same grouping into lc-regions, using the same pseudorandom generator and the same seed S as in Algorithm 1.
2. FOR j = 0 to l − 1 DO
   (a) Select the j-th lc-region consisting of n blocks.
   (b) FOR c_ctr = c_min + 1 to 63 DO
       i. calculate E_A(c_ctr).
       ii. calculate E_B(c_ctr).
   (c) c_A = min(c_T) where c_T = { c_ctr ∈ {c_min + 1, ..., 63} | E_A(c_ctr) < D′ }.
   (d) c_B = min(c_T) where c_T = { c_ctr ∈ {c_min + 1, ..., 63} | E_B(c_ctr) < D′ }.
   (e) L_j = 0.
   (f) IF (c_A < c_B) L_j = 1.
   (g) IF ((c_A = c_B) AND (E_A(c_A) < E_B(c_B))) L_j = 1.
2 Attacks on the DEW Scheme

Though the DEW scheme performs satisfactorily against the known attacks experimented with in [7], it fails against cryptanalytic attacks designed specifically for it. In this section we describe two strategies to defeat the DEW scheme; the second is a refined version of the first.

2.1 Basic Attack
As in the DEW scheme, we also work on the re/pre-quantized DCT coefficients available from each 8 × 8 block of the watermarked image. In a particular block some of the high-frequency DCT coefficients are expected to be absent for two reasons: JPEG compression itself, and the watermark embedding by the DEW algorithm. From the nature of the DEW scheme it should be noted that if the removed coefficients can be compensated for, the DEW scheme fails. Thus our aim is to compensate the removed coefficients (whether removed by JPEG compression or by the DEW algorithm) in each block. The basic algorithm is as follows.

Algorithm 3
1. FOR each 8 × 8 block DO
   (a) Read the re/pre-quantized zigzag-scanned DCT coefficients θ_j (j = 0, ..., 63).
   (b) Sort θ_j (j = 1, ..., 63), not considering the DC value, to get θ′_j (j = 1, ..., 63) and an index vector V such that θ′_j = θ_{V_j}.
   (c) Fit a polynomial P of degree d over θ′ using the following points:
       i. the points (j, θ′_j) for which θ′_j ≠ 0;
       ii. the point (k, θ′_k), where s is the largest and t the smallest index such that θ′_s = θ′_t = 0, and k = (s + t)/2.
   (d) IF θ′_j = 0 THEN θ′_j = P(j) (j = 1, ..., 63).
   (e) Undo the sorting: θ_{V_j} = θ′_j (j = 1, ..., 63).
   (f) Write back θ as the DCT values of the block.
2. Write back the image at 100% JPEG quality.

We are actually extrapolating the eliminated values by polynomial fitting. The extrapolated values may be very small in some cases, so they may be eliminated again by quantization when the image is saved as JPEG. This is the reason we save the attacked image at 100% quality.

Experimental Results. We now present experimental results using a setup similar to that of [7] with the 512 × 512 Lena image. First we take the watermarking parameters D = 40, c_min = 3, Q_JPEG = 75% and n = 16; we call this Watermarking Parameter Set 1 (WPS 1). Next we use the watermarking parameters D = 500, c_min = 3, Q_JPEG = 25%, n = 64, which we call WPS 2. In both cases the label bit pattern L has length l = 256. The results of the cryptanalysis are given in Table 1. The degree d of the polynomial P used in the cryptanalysis was 3. Note that the bit error is close to 50% when, after cryptanalysis, the image is saved at JPEG quality 100%; thus the attack succeeds. Though in the cryptanalysis we suggest saving the image at 100%, the watermark detector may re-save the attacked image at the JPEG quality that was used while embedding the watermark. To elaborate on the experiment, we change the last step of the cryptanalysis and save the attacked images at JPEG quality factors 100%, 75%, 50% and 25%. We find that at lower quality factors, for WPS 2, the bit error is much less than 50%, which means the attack is not successful. This is explained by the fact that, due to quantization at lower JPEG quality, the coefficients extrapolated by polynomial fitting during the cryptanalysis get removed again, so the extraction procedure performs better. From these experimental results it is clear that the proposed technique needs modification. We present a modified version next.

Table 1. Bit error after cryptanalysis
Image  WPS    Q_JPEG = 100%  Q_JPEG = 75%  Q_JPEG = 50%  Q_JPEG = 25%
Lena   WPS 1  50.7%          42.1%         42.3%         44%
Lena   WPS 2  47.1%          38.2%         27.1%         16.8%

2.2 Improved Cryptanalysis
Now we modify the previous strategy. We have to ensure that after the cryptanalysis the bit error stays close to 50% even if the image is saved at any JPEG quality. Thus our aim is to create a situation in which, for any lc-region, the energy difference between E_A and E_B is minimized (very close to zero), so that the label bit (the watermarking signal) cannot be extracted from the attacked image. Towards this, we select a global cut-off frequency f_c for the complete image. In the DCT domain of every 8 × 8 block of the image we remove all frequency components greater than f_c. Moreover, if some frequency components with frequency ≤ f_c are already zero (either due to JPEG compression or due to the watermark), we try to extrapolate those values. Thus the DEW algorithm is attacked at two levels: at the first level we remove some frequency components and at the second level we add some. We intentionally remove some high-frequency coefficients so that the blocks that were unaffected by the DEW algorithm get affected in the same way as the blocks that were affected by it. Note that if removing some high-frequency coefficients from one set of blocks by the DEW algorithm does not degrade the image quality, then removing high-frequency coefficients from the other set of blocks is not expected to degrade the image either. Importantly, it reduces the energy difference created by the DEW algorithm, and hence the watermark signal cannot be extracted. The detailed algorithm is as follows.

Algorithm 4
1. Set the value of f_c.
2. FOR each block of the image DO
   (a) Read the zigzag-scanned DCT coefficients into θ_j (j = 0, ..., 63).
   (b) Set θ_j = 0 for j > f_c.
   (c) IF θ_{f_c} = 0 THEN
       i. Find f such that θ_k = 0 for all k with f < k ≤ f_c.
       ii. Sort θ_j (j = 1, ..., f) to get θ′_j (j = 1, ..., f) and maintain an index vector V such that θ′_j = θ_{V_j}.
       iii. Fit a polynomial P of degree d using the data points (k, θ′_k) for k = 1, ..., f and (f_c, θ_{f_c}).
       iv. θ′_j = P(j) for j = f + 1, ..., f_c.
       v. θ_j = θ′_j for j = f + 1, ..., f_c.
   (d) Write back θ.

It is to be noted that the selection of f_c is very important: setting the value very small degrades the image quality, while setting it very high may reduce the strength of the attack.

As a hypothetical case, consider the situation in which all the watermarking information used in the embedding process is known. Then for each lc-region some cut-off c is selected in step 2(c) of Algorithm 1, and it is best to take f_c = c for that lc-region; in that case the energy difference created in that lc-region vanishes. Since the organization of the lc-regions is a secret parameter, it is not possible to know the groups, and hence not possible to obtain c as in step 2(c) of Algorithm 1. We therefore have to estimate it, and we estimate it globally for the complete image as follows. We select a random arrangement of lc-regions and for each lc-region j we calculate c and call it c_j. Then we take the average of the c_j's and set f_c slightly less than that average.
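As an added worked example (this is not code from the paper or the authors' implementation), the following Python models the DEW insertion and extraction of Algorithms 1 and 2 from Subsection 1.1 together with the truncation step 2(b) of Algorithm 4 and the f_c estimate just described. The 8 × 8 blocks are constructed synthetic integer coefficient vectors in zigzag order, not coefficients read from a real JPEG; the extrapolation step 2(c) of Algorithm 4 is left out, and all function names, the margin subtracted from the averaged c_j and the parameter values are this example's own choices. The effect of the attack is checked in the hypothetical known-key case from the paragraph above: with f_c = min_j c_j, truncating the watermarked blocks yields exactly the same blocks as truncating the unwatermarked original, so nothing of the watermark survives.

```python
import random
from typing import List

Block = List[int]  # 64 quantized DCT coefficients in zigzag order; index 0 is the DC term


def synthetic_blocks(count: int, seed: int) -> List[Block]:
    """Constructed stand-in for the re/pre-quantized DCT blocks of a JPEG image:
    integer coefficients whose spread shrinks with the frequency index (not real image data)."""
    rng = random.Random(seed)
    return [[round(rng.gauss(0, 60.0 / (1 + i / 3))) for i in range(64)] for _ in range(count)]


def energy(blocks: List[Block], c: int) -> int:
    """E(c): sum over the given blocks and over S(c) = {i > c} of the squared coefficients."""
    return sum(th[i] ** 2 for th in blocks for i in range(c + 1, 64))


def lc_regions(num_blocks: int, n: int, seed: int) -> List[List[int]]:
    """Step 1 of Algorithms 1 and 2: shuffle the block indices with the secret seed S
    and cut the sequence into lc-regions of n blocks each."""
    order = list(range(num_blocks))
    random.Random(seed).shuffle(order)
    return [order[k:k + n] for k in range(0, num_blocks - num_blocks % n, n)]


def subregions(blocks: List[Block], region: List[int]):
    """lc-subregion A is the first n/2 blocks of the region, B the last n/2."""
    half = len(region) // 2
    return [blocks[b] for b in region[:half]], [blocks[b] for b in region[half:]]


def cutoff(blocks: List[Block], region: List[int], cmin: int, dreq: int) -> int:
    """Step 2(c) of Algorithm 1: the largest c in (cmin, 63] with E_A(c) > D_req and E_B(c) > D_req."""
    A, B = subregions(blocks, region)
    ok = [c for c in range(cmin + 1, 64) if energy(A, c) > dreq and energy(B, c) > dreq]
    if not ok:
        raise ValueError("lc-region carries too little high-frequency energy for D_req")
    return max(ok)


def dew_embed(blocks, bits, n, seed, cmin=3, dreq=40) -> List[Block]:
    """Algorithm 1: for label bit 0 zero the coefficients after c in lc-subregion B, for bit 1 in A."""
    out = [list(th) for th in blocks]
    for bit, region in zip(bits, lc_regions(len(blocks), n, seed)):
        c = cutoff(out, region, cmin, dreq)
        half = n // 2
        for b in (region[half:] if bit == 0 else region[:half]):
            out[b][c + 1:] = [0] * (63 - c)
    return out


def dew_extract(blocks, num_bits, n, seed, cmin=3, dprime=40) -> List[int]:
    """Algorithm 2: c_A (c_B) is the smallest cut-off at which E_A (E_B) drops below D'; compare them."""
    bits = []
    for region in lc_regions(len(blocks), n, seed)[:num_bits]:
        A, B = subregions(blocks, region)
        cA = min((c for c in range(cmin + 1, 64) if energy(A, c) < dprime), default=64)
        cB = min((c for c in range(cmin + 1, 64) if energy(B, c) < dprime), default=64)
        is_one = cA < cB or (cA == cB and energy(A, cA) < energy(B, cB))
        bits.append(1 if is_one else 0)
    return bits


def truncate(blocks: List[Block], fc: int) -> List[Block]:
    """Step 2(b) of Algorithm 4 applied to every block: drop every coefficient with index > f_c."""
    return [th[:fc + 1] + [0] * (63 - fc) for th in blocks]


def estimate_fc(blocks, n, cmin=3, dreq=40, margin=2, guess_seed=0) -> int:
    """The attacker's f_c from Section 2.2: cut-offs of a random (wrong-key) arrangement,
    averaged, then lowered by a small margin (the margin value is this example's choice)."""
    cs = [cutoff(blocks, r, cmin, dreq) for r in lc_regions(len(blocks), n, guess_seed)]
    return max(cmin + 1, round(sum(cs) / len(cs)) - margin)


def bit_error_rate(got: List[int], expected: List[int]) -> float:
    return sum(x != y for x, y in zip(got, expected)) / len(expected)


if __name__ == "__main__":
    original = synthetic_blocks(128, seed=1)  # 128 constructed blocks
    n, seed = 8, 42                           # n = 8 blocks per lc-region, seed S = 42
    label = [1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0]
    marked = dew_embed(original, label, n, seed)
    print("extracted without attack:", dew_extract(marked, len(label), n, seed) == label)
    fc = estimate_fc(marked, n)
    attacked = truncate(marked, fc)
    print("f_c =", fc, "bit error rate after truncation:",
          bit_error_rate(dew_extract(attacked, len(label), n, seed), label))
```

The extractor reads the bits back correctly from the watermarked blocks, while in the known-key case the truncated watermarked image and the truncated original are identical lists, which is the strongest form of the "energy difference vanishes" statement above. With the estimated f_c the result depends on how many regions have c_j ≥ f_c; the bit error rate printed at the end is the statistic Table 2 reports for real images.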
Experimental Results. Here also we use the same experimental setup as in Subsection 2.1, with the same watermarking parameter sets WPS 1 and WPS 2. All images are of size 512 × 512. The values of f_c are given in Table 2. The degree d of the polynomial P used in the cryptanalysis was 3. The table shows that in all cases the bit error rate is close to 50%; thus the attack is successful. The images are shown in Figure 1. Note that the attacked images are visually indistinguishable from the original or watermarked images.
Fig. 1. Attack on DEW scheme. Top-left : original image. Top-right : watermarked image at 75% JPEG quality. Bottom-left : Attacked image saved at 75% JPEG quality. Bottom-right : Attacked image saved at 25% JPEG quality
Table 2. Bit error after modified cryptanalysis
Image     WPS    f_c  Q_JPEG = 100%  Q_JPEG = 75%  Q_JPEG = 50%  Q_JPEG = 25%
Lena      WPS 1  23   51%            46%           49%           47%
Baboon    WPS 1  23   57%            50%           52%           51%
Pentagon  WPS 1  50   55%            48%           48%           48%
Lena      WPS 2  21   50%            47%           46%           49%
Baboon    WPS 2  19   54%            47%           51%           53%
Pentagon  WPS 2  35   48%            48%           48%           47%

3 Modified DEW Scheme
The vulnerability of the DEW scheme comes from the fact that it effectively introduces the watermark in the high-frequency DCT coefficients, which can be removed completely without loss of fidelity. If, on the other hand, the watermark is introduced in the low-frequency region, the coefficients cannot be removed, and hence it is very hard to erase or tamper with the watermark. Introducing the watermark at low frequencies raises other issues, for instance how to create an energy difference within an lc-region using the low-frequency components, since one cannot remove the low-frequency components without visual degradation of the host image. If one decides to reduce the energy of the low-frequency components by a small percentage rather than removing them, that alone may not produce the intended result. Consider a scenario where the low-frequency energy of lc-subregion A is much greater than that of lc-subregion B, but one needs to enforce an energy difference such that the low-frequency energy of B becomes greater than that of A. This cannot be achieved with a small percentage change of the low-frequency components. So what we need is a proper reorganization of the blocks within an lc-region such that the energies of lc-subregions A and B are close. In that situation the required energy difference can be enforced with a small percentage change of the individual low-frequency DCT coefficients. Let us now formalize the scheme.

3.1 Watermark Embedding
We present two major modifications of the DEW scheme. First, the energy difference is created by changes to low-frequency DCT coefficients. Second, the blocks are randomly permuted such that in any lc-region the low-frequency energies of lc-subregions A and B differ by less than some small quantity δ. The energy of a block b is the sum of the absolute values of its q low-frequency DCT coefficients, excluding the DC coefficient. Thus the energies of lc-subregions A and B are given by

E_A(q, n) = \sum_{b=0}^{n/2-1} \sum_{j=1}^{q} |\theta_{j,b}|, \qquad E_B(q, n) = \sum_{b=n/2}^{n-1} \sum_{j=1}^{q} |\theta_{j,b}|

respectively. We are not concerned with the JPEG quality here, since the low-frequency components are not seriously disturbed by JPEG compression. We organize the lc-subregions A, B such that |E_A − E_B| < δ, i.e., E_A ≈ E_B. If we embed a bit 0 (respectively 1) in that region, we want E′_A (E_A after the modification) to become substantially greater (respectively smaller) than E′_B (E_B after the modification). Let α be the fractional change required to enforce the energy difference, i.e., after the modification we need

\left| \frac{E'_A - E'_B}{E'_A + E'_B} \right| \geq \alpha.

The exact scheme is presented below. Note that the l-bit binary pattern L is different for each buyer, so at the extraction phase the copyright infringer can be identified from the recovered bit pattern.

Algorithm 5
1. Randomly arrange the 8 × 8 DCT blocks of the JPEG image using a pseudorandom generator and group them into lc-regions. Divide each lc-region into two lc-subregions such that E_A ≈ E_B. Store this grouping information; we call it the image key K.
2. FOR m = 0 to l − 1 DO
   (a) Select the m-th lc-region consisting of n blocks.
   (b) Let 2α = α_1 + α_2.
   (c) IF (L_m = 0) THEN
       i. θ_{j,b} = θ_{j,b} · (1 + α_1) for b = 0, ..., n/2 − 1 and j = 1, ..., q.
       ii. θ_{j,b} = θ_{j,b} · (1 − α_2) for b = n/2, ..., n − 1 and j = 1, ..., q.
   (d) ELSE IF (L_m = 1) THEN
       i. θ_{j,b} = θ_{j,b} · (1 − α_1) for b = 0, ..., n/2 − 1 and j = 1, ..., q.
       ii. θ_{j,b} = θ_{j,b} · (1 + α_2) for b = n/2, ..., n − 1 and j = 1, ..., q.
3. Arrange the DCT blocks back to their original positions and write the image.

Note that the most important part of this algorithm is step 1 of Algorithm 5. We first need to group the blocks into lc-regions. However, just getting the lc-regions does not suffice: we further need to divide each lc-region into two lc-subregions A, B such that |E_A − E_B| < δ, i.e., E_A ≈ E_B.
Getting such a grouping is in general hard (it is essentially the subset sum problem, which is NP-complete). Thus there are two issues. 1. Given an lc-region, find two lc-subregions A, B such that E_A and E_B differ by a very small amount. 2. If such lc-subregions cannot be found, randomly rearrange the 8 × 8 DCT blocks of the JPEG image once again to group them into lc-regions of a different configuration.
However, in our experiments we always succeeded in finding lc-subregions with the required closeness. This is expected for image data, since the energies of the individual blocks, \sum_{j=1}^{q} |\theta_{j,b}|, lie in some specific range. Moreover, within one lc-region there are collections of blocks whose energies are very close to each other. The easy availability of such groupings makes the watermark embedding procedure very fast even though the underlying problem is hard. Another extremely important advantage of the abundance of such groupings is that the image key space becomes very large. In step 1 of Algorithm 5 we store the grouping information and use it as the image key K. Thus the observation that almost any rearrangement into lc-regions provides lc-subregions with the required closeness of E_A and E_B means that the key K is chosen from an exponentially large space, which keeps the system secure.

3.2 Watermark Extraction
Extraction of the watermark does not require the original image; it depends only on the image key K. Once the image key is known, one can reorganize the blocks of the watermarked image in the manner used at the time of watermark embedding. Then one calculates E_A and E_B: if E_A > E_B the label bit is 0, else it is 1. Note that the binary patterns for the buyers can be selected from an error-correcting code, so that the malicious buyer can be identified even if there are some bit errors in the extraction process.

3.3 Experimental Results
We present summarized results to highlight the robustness of our scheme. See Figure 2, where the images show that the original and watermarked copies are visually indistinguishable. The watermarking parameters used in the experiments are α = 0.05, α_1 = 0, α_2 = 2α = 0.1, q = 5, n = 64, l = 64. In [7] the re-encoding attack has been mentioned; re-encoding basically means saving the image at a different JPEG quality. It has been found [7] that the DEW scheme does not survive if the image is saved at very low JPEG quality. This is because the watermark information in the DEW scheme is carried by the high-frequency DCT coefficients, which are easily disturbed by low-quality JPEG compression. In our modified scheme, however, the watermark signal is placed in the low-frequency components, which are the least disturbed by JPEG compression. We have taken three images, Lena, Baboon and Pentagon, each of size 512 × 512 pixels. We embedded a 64-bit watermark (each lc-region contains 64 blocks of size 8 × 8) and saved the watermarked image at JPEG quality 100%. Then, to simulate the re-encoding attack, we saved the image at JPEG qualities from 90% down to 10% in steps of 10% and extracted the watermark from the low-quality images. We found no bit error down to 20% JPEG quality. At 10% we found a single bit error out of the 64 bits, which is < 2%. Thus our scheme is robust in this respect. Refer to Figure 2 for the re-encoding attacked image saved at 10% JPEG quality.
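To make Algorithm 5 (Subsection 3.1), the extraction of Subsection 3.2 and the re-encoding experiment above concrete, here is an added Python example; it is not the authors' code. It builds the image key K by shuffling constructed synthetic blocks into lc-regions of n = 64 blocks and balancing each into lc-subregions with |E_A − E_B| < δ using a greedy assignment plus pairwise swaps, reshuffling when a region cannot be balanced as issue 2 above requires. The greedy heuristic, δ = 50, the rounding of scaled coefficients back to integers, the uniform re-quantization used to imitate a re-encoding attack and all function names are this example's assumptions, not part of the paper; α_1 = 0, α_2 = 0.1 and q = 5 follow the parameter values stated above.

```python
import random
from typing import List, Optional, Tuple

Block = List[int]  # 64 quantized DCT coefficients in zigzag order; index 0 is the DC term
Key = List[Tuple[List[int], List[int]]]  # image key K: per lc-region the block indices of A and B


def synthetic_blocks(count: int, seed: int) -> List[Block]:
    """Constructed stand-in for quantized DCT blocks (spread shrinks with frequency); not real image data."""
    rng = random.Random(seed)
    return [[round(rng.gauss(0, 60.0 / (1 + i / 3))) for i in range(64)] for _ in range(count)]


def block_energy(th: Block, q: int) -> int:
    """Low-frequency energy of one block: sum_{j=1..q} |theta_j|, DC excluded."""
    return sum(abs(th[j]) for j in range(1, q + 1))


def subregion_energy(blocks: List[Block], idx: List[int], q: int) -> int:
    """E_A(q, n) or E_B(q, n): sum of the block energies of one lc-subregion."""
    return sum(block_energy(blocks[b], q) for b in idx)


def balanced_split(blocks, region, q, delta) -> Optional[Tuple[List[int], List[int]]]:
    """Issue 1: cut one lc-region into lc-subregions A, B of n/2 blocks each with |E_A - E_B| < delta.
    Greedy assignment (heaviest block first, to the lighter side that still has room), then
    pairwise swaps while they shrink the gap. Returns None if the tolerance is not reached."""
    half = len(region) // 2
    e = {b: block_energy(blocks[b], q) for b in region}
    A, B = [], []
    for b in sorted(region, key=lambda x: -e[x]):
        lighter_is_a = sum(e[x] for x in A) <= sum(e[x] for x in B)
        (A if len(B) == half or (len(A) < half and lighter_is_a) else B).append(b)
    gap = sum(e[x] for x in A) - sum(e[x] for x in B)
    improved = True
    while improved and abs(gap) >= delta:
        improved = False
        for i, a in enumerate(A):
            for k, b in enumerate(B):
                new_gap = gap - 2 * (e[a] - e[b])  # effect of swapping a (in A) with b (in B)
                if abs(new_gap) < abs(gap):
                    A[i], B[k], gap, improved = b, a, new_gap, True
                    break
            if improved:
                break
    return (A, B) if abs(gap) < delta else None


def make_key(blocks, n, q, delta, seed, tries=500) -> Key:
    """Step 1 of Algorithm 5: shuffle blocks into lc-regions and balance each one; if any region
    cannot be balanced, reshuffle (issue 2). The grouping that succeeds is the image key K."""
    rng = random.Random(seed)
    usable = len(blocks) - len(blocks) % n
    for _ in range(tries):
        order = list(range(len(blocks)))
        rng.shuffle(order)
        key = [balanced_split(blocks, order[k:k + n], q, delta) for k in range(0, usable, n)]
        if all(key):
            return key
    raise RuntimeError("no balanced grouping found")


def embed(blocks, bits, key, q, alpha1, alpha2) -> List[Block]:
    """Step 2 of Algorithm 5: bit 0 scales A's q low-frequency coefficients by (1 + alpha1) and B's
    by (1 - alpha2); bit 1 uses (1 - alpha1) for A and (1 + alpha2) for B. Results are rounded
    back to integers as a re-quantization would do (the rounding is this example's assumption)."""
    out = [list(th) for th in blocks]
    for bit, (A, B) in zip(bits, key):
        sign = 1 if bit == 0 else -1
        factor_a, factor_b = 1 + sign * alpha1, 1 - sign * alpha2
        for b in A:
            for j in range(1, q + 1):
                out[b][j] = round(out[b][j] * factor_a)
        for b in B:
            for j in range(1, q + 1):
                out[b][j] = round(out[b][j] * factor_b)
    return out


def extract(blocks, key, q) -> List[int]:
    """Subsection 3.2: needs only K, not the original image; bit 0 iff E_A > E_B."""
    return [0 if subregion_energy(blocks, A, q) > subregion_energy(blocks, B, q) else 1 for A, B in key]


def gap_ratio(blocks, A, B, q) -> float:
    """|E_A - E_B| / (E_A + E_B), the quantity that has to reach alpha after embedding."""
    ea, eb = subregion_energy(blocks, A, q), subregion_energy(blocks, B, q)
    return abs(ea - eb) / (ea + eb)


def requantize(blocks: List[Block], step: int) -> List[Block]:
    """Crude stand-in for re-saving at a lower JPEG quality: coarser uniform quantization of every coefficient."""
    return [[round(v / step) * step for v in th] for th in blocks]


if __name__ == "__main__":
    image = synthetic_blocks(512, seed=7)  # 512 constructed blocks = 8 lc-regions of n = 64
    key = make_key(image, n=64, q=5, delta=50, seed=3)
    label = [0, 1, 1, 0, 1, 0, 0, 1]  # l = 8 bits, one per lc-region
    marked = embed(image, label, key, q=5, alpha1=0.0, alpha2=0.1)  # alpha = 0.05
    print("extracted:", extract(marked, key, 5) == label)
    print("after coarse re-quantization:", extract(requantize(marked, 8), key, 5) == label)
```

Because the key balances E_A and E_B to within δ before embedding, a 10% change of one side moves the ratio |E′_A − E′_B| / (E′_A + E′_B) to about 0.05, and that margin is what lets the bits survive the coarse re-quantization at the end; the two lists of block indices per region are exactly the secret that an oblivious extractor needs.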
Fig. 2. Modified DEW scheme. Top-left : original image. Top-right : watermarked image. Bottom-left : watermarked image saved at 10% JPEG quality. Bottom-right : stirmark 3 attack on the watermarked image
Even from that low-quality image, our scheme can extract the watermark and identify the malicious buyer. We checked standard image processing attacks like filtering, cropping, addition of noise, etc.; the scheme survives all of them. However, we have found that in case of rotation, or whenever the pixel positions change, it may not be possible to extract the watermark. This is natural, since the scheme is oblivious. If, however, the original image is available during extraction (i.e., the scheme becomes non-oblivious), then the original can be used to rotate the attacked watermarked image back, and the watermark is recovered successfully. In the case of Stirmark attacks [10, 11], if the original image is available, we can use the block-based strategy [4] to recover the watermark properly. Figure 2 shows the image after the Stirmark 3 attack; we could successfully recover the watermark using the block-based strategy when the original image is available. It remains a challenging question to extract the watermark in the oblivious setting, i.e., when the original image is not available.
References
[1] I. J. Cox, J. Kilian, T. Leighton and T. Shamoon. Secure Spread Spectrum Watermarking for Multimedia. IEEE Transactions on Image Processing, 6(12):1673–1687, 1997.
[2] F. Ergun, J. Kilian and R. Kumar. A note on the limits of collusion-resistant watermarks. In Eurocrypt 1999, LNCS 1592, pages 140–149, Springer-Verlag, 1999.
[3] R. C. Gonzalez and P. Wintz. Digital Image Processing. Addison-Wesley (MA, USA), 1988.
[4] F. Hartung, J. K. Su and B. Girod. Spread Spectrum Watermarking: Malicious Attacks and Counterattacks. Proceedings of SPIE, Volume 3657: Security and Watermarking of Multimedia Contents, January 1999.
[5] N. F. Johnson, Z. Duric and S. Jajodia. Information Hiding: Steganography and Watermarking – Attacks and Countermeasures. Kluwer Academic Publishers, USA, 2000.
[6] S. Katzenbeisser and F. A. P. Petitcolas (eds.). Information Hiding Techniques for Steganography and Digital Watermarking. Artech House, USA, 2000.
[7] G. C. Langelaar and R. L. Lagendijk. Optimal Differential Energy Watermarking of DCT Encoded Images and Video. IEEE Transactions on Image Processing, 10(1):148–158, 2001.
[8] S. G. Mallat. A theory for multiresolution signal decomposition: the wavelet representation. IEEE Transactions on PAMI, 11:674–693, 1989.
[9] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997.
[10] F. A. P. Petitcolas, R. J. Anderson, M. G. Kuhn and D. Aucsmith. Attacks on Copyright Marking Systems. In 2nd Workshop on Information Hiding, LNCS 1525, pages 218–238, Springer-Verlag, 1998.
[11] F. A. P. Petitcolas and R. J. Anderson. Evaluation of Copyright Marking Systems. In IEEE Multimedia Systems, Florence, Italy, June 1999.
[12] J. O. Ruanaidh, H. Petersen, A. Herrigel, S. Pereira and T. Pun. Cryptographic copyright protection for digital images based on watermarking techniques. Theoretical Computer Science, 226:117–142, 1999.
[13] G. K. Wallace. The JPEG still picture compression standard. Communications of the ACM, April 1991.
A 2-Secure Code with Efficient Tracing Algorithm
Vu Dong Tô, Reihaneh Safavi-Naini, and Yejing Wang
School of Information Technology and Computer Science, University of Wollongong, Wollongong 2522, Australia
{dong,rei,yejing}@uow.edu.au
Abstract. Collusion secure fingerprinting is used to protect against illegal redistribution of digital documents. Fingerprints are embedded in documents to identify different copies. A group of colluders having access to multiple copies with different fingerprints may construct a pirate object with a fingerprint that cannot be traced. We consider c-secure codes with ε error, which allow one of the c possible colluders to be traced with the chance of incorrect tracing at most ε. We consider a two-layer construction consisting of an inner code and an outer structure and give new constructions for each. Important properties of our new inner code are that innocent users will never be accused and that the code can be constructed for any number of codewords. This is particularly important, as the number of codewords is the alphabet size of the outer structure. We show that a c-traceability code or a perfect hash family can be used as the outer structure, and obtain the parameters of the combined code in terms of the parameters of the inner code and those of the outer structure. We apply these constructions to our new inner code and give the parameters of the resulting c-secure codes. Keywords: fingerprinting codes, frameproof codes, secure codes, secure frameproof codes, traceability codes.
1 Introduction
Fingerprinting is used to distinguish different copies of the same document or software. A fingerprint is a q-ary mark sequence that is embedded in the object in an imperceptible and robust (hard to remove) way. Collusion secure fingerprinting [3] aims at tracing pirate objects constructed by a collusion of users who have access to multiple copies of the same object, each with a different fingerprint. To construct a pirate object, colluders compare their objects to find the places where their marks differ, and construct a pirate object by using one of their marks in each detected position. Totally c-secure codes allow one of the colluders to be traced if the size of the collusion is at most c. Boneh et al. showed that totally c-secure codes do not exist for c ≥ 2 and introduced c-secure codes with ε-error, in which a member of the collusion will be found with probability at least 1 − ε. The ε-error refers to the error of the tracing algorithm. The error could be due to the failure of the algorithm to trace some of the pirate objects, or to its outputting an innocent user in some cases. The latter case is undesirable in realistic scenarios and must be avoided. Important parameters of c-secure codes are the length and the number of codewords; good codes have shorter length and a higher number of codewords. The main construction of c-secure codes is due to Boneh et al. [3, 4] and consists of an outer code, which is an error-correcting code, and an inner code. Other constructions retain this structure but give different constructions for the inner code.

In this paper we present a number of new results on 2-secure codes. The main construction that we consider is a two-level construction consisting of an inner code and an outer structure. The outer structure can be an error-correcting code or a perfect hash family. The set of codewords of the inner code forms the alphabet of the outer code, so we require inner codes to be constructible for a wide range of alphabet sizes. In particular, to compare two inner codes we fix the size of the alphabet. Firstly, we construct a new 2-secure inner code of length n^2 with n codewords and give an upper bound on ε which shows that the probability of error decreases exponentially with n. We give an efficient tracing algorithm for this code and show that the tracing algorithm never accuses an innocent user: either the tracing algorithm fails and produces no output, or else it outputs a colluder. An interesting property of the code is that for the same error probability it has shorter length than the inner codes in [3, 4] or [9] with the same number of codewords. Although the inner code in [3, 4] is only given for c-secure codes with c ≥ 3, since a c-secure code is also c′-secure for c′ < c, we compare our code with an instance of that code with the same number of codewords.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 149–163, 2002. © Springer-Verlag Berlin Heidelberg 2002
Then we consider possible outer structures. First, we show that using a 2-TA code as the outer structure combined with a 2-secure code with ε error results in a 2-secure code with ε′ error, and we give the value of ε′. 2-TA codes can be obtained from error-correcting codes whose minimum distance satisfies a lower bound. We show that equidistant codes with odd minimum distance are 2-TA codes and can always be used as the outer code. Next we show that perfect hash families (PHF) can be used as the outer structure to construct a c-secure code with more codewords from a smaller c-secure code. We obtain the probability of failure of tracing as a function of ε and s, the number of functions in the perfect hash family. The tracing algorithm in the case of error-correcting codes consists of two stages: first the decoding algorithm of the outer code, followed by the tracing algorithm of the inner code. In the case of a PHF as the outer structure, tracing consists of finding a function in the family that satisfies a certain property, followed by the tracing of the inner code. The efficiency of the former stage depends on the structure of the PHF.
We use both outer structures with our proposed inner code and obtain the parameters of the resulting codes. The final code in all cases has the property that only colluders are captured.

1.1 Related Works
Secure fingerprinting codes have been defined with a range of security properties.

Frameproof codes. Frameproof codes were introduced in [3] and constructed in [3, 4, 12, 13]. A c-frameproof code provides the property that any set of up to c colluders cannot create the fingerprint of an innocent user. Constructions of frameproof codes are given in [3, 12, 10].

Secure frameproof codes. A weaker notion of secure codes is that of secure frameproof codes. A c-secure frameproof code, defined and constructed by Stinson et al. in [11], requires that two disjoint collusions not be able to create the same pirate word. c-Secure frameproof codes do not provide a tracing algorithm and only require the structure of the code to support unambiguous tracing.

Traceability codes. Traceability codes were introduced by Staddon et al. in [10]. A c-TA code provides both the frameproof and the traceability property: a group of up to c colluders cannot frame another user, and any pirate word they construct is closest to the codeword of one of the colluders, so a colluder can always be found by finding the codeword with minimum Hamming distance to the pirate word. c-TA codes can be constructed from error-correcting codes; for these codes the tracing algorithm is the same as the decoding algorithm of the error-correcting code. This is particularly useful for codes that have an efficient decoding algorithm.

Traitor tracing schemes. Traitor tracing schemes were introduced in the context of broadcast encryption systems [6] and data fingerprinting [3]. In a broadcast encryption system, the sender broadcasts an encrypted message through a broadcast channel such that only members of an authorised group of receivers can decrypt the message. To do so, each receiver has a decoder with a unique key set. A group of colluders may use their key information to construct a pirate decoder that can decrypt the broadcast. Traitor tracing schemes allow one of the colluders to be identified when a pirate decoder is found. Known constructions of traitor tracing systems use combinatorial designs [12, 13] and error-correcting codes [12]. Tracing traitors in public key encryption systems is proposed in [2]. It is shown in [7] that tracing is impossible when the number of traitors exceeds a certain number.

The rest of the paper is organised as follows. In Section 2 we recall the definitions and review the known results that will be used throughout the paper. In Section 3 we define a new inner code, provide an efficient tracing algorithm and show the properties of the code. We construct 2-secure codes by combining our new inner code with error-correcting codes in Section 4, and with perfect hash families in Section 5. Finally, we compare our constructions with existing ones and conclude the paper in Section 6.
2 Preliminaries
Let $\Gamma$ be a $q$-ary code of length $\ell$ and size $n$. We have $\Gamma \subseteq Q^{\ell}$, where $Q$ is the alphabet, $|Q| = q$, and $|\Gamma| = n$. An element of $\Gamma$, called a codeword, can be written as $w = (w_1, w_2, \ldots, w_{\ell})$, where $w_i \in Q$. Elements of $Q^{\ell}$ in general are called words. Let $C = \{w^{(1)}, w^{(2)}, \ldots, w^{(c)}\} \subseteq \Gamma$. A position $i$ is called an undetectable position for $C$ if $w_i^{(1)} = w_i^{(2)} = \cdots = w_i^{(c)}$; otherwise, it is called a detectable position. We denote the sets of all undetectable and detectable positions for $C$ by $U(C)$ and $D(C)$. Define the descendant set of $C$ as
$$\mathrm{Desc}(C) = \{\, w \in Q^{\ell} : w_i \in \{w_i^{(1)}, w_i^{(2)}, \ldots, w_i^{(c)}\},\ \forall i \,\}.$$
$\mathrm{Desc}(C)$ is the set of all words that can be constructed by the coalition $C$. An element $w$ of $\mathrm{Desc}(C)$ is called a descendant of $C$, and the elements of $C$ are called parents of $w$. We use the following Marking Assumption and Embedding Assumption, which were first introduced in [3].

Marking Assumption: A collusion is only capable of modifying detectable positions.

Embedding Assumption: A user has no knowledge of which mark in the object encodes which bit in the code.

Colluders can modify the symbols at detectable positions: they can replace them with any symbol in the alphabet, or with an unrecognizable symbol, denoted by ‘?’, that is not in the alphabet $Q$. We call $\overline{Q} = Q \cup \{?\}$ the extended alphabet, and we define the feasible set $F(C)$ of $C$ as
$$F(C) = \{\, w \in \overline{Q}^{\ell} : w_i = w_i^{(j)}\ \ \forall i \in U(C),\ w^{(j)} \in C \,\}.$$
If Γ is a binary code then Desc(C) contains precisely the elements of F(C) that do not contain the mark ‘?’. If an element of F(C) contains ‘?’ in some positions and we substitute these marks by any symbol of Q, then the resulting word belongs to Desc(C). This is only true when the code Γ is binary.

Lemma 1. Let Γ be a binary code, and C ⊆ Γ. For an element of F(C), substituting all the marks ‘?’ by 0 or 1 arbitrarily results in an element of Desc(C).

Frameproof codes, introduced in [3], ensure that a subset of colluders of size at most c cannot produce the codeword of another user not in their group.

Definition 1. ([10]) A code Γ is called a c-frameproof code (c-FPC) if Desc(C) ∩ Γ = C for every subset C ⊆ Γ of size at most c.

A code Γ is called a secure frameproof code if two disjoint coalitions cannot produce the same descendant word.
A 2-Secure Code with Efficient Tracing Algorithm
Definition 2. ([10]) A code Γ is called a c-secure frameproof code (c-SFPC) if $\mathrm{Desc}(C_1) \cap \mathrm{Desc}(C_2) = \emptyset$ for any two disjoint subsets $C_1, C_2 \subseteq \Gamma$ of sizes at most c.

Obviously, a c-SFPC is a c-frameproof code.

Definition 3. A code Γ is called totally c-secure if there exists a tracing algorithm $A : \overline{Q}^{\ell} \to \Gamma$ such that $A(x) \in C$ for every $C \subseteq \Gamma$ of size at most c and every $x \in F(C)$.

It was proved in [3, 4] that totally c-secure codes do not exist when c ≥ 2 and n ≥ 3. A weakened form of totally secure codes allows the tracing to fail with a small probability.

Definition 4. ([3]) Let ε > 0. A code Γ is called c-secure with ε-error if there exists a tracing algorithm A satisfying the following condition: if $C \subseteq \Gamma$, $|C| \le c$, creates a word $x \in F(C)$, then
$$\Pr[A(x) \in C] > 1 - \varepsilon. \qquad (1)$$

Boneh et al. [3, 4] gave a construction for c-secure codes which combines an inner c-secure code with an error-correcting code. The number of codewords of the inner code is much smaller than its length, but in combination with the outer code the result is a c-secure code whose length is logarithmic in the number of codewords. This is only an existence result, and no explicit construction for an outer code with the required parameters has been given. A drawback of the inner code in Boneh et al.’s construction is that an innocent user may be accused, and this carries over to the final construction as well. The chance of error can be made arbitrarily small, but only by increasing the code length. Other constructions [5, 9] of c-secure codes use the same structure but employ different inner codes. In [5] a family of 2-secure codes was proposed that uses the dual of the Hamming code as the inner code. The number of codewords of this inner code is nearly the same as its length, so the final code has a higher rate (ratio of the logarithm of the number of codewords to the length) compared to the construction in [3, 4].
Another advantage of this code is that the tracing algorithm uses the decoding algorithm of the dual of the Hamming code and never outputs an innocent user. The number of codewords is $2^n$, and since the number of codewords of the inner code equals the alphabet size of the outer code, the highest rate is obtained when the outer code is over $GF(2^n)$. In [9] a construction of 3-secure codes is given using a class of inner codes called scattering codes and an outer code which is a dual of the Hamming code. The tracing algorithm may output an innocent user, and the code is shown to outperform the code in [3, 4] for some parameters. This construction can result in false accusations. In all the above constructions an ‘inner code’ is combined with an outer code which is an error-correcting code (the dual Hamming code in the last construction). The inner code in the first construction is a 2-secure code with n codewords and length (n − 1)d, and in the last one it is a scattering code with 2n codewords and length (2n + 1)d, which is the same as the first construction with an added first column. In Boneh et al.’s construction, $d = 2n^2 \log(2n/\varepsilon)$; that is, for n codewords the length of the inner code is $\approx n^3 \log(2n/\varepsilon)$ and the code is n-secure. In [4], with error ε, the inner code has n codewords and length $O(n^3 \log(n/\varepsilon))$, and the tracing algorithm may output innocent users. In [5], using the dual binary Hamming code, a code of size n, length n and error $2n/2^n$ is constructed. However, the code size must be of the form $n = 2^i - 1$. In [9], a 3-secure code is introduced with code size of the same form $2^i - 1$. The length of this code is (n − 1)(2t + 1)d. In the next section, we construct a new 2-secure inner code with an arbitrary size n. Our tracing algorithm either fails or outputs a real colluder.
3 A New Inner Code
In this section we construct a binary code γ and prove that the code is a 2-SFPC. We give an efficient tracing algorithm, show that the code is a 2-secure code, and calculate the error probability in tracing. We show that if the pirate word contains at least one mark ‘?’ then the tracing algorithm correctly outputs a colluder.

The codewords are elements of the set $\{0,1\}^{n^2}$ and can be represented by n × n binary matrices. To construct the code, we choose n base-points $b_1, b_2, \ldots, b_n$, each point being a position of the n × n matrix, such that there is exactly one base-point on each row and on each column. That is, if we assume the base-point $b_i$ is on row $r_i$ and column $c_i$, then $(r_1, r_2, \ldots, r_n)$ and $(c_1, c_2, \ldots, c_n)$ are permutations of $(1, 2, \ldots, n)$. For a square matrix M of order n, we denote by M(r, c) the entry in the r-th row and the c-th column. Now n codewords $M_1, M_2, \ldots, M_n$ are constructed as follows. For each i, 1 ≤ i ≤ n, $M_i$ is an n × n binary matrix whose (r, c) entry is given by
$$M_i(r, c) = \begin{cases} 1, & \text{if } r = r_i \text{ and } c \neq c_i \\ 1, & \text{if } r \neq r_i \text{ and } c = c_i \\ 0, & \text{otherwise.} \end{cases}$$
For two base-points $b_{i_1}, b_{i_2}$, define
$$\mathrm{Rec}(i_1, i_2) = \{(r, c) : r \in \{r_{i_1}, r_{i_2}\},\ c \in \{c_{i_1}, c_{i_2}\}\}.$$
$\mathrm{Rec}(i_1, i_2)$ is the set of the four vertices of the rectangle formed by the two base-points $b_{i_1}, b_{i_2}$. We call the pair of vertices $(r_{i_1}, c_{i_2})$ and $(r_{i_2}, c_{i_1})$ opposite base-points and denote $\mathrm{Opp}(i_1, i_2) = \{(r_{i_1}, c_{i_2}), (r_{i_2}, c_{i_1})\}$. For any two codewords $M_{i_1}$ and $M_{i_2}$, it is easy to see that the set of undetectable positions consists of the four vertices of $\mathrm{Rec}(i_1, i_2)$ together with all the positions that are not on rows $r_{i_1}, r_{i_2}$ and not on columns $c_{i_1}, c_{i_2}$. The detectable positions are the positions on the rows $r_{i_1}, r_{i_2}$ and columns $c_{i_1}, c_{i_2}$, except for the four positions of $\mathrm{Rec}(i_1, i_2)$. The number of detectable positions is 4n − 8.
$$D(C) = \{(r, c) : r \in \{r_{i_1}, r_{i_2}\} \text{ or } c \in \{c_{i_1}, c_{i_2}\}\} \setminus \mathrm{Rec}(i_1, i_2)$$
$$U(C) = \{(r, c) : r \neq r_{i_1}, r_{i_2},\ c \neq c_{i_1}, c_{i_2}\} \cup \mathrm{Rec}(i_1, i_2)$$
Theorem 1. For a matrix $M \in \{0, 1, ?\}^{n^2}$, M is a member of $F(M_{i_1}, M_{i_2})$ if and only if
1. M has the value 0 on the two base-points $b_{i_1}$ and $b_{i_2}$: $M(r_{i_1}, c_{i_1}) = M(r_{i_2}, c_{i_2}) = 0$;
2. M has the value 1 on the two opposite base-points $\mathrm{Opp}(i_1, i_2)$: $M(r_{i_1}, c_{i_2}) = M(r_{i_2}, c_{i_1}) = 1$;
3. M has the value 0 on all the positions that are not on the rows $r_{i_1}, r_{i_2}$ and not on the columns $c_{i_1}, c_{i_2}$: $M(r, c) = 0$ for all $r \neq r_{i_1}, r_{i_2}$, $c \neq c_{i_1}, c_{i_2}$.

Theorem 2. For any n ≥ 4, γ is a 2-secure frameproof code.

Proof. Let $M_{i_1}, M_{i_2}, M_{i_3}$ and $M_{i_4}$ be four different codewords. From Theorem 1, for any descendant M of $\{M_{i_1}, M_{i_2}\}$ and $M'$ of $\{M_{i_3}, M_{i_4}\}$, $M(r_{i_1}, c_{i_2}) = M(r_{i_2}, c_{i_1}) = 1$ and $M'(r_{i_1}, c_{i_2}) = M'(r_{i_2}, c_{i_1}) = 0$. This implies $M \neq M'$.

Definition 5. Let M be a binary matrix of size n. The set ColluderPair(M) is defined as follows:
1. a member of ColluderPair(M) is a subset of $\{M_1, M_2, \ldots, M_n\}$ with two elements;
2. $\{M_{i_1}, M_{i_2}\} \in \mathrm{ColluderPair}(M)$ if and only if (T1) $M(r_{i_1}, c_{i_1}) = M(r_{i_2}, c_{i_2}) = 0$, (T2) $M(r_{i_1}, c_{i_2}) = M(r_{i_2}, c_{i_1}) = 1$, and (T3) $M(r, c) = 0$ for all $r \neq r_{i_1}, r_{i_2}$, $c \neq c_{i_1}, c_{i_2}$.

ColluderPair(M) is the set of all pairs of colluders that could have generated M:
$$\mathrm{Collu  derPair}(M) = \{\{M_{i_1}, M_{i_2}\} : M \in \mathrm{Desc}(M_{i_1}, M_{i_2})\}.$$

3.1 Properties of ColluderPair(M)
In this section we look at the properties of the set ColluderPair(M) which help us derive the tracing algorithm. We need the following lemma.

Lemma 2. Suppose $\{S_1, S_2, \ldots, S_k\}$ is a collection of sets such that
1. each set contains exactly two elements,
2. any two sets have non-empty intersection, and
3. the union of all these sets contains more than three elements, $|\bigcup_{i=1}^{k} S_i| > 3$;
then $\bigcap_{i=1}^{k} S_i \neq \emptyset$.
Proof. Assume $S_1 = \{x_1, x_2\}$, $S_2 = \{x_1, x_3\}$, and $x_4 \in S_3$. Since $S_3$ has non-empty intersections with both $S_1$ and $S_2$, we must have $S_3 = \{x_1, x_4\}$. For any other set $S_j$, 4 ≤ j ≤ k, since $S_j$ has non-empty intersections with all three sets $S_1$, $S_2$ and $S_3$, $S_j$ must contain $x_1$. Therefore $x_1 \in \bigcap_{i=1}^{k} S_i$.

Lemma 3. Let M be given. If $S_1, S_2 \in \mathrm{ColluderPair}(M)$, then $S_1 \cap S_2 \neq \emptyset$.

Proof. Follows from Theorem 2.

For any three base-points $b_{i_1}, b_{i_2}$ and $b_{i_3}$, let $SM[i_1, i_2, i_3]$ be the binary matrix whose entries are all zeros except for the six opposite base-points $\mathrm{Opp}(i_1, i_2)$, $\mathrm{Opp}(i_2, i_3)$ and $\mathrm{Opp}(i_3, i_1)$. From now on, these matrices $SM[i_1, i_2, i_3]$ are called special matrices. It is easy to check that the special matrix $SM[i_1, i_2, i_3]$ belongs to all three descendant sets $\mathrm{Desc}(M_{i_1}, M_{i_2})$, $\mathrm{Desc}(M_{i_2}, M_{i_3})$ and $\mathrm{Desc}(M_{i_3}, M_{i_1})$. Special matrices are characterised by the following lemma.

Lemma 4. $\mathrm{ColluderPair}(M) = \{\{M_{i_1}, M_{i_2}\}, \{M_{i_2}, M_{i_3}\}, \{M_{i_3}, M_{i_1}\}\}$ if and only if $M = SM[i_1, i_2, i_3]$.

Proof. Firstly, if $\{M_{i_1}, M_{i_2}\}, \{M_{i_2}, M_{i_3}\}, \{M_{i_3}, M_{i_1}\} \in \mathrm{ColluderPair}(M)$, then it follows from Definition 5 that the matrix M has all entries equal to zero except for the six opposite base-points $\mathrm{Opp}(i_1, i_2)$, $\mathrm{Opp}(i_2, i_3)$ and $\mathrm{Opp}(i_3, i_1)$. That means $M = SM[i_1, i_2, i_3]$. Conversely, if $M = SM[i_1, i_2, i_3]$ is a special matrix, then the only pairs that satisfy the three conditions (T1), (T2), (T3) are $\{i_1, i_2\}$, $\{i_2, i_3\}$ and $\{i_3, i_1\}$.

Theorem 3. For any binary matrix M, if M is not a special matrix then
$$\bigcap \{S : S \in \mathrm{ColluderPair}(M)\} \neq \emptyset,$$
and if $M = SM[i_1, i_2, i_3]$ then $\mathrm{ColluderPair}(M) = \{\{M_{i_1}, M_{i_2}\}, \{M_{i_2}, M_{i_3}\}, \{M_{i_3}, M_{i_1}\}\}$.

Proof. Let $\mathrm{Collude}(M) = \bigcup \{S : S \in \mathrm{ColluderPair}(M)\}$, where M is a non-special matrix.
Since each member of ColluderPair(M) is a set that contains two elements and any two members of ColluderPair(M) have non-empty intersection (Lemma 3), if $|\mathrm{Collude}(M)| > 3$ it follows from Lemma 2 that the intersection of all members of ColluderPair(M) is not empty. If $|\mathrm{Collude}(M)| = 3$ then ColluderPair(M) is either equal to $\{\{i_1, i_2\}, \{i_2, i_3\}\}$ or to $\{\{i_1, i_2\}, \{i_2, i_3\}, \{i_3, i_1\}\}$. The latter cannot happen by Lemma 4, because M is not a special matrix. If $|\mathrm{Collude}(M)| = 2$, then ColluderPair(M) has only one member. In all cases we have $\bigcap \{S : S \in \mathrm{ColluderPair}(M)\} \neq \emptyset$.

Since the pair of actual colluders is included in the set ColluderPair(M), if M is not a special matrix then by the above theorem the intersection of all members of ColluderPair(M) is not empty, and this intersection is a subset of the colluders.
3.2 Tracing Algorithm
Given a matrix M formed by two colluders, from Theorem 3 we have the following simple tracing algorithm. We consider two cases.

Case 1: M does not contain a mark ‘?’. If M is a special matrix, $M = SM[i_1, i_2, i_3]$, then the two colluders are among $i_1, i_2, i_3$; in this case the algorithm fails to identify them. If M is not a special matrix, then we form the set ColluderPair(M) that contains all the pairs $\{i_1, i_2\}$ satisfying (T1), (T2), (T3) of Definition 5. A trivial method is to check all $\binom{n}{2}$ pairs $\{i_1, i_2\}$. In Section 3.3 we use the properties of the set ColluderPair(M) to give a faster algorithm to search for such pairs. Theorem 3 ensures that the intersection of the members of ColluderPair(M) is not empty, and this intersection consists of colluders. Output this intersection.

Case 2: M contains marks ‘?’. In this case we can always find a colluder. Firstly, we substitute all the marks ‘?’ by arbitrary values 0 or 1 so that the resulting matrix $M'$ is not a special matrix. One way to make this substitution easy is to observe that all special matrices have weight equal to 6. Therefore, when we substitute the marks ‘?’ by 0 or 1, we need only ensure that $M'$ has weight not equal to 6 to guarantee that it is not a special matrix. Since γ is a binary code, by Lemma 1 the binary matrix $M'$ is a descendant matrix formed by the two colluders. As in Case 1, form the set $\mathrm{ColluderPair}(M')$; the colluder is in the intersection of all members of $\mathrm{ColluderPair}(M')$.

Tracing error: The only case in which the tracing algorithm fails is when M is a special matrix. Suppose that the two users 1 and 2 collude and they know that the tracing algorithm is deterministic whenever the pirate matrix contains at least one mark ‘?’. The number of special matrices that they can form is n − 2, namely $SM[1, 2, 3], SM[1, 2, 4], \ldots, SM[1, 2, n]$. There are 4n − 8 detectable positions for $\{M_1, M_2\}$. By the Embedding Assumption, the best strategy they have is to fill the detectable positions with random marks corresponding to 0 or 1. The total number of matrices that they can form in this way is $2^{4n-8}$. It follows that the tracing error is not larger than $\frac{n-2}{2^{4n-8}}$. However, if the colluders have no knowledge of the tracing algorithm, then the tracing error is $\frac{n-2}{3^{4n-8}}$.

3.3 Faster Tracing
The main step of the tracing algorithm is to determine the set ColluderPair(M) for a non-special matrix M. The trivial solution requires at most $\binom{n}{2}$ steps. In this section we present a faster tracing algorithm that uses the weight of the matrices. The weight of a matrix is the number of ones in the matrix.

Theorem 4. Let $M \in \mathrm{Desc}(M_{i_1}, M_{i_2})$. If weight(M) > 6, then
1. there exist at least three 1’s on some row or some column;
2. if a row or a column contains at least three 1’s then this row or column must contain one of the base-points $b_{i_1}, b_{i_2}$.

Proof. The only places where entries 1 can occur in M are rows $r_{i_1}, r_{i_2}$ and columns $c_{i_1}, c_{i_2}$. We know that at the two opposite base-points $(r_{i_1}, c_{i_2})$, $(r_{i_2}, c_{i_1})$ we have two 1’s. Therefore, if there are at most two 1’s on each row and column of M, then we have at most four other 1’s in these rows $r_{i_1}, r_{i_2}$ and columns $c_{i_1}, c_{i_2}$. It follows that the weight of M cannot exceed 6. Now suppose that there are at least three 1’s in the same column. This column must be either column $c_{i_1}$ or $c_{i_2}$, as in the other columns there are at most two 1’s. Similarly, if there are at least three 1’s in the same row, this row must be either row $r_{i_1}$ or $r_{i_2}$. This proves the second part of the theorem.

From the above theorem we can see that if weight(M) > 6, we only need to identify a row or a column with three 1’s. Since there is exactly one base-point in each row or column, the colluder’s base-point is then identified. If weight(M) ≤ 6, then to determine the set ColluderPair(M) using condition (T2), we only need to check at most $\binom{6}{2} = 15$ pairs.

Theorem 5. The tracing algorithm either outputs a correct colluder or fails, with failure probability $\frac{n-2}{2^{4n-8}}$. If the pirate matrix contains at least one mark ‘?’ then the algorithm correctly outputs a colluder.
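The inner code and the tracing algorithm of Sections 3.2 and 3.3, as an added example that is not part of the paper: the function names, the choice of diagonal base-points $b_i = (i, i)$ (the choice suggested in Section 3.4), and the exhaustive check over all pirate words of a small code are ours.

```python
# Added example (ours, not from the paper): the n x n binary inner code of
# Section 3 with the diagonal base-points b_i = (i, i) of Section 3.4, the
# pirate words two colluders can form under the Marking Assumption, and the
# tracing algorithm of Sections 3.2 and 3.3.  Function names are ours.
from itertools import combinations, product
import random


def codeword(n, i):
    """M_i: ones on row i and column i, zero at the base-point (i, i)."""
    return [[1 if (r == i) != (c == i) else 0 for c in range(n)] for r in range(n)]


def detectable_positions(n, i1, i2):
    """D({M_i1, M_i2}): rows/columns i1, i2 minus Rec(i1, i2); 4n - 8 positions."""
    rec = {(i1, i1), (i2, i2), (i1, i2), (i2, i1)}
    return [(r, c) for r in range(n) for c in range(n)
            if (r in (i1, i2) or c in (i1, i2)) and (r, c) not in rec]


def pirate_matrix(n, i1, i2, choice):
    """Word of F({M_i1, M_i2}): undetectable positions are copied from M_i1
    (M_i2 agrees there); detectable (r, c) gets choice(r, c) in {0, 1, '?'}."""
    m = codeword(n, i1)
    for r, c in detectable_positions(n, i1, i2):
        m[r][c] = choice(r, c)
    return m


def special_matrix(n, i1, i2, i3):
    """SM[i1, i2, i3]: zeros except the six opposite base-points of the three pairs."""
    m = [[0] * n for _ in range(n)]
    for a, b in ((i1, i2), (i2, i3), (i3, i1)):
        m[a][b] = m[b][a] = 1
    return m


def is_colluder_pair(m, i1, i2):
    """Conditions (T1)-(T3) of Definition 5 for a binary matrix m."""
    n = len(m)
    if m[i1][i1] != 0 or m[i2][i2] != 0:      # (T1) base-points are 0
        return False
    if m[i1][i2] != 1 or m[i2][i1] != 1:      # (T2) opposite base-points are 1
        return False
    return all(m[r][c] == 0 for r in range(n) for c in range(n)   # (T3)
               if r not in (i1, i2) and c not in (i1, i2))


def trace(pirate):
    """Return a non-empty set of colluder indices, or None when tracing fails.
    Failure is only possible on a special matrix (Theorems 3 and 5)."""
    n = len(pirate)
    m = [row[:] for row in pirate]
    unknown = [(r, c) for r in range(n) for c in range(n) if m[r][c] == '?']
    # Case 2: fill every '?' so that the weight is not 6 (so the result is not
    # a special matrix); by Lemma 1 it is still a descendant of the colluders.
    for r, c in unknown:
        m[r][c] = 0
    weight = sum(x == 1 for row in m for x in row)
    if unknown and weight == 6:
        r, c = unknown[0]
        m[r][c] = 1
        weight = 7
    if weight > 6:
        # Theorem 4: a row/column with >= 3 ones holds a colluder's base-point,
        # and base-point (i, i) belongs to colluder i.
        for i in range(n):
            if sum(m[i]) >= 3 or sum(m[r][i] for r in range(n)) >= 3:
                return {i}
    # weight <= 6: condition (T2) leaves at most C(6, 2) = 15 candidate pairs.
    ones = [(r, c) for r in range(n) for c in range(n) if m[r][c] == 1]
    cands = {frozenset((r, c)) for r, c in ones if r != c and m[c][r] == 1}
    pairs = [p for p in cands if is_colluder_pair(m, *sorted(p))]
    if not pairs:
        return None                 # not a feasible word of any pair
    common = frozenset.intersection(*pairs)
    return set(common) or None      # empty exactly for a special matrix


def check_all_binary(n):
    """Trace every 0/1 descendant of every pair; return (failures, false accusations)."""
    fails = wrong = 0
    for i1, i2 in combinations(range(n), 2):
        det = detectable_positions(n, i1, i2)
        for bits in product((0, 1), repeat=len(det)):
            fill = dict(zip(det, bits))
            out = trace(pirate_matrix(n, i1, i2, lambda r, c: fill[(r, c)]))
            if out is None:
                fails += 1
            elif not out <= {i1, i2}:
                wrong += 1
    return fails, wrong


def check_with_erasures(n, trials=200, seed=1):
    """Random pirate words with at least one '?': tracing must always succeed."""
    rng = random.Random(seed)
    for _ in range(trials):
        i1, i2 = rng.sample(range(n), 2)
        det = detectable_positions(n, i1, i2)
        fill = {p: rng.choice((0, 1, '?')) for p in det}
        fill[rng.choice(det)] = '?'
        out = trace(pirate_matrix(n, i1, i2, lambda r, c: fill[(r, c)]))
        if out is None or not out <= {i1, i2}:
            return False
    return True
```

For n = 4, `check_all_binary(4)` visits all 6 pairs times $2^{8}$ fillings and reports exactly 12 failures (the n − 2 = 2 special matrices per pair) and no false accusation, matching Theorem 5.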
3.4 Reducing the Code Length
Since all codewords have the value 0 at the base-points, we can remove the n positions corresponding to the n base-points. Moreover, if we choose the n base-points to be $b_i = (i, i)$, then every codeword is a symmetric matrix. Therefore we only need to record the lower part of the matrix, and so the code has length n(n − 1)/2.
4 Construction from Traceability Codes
In this section we combine the code $\gamma = \{M_1, M_2, \ldots, M_n\}$ constructed in the previous section with 2-traceability codes to obtain 2-secure codes with shorter length. c-Traceability codes are defined as follows.

Definition 6. ([10]) Let Γ be an n-ary code of length L, and $C = \{u_1, \cdots, u_b\} \subseteq \Gamma$, where $u_i = (a_{i1}, a_{i2}, \cdots, a_{iL})$. Γ is called a c-traceability code, or c-TA code for short, if the following condition is satisfied: for any $C \subseteq \Gamma$, $|C| \le c$, and any $(x_1, \cdots, x_L) \in \mathrm{Desc}(C)$, there is a $u_i \in C$ such that
$$|\{j : x_j = a_{ij}\}| > |\{j : x_j = a_j\}|$$
for any $(a_1, \cdots, a_L) \in \Gamma \setminus C$.

c-TA codes can tolerate some erased positions (positions with ‘?’). The bound on the maximum number of erasures tolerated by a c-TA code was given in [8]. Let Γ be an n-ary code and $C = \{u_1, \cdots, u_b\} \subseteq \Gamma$, $b \le c$. Define the set
$$F(C; e) = \{(x_1, \cdots, x_L) \in F(C) : |\{j : x_j = ?\}| \le e\}.$$
Theorem 6. Let Γ be an $(L, N, D)_q$-ECC, and c be an integer.
1. ([10]) If
$$D > \left(1 - \frac{1}{c^2}\right) L \qquad (2)$$
then Γ is a c-TA code.
2. ([8]) If
$$D > \left(1 - \frac{1}{c^2}\right) L + \frac{e}{c^2} \qquad (3)$$
then Γ is a c-TA code tolerating e erasures.
Let Γ be an n-ary code of length L and size N over an alphabet $\{a_1, a_2, \ldots, a_n\}$. Define a binary code ∆(Γ, γ) in which each codeword has length ℓL and is obtained in the following way:
$$U = M_{i_1} M_{i_2} \ldots M_{i_L}, \quad \text{where } a_{i_1} a_{i_2} \ldots a_{i_L} \in \Gamma.$$

Theorem 7. Suppose γ is an (ℓ, n) c-secure code with ε-error, and Γ is an $(L, N, D)_n$ c-TA code satisfying (3). Then ∆(Γ, γ) is a c-secure code with error at most $(\varepsilon L)^{e+1}$.

Proof. Denote by $A_O$, $A_I$ the tracing algorithms for the outer code and the inner code. Define a tracing algorithm for the code ∆(Γ, γ) as follows. Suppose a pirate word $X = X_1 X_2 \cdots X_L$ is given.
Step 1: Apply $A_I$ to each $X_j$, j = 1, 2, ..., L. Suppose the output is $M_{i_j}$.
Step 2: Apply $A_O$ to $a_{i_1} a_{i_2} \ldots a_{i_L}$. The output U of $A_O$ is treated as a traitor.
For this tracing, an error happens only if $|\{j : A_I(X_j) = \emptyset\}| > e$. Since the tracing error of $A_I$ is ε, the tracing error for the code ∆(Γ, γ) is at most $\binom{L}{e+1} \varepsilon^{e+1} < (\varepsilon L)^{e+1}$.

The following is an example of the resulting 2-secure codes.

Theorem 8. Let n be a prime power, and e, k be positive integers such that $k \le \frac{1}{4}(n - e - 1)$. There exists a 2-secure code with error $\left(\frac{(n-2)(n-1)}{2^{4n-8}}\right)^{e+1}$; the length of the code is $n^2(n-1)$ and the number of codewords is $n^k$.

Proof. Let Γ be a Reed-Solomon code of length L = n − 1 and dimension k over GF(n). Then by Theorem 7, ∆(Γ, γ) is a 2-secure code with error at most $\left(\frac{(n-2)(n-1)}{2^{4n-8}}\right)^{e+1}$.

The following is a family of 2-TA codes. A code Γ is called an equidistant code if the Hamming distances between any two codewords are all the same.

Theorem 9. An equidistant code with odd distance is a 2-TA code.

Proof. Let $X \in \mathrm{Desc}(U_1, U_2)$; then $d(X, U_1) + d(X, U_2) = d(U_1, U_2) = d$. Since d is odd, it follows that $d(X, U_1) \le (d-1)/2$ or $d(X, U_2) \le (d-1)/2$.
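The outer layer of Theorem 7 over a Reed-Solomon 2-TA code, as an added example that is not part of the paper: the function names, the parameter choice p = 11, k = 2, e = 5, and the simulated pirate words are ours, and the ‘?’ symbols stand for the outer positions at which the inner tracer $A_I$ returned nothing.

```python
# Added example (ours, not from the paper): a Reed-Solomon outer code over
# GF(p), p prime, checked against conditions (2)/(3) of Theorem 6, and the
# outer tracing step A_O of Theorem 7 applied to the symbol string that the
# inner tracer A_I returns, with '?' where A_I failed.  Names are ours.
import random
from itertools import product


def rs_code(p, k):
    """All codewords of the [L = p - 1, k] Reed-Solomon code over GF(p):
    every polynomial of degree < k evaluated at the nonzero field elements."""
    return [tuple(sum(a * pow(x, j, p) for j, a in enumerate(coeffs)) % p
                  for x in range(1, p))
            for coeffs in product(range(p), repeat=k)]


def min_distance(code):
    """Minimum Hamming distance D, computed directly (D = L - k + 1 for RS)."""
    return min(sum(a != b for a, b in zip(u, v))
               for i, u in enumerate(code) for v in code[i + 1:])


def satisfies_theorem6(L, D, c, e=0):
    """Condition (3) of Theorem 6; e = 0 gives condition (2)."""
    return D > (1 - 1 / c ** 2) * L + e / c ** 2


def descendant(u1, u2, rng, erasures):
    """Word of F({u1, u2}; e): each detectable position copies u1 or u2 at
    random, and at most `erasures` detectable positions become '?'."""
    x = [a if a == b or rng.random() < 0.5 else b for a, b in zip(u1, u2)]
    detectable = [j for j, (a, b) in enumerate(zip(u1, u2)) if a != b]
    for j in rng.sample(detectable, min(erasures, len(detectable))):
        x[j] = '?'
    return tuple(x)


def trace_outer(code, x):
    """A_O: the codeword agreeing with x in the most non-erased positions
    (Definition 6 guarantees that it is one of the colluders)."""
    return max(code, key=lambda u: sum(a == b for a, b in zip(u, x) if b != '?'))


def concatenated_error_bound(n, e):
    """Theorem 8: ((n-2)(n-1) / 2^(4n-8))^(e+1) for the inner code of Section 3
    concatenated with an [n-1, k] Reed-Solomon code over GF(n)."""
    return ((n - 2) * (n - 1) / 2 ** (4 * n - 8)) ** (e + 1)


def simulate(p, k, e, trials=300, seed=7):
    """Random two-colluder pirate words with up to e erasures; True if the
    outer tracer always names a real colluder."""
    code = rs_code(p, k)
    L, D = p - 1, min_distance(code)
    if not satisfies_theorem6(L, D, 2, e):
        raise ValueError("not a 2-TA code tolerating %d erasures" % e)
    rng = random.Random(seed)
    for _ in range(trials):
        u1, u2 = rng.sample(code, 2)
        if trace_outer(code, descendant(u1, u2, rng, e)) not in (u1, u2):
            return False
    return True
```

With p = 11 and k = 2 the code has L = 10 and D = 9, so condition (3) with c = 2 holds for e ≤ 5 but fails for e = 6, which is the erasure budget the outer tracer is checked against.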
5 Construction from Perfect Hash Families
In this section we construct 2-secure codes with more codewords by combining a 2-secure code with a perfect hash family. Using this construction with the inner code given in Section 3 and a perfect hash family given in [1, 11] gives a code with $7^{2^k}$ codewords and length $16 \times 7^k$.

Definition 7. Let N, n, t be integers, X and Y be sets of size N and n, respectively, and F be a family of s functions f : X → Y. F is called a perfect hash family, denoted by PHF(s; N, n, t), if for any subset Z ⊆ X of size t there exists an f ∈ F such that $f|_Z$ is one-to-one.

Let γ be an (ℓ, n) code and $F = \{f_1, f_2, \cdots, f_s : f_i : X \to Y\}$ be a PHF(s; N, n, t). Define a code Ω(γ, F) consisting of N codewords of length ℓs. Each codeword in Ω(γ, F) is labelled by an element x ∈ X, and is defined by
$$u_{f_1(x)} \,\|\, u_{f_2(x)} \,\|\, \cdots \,\|\, u_{f_s(x)};$$
here $\|$ means concatenation, and $u_{f_j(x)} \in \gamma$ for all j.

We consider a code Ω(γ, F), where $\gamma = \{M_1, M_2, \cdots, M_n\} \subseteq \{0,1\}^{n^2}$ is the code constructed in Section 3 and $F = \{f_1, f_2, \cdots, f_s : f_i : X \to Y\}$ is a PHF(s; N, n, 4). Suppose $C = \{U_1, U_2\} \subseteq \Omega(\gamma, F)$ is a collusion,
$$U_i = M_{f_1(x_i)} \,\|\, M_{f_2(x_i)} \,\|\, \cdots \,\|\, M_{f_s(x_i)}, \quad i = 1, 2.$$
Then the feasible set of C is given by
$$F(C) = \{X_1 X_2 \cdots X_s : X_j \in F(M_{f_j(x_1)}, M_{f_j(x_2)}),\ 1 \le j \le s\}.$$
Every $X \in \{0,1\}^{sn^2}$ is naturally represented by $X = X_1 X_2 \cdots X_s$ with $X_j \in \{0,1\}^{n^2}$ for each j. For a given $X \in \{0,1\}^{sn^2}$, define
$$\mathrm{ColluderPair}(X) = \{S \subseteq \Omega(\gamma, F) : |S| = 2,\ X \in F(S)\}.$$

Lemma 5. Let $X \in \{0,1\}^{sn^2}$ be given. If $S_1, S_2 \in \mathrm{ColluderPair}(X)$, then $S_1 \cap S_2 \neq \emptyset$.

Proof. Assume $U_i = M_{f_1(x_i)} \,\|\, M_{f_2(x_i)} \,\|\, \cdots \,\|\, M_{f_s(x_i)}$ and that $S_1 = \{U_1, U_2\}$, $S_2 = \{U_3, U_4\}$ are disjoint. Since F is a PHF(s; N, n, 4), there exists an $f_j \in F$ such that $f_j(x_1), f_j(x_2), f_j(x_3), f_j(x_4)$ are distinct, and so the two sets $\{M_{f_j(x_1)}, M_{f_j(x_2)}\}$ and $\{M_{f_j(x_3)}, M_{f_j(x_4)}\}$ are disjoint. It follows that the two descendant sets of $S_1$ and $S_2$ are disjoint.

Lemma 6. Let X be given. Then either $\bigcap \{S : S \in \mathrm{ColluderPair}(X)\} \neq \emptyset$, or there exist distinct $U_1, U_2, U_3$ such that $\mathrm{ColluderPair}(X) = \{\{U_1, U_2\}, \{U_2, U_3\}, \{U_3, U_1\}\}$.

Proof. Similar to the proof of Theorem 3.
Lemma 7. If $\mathrm{ColluderPair}(X) = \{\{U_1, U_2\}, \{U_2, U_3\}, \{U_3, U_1\}\}$, where $X = X_1 X_2 \cdots X_s \in \{0,1\}^{sn^2}$ and $U_i = M_{f_1(x_i)} \,\|\, M_{f_2(x_i)} \,\|\, \cdots \,\|\, M_{f_s(x_i)}$, then for each j = 1, 2, ..., s, $X_j$ is either a special matrix or a codeword matrix.

Proof. We have $X_j \in \mathrm{Desc}(M_{f_j(x_1)}, M_{f_j(x_2)})$, $X_j \in \mathrm{Desc}(M_{f_j(x_2)}, M_{f_j(x_3)})$ and $X_j \in \mathrm{Desc}(M_{f_j(x_3)}, M_{f_j(x_1)})$ for each j = 1, ..., s. If $M_{f_j(x_1)}$, $M_{f_j(x_2)}$ and $M_{f_j(x_3)}$ are three different codeword matrices, then by Lemma 4 $X_j$ must be a special matrix. If they are not distinct codewords, say $M_{f_j(x_1)} = M_{f_j(x_2)}$, then it follows from $X_j \in \mathrm{Desc}(M_{f_j(x_1)}, M_{f_j(x_2)})$ that $X_j = M_{f_j(x_1)} = M_{f_j(x_2)}$. In this case, $X_j$ is a codeword matrix.

Lemma 8. The tracing error is $\varepsilon = \left(\frac{2n-2}{2^{4n-8}}\right)^s$.

Proof. For each j = 1, ..., s, the number of special matrices that two colluders can produce is n − 2. Therefore, there are 2n − 2 possibilities for $X_j$ to be a special matrix or a codeword matrix. The probability of producing such an $X_j$ is $\frac{2n-2}{2^{4n-8}}$. It follows that the probability of having $\mathrm{ColluderPair}(X) = \{\{U_1, U_2\}, \{U_2, U_3\}, \{U_3, U_1\}\}$ is $\left(\frac{2n-2}{2^{4n-8}}\right)^s$.

In the following we show the existence of the perfect hash family.

Theorem 10. ([1, 11]) There exists a $\mathrm{PHF}(7^{k+1}; 7^{2^k}, 4, 4)$ for all k ≥ 0.

Theorem 11. Let k be an integer. There exists a 2-secure code with error $\varepsilon = \left(\frac{3}{2^7}\right)^{7^{k+1}}$, of length $L = 16 \times 7^{k+1}$, consisting of $N = 7^{2^k}$ codewords.

Proof. Use $F_k = \mathrm{PHF}(7^{k+1}; 7^{2^k}, 4, 4)$ and the inner code γ with n = 4. Then $\Omega(\gamma, F_k)$ is a 2-secure code with error $\left(\frac{2 \times 4 - 2}{2^{4 \times 4 - 8}}\right)^{7^{k+1}} = \left(\frac{3}{2^7}\right)^{7^{k+1}}$.
6 Comparison and Concluding Remarks
We considered 2-secure fingerprinting codes and presented a number of new constructions. A c-secure code provides a tracing algorithm and an estimate of the highest probability of incorrect tracing. Our main construction, like all other known ones, has two layers: a 2-secure code is used as the inner code, and then an outer structure is used to increase the number of codewords. All previous inner codes have shortcomings. Our proposed inner code improves on all the known codes by having a number of desirable properties simultaneously. Most importantly, it ensures that no innocent user will be accused. The only other inner code that satisfies this property exists only for a very limited range of numbers of codewords. Noting that this number is the alphabet size of the outer structure, a much wider range of outer structures can be used, and so better c-secure codes can be obtained. We showed two general forms of outer structure, one based on 2-TA codes and the second on perfect hash families, and in both cases obtained the probability of incorrect tracing in terms of the parameters of the inner code and the outer structure.
Acknowledgement. The authors would like to thank the anonymous referees for useful comments, which led to an improvement of Theorem 5 over the previous version, and for a suggestion which is included in Section 3.4.
References
[1] M. Atici, S. S. Magliveras, D. R. Stinson, and W. D. Wei. Some recursive constructions for perfect hash families. Journal of Combinatorial Designs, 4:353–363, 1996.
[2] D. Boneh and M. Franklin. An efficient public key traitor tracing scheme. In Advances in Cryptology – CRYPTO’99, Lecture Notes in Computer Science, volume 1666, pages 338–353. Springer-Verlag, Berlin, Heidelberg, New York, 1999.
[3] D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. In Advances in Cryptology – CRYPTO’95, Lecture Notes in Computer Science, volume 963, pages 453–465. Springer-Verlag, Berlin, Heidelberg, New York, 1995.
[4] D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, Vol. 44, No. 5:1897–1905, 1998.
[5] J. Domingo-Ferrer and J. Herrera-Joancomarti. Short collusion-secure fingerprints based on dual binary Hamming codes. Electronics Letters, Vol. 36, No. 20:1697–1699, 2000.
[6] A. Fiat and M. Naor. Broadcast encryption. In Advances in Cryptology – CRYPTO’93, Lecture Notes in Computer Science, volume 773, pages 480–491. Springer-Verlag, Berlin, Heidelberg, New York, 1994.
[7] A. Kiayias and M. Yung. Self protecting pirates and black-box traitor tracing. In Advances in Cryptology – CRYPTO’01, Lecture Notes in Computer Science, volume 2139, pages 63–79. Springer-Verlag, Berlin, Heidelberg, New York, 2001.
[8] R. Safavi-Naini and Y. Wang. Collusion secure q-ary fingerprinting for perceptual content. In Security and Privacy in Digital Rights Management (SPDRM 2001), Lecture Notes in Computer Science, volume 2320, pages 57–75. Springer-Verlag, Berlin, Heidelberg, New York, 2002.
[9] F. Sebe and J. Domingo-Ferrer. Short 3-secure fingerprinting codes for copyright protection. In Proceedings of ACISP’02, Lecture Notes in Computer Science, volume 2384, pages 316–327. Springer-Verlag, Berlin, Heidelberg, New York, 2002.
[10] J. N. Staddon, D. R. Stinson, and R. Wei. Combinatorial properties of frameproof and traceability codes. IEEE Transactions on Information Theory, Vol. 47, No. 3:1042–1049, 2001.
[11] D. Stinson, T. Trung, and R. Wei. Secure frameproof codes, key distribution patterns, group testing algorithms and related structures. Journal of Statistical Planning and Inference, 86(2):595–617, 2000.
[12] D. Stinson and R. Wei. Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM Journal on Discrete Mathematics, 11:41–53, 1998.
[13] D. R. Stinson and R. Wei. Key preassigned traceability schemes for broadcast encryption. In Proceedings of SAC’98, Lecture Notes in Computer Science, volume 1556, pages 144–156. Springer-Verlag, Berlin, Heidelberg, New York, 1999.
Reed Solomon Codes for Digital Fingerprinting

Ravi Sankar Veerubhotla, Ashutosh Saxena, and Ved Prakash Gulati
Institute for Development and Research in Banking Technology, Castle Hills, Masab Tank, Hyderabad 500057, AP, INDIA
{vrsankar,asaxena,vpgulati}@idrbt.ac.in
Abstract. Reed Solomon codes are widely used in error-correcting methods and in the construction of fault tolerant systems such as RAID. Recent studies [2], [7], [8] revealed that these codes have a potential application in cryptography. The hardness of decoding Reed Solomon codes can be exploited to construct new cryptographic applications. It is in this scenario that we discuss the suitability of Reed Solomon codes for Digital Fingerprinting in particular and cryptography in general. We derive results for bounds on fingerprint length, design a tracing method for Boneh’s broadcast encryption system [2], and discuss collusion attacks on fingerprints. Pirate strategies and performance issues are also presented.
1 Introduction
Fingerprinting digital data is a possible solution to the problem of copyright violations. By Digital Fingerprinting we refer to the act of embedding a unique identifier in a digital object in such a way that it will be difficult for others to find, remove or destroy the identifier. Thus every user's copy is made unique, while still being close to the original. This ensures that an illegal copy stands out. Distribution of different copies to valid users facilitates identifying the illegal users. The problem of Fingerprinting can be divided into two sub-problems, which can be addressed individually: the problem of Embedding and the problem of Coding. The Embedding problem states how to make the alterations by which we encode single digits into the object. The Coding problem describes how to choose the fingerprints in their abstract representation (as vectors of digits) such that the fingerprinting system becomes robust against different types of attacks. The embedding problem involves elements from steganography and watermarking [1], [6], while the coding part incorporates tracing methods, bounds on fingerprint length, choice of codes, etc. Thus Fingerprinting contains various elements from areas like steganography, watermarking, coding theory and traitor tracing. Here is a brief description of these elements.

Steganography is about embedding a secret message in a cover message so that it is not visible and cannot be discovered. This is a means by which two or more parties may communicate using "invisible" or "subliminal" communication. The embedding can be parameterized by a key that is used when retrieving the secret message. The secret message may be encrypted for added security.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 163-175, 2002. Springer-Verlag Berlin Heidelberg 2002

Watermarking is much like steganography, the only difference being that the scheme should be robust against active attackers, even if the attackers know that an object not only contains a watermark but also the algorithmic principle of the method.

In Traitor tracing, a distributor broadcasts encrypted data that should be available only to a certain set of users. Each user has a unique decryption key that can be used to decrypt the broadcast data. It is possible that some users collude and create a new key, different from any of theirs, and still able to decrypt the broadcast data. In a traitor tracing scheme [2], [4], if the number of users colluding is less than some given threshold, it is possible, with low probability of error, to trace at least one of the creators of the pirate key.
2 Background
In this section we present some definitions and terms related to Fingerprinting.
- An object is a collection of digital data. Digitally stored texts, images or audio files are examples of such objects. An object is close to another object if they are so similar that they serve the same purpose for normal use.
- An original is an object that somebody, who has the legal right to do so, wants to distribute. There is exactly one original in the fingerprinting system.
- A copy is an object close to the original. A copy in this sense is not an exact digital copy (digit by digit). Instead, it is an object which is very similar to the original for all practical purposes.
- The distributor is the sole entity that has the original and the right to distribute it. For example, if the original is a book, the distributor can be the publisher of that book, that is, the person/company that has the right to distribute the book. The distributor is the only one who is allowed to distribute the copies. Illegal distribution is the distribution of copies by somebody other than the distributor. The distributor considers all other forms of distribution as illegal and unwanted.
- Pirates are users performing illegal distribution. If the number of pirates is more than one, it is called a collusion. The Marking Assumption defined in [3] states that the colluding pirates can detect a specific mark if, and only if, it differs between their copies. They cannot change an undetected mark without destroying the fingerprinted object.

2.1 Goals of Fingerprinting
If an illegal copy is discovered, there can be three different goals:
- To be able to identify the pirate or, in the case of several pirates working together, as many of the pirates as possible.
- To be able to test whether a certain proposed user, or group of users, is guilty of having created the illegal copy.
- To be able to achieve a trade-off between false alarm error and false dismissal error.
Reed Solomon Codes for Digital Fingerprinting
The false alarm error corresponds to accusing a user who is innocent and the false dismissal error corresponds to failing to accuse a user who is guilty. It is desirable to keep the probability of both of these errors to a minimum. Unfortunately they are conflicting goals, so a trade-off has to be made. As a special case, when exactly one user is accused after every tracing, the two kinds of error coincide: a false alarm is always a false dismissal and vice versa, and thus we get only one kind of error.
2.2 A Model for Fingerprinting
Using the definitions presented earlier we describe the working of a fingerprinting system [9] as follows:
- A public fingerprinting code $\Psi$ is chosen by the distributor for use in the fingerprinting system. $\Psi$ is of length $n$ and publicly known.
- The original digital object that is to be fingerprinted is prepared by locating marks in it, and making alterations in such a way that the object as a whole is degraded only slightly or not at all. This is done in such a way that the marking assumption holds.
- A code $\Gamma$ is chosen randomly, with equal probability, among all codes equivalent to $\Psi$. The numbering of the codewords is chosen such that $\Psi = \{\psi_{\alpha_1}, \psi_{\alpha_2}, \ldots, \psi_{\alpha_M}\}$, $\Gamma = \{\gamma_1, \gamma_2, \ldots, \gamma_M\}$ and $\gamma_i$ is the coordinate-permuted and translated $\psi_i$ for all $i$.
- The objects that are to be distributed are fingerprinted by embedding the codewords of $\Gamma$ into them. The fingerprinted objects are distributed to the users so that user $i$ gets the object fingerprinted with codeword $\gamma_i$.
2.3 Attacks on Fingerprint
A pirate may try different types of attacks to remove the fingerprint, in order to distribute illegal copies anonymously. Assuming that the pirate has access to a single document copy that has been marked for him, he may either try to restore the original document by identifying and removing the fingerprint, or try to corrupt the fingerprint by distorting the document.
Majority Choice: this strategy requires that the number of pirates is odd and greater than two. In every detectable mark the pirates output to the illegal copy the alternative that occurs the greatest number of times in the pirates' objects.
Minority Choice: this attack is carried out by inverting the result of the majority choice. The difference compared to majority choice is that the illegal fingerprint on average will be as distant as possible from the fingerprints of the pirates.
Binary Addition: in every detectable mark the pirates output to the illegal copy the alternative that occurs an odd number of times in the pirates' objects. This does not differ significantly from “normal” binary addition.
Random Pirate Choice: the pirates choose every detectable mark randomly, with equal probability among the possible alternatives, and output the result to the illegal copy.
A stronger attack results if several pirates collude [4] and compare their independently marked copies. Then they can detect and locate the differences, and combine their copies into a new copy, the fingerprint of which differs from those of all the pirates. A good fingerprinting scheme should be resistant against all reasonable attacks, while keeping the marking distortion negligible. Fingerprinting should be robust against attacks, and if several users collude and create a new object (corresponding to a new key in the traitor tracing scenario), it should be possible to find at least some of the users who colluded.
Ravi Sankar Veerubhotla et al.
2.4 Properties of Reed Solomon Codes
Reed Solomon codes are codes over the alphabet $F = GF(q)$ (the Galois field of order $q$). Let $n$, $k$ and $q$ be integers such that a finite field of size $q$ exists. The code may be obtained by letting a message $m = m_0 \ldots m_{k-1}$ denote the coefficients of a degree $k-1$ polynomial
$$f(x) = \sum_{j=0}^{k-1} m_j x^j$$
and letting the encoding of $m$ be $C(m) = c_1 \ldots c_n$ where $c_i = f(x_i)$ and $x_1, \ldots, x_n$ are $n$ distinct elements of $F$. A Reed Solomon code is specified as $RS(n, k)$ with $s$-bit symbols. This means that the encoder takes $k$ data symbols of $s$ bits each and adds parity symbols to make an $n$-symbol codeword. There are $n - k$ parity symbols of $s$ bits each. A Reed Solomon decoder can correct up to $t$ symbols that contain errors in a codeword, where $2t = n - k$. If we want to send a $k$-digit plaintext message, a Reed Solomon code will send $n = k + 2s$ digits, and guarantee that the correct message can be reconstructed at the other end if there are fewer than $s$ corrupted digits. For a linear $[n, k, d]$ code over $GF(q)$ the Singleton bound becomes $d \le n - k + 1$. A code is called Maximum Distance Separable if it attains the Singleton bound with equality. Every Reed-Solomon code is Maximum Distance Separable (MDS).
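As an added example, not code from the paper, the following Python builds the Reed Solomon code exactly as defined above (message coefficients of $f$, codeword $= (f(x_1), \ldots, f(x_n))$ over a prime field), decodes from erasures by Lagrange interpolation, and checks the MDS property $d = n - k + 1$ by brute force. The field size $q = 13$, the parameters $n = 8$, $k = 3$, and all function names are constructed for illustration and are far too small for any real use.

```python
"""Added example (not the paper's code): Reed Solomon encoding by polynomial evaluation,
erasure decoding by Lagrange interpolation, and a brute-force check that d = n - k + 1.
The field and code parameters are constructed toy values."""
from itertools import product

P = 13                       # q = 13, so GF(q) is arithmetic mod 13 (assumption: q prime)
N, K = 8, 3                  # RS(n, k): n distinct evaluation points, k message symbols
XS = list(range(1, N + 1))   # x_1, ..., x_n: distinct elements of GF(q); needs n <= q


def poly_eval(coeffs, x, p=P):
    """f(x) = sum_j coeffs[j] x^j evaluated in GF(p) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def rs_encode(msg, xs=XS, p=P):
    """C(m) = (f(x_1), ..., f(x_n)) where msg = (m_0, ..., m_{k-1}) are the coefficients of f."""
    return [poly_eval(msg, x, p) for x in xs]


def poly_mul_linear(poly, root, p=P):
    """Multiply a polynomial (low-degree-first coefficients) by (x - root) in GF(p)."""
    out = [(-root * poly[0]) % p]
    out += [(poly[d - 1] - root * poly[d]) % p for d in range(1, len(poly))]
    out.append(poly[-1])
    return out


def lagrange_interpolate(points, p=P):
    """Coefficients of the unique polynomial of degree < len(points) through the (x, y) pairs."""
    m = len(points)
    coeffs = [0] * m
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1            # L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = poly_mul_linear(basis, xj, p)
                denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        coeffs = [(c + scale * b) % p for c, b in zip(coeffs, basis)]
    return coeffs


def rs_decode_erasures(received, xs=XS, k=K, p=P):
    """Erasure decoding: received[i] is None where symbol i was erased. Any k surviving symbols
    determine f (MDS), so up to n - k erasures are tolerated; beyond that there is no unique answer."""
    survivors = [(x, y) for x, y in zip(xs, received) if y is not None]
    if len(survivors) < k:
        return None
    return lagrange_interpolate(survivors[:k], p)


def min_distance(xs=XS, k=K, p=P):
    """Minimum Hamming weight over all non-zero codewords, which for a linear code equals d."""
    best = len(xs)
    for msg in product(range(p), repeat=k):
        if any(msg):
            best = min(best, sum(1 for c in rs_encode(list(msg), xs, p) if c))
    return best
```

With these parameters `rs_decode_erasures` recovers the message from any three of the eight symbols and gives up once six are erased, and `min_distance()` returns $6 = n - k + 1$: a non-zero polynomial of degree at most $k - 1$ has at most $k - 1$ roots among the $n$ evaluation points, which is the whole argument behind the MDS property.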
3 Our Contribution
In our work we present the applicability of Reed Solomon codes to digital fingerprinting in particular and cryptography in general. We derive results for bounds on fingerprint length and design a tracing method for a broadcast encryption system. We also discuss collusion attacks on fingerprints, pirate strategies and performance issues. The tracing method used in the encryption scheme can be used as part of fingerprinting applications to detect a pirate who uses any linear combination of codewords.
3.1 Bounds for Collusions
Assume that given an illegal fingerprint $z$ we want to find any collusion of at most $c$ pirates among the total number of $M$ users. For this to be possible there must be at least as many fingerprints as possible collusions of size at most $c$. The bound we would like to derive is based on the idea that different collusions must be able to generate different fingerprints in order to be distinguishable. This does not say anything about the performance of the tracing method, but it does constitute a lower bound on the size of the fingerprint space necessary for it. The bound requires exactly one unique fingerprint for each collusion, while in fact most collusions have considerable freedom in their choice of fingerprints (i.e., their feasible sets are large). Consequently, the actual fingerprint length required is expected to be much greater than this lower bound. In binary fingerprinting schemes, if the total number of users is $M$, the number of possible user sets of size at most $c$ is
$$\sum_{i=1}^{c} \binom{M}{i} = \sum_{i=0}^{c} \binom{M}{i} - 1 = V(M, c) - 1$$
where $V(M, c)$ is the volume of a sphere of radius $c$ in an $M$-dimensional Hamming space. This means that there have to be $\log(V(M, c) - 1)$ bits in the fingerprint for it to be possible to uniquely accuse each of the possible user sets. Let $F$ be an alphabet of size $q$. Note that a sphere of radius $t$ in $F^n$ is the set of words in $F^n$ at Hamming distance $t$ or less from a given word in $F^n$. The number of words, or the volume, of such a sphere is given by
$$V_q(n, t) = \sum_{i=0}^{t} \binom{n}{i} (q-1)^i .$$
For the asymptotic versions of the sphere packing bound and the Gilbert-Varshamov bound, we will need estimates for the value of $V_q(n, t)$. We know that the binary entropy function $H_2(x)$ is given by
$$H_2(x) = -x \log_2 x - (1-x) \log_2 (1-x) .$$
Making use of the $q$-ary entropy function $H_q : [0,1] \to [0,1]$, which is defined as
$$H_q(x) = -x \log_q x - (1-x) \log_q (1-x) + x \log_q (q-1) ,$$
where $H_q(0) = H_q(1) = 0$, one can verify that the function $x \mapsto H_q(x)$ is strictly concave, nonnegative, and attains a maximum value $1$ at $x = 1 - (1/q)$.
Lemma 1. For an $[n, t]$ code over $GF(q)$, if $0 \le t/n \le 1 - (1/q)$, then
$$V_q(n, t) \le q^{n H_q(t/n)} .$$
Proof. Please see Appendix.
Lemma 2. For an $[n, t]$ code over $GF(q)$, for $0 \le t \le n$,
$$V_q(n, t) \ge \binom{n}{t} (q-1)^t \ge \frac{1}{n+1} \, q^{n H_q(t/n)} .$$
Proof. Please see Appendix.
3.2 The Length of Fingerprints
The number of different user sets that we have to point out is one less than the volume of an $M$-dimensional sphere with radius $c$. Thus we can say that to be able to identify any user set of size at most $c$, the length $l$ of the fingerprints has to fulfill the following inequality:
$$l \ge \log_q (V_q(M, c) - 1) > \log_q \frac{V_q(M, c)}{q} = \log_q (V_q(M, c)) - \log_q q$$
$$\ge \log_q \left( \frac{1}{M+1} \, q^{M H_q(c/M)} \right) - 1 = \log_q \frac{1}{M+1} + M H_q\!\left(\frac{c}{M}\right) - 1$$
$$= -\log_q (M+1) - c \log_q \frac{c}{M} - (M - c) \log_q \left(1 - \frac{c}{M}\right) + c \log_q (q-1) - 1 .$$
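As an added example, not from the paper, the following Python evaluates the quantities in the derivation above: the sphere volume $V_q(n, t)$, the $q$-ary entropy $H_q$, a numeric check of Lemmas 1 and 2, and the fingerprint-length bound both in its exact form $l \ge \log_q(V_q(M, c) - 1)$ and in the closed form obtained from Lemma 2. The function names and the sample parameters are constructed for illustration.

```python
"""Added example (not the paper's code): sphere volume, q-ary entropy, numeric checks of
Lemmas 1 and 2, and the fingerprint-length lower bound of Section 3.2."""
import math


def volume(q, n, t):
    """V_q(n, t) = sum_{i=0}^{t} C(n, i) (q-1)^i, the number of words of F^n within Hamming distance t."""
    return sum(math.comb(n, i) * (q - 1) ** i for i in range(t + 1))


def entropy_q(q, x):
    """H_q(x) = -x log_q x - (1-x) log_q (1-x) + x log_q (q-1), with H_q(0) = H_q(1) = 0."""
    if x <= 0 or x >= 1:
        return 0.0
    return -x * math.log(x, q) - (1 - x) * math.log(1 - x, q) + x * math.log(q - 1, q)


def lemmas_hold(q, n, t, tol=1e-9):
    """Lemma 1: V_q(n,t) <= q^{n H_q(t/n)} whenever t/n <= 1 - 1/q.
    Lemma 2: V_q(n,t) >= C(n,t)(q-1)^t >= q^{n H_q(t/n)} / (n+1) for 0 <= t <= n."""
    v = volume(q, n, t)
    est = q ** (n * entropy_q(q, t / n))
    upper_ok = t / n > 1 - 1 / q or v <= est * (1 + tol)
    lower_ok = v >= math.comb(n, t) * (q - 1) ** t >= est / (n + 1) * (1 - tol)
    return upper_ok and lower_ok


def exact_length_bound(q, M, c):
    """l >= log_q(V_q(M, c) - 1): symbols needed to give every user set of size <= c its own fingerprint."""
    return math.log(volume(q, M, c) - 1, q)


def min_fingerprint_length(q, M, c):
    """The smallest integer length satisfying the exact bound."""
    return math.ceil(exact_length_bound(q, M, c))


def entropy_length_bound(q, M, c):
    """The closed form derived from Lemma 2:
    -log_q(M+1) - c log_q(c/M) - (M-c) log_q(1 - c/M) + c log_q(q-1) - 1."""
    x = c / M
    return (-math.log(M + 1, q) - c * math.log(x, q) - (M - c) * math.log(1 - x, q)
            + c * math.log(q - 1, q) - 1)
```

For $M = 8$ users, collusions of size at most $c = 2$ and a binary alphabet there are $V_2(8, 2) - 1 = 36$ user sets to distinguish, so at least six fingerprint bits are needed; the entropy form is weaker (it evaluates to about $2.3$) because it passes through the $1/(M+1)$ slack of Lemma 2, which is why the text calls the result a lower bound rather than a design value.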
This result shows that the fingerprint length for any fingerprinting application must be higher than a certain value in order to identify any user set of size at most $c$. The code length chosen for the fingerprint should satisfy the above condition, so that it is possible to identify the collusion set.
3.3 Content Distribution Scheme
We first briefly present the elliptic analog of the broadcast encryption technique proposed by Boneh [2] for content distribution, where there is one public key and $k$ corresponding private keys, followed by our tracing method. The security of the encryption scheme is based on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (EC-DLP). Our tracing scheme, presented later, defends against collusion of any number of parties. For tracing, we make use of a certain linear space tracing code $\Gamma$ (a Reed Solomon code), which is a collection of $k$ codewords in $F^k$, $F$ being a finite field. The construction of the set $\Gamma$ and its properties are described later.
I The Encryption Scheme
Let $E$ be the elliptic curve and $G$ the base point on it. The arithmetic in the following algorithm, which involves additions, subtractions and multiplications, is carried out on the elliptic curve $E$.
Key Generation: Perform the following steps.
Step 1: Let $G$ be the base point of order $p$ on $E$.
Step 2: For $i = 1, 2, \ldots, k$ choose an integer $r_i \in \mathbb{Z}_p$ and compute the points $h_i = r_i G$.
Step 3: Compute $Y = \sum_{i=1}^{k} (\alpha_i h_i)$ for random $\alpha_1, \alpha_2, \ldots, \alpha_k \in \mathbb{Z}_p$.
Step 4: The public key is $\langle Y, h_1, \ldots, h_k \rangle$.
Step 5: A private key is an element $\theta_i \in \mathbb{Z}_p$ such that $\theta_i \gamma^{(i)}$ is a representation of $Y$ with respect to the base $h_1, \ldots, h_k$. The $i$th key, $\theta_i$, is derived from the $i$th codeword $\gamma^{(i)} = (\gamma_1, \ldots, \gamma_k) \in \Gamma$ by
$$\theta_i = \Big(\sum_{j=1}^{k} r_j \alpha_j\Big) \Big/ \Big(\sum_{j=1}^{k} r_j \gamma_j\Big) \pmod p .$$
We frequently refer to the private key as being the representation $d_i = \theta_i \gamma^{(i)}$. However, it may be noted that only $\theta_i$ needs to be kept secret, since the code $\Gamma$ is public. One can verify that $d_i$ is indeed a representation of $Y$ with respect to the base $h_1, \ldots, h_k$.
Encryption: To encrypt a message $m$ in $F_{2^n}$, first embed the message $m$ onto the elliptic curve $E$. Let $P_M$ be the message point. Next pick a random element $a \in \mathbb{Z}_p$. Then compute
$$S = P_M + (aY) \quad \text{and} \quad H_i = a h_i \ \text{ for } i = 1, \ldots, k .$$
Set the ciphertext $C$ to be $C = \langle S, H_1, \ldots, H_k \rangle$.
Decryption: To decrypt a ciphertext $C = \langle S, H_1, \ldots, H_k \rangle$ using the $i$th user's private key $\theta_i$, compute $P_M = S - (\theta_i U)$ where $U = \sum_{j=1}^{k} (\gamma_j H_j)$. The original message is recovered as $M = (x \text{ coordinate of } P_M)$. Here $\gamma^{(i)} = (\gamma_1, \ldots, \gamma_k) \in \Gamma$ is the codeword from which the $i$th user's private key $\theta_i$ is derived. Observe that any private key $\theta_i$ correctly decrypts the given ciphertext.
II Tracing Scheme
In this section, we show how to get complete information about the traitors involved in constructing a pirate decoder. Boneh showed that the efficient way of constructing a pirate decryption box is only through convex combinations of existing private keys. The following tracing algorithm is simple, deterministic and traces all the traitors involved in creating a pirate decoder.
Linear space tracing: Suppose that the pirate gets hold of $m\ (\le k)$ decryption keys used to create a pirate box $D$. The decryption scheme is said to be $m$-resistant if there is a tracing algorithm that can determine at least one of the $d_i$'s in the pirate's possession. The pirate decoder contains at least one representation of $Y$ to correctly decrypt the encrypted content. Further, by examining the decoder, it is possible to obtain one of these representations, $d$. Suppose that a pirate key $d$ is constructed from $m$ keys $d_1, \ldots, d_m$. Since $d$ found in the pirate decoder is a convex combination of the $d_i$'s, it must lie in the linear span of $d_1, \ldots, d_m$. The construction of the tracing algorithm is such that, given input $d$, it outputs all $d_i$'s with corresponding weights.
The Set $\Gamma$: We describe the set $\Gamma$ containing $k$ codewords over $\mathbb{Z}_p^k$. Since $p$ is large, we can assume $p > 2k$. We construct $\Gamma$ with $k$ codewords by choosing a matrix $B$ of order $k \times k$ as follows.
$$B = \begin{pmatrix} 1 & 1 & 1 & \cdots & 1 \\ 1 & 2 & 3 & \cdots & k \\ 1 & 2^2 & 3^2 & \cdots & k^2 \\ 1 & 2^3 & 3^3 & \cdots & k^3 \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & 2^{k-1} & 3^{k-1} & \cdots & k^{k-1} \end{pmatrix}$$
Define $\Gamma$ as the set of rows of the matrix $B$, so that $\Gamma$ contains $k$ codewords each of length $k$. We show that all the rows of $B$ are linearly independent; if the rows of $B$ are linearly independent, so are the vectors of $\Gamma$. The private keys are constructed using the above set $\Gamma \subseteq \mathbb{Z}_p^k$ containing $k$ codewords. Each of the $k$ users is given a private key $d_i \in \mathbb{Z}_p^k$, which is a multiple of a codeword in $\Gamma$. Let $d$ be a point in the linear span of some $m$ codewords $\gamma^{(1)}, \ldots, \gamma^{(m)} \in \Gamma$. Then at least one $\gamma$ in $\gamma^{(1)}, \ldots, \gamma^{(m)}$ must be a member of the coalition that created $d$. This $\gamma$ identifies one of the private keys that must have participated in the construction of $d$. In fact, our tracing algorithm will output every $\gamma^{(i)}$ (hence all the traitors) which contributed to the pirate decoder $d$, with the corresponding weights in the linear combination.
Tracing algorithm: Let $d \in \mathbb{Z}_p^k$ be the vector formed by taking a linear combination of $m$ ($m \le k$) vectors from $\Gamma$. (A convex combination of the $d_i$ means a linear combination of the vectors in $\Gamma$.) We show that given $d$, one can efficiently determine the unique set of vectors in $\Gamma$ used to construct $d$. We know that there exists a vector $\varpi \in \mathbb{Z}_p^k$ of Hamming weight (number of non-zero elements) exactly $m$ such that
$$\varpi B^T = d$$
since the vector $d$ is a linear combination of these rows of the matrix $B$. We also know that $d = \theta \cdot \gamma^{(\theta)}$ for some $\theta$. Since $\gamma^{(\theta)}$ is uniquely expressed as a linear combination of the $\gamma^{(i)}$'s, so is $d$. We show how to recover these $\gamma^{(i)}$'s with their corresponding weights, for which we solve the system $\varpi B^T = d$.
To show $B$ is linearly independent: Consider the matrix
$$A = \begin{pmatrix} 1 & x_1 & x_1^2 & \cdots & x_1^{t-1} \\ 1 & x_2 & x_2^2 & \cdots & x_2^{t-1} \\ 1 & x_3 & x_3^2 & \cdots & x_3^{t-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & x_t & x_t^2 & \cdots & x_t^{t-1} \end{pmatrix}$$
The matrix $A$ is in Vandermonde form. One can observe that the matrix $A$ is linearly independent. We see that $B^T$ is in Vandermonde form and we know $\det B = \det B^T\ (\ne 0)$. Hence $B$ is linearly independent. As $B$ is a linearly independent matrix, we observe that $R[B^T] = R[B^T : d]$, where $R[B^T]$ denotes the rank of the matrix $B^T$ (since $d$ is spanned by the rows of $B$). Thus we get $k$ equations in $k$ unknowns. Hence, the system $\varpi B^T = d$ has a unique solution vector, which is simply $\varpi$. The $i$th element of $\varpi$ gives the contribution of the $i$th user in terms of $\gamma^{(i)}$. If the element is zero the corresponding user has no contribution towards the pirate representation $d$. The tracing is possible since the $\gamma^{(i)}$'s are linearly independent.
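As an added example, not the paper's own code, the following Python instantiates the $k$-user scheme of Section 3.3 (key generation, encryption, decryption with any representation of $Y$) and the linear-space tracing of Section II. The paper works on an elliptic curve; this example swaps in a prime-order subgroup of $\mathbb{Z}_{2039}^*$, so point addition becomes multiplication and scalar multiplication becomes exponentiation, and the subgroup order $1019$ plays the role of the paper's $p$. The group parameters are a constructed toy instance, not a secure parameter set; the helper names (`tracing_code`, `pirate_repr`, `solve_mod_q`, `trace`) and the coalition weights are assumptions made for the demonstration. The tracing step solves $B^T \varpi^T = d^T$, the column form of the system $\varpi B^T = d$ above, by Gauss-Jordan elimination.

```python
"""Added example (not the paper's code): the k-user broadcast scheme and linear-space tracing of
Section 3.3 in a prime-order subgroup of Z_PMOD^* instead of an elliptic curve. Toy parameters."""
import random

PMOD = 2039   # constructed: 2039 = 2*1019 + 1 is prime
Q = 1019      # prime order of the subgroup generated by G; plays the role of the paper's p, needs Q > 2K
G = 4         # 4 = 2^2 is a quadratic residue mod 2039, so it generates the order-Q subgroup
K = 4         # number of users (and of codewords in Gamma)


def add(a, b):            # point addition on E becomes multiplication in the subgroup
    return a * b % PMOD


def neg(a):               # point negation becomes inversion
    return pow(a, PMOD - 2, PMOD)


def smul(s, a):           # scalar multiplication s*P becomes a^s
    return pow(a, s % Q, PMOD)


def tracing_code(k=K):
    """Gamma = rows of the k x k matrix B with B[i][j] = (j+1)^i mod Q (Vandermonde form)."""
    return [[pow(j + 1, i, Q) for j in range(k)] for i in range(k)]


def keygen(k=K, rng=random):
    """Steps 1-5: public key <Y, h_1..h_k> and private keys theta_i = (sum r_j alpha_j) / (sum r_j gamma_j)."""
    gamma = tracing_code(k)
    while True:                                        # resample r until no denominator is 0 mod Q
        r = [rng.randrange(1, Q) for _ in range(k)]
        dens = [sum(rj * gj for rj, gj in zip(r, cw)) % Q for cw in gamma]
        if all(dens):
            break
    alpha = [rng.randrange(1, Q) for _ in range(k)]
    h = [smul(ri, G) for ri in r]                      # h_i = r_i G
    Y = 1
    for ai, hi in zip(alpha, h):
        Y = add(Y, smul(ai, hi))                       # Y = sum_i alpha_i h_i
    num = sum(rj * aj for rj, aj in zip(r, alpha)) % Q
    theta = [num * pow(den, -1, Q) % Q for den in dens]
    return (Y, h), theta, gamma


def encrypt(pub, PM, rng=random):
    """C = <S, H_1..H_k> with S = P_M + aY and H_i = a h_i; PM is the already embedded message point."""
    Y, h = pub
    a = rng.randrange(1, Q)
    return add(PM, smul(a, Y)), [smul(a, hi) for hi in h]


def user_repr(theta_i, cw):
    """d_i = theta_i * gamma^(i), the representation of Y held by user i."""
    return [theta_i * gj % Q for gj in cw]


def decrypt(cipher, d):
    """P_M = S - sum_j d_j H_j for any representation d of Y; with d = d_i this is S - theta_i U."""
    S, H = cipher
    U = 1
    for dj, Hj in zip(d, H):
        U = add(U, smul(dj, Hj))
    return add(S, neg(U))


def pirate_repr(theta, gamma, weights):
    """Constructed pirate key: a convex combination sum_i beta_i d_i with the beta_i summing to 1 mod Q."""
    assert sum(weights.values()) % Q == 1
    d = [0] * len(gamma)
    for i, beta in weights.items():
        for j, dij in enumerate(user_repr(theta[i], gamma[i])):
            d[j] = (d[j] + beta * dij) % Q
    return d


def solve_mod_q(A, b):
    """Gauss-Jordan elimination over Z_Q for an invertible square system A x = b."""
    n = len(A)
    M = [list(row) + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(i for i in range(col, n) if M[i][col] % Q)   # a pivot exists since A is invertible
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [v * inv % Q for v in M[col]]
        for i in range(n):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vc) % Q for vi, vc in zip(M[i], M[col])]
    return [M[i][n] for i in range(n)]


def trace(d, gamma):
    """Solve B^T w = d (the column form of the paper's system) for the unique weight vector w:
    w_i != 0 exactly for the users whose keys were combined into d, and w_i is their weight."""
    k = len(gamma)
    BT = [[gamma[i][j] for i in range(k)] for j in range(k)]
    return solve_mod_q(BT, d)
```

Running `trace` on a pirate representation built from users 0 and 2 with weights $\beta_0 = 3$, $\beta_2 = -2$ returns a vector whose only non-zero entries are $\beta_0 \theta_0$ and $\beta_2 \theta_2$ at positions 0 and 2, i.e. the coalition together with its weights, while the same pirate key still decrypts correctly because the weights sum to one.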
3.4 Pirate Strategies in Fingerprinting
By “strategy” we mean anything that the pirates choose to create their illegal fingerprint with, under the restrictions imposed earlier in this paper. In practice this means that in each detected mark they can choose the alternative from among the $q$ alphabet symbols, or something else not in the alphabet, corresponding to an erasure, which we denote with the symbol $e$. Given the codewords of the pirate group, a strategy is a mapping from the set of $c$-tuples of embedded codewords to the set of all possible fingerprints, possibly with erasures $e$: $f : \Gamma^c \to (GF(q) \cup \{e\})^n$. Without knowledge of which codewords the pirates have, the exact result of the pirates' strategy will in general be unknown to them. To the pirate collusion, a strategy is a random mapping from the set $\Lambda$ of distinguishable sets of tuple-equivalent $c$-tuples of public codewords to a subset of all possible fingerprints, possibly with erasures, $f : \Lambda \to S \subseteq (GF(q) \cup \{e\})^n$, where $S$ is the set of words that can be created by some pirate group. A Reed Solomon code can correct $t$ errors and $r$ erasures when $d_{min} \ge 2t + r + 1$. For each code there are cases when this inequality holds with equality. $d_{min}$ tells us that the number of detectable marks in a group of two pirates in an RS code is at least $d_{min}$. For the situation where the detectable marks can be put in an unreadable state, i.e. be erased, we can state the following lemma.
Lemma 3. If colluding pirates create an illegal copy by making erasures in every detectable mark, it may be impossible to trace any of them by decoding the illegal word to the closest codeword.
Proof. Please see Appendix.
For a fingerprinting scheme the testing method should counter the simple pirate strategies like binary addition, majority choice and random pirate choice on fingerprints. For tracing to be successful with high probability the fingerprinting method should restrict the pirate strategy. One such thing that puts a limitation on the pirate strategy is the marking assumption. As per the marking assumption there cannot be a combining function which is $c$-th order correlation immune. Similarly, in Boneh's encryption scheme the tracing method is successful because the pirate codeword (or private key) creation is limited to a convex combination (a sort of linear combination) of existing codewords.
3.5 Performance Measure
As per the Marking Assumption, users working together are assumed to be unable to make any changes in the objects other than in places where their objects differ. They can construct a new object embedded with a word from the feasible set of their codewords. If the code is $c$-IPP and if there are at most $c$ users working together, then for any such newly constructed object $z$ it is possible to trace at least one of the users taking part in constructing it (since there is at least one codeword that is a member of all $P$ such that $z \in FS(P)$, where $FS(P)$ is the feasible set of pirates $P$ under the Marking Assumption). $c$-IPP codes [5], [10], [11] would thus solve the fingerprinting problem in this setting. However, to construct $c$-IPP codes, the alphabet size $q$ must be strictly greater than the maximum number of pirates $c$. The performance of a fingerprinting scheme depends on the tracing algorithm as well as on the choice of code. The error correcting capabilities of Reed Solomon codes, which can handle modifications and erasures of the embedded fingerprints, were discussed earlier. Decoding techniques like Berlekamp's algorithm, which can tolerate erasures and errors, are already used in Boneh's scheme for tracing purposes.
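As an added example, not from the paper, the following Python makes the collusion strategies of Section 2.3 and the feasible-set notion $FS(P)$ of Section 3.5 concrete for binary fingerprints under the Marking Assumption: it computes which marks a coalition can detect, applies majority choice, minority choice, binary addition and random pirate choice, and then takes the tracer's view, listing every user set of size at most $c$ whose feasible set contains a given word $z$ and the users common to all of them. The four-user code, the function names and the coalition are constructed for illustration.

```python
"""Added example (not the paper's code): the collusion strategies of Section 2.3 on binary
fingerprints under the Marking Assumption, and the feasible-set test of Section 3.5 that a
tracer uses to decide which user sets could have produced an illegal word z. Toy codewords."""
from itertools import combinations
import random


def detectable_positions(copies):
    """Marking Assumption: a mark is detectable by the pirates iff it differs between their copies."""
    return [j for j in range(len(copies[0])) if len({cw[j] for cw in copies}) > 1]


def majority_choice(copies):
    """Requires an odd number of pirates greater than two; each mark gets the most frequent symbol
    (undetectable marks are unchanged, since all copies agree there)."""
    assert len(copies) % 2 == 1 and len(copies) > 2
    n = len(copies[0])
    return [int(sum(cw[j] for cw in copies) * 2 > len(copies)) for j in range(n)]


def minority_choice(copies):
    """Invert the majority choice in every detectable mark."""
    det = set(detectable_positions(copies))
    return [1 - s if j in det else s for j, s in enumerate(majority_choice(copies))]


def binary_addition(copies):
    """Output the symbol occurring an odd number of times, i.e. the XOR of the copies in detectable
    marks; undetectable marks keep the common symbol."""
    det = set(detectable_positions(copies))
    return [sum(cw[j] for cw in copies) % 2 if j in det else copies[0][j] for j in range(len(copies[0]))]


def random_pirate_choice(copies, rng=random):
    """Every detectable mark is chosen uniformly at random among the two alternatives."""
    det = set(detectable_positions(copies))
    return [rng.choice((0, 1)) if j in det else copies[0][j] for j in range(len(copies[0]))]


def in_feasible_set(copies, z):
    """z in FS(P): z may differ from the coalition's copies only in detectable marks
    (an erasure, written None, is likewise only allowed in a detectable mark)."""
    det = set(detectable_positions(copies))
    return all(z[j] == copies[0][j] for j in range(len(z)) if j not in det)


def consistent_coalitions(code, z, c):
    """All user sets P of size <= c with z in FS(P): the sets the tracer cannot rule out."""
    return [P for size in range(1, c + 1) for P in combinations(range(len(code)), size)
            if in_feasible_set([code[i] for i in P], z)]


def surely_guilty(code, z, c):
    """Users belonging to every consistent coalition; c-IPP codes guarantee this set is non-empty."""
    sets = consistent_coalitions(code, z, c)
    return sorted(set.intersection(*map(set, sets))) if sets else []
```

On the constructed four-user code in the test, the word produced by majority choice of users 0, 1 and 2 is consistent with the pairs $\{0,1\}$, $\{0,2\}$, $\{1,2\}$ and also with $\{1,3\}$, which contains the innocent user 3, and no single user lies in all of these sets. That is the false-alarm risk of Section 2.1 in miniature, and it agrees with the remark above that a $c$-IPP code needs an alphabet larger than $c$: a binary code cannot be 2-IPP.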
4 Conclusion
We considered coding methods for fingerprinting digital information, with the aim of discouraging users from copyright violation. Reed Solomon codes, used to provide certain forms of traceability, have been presented for fingerprinting applications that can protect intellectual property rights. Results for Reed Solomon codes related to fingerprinting are derived. A fingerprinting scheme can make use of these codes with any known embedding method, along with the encryption scheme, i.e. the fingerprinted object is encrypted first before broadcast. Different types of attacks are discussed, including attacks from colluding pirates. The tracing method presented by us also works for a digital fingerprinting scheme when pirates use linear combinations of codewords.
Acknowledgement. The first author would like to acknowledge the discussions with his colleague Sanjay Rawat.
References
[1] R. Anderson, F. A. P. Petitcolas: On The Limits of Steganography, IEEE Journal of Selected Areas in Communications, 16(4), pp. 474-481, 1998
[2] D. Boneh, M. Franklin: An Efficient Public Key Traitor Tracing Scheme, Proceedings of Crypto '99, Springer-Verlag, pp. 338-353, 1999
[3] D. Boneh, J. Shaw: Collusion-Secure Fingerprinting for Digital Data, IEEE Trans. Inform. Theory, vol. IT-44, pp. 1897-1905, 1998
[4] B. Chor, A. Fiat, M. Naor: Tracing Traitors, Proceedings of Crypto '94, Springer-Verlag, pp. 257-270, 1994
[5] H. D. L. Hollmann, J. H. van Lint, J. P. Linnartz, L. M. G. M. Tolhuizen: On Codes with the Identifiable Parent Property, Journal of Combinatorial Theory, Series A, 82, pp. 121-133, 1998
[6] S. Katzenbeisser, F. A. P. Petitcolas (eds.): Information Hiding Techniques for Steganography and Digital Watermarking, Artech House, 2000
[7] A. Kiayias, M. Yung: Cryptographic Hardness based on the Decoding of Reed-Solomon Codes with Applications, ECCC Technical Report TR02-017, 2002
[8] A. Kiayias, M. Yung: Cryptographic Hardness based on the Decoding of Reed-Solomon Codes, Proceedings of ICALP 2002, Springer-Verlag, pp. 232-243
[9] J. Löfvenberg, T. Lindkvist: A General Description of Pirate Strategies in a Binary Fingerprinting System, 2000, http://www.it.isy.liu.se/publikationer/LiTH-ISY-R-2259.pdf
[10] P. Sarkar, D. R. Stinson: Frameproof and IPP Codes, Indocrypt '01, Springer-Verlag, pp. 117-126, 2001
[11] D. R. Stinson, R. Wei: Combinatorial properties and constructions of traceability schemes and frameproof codes, SIAM Journal of Discrete Mathematics 11, pp. 41-53, 1998
Appendix
Lemma 1. For an $[n, t]$ code over $GF(q)$, if $0 \le t/n \le 1 - (1/q)$, then $V_q(n, t) \le q^{n H_q(t/n)}$.
Proof. Let $\tau = t/n$. Then, from the definition of the entropy function $H_q(x)$, we get
$$q^{-n H_q(\tau)} = \tau^{n\tau} (1-\tau)^{n(1-\tau)} (q-1)^{-n\tau} = \tau^{t} (1-\tau)^{n-t} (q-1)^{-t} .$$
Thus
$$q^{-n H_q(\tau)} \, V_q(n, t) = \tau^{t} (1-\tau)^{n-t} (q-1)^{-t} \sum_{i=0}^{t} \binom{n}{i} (q-1)^{i} = \sum_{i=0}^{t} \binom{n}{i} \tau^{t} (1-\tau)^{n-t} (q-1)^{i-t}$$
$$\le \sum_{i=0}^{t} \binom{n}{i} \tau^{i} (1-\tau)^{n-i} \qquad \text{for } \tau \le 1 - (1/q), \text{ since then } \tau \le (1-\tau)(q-1)$$
$$\le \sum_{i=0}^{n} \binom{n}{i} \tau^{i} (1-\tau)^{n-i} = (\tau + (1-\tau))^{n} = 1 .$$
Hence, we have the result $V_q(n, t) \le q^{n H_q(\tau)}$.
Lemma 2. For an $[n, t]$ code over $GF(q)$, for $0 \le t \le n$,
$$V_q(n, t) \ge \binom{n}{t} (q-1)^{t} \ge \frac{1}{n+1} \, q^{n H_q(t/n)} .$$
Proof. Let $\tau = t/n$ and let
$$N_i = \binom{n}{i} \tau^{i} (1-\tau)^{n-i} .$$
We first show that $N_i$ is maximal when $i = t$. Since
$$\frac{N_{i+1}}{N_i} = \frac{\binom{n}{i+1} \tau^{i+1} (1-\tau)^{n-i-1}}{\binom{n}{i} \tau^{i} (1-\tau)^{n-i}} = \frac{n-i}{i+1} \cdot \frac{\tau}{1-\tau} ,$$
$N_{i+1}/N_i < 1$ if and only if $i \ge t$. It follows that
$$(n+1) N_t \ge \sum_{i=0}^{n} N_i = (\tau + (1-\tau))^{n} = 1$$
and so $N_t \ge \frac{1}{n+1}$. On the other hand,
$$N_t = \binom{n}{t} \tau^{t} (1-\tau)^{n-t} = \binom{n}{t} (q-1)^{-t} \, q^{-n H_q(t/n)} .$$
Hence,
$$V_q(n, t) \ge \binom{n}{t} (q-1)^{t} = N_t \, q^{n H_q(t/n)} \ge \frac{1}{n+1} \, q^{n H_q(t/n)} .$$
Lemma 3. If colluding pirates create an illegal copy by making erasures in every detectable mark, it may be impossible to trace any of them by decoding the illegal word to the closest codeword.
Proof. Consider exactly two pirates. To be certain of correctly finding one of the pirates, the number of erasures $e$ must not be greater than $d_{min} - 1$, if we are to be sure of being able to do a correct decoding. The minimum Hamming distance between two codewords is $d_{min}$, which means that the number of detectable marks for the pirates is at least $d_{min}$. And $e = d_{min} > d_{min} - 1$, so it may be impossible to decode this correctly. This is true when the coalition size $c = 2$, for any alphabet size $q$, and adding more pirates will not make any of the detectable marks undetectable. So this holds for any number of pirates $c \ge 2$.
A Note on the Malleability of the El Gamal Cryptosystem
Douglas Wikström, Swedish Institute of Computer Science (SICS), [email protected]
Abstract. The homomorphic property of the El Gamal cryptosystem is useful in the construction of efficient protocols. It is believed that only a small class of transformations of cryptotexts are feasible to compute. In the program of showing that these are the only computable transformations we rule out a large set of natural transformations.
1 Introduction
Several efficient cryptographic protocols are based on the El Gamal cryptosystem. The reasons for this are mainly the algebraic simplicity of the idea, and the homomorphic property it possesses. The latter property makes the El Gamal system malleable, i.e. given $c = E(m)$ it is feasible to compute $c' = E(f(m))$, for some nontrivial function $f$. It is commonly conjectured that the El Gamal cryptosystem is malleable only for a small class of simple functions, and this is sometimes used implicitly in arguments about the security of protocols. Thus it is an important problem to characterize the malleability of the El Gamal cryptosystem. We take a first step in this direction. We formalize the problem, and discuss why restrictions of the problem are necessary. Then we show that the only transformations that can be computed perfectly are those of a well known and particularly simple type. Further on we give two examples that show that possible future results are not as strong as we may think. Finally we rule out a large set of natural transformations from being computable.
1.1 The El Gamal Cryptosystem
First we review the El Gamal cryptosystem and introduce some notation. All computations of the El Gamal cryptosystem [2] take place in a group $G$, such as a subgroup of $\mathbb{Z}_p^*$ or an elliptic curve group. We assume that $|G| = q$ is prime, and that there is a system wide generator $g$ of $G$. Keys are generated by choosing $x \in \mathbb{Z}_q$ uniformly and computing $y = g^x$, where the private key is $x$ and the public key is $y$. Encryption is defined by $E_y(m, r) = (g^r, y^r m)$ for a message $m \in G$ and a random exponent $r \in \mathbb{Z}_q$ chosen uniformly. Decryption is defined by $D_x(u, v) = v u^{-x}$.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 176–184, 2002. © Springer-Verlag Berlin Heidelberg 2002
Above we described the system generically for any group of prime order, but to define security we need to consider families of groups. Let $q_1, q_2, \ldots$ be an increasing sequence of prime numbers, where $\log_2 q_n = n$, and let $q = \{q_n\}$. We denote the family $\{\mathbb{Z}_{q_n}\}$ by $\mathbb{Z}_q$. Let $G = \{G_n\}$ be a family of groups such that $|G_n| = q_n$. We use $\mathbb{Z}_q$ and $G$ generically to denote $\mathbb{Z}_{q_n}$ and $G_n$ when no reference to $n$ is made. We take $n$ to be the security parameter. Finally we assume that the Decision Diffie-Hellman assumption (DDH) [1, 4] holds in $G = \{G_n\}$. Let $g$ be a generator in $G$, and let $a$, $b$ and $c$ be uniformly and independently distributed in $\mathbb{Z}_q$. Then DDH states that $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$ are indistinguishable. Tsiounis and Yung [4] formally prove that this implies that the El Gamal cryptosystem is semantically secure over $G$.
1.2 Notation
Throughout we denote by PC the set of polynomial size circuit families. We abbreviate uniformly and independently distributed by u.i.d. To simplify notation we avoid using the security parameter $n$. For example, if we consider a family of functions $\phi = \{\phi_n\}$, we use $\phi$ generically for $\phi_n$ and each appropriate $n$.
1.3 The Problem
For any message $m \in G$ there exists a unique element $m_e \in \mathbb{Z}_q$ such that $m = g^{m_e}$. Thus any El Gamal encryption $(g^r, y^r m)$ can be written $(g^r, y^r g^{m_e})$. The latter notation is sometimes more natural and we use both conventions. There is a small and well known class of transformations of cryptotexts, used in many protocols, that we summarize in an observation.
Observation 1. Set $\phi(r) = b_1 r + b_0$ and $\psi(m_e) = b_1 m_e + h_0$. Then the map $(g^r, y^r g^{m_e}) \to (g^{\phi(r)}, y^{\phi(r)} g^{\psi(m_e)})$ is feasible to compute.
Some authors use the term homomorphic cryptosystem, since these transformations can be formulated as group homomorphisms. It is natural to ask what other transformations can or can not be computed “under encryption”. For simplicity we use the non-uniform computational model, i.e. feasible transformations are transformations that can be computed by a deterministic non-uniform circuit family. We restrict our attention to deterministic transformations, since given a probabilistic algorithm that computes a transformation there is a deterministic circuit family that performs at least as well. Given $y = g^x$, each pair $(u, v) \in G \times G$ can be uniquely represented in the form $(u, v) = (g^r, y^r g^{m_e})$. This implies that for each function $f : G \times G \to G \times G$, and $y \in G$, there are unique functions $\phi_y, \psi_y : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_q$, such that
$$f(u, v) = f(g^r, y^r g^{m_e}) = (g^{\phi_y(r, m_e)}, y^{\phi_y(r, m_e)} g^{\psi_y(r, m_e)}) .$$
Most general functions $f$ are not what we intuitively would consider “transformations computed under encryption”, and it seems difficult to prove anything useful if we consider any function $f$ a transformation of cryptotexts. Our approach is therefore to require that a transformation is given by a fixed pair $(\phi, \psi)$ of deterministic functions $\phi, \psi : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_q$ and parametrized by $y$, i.e. we define a map $(y, \phi, \psi) : G \times G \to G \times G$ for each $y$ by the following:
$$(y, \phi, \psi) : (g^r, y^r g^{m_e}) \to (g^{\phi(r, m_e)}, y^{\phi(r, m_e)} g^{\psi(r, m_e)}) .$$
Such transformations act uniformly for all $y$, i.e. given $(u_i, v_i) = (g^r, y_i^r g^{m_e})$ for $i = 1, 2$ we have $(y_i, \phi, \psi)(u_i, v_i) = (g^{\phi(r, m_e)}, y_i^{\phi(r, m_e)} g^{\psi(r, m_e)})$. Our method can not be applied to general uniform transformations, and we are forced to further restrict the problem. We require that $\phi$ depends only on $r$, and that $\psi$ depends only on $m_e$. Thus we study the special problem posed as follows:
Problem 1. Given $\phi, \psi : \mathbb{Z}_q \to \mathbb{Z}_q$, let $(y, \phi, \psi)(g^r, y^r g^{m_e}) = (g^{\phi(r)}, y^{\phi(r)} g^{\psi(m_e)})$. For which $\phi$ and $\psi$ is the transformation $(y, \phi, \psi)$ feasible to compute?
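As an added example, not code from the paper, the following Python shows the transformations of Observation 1 being computed from the public key alone: for $\phi(r) = b_1 r + b_0$ and $\psi(m_e) = b_1 m_e + h_0$, the pair $(u^{b_1} g^{b_0},\ v^{b_1} y^{b_0} g^{h_0})$ is exactly $(g^{\phi(r)}, y^{\phi(r)} g^{\psi(m_e)})$, so decrypting it yields $g^{\psi(m_e)}$; the special case $b_1 = 1$, $h_0 = 0$ is the usual re-randomization. The group is a constructed prime-order subgroup of $\mathbb{Z}_{2039}^*$ (a toy instance, not a secure parameter set) and the function names are assumptions made for the demonstration.

```python
"""Added example (not the paper's code): El Gamal in a prime-order subgroup of Z_PMOD^* and the
feasible cryptotext transformations of Observation 1, computed without the private key."""
import random

PMOD = 2039   # constructed: 2039 = 2*1019 + 1 is prime
Q = 1019      # prime order q of the group G = <g>
G = 4         # a quadratic residue mod 2039, hence a generator of the order-Q subgroup


def keygen(rng=random):
    x = rng.randrange(1, Q)                    # private key x in Z_q
    return x, pow(G, x, PMOD)                  # public key y = g^x


def encrypt(y, m_e, rng=random):
    """E_y(m, r) = (g^r, y^r m) with m = g^{m_e} and r uniform in Z_q."""
    r = rng.randrange(1, Q)
    return pow(G, r, PMOD), pow(y, r, PMOD) * pow(G, m_e, PMOD) % PMOD


def decrypt(x, cipher):
    """D_x(u, v) = v u^{-x}; returns the group element m = g^{m_e}, not the exponent m_e."""
    u, v = cipher
    return v * pow(u, Q - x, PMOD) % PMOD      # u^{-x} = u^{q-x} because u has order q


def transform(y, cipher, b1, b0, h0):
    """(g^r, y^r g^{m_e}) -> (g^{phi(r)}, y^{phi(r)} g^{psi(m_e)}) for phi(r) = b1 r + b0 and
    psi(m_e) = b1 m_e + h0, using only u, v, y and g:
    u' = u^{b1} g^{b0} = g^{b1 r + b0},  v' = v^{b1} y^{b0} g^{h0} = y^{b1 r + b0} g^{b1 m_e + h0}."""
    u, v = cipher
    u2 = pow(u, b1, PMOD) * pow(G, b0, PMOD) % PMOD
    v2 = pow(v, b1, PMOD) * pow(y, b0, PMOD) % PMOD * pow(G, h0, PMOD) % PMOD
    return u2, v2


def rerandomize(y, cipher, rng=random):
    """The special case b1 = 1, h0 = 0: a fresh-looking encryption of the same message."""
    return transform(y, cipher, 1, rng.randrange(1, Q), 0)


def transformed_plaintext_matches(x, y, cipher, b1, b0, h0, m_e):
    """Check of Observation 1 with the private key: decrypting the transformed cryptotext gives g^{psi(m_e)}."""
    psi = (b1 * m_e + h0) % Q
    return decrypt(x, transform(y, cipher, b1, b0, h0)) == pow(G, psi, PMOD)
```

This is the malleability a protocol designer must account for: anyone holding a cryptotext can turn an encryption of $g^{m_e}$ into an encryption of $g^{b_1 m_e + h_0}$ for constants of their choosing, which is why the note asks whether any other $\psi$ is reachable at all.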
2 Our Results
We exhibit two propositions. The first shows that only transformations of the type described in Observation 1 can be computed perfectly. Then we give two examples that show that strong results can not be hoped for. Finally we give the main proposition, which may have some practical significance. It identifies a set of functions $\psi$ such that the map $(y, \phi, \psi)$ is hard to compute for every $\phi$.
2.1 Some Preparation
The hypotheses of the propositions differ only slightly depending on which case is considered. To avoid duplication of the hypothesis, and for increased clarity, we give it here.
Hypothesis 1.
1. Let $G = \{G_n\}$ be a family of groups such that $|G_n| = q_n$, where $q_n$ is a prime number such that $\log_2 q_n = n$, and assume that DDH holds in $G$. Let $g = \{g_n\}$ be a generator of $G$.
2. Let $X = \{X_n\}$ be a family of random variables, where $X_n$ is u.i.d. in $\mathbb{Z}_{q_n}$, and let $Y = \{Y_n\}$, where $Y_n = g^{X_n}$.
3. Let $R = \{R_n\}$ be a family of random variables, where $R_n$ is u.i.d. in $\mathbb{Z}_{q_n}$.
4. Let $M = \{M_n\}$ be a family of random variables on $G_n$, and define the induced family $(U, V) = \{(U_n, V_n)\}$ of random variables by setting $(U_n, V_n) = E_{Y_n}(M_n, R_n)$.
5. Let $\phi = \{\phi_n\}$ and $\psi = \{\psi_n\}$ be families of functions over $\mathbb{Z}_q$, i.e. $\phi_n, \psi_n : \mathbb{Z}_{q_n} \to \mathbb{Z}_{q_n}$. Define for each family $y = \{y_n\} \in G$ a family of maps $(y, \phi, \psi) = \{(y_n, \phi_n, \psi_n)\}$, where
$$(y_n, \phi_n, \psi_n) : G_n \times G_n \to G_n \times G_n, \qquad (y_n, \phi_n, \psi_n) : (g_n^r, y_n^r g_n^{m_e}) \to (g_n^{\phi_n(r)}, y_n^{\phi_n(r)} g_n^{\psi_n(m_e)}) .$$
Definitions of $M$, $\phi$, and $\psi$ are given separately in each proposition. The following definition, first given by Goldwasser and Micali [3], defines what should be considered randomly guessing the output of a knowledge function.
Definition 1. Let $M = \{M_n\}$ be a family of random variables, where the outcomes of $M_n$ are in $G_n$, and let $f = \{f_n\}$ be a family of functions $f_n : G_n \to G_n$. We define
$$p_n(f, M) = \max_{v \in G_n} \Pr[M_n \in f_n^{-1}(v)] .$$
The probability $p_n(f, M)$ is the maximum probability of any algorithm to guess $f_n(M_n)$ using no information on the outcome of $M_n$ except its distribution. Since El Gamal is semantically secure [3, 4] we have, under the assumptions in the hypothesis and with arbitrary $f = \{f_n\}$, that $\forall A \in PC$, $\forall c$, $\exists n_0$ such that for $n > n_0$ it holds that
$$\Pr[A(Y, (U, V)) = f(M)] < p_n(f, M) + \frac{1}{n^c} .$$
2.2 The Perfect Case
The following proposition says that if we require a circuit family to succeed with probability 1 in computing the map (y, φ, ψ), the only possible maps are those where ψ is linear.

Proposition 1. Let G, X, Y, M, (U, V), φ and ψ be as in Hypothesis 1, let M be arbitrarily distributed in G, and assume that ψ_n(x) is non-linear for infinitely many n. Then ∀A ∈ PC, ∃n_0 such that ∀n > n_0:

$$\Pr[A(Y, (U, V)) = (Y, \varphi, \psi)(U, V)] < 1 .$$

Proof. The proof is by contradiction. Assume that A, φ, and ψ as above show the proposition false for indices n in some infinite index set N. Then $\psi_1(x) = \psi(1 + x) - \psi(x)$ is not constant. Let $g^{m_0}$ and $g^{m_1}$ be two messages such that $\psi_1(m_0) \neq \psi_1(m_1)$. Let A' be the circuit family that, given a public key y and an encryption (u, v) of the message $g^{m_b}$, computes $(u_0, v_0) = A(y, (u, v))$ and $(u_0, v_1) = A(y, (u, vg))$, and returns b when $v_1 / v_0 = g^{\psi_1(m_b)}$. Clearly A' breaks the polynomial indistinguishability, and thus the semantic security, of the El Gamal cryptosystem.
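To make the perfect case concrete, the following is an added Python example written for this page (not code from the note). It instantiates El Gamal in a constructed order-q subgroup (p = 2039, q = 1019, g = 4; toy parameters chosen so that the discrete logarithm table fits in memory, not a secure size) and computes the map (y, φ, ψ) for the linear family ψ(m) = a·m + b with φ(r) = a·r, i.e. the transformations of Observation 1 that Proposition 1 says are the only ones computable with probability 1, together with a rerandomization φ(r) = r + t, ψ = id. Decrypting the transformed cryptotexts confirms that the cleartext exponent was transformed exactly as ψ prescribes even though the transformer never saw the secret key; all function names are my own.

```python
import secrets

# Constructed toy parameters (not from the note): P = 2Q + 1 with P, Q prime,
# G = 2^2 mod P is a quadratic residue and so generates the order-Q subgroup.
P, Q = 2039, 1019
G = pow(2, 2, P)
assert pow(G, Q, P) == 1 and G != 1

# Cleartexts are encoded as group elements g^{m_e}; this table inverts the
# encoding (feasible only because Q is tiny).
DLOG = {pow(G, e, P): e for e in range(Q)}


def keygen(rng=secrets.randbelow):
    """Secret x in Z_Q, public key y = g^x."""
    x = rng(Q)
    return x, pow(G, x, P)


def encrypt(y, m_e, r=None, rng=secrets.randbelow):
    """E_y(g^{m_e}, r) = (g^r, y^r g^{m_e}) as in Hypothesis 1."""
    if r is None:
        r = rng(Q)
    return pow(G, r, P), pow(y, r, P) * pow(G, m_e, P) % P


def decrypt_exponent(x, ct):
    """Recover m_e from (u, v): v * u^{-x} = g^{m_e}, then look it up.
    u has order Q, so u^{-x} = u^{Q-x}."""
    u, v = ct
    return DLOG[v * pow(u, Q - x, P) % P]


def linear_transform(ct, a, b):
    """The map (y, phi, psi) with phi(r) = a*r and psi(m) = a*m + b.
    Only (u, v) is needed: (u^a, v^a g^b) = (g^{ar}, y^{ar} g^{am+b})."""
    u, v = ct
    return pow(u, a, P), pow(v, a, P) * pow(G, b, P) % P


def rerandomize(y, ct, t):
    """phi(r) = r + t, psi = id: (u g^t, v y^t) encrypts the same cleartext."""
    u, v = ct
    return u * pow(G, t, P) % P, v * pow(y, t, P) % P


def malleability_demo(x=123, m_e=7, r=5, a=3, b=11, t=100):
    """Returns (original, transformed, rerandomized) cleartext exponents for
    fixed constructed inputs; the two transforms never use x."""
    y = pow(G, x, P)
    ct = encrypt(y, m_e, r)
    ct_lin = linear_transform(ct, a, b)
    ct_rr = rerandomize(y, ct, t)
    assert ct_rr != ct and ct_rr[0] == pow(G, (r + t) % Q, P)
    return (decrypt_exponent(x, ct),
            decrypt_exponent(x, ct_lin),
            decrypt_exponent(x, ct_rr))


if __name__ == "__main__":
    print(malleability_demo())   # (7, 32, 7): psi(7) = 3*7 + 11 = 32
```

The point of the demo is that `linear_transform` is exactly the kind of map the note calls computable "perfectly": it needs no oracle and succeeds on every input, which is why a protocol relying on El Gamal cryptotexts being non-malleable must either use a non-linear ψ of the kind Proposition 2 treats or add a separate integrity mechanism.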
180 Douglas Wikström

2.3 Two Examples of Possible Approximations
In general we expect that the difficulty of computing a map (y, φ, ψ) depends on both φ and ψ. On the other hand, in applications we are more interested in how an adversary can transform the cleartext hidden inside a cryptotext. In most situations we expect the adversary to rerandomize its output, but as explained in Section 1.3 such an adversary implies the existence of a deterministic adversary. Thus, given a fixed ψ, a reasonable goal is to bound the probability for any adversary to compute (y, φ, ψ) for any choice of φ. We now present two examples that show that we should not hope for general strong results. Both examples assume that G, X, Y, M, (U, V), φ and ψ are as in Hypothesis 1, and that M is u.i.d.

Example 1. Let ψ be arbitrary but fixed and let w maximize $\Pr[M \in \psi^{-1}(w)]$. Let A be the circuit family that computes r = h(u), where $h : G \to \mathbb{Z}_q$, and then outputs $(g^{r}, y^{r} g^{w})$. Clearly $\Pr[A(Y, (U, V)) = (Y, \varphi, \psi)(U, V)] = p_n(\psi, M)$, where $\varphi(r) = h(g^{r})$. The example shows that for every ψ there is a non-trivial φ such that the map (y, φ, ψ) can be computed with probability at least p_n(ψ, M). Thus the best general result under Hypothesis 1 we could hope for at this point is to show that ∀A ∈ PC, ∀c > 0, ∃n_0 > 0, such that for n > n_0:

$$\Pr[A(Y, (U, V)) = (Y, \varphi, \psi)(U, V)] < p_n(\psi, M) + \frac{1}{n^c} ,$$

but no such result exists, as the next example shows.

Example 2. Let c > 0 be fixed and define $B_n = \{x \in \mathbb{Z}_{q_n} : 0 \le x \le q_n / n^c\}$, B = {B_n}. Define $\psi_n(x) = x + 1$ if $x \in B_n$, and $\psi_n(x) = x^2$ otherwise, and set φ = id. Let A be the circuit family that assumes that the input $(u, v) = (g^{r}, y^{r} g^{m_e})$ satisfies $m_e \in B$, and simply outputs (u, vg). We have $|\psi^{-1}(x)| \le 3$ for all $x \in \mathbb{Z}_q$, which implies $p_n(\psi, M) \le 3 / q_n$, but still A computes (y, φ, ψ) with probability $1 / n^c$ for a fixed c. Thus the example shows that we can sometimes compute a transformation with much greater probability than p_n(ψ, M), i.e. the probability of guessing ψ(m_e). Intuitively the problem seems to be that our ability to compute transformations from the class described in Observation 1 changes what should be considered guessing.

2.4 A Class of Hard ψ
We now exhibit a class of ψ that are hard in the sense that the map (y, φ, ψ) is hard to compute for all φ. The idea of Proposition 2 below is that given input (y, (u, v)) and an oracle A for computing a transformation (y, φ, ψ) we can ask A several different but related questions. If A answers our questions correctly we are able to compute some derived knowledge function f of the cleartext.
Let ψ = {ψ_n} be a family of functions, $\psi_n : \mathbb{Z}_{q_n} \to \mathbb{Z}_{q_n}$, and let s ∈ Z_q. Denote by ψ_s the function given by $\psi_s(x) = \psi(x + s) - \psi(x)$. We prove below that a ψ that satisfies the following definition has the desired property.

Definition 2. Let ψ = {ψ_n} be a family of functions, $\psi_n : \mathbb{Z}_{q_n} \to \mathbb{Z}_{q_n}$, let $M = g^{M_e}$, where M_e is a random variable in Z_q, and let S be u.i.d. in Z_q. If ∀c > 0, ∃n_0 > 0 such that ∀n > n_0 we have:

$$\Pr\left[p_n(\psi_S, M) < \frac{1}{n^c}\right] > 1 - \frac{1}{n^c} ,$$

then we say that ψ is strongly non-linear with respect to M.

The following definition may seem more natural to some readers.

Definition 3. Let ψ = {ψ_n} be a family of functions, $\psi_n : \mathbb{Z}_{q_n} \to \mathbb{Z}_{q_n}$, let M_e and S be random variables in Z_q, where S is u.i.d. If ∀a ∈ Z_q, ∀c > 0, ∃n_0 such that ∀n > n_0 we have:

$$\Pr[\psi(M_e + S) - \psi(M_e) = \psi(S) + a] < \frac{1}{n^c} ,$$

then we say that ψ is strongly non-linear* with respect to M_e.

Unfortunately it captures a larger class than Definition 2, as Lemma 1 below shows, and we can not prove Proposition 2 for all ψ satisfying this definition. The essential difference between the two definitions is that in the second a is fixed, and does not depend on s, whereas in the first p_n(ψ_s, M) is maximized for each s independently. Note that if we fix S = s in the second definition there is always an a such that the resulting conditioned probability equals p_n(ψ_s, M), but in general a depends on s.

Lemma 1. Strongly non-linear implies strongly non-linear*.

Proof. Set $J(S) = p_n(\psi_S, M)$. Then ∀c > 0, ∃n_0 such that ∀n > n_0:

$$\begin{aligned}
\Pr[\psi(M_e + S) - \psi(M_e) = \psi(S) + a]
&= \sum_{s \in \mathbb{Z}_q} \Pr[S = s] \Pr[\psi(M_e + s) - \psi(M_e) = \psi(s) + a] \\
&\le \sum_{s \in \mathbb{Z}_q} \Pr[S = s] J(s) = E[J(S)] \\
&= \Pr\left[J(S) < \tfrac{1}{n^c}\right] E\left[J(S) \,\middle|\, J(S) < \tfrac{1}{n^c}\right] + \Pr\left[J(S) \ge \tfrac{1}{n^c}\right] E\left[J(S) \,\middle|\, J(S) \ge \tfrac{1}{n^c}\right] \\
&< 1 \cdot \tfrac{1}{n^c} + \tfrac{1}{n^c} \cdot 1 = \tfrac{2}{n^c} .
\end{aligned}$$
The Main Proposition. Informally the proposition below says that if ψ is strongly non-linear, then (y, φ, ψ) is hard to compute for all φ.

Proposition 2. Let G, X, Y, M, (U, V), φ and ψ be as in Hypothesis 1, let M be u.i.d. in G, and assume that ψ is strongly non-linear with respect to M. Then ∀A ∈ PC, ∀c > 0, ∃n_0 > 0, such that for n > n_0:

$$\Pr[A(Y, (U, V)) = (Y, \varphi, \psi)(U, V)] < \frac{1}{n^c} .$$

Proof. The proof is by contradiction. Assume A, c > 0, φ, and ψ, as above, show the proposition false for indices n in some infinite index set N. Define a function f_s for each s ∈ Z_q by $f_s(g^{m_e}) = g^{\psi_s(m_e)}$. We describe a probabilistic circuit family A' that uses A to compute the knowledge function f_s with notable probability. This breaks the semantic security of the El Gamal cryptosystem, if p_n(f_s, M) is negligible. Given input (y, (u, v)), where $(u, v) = (g^{r}, y^{r} m) \in G \times G$, A' does the following:
1. It randomly chooses s ∈ Z_q.
2. It uses A to compute $(u_0, v_0) = A(y, (u, v))$ and $(u_1, v_1) = A(y, (u, v g^{s}))$.
3. It returns $v_1 / v_0$.

Let S = {S_n} be a u.i.d. random variable over Z_q, and let H_0 denote the event that A(Y, (U, V)) = (Y, φ, ψ)(U, V), and H_1 denote the event that $A(Y, (U, V g^{S})) = (Y, \varphi, \psi)(U, V g^{S})$. If the events H_0 and H_1 take place we have $v_1 / v_0 = f_S(M)$ by definition of the algorithm. We see that ((U, V) | R = r) and ((U, V g^S) | R = r) are independent variables. Since R is u.i.d. we have:

$$\begin{aligned}
\Pr[H_0 \wedge H_1] &= \sum_{r \in \mathbb{Z}_q} \Pr[R = r] \Pr[H_0 \wedge H_1 \mid R = r] \\
&= \sum_{r \in \mathbb{Z}_q} \Pr[R = r] \Pr[H_0 \mid R = r]^2 \\
&\ge \left( \sum_{r \in \mathbb{Z}_q} \Pr[R = r] \Pr[H_0 \mid R = r] \right)^2 \\
&= \Pr[H_0]^2 \ge \frac{1}{n^{2c}} ,
\end{aligned}$$

where the inequality is implied by the convexity of the function $h(x) = x^2$ and Jensen's Inequality. We are only interested in outcomes s of S such that $p_n(\psi_s, M) = p_n(f_s, M)$ is negligible (in particular s ≠ 0). Let W denote the event that S has this property. By assumption the probability of the complementary event $\bar{W}$ is negligible, and we have:

$$\Pr[W \wedge A'(Y, (U, V)) = f_S(M)] \ge \frac{1}{2 n^{2c}} .$$
The inequality implies that there exists for each n ∈ N an outcome s_n of S_n such that the inequality still holds. Let A'' = {A''_n} be the circuit family that is identical to A' except that A''_n uses this fixed s_n instead of choosing it randomly. We set s = {s_n} and $f_s = \{f_{s_n}\}$, and conclude that A'' has the property:

$$\Pr[A''(Y, (U, V)) = f_s(M)] \ge \frac{1}{2 n^{2c}} ,$$

for n ∈ N. Semantic security of the El Gamal cryptosystem implies that ∀c > 0, ∃n_0 such that for n > n_0 it holds that:

$$\Pr[A''(Y, (U, V)) = f_s(M)] < p_n(f_s, M) + \frac{1}{n^c} .$$

Since f_s was constructed such that p_n(f_s, M) is negligible we have reached a contradiction.

The proposition can be slightly generalized by considering distributions of the messages that are only almost uniform on their support when the support is sufficiently large. To keep this note simple we omit this analysis. We proceed by defining a special subclass of the strongly non-linear functions that is particularly simple, and may be important in applications.

Definition 4. Let ψ = {ψ_n} be a family of functions, $\psi_n : \mathbb{Z}_{q_n} \to \mathbb{Z}_{q_n}$. We say that ψ has low degree if ∀c > 0, ∃n_0 such that for n > n_0 it holds that:

$$\frac{\deg \psi_n}{q_n} < \frac{1}{n^c} .$$

A simple example of a family ψ = {ψ_n} that satisfies the above definition is where ψ_n(x) = p(x) for some fixed polynomial p(x) for all n. We have the following corollary almost immediately from the proposition.

Corollary 1. Let G, X, Y, M, (U, V), φ and ψ be as in Hypothesis 1, let M be u.i.d. in G, and assume that ψ has low degree and that deg ψ_n ≤ 1 for at most finitely many n. Then ∀A ∈ PC, ∀c > 0, ∃n_0 > 0, such that for n > n_0:

$$\Pr[A(Y, (U, V)) = (Y, \varphi, \psi)(U, V)] < \frac{1}{n^c} .$$

Proof. It suffices to show that if ψ has low degree and deg ψ_n ≤ 1 for only finitely many n, then ψ is strongly non-linear. For s ≠ 0 and large enough n we have deg ψ_s > 0 and deg ψ_s = deg ψ − 1. This implies that when s ≠ 0 we have

$$p_n(\psi_s, M) = \frac{\max_{v} |\psi_s^{-1}(v)|}{q_n} \le \frac{\deg \psi_s}{q_n} \le \frac{\deg \psi}{q_n} ,$$

which is negligible since ψ has low degree.
3 Conclusion
It seems impossible to prove anything useful about general malleability of the El Gamal cryptosystem as discussed in Section 1.3. Instead we have formalized what we consider a reasonably restricted problem. Under these restrictions we have exhibited a class of transformations that are not feasible to compute, when the message distribution is uniform. This may be of practical value when arguing about the security of certain protocols based on El Gamal. We have also given examples that indicate that the best possible results are not as strong as one may think. It is an open problem to characterize further classes of transformations. A natural generalization is to consider lists of cryptotexts and consider the difficulty of computing transformations on such lists. This and other generalizations are relevant for mix-nets, and mix-net based voting schemes, where robustness is based on repetition and the impossibility of general transformations. Another interesting line of research is to investigate the malleability properties of El Gamal in concrete groups, e.g. the multiplicative group of integers modulo a prime, or an elliptic curve group.
4 Acknowledgement
We had discussions with Gunnar Sjödin and Torsten Ekedahl. Johan Håstad gave advice on how to simplify this note.
References

[1] Dan Boneh, The Decision Diffie-Hellman Problem, Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science 1423, pp. 48–63, Springer-Verlag, 1998.
[2] Taher El Gamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory 31, pp. 469–472, 1985.
[3] Shafi Goldwasser, Silvio Micali, Probabilistic Encryption, Journal of Computer Science 28, pp. 270–299, 1984.
[4] Yiannis Tsiounis, Moti Yung, On the Security of El Gamal based Encryption, International Workshop on Public Key Cryptography, Lecture Notes in Computer Science 1431, pp. 117–134, Springer-Verlag, 1998.
Authentication of Concast Communication

Mohamed Al-Ibrahim (1), Hossein Ghodosi (2), and Josef Pieprzyk (3)

(1) Center for Computer Security Research, University of Wollongong, Wollongong, NSW 2522, Australia, [email protected]
(2) School of Information Technology, James Cook University, Townsville, Qld 4811, Australia, [email protected]
(3) Department of Computing, Macquarie University, Sydney, NSW 2109, Australia, [email protected]
Abstract. In this paper we tackle the problem of finding an efficient signature verification scheme when the number of signatures is significantly large and the verifier is relatively weak. In particular, we tackle the problem of message authentication in many-to-one communication networks known as concast communication. The paper presents three signature screening algorithms for a variant of ElGamal-type digital signatures. The cost for these schemes is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature, where n is the number of signatures. The paper also presents a solution to the open problem of finding a fast screening signature for non-RSA digital signature schemes.
1 Introduction
One of the greatest outcomes of the invention of public-key cryptography [10] is the digital signature. It creates a sort of digital encapsulation for the document such that any interference with either its contents or the signature has a very high probability of being detected. Because of this characteristic, the digital signature plays an important role in authentication systems. Authentication systems, however, are subject to a variety of attacks, and therefore the verification of digital signatures is a common practice. A verification of a digital signature needs to apply a particular (in general, a publicly-known) algorithm. So, a digital signature scheme is a collection of two algorithms, and it must have the following properties:
1. The signing algorithm $Sig_K : \mathcal{K} \times \mathcal{M} \to \Sigma$ assigns a signature $\sigma = Sig_K(M)$, where $M \in \mathcal{M}$ is a message, $K \in \mathcal{K}$ is the secret key of the signer and Σ is the set of all possible values of the signatures.
2. The signing algorithm executes in polynomial time when the secret key K is known. For an opponent, who does not know the secret key, it should be computationally intractable to forge a signature, that is, to find a valid signature for a given message.
3. The verification algorithm $V_k : \mathcal{K} \times \mathcal{M} \times \Sigma \to \{yes, no\}$ takes public information $k \in \mathcal{K}$ of the signer, a message $M \in \mathcal{M}$ and a given signature σ ∈ Σ of the message M. It returns "yes" if σ is the signature of the message M; otherwise it returns "no".
4. The verification algorithm, in general, is a publicly known (polynomial time) algorithm. So, anyone can use it to check whether a message M matches the signature σ or not.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 185–198, 2002. © Springer-Verlag Berlin Heidelberg 2002

186 Mohamed Al-Ibrahim et al.

Several digital signature schemes, for different purposes, have been introduced in the literature of public-key cryptography. In original digital signature schemes (e.g., [16, 11]), both parties of the system (the signer and the verifier) are individuals. The invention of society and group oriented cryptography [7] led to the generation and/or verification of digital signatures by a group of participants rather than individuals (see, for example, [4, 8, 14, 19]). In almost all of these digital signature schemes, the generation/verification of a signature requires the performance of some exponentiation. Since exponentiation is a costly operation, the design of efficient digital signature schemes (from both the generation and verification points of view) was the subject of investigation by several researchers (see, for example, [13, 18, 9, 6]). The efficiency of the system is of paramount importance when the number of verifications is considerably large (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of the coins).

1.1 Relevant Work
In our schemes, verification of a digital signature implies modular exponentiation. Thus, previous works on improving the performance of modular exponentiation [5, 17] and batch verification of modular exponentiation [12, 3] are highly relevant to this work. The latest work on batch verification of modular exponentiation is by Bellare et al. [3]. In their work, a batch instance consists of a sequence $(x_1, y_1), \ldots, (x_n, y_n)$, and the query is whether or not $y_i = g^{x_i}$ for all i = 1, ..., n (where g is a primitive element in a group). Their proposed algorithms solve this problem with an error probability of $2^{-\ell}$ for a predetermined parameter ℓ. They have also considered batch verification for the RSA signatures, where the verification relation is modular exponentiation with a common exponent. That is, given a sequence of pairs (M_i, σ_i), one would like to verify the i-th signature by checking that $\sigma_i^{e} = H(M_i) \bmod N$, where H(.) is a hash function and e, N are the RSA public key and modulus respectively. In their solution to this particular case (also called a screening algorithm) the batch instance (M_i, σ_i), i = 1, 2, ..., n, passes the test if

$$\left( \prod_{i=1}^{n} \sigma_i \right)^{e} = \prod_{i=1}^{n} H(M_i) \pmod N .$$
It is obvious that the batch instance (M, xα), (M, x/α) is incorrect, but passes their verification test. However, they have shown that this is not really a problem from a screening perspective, since one wants to make sure that M has been sighted by the legitimate signer, even though the signature is not correct. They have proved that if RSA is one-way, then an adversary cannot produce a batch instance that was never signed by the signer but still passes their test. Note that, in their work [3], fast screening algorithms for other signature schemes and several other issues have been left as open problems.

1.2 Concast Scenario
Multicast is a one-to-many communication mode that has greatly interested the research community in the past few years as a tool for delivering messages to a group of recipients in an efficient way. The main benefit behind deploying multicast is that it minimizes the bandwidth utilization in the already congested network [9, 1]. Multicast communication is usually not a one-way direction communication. A group of recipients, in reliable multicast applications for example, may contact the sender as a feedback acknowledgment. A wide range of many-to-one applications also includes shared-whiteboard, collaborative applications, and report-in style applications. This sort of many-to-one communication is known as concast communication. The well known implosion problem in broadcast communication is addressed here. The problem occurs when a receiver is overwhelmed with messages from different senders and has to process them efficiently. The problem of implosion could be worse if security validation was required to authenticate a group of messages. In this case, an efficient authentication scheme is required to alleviate the burden on the receiver. Therefore, concast communication can be considered from the security perspective as many-signers/one-verifier problem. In this paper, we present different schemes that solve this problem. Our first scheme works with the help of a trusted combiner. The second scheme works with no help from a trusted party, but requires interaction between signatories. The third scheme, however, minimizes the interaction between parties in the system.
2 The Model
Given a sequence of signatures (M_1, σ_1), ..., (M_n, σ_n), a recipient (with relatively small computing resources accessible to him) wishes to verify these signatures. The naive method is to verify each signature individually and to accept the whole set if all signatures pass the verification algorithm. Obviously, this is a very time consuming task and is not applicable for a recipient with small computing power. An alternative method could be to use the batch verification strategy, in which a randomly selected subset of signatures is verified, and, if that subset passes the verification, then we accept (with some probability) that the whole sequence will pass the verification algorithm. However, this technique might only be acceptable if there is a strong and trusted entity between the receiver and the senders. A desirable solution could be if the verifier can perform a signature screening and accept the whole set of signatures if they pass the test. In other words, screening is the task of determining whether the signer has at some point authenticated the text M_i, rather than the task of checking that the particular string σ_i provided is a valid signature of M_i. Note that the screening technique of [3] does not seem to be applicable for RSA based signatures in a concast environment. In this paper, we present a signature screening for a variant of ElGamal [11] type digital signatures.
3 Components of the System

This section considers the basic tools which we will use for the implementation of our schemes.

3.1 Communication Channel
Each signer and the verifier is connected to a common broadcast medium with the property that messages sent to the channel instantly reach every party connected to it. We assume that the broadcast channel is public, that is, everybody can listen to all information communicated via the channel, but cannot modify it. These assumptions for this model of communication channel may seem somewhat severe (i.e., they do not fit the Internet or a cellular network). However, the purpose of these assumptions is to focus on the proposed protocol at a high level. It is worth noting that these assumptions can be substituted with standard cryptographic techniques for achieving privacy and authenticity.

3.2 Signature Scheme

We employ a variant of ElGamal-type digital signature, which is a slightly modified version of a signature that has been used in [15]. Let p, q be large primes such that q | (p − 1), and let g ∈ Z_p = GF(p) be an element of order q. Let H(.) be an appropriate hash function that hashes messages of arbitrary length into an element of Z_p. Also let x_i ∈ Z_q be the secret key and $y_i = g^{x_i} \pmod p$ be the public key associated with user u_i. The values p, q, g, y_i, and the hash function H(.), are the common parameters in the network.

Signature Generation: In order to sign a message m = H(M) ∈ Z_p, the signer chooses a random k and computes

$$r = m g^{-k} \pmod p \qquad (1)$$
$$s = k - r' x_i \pmod q \qquad (2)$$

where $r' = r \pmod q$.

Verification: The verifier accepts the signature (M, s, r) if the following equation holds true:

$$H(M) = g^{s} y_i^{r'} r \pmod p$$

3.3 An Approach to Digital Multisignature
In society and group oriented cryptography it is required that a cryptographic transformation be performed by a group of participants rather than an individual. Let U = {u_1, ..., u_n} be the set of all users and assume that the group policy requires that a group signature must be mutually generated by all group members. This is known as a multisignature scheme. The group signature on message m = H(M) ∈ Z_q can be generated using the following protocol:

Signature Generation:
1. Each u_i chooses a random k_i ∈ Z_p and computes $r_i = m g^{-k_i} \pmod p$.
2. After all participants broadcast their r_i, every signatory calculates $r = \prod_{i=1}^{n} r_i \pmod p$.
3. Each u_i (i = 1, ..., n) generates his signature as $s_i = k_i - r' x_i \pmod q$, where $r' \equiv r \pmod q$.
4. Each u_i (i = 1, ..., n) sends his partial signature (s_i, r_i) of message m to the combiner (through the public channel).
5. Once all partial group signatures are received, the group signature of message m can be generated as (s, r), where

$$s = \sum_{i=1}^{n} s_i \pmod q .$$

Verification: The verification of the group signature is similar to the verification of an individual signature. Note that the secret key of the group is, in fact, $x = \sum_{i=1}^{n} x_i \pmod q$, and the public key of the group is $y = \prod_{i=1}^{n} y_i \pmod p$. The verifier accepts the signature (M, r, s) if the following equation holds true:

$$m^{n} = g^{s} y^{r'} r \pmod p$$
Note that the concast scenario is different from the multisignature scheme in at least the following ways: – In a concast environment the set of users (signatories) is not fixed. – In a concast environment each user may sign a different message.
4 Scheme 1

This scheme utilizes a particular hash function, known as a sibling hash function [20, 2]. The sibling hash function has the property that given a set of initial strings colliding with one another, it is computationally infeasible to find another string that would collide with the initial strings. The performance of this scheme also requires the employment of a trusted Concast Manager (CM) who designs the sibling hash.

Signature Generation: Let a set of n participants wish to sign their own messages. Each participant (using the public channel) sends his message to the CM, who is responsible for designing the sibling hash. After receiving all messages, the CM generates the hash value of all messages and transmits it (through the public channel) to all signatories. Note that, although the messages were different, their hash values are the same, and thus, from the signature algorithm's point of view, a single message needs to be signed. That is, the problem of signing different messages has now been converted to the problem of signing a single message by a set of n participants. This is the multisignature scheme, and the protocol in Section 3.3 can be applied.

4.1 Security Issues
The security analysis of a multisignature system comprises the following:
(i) The set of partial signatures and the group signature must not give away any information about the secret keys of the users or the secret key of the group. It is not difficult to see that this requirement is satisfied in the proposed multisignature scheme.
(ii) An opponent might try to impersonate user u_i and participate in the signing protocol. Since the secret key of each user has been chosen randomly and independently from the secret keys of other users, a successful attack implies that the underlying digital signature is not unforgeable.
(iii) A pair (s, r) will be accepted as the group signature on message m if it passes the signature verification test. Note that, if all partial signatures are genuine then the combined signature is a genuine signature, but the other way around is not necessarily correct. For example, in the proposed multisignature scheme every set of random values {(r_1, s_1), ..., (r_n, s_n)} that satisfy

$$r = \prod_{i=1}^{n} r_i \pmod p \quad \text{and} \quad s = \sum_{i=1}^{n} s_i \pmod q$$

will generate a correct group signature. However, knowing that a group signature cannot be generated by any unauthorized set of users, generation of faulty partial signatures (that combine to a correct group signature) is only possible by the set of legitimate users.

The main drawback of this scheme is that it does not work without the help of a trusted CM. Considering the fact that agreement on who is trusted is not easily reached, cryptographic systems that rely on the use of a trusted party are not very desirable.

Remark: In multisignature schemes, if the generated group signature cannot pass the verification test, then the combiner performs partial signature verification, in order to find the malicious user. The commonly used algorithm requires the verification of all partial signatures, that is, O(n) running time. This is a very time consuming task. In this paper, after providing necessary background information, we will present an algorithm that detects a faulty partial signature in O(log n) running time (see Section 7).
5 Scheme 2
In this scheme we omit the trusted CM. Let users u_1, ..., u_n wish to sign the messages m_1, ..., m_n respectively, where m_i = H(M_i). We suggest the following protocol, which works in almost the same manner as multisignature schemes, although the messages are different.

Signature Generation:
1. Each u_i chooses a random k_i ∈ Z_p and computes $r_i = m_i g^{-k_i} \pmod p$.
2. After all participants broadcast their r_i, every signatory calculates $r = \prod_{i=1}^{n} r_i \pmod p$.
3. Each u_i (i = 1, ..., n) generates his signature as $s_i = k_i - r' x_i \pmod q$, where $r' \equiv r \pmod q$.
4. Each u_i (i = 1, ..., n) sends his signature (M_i, s_i, r_i) through the public channel.

Verification:
1. After receiving n signatures (M_1, s_1, r_1), ..., (M_n, s_n, r_n), the verifier computes

$$s = \sum_{i=1}^{n} s_i \pmod q, \quad \text{and} \quad m = \prod_{i=1}^{n} H(M_i) \bmod p .$$

2. The verification of the combined signature (m, s, r) is the same as in the underlying signature scheme, that is, the signatures are accepted if

$$m = g^{s} y^{r'} r \pmod p .$$

5.1 Performance Issues
Given n signatures (M_1, s_1, r_1), ..., (M_n, s_n, r_n) the scheme requires n applications of hash functions (to generate H(M_i), i = 1, ..., n), n modular multiplications (to compute m), n modular multiplications (to compute r), and n modular additions (to generate s) in order to construct the combined signature (m, s, r). After having the signature (m, s, r), the verifier needs to verify a single signature as in the underlying digital signature scheme. That is, from an efficiency point of view, the cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature. However, from a practical point of view, the scheme still needs some interaction between the signatories. Although this is a common practice in almost all society-oriented cryptographic systems, it may not be very reasonable in a concast environment, since the signatories do not form the body of an organization. In the next scheme, we will present a protocol that works with no interaction between the signatories.
6 Scheme 3
In this section, we present a modified version of our algorithm from Scheme 2, which requires no interaction between the signatories. In this algorithm, instead of broadcasting $r_i = m_i g^{-k_i}$ by each user u_i and then computing r, in the beginning of each time period a random value R is broadcast to the network. (This value, R, plays the role of r in the previous algorithm.) The time period is chosen such that no signatory generates more than one signature in a time period. That is, all signatures generated in time period t_j use a common parameter R_j which is broadcast by the verifier.

Signature Generation:
1. In the beginning of time period t_j, the verifier broadcasts a random value $R_j \in_R \mathbb{Z}_p$.
2. Each u_i chooses a random k_i and computes $r_i = m_i g^{-k_i} \pmod p$.
3. Each u_i generates his signature as $s_i = k_i - R'_j x_i \pmod q$, where $R'_j \equiv R_j \bmod q$.
4. u_i sends his signature (M_i, s_i, r_i) through the public channel.

Verification:
1. After receiving n signatures (M_1, s_1, r_1), ..., (M_n, s_n, r_n) in time period j, the verifier
– calculates $r_{n+1} = R_j \times \left( \prod_{i=1}^{n} r_i \right)^{-1} \bmod p$,
– chooses a random k_{n+1} and calculates $s_{n+1} = k_{n+1} - R'_j x_{n+1} \pmod q$, where x_{n+1} is the secret key of the verifier.
That is, the verifier signs a message $m_{n+1} = H(M_{n+1})$ such that $r_{n+1} = m_{n+1} g^{-k_{n+1}} \pmod p$. Note that knowing r_{n+1} and k_{n+1} it is easy to calculate m_{n+1}, although the verifier does not know (and does not need to know) the relevant message M_{n+1} (since the underlying hash function is one-way).
2. The verifier computes

$$m = \prod_{i=1}^{n+1} m_i \bmod p \quad \text{and} \quad s = \sum_{i=1}^{n+1} s_i \pmod q .$$

3. The combined signature (m, s, r) is accepted if

$$m = g^{s} y^{R'_j} R_j \pmod p .$$
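The three protocols above reduce n signatures to one check of the same verification formula. The following added Python example (written for this page, not the authors' code) implements the variant signature of Section 3.2 and the screening of Scheme 2 and Scheme 3 on constructed toy parameters (p = 2039, q = 1019, g = 4, and SHA-256 reduced into Z_p^* as the hash; none of these choices are from the paper), and confirms that a batch in which one partial signature has been altered is rejected. The multisignature of Section 3.3 is the special case of the Scheme 2 code in which all messages are equal. All function names are my own.

```python
import hashlib
import random
import secrets

# Constructed toy parameters (not the paper's): p = 2q + 1 with p, q prime,
# g = 2^2 mod p has order q.  A real deployment uses standard-size groups.
P, Q = 2039, 1019
G = pow(2, 2, P)


def H(message: bytes) -> int:
    """Hash into Z_p^* (assumed: SHA-256 reduced mod p-1, shifted off zero)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (P - 1) + 1


def prod(values):
    out = 1
    for v in values:
        out = out * v % P
    return out


def keygen(rng=secrets.randbelow):
    x = rng(Q)                       # secret x_i in Z_q, public y_i = g^{x_i}
    return x, pow(G, x, P)


# Section 3.2: a single signature, equations (1) and (2)
def sign(x, message, rng=secrets.randbelow):
    k = rng(Q)
    r = H(message) * pow(G, Q - k, P) % P     # r = m g^{-k}  (mod p)
    s = (k - (r % Q) * x) % Q                 # s = k - r' x  (mod q), r' = r mod q
    return s, r


def verify(y, message, s, r):
    return H(message) == pow(G, s, P) * pow(y, r % Q, P) * r % P


def screen(ys, ms, ss, r):
    """Common test of the schemes: prod(m_i) = g^s y^{r'} r (mod p),
    with s = sum(s_i) mod q and y = prod(y_i)."""
    s = sum(ss) % Q
    return prod(ms) == pow(G, s, P) * pow(prod(ys), r % Q, P) * r % P


# Scheme 2: two interactive rounds per signer, then one screening check
def scheme2_round1(message, rng=secrets.randbelow):
    k = rng(Q)
    return k, H(message) * pow(G, Q - k, P) % P     # broadcast r_i = m_i g^{-k_i}


def scheme2_round2(x, k, r):
    return (k - (r % Q) * x) % Q                     # s_i = k_i - r' x_i, r = prod r_j


# Scheme 3: signers use the broadcast R_j; the verifier adds a dummy signature
def scheme3_sign(x, message, R, rng=secrets.randbelow):
    k = rng(Q)
    r = H(message) * pow(G, Q - k, P) % P
    return (k - (R % Q) * x) % Q, r


def scheme3_screen(x_v, y_v, ys, messages, sigs, R, rng=secrets.randbelow):
    ss = [s for s, _ in sigs]
    r_next = R * pow(prod(r for _, r in sigs), -1, P) % P   # r_{n+1} = R (prod r_i)^{-1}
    k_next = rng(Q)
    s_next = (k_next - (R % Q) * x_v) % Q                   # verifier's s_{n+1}
    m_next = r_next * pow(G, k_next, P) % P                 # m_{n+1}: r_{n+1} = m_{n+1} g^{-k_{n+1}}
    ms = [H(M) for M in messages] + [m_next]
    return screen(ys + [y_v], ms, ss + [s_next], R)         # R plays the role of r


def demo(seed=7):
    """Runs every scheme on constructed inputs; returns which batches pass."""
    rng = random.Random(seed).randrange      # deterministic for the demo only
    keys = [keygen(rng) for _ in range(4)]
    ys = [y for _, y in keys]
    msgs = [f"sensor {i} report".encode() for i in range(4)]   # constructed inputs
    s, r = sign(keys[0][0], msgs[0], rng)
    # Scheme 2, honest batch and a batch with one altered partial signature
    rnd1 = [scheme2_round1(M, rng) for M in msgs]
    r2 = prod(r_i for _, r_i in rnd1)
    ss = [scheme2_round2(x, k, r2) for (x, _), (k, _) in zip(keys, rnd1)]
    ms = [H(M) for M in msgs]
    ss_bad = ss[:]
    ss_bad[2] = (ss_bad[2] + 1) % Q
    # Scheme 3, honest batch and a batch with one altered r_i
    x_v, y_v = keygen(rng)
    R = rng(P - 1) + 1                                  # R_j in Z_p^*
    sigs = [scheme3_sign(x, M, R, rng) for (x, _), M in zip(keys, msgs)]
    sigs_bad = sigs[:]
    sigs_bad[1] = (sigs_bad[1][0], sigs_bad[1][1] * G % P)
    return {
        "single": verify(ys[0], msgs[0], s, r),
        "single_tampered": verify(ys[0], msgs[0], (s + 1) % Q, r),
        "scheme2": screen(ys, ms, ss, r2),
        "scheme2_tampered": screen(ys, ms, ss_bad, r2),
        "scheme3": scheme3_screen(x_v, y_v, ys, msgs, sigs, R, rng),
        "scheme3_tampered": scheme3_screen(x_v, y_v, ys, msgs, sigs_bad, R, rng),
    }
```

Calling `demo()` returns `True` for the three honest batches and `False` for the three tampered ones. Note that in Scheme 3 the verifier's dummy signature forces the product of all r-values to equal the broadcast R_j, which is what lets the batch be checked against the multisignature formula with a single exponentiation of the combined public key; the alteration of a single r_i is still caught because the combined m no longer matches g^s y^{R'} R.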
Remark: The purpose of signing a dummy message by the verifier is to transform the verification of the signatures received into the general verification formula used in the proposed multisignature scheme. Note that this type of signature generation is not a security problem, since the message cannot be chosen by the forger. In fact, if M is chosen first then the pair (s, r) must be calculated such that $g^{s} y^{r'} r$ is equal to a predetermined value. Knowing the public values of g and y and choosing one of the parameters r (or s), achieving a correct result requires solving a discrete logarithm problem for the other parameter. Considering the fact that $r' = r \bmod q$, one cannot select r' and s randomly and then solve the equation $r = H(M) \times (g^{s} y^{r'})^{-1}$ for calculating r.

6.1 Performance Issues
The cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions, plus the verification of one digital signature. The main advantage of this scheme is that there is no need for any interaction among the users. Indeed, the major shortcoming of all interactive systems is that the system must be highly synchronized. That is, for example, in signature generation applications one cannot generate his signature before all participants have broadcast their computed value (ri , in our protocols).
7 Security
The main issue in the security consideration of a digital signature is to determine whether an adversary, without knowing the secret key, is able to generate a signature on a message which has never been signed by the legitimate signer but which passes the verification test. This is a general question, and the answer is given in the security analysis of the underlying digital signature. (Obviously, a digital signature that allows forgery is completely useless.) In our signature screening algorithms, however, one would also like to know whether it is possible to have a sequence of signatures that passes the test but contains fake signatures. We begin our security analysis of this type of attack with the following theorem.

Theorem 1. Given a set $S$ consisting of $n$ digital signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ that pass our screening test, it is impossible to find two subsets $A$ and $B$ such that $A \cap B = \emptyset$, $S = A \cup B$, and the signatures in $A$ (or $B$) pass the test but the signatures in $B$ (or $A$) fail the test.

Proof. Without loss of generality, let $A = \{(M_1, s_1, r_1), \ldots, (M_\ell, s_\ell, r_\ell)\}$ and $B = \{(M_{\ell+1}, s_{\ell+1}, r_{\ell+1}), \ldots, (M_n, s_n, r_n)\}$ for an integer $0 \le \ell \le n$. Define
$$m_A = \prod_{i=1}^{\ell} m_i,\quad s_A = \sum_{i=1}^{\ell} s_i,\quad k_A = \sum_{i=1}^{\ell} k_i,\quad y_A = \prod_{i=1}^{\ell} y_i,\quad\text{and}\quad r_A = \prod_{i=1}^{\ell} r_i.$$
194
Mohamed Al-Ibrahim et al.
Similarly, $m_B$, $s_B$, $k_B$, $y_B$, and $r_B$ can be defined. Note that we have $m = m_A \times m_B$, $s = s_A + s_B$, $k = k_A + k_B$, $y = y_A \times y_B$, and $r = r_A \times r_B$. Let the sequence of signatures in the set $A$ pass our screening test. The sequence of signatures in $A$ forms a combined signature $(m_A, s_A, r_A)$ such that
$$s_A = \sum_{i=1}^{\ell} s_i = k_A - \bar r \sum_{i=1}^{\ell} x_i \pmod q,$$
and thus the verification implies that the following equation must be true:
$$m_A = g^{s_A}\, y_A^{\bar r}\, r_A \pmod p. \tag{3}$$
On the other hand, the set of all signatures in $S$ also passes the test, that is, $m = g^{s} y^{\bar r} r \pmod p$, which can be written as
$$m_A \times m_B = g^{s_A} \times g^{s_B} \times y_A^{\bar r} \times y_B^{\bar r} \times r_A \times r_B \pmod p. \tag{4}$$
Now, dividing both sides of equation (4) by equation (3) gives
$$m_B = g^{s_B}\, y_B^{\bar r}\, r_B \pmod p,$$
which indicates that the sequence of signatures in the set $B$ also passes the test. (The same common $\bar r$ appears in every signature, which is what allows the test on a subset to use the $\bar r$ of the whole set rather than a value recomputed from the subset.) □

An immediate consequence of Theorem 1 is the following.

Theorem 2. If a set $S = \{(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)\}$ that passes our screening test contains some fake signatures, then the set of all fake signatures must also pass the screening test.

Proof. Split the sequence of signatures in $S$ into two sets $A$ and $B$ such that $A$ consists of all genuine signatures and $B$ consists of all fake signatures. By Theorem 1, since $A$ passes the test, $B$ must also pass the test. □

Corollary 1. Given a set $S$ consisting of $n$ digital signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$ that passes our screening test, it is impossible that $S$ contains only one fake signature. That is, either there is no fake signature in $S$ or there is more than one fake signature in $S$.

Note that, knowing a signature $(M, s, r)$, it is easy to form a set of fake signatures that passes the screening test. For example, one can form a set of pairs $(s_i, r_i)$ such that $s = \sum_{i=1}^{\ell} s_i$ and $r = \prod_{i=1}^{\ell} r_i$. Clearly, the set of fake signatures $(M, s_1, r_1), \ldots, (M, s_\ell, r_\ell)$ passes our screening test. This is similar to the problem identified in [3]. We observe that it is not difficult to overcome this problem. In particular, it is easy
to deal with this problem in the RSA-type signatures of [3] (the RSA signature is deterministic and thus a message cannot have different signatures), so a sequence with such instances is easily detected as faulty. However, we observe another way to create a faulty sequence of signatures that passes the screening test. The method is applicable to both our schemes and the scheme introduced in [3]. Let $(M_1, \sigma_1), \ldots, (M_n, \sigma_n)$ be a sequence of $n$ genuine signatures. Obviously, this set passes the screening test. On the other hand, the set $(M_1, \sigma_{\pi(1)}), \ldots, (M_n, \sigma_{\pi(n)})$, where $\pi(\cdot)$ is a random permutation over $\{1, 2, \ldots, n\}$, also passes the screening test, since the products of the $m_i$ and of the $r_i$ and the sum of the $s_i$ are unchanged. That is, no matter how secure the underlying digital signatures are, it is always possible to produce a sequence of faulty signatures (in the above manner) that passes the signature screening test. However, as mentioned in [3], this is not a security problem, since these attacks do not succeed without knowing the signatures of the messages, that is, the messages must have been signed by legitimate signers. A serious threat to the scheme would be if an adversary could select messages of his own choice and then generate a (set of) signature(s) that pass(es) our screening test. The following theorem indicates the security assurance of our screening technique.

Theorem 3. Let a set $S$ consist of $n$ digital signatures $(M_i, s_i, r_i)$, $i = 1, \ldots, n$, that passes our screening test. If the underlying digital signature is secure then $S$ does not contain a message that has never been signed by a legitimate signer.

Proof. Let $A \subseteq S$ consist of all signatures on messages that have never been signed by legitimate signers. By Theorem 2, the set of all signatures in $A$ passes the verification test, and thus a set of unauthorized users could sign a message in a multisignature manner, which contradicts the security of the underlying signature. □
In multisignature schemes, if a set of unauthorized users tries to forge a signature, or when a malicious user tries to disrupt the process of signature generation, the generated group signature is not genuine and fails the verification test. The following theorem presents an efficient algorithm to detect such a faulty signature (malicious user).

Theorem 4. Let a set $S$ consist of $n$ digital signatures $(M_i, s_i, r_i)$, $i = 1, \ldots, n$, and let $S$ fail our screening test. There exists an algorithm that detects a faulty signature (a malicious user) with $O(\log n)$ applications of the screening test.

Proof. The following algorithm, an instance of binary search, works correctly based on our results so far.
1. Split the set $S$ into two subsets (of almost equal size) and submit one of them to the verification algorithm. If the signatures in this subset pass the verification test, then the other subset cannot (if both halves passed, multiplying their verification equations would make $S$ pass), i.e. the faulty signature is in the other subset; otherwise this subset contains a faulty signature.
2. Repeat step 1 on the subset that fails the verification test as long as the cardinality of the set is larger than one.
Each round halves the candidate set, so at most $\lceil \log_2 n \rceil$ rounds are needed. If several signatures are faulty, both halves may fail; repeating the search on every failing subset then locates one faulty signature per such subset, whereas a group of fakes that jointly passes the test (Theorem 2) cannot be isolated in this way. □
8 Fast Screening for a Non-RSA Signature Scheme
In [3], finding fast screening algorithms for signature schemes other than RSA was left as an open problem. In this setting, instead of $n$ signatories, one signer generates a large number of signatures and a receiver wishes to verify all of them (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of the coins). We observe that this problem can be solved as a special case of our proposed schemes. In ElGamal-type signatures, however, the signer must use a fresh random number for every signature; otherwise the secrecy of the signer's secret key is compromised. Hence the proposed schemes, which use a common random number for the signatures on $n$ different messages in a concast environment, are not acceptable in this case. To avoid this problem, the signer follows the original signature scheme (see Section 3.2).

Signature Generation: Let $x$ and $y = g^x$ be the secret and public keys of the signer, respectively. Also, let $m_i$ ($i = 1, \ldots, n$) be the hash values (or any other encoding) of the messages $M_1, \ldots, M_n$. To sign $m_i$, the signer performs the following steps:
1. generates a random $k_i$ and computes $r_i = m_i g^{-k_i} \pmod p$;
2. generates a signature on message $m_i$ as $s_i = k_i - \bar r_i x \pmod q$, where $\bar r_i = r_i \bmod q$;
3. sends all signatures $(M_i, s_i, r_i)$ to the receiver.

Verification:
1. After receiving $n$ signatures $(M_1, s_1, r_1), \ldots, (M_n, s_n, r_n)$, the verifier calculates
$$r = \prod_{i=1}^{n} r_i \pmod p,\quad m = \prod_{i=1}^{n} m_i \pmod p,\quad s = \sum_{i=1}^{n} s_i \pmod q,\quad\text{and}\quad e = \sum_{i=1}^{n} \bar r_i \pmod q.$$
2. The verification of the combined signature $(m, s, r)$ follows the underlying signature scheme; since every signature here carries its own $\bar r_i$, the exponent of $y$ is the sum $e$ of these values rather than a single $\bar r$. The signatures are accepted if
$$m = g^{s}\, y^{e}\, r \pmod p.$$
(Multiplying the $n$ individual verification equations $m_i = g^{s_i} y^{\bar r_i} r_i$ gives exactly this relation.)
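As an added example (not code from the paper), the single-signer scheme of this section in Python, together with the Section 7 results it relies on: `screen` is the batch test applied to any subset, as the proof of Theorem 1 allows; `locate_faulty` is the binary search of Theorem 4, generalised to search both halves when both fail so that several independent faults are found (a group of fakes that jointly passes, as in Theorem 2, stays invisible, as the paper notes); and `demo` also reproduces the Section 7 observation that genuine signatures permuted among the messages still pass the screening. The exponent of $y$ is the sum of the individual $\bar r_i$, which is what multiplying the single-signature equations $m_i = g^{s_i} y^{\bar r_i} r_i$ yields. Toy group parameters, SHA-256 as the message encoding and the sample messages are assumptions made for the example.

```python
"""Section 8: one signer, n messages, a fresh k_i per message, screened in one
verification; plus the Theorem 4 binary search that localises a faulty
signature and the Section 7 observation that permuted genuine signatures
still pass the screening."""
from __future__ import annotations

import hashlib
import secrets

# Toy parameters (assumption): p = 2q + 1, g = 2^2 of order q. Far too small
# for real use; they only keep the arithmetic readable.
P, Q, G = 2039, 1019, 4


def hash_to_zp(message: bytes) -> int:
    """m_i = H(M_i) as a nonzero residue mod p (the encoding is an assumption)."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest % (P - 1) + 1


def keygen() -> tuple[int, int]:
    """Secret key x in Z_q^*, public key y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, message: bytes) -> tuple[int, int]:
    """r_i = m_i g^{-k_i} mod p, s_i = k_i - r̄_i x mod q with r̄_i = r_i mod q.
    k_i is fresh for every message; reusing it across messages exposes x."""
    m = hash_to_zp(message)
    k = secrets.randbelow(Q - 1) + 1
    r = m * pow(G, -k, P) % P
    s = (k - (r % Q) * x) % Q
    return s, r


def verify_one(y: int, message: bytes, sig: tuple[int, int]) -> bool:
    """Underlying single-signature check: m_i = g^{s_i} y^{r̄_i} r_i mod p."""
    s, r = sig
    return hash_to_zp(message) == pow(G, s, P) * pow(y, r % Q, P) * r % P


def screen(y: int, batch: list[tuple[bytes, tuple[int, int]]]) -> bool:
    """Batch screening: prod m_i = g^{sum s_i} y^{sum r̄_i} prod r_i mod p.
    Each signature has its own r_i, so the y exponent is the sum of the r̄_i."""
    m = r = 1
    s = e = 0
    for message, (s_i, r_i) in batch:
        m = m * hash_to_zp(message) % P
        r = r * r_i % P
        s = (s + s_i) % Q
        e = (e + r_i % Q) % Q
    return m == pow(G, s, P) * pow(y, e, P) * r % P


def locate_faulty(y: int, batch: list[tuple[bytes, tuple[int, int]]],
                  indices: list[int] | None = None) -> list[int]:
    """Theorem 4 binary search over the screening test. Returns the indices of
    the signatures that make the batch fail; a single fault costs O(log n)
    screenings. When a half passes, the fault must lie in the other half."""
    if indices is None:
        indices = list(range(len(batch)))
    if screen(y, [batch[i] for i in indices]):
        return []
    if len(indices) == 1:
        return list(indices)
    half = len(indices) // 2
    left, right = indices[:half], indices[half:]
    if screen(y, [batch[i] for i in left]):      # paper's step 1
        return locate_faulty(y, batch, right)
    # left fails; right may fail too if it holds a further fake (generalisation)
    return locate_faulty(y, batch, left) + locate_faulty(y, batch, right)


def demo(n: int = 8) -> tuple[bool, list[int], bool, bool]:
    """Returns (genuine batch accepted, indices located after altering s_5,
    permuted batch accepted, every permuted pair individually valid)."""
    x, y = keygen()
    messages = [f"coin {i}".encode() for i in range(n)]        # constructed input
    batch = [(M, sign(x, M)) for M in messages]
    genuine = screen(y, batch)

    # A third party alters s_5: every subset containing it now fails.
    faulty = list(batch)
    M5, (s5, r5) = faulty[5]
    faulty[5] = (M5, ((s5 + 1) % Q, r5))
    located = locate_faulty(y, faulty)

    # Section 7: genuine signatures rotated among the messages still pass the
    # screening, although each pair (M_i, sigma_{pi(i)}) fails on its own.
    rotated = [(messages[i], batch[(i + 1) % n][1]) for i in range(n)]
    return genuine, located, screen(y, rotated), all(verify_one(y, M, sg) for M, sg in rotated)
```

`demo(8)` returns `(True, [5], True, False)`: the honest batch passes, the search pins the altered signature to index 5, and the rotated batch passes the screening even though no rotated pair verifies on its own.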
References
[1] M. Al-Ibrahim and J. Pieprzyk, "Authenticating Multicast Streams in Lossy Channels Using Threshold Techniques," in Networking – ICN 2001, First International Conference, Colmar, France, Lecture Notes in Computer Science, vol. 2094, P. Lorenz (ed.), pp. 239–249, July 2001.
[2] M. Al-Ibrahim and J. Pieprzyk, "Authentication of Transit Flows and K-Siblings One Time Signature," in Advanced Communications and Multimedia Security, B. Jerman-Blazic and T. Klobucar (eds.), pp. 41–55, Kluwer Academic Publishers, CMS '02, Portoroz, Slovenia, September 2002.
[3] M. Bellare, J. Garay, and T. Rabin, "Fast Batch Verification for Modular Exponentiation and Digital Signatures," in Advances in Cryptology – Proceedings of EUROCRYPT '98 (K. Nyberg, ed.), vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, 1998.
[4] C. Boyd, "Digital Multisignatures," in Cryptography and Coding (H. Beker and F. Piper, eds.), pp. 241–246, Clarendon Press, 1989.
[5] E. Brickell, D. Gordon, K. McCurley, and D. Wilson, "Fast Exponentiation with Precomputation," in Advances in Cryptology – Proceedings of EUROCRYPT '92 (R. Rueppel, ed.), vol. 658 of Lecture Notes in Computer Science, Springer-Verlag, 1993.
[6] R. Cramer and I. Damgård, "New Generation of Secure and Practical RSA-Based Signatures," in Advances in Cryptology – Proceedings of CRYPTO '96 (N. Koblitz, ed.), vol. 1109 of Lecture Notes in Computer Science, pp. 173–185, Springer-Verlag, 1996.
[7] Y. Desmedt, "Society and group oriented cryptography: a new concept," in Advances in Cryptology – Proceedings of CRYPTO '87 (C. Pomerance, ed.), vol. 293 of Lecture Notes in Computer Science, pp. 120–127, Springer-Verlag, 1988.
[8] Y. Desmedt and Y. Frankel, "Shared generation of authenticators and signatures," in Advances in Cryptology – Proceedings of CRYPTO '91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science, pp. 457–469, Springer-Verlag, 1992.
[9] Y. Desmedt, Y. Frankel, and M. Yung, "Multi-receiver/Multi-sender network security: Efficient authenticated multicast/feedback," IEEE Infocom '92, pp. 2045–2054, 1992.
[10] W. Diffie and M. Hellman, "New Directions in Cryptography," IEEE Trans. on Inform. Theory, vol. IT-22, pp. 644–654, Nov. 1976.
[11] T. ElGamal, "A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms," IEEE Trans. on Inform. Theory, vol. IT-31, pp. 469–472, July 1985.
[12] A. Fiat, "Batch RSA," Journal of Cryptology, vol. 10, no. 2, pp. 75–88, 1997.
[13] A. Fiat and A. Shamir, "How To Prove Yourself: Practical Solutions to Identification and Signature Problems," in Advances in Cryptology – Proceedings of CRYPTO '86 (A. Odlyzko, ed.), vol. 263 of Lecture Notes in Computer Science, pp. 186–194, Springer-Verlag, 1987.
[14] L. Harn, "Group-oriented (t, n) threshold digital signature scheme and digital multisignature," IEE Proc.-Comput. Digit. Tech., vol. 141, pp. 307–313, Sept. 1994.
[15] K. Nyberg and R. Rueppel, "Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem," Designs, Codes and Cryptography, vol. 7, pp. 61–81, 1996. Also in Advances in Cryptology – Proceedings of EUROCRYPT '94, vol. 950 of Lecture Notes in Computer Science, pp. 182–193.
[16] R. Rivest, A. Shamir, and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, vol. 21, pp. 120–126, Feb. 1978.
[17] P. de Rooij, "Efficient Exponentiation using Precomputation and Vector Addition Chains," in Advances in Cryptology – Proceedings of EUROCRYPT '94 (A. De Santis, ed.), vol. 950 of Lecture Notes in Computer Science, Springer-Verlag, 1994.
[18] C. Schnorr, "Efficient Signature Generation by Smart Cards," Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991.
[19] M. De Soete, J.-J. Quisquater, and K. Vedder, "A signature with shared verification scheme," in Advances in Cryptology – Proceedings of CRYPTO '89 (G. Brassard, ed.), vol. 435 of Lecture Notes in Computer Science, pp. 253–262, Springer-Verlag, 1990.
[20] Y. Zheng, T. Hardjono, and J. Pieprzyk, "The Sibling Intractable Function Family (SIFF): Notion, Construction and Applications," IEICE Trans. Fundamentals, vol. E76-A, pp. 4–13, Jan. 1993.
Self-certified Signatures
Byoungcheon Lee (1) and Kwangjo Kim (2)
(1) Joongbu University, San 2-25, Majon-Ri, Chuboo-Meon, Kumsan-Gun, Chungnam, 312-702, Korea, [email protected]
(2) International Research center for Information Security (IRIS), Information and Communications University (ICU), 58-4, Hwaam-dong, Yusong-gu, Daejeon, 305-732, Korea, [email protected]
Abstract. A digital signature provides the authenticity of a signed message with respect to a public key, and a certificate provides the authorization of a signer for a public key. Digital signature and certificate are generated independently by different parties, but they are verified by the same verifier who wants to verify the signature. From a verifier's point of view, verifying two independent digital signatures (a digital signature and the corresponding certificate) is a burden. In this paper we propose a new digital signature scheme called self-certified signature. In this scheme a signer computes a temporary signing key from his long-term signing key and its certification information together, and generates a signature on a message and certification information using the temporary signing key in a highly combined and unforgeable manner. Then, a verifier verifies both the signer's signature on the message and the related certification information together. This approach is very advantageous in efficiency. We extend the proposed self-certified signature scheme to multi-certification signature, in which multiple pieces of certification information are verified. We apply it to public key infrastructure (PKI) and privilege management infrastructure (PMI) environments. Keywords: digital signature, self-certified signature, self-certified key, multi-certification signature, public key infrastructure, privilege management infrastructure
1 Introduction
1.1 Digital Signature and Certification
A digital signature is computed by a signer from a message and his signing key. When the signature is verified to be valid with the corresponding public key, it provides the authenticity of the signed message with respect to the public key. But the signature is only linked to the public key and does not provide the authorization of the signer by itself. To provide the authorization of the signer for the public key, a certificate is used, which is signed by a trusted third party. In X.509 [PKI], a certification authority (CA) can provide the signer with a certificate which is a digital signature of CA on the public key and relevant certification information such as serial number, identity of the signer, identity of CA, period of validity, extensions, etc. In other words, a certificate provides an unforgeable and trusted link between a public key and a specific signer. Whenever a verifier wants to use the public key to verify a signature, he first has to check the validity of the certificate using CA's public key.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 199–214, 2002. © Springer-Verlag Berlin Heidelberg 2002

Public key infrastructure (PKI) [PKI] is a hierarchical framework to issue and manage certificates. It is also said that PKI is a trust management infrastructure. It is a key infrastructure for digital signature technology to be adopted in the real world. Recently, many countries over the world have enacted digital signature acts which provide legal support for the validity of digital signatures. Nowadays, the PKI industry is booming and digital signature technology is being adopted quickly in daily life. Digital signature and certificate are generated independently by different parties, but they are verified by the same verifier who wants to verify the signature. From a verifier's point of view, verifying two independent digital signatures (a digital signature on a message and the corresponding certificate) is a burden. Moreover, the verifier has to locate and keep the corresponding certificate by himself. Therefore a more elegant and efficient approach to the verification of digital signature and certificate is required. To solve this problem, we propose a new digital signature scheme called self-certified signature (SCS). In this scheme a signer computes a temporary signing key from his long-term signing key and certification information together, and generates a signature on a message and certification information using the temporary signing key in a highly combined and unforgeable manner. Then, a verifier verifies both the signer's signature on the message and the related certification information together.
This approach has many advantages in efficiency (computation and communication) and in real-world usage. Moreover, in PKI and PMI environments many additional pieces of certification information need to be checked together, such as the certificate revocation list (CRL), the certification path from the root CA to the signer, attribute certificates, etc. We extend the SCS scheme to multi-certification signature (MCS), in which multiple pieces of certification information are verified, and apply it to PKI and PMI environments.

1.2 Related Concepts
The concept of SCS has some similarity with identity-based cryptosystems, self-certified keys (SCK), and proxy signature schemes. These concepts all deal with the issue of how to certify public keys. The most familiar approach to certifying a public key is using an explicit certificate such as X.509, but these concepts show other possibilities for managing certification. In identity-based schemes, first introduced by Shamir [Sha84], the public key is nothing but the identity of the signer and the related secret key is computed from some trapdoor originated by CA. This scheme is very attractive because it needs no certificate and no verification of a certificate, hence reduces the amount
of storage and computation, but its disadvantage is that the secret key is known to CA. The concept of self-certified key (SCK), introduced in [Gir91], is a sophisticated combination of the certificate-based and identity-based models. Using an RSA cryptosystem, a user chooses his secret key, computes his public key, and gives it to the authority. Then the authority computes a certification parameter for the user which satisfies a computationally unforgeable relationship with the public key and the identity. A verifier can compute the public key from the identity and the certification parameter. [PH97] extended [Gir91] to DLP-based cryptosystems in which the self-certified key is issued securely using a weak blind Schnorr signature protocol. A problem of SCK schemes is that they provide only implicit authentication, i.e., the validity of a SCK is determined only after a successful communication. [LK00] improved [PH97] such that explicit authentication of the SCK is provided by using the concept of a self-certificate. In terms of cryptographic primitives, SCS is similar to proxy signature schemes [MUO96, PH97, KPW97, LKK01a, LKK01b]. A proxy signature is a signature scheme in which an original signer delegates her signing capability to a proxy signer, and then the proxy signer creates a signature on behalf of the original signer. From a proxy signature a verifier can check both the original signer's delegation and the proxy signer's digital signature. The basic methodology used in proxy signature schemes is that the original signer creates a signature on delegation information (ID of the designated proxy signer, period of validity, specification of the message space, or any warrant information) and gives it secretly to the proxy signer, and then the proxy signer uses it to generate a proxy key pair.

From a proxy signature computed using the proxy signing key, any verifier can check the original signer's delegation, because the proxy key pair is generated from the original signer's signature on the delegation information. In the SCS scheme, certification information is used in a similar way as the delegation information in proxy signature schemes. More recently, a proxy certificate profile was proposed in [PC]. A proxy certificate can be used by an entity A to give delegation information to an entity B in the form of a certificate. Then B can authenticate to others as if it were A. These concepts all specify how to make a key pair. The SCK scheme is a key issuing protocol with no specification of signing and verification, but the SCS scheme contains signing and verification algorithms together with a key generation algorithm. Proxy signature schemes [PH97, KPW97, LKK01a] specify signing and verification algorithms, but they are signatures only on the message. As will be shown in a later section, there are possibilities of forgery if a proxy signature is a signature only on the message. The proxy signature schemes in [LKK01b] are signatures on message and delegation information together, but a detailed analysis was not given. On the other hand, a SCS is a signature on both the message and the certification information, such that a verifier can verify both the digital signature on the message and the certification information in an efficient way. Since a SCS contains certification information in a digital signature, it provides more concrete non-repudiation evidence than a normal digital signature.
1.3 Our Contributions
To provide the authenticity of a digital signature and the authorization of a public key together in an efficient way, we introduce a new digital signature scheme called self-certified signature. In this approach the signer generates a temporary signing key using his long-term signing key and CA's certification information together, and signs a message and the certification information using this temporary signing key. In the verification stage both the signature on the message and the certification information are checked together. We extend the proposed SCS scheme to multi-certification signature (MCS), in which multiple pieces of certification information are verified. We apply the MCS scheme to public key infrastructure (PKI) and privilege management infrastructure (PMI) environments, in which much additional certification information, such as certificate revocation lists (CRL), path validation from the root CA to the signer, attribute certificates (AC), etc., has to be verified. A signer can collect all the certification information required to verify the authorization for his public key and compute a MCS. This provides more concrete non-repudiation evidence than a normal digital signature. From a verifier's point of view, he does not need to locate all the required certification information by himself. The paper is organized as follows: In Section 2 we define the SCS scheme and show a general implementation of SCS based on DLP. We also show a distinguished implementation of SCS and discuss its security. In Section 3 we extend the proposed SCS scheme to MCS and apply it to PKI and PMI environments in which many additional pieces of certification information have to be verified. We compare the efficiency of the MCS scheme with a general multiple-signature approach. Finally, we conclude in Section 4.
2 Self-certified Signature
Assume that a signer S has a long-term key pair $(x_0, y_0)$ where $x_0$ is a secret signing key and $y_0$ is the corresponding public key. The public key $y_0$ is certified by a certification authority CA with a certificate $Cert_s$. CA issues $Cert_s$ as a certificate for the public key $y_0$ and the signer S by signing certification information $CI_s$ that CA prepares. According to X.509, $CI_s$ can include information such as serial number, signer's identity, issuer's identity, the public key $y_0$, period of validity, extensions, etc. To sign a message using the SCS scheme, the signer S computes a temporary key pair $(x, y)$ using his long-term key pair $(x_0, y_0)$ and the certificate $Cert_s$. The basic idea of the proposed SCS scheme is as follows.
1. A signer S computes a temporary signing key $x$ for SCS using his long-term signing key $x_0$ and certificate $Cert_s$ such that it can be computed only by himself.
2. S signs a message and the related certification information using the temporary signing key $x$ to generate a self-certified signature $\sigma$.
3. A verifier V computes the temporary public key $y$ from the signer's long-term public key $y_0$ and the certification information, and verifies the self-certified signature $\sigma$ using $y$.

The resulting SCS is a combination of a general signature scheme and a certification scheme; therefore it should satisfy the non-repudiation requirement of the general signature scheme and the certification requirement of the certification scheme. In this paper we use the following notation.
– S: a signer
– V: a verifier
– CA: a certification authority
– $(x_0, y_0)$: signer's long-term key pair (secret signing key, public key)
– $(x, y)$: signer's temporary key pair for SCS
– $CI_s$: certification information, prepared by CA, for the public key $y_0$ and the signer S
– $Cert_s$: a certificate, issued by CA, for the public key $y_0$ and the signer S
– $S_x(m)$: a signing algorithm on message $m$ using a signing key $x$
– $V_y(s, m)$: a verification algorithm for a signature $s$ using a public key $y$
– $S_x(m_1, m_2)$: a two-message signing algorithm on messages $m_1$ and $m_2$ using a signing key $x$
– $V_y(s, m_1, m_2)$: a two-message verification algorithm for a signature $s$ on messages $m_1$ and $m_2$ using a public key $y$
– $h(), h_1(), h_2()$: collision-resistant hash functions
– $m$: a message
– $\sigma$: a self-certified signature

2.1 Definition of SCS
First, we need to consider how to sign two messages together.

Definition 1 (Two-message signature). Let $m_1$ and $m_2$ be two messages that a signer S wants to sign together. Let $S_x(m)$ be a signing algorithm which produces a signature on message $m$ using a signing key $x$. Then a two-message signature is a signature on the two messages $m_1$ and $m_2$ together, and we denote it by $S_x(m_1, m_2)$, where $m_1$ and $m_2$ are called the first and second message.

The most straightforward approach to a two-message signature is to prepare a new message by concatenating the two messages as $m = (m_1 \| m_2)$ and then sign $m$ using a general signature scheme. But there can be numerous modifications. We will show an example in a later section. Now we define self-certified signature.

Definition 2 (Self-certified signature). Let $(x_0, y_0)$ be a signer's long-term key pair where $x_0$ and $y_0$ are a secret signing key and the corresponding public key, respectively. Let $Cert_s$ be a certificate for the public key $y_0$ issued by CA. A self-certified signature scheme consists of the following three algorithms.
1. Key generation algorithm takes the long-term key pair $(x_0, y_0)$ and the certificate $Cert_s$ and outputs a temporary key pair $(x, y)$:
$$x = f(x_0, Cert_s), \qquad y = g(y_0, Cert_s),$$
where $f, g$ are public algorithms.
2. Signing algorithm is a probabilistic algorithm which takes a message $m$, a certificate $Cert_s$, and the temporary signing key $x$ as input and outputs a self-certified signature $\sigma = S_x(m, Cert_s)$ using the two-message signature scheme, where the first message is $m$ and the second message is $Cert_s$.
3. Verification algorithm takes a self-certified signature $\sigma$, a message $m$, a certificate $Cert_s$, and a long-term public key $y_0$ as input and outputs a binary value 0 (invalid) or 1 (valid). It is a three-step algorithm.
– It computes the temporary public key $y = g(y_0, Cert_s)$.
– It verifies the self-certified signature using $y$: $V_y(\sigma, m, Cert_s) \stackrel{?}{=} 1$.
– It checks whether $y_0$ is stated in $Cert_s$ correctly (this is just a document test, not a signature verification).

If all the verifications hold, it means that the signature of the signer on message $m$ is valid and the certification by CA is also confirmed. If the document test of $Cert_s$ is not valid, the self-certified signature is considered to be invalid, although the signature verification was passed. A self-certified signature scheme should satisfy the following security requirements.
1. Non-repudiation: The self-certified signature should be generated only by the signer S who knows the long-term signing key $x_0$. Therefore the signer should not be able to repudiate his signature creation later.
2. Certification: From the self-certified signature a verifier should be convinced that the signer S is authorized to use the public key $y_0$ by the trusted authority CA.

2.2 Attack Models against SCS
The most powerful attack model on a digital signature scheme is the adaptively chosen message attack [PS00], in which an adversary is allowed to access the signing oracle as many times as she wants and get valid signatures for messages of her choice. In the SCS scheme the attacker is in a better position, since she has additional knowledge of the certification information. There is also a possibility for the signer to misuse the temporary signing key. We consider the following additional attack scenarios.
1. Forgery using partial information (by a third party): In the SCS scheme partial information about the temporary signing key $x$ is known to third parties, i.e., the certification information $Cert_s$ is published (but the long-term signing key $x_0$ is kept secret). Moreover, the algebraic relationship between $x$
and $x_0$ is publicly known. The long-term signing key $x_0$ can be used to generate normal signatures, while the temporary signing key $x$ is used to generate SCS. If the SCS scheme is not secure, an active attacker can try to change the certification information, derive a valid normal signature from a valid SCS, or derive a valid SCS from a valid normal signature. For the SCS scheme to be secure, this partial information should be of no help to any malicious third party in forging a valid signature.
2. Key generation stage attack (by the signer): In the SCS scheme the signer computes the temporary signing key $x$ by himself. A malicious signer can try to use it for another malicious purpose. For example, he can get a certificate for $(x, y)$ from another CA without exposing the previous certification information and use it for a malicious purpose. He can show the previous certification information later when it is necessary. For the SCS scheme to be secure, this kind of malicious usage of the temporary key pair should be prevented and easily detected.
These attacks also apply to proxy signature schemes [PH97, KPW97, LKK01a] when the proxy signature is a signature only on the message.

2.3 General Implementation of SCS Based on DLP
The SCS scheme can be implemented easily using the DLP-based cryptosystem if system parameters are shared among signer’s key pair and CA’s key pair. We consider the Schnorr signature scheme as an underlying signature scheme. Firstly, we review Schnorr signature scheme briefly. Let p and q be large primes with q|p − 1. Let g be a generator of a multiplicative subgroup of Zp∗ with order q. h() denotes a collision resistant cryptographic hash function. Assume that a signer has a secret signing key x and the corresponding public key y = g x mod p. To sign a message m, the signer chooses a random number k ∈R Zq∗ and computes r = g k , s = x · h(m, r) + k. Then the tuple (r, s) becomes a valid signature on message m. The validity of signature is verified ? by g s = y h(m,r) r. Note that the signing process requires one offline modular exponentiation and the verification of signature requires two online modular exponentiations. This signature scheme has been proven to be secure under the random oracle model [PS96, PS00]. They have shown that existential forgery under the adaptively chosen message attack is equivalent to the solution of discrete logarithm problem. We assume that a signer S has a long-term key pair (x0 , y0 ) where y0 = g x0 mod p. He also has a certificate Certs on the public key y0 issued by CA. We also assume that the same system parameters p and q are shared among signer’s key pair and CA’s key pair. Let (xCA , yCA ) be CA’s key pair where yCA = g xCA . The certificate Certs = (rc , sc ) on public key y0 is CA’s Schnorr signature on some certification information CIs prepared by CA, which includes serial number, long-term public key y0 , signer’s identity, issuer’s identity, period of validity, extensions, etc. To issue Certs CA chooses kc ∈R Zq∗ and computes Certs = (rc , sc ) = (g kc , xCA · h(CIs , rc ) + kc ).
Byoungcheon Lee and Kwangjo Kim
Its validity is verified by checking $g^{s_c} \stackrel{?}{=} y_{CA}^{h(CI_s, r_c)}\, r_c$. The CA has issued $Cert_s = (r_c, s_c)$ to $S$ as a certificate for the public key $y_0$. Now the self-certified signature scheme on a message $m$ and a certificate $Cert_s$ is given by the following three algorithms.
General Implementation of SCS:
1. Key generation: A signer $S$ computes a temporary key pair $(x, y)$ from the long-term key pair $(x_0, y_0)$ and the certificate $Cert_s$ as
$x = x_0 + s_c, \quad y = y_0\, y_{CA}^{h(CI_s, r_c)}\, r_c$.
2. Signing: Using the temporary signing key $x$, $S$ computes a self-certified signature $\sigma = (r, s)$ on message $m$ and certificate $Cert_s$ as follows.
– Prepare the concatenated message $m \| CI_s \| r_c$.
– Choose a random number $k \in_R \mathbb{Z}_q^*$ and compute the signature as $r = g^k$, $s = x \cdot h(m \| CI_s \| r_c, r) + k$.
– Give $\{(r, s), CI_s, r_c\}$ as the SCS on message $m$.
3. Verification: A verifier $V$ checks the validity of $\{(r, s), CI_s, r_c\}$ as follows.
– Compute the temporary public key $y = y_0\, y_{CA}^{h(CI_s, r_c)}\, r_c$.
– Verify the signature $(r, s)$ using $y$ by checking $g^s \stackrel{?}{=} y^{h(m \| CI_s \| r_c, r)}\, r$.
– Check that $y_0$ is stated correctly in $CI_s$ (this is just a document test, not a signature verification).
If the verification holds, the signature of the signer on message $m$ is valid and the certification by the CA is also confirmed. If the document test on $Cert_s$ fails, the self-certified signature is considered invalid even though the signature verification passed. Therefore the signer should construct the temporary key pair using correct certification information. Because the underlying Schnorr signature scheme is secure, the proposed SCS scheme satisfies the security requirements listed above.
1. Non-repudiation: Since the Schnorr signature scheme is a secure signature scheme, any other party who does not know the temporary signing key $x$ cannot forge a valid Schnorr signature on the two messages $m$ and $Cert_s$. Therefore the signer cannot repudiate his signature later.
2. Certification: Since the Schnorr signature $(r, s)$ is verified using the temporary public key $y = y_0\, y_{CA}^{h(CI_s, r_c)}\, r_c$, a verifier is convinced that the signer was authorized by the CA to use the public key $y_0$.
Note that $\{(r, s), CI_s, r_c\}$ is a signature on the combined message $m \| CI_s \| r_c$ (instead of just $m$) with the temporary signing key $x = x_0 + s_c$. This prevents the additional attacks described above.
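As an added illustration (example code written for this edit, not the authors' implementation), the following Python program runs the three SCS algorithms above end to end: the CA issues a Schnorr certificate on $CI_s$, the signer derives the temporary key pair, signs the combined message $m \| CI_s \| r_c$, and the verifier recomputes $y$ from the public certification data before verifying. The group parameters p = 2039, q = 1019, g = 4, the certification string and the message are constructed toy values chosen so that the example runs instantly; h() is instantiated as SHA-256 reduced modulo q, which the paper does not prescribe, and the document test assumes the constructed "y0=" field format.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only): p = 2q + 1 with
# p, q prime and g = 4 of order q in Z_p^*. Real deployments use far larger p.
P, Q, G = 2039, 1019, 4


def enc(n: int) -> bytes:
    """Fixed-width encoding of a group element for hashing (an assumption)."""
    return n.to_bytes(4, "big")


def H(*parts: bytes) -> int:
    """Instantiation of h(): SHA-256 over the concatenation, reduced mod q."""
    digest = hashlib.sha256(b"".join(parts)).digest()
    return int.from_bytes(digest, "big") % Q


def keygen() -> tuple:
    """Schnorr key pair (x, y = g^x mod p)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x: int, msg: bytes) -> tuple:
    """r = g^k, s = x * h(m, r) + k  (mod q); one offline exponentiation."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (x * H(msg, enc(r)) + k) % Q


def schnorr_verify(y: int, msg: bytes, sig: tuple) -> bool:
    """Check g^s == y^h(m, r) * r  (mod p); two online exponentiations."""
    r, s = sig
    return pow(G, s, P) == (pow(y, H(msg, enc(r)), P) * r) % P


def scs_keygen(x0: int, y0: int, y_ca: int, ci: bytes, cert: tuple) -> tuple:
    """Step 1: x = x0 + s_c, y = y0 * y_CA^h(CI_s, r_c) * r_c."""
    r_c, s_c = cert
    x = (x0 + s_c) % Q
    y = (y0 * pow(y_ca, H(ci, enc(r_c)), P) * r_c) % P
    return x, y


def scs_sign(x: int, msg: bytes, ci: bytes, r_c: int) -> tuple:
    """Step 2: a Schnorr signature under x on the combined message m||CI_s||r_c."""
    return schnorr_sign(x, msg + ci + enc(r_c))


def scs_verify(y0: int, y_ca: int, msg: bytes, ci: bytes, r_c: int, sig: tuple) -> bool:
    """Step 3: recompute y from (y0, y_CA, CI_s, r_c), then verify (r, s).
    The document test (y0 really is the key named in CI_s) is done separately."""
    y = (y0 * pow(y_ca, H(ci, enc(r_c)), P) * r_c) % P
    return schnorr_verify(y, msg + ci + enc(r_c), sig)


def document_test(y0: int, ci: bytes) -> bool:
    """Document test on CI_s: does it name the long-term key y0? (assumed format)"""
    return b"y0=" + enc(y0) in ci


def demo() -> dict:
    x_ca, y_ca = keygen()                     # CA's key pair
    x0, y0 = keygen()                         # signer's long-term key pair
    # Constructed certification information CI_s; it names y0 explicitly.
    ci = b"serial=1;subject=S;issuer=CA;y0=" + enc(y0)
    cert = schnorr_sign(x_ca, ci)             # Cert_s = (r_c, s_c)
    r_c = cert[0]
    x, y = scs_keygen(x0, y0, y_ca, ci, cert)
    msg = b"constructed message m"
    sig = scs_sign(x, msg, ci, r_c)
    # A third party who alters CI_s changes both the recomputed y and the
    # signed message, so the SCS no longer verifies.
    altered_ci = ci.replace(b"subject=S", b"subject=T")
    return {
        "temp_key_consistent": y == pow(G, x, P),   # y really equals g^x
        "valid": scs_verify(y0, y_ca, msg, ci, r_c, sig) and document_test(y0, ci),
        "altered_ci_valid": scs_verify(y0, y_ca, msg, altered_ci, r_c, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The check `y == pow(G, x, P)` in `demo()` is the algebraic fact behind the key generation step: $g^{x_0 + s_c} = y_0 \cdot g^{x_{CA} h(CI_s, r_c) + k_c} = y_0\, y_{CA}^{h(CI_s, r_c)}\, r_c$, so the verifier can rebuild $y$ without ever seeing $s_c$ or $x$.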
Self-certified Signatures
1. Forgery using partial information (by third party): A third party cannot manipulate a valid SCS into a new valid SCS (by modifying the certification information) or into a normal signature (by deleting the certification information), even though he knows the additional information $s_c$.
2. Key generation stage attack (by signer): A malicious signer cannot hide the certification information on purpose and expose it later. He can get a new certificate for $x = x_0 + s_c$ from another CA and use it as a new certified key, but when he later exposes the hidden certification it is not accepted, since the certification information must be included explicitly in the message.
Since a SCS includes both a signature on the message and the certification, it provides more concrete non-repudiation evidence than a normal signature. For example, if a normal signature is verified to be valid but the corresponding certificate turns out to be invalid, the signature is not qualified; a valid SCS, on the other hand, is qualified by itself. The SCS scheme provides complete non-repudiation evidence if the signer computed it correctly, while normal signature schemes provide only partial non-repudiation evidence. In terms of communication, a verifier does not need to locate and keep the certification information himself because it is already included in the SCS. In terms of computation, SCS is more efficient than the general approach of independent signature verification. A detailed efficiency analysis is given in Section 3.

2.4 Comparison with Self-certified Key
The proposed SCS scheme can be compared with the self-certified key (SCK) scheme as follows. First, the SCK scheme is a key issuing protocol and does not specify how to sign a message using the self-certified key. The SCS scheme, on the other hand, does not specify how to certify a public key, but specifies how to sign a message and verify a signature using a long-term key pair together with the corresponding certificate. Therefore the SCS scheme can use the already widespread PKI environment without any change. SCS can be considered an additional service by the signer that provides more concrete non-repudiation evidence and more efficient signature verification. As will be shown later, the efficiency gain is mainly in the verification stage, not in the signing stage. Second, the SCK scheme provides only implicit authentication: since no certificate is used explicitly, the authenticity of a public key is guaranteed only when the key is used successfully in an application. The SCS scheme, on the other hand, provides explicit authentication since the certificate of the PKI environment is used. The only difference is that the certificate is tightly combined with the signature in the signing and verification algorithms.

2.5 Distinguished Implementation of SCS
If the same digital signature scheme (for example, the Schnorr signature) is used both as a normal signature scheme and as a SCS scheme, some dispute can arise. The SCS $(r, s)$ generated above can also be regarded as a normal signature on the message $m \| CI_s \| r_c$ under the new signing key $x$. Anyone can launch the following attacks using the public information $s_c$.
– If the signer signs a message of the form $m \| CI_s \| r_c$ using his long-term signing key $x_0$, anyone can compute a valid SCS by adding the certification component.
– If the signer generates a SCS on $m \| CI_s \| r_c$ as above, anyone can compute a normal signature on $m \| CI_s \| r_c$ by deleting the certification component.
The resulting forgery may not be very risky in the real world, but the signer should be careful not to sign any maliciously formed message. Although the SCS scheme is secure in the cryptographic sense, this kind of dispute needs to be removed. Therefore the normal signature scheme and the SCS scheme need to be implemented in distinguishable ways. The first natural approach in designing a SCS scheme is to use the message and the certification information in distinguished ways in the signing algorithm. First, we introduce a distinguished two-message signature scheme in which the two messages are used in different hash functions. It is a slight modification of the Schnorr signature scheme.
Distinguished two-message signature scheme: Let $m_1$ and $m_2$ be two messages to be signed. Let $(x, y)$ be the signer's key pair.
1. Signing algorithm: A signer chooses a random number $k \in_R \mathbb{Z}_q^*$ and computes a signature as
$r = g^k, \quad s = x \cdot h_1(m_1, r) + k \cdot h_2(m_2, r)$
where $h_1()$ and $h_2()$ are cryptographic hash functions. Note that the first and the second messages are used in $h_1()$ and $h_2()$, respectively.
2. Verification algorithm: A verifier verifies the signature $(r, s)$ by checking $g^s \stackrel{?}{=} y^{h_1(m_1, r)}\, r^{h_2(m_2, r)}$.
We consider the security of the distinguished two-message signature scheme. It can be proven that the distinguished two-message signature scheme is secure under an adaptively chosen-message attack.
Theorem 1. Consider an adaptively chosen message attack in the random oracle model against the distinguished two-message signature scheme. Probabilities are taken over random tapes, random oracles and public keys. If an existential forgery of this scheme has non-negligible probability of success, then the discrete logarithm problem can be solved in polynomial time.
Proof. The signer can be simulated by a simulator (who does not know the secret key) with an indistinguishable distribution. We write the signature scheme as
$r = g^k, \quad s = x \cdot e_1 + k \cdot e_2$
where $e_1 = h_1(m_1, r)$ and $e_2 = h_2(m_2, r)$. A simulator who does not know the secret key $x$ can choose $s, e_1, e_2 \in_R \mathbb{Z}_q$ and compute $r = g^{s/e_2}\, y^{-e_1/e_2}$. Then $(r, s)$ computed by the simulator is indistinguishable from the signer's signature. Now the attacker and the simulator can collude to break the signature scheme, and we can solve the discrete logarithm. Assume that an existential forgery of this scheme has non-negligible probability of success. Using the forking lemma [PS96, PS00], we get two valid signatures $(r, s, e_1, e_2)$ and $(r, s', e_1', e_2')$ such that $g^s = y^{e_1} r^{e_2}$ and $g^{s'} = y^{e_1'} r^{e_2'}$. Then, from
$g^{s/e_2}\, y^{-e_1/e_2} = g^{s'/e_2'}\, y^{-e_1'/e_2'}$
the signing key $x$ can be computed as
$x = (s/e_2 - s'/e_2') / (e_1/e_2 - e_1'/e_2')$.
Now we implement a SCS scheme using the distinguished two-message signature scheme and call it the distinguished implementation. In this scheme the first message is the message to be signed and the second message is the certification information for the public key. In this implementation the key generation algorithm is the same, but the signing and verification algorithms are modified as follows.
Distinguished Implementation of SCS:
1. Key generation: same as in the general implementation of SCS.
2. Signing: Choose a random number $k \in_R \mathbb{Z}_q^*$ and compute the signature as $r = g^k$, $s = x \cdot h_1(m, r) + k \cdot h_2(CI_s \| r_c, r)$.
3. Verification: Verify the signature $(r, s)$ using $y$ by checking $g^s \stackrel{?}{=} y^{h_1(m, r)}\, r^{h_2(CI_s \| r_c, r)}$.
Note that message m is used in the first hash function and certification information CIs ||rc is used in the second hash function. Compared with the general implementation, this modification requires one more online exponentiation in verification. Since the distinguished two-message signature scheme is a secure signature scheme, distinguished implementation of SCS also satisfies non-repudiation and certification requirements.
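To make the distinguished scheme and the extraction step of the proof of Theorem 1 concrete, here is an added Python example (written for this edit, not code from the paper). It implements the two-message signature with $m_1 = m$ in $h_1()$ and $m_2 = CI_s \| r_c$ in $h_2()$, the simulator that produces a valid $(r, s)$ without $x$ for chosen $e_1, e_2$, and the computation $x = (s/e_2 - s'/e_2')/(e_1/e_2 - e_1'/e_2')$ from two forked signatures that share $r$. Key generation is the same as in the general implementation and is not repeated here. The toy group p = 2039, q = 1019, g = 4, the domain-separation tags that turn one SHA-256 into two functions $h_1$ and $h_2$, the value $r_c = 123$ and the oracle answers 17, 23, 101, 7 are all constructed values.

```python
import hashlib
import secrets

# Toy group (constructed for illustration): p = 2q + 1, g of prime order q.
P, Q, G = 2039, 1019, 4


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def hash_to_zq(tag: bytes, *parts: bytes) -> int:
    """SHA-256 with a domain tag, reduced mod q. The tag makes h1 and h2
    different functions (assumption: the paper only requires them to differ)."""
    d = hashlib.sha256(tag + b"".join(parts)).digest()
    return int.from_bytes(d, "big") % Q


def h1(m: bytes, r: int) -> int:
    return hash_to_zq(b"h1", m, enc(r))


def h2(m: bytes, r: int) -> int:
    return hash_to_zq(b"h2", m, enc(r))


def verify_raw(y: int, r: int, s: int, e1: int, e2: int) -> bool:
    """Core relation g^s == y^e1 * r^e2 (mod p); three online exponentiations."""
    return pow(G, s, P) == (pow(y, e1, P) * pow(r, e2, P)) % P


def sign_two(x: int, m1: bytes, m2: bytes) -> tuple:
    """r = g^k, s = x*h1(m1, r) + k*h2(m2, r) (mod q)."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (x * h1(m1, r) + k * h2(m2, r)) % Q


def verify_two(y: int, m1: bytes, m2: bytes, sig: tuple) -> bool:
    r, s = sig
    return verify_raw(y, r, s, h1(m1, r), h2(m2, r))


def scs_sign_distinguished(x: int, msg: bytes, ci: bytes, r_c: int) -> tuple:
    """Distinguished SCS: message in h1(), certification data CI_s||r_c in h2()."""
    return sign_two(x, msg, ci + enc(r_c))


def scs_verify_distinguished(y: int, msg: bytes, ci: bytes, r_c: int, sig: tuple) -> bool:
    return verify_two(y, msg, ci + enc(r_c), sig)


def simulate(y: int, s: int, e1: int, e2: int) -> int:
    """Simulator from the proof: without x, pick s, e1, e2 and set
    r = g^(s/e2) * y^(-e1/e2); then (r, s) satisfies g^s = y^e1 * r^e2."""
    inv_e2 = pow(e2, -1, Q)
    return (pow(G, s * inv_e2 % Q, P) * pow(y, (-e1 * inv_e2) % Q, P)) % P


def sign_with_oracle(x: int, k: int, e1: int, e2: int) -> tuple:
    """Signature for fixed k and fixed oracle answers (e1, e2): in the forking
    argument two runs share k (hence r) but receive different answers."""
    return pow(G, k, P), (x * e1 + k * e2) % Q


def extract_key(s: int, e1: int, e2: int, s2: int, f1: int, f2: int) -> int:
    """x = (s/e2 - s'/e2') / (e1/e2 - e1'/e2')  (mod q), with (s2, f1, f2) = (s', e1', e2')."""
    i2, j2 = pow(e2, -1, Q), pow(f2, -1, Q)
    num = (s * i2 - s2 * j2) % Q
    den = (e1 * i2 - f1 * j2) % Q
    return num * pow(den, -1, Q) % Q


def demo() -> dict:
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    msg, ci, r_c = b"constructed message m", b"constructed CI_s", 123
    sig = scs_sign_distinguished(x, msg, ci, r_c)
    # Simulated signature for arbitrary oracle answers (no secret key used).
    s_sim, e1_sim, e2_sim = 77, 5, 9
    r_sim = simulate(y, s_sim, e1_sim, e2_sim)
    # Forking: same k and r, two different oracle answer pairs with
    # e1/e2 != e1'/e2' (mod q), so the denominator in extract_key is non-zero.
    k = secrets.randbelow(Q - 1) + 1
    e1, e2, f1, f2 = 17, 23, 101, 7
    r, s = sign_with_oracle(x, k, e1, e2)
    _, s2 = sign_with_oracle(x, k, f1, f2)
    return {
        "valid": scs_verify_distinguished(y, msg, ci, r_c, sig),
        "simulated_valid": verify_raw(y, r_sim, s_sim, e1_sim, e2_sim),
        "extracted_matches_x": extract_key(s, e1, e2, s2, f1, f2) == x,
    }


if __name__ == "__main__":
    print(demo())
```

`verify_raw` makes the extra cost visible: compared with Schnorr's two online exponentiations, the distinguished scheme needs a third one for $r^{h_2(\cdot)}$, which is the "one more online exponentiation" noted above.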
3 Multi-certification Signature and PKI

3.1 PKI and PMI Environments
A digital signature provides the authenticity of a signed message with respect to a public key, and a certificate issued by a trusted authority provides the authorization of a signer for a public key. Whenever a verifier wants to use the public key to verify a signature, he first has to check the validity of the certificate using the CA's public key. The next question is whether the verifier trusts the signer's CA, or how to manage the trust relationship between a signer and a verifier. Public key infrastructure (PKI) [PKI] is a hierarchical framework to issue and manage certificates; it is also said that PKI is a trust management infrastructure. As the trust relationship between a signer and a verifier becomes complex in a PKI environment, the verifier should check not only the certificate of the signer, but also various extra certification information related to the certificate.
– He has to check the CRL [CRL] to see whether the signer's certificate has been revoked.
– He has to check the certification path from the signer's CA to the root CA he trusts (checking the certificates and CRLs of the CAs located along the certification path).
Recently, attribute certificates (AC) and PMI [PMI] have become an issue. Since the public key certificate (PKC) provides authentication only for the key pair and is used for a relatively long period of time, it is not suitable for authenticating short-term attributes of the signer (such as access control, role, authorization, etc.) which are used for a short period of time. For these applications an attribute authority (AA) issues an AC to a signer to certify the signer's specific attribute. PMI is an infrastructure to manage ACs while PKI is an infrastructure to manage PKCs. An AC does not use an independent key pair, but has a link to a PKC; therefore the same key pair is shared between the PKC and the AC. When a signer signs a message with the key pair and asserts both the PKC and AC certifications, a verifier has to verify both.
– He has to verify the certifications related to the AC, if it is asserted by the signer.
Therefore, from the verifier's point of view the verification of a digital signature is a burden and he should be very careful to check every required certification. The proposed SCS scheme can easily be extended to the multi-certification situation in which multiple certification information items must be verified. In this section we introduce the multi-certification signature (MCS) and apply it to PKI and PMI environments.

3.2 Multi-certification Signature
The multi-certification signature (MCS) scheme is a generalization of the self-certified signature scheme in which multiple certification information items are verified together.
Definition 3 (Multi-certification Signatures). A multi-certification signature is a self-certified signature in which multiple certification information items are used.
Let $(x_0, y_0)$ be the signer's long-term key pair. Let $(c_1, \ldots, c_n)$ be $n$ certification information items related to $y_0$, which can be PKCs, CRLs, ACs, etc. The multi-certification signature scheme consists of the following three algorithms.
1. Key generation algorithm takes the long-term key pair $(x_0, y_0)$ and the $n$ certification information items $(c_1, \ldots, c_n)$ and outputs a temporary key pair $(x, y)$:
$x = f(x_0, c_1, \ldots, c_n), \quad y = g(y_0, c_1, \ldots, c_n)$
where $f, g$ are public algorithms.
2. Signing algorithm is a probabilistic algorithm which takes a message $m$, the $n$ certification information items $(c_1, \ldots, c_n)$ and the temporary signing key $x$ as input and outputs a multi-certification signature $\sigma = S_x(m, c_1, \ldots, c_n)$ using the two-message signature scheme, where the first message is $m$ and the second message is $(c_1, \ldots, c_n)$.
3. Verification algorithm takes a multi-certification signature $\sigma$, a message $m$, the $n$ certification information items $(c_1, \ldots, c_n)$ and the long-term public key $y_0$ as input and outputs a binary value 0 (invalid) or 1 (valid). It is a three-step algorithm.
– It computes the temporary public key $y = g(y_0, c_1, \ldots, c_n)$.
– It verifies the multi-certification signature using $y$: $V_y(\sigma, m, c_1, \ldots, c_n) \stackrel{?}{=} 1$.
– It checks whether $(c_1, \ldots, c_n)$ are valid (this is just a document test, not a signature verification).
Now consider a general implementation of MCS based on a DLP cryptosystem. We assume that a signer $S$ has a certified key pair $(x_0, y_0)$ where $y_0 = g^{x_0}$ and $n$ certification information items $(c_1, c_2, \ldots, c_n)$ related to it. Each $c_i$ can be a PKC, CRL, AC, etc., all of which are represented by digital signatures. Here we assume that the same system parameters $p$ and $q$ are shared between the signer's key pair and the $n$ certification information items. The certification information $c_i$ are digital signatures on some certification messages $CI_i$ related to the key pair $(x_0, y_0)$ in any form, and are provided by authorities $A_i$. Let $(x_i, y_i)$ be $A_i$'s key pair where $y_i = g^{x_i}$. Then $c_i$ is a Schnorr signature of the authority $A_i$ on the certification message $CI_i$. To generate $c_i$, $A_i$ chooses $k_i \in_R \mathbb{Z}_q^*$ and computes
$c_i = (r_i, s_i) = (g^{k_i},\ x_i \cdot h(CI_i, r_i) + k_i)$.
Its validity can be verified by checking $g^{s_i} \stackrel{?}{=} y_i^{h(CI_i, r_i)}\, r_i$. $A_i$ has issued $(r_i, s_i)$ as certification information. The MCS scheme is given by the following three algorithms.
General Implementation of MCS:
1. Key generation: A signer $S$ computes a temporary key pair $(x, y)$ from the long-term key pair $(x_0, y_0)$ and the $n$ certification information items $(c_1, \ldots, c_n)$ as
$x = x_0 + s_1 + s_2 + \cdots + s_n, \quad y = y_0\, y_1^{h(CI_1, r_1)}\, r_1 \cdots y_n^{h(CI_n, r_n)}\, r_n$.
2. Signing: Using the temporary signing key $x$, the signer $S$ computes a multi-certification signature $\sigma = (r, s)$ on message $m$ and certification information $(CI_1, r_1, \ldots, CI_n, r_n)$ as follows.
– Prepare the concatenated message $m \| CI_1 \| r_1 \| \cdots \| CI_n \| r_n$.
– Choose a random number $k \in_R \mathbb{Z}_q^*$ and compute the signature as $r = g^k$, $s = x \cdot h(m \| CI_1 \| r_1 \| \cdots \| CI_n \| r_n, r) + k$.
– Give $\{(r, s), CI_1 \| r_1 \| \cdots \| CI_n \| r_n\}$ as the MCS on message $m$.
3. Verification: A verifier $V$ checks the validity of $\{(r, s), CI_1 \| r_1 \| \cdots \| CI_n \| r_n\}$ as follows.
– Compute the temporary public key $y = y_0\, y_1^{h(CI_1, r_1)}\, r_1 \cdots y_n^{h(CI_n, r_n)}\, r_n$.
– Verify the signature $(r, s)$ using $y$ by checking $g^s \stackrel{?}{=} y^{h(m \| CI_1 \| r_1 \| \cdots \| CI_n \| r_n, r)}\, r$.
– Check the certification information stated in $(CI_1, \ldots, CI_n)$ (this is just a document test, not a signature verification).
If the verification holds, the signature of the signer is valid and the $n$ certification information items are also confirmed. The distinguished implementation of MCS can be obtained in the same way.

3.3 Efficiency
To compare the efficiency of the proposed MCS scheme, we consider the general approach in which the signer just generates a signature on message $m$ with his signing key $x_0$, and the verifier then has to verify $n + 1$ signatures (the signature of the signer and the $n$ certification information items) independently. The comparison is shown in Table 1. In terms of computation, the general approach requires 1 signature generation (1 offline exponentiation) and $n + 1$ signature verifications ($2(n + 1)$ online exponentiations), while the general implementation of MCS requires 1 signature generation (1 offline exponentiation) and 1 signature verification together with $n$ exponentiations ($n + 2$ online exponentiations). In the distinguished implementation of MCS, $n + 3$ online exponentiations are required in verification. On average the proposed MCS schemes are about 50% more efficient than the general approach. Note that the computational efficiency is gained mainly in the verification stage, not in the signing stage. If we consider the special case that the $n$ certification information items are more or less fixed and the verifier can verify them all in advance, then the verifier in the MCS scheme can also compute the temporary public key $y$ in advance and use it repeatedly. Then the amount of computation in the MCS scheme and in the general approach is the same. In terms of signature size, the general approach uses $n + 1$ independent signatures ($(n + 1)(|p| + |q|)$) while the proposed MCS schemes require a single signature plus $(r_1, \ldots, r_n)$ ($(n + 1)|p| + |q|$). (Note that if the signer sends the certificates themselves as certification information to the verifier, the communication size does not change.) Therefore the MCS scheme is more efficient than the general approach in both computation and communication.

Table 1. Comparison of the efficiency of MCS schemes in computation and communication

Process                      General approach      General implementation of MCS   Distinguished implementation of MCS
No. of Exp. in signing       1 (offline)           1 (offline)                     1 (offline)
No. of Exp. in verification  2(n + 1) (online)     n + 2 (online)                  n + 3 (online)
Signature size               (n + 1)(|p| + |q|)    (n + 1)|p| + |q|                (n + 1)|p| + |q|

We can consider another efficiency point. In the MCS scheme a signer collects all the relevant certification information and provides a verifier with a highly combined digital signature with which both the digital signature on the message and all certification information are verified together. If the signature cannot pass the verification process because of wrong certification information, it is not considered a valid signature. Therefore a signer has to provide all the correct certification information, and a verifier does not need to locate and keep it himself. MCS can be considered an additional service by the signer that provides more concrete non-repudiation evidence and more efficient signature verification.
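The following Python program, added here as an example (not the authors' code), runs the general implementation of MCS from Section 3.2 with n = 3 authorities and instruments modular exponentiation so that the verification counts in Table 1 can be checked directly: the MCS verifier performs n + 2 online exponentiations (n to rebuild $y$, 2 for the Schnorr check), while verifying the signer's signature and the n certification signatures independently costs 2(n + 1). The group p = 2039, q = 1019, g = 4, the certification strings and the message are constructed toy values; h() is SHA-256 reduced modulo q, an instantiation the paper leaves open.

```python
import hashlib
import secrets

# Toy group (constructed for illustration): p = 2q + 1, g of prime order q.
P, Q, G = 2039, 1019, 4
EXP_COUNT = 0  # modular exponentiations performed since the last reset


def mexp(base: int, e: int) -> int:
    """Modular exponentiation that also counts how often it is called."""
    global EXP_COUNT
    EXP_COUNT += 1
    return pow(base, e, P)


def enc(n: int) -> bytes:
    return n.to_bytes(4, "big")


def H(*parts: bytes) -> int:
    """Instantiation of h(): SHA-256 over the concatenation, reduced mod q."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def keygen() -> tuple:
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def schnorr_sign(x: int, msg: bytes) -> tuple:
    k = secrets.randbelow(Q - 1) + 1
    r = mexp(G, k)
    return r, (x * H(msg, enc(r)) + k) % Q


def schnorr_verify(y: int, msg: bytes, sig: tuple) -> bool:
    r, s = sig
    return mexp(G, s) == (mexp(y, H(msg, enc(r))) * r) % P


def combined_message(msg: bytes, cert_info: list) -> bytes:
    """m || CI_1 || r_1 || ... || CI_n || r_n, with cert_info = [(CI_i, r_i)]."""
    return msg + b"".join(ci + enc(r_i) for ci, r_i in cert_info)


def temp_public_key(y0: int, auth_pubs: list, cert_info: list) -> int:
    """y = y0 * prod_i y_i^h(CI_i, r_i) * r_i  (n exponentiations)."""
    y = y0
    for y_i, (ci, r_i) in zip(auth_pubs, cert_info):
        y = (y * mexp(y_i, H(ci, enc(r_i))) * r_i) % P
    return y


def mcs_keygen(x0: int, y0: int, auth_pubs: list, certs: list) -> tuple:
    """x = x0 + s_1 + ... + s_n and y as above; certs = [(CI_i, (r_i, s_i))]."""
    x = (x0 + sum(s_i for _, (_, s_i) in certs)) % Q
    y = temp_public_key(y0, auth_pubs, [(ci, r_i) for ci, (r_i, _) in certs])
    return x, y


def mcs_sign(x: int, msg: bytes, cert_info: list) -> tuple:
    return schnorr_sign(x, combined_message(msg, cert_info))


def mcs_verify(y0: int, auth_pubs: list, msg: bytes, cert_info: list, sig: tuple) -> bool:
    """Recompute y (n exponentiations), then one Schnorr verification (2 more)."""
    y = temp_public_key(y0, auth_pubs, cert_info)
    return schnorr_verify(y, combined_message(msg, cert_info), sig)


def general_verify(y0: int, auth_pubs: list, msg: bytes, certs: list, sig0: tuple) -> bool:
    """General approach: n + 1 independent verifications, 2(n + 1) exponentiations."""
    ok = schnorr_verify(y0, msg, sig0)
    for y_i, (ci, c_i) in zip(auth_pubs, certs):
        ok &= schnorr_verify(y_i, ci, c_i)
    return ok


def demo(n: int = 3) -> dict:
    global EXP_COUNT
    x0, y0 = keygen()
    auth_keys = [keygen() for _ in range(n)]
    auth_pubs = [y_i for _, y_i in auth_keys]
    # Constructed certification messages CI_i, each signed by authority A_i.
    certs = []
    for i, (x_i, _) in enumerate(auth_keys):
        ci = b"CI_%d:type=%s;y0=" % (i + 1, [b"PKC", b"CRL", b"AC"][i % 3]) + enc(y0)
        certs.append((ci, schnorr_sign(x_i, ci)))
    cert_info = [(ci, r_i) for ci, (r_i, _) in certs]   # what the verifier receives
    msg = b"constructed message m"
    x, y = mcs_keygen(x0, y0, auth_pubs, certs)
    sig = mcs_sign(x, msg, cert_info)
    sig0 = schnorr_sign(x0, msg)                         # for the general approach
    EXP_COUNT = 0
    mcs_ok = mcs_verify(y0, auth_pubs, msg, cert_info, sig)
    mcs_exps = EXP_COUNT
    EXP_COUNT = 0
    gen_ok = general_verify(y0, auth_pubs, msg, certs, sig0)
    gen_exps = EXP_COUNT
    # Tampering with one CI_i changes both y and the signed message.
    bad_info = [(b"CI_1:altered", cert_info[0][1])] + cert_info[1:]
    return {
        "temp_key_consistent": y == pow(G, x, P),
        "mcs_valid": mcs_ok, "mcs_exps": mcs_exps,
        "general_valid": gen_ok, "general_exps": gen_exps,
        "altered_ci_valid": mcs_verify(y0, auth_pubs, msg, bad_info, sig),
    }


if __name__ == "__main__":
    print(demo())
```

Only the exponentiations inside the verifiers are counted (the counter is reset before each), which matches the "online" column of Table 1; signing costs one exponentiation in both approaches.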
4 Conclusion
In this paper we have considered the real situation of using digital signatures in PKI and PMI environments and derived the necessity of new digital signature schemes called self-certified signature and multi-certification signature. First, we have shown the necessity of signing a message with a long-term signing key and the certification information related to the public key together, and proposed the self-certified signature scheme. Then we have considered the PKI and PMI environments and extended SCS to the multi-certification signature scheme in which multiple certification information items have to be verified together. The proposed schemes turn out to be very efficient in real usage. In this paper we have implemented the SCS and MCS schemes in DLP-based cryptosystems. However, RSA signature schemes are also widely used in practice. Therefore designing an RSA-based SCS scheme is attractive further work. It is also necessary to provide more concrete security notions and proofs for SCS schemes.
Acknowledgements. We would like to thank the anonymous reviewers for their valuable comments, which helped to make this paper more readable.
References
[CRL] RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, IETF, 1999, http://www.ietf.org/html.charters/pkix-charter.html
[Gir91] M. Girault, "Self-certified public keys", Advances in Cryptology: Eurocrypt'91, LNCS 547, Springer-Verlag, 1991, pages 490–497.
[KPW97] S. Kim, S. Park, and D. Won, "Proxy signatures, revisited", In Proc. of ICICS'97, International Conference on Information and Communications Security, LNCS 1334, Springer, pages 223–232, 1997.
[MUO96] M. Mambo, K. Usuda, and E. Okamoto, "Proxy signatures: Delegation of the power to sign messages", IEICE Trans. Fundamentals, Vol. E79-A, No. 9, pages 1338–1353, Sep. 1996.
[LK00] B. Lee and K. Kim, "Self-Certificate: PKI using Self-Certified Key", Proc. of Conference on Information Security and Cryptology 2000, Vol. 10, No. 1, pages 65–73, 2000.
[LKK01a] B. Lee, H. Kim and K. Kim, "Strong Proxy Signature and its Applications", Proc. of SCIS2001, pages 603–608, 2001.
[LKK01b] B. Lee, H. Kim and K. Kim, "Secure Mobile Agent using Strong Non-designated Proxy Signature", Proc. of ACISP2001, LNCS Vol. 2119, Springer-Verlag, pages 474–486, 2001.
[PC] S. Tuecke, et al., "Internet X.509 Public Key Infrastructure Proxy Certificate Profile", IETF, 2002.
[PH97] H. Petersen and P. Horster, "Self-certified keys – Concepts and Applications", In Proc. Communications and Multimedia Security'97, pages 102–116, Chapman & Hall, 1997.
[PKI] Public-Key Infrastructure (X.509) (pkix), http://www.ietf.org/html.charters/pkix-charter.html
[PMI] An Internet Attribute Certificate Profile for Authorization (RFC 3281), IETF, 2002.
[PS96] D. Pointcheval and J. Stern, "Security Proofs for Signatures", Advances in Cryptology: Eurocrypt'96, pages 387–398, Springer, 1996.
[PS00] D. Pointcheval and J. Stern, "Security arguments for digital signatures and blind signatures", Journal of Cryptology, Vol. 13, No. 3, pages 361–396, Springer-Verlag, 2000.
[Sha84] A. Shamir, "Identity-based cryptosystems and signature schemes", Advances in Cryptology: Crypto'84, LNCS 196, Springer-Verlag, pages 47–53, 1985.
Identity Based Authenticated Group Key Agreement Protocol

K.C. Reddy1 and Divya Nalla2

1 AILab, Dept of Computer/Info. Sciences, University of Hyderabad, Gachibowli, Hyderabad, 500046, India, [email protected]
2 Center for Distributed Learning (APSCHE), IIIT campus, Gachibowli, Hyderabad, 500046, India, [email protected]
Abstract. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI. Keywords: Key Agreement, group Key Agreement, elliptic curves, Weil pairing, cryptography, Identity based, ID-based, Diffie-Hellman, Key Agreement Protocols, key trees, one-way function trees.
1 Introduction
Asymmetric key agreement protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key from that information. This secret key is known only to those parties which are involved in the key generation, and it cannot be determined by any external entity. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. Many of these newly distributed and other inherently collaborative applications need secure communication. However, security mechanisms for collaborative Dynamic Peer Groups (DPGs) tend to be both expensive and unexpectedly complex.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 215-233, 2002. Springer-Verlag Berlin Heidelberg 2002
A huge number of two-party key agreement protocols have been proposed [2]. The situation where three or more parties share a secret is often called conference keying [9]. Boneh and Franklin [7] and Cocks [5] have proposed two Identity based (ID-based) encryption systems which allow the replacement of a Public Key Infrastructure (PKI) with a system where the public key of an entity is given by its identity, and a Key Generation Center (KGC) helps in generating the private key. Cocks' system is based on the Quadratic Residue theorem whereas Boneh and Franklin's system is based on the Weil pairing. A two-pass Identity based (ID-based) authenticated key agreement protocol based on the Weil pairing has been proposed in [13]. Joux [1] proposed a tripartite generalisation of the Diffie-Hellman protocol using the Weil and Tate pairings. Joux's protocol for tripartite key agreement has been modified in [15] to provide authentication by including certificates. Tripartite ID-based authenticated key agreement protocols are proposed in [8]. One-way function trees (OFTs) can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying was first proposed by Sherman in [6], though the idea of using OFTs is not a new one. Merkle [10] proposed an authentication method based on such trees. Fiat and Naor [12] used a one-way function in a top-down fashion in their group keying method for the purpose of reducing the storage requirements of information-theoretic group key management. Any two-party key agreement protocol satisfying some specific properties [6] can be extended to an n-party key agreement protocol using one-way function trees. Tree-based Group Diffie-Hellman (TGDH) [17] is one such protocol, which extends the Diffie-Hellman protocol to a group key agreement protocol using one-way function trees.
Appendix D provides a comparison [16] of TGDH with other contributory group key agreement protocols, STR [16], BD [9] and GDH.3 [11], concluding that the TGDH protocol works best in both LAN and WAN settings compared to these protocols, i.e., it is more communication efficient. Hence, using the approach of TGDH for group membership operations is more advantageous. This paper extends the Identity based two-party authenticated key agreement protocol to an authenticated group key agreement protocol, using one-way function trees, to obtain the first ID-based group key agreement protocol. The extension is not as obvious as it seems. In the TGDH protocol, the key generated at one level is directly used to generate the key for the next level, since it only needs a modular exponentiation of the key with the blinded key of the sibling node. But in the new protocol, the key generated by the ID-based authenticated key agreement protocol has to be transformed into a value that can be used to calculate the key at the next level. Hence, a new function called the transformation function is defined to do this operation. Single or multiple join and leave operations are common in group communication. Coping with group partitions (multiple member leave) and merges (multiple member join) is considered a crucial component of group key agreement. Hence these issues are also dealt with in the new protocol. The main advantage of this protocol over TGDH is that this protocol is ID-based. Authentication is implicit in this ID-based protocol, and hence this protocol can be named Identity-based Authenticated Group Key Agreement protocol (ID-AGKA).
The protocol has the novel property that the key generation center is able to recover the agreed session keys from the message flows and its secret key s. Hence this allows for an efficient ID-based escrow facility, which would enable law enforcement agencies to decrypt messages encrypted with the group keys after having obtained the necessary warrants. If this property is not desired, or if a single KGC is not desirable, multiple KGCs can be used where each one generates a part of the private key. These parts are then combined by the user to obtain his/her private key. The paper is organised as follows. The next section gives insight into Identity based public-key cryptosystems. Section 3 describes one-way function trees and the tree-based group Diffie-Hellman protocol. The Weil pairing is defined in Section 4. The new ID-based group key agreement protocol is discussed in Section 5. Section 6 discusses the security properties of the new protocol, and Section 7 concludes the paper. Appendix A lists the advantages of an ID-based system, and Appendix B describes the two-party ID-based authenticated key agreement protocol. The desirable group key agreement protocol properties are listed in Appendix C. Appendix D provides the comparison of TGDH with other contributory key agreement protocols.
2 Identity-Based Public Key Cryptosystem
Problems with the traditional Public Key Crypto systems (PKCs) are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty in managing multiple communities. Whilst ID-based PKC will not replace the conventional Public Key Infrastructures (PKIs), it offers easier alternative solutions to some of these problems. In ID-based PKC, everyone's public keys are predetermined by information that uniquely identifies them, such as their email address. This concept was first proposed by Shamir [4]. Shamir's original motivation for ID-based encryption was to simplify certificate management in e-mail systems. When Alice sends mail to Bob at [email protected] she simply encrypts her message using the public key string [email protected]. There is no need for Alice to obtain Bob's Public Key Certificate. When Bob receives the encrypted mail he contacts the KGC. He authenticates himself to the KGC and obtains his private key from the KGC. Bob can then read his e-mail. Unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob has not yet setup his Public Key Certificate. It should be noted that key escrow is inherent in ID-based systems since the KGC knows Bob's private key. For various reasons, this makes implementation of the technology much easier, and delivers some added information security benefits. ID-based PKC remained a theoretical concept until [5] and [7] were proposed. An ID-based system requires a trusted KGC. The KGC generates the private keys of the entities in the group using the public key, which in turn is based on the identity of the entity. Since a single authority for key generation may present an obvious point of compromise or system failure, and it can masquerade as any given entity, it is split into two or more cooperating parties. The authorities perform a one-time set-up in order to share the system secrets in a secure manner. The user proves itself to each
218
K.C. Reddy and Divya Nalla
authority. Each authority then returns its part of the private key. The user combines these parts to obtain his private key. This provides more security as the private key remains split until use. We can also have n authorities in the system wherein no n−1 of them can generate a key or compromise the system. With traditional PKI, sending the message implies that the recipient can read it since the private key must exist. This is not true in ID-based PKC. In ID-based PKC, the system (rather than the user / sender) determines whether the recipient is able to read a particular message. Another advantage is that, since the associated private key doesn't necessarily exist, these conditions need not be pre-arranged and can be ephemeral down to a single transaction. ID-based PKI has a simple procedure for managing the public key list, and it has advantages such as automatic key escrow/recovery [7]. Also, when the whole ID-based scheme is used by one user, it can be applied for delegation of duties [7] in encryption and for proxy signatures in signing. Sometimes key escrow may not be desirable. Also, the key generation center is required to be a trusted authority, and there is computational overhead in using pairings (for ID-based encryption and key agreement). Despite these debating issues, the ID-based scheme has many useful applications such as e-mail systems, Intranet PKI, and mobile PKI. An ID-based two-party key agreement protocol has been proposed by Smart [13]. This paper extends this protocol to an n-party protocol.
3 One-Way Function Trees
This section discusses one-way function trees (OFTs), and the OFT algorithm for key establishment in dynamic groups [6]. The Diffie-Hellman (DH) protocol is extended to a group key agreement protocol using OFTs [17]. From this section, it can be concluded that any two-party key agreement protocol can be extended to an n-party key agreement protocol.
3.1 Notations

$N$ – number of group members
$M_i$ – $i$-th group member; $i \in \{1, 2, \ldots, N\}$
$h$ – height of the tree
$\langle l, v\rangle$ – $v$-th node at level $l$ in a tree
$T_{\langle l,v\rangle}$ – a subtree rooted at node $\langle l,v\rangle$
$BK_i^*$ – set of $M_i$'s blinded keys
$p, q$ – prime integers
$G$ – unique subgroup of $Z_p^*$ of order $q$
$A \to B : m$ – $A$ sends message $m$ to $B$
$A \to * : m$ – $A$ broadcasts message $m$

The root is located at level 0 and the lowest leaves are at level $h$. Each node $\langle l,v\rangle$ is associated with the key $k_{\langle l,v\rangle}$ and the blinded key $BK_{\langle l,v\rangle}$ (explained later).
3.2 One-Way Function Tree (OFT) Algorithm for Key Establishment
One-way function trees can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying was first proposed by Sherman in [6]. In an OFT, the group manager maintains a binary tree, each node $x$ of which is associated with two cryptographic keys, a node key $k_x$ and a blinded key $k_x' = g(k_x)$. The blinded node key is computed from the node key using a one-way function $g$; it is blinded in the sense that computing $k_x$ from $k_x'$ is a computationally hard problem. Each interior node of the tree has exactly two children. Every leaf of the tree is associated with a group member. The group manager assigns a randomly chosen key to each member, securely communicates this key to the member (using an external secure channel), and sets the node key of the member's leaf to the member's key. The interior node keys are defined by the rule

$k_x = f(g(k_{left(x)}), g(k_{right(x)}))$ (Rule 1)

where $left(x)$ and $right(x)$ denote the left and right children of the node $x$. The function $g$ is a one-way function and the function $f$ is a mixing function.

Property 1: The function $g$ is one-way: given $g(x)$, it is computationally infeasible to find $x$ with any non-negligible probability.

Property 2: Given a sequence $x_0, x_1, \ldots, x_{l-1}$, it is computationally infeasible to find $k_l$ with any non-negligible probability, where $k_{i+1} = f(x_i, g(k_i))$ and $k_0$ is chosen at random, for any $l$ less than some value $l_{max}$.

Property 1 makes it impossible to find a node key $k_x$ given the blinded key $k_x' = g(k_x)$. Property 2 makes it impossible for a member who has left the group, whose distance to the root is less than $l_{max}$, to find any node key. When a new member is added to the group, or an existing member of the group leaves, the key values of some of the members change, to change the group key.
The security of the system depends on the fact that each member's knowledge about the current state of the key tree is limited by the following invariant: System invariant: Each member knows the unblinded node keys on the path from its node to the root, and the blinded node keys that are siblings to its nodes on the path to the root, and no other blinded or unblinded keys. Definition: The OFT method is secure if it is computationally infeasible for an adversary to compute any unblinded node key with non-negligible probability [6]. Thus, from the above properties, and the rule for defining the interior node keys, the group key computed using OFTs satisfies the group key secrecy property, and provides complete forward and backward secrecy (defined in Appendix C). The algorithm provides complete forward and backward secrecy: newly admitted members cannot read previous messages, and members deleted from the group cannot read future messages. Any key agreement protocol in which the key is computed using the rule (Rule 1 defined above, where f and g satisfy the above properties) can use the OFT method to support group key agreement.
In the OFT method, the functions $f$ and $g$ can be any functions which satisfy the above properties. When these functions are replaced by the DH protocol (where the modular exponentiation function is used for both $f$ and $g$), the TGDH protocols are obtained. This is discussed in the next subsection. Similarly, these functions can be replaced by the ID-based two-party key agreement protocol to obtain an ID-based group key agreement protocol. But this cannot be done directly. Some functions are required in between key computations for different levels. These functions are defined and the ID-based two-party key agreement protocol is extended to ID-AGKA in section 5.
3.3 Tree-Based Group Diffie-Hellman Protocol (TGDH)
Key trees have been suggested in the past for centralised group key distribution systems. TGDH [17] protocols make use of key trees in fully distributed contributory key agreement. The concept of a key manager does not exist here. Hence, the members select random secret values for themselves. The root is located at level 0 and the lowest leaves are at level $h$. Binary trees are used here and hence every node is either a leaf or a parent of two nodes. The nodes are denoted by $\langle l, v\rangle$ where $0 \le v \le 2^l - 1$ since each level $l$ hosts at most $2^l$ nodes. Each node $\langle l,v\rangle$ is associated with the key $k_{\langle l,v\rangle}$ and the blinded key (Bkey) $BK_{\langle l,v\rangle} = f(k_{\langle l,v\rangle})$ where the function $f(k) = \alpha^k \bmod p$. Assuming a leaf node $\langle l,v\rangle$ hosts the member $M_i$, the node $\langle l,v\rangle$ has $M_i$'s session random key $K_{\langle l,v\rangle}$. Furthermore, the member $M_i$ at node $\langle l,v\rangle$ knows every key along the path from $\langle l,v\rangle$ to $\langle 0,0\rangle$, referred to as the key-path and denoted $KEY_i^*$. Every key $k_{\langle l,v\rangle}$ is computed recursively from the keys of the left child $L$ and the right child $R$ of $\langle l,v\rangle$ (the $left(x)$ and $right(x)$ of Rule 1) as follows:

$k_{\langle l,v\rangle} = (BK_R)^{k_L} \bmod p = (BK_L)^{k_R} \bmod p = \alpha^{k_L k_R} \bmod p = f(k_L, k_R)$
The co-path $CO_i^*$ is the set of siblings of each node in the key-path of member $M_i$. Consequently, every member $M_i$ at leaf node $\langle l,v\rangle$ can derive the group secret $k_{\langle 0,0\rangle}$ from all Bkeys on the co-path $CO_i^*$ and its session random $k_{\langle l,v\rangle}$. A group key can be computed from any member's secret share (i.e., any leaf value) and all Bkeys on the co-path to the root. For a point-to-point session, the costs of session establishment and key distribution are incurred just once, at the beginning of the session. A group session, on the other hand, may persist for a relatively long time with members joining and leaving the session. After a join, the new member should not come to know the old group keys, and after a leave, the member should not be able to compute future group keys. Large groups whose members join and leave frequently pose a problem since the keys have to be recomputed frequently. Hence, frequent membership changes, and the associated scalability problem for large groups, need particular attention. In TGDH, in case of an additive change (join or merge), all group members identify a unique sponsor. This sponsor is responsible for updating its secret key
share, computing the affected [key, Bkey] pairs and broadcasting all Bkeys of the new tree to the rest of the group. The common criterion for sponsor selection is determined by the tree maintenance criteria [17]. The ID-AGKA protocol proposed in this paper follows the same approach as the TGDH protocols in dealing with these issues. A complete group key agreement solution should support adjustments to the group key for any membership change in the group. There can be four types of membership changes: join, leave, merge (multiple join or addition of groups), and partition (multiple leaves or splitting a group into smaller groups). The TGDH protocol suite addresses these four types of membership changes.
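To make the tree computation of Sections 3.2 and 3.3 concrete, here is an added example in Python; it is not code from the paper, from [6] or from [17]. It implements Rule 1 with two instantiations of $(f, g)$: a hash-based OFT (with $g$ = SHA-256 and $f$ = SHA-256 over the two concatenated blinded keys) and the TGDH choice $f(k) = \alpha^k \bmod p$. The TGDH parameters $p = 1019$, $q = 509$, $\alpha = 4$ are constructed toy values, far too small for real use. `member_root_key` is the member-side computation and reads only the member's own leaf key and the `.bkey` of the nodes on its co-path, which is exactly what the system invariant of Section 3.2 allows; `compute_all` is the full-tree view used to check that every member arrives at the same root key.

```python
"""Key tree with the OFT rule k_x = f(g(k_left(x)), g(k_right(x))) and its TGDH
instantiation f(k) = alpha^k mod p.  Constructed example; p = 1019 and q = 509
are toy parameters and far too small for real use."""
import hashlib

P = 1019                  # prime p = 2q + 1
Q = 509                   # prime order of the subgroup generated by ALPHA
ALPHA = pow(2, 2, P)      # a quadratic residue mod p, hence of order q


class Node:
    def __init__(self, member=None, left=None, right=None):
        self.member, self.left, self.right, self.parent = member, left, right, None
        self.key = None       # unblinded node key k
        self.bkey = None      # blinded key BK = g(k)
        for child in (left, right):
            if child is not None:
                child.parent = self

    def is_leaf(self):
        return self.member is not None


# Scheme 1: hash-based OFT.  g is one-way, f mixes the two blinded child keys.
def oft_g(k):
    return hashlib.sha256(k).digest()

def oft_f(bk_left, bk_right):
    return hashlib.sha256(bk_left + bk_right).digest()

def oft_parent(k_left, k_right):            # Rule 1, full-tree view
    return oft_f(oft_g(k_left), oft_g(k_right))

def oft_climb(k_own, bk_sibling, own_is_left):
    """One step up as a member does it: blind its own key, mix with the sibling's BK."""
    return oft_f(oft_g(k_own), bk_sibling) if own_is_left else oft_f(bk_sibling, oft_g(k_own))

HASH_OFT = {"g": oft_g, "parent": oft_parent, "climb": oft_climb}


# Scheme 2: TGDH.  BK = alpha^k mod p, the parent key is alpha^(k_L k_R) mod p, and a
# member reaches it as (BK_sibling)^(k_own) mod p: one Diffie-Hellman step per level.
def tgdh_g(k):
    return pow(ALPHA, k, P)

def tgdh_parent(k_left, k_right):
    return pow(ALPHA, k_left * k_right, P)

def tgdh_climb(k_own, bk_sibling, own_is_left):
    return pow(bk_sibling, k_own, P)

TGDH = {"g": tgdh_g, "parent": tgdh_parent, "climb": tgdh_climb}


def compute_all(node, scheme):
    """Full-tree view (group manager or sponsor): fill in k and BK bottom-up."""
    if not node.is_leaf():
        compute_all(node.left, scheme)
        compute_all(node.right, scheme)
        node.key = scheme["parent"](node.left.key, node.right.key)
    node.bkey = scheme["g"](node.key)
    return node.key


def copath(leaf):
    """Siblings of every node on the key-path from the leaf up to the root."""
    out, node = [], leaf
    while node.parent is not None:
        parent = node.parent
        out.append(parent.right if node is parent.left else parent.left)
        node = parent
    return out


def member_root_key(leaf, scheme):
    """Member-side derivation: uses the member's own leaf key and only the .bkey of
    co-path nodes, i.e. exactly the knowledge the system invariant allows."""
    k, node = leaf.key, leaf
    for sibling in copath(leaf):
        k = scheme["climb"](k, sibling.bkey, node is node.parent.left)
        node = node.parent
    return k


def build_four_member_tree(scheme, leaf_keys):
    """Members A..D at <2,0>..<2,3> under <1,0>, <1,1> and the root <0,0>."""
    leaves = [Node(member=m) for m in "ABCD"]
    for leaf, k in zip(leaves, leaf_keys):
        leaf.key = k
    root = Node(left=Node(left=leaves[0], right=leaves[1]),
                right=Node(left=leaves[2], right=leaves[3]))
    compute_all(root, scheme)
    return root, leaves


def all_members_agree(scheme, leaf_keys):
    """True when every member derives the root key from its own key and co-path BKeys."""
    root, leaves = build_four_member_tree(scheme, leaf_keys)
    return all(member_root_key(leaf, scheme) == root.key for leaf in leaves)


if __name__ == "__main__":
    print("TGDH:", all_members_agree(TGDH, [17, 23, 101, 333]))
    print("hash OFT:", all_members_agree(HASH_OFT, [b"kA", b"kB", b"kC", b"kD"]))
```

The leaf keys passed to `all_members_agree` are the members' session randoms (integers in $Z_q^*$ for TGDH, byte strings for the hash OFT); in a real run each member would draw its own, and the sponsor would recompute the affected `[key, Bkey]` pairs after every membership change.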
4 The Weil Pairing
The modified Weil pairing which forms the basis for the ID-based key agreement protocols is defined here.

Definition: Let $G$ be a subgroup of the group of points on the elliptic curve $E$ over the finite field $F_q$. Let the order of $G$ be denoted by $l$ and define $k$ to be the smallest integer such that $l \mid q^k - 1$ (this implies that there exists a unique subgroup of $F_{q^k}^*$ of order $l$). In practical implementations we will require $k$ to be small and so we will usually take $E$ to be a supersingular curve over $F_q$. The modified Weil pairing [13] is a map $\hat{e} : G \times G \to F_{q^k}^*$ which satisfies the following properties:

1. Bilinear: $\hat{e}(P_1 + P_2, Q) = \hat{e}(P_1, Q)\cdot\hat{e}(P_2, Q)$ and $\hat{e}(P, Q_1 + Q_2) = \hat{e}(P, Q_1)\cdot\hat{e}(P, Q_2)$; i.e., $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$ where $a, b \in Z_q^*$.
2. Non-degenerate: there exists a $P \in G$ such that $\hat{e}(P, P) \ne 1$.
3. Computable: one can compute $\hat{e}(P, Q)$ in polynomial time.

The non-degeneracy defined here does not hold for the standard Weil pairing $e(P, Q)$. A more comprehensive description is provided in [6].
5 ID-Based Authenticated Group Key Agreement (ID-AGKA)
This section discusses the protocol for Authenticated Group Key Agreement. Knowing the advantages of an ID-based system, it would be advantageous to have ID-based key agreement protocols. Smart [13] proposed an ID-based two party
authenticated key agreement protocol. ID-based tripartite key agreement protocols are proposed in [8]. Extending the same to a group of n parties would be desirable. Also, authentication is implicit in ID-based protocols, whereas it has to be explicitly dealt with in other key agreement protocols. As seen in section 3.2, the ID-based authenticated key agreement protocol [13] can be extended to an n-party ID-based authenticated group key agreement protocol (ID-AGKA). Key trees are used in fully distributed contributory key agreement. Binary trees are used in this case. The leaves in the tree represent the members of the group, and every other node is a parent of two child nodes. The key associated with such a node represents the common key for its two child nodes. The same rule applies to all the non-leaf nodes in the tree. Thus the key associated with the root node becomes the group key, or the common key for all the members in the group.
5.1 Assumptions

Suppose $G$ is a subgroup of an elliptic curve for which the modified Weil pairing $\hat{e}$ maps into the finite field $F_{q^k}$. The following properties are assumed.

• $q^k$ is large enough to make solving discrete logarithms in a finite field infeasible.
• The elliptic curve contains a large prime subgroup of order $l$ such that solving discrete logarithms in the subgroup of order $l$ is also infeasible.
• Let $V : F_{q^k}^* \to \{0, 1\}^*$ be the key derivation function [13]. Such functions can be readily found in a number of documents.
• A function $H : \{0, 1\}^* \to G$ is also assumed. It denotes a cryptographic hash function. It is generally used to compute the public keys of the members using their identities (which are binary strings). Another hash function $H' : \{0, 1\}^* \to \{0, 1\}^*$ is defined.
• Another important function, which is required to extend the two-party ID-based protocol to a group key agreement protocol, is a transformation function $f_t$ defined as $f_t : F_{q^k}^* \to Z_q^*$. This function is applied over the keys associated with the intermediate nodes to obtain a value which can be used as the ephemeral private key for the next higher level.

5.2 System Settings
The Key Generation Center chooses a secret key $s \in \{1, \ldots, l-1\}$. The KGC produces a random $P \in G$ and computes $P_{KGC} = [s]P$. Then the KGC publishes $(P, P_{KGC})$:
- When a user with identity $ID$ wishes to obtain a public/private key pair, the public key is given by $Q_{ID} = H(ID)$
- and the KGC computes the private key $S_{ID} = [s]Q_{ID}$.
The (public, private) key pair of the user is given by $(Q_{ID}, S_{ID})$. This calculation can be performed using multiple key generation centers, each generating a part of the private key. These are combined by the user to obtain his/her private key.

5.3 Protocol
Figure 1 shows an example of a key tree. Computation of the group key for this tree is as follows. First, A and B compute the common key associated with node $\langle 1,0\rangle$ by using the ID-based authenticated key agreement protocol by Smart [13]. The two-party authenticated ID-based key agreement protocol is described in Appendix B. A and B choose random values $a, b \in Z_q^*$, and exchange the values $T_A = T_{\langle 2,0\rangle} = [a]P$ and $T_B = T_{\langle 2,1\rangle} = [b]P$ respectively. These two values are called the ephemeral (temporary) public values of A and B, whereas $a$ and $b$ are their ephemeral private keys.

Fig. 1. (example key tree; figure not reproduced)

The key computed by A is
$k_{AB} = k_{\langle 1,0\rangle} = \hat{e}([a]Q_B, P_{KGC})\cdot\hat{e}(S_A, T_B)$
$= \hat{e}(Q_B, [s]P)^a \cdot \hat{e}([s]Q_A, [b]P)$
$= \hat{e}(Q_B, P)^{as} \cdot \hat{e}(Q_A, P)^{bs}$
$= \hat{e}(Q_B, T_A)^s \cdot \hat{e}(Q_A, T_B)^s$
$= \hat{e}([s]Q_B, [a]P) \cdot \hat{e}([b]Q_A, [s]P)$
$= \hat{e}([b]Q_A, P_{KGC}) \cdot \hat{e}(S_B, T_A) = k_{BA}$
Thus, A can compute the key associated with its parent node if it knows the identity of B, $Q_B$, and the ephemeral public key of B, $T_B$. The pair $(Q_B, T_B)$ is called the blinded key or Bkey of B. Similarly, C and D also compute the key associated with the node $\langle 1,1\rangle$. These computations are shown in Table 1.
Table 1.

Step 1 (long-term keys): A sends its public key $Q_A$ to the KGC and gets the private key $S_A = [s]Q_A$; B sends $Q_B$ and gets $S_B = [s]Q_B$; C sends $Q_C$ and gets $S_C = [s]Q_C$; D sends $Q_D$ and gets $S_D = [s]Q_D$.
Step 2 (ephemeral keys): A selects a random value $a \in Z_q^*$ and computes $T_A = [a]P$; B selects $b \in Z_q^*$ and computes $T_B = [b]P$; C selects $c \in Z_q^*$ and computes $T_C = [c]P$; D selects $d \in Z_q^*$ and computes $T_D = [d]P$.
Step 3 (exchange): A and B exchange $T_A$ and $T_B$; C and D exchange $T_C$ and $T_D$.
Step 4 (node keys): A computes $\hat{e}([a]Q_B, P_{KGC})\cdot\hat{e}(S_A, T_B) = k_{AB}$; B computes $\hat{e}([b]Q_A, P_{KGC})\cdot\hat{e}(S_B, T_A) = k_{BA}$; C computes $\hat{e}([c]Q_D, P_{KGC})\cdot\hat{e}(S_C, T_D) = k_{CD}$; D computes $\hat{e}([d]Q_C, P_{KGC})\cdot\hat{e}(S_D, T_C) = k_{DC}$.
The value $k_{AB}$ or $k_{CD}$ is never used directly as a cryptographic key for the purpose of encryption. Instead, special-purpose sub-keys are derived from the group secret, e.g. by setting $Key = V(k)$. The secret key associated with the node $\langle 1,0\rangle$ is $Key_{\langle 1,0\rangle} = V(k_{\langle 1,0\rangle})$. Thus, the secret key at each node would be a binary string. A function $f_t : F_{q^k}^* \to Z_q^*$ is applied over the value $k_{\langle 1,0\rangle}$ to obtain $k'_{\langle 1,0\rangle} \in Z_q^*$. A, B and C, D compute $k'_{\langle 1,0\rangle}$ and $k'_{\langle 1,1\rangle}$ respectively. These two values act as the ephemeral private values at this level. These values are used to compute the keys at the next higher level. At this level, each node requires a public and a private key pair. The public key is obtained by adding the public values of its two children, and taking the hash of that value. The public value is then sent to the KGC to obtain its private counterpart.

Table 2.

Step 1 (node identity and private key): A and B send the public key $Q_{AB} = Q_{BA} = H'(Q_A + Q_B)$ to the KGC and get the private key $S_{AB} = [s]Q_{AB}$; C and D send $Q_{CD} = Q_{DC} = H'(Q_C + Q_D)$ and get $S_{CD} = [s]Q_{CD}$.
Step 2 (ephemeral private values): A and B compute $k'_{AB} = f_t(k_{AB})$; C and D compute $k'_{CD} = f_t(k_{CD})$.
Step 3 (ephemeral public values): A and B compute $T_{AB} = [k'_{AB}]P$; C and D compute $T_{CD} = [k'_{CD}]P$.
Step 4 (exchange): $T_{AB}$ and $T_{CD}$ are exchanged.
Step 5 (node keys): A and B compute $\hat{e}([k'_{AB}]Q_{CD}, P_{KGC})\cdot\hat{e}(S_{AB}, T_{CD})$; C and D compute $\hat{e}([k'_{CD}]Q_{AB}, P_{KGC})\cdot\hat{e}(S_{CD}, T_{AB})$.
The node $\langle 1,0\rangle$ will have a public value $Q_{\langle 1,0\rangle} = H'(Q_{\langle 2,0\rangle} + Q_{\langle 2,1\rangle})$ or $Q_{AB} = H'(Q_A + Q_B)$. The KGC computes the private key $S_{AB}$ or $S_{\langle 1,0\rangle} = [s]Q_{\langle 1,0\rangle}$ from $Q_{\langle 1,0\rangle}$. At node $\langle 2,0\rangle$, A does these computations and computes the key at $\langle 0,0\rangle$ using the identity at the node $\langle 1,1\rangle$, $Q_{\langle 1,1\rangle}$ or $Q_{CD}$, and the ephemeral public key at $\langle 1,1\rangle$, $T_{\langle 1,1\rangle}$ or $T_{CD}$ (as shown in Table 2). The pair $(Q_{\langle 1,1\rangle}, T_{\langle 1,1\rangle})$ is the Bkey of $\langle 1,1\rangle$. A and B compute
$k_{ABCD} = \hat{e}([k'_{AB}]Q_{CD}, P_{KGC})\cdot\hat{e}(S_{AB}, T_{CD})$
$= \hat{e}([k'_{CD}]Q_{AB}, P_{KGC})\cdot\hat{e}(S_{CD}, T_{AB}) = k_{CDAB}$,
which is computed by C and D.
A can compute the group key, i.e., the key at the root node, if it knows every key along the path from $\langle 2,0\rangle$ to $\langle 0,0\rangle$, referred to as the key-path in section 3, and every Bkey along its co-path (the set of all siblings of all the nodes on the key-path) $\{\langle 2,1\rangle, \langle 1,1\rangle\}$. Similarly, each member in the group can compute the group key if it knows all the blinded keys along its co-path. For any node $\langle l,v\rangle$ in the key tree, with left child $L$ and right child $R$, the key is given by $V(k_{\langle l,v\rangle})$ where
$k_{\langle l,v\rangle} = \hat{e}([k'_L]Q_R, P_{KGC})\cdot\hat{e}(S_L, T_R)$
$= \hat{e}(Q_R, P)^{s\,k'_L}\cdot\hat{e}(Q_L, P)^{s\,k'_R}$
$= \hat{e}(Q_R, T_L)^s\cdot\hat{e}(Q_L, T_R)^s$
$= \hat{e}([k'_R]Q_L, P_{KGC})\cdot\hat{e}(S_R, T_L)$,
with $T_L = [k'_L]P$, $T_R = [k'_R]P$, and $k'_{\langle x,y\rangle} = f_t(k_{\langle x,y\rangle})$ for every node $\langle x,y\rangle$. Assuming an n-party group $\{M_1, M_2, \ldots, M_n\}$, every member $M_i$ at leaf node $\langle l,v\rangle$ can derive the group secret $k_{\langle 0,0\rangle}$ from all the secret keys on the key-path and all the Bkeys on its co-path. Thus, every key computation involves two elliptic curve scalar multiplications and two Weil pairings. It can be noted that, instead of including the identity of the node $Q_{ID}$ in the Bkey, if the KGC knows the key tree structure, it can compute the identities associated with all the nodes in the key tree and send the required secret keys to the corresponding nodes when requested. This would reduce some of the redundant computations. In figure 1, to compute the key associated with the node $\langle 1,0\rangle$, the identity $Q_{AB} = H'(Q_A + Q_B)$ is required. This value is computed by A and B separately, to compute $k_{AB}$ and $k_{BA}$ respectively. This computation can be done only once by the KGC instead of being computed twice by both the members. This computation of the identities associated with the nodes becomes more redundant at higher levels in the key tree, i.e., the same value may have to be computed by more members. Hence computation of the identities associated with the non-leaf nodes by the KGC would be a desirable property. Single or multiple join or leave operations are common in group communication. These situations have to be taken care of in a group key agreement solution. The basic idea here is that after any group membership event, every member unambiguously
adds or removes some nodes related to the event, and invalidates all the keys and blinded keys related to the affected nodes. A special group member (the sponsor) then computes the keys and blinded keys and broadcasts the new key tree to the group. The sponsor and the insertion location (in the case of an additive event) are decided by the tree management policy [17].
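The following Python block is an added example, not code from the paper or from [13], that runs the four-party computation of Tables 1 and 2 end to end. No pairing library is assumed: it models $G$ as $Z_l$ with $P = 1$, so a "point" $[x]P$ is simply the scalar $x$, and defines $\hat{e}(X, Y) = g^{xy} \bmod p$ for the toy values $p = 1019$, $l = 509$. That map is bilinear and non-degenerate, the two properties Section 4 relies on, but it is not a Weil pairing and gives no security; its only purpose is to check the algebra of Section 5.3,  that $k_{AB} = k_{BA}$, $k_{CD} = k_{DC}$ and $k_{ABCD} = k_{CDAB}$. The hash $H$, the node hash $H'$, the KDF $V$ and the transformation $f_t$ are constructed instantiations (SHA-256 reduced into the required range), and the identities and ephemeral values are constructed sample inputs.

```python
"""ID-AGKA four-party run (Tables 1 and 2) over a toy symmetric bilinear map.
Constructed example: G is modelled as Z_l with P = 1, so a 'point' [x]P is the
scalar x and e(X, Y) = g^(xy) mod p.  The map is bilinear and non-degenerate but
it is not a Weil pairing and offers no security; it only checks the key algebra.
p = 1019 and l = 509 are toy values."""
import hashlib

P_MOD = 1019               # prime p; F_p^* stands in for F_{q^k}^*
L = 509                    # prime order l of G, with l | p - 1
G_GEN = pow(2, 2, P_MOD)   # element of order l in Z_p^*
BASE_P = 1                 # the public point P of G, written as its scalar


def smul(s, Q):
    """Scalar multiplication [s]Q in the toy group G = Z_l."""
    return (s * Q) % L


def pairing(X, Y):
    """Stand-in for the modified Weil pairing: e([x]P, [y]P) = g^(xy)."""
    return pow(G_GEN, (X * Y) % L, P_MOD)


def _hash_to_range(tag, data, modulus):
    h = int.from_bytes(hashlib.sha256(tag + data).digest(), "big")
    return 1 + h % (modulus - 1)          # nonzero value in [1, modulus - 1]


def H(identity):
    """H: {0,1}* -> G, identity string -> public key Q_ID (constructed)."""
    return _hash_to_range(b"H", identity.encode(), L)


def H_prime(summed_point):
    """H' applied to Q_A + Q_B, giving the identity of an interior node (constructed)."""
    return _hash_to_range(b"H'", summed_point.to_bytes(4, "big"), L)


def f_t(k):
    """f_t: F_{q^k}^* -> Z_q^*, node key -> ephemeral private value of the next level."""
    return _hash_to_range(b"ft", k.to_bytes(4, "big"), L)


def V(k):
    """Key derivation function V: F_{q^k}^* -> {0,1}* (constructed: SHA-256)."""
    return hashlib.sha256(b"kdf" + k.to_bytes(4, "big")).digest()


class KGC:
    """Master secret s, public P_KGC = [s]P, and private-key extraction S_ID = [s]Q_ID."""
    def __init__(self, s):
        self.s, self.P_KGC = s, smul(s, BASE_P)

    def extract(self, Q):
        return smul(self.s, Q)


def node_key(k_own, S_own, Q_sib, T_sib, P_KGC):
    """k = e([k'_own]Q_sib, P_KGC) * e(S_own, T_sib): the two-party step of [13],
    reused at every level with the sibling's Bkey (Q_sib, T_sib)."""
    return (pairing(smul(k_own, Q_sib), P_KGC) * pairing(S_own, T_sib)) % P_MOD


def pairing_properties_hold():
    """Bilinearity e([a]X,[b]Y) = e(X,Y)^(ab) and non-degeneracy e(P,P) != 1."""
    X, Y, a, b = 5, 11, 3, 7
    return (pairing(smul(a, X), smul(b, Y)) == pow(pairing(X, Y), a * b, P_MOD)
            and pairing(BASE_P, BASE_P) != 1)


def run_four_party(kgc, ids, ephemerals):
    """Members A,B,C,D at <2,0>..<2,3>.  Returns ({member: group key}, {member: level-1 key})."""
    Q = {m: H(i) for m, i in zip("ABCD", ids)}           # long-term public keys Q_ID
    S = {m: kgc.extract(Q[m]) for m in "ABCD"}           # private keys from the KGC
    a = dict(zip("ABCD", ephemerals))                    # ephemeral private values a,b,c,d
    T = {m: smul(a[m], BASE_P) for m in "ABCD"}          # ephemeral public values T = [a]P
    # Table 1: level 2 -> 1, each member uses its sibling's Bkey (Q_sib, T_sib)
    k1 = {m: node_key(a[m], S[m], Q[sib], T[sib], kgc.P_KGC)
          for m, sib in (("A", "B"), ("B", "A"), ("C", "D"), ("D", "C"))}
    # Table 2: identities, private keys and ephemeral values of <1,0> and <1,1>
    Q_AB, Q_CD = H_prime((Q["A"] + Q["B"]) % L), H_prime((Q["C"] + Q["D"]) % L)
    S_AB, S_CD = kgc.extract(Q_AB), kgc.extract(Q_CD)
    kp = {m: f_t(k1[m]) for m in "ABCD"}                  # k'_AB for A,B and k'_CD for C,D
    T_AB, T_CD = smul(kp["A"], BASE_P), smul(kp["C"], BASE_P)
    # level 1 -> 0: A,B use the Bkey of <1,1>; C,D use the Bkey of <1,0>
    root = {"A": node_key(kp["A"], S_AB, Q_CD, T_CD, kgc.P_KGC),
            "B": node_key(kp["B"], S_AB, Q_CD, T_CD, kgc.P_KGC),
            "C": node_key(kp["C"], S_CD, Q_AB, T_AB, kgc.P_KGC),
            "D": node_key(kp["D"], S_CD, Q_AB, T_AB, kgc.P_KGC)}
    return {m: V(k) for m, k in root.items()}, k1


if __name__ == "__main__":
    keys, _ = run_four_party(KGC(s=123), ["alice@example.com", "bob@example.com",
                                           "carol@example.com", "dave@example.com"],
                             [17, 23, 101, 333])
    print({m: k.hex()[:16] for m, k in keys.items()})
```

`node_key` is the only place a pairing is evaluated, and it is called once per level per member, which matches the paper's count of two scalar multiplications and two pairings per key computation. Because the toy group exposes discrete logs, it must not be mistaken for a security argument; a real deployment substitutes a supersingular curve and the modified Weil pairing of Section 4.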
5.4 Adding or Deleting a Member in the Key Tree
Firstly, whenever a user $M_{n+1}$ wants to join the existing group $\{M_1, M_2, \ldots, M_n\}$, it broadcasts a join request (containing its Bkey) to all the group members. Every member then updates the key tree by adding the new member node and the intermediate node (the new member is added at the rightmost shallowest node to maintain the tree height).
Fig. 2. Join operation
Fig. 3. Leave operation
When a new member joins the group, an existing leaf node $x$ is split: the member associated with $x$ is now associated with $left(x)$ and the new member is associated with $right(x)$. The new member will have a new long-term public/private key pair (private key obtained from the KGC using his ID as public key) and a new ephemeral public/private key pair. The old member should change his ephemeral public key (by choosing a new ephemeral private key), since its former sibling knows its old blinded key, and could use this information in collusion with another member
in the group to find an unblinded key that is not on his path to the root. This member is called the sponsor. The sponsor, after updating the tree, computes the group key since it knows all the necessary blinded keys. After computing the group key, the sponsor broadcasts the new tree, which contains the blinded keys that have changed after the join. The whole tree information has to be sent to the new member. When the member associated with the node $y$ is removed from the group, the member assigned to the sibling of $y$ is reassigned to the parent $p$ of $y$ and given a new leaf key value (ephemeral key). If the sibling $s$ of $y$ is the root of a subtree, then $p$ becomes $s$, moving the subtree closer to the root, and one of the leaves of this subtree is given a new ephemeral key (so that the deleted member no longer knows the blinded key associated with the root of the subtree). The sponsor in this case is the rightmost leaf node of the subtree rooted at the leaving member's sibling node. The sponsor picks a new secret share, computes all keys on its key-path up to the root, and broadcasts the new set of blinded keys to the group, which allows all members to recompute the new group key.
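Added example, not the paper's or the TGDH authors' code, of the tree maintenance rules just described: a join splits the rightmost shallowest leaf, with the old occupant of that leaf as sponsor; a leave moves the departing member's sibling subtree up into the parent's place and makes the rightmost leaf of that subtree the sponsor. The tree is written in Python over nested tuples (a leaf is a member name, an interior node a `(left, right)` pair) so that it needs no other code; only the tree shape and the sponsor choice are computed, the key recomputation the sponsor then performs is that of Section 5.3.

```python
"""Join and leave on the key tree (Section 5.4): tree shape and sponsor selection only.
Constructed example; a leaf is a member name (str) and an interior node a pair
(left, right), so (("A", "B"), "C") has A and B at depth 2 and C at depth 1."""


def leaves(tree, depth=0):
    """(member, depth) for every leaf, left to right; the last entry is the rightmost leaf."""
    if isinstance(tree, str):
        return [(tree, depth)]
    left, right = tree
    return leaves(left, depth + 1) + leaves(right, depth + 1)


def insertion_point(tree):
    """The rightmost of the shallowest leaves: the node at which a newcomer is
    inserted so that the tree height grows as little as possible."""
    ls = leaves(tree)
    min_depth = min(d for _, d in ls)
    return [m for m, d in ls if d == min_depth][-1]


def join(tree, newcomer):
    """Split the insertion leaf x: its old occupant becomes left(x), the newcomer right(x).
    Returns (new_tree, sponsor).  The sponsor is the old occupant: its former sibling
    knows its old Bkey, so it must pick a fresh ephemeral key before rekeying."""
    x = insertion_point(tree)

    def split(t):
        if isinstance(t, str):
            return (t, newcomer) if t == x else t
        return (split(t[0]), split(t[1]))

    return split(tree), x


def leave(tree, member):
    """Remove the leaf y of `member`; its sibling subtree s takes the place of the
    parent p.  Returns (new_tree, sponsor): the rightmost leaf of s, which picks a new
    share so that the departed member's knowledge of s's old Bkey is useless."""
    if isinstance(tree, str):
        raise ValueError("cannot remove the only member")
    sponsor = []

    def prune(t):
        if isinstance(t, str):
            return t
        left, right = t
        if left == member:                     # y is the left child: s = right subtree
            sponsor.append(leaves(right)[-1][0])
            return right
        if right == member:                    # y is the right child: s = left subtree
            sponsor.append(leaves(left)[-1][0])
            return left
        return (prune(left), prune(right))

    new_tree = prune(tree)
    if not sponsor:
        raise ValueError("%r is not in the tree" % (member,))
    return new_tree, sponsor[0]


if __name__ == "__main__":
    t = (("A", "B"), "C")
    t, sp = join(t, "D")
    print(t, "sponsor:", sp)
    t, sp = leave(t, "B")
    print(t, "sponsor:", sp)
```

Starting from `(("A", "B"), "C")`, a join of D splits C's leaf (the only leaf at depth 1) and C is the sponsor; a subsequent leave of B collapses `("A", "B")` into `"A"`, and A, as the sole leaf of the promoted subtree, becomes the sponsor.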
5.5 Merge and Partition
Suppose there are two merging groups. In the first round, each sponsor (the rightmost member of each group) broadcasts its tree (with all Bkeys) to the other group after updating the secret share of the sponsor and the relevant (key, Bkey) pairs up to the root node. Upon receiving these messages, all members can uniquely and independently determine how to merge the trees by the tree management policy [17]. The merge position is the rightmost shallowest node which does not increase the tree height. If the two trees have the same height, we join one tree to the root node of the other tree. The rightmost member of the subtree rooted at the merge point becomes the sponsor of the key update operation. The sponsor then takes on the role of computing the keys and the blinded keys, and broadcasts the entire tree with the blinded keys to all the other members. All the members now have the complete set of blinded keys, which allows them to compute all the keys on their key-path. A partition in the key tree would be as follows. In the first round, each member updates its view of the key tree by deleting all leaf nodes associated with partitioned members and (recursively) their parent nodes. All leaving nodes are sorted by depth order. Starting at the deepest level, each pair of leaving siblings is collapsed into its parent, which is then marked as leaving. This node is then re-inserted into the leaving nodes list. The above is repeated until all leaving nodes are processed, i.e., there are no more leaving nodes that can be collapsed. The resulting tree has a number of leaving (leaf) nodes but every such node has a remaining sibling node. Each of these sibling nodes becomes a sponsor. Each sponsor now computes the keys and Bkeys on the key-path as far up the tree as possible. Then, each sponsor broadcasts the set of new Bkeys. Upon receiving the new broadcast, each member checks whether the message contains new Bkeys.
This procedure iterates until all members obtain the group key. To prevent reuse of the old group keys, one of the remaining members (the shallowest rightmost sponsor) changes its key share. In the first protocol round, the shallowest rightmost sponsor changes its share.
6 Security Analysis
This section analyses the security properties and the communication and computation costs for the join, leave, merge, and partition protocols of ID-AGKA, comparing them with the TGDH protocol. In case of a join or a merge operation, the sponsor selects a new key, so that its former siblings, who know its blinded key, cannot use this information in collusion with other members in the group to find the group key. Similarly, even in a leave or a partition operation, the sponsor selects a new ephemeral key before broadcasting the changed Bkeys to the other group members. Thus, the protocol maintains both forward secrecy and backward secrecy. Implicit key authentication is provided in the protocol as it is ID-based. The protocol is contributory since each party equally contributes to the group key. The message flows are similar for all the group membership operations (join, leave, merge, and partition) in both the TGDH and ID-AGKA protocols, as both protocols use the same approach. Communication-wise, ID-AGKA incurs more cost in the sense that every time a secret key is required for a node, the identity (ID) associated with that node is sent to the KGC, and the KGC sends back the secret key for that ID. This cost can be reduced by giving the key tree information to the KGC, and, as described earlier in section 5.3, the KGC would compute the identities for the intermediate nodes and send all the secret keys related to a single member at once. This would increase the responsibility and the computations at the KGC. The computation cost would definitely be different in the two protocols since the base protocol is different. Weil pairings and scalar multiplications over elliptic curves are the basic computations in ID-AGKA, whereas TGDH uses modular exponentiations. In the ID-AGKA protocol, every key computation involves two elliptic curve scalar multiplications and two Weil pairings. Computation of blinded keys involves one elliptic curve multiplication.
Whereas in TGDH, computation of the blinded key costs one modular exponentiation, and computation of the key also costs one exponentiation. Since evaluating a Weil pairing is a costly operation, this protocol would be an expensive one. Computation cost would not be a constraint in the present world as computational costs are decreasing day by day. In ID-AGKA the cost increases, but with improved security, since elliptic curves provide high security with smaller key lengths [3]. ID-based systems require a trusted KGC. One major attribute of the ID-AGKA protocol is that it is an ID-based system, and does not require computation of signatures or verifications. ID-based systems simplify the key management procedures of certificate-based PKI. However, TGDH requires a deployed PKI so as to authenticate the long-term public keys. In a traditional PKI-deployed system, any member wishing to join a group is required to obtain a certificate from the certifying authority, whereas in an ID-based system this is not required. New users can join the group at any time, and get a private key at that point of time from the KGC. Thus, ID-based systems allow more dynamism. This is another advantage of ID-AGKA. Having studied the advantages of the ID-AGKA protocol, even though the cost increases when compared to TGDH, it would be more desirable to incorporate the ID-AGKA protocol for improved security. Also, the initial cost of deploying a PKI is null in the ID-AGKA protocol.
7 Conclusions and Future Work
A key establishment protocol using one-way function trees is proposed in [6]. It is shown in section 3 that any key agreement function satisfying some given properties can be extended to a group key agreement protocol using one-way function trees. The tree-based group Diffie-Hellman protocol is explained and the four membership change operations (join, leave, merge and partition) are studied for this protocol. The first ID-based group key agreement protocol is proposed, based on the two-party ID-based authenticated key agreement protocol [13] and one-way function trees. A new transformation function is defined, which is required to generate the key at any level from a lower-level key in the key tree. The protocol has been analysed for performance and it is found that the base computation and communication costs are slightly more than those of TGDH, but at the same time with the advantage of increased security and of saving the cost of deploying a PKI. Key authentication is also provided implicitly in the protocol as it is ID-based, which is not the case with TGDH. Also, the ID-AGKA protocol is seen to be more dynamic as it is ID-based and not certificate-based. The protocol has to be implemented and tested against various other existing group key agreement protocols.
References

[1] A. Joux: A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium, ANTS IV, volume 1838 of Lecture Notes in Computer Science, pages 385-394, Springer-Verlag, 2000.
[2] A. Menezes, P.C. van Oorschot, and S. Vanstone: Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997.
[3] A. Menezes: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, 2001.
[4] A. Shamir: Identity based cryptosystems and signature schemes. Advances in Cryptology – Proceedings of Crypto'84.
[5] C. Cocks: An identity based encryption scheme based on quadratic residues. Cryptography and Coding, 2001.
[6] D.A. McGrew and A.T. Sherman: Key establishment in large dynamic groups using one-way function trees. Manuscript, 1998.
[7] D. Boneh and M. Franklin: Identity-based encryption from the Weil pairing. In Advances in Cryptology – CRYPTO 2001, Springer-Verlag LNCS 2139, pages 213-229, 2001.
[8] Divya Nalla and K.C. Reddy: ID-based tripartite key agreement protocol from pairings. Submitted.
[9] M. Burmester and Y. Desmedt: A secure and efficient conference key distribution system. In A. De Santis, editor, Advances in Cryptology – EUROCRYPT '94, Workshop on the Theory and Application of Cryptographic Techniques, volume 950 of Lecture Notes in Computer Science, pages 275-286, Springer-Verlag, 1995.
[10] R.C. Merkle: Secrecy, authentication and public-key cryptosystems. Technical Report No. 1979-1, Information Systems Laboratory, Stanford University, Palo Alto, CA, 1979.
[11] M. Steiner, G. Tsudik, and M. Waidner: Key agreement in dynamic peer groups. IEEE Transactions on Parallel and Distributed Systems, August 2000.
[12] A. Fiat and M. Naor: Broadcast encryption. In Advances in Cryptology – Proceedings of Crypto '93, D.R. Stinson, editor, LNCS 773, pages 481-491, Springer-Verlag, 1993.
[13] N.P. Smart: An identity based authenticated key agreement protocol based on the Weil pairing. Cryptology ePrint Archive, Report 2001/111, 2001. http://eprint.iacr.org/.
[14] R. Sakai, K. Ohgishi, and M. Kasahara: Cryptosystems based on pairings. In SCIS 2000, 2000.
[15] S.S. Al-Riyami and K.G. Paterson: Authenticated three party key agreement protocols from pairings. Information Security Group, Royal Holloway, University of London, March 2002.
[16] Y. Kim, A. Perrig, and G. Tsudik: Communication-efficient group key agreement. In Information Systems Security, Proceedings of the 17th International Information Security Conference IFIP SEC'01, 2001.
[17] Y. Kim, A. Perrig, and G. Tsudik: Simple and fault-tolerant key agreement for dynamic collaborative groups. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 235-244, ACM Press, November 2000.
Appendix A. Applications of ID-Based Encryption

The original motivation for ID-based encryption is to simplify certificate management in e-mail systems, i.e., to help the deployment of PKI. Several other applications are shown below.

A.1 Revocation of Public Keys

Public key certificates contain a preset expiration date. In an ID-based system key expiration can be done by having Alice encrypt e-mail sent to Bob using the public key "[email protected] || current-year". In doing so Bob can use his private key during the current year only. Note that unlike the existing traditional PKI, Alice does not need to obtain a new certificate from Bob every time Bob refreshes his certificate.
Identity Based Authenticated Group Key Agreement Protocol
231
The public key can be made "[email protected] || current-date" so that the private key needs to be refreshed every day. Key revocation would be simpler in this scenario.
A.2 Delegation of Decryption Capabilities
Another application for ID-based systems is delegation of decryption capabilities. Two examples can be considered. In both applications the user Bob plays the role of a KGC. Bob generates his own ID-based system parameters (his public key) and his own master key. Bob obtains a certificate from a CA for his public key. When Alice wishes to send mail to Bob, she first obtains Bob's public key from Bob's public key certificate. Note that Bob is the only one who knows his master key and hence there is no key escrow with this setup.
Delegation to a laptop: Suppose Alice encrypts mail to Bob using the current date as the ID-based encryption parameter. Suppose Bob goes on a trip for 3 days. Normally, Bob would put the private key on his laptop, and if the laptop is stolen his private key is compromised. But in an ID-based system, Bob could simply install the three private keys corresponding to the three days on his laptop. If the laptop is stolen, only those three keys are compromised.
Delegation of duties: Suppose Alice encrypts mail to Bob using the subject line as the ID-based encryption key. Bob can decrypt the mail using his master key. Now suppose Bob has several assistants, each responsible for a different task. Bob gives one private key to each of his assistants depending on their responsibility. Each assistant can then decrypt only those messages whose subject line falls within its responsibilities, but cannot decrypt messages intended for other assistants. Note that here Alice obtains a single public key to send mail with any subject line of her choice.
Appendix B. ID-Based Two Party Authenticated Key Agreement Protocol
B.1 Protocol
Suppose two users A and B wish to agree on a key. We denote the private keys of these users by $S_A = [s]Q_A$ and $S_B = [s]Q_B$ respectively, which have been obtained from the Key Generation Center (KGC) by sending their identities $Q_A$ and $Q_B$. Each user generates an ephemeral private key, say $a$ and $b$. The data flows of the protocol are as follows.
$A \to B : T_A = [a]P$; $B \to A : T_B = [b]P$
User A then computes $k_A = \hat{e}([a]Q_B, P_{KGC}) \cdot \hat{e}(S_A, T_B)$ and user B computes $k_B = \hat{e}([b]Q_A, P_{KGC}) \cdot \hat{e}(S_B, T_A)$, so that
$$k_A = k_B = k_{AB} = \hat{e}([a]Q_B + [b]Q_A, [s]P).$$
Hence the shared secret depends on the identities $Q_A$, $Q_B$ of the two parties, the secret key $s$ of the key generation center and the two ephemeral keys $a$, $b$. The KGC can thus compute the key $k_{AB}$ from the message flows and the secret key $s$, and hence the ID-based escrow facility is possible. The protocol requires each party to compute two elliptic curve multiplications and two Weil pairings and provides the following security properties:
• Known key security
• Forward secrecy: Note, however, that compromise of the key generation centre's long term secret $s$ will allow anyone to compute the key via $\hat{e}(Q_B, T_A)^s \cdot \hat{e}(Q_A, T_B)^s$.
To get rid of the "escrow" property of Smart's protocol, the non-interactive key agreement protocol [14] can be used, where the protocol messages are $A \to B : [a]P$; $B \to A : [b]P$, and the common key computed is $hash(abP, \hat{e}(Q_A, Q_B)^s)$. The value $\hat{e}(Q_A, Q_B)^s$ can be pre-computed before the protocol begins. Using this protocol instead of Smart's key agreement protocol reduces the number of computations. But this protocol is vulnerable to a man-in-the-middle attack. Hence we prefer using Smart's protocol in defining our n-party protocol.
Appendix C. Group Key Agreement Protocol Properties
A group key agreement protocol is required to have the following properties, assuming that the group key changes:
• Group key secrecy
• Forward secrecy
• Backward secrecy
• Key independence
• Key freshness
• Contributory
• Implicit key authentication
• Key integrity
Some more desirable properties of a key agreement protocol are: low communication overhead, a minimal number of passes and rounds, and role symmetry (messages transmitted and computations performed by all the entities have the same structure). Two important computational attributes also have to be considered for a key agreement protocol: computation overhead and the ability to perform precomputation. It may be desirable that some computations be done offline (i.e., pre-computed before the protocol run).
Appendix D. Performance Analysis
The following table summarises the communication and computation costs [16] of the four protocols GDH.3 [10], TGDH, STR [15] and BD [8].
                                 Communication                  Computation
Protocol  Operation   Rounds          Messages    Exponentiations  Signatures      Verifications
GDH       Join        4               n+3         n+3              4               n+3
GDH       Leave       1               1           n-1              1               1
GDH       Merge       m+3             n+2m+1      n+2m+1           m+3             n+2m+1
GDH       Partition   1               1           n-p              1               1
TGDH      Join        2               3           3h/2             2               3
TGDH      Leave       1               1           3h/2             1               1
TGDH      Merge       log2 k + 1      2k          3h/2             log2 k + 1      log2 k
TGDH      Partition   min(log2 p, h)  2h          3h               min(log2 p, h)  min(log2 p, h)
STR       Join        2               3           4                2               3
STR       Leave       1               1           3n/2 + 2         1               1
STR       Merge       2               k+1         3m+1             2               3
STR       Partition   1               1           3n/2 + 2         1               1
BD        Join        2               2n+2        3                2               n+3
BD        Leave       2               2n-2        3                2               n+1
BD        Merge       2               2n+2m       3                2               n+m+2
BD        Partition   2               2n-2p       3                2               n-p+2
n – number of members in the group; k – number of merging groups; h – height of the key tree; p – number of members partitioned from a group of n members.
Construction of Cryptographically Important Boolean Functions
Soumen Maity (1) and Thomas Johansson (2)
(1) Theoretical Statistics and Mathematics Unit, Indian Statistical Institute, 203 B. T. Road, Calcutta-700108, INDIA, [email protected]
(2) Department of Information Technology, Lund University, P.O. Box 118, S-221 00 Lund, SWEDEN, [email protected]
Abstract. Boolean functions are used as nonlinear combining functions in certain stream ciphers. A Boolean function is said to be correlation immune if its output leaks no information about its input values. Balanced correlation immune functions are called resilient functions. Finding methods for easy construction of resilient functions with additional properties is an active research area. Maitra and Pasalic [3] have constructed 8-variable 1-resilient Boolean functions with nonlinearity 116. Their technique interlinks mathematical results with classical computer search. In this paper we describe a new technique to construct 8-variable 1-resilient Boolean functions with the same nonlinearity. Using a similar technique, we directly construct 10-variable (resp. 12-variable) 1-resilient functions with nonlinearity 488 (resp. 1996). Finally, we describe some results on the construction of n-variable t-resilient functions with maximum nonlinearity.
Keywords: Boolean function; Balancedness; Nonlinearity; Perfectly nonlinear function; Bent function; Algebraic degree; Correlation immunity; Resiliency; Stream cipher; Combinatorial problems
1 Introduction
Boolean functions have many applications in computer security practices, including the construction of keystream generators based on a set of shift registers. Such a function should possess certain desirable properties to withstand known cryptanalytic attacks. Four such important properties are balancedness, correlation immunity, algebraic degree and nonlinearity. The maximum possible nonlinearity for $n$-variable functions is known only for even $n$ and equals $2^{n-1} - 2^{n/2-1}$. Functions achieving this nonlinearity are called bent and were introduced by Rothaus [6]. Correlation immune functions were introduced by Siegenthaler [8] to withstand a class of "divide and conquer" attacks on certain models of stream ciphers. He also investigated the properties of Boolean functions with correlation immunity. Recently, a nontrivial upper bound on the nonlinearity of resilient functions was obtained by Sarkar and Maitra [7]. They proved that the nonlinearity of an $n$-variable ($n$ even) $t$-resilient function is less than or equal to $2^{n-1} - 2^{n/2-1} - 2^{t+1}$ (resp. $2^{n-1} - 2^{t+1}$) if $t+1 \le n/2 - 1$ (resp. $t+1 > n/2 - 1$). A similar kind of result has been presented independently by Tarannikov [9] and Zheng and Zhang [11]. Construction of resilient Boolean functions achieving the upper bound on nonlinearity is an important research area. Maitra and Pasalic [3] have constructed 8-variable 1-resilient Boolean functions with nonlinearity 116. In this paper, we describe a new technique to construct other 8-variable 1-resilient Boolean functions with nonlinearity 116. We start with an 8-variable bent function $f$ and suitably change some bits in the output column of the truth table of $f$ to get our 8-variable 1-resilient function with nonlinearity 116. Furthermore, using a similar technique, we directly construct 10-variable (resp. 12-variable) 1-resilient functions with nonlinearity 488 (resp. 1996). Finally we provide some results on the construction of $n$-variable $t$-resilient functions with maximum nonlinearity.
This research was supported by the ReX program of Stichting Nlnet, Netherlands.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 234–245, 2002. c Springer-Verlag Berlin Heidelberg 2002
2 Preliminaries
Let $n$ be any positive integer. An $n$-variable Boolean function is a map $f : \{0,1\}^n \to \{0,1\}$. These functions play a major role in stream cipher cryptosystems. Boolean functions are used in many different binary keystream generators based on LFSRs. Their purpose in the keystream generators is often to destroy the linearity introduced by the LFSRs. An $n$-variable Boolean function $f(x_1, x_2, \ldots, x_n)$ can be represented as a multivariate polynomial over $GF(2)$. That is, $f(x_1, x_2, \ldots, x_n)$ can be written as
$$f(x_1, x_2, \ldots, x_n) = a_0 + \sum_{i=1}^{n} a_i x_i + \sum_{1 \le i < j \le n} a_{ij} x_i x_j + \ldots + a_{12 \ldots n} x_1 x_2 \ldots x_n,$$
where the coefficients $a_0, a_i, a_{ij}, \ldots, a_{12 \ldots n} \in GF(2)$ and the addition and multiplication operations are in $GF(2)$. A truth table lists the function output value for all possible inputs. In cryptographic applications there are several properties of Boolean functions that are interesting to investigate. We now discuss some important properties of Boolean functions for stream cipher applications.
Definition 1. An $n$-variable Boolean function $f(X)$ is balanced if the output column in the truth table contains an equal number of 0's and 1's.
Definition 2. The algebraic degree, or simply degree, of a Boolean function $f(X)$ is defined to be the number of variables in the highest order product of $f(X)$, when $f(X)$ is written in algebraic normal form. The algebraic degree of $f(X)$ is denoted by $\deg(f)$.
Let $F_n$ be the set of all Boolean functions in $n$ variables. Let $F_2 = GF(2)$. The Hamming distance between two functions $f(X), g(X) \in F_n$ is defined as $d_H(f, g) = |\{X \mid f(X) \neq g(X),\ X \in F_2^n\}|$. Functions of degree at most one are called affine functions. An affine function with constant term equal to zero is called a linear function. Let $A_n$ be the set of all affine functions in $n$ variables.
Definition 3. We define the nonlinearity of a Boolean function $f(X)$, denoted by $N_f$, as the Hamming distance to the nearest affine function, i.e., $N_f = \min_{g \in A_n} d_H(f, g)$.
This measure of nonlinearity is related to linear cryptanalysis [4]. In most cryptographic applications we would like the correlation between an individual input variable and the output variable to be small. Siegenthaler [8] introduced the concept of correlation immunity of combining functions for nonlinear combined stream ciphers, and investigated the properties of Boolean functions with correlation immunity. The purpose of introducing correlation-immune functions as nonlinear functions for stream ciphers is to protect them from the "divide and conquer" attack.
Definition 4. An $n$-variable Boolean function is defined to be $t$-th order correlation immune if for any $t$-tuple of independent identically distributed binary random variables $X_{i_1}, X_{i_2}, \ldots, X_{i_t}$ we have $I(X_{i_1}, X_{i_2}, \ldots, X_{i_t}; Y) = 0$, $1 \le i_1 < i_2 < \ldots < i_t \le n$, where $Y = f(X_1, X_2, \ldots, X_n)$ and $I(X; Y)$ denotes the mutual information. A Boolean function that is both balanced and $t$-th order correlation immune is called a $t$-resilient function.
The properties above are often investigated through the Walsh transform.
Definition 5. Let $f(X)$ be an $n$-variable Boolean function. Let us consider $X = (x_1, x_2, \ldots, x_n)$ and $\omega = (\omega_1, \omega_2, \ldots, \omega_n)$ both belonging to $\{0,1\}^n$ and $X \cdot \omega = x_1 \omega_1 \oplus x_2 \omega_2 \oplus \ldots \oplus x_n \omega_n$. Then the Walsh transform of $f(X)$ is a real valued function over $\{0,1\}^n$, which is defined as
$$W_f(\omega) = \sum_{X \in \{0,1\}^n} (-1)^{f(X) \oplus X \cdot \omega}.$$
The Walsh transform is sometimes called the spectral distribution or simply the spectrum of a Boolean function.
The Hamming distance between a Boolean function $f(X)$ and an affine function $g(X) = X \cdot \omega + b$, where $b \in F_2$, can be calculated with the Walsh transform as
$$d_H(f, g) = 2^{n-1} - \frac{(-1)^b W_f(\omega)}{2}.$$
Thus, the nonlinearity of $f(X)$ can be obtained from the Walsh transform as
$$N_f = 2^{n-1} - \frac{1}{2} \max_{\omega} |W_f(\omega)|.$$
A function $f$ of $n$ variables is called bent if $W_f(\omega) = \pm 2^{n/2}$ for all $\omega \in \{0,1\}^n$. In other words, an $n$-variable function is called bent if $N_f = 2^{n-1} - 2^{n/2-1}$. These functions are important in both cryptography and coding theory since they achieve the maximum possible nonlinearity. Xiao and Massey [10] gave a spectral characterization of Boolean functions with correlation immunity. Here we state this characterization as a definition of correlation immunity.
Definition 6. A Boolean function $f$ is $t$-th order correlation immune (CI) iff its Walsh transform satisfies $W_f(\omega) = 0$ for all $\omega \in F_2^n$ with $1 \le wt(\omega) \le t$, where $wt(\omega)$ is the Hamming weight of the binary string $\omega$. Furthermore, if $f$ is balanced then $W_f(0) = 0$. Balanced $t$-th order correlation immune functions are called $t$-resilient functions. Thus, a Boolean function $f$ is $t$-resilient iff its Walsh transform satisfies $W_f(\omega) = 0$ for all $\omega \in F_2^n$ with $0 \le wt(\omega) \le t$.
We now recall the definition and some properties of perfectly nonlinear functions for later use. Let $f$ be a function from an abelian group $(A, +)$ of order $n$ to another abelian group $(B, +)$ of order $m$. A robust measure [5] of the nonlinearity of functions is related to differential cryptanalysis [1] and uses the derivatives $D_a f(x) = f(x + a) - f(x)$. It may be defined by
$$P_f = \max_{0 \neq a \in A} \max_{b \in B} \Pr(D_a f(x) = b),$$
where $\Pr(E)$ denotes the probability of the occurrence of event $E$. The smaller the value of $P_f$, the higher the corresponding nonlinearity of $f$ (if $f$ is linear, then $P_f = 1$).
Definition 7. A function $f : A \to B$ has perfect nonlinearity if $P_f = \frac{1}{|B|}$.
Definition 8. A function $g : A \to B$ is balanced if the size of $g^{-1}(b)$ is the same for every $b \in B$.
Theorem 1. A function $f : A \to B$ has perfect nonlinearity if and only if, for every $a \in A^* = A - \{0\}$, the derivative $D_a f$ is balanced.
Theorem 2. (Carlet and Ding [2]) Let $f : (A, +) \to (B, +)$ have perfect nonlinearity, and let $l : (B, +) \to (C, +)$ be a linear onto function. Then the composition $l \circ f$ is a function from $(A, +)$ to $(C, +)$ with perfect nonlinearity.
In the case of Boolean functions, perfectly nonlinear functions are called bent. For a general survey of perfectly nonlinear functions one can refer to Carlet and Ding [2].
3 Construction of Bent Functions
In this section, we describe a method to construct $n$-variable ($n$ even) bent functions.
Lemma 1. Let $n$ and $m$ be any positive integers, where $m$ divides $n$. Let $g : F_{2^m}^{n/m} \to F_{2^m}$ and $f = Tr(g) : F_{2^m}^{n/m} \to F_2$, where $Tr$ is the trace function from $F_{2^m}$ to $F_2$. If $g$ is perfectly nonlinear, then $f$ is an $n$-variable bent function.
Proof: Since $g : F_{2^m}^{n/m} \to F_{2^m}$ is a perfectly nonlinear function and $Tr : F_{2^m} \to F_2$ is a linear onto function, the composition $Tr(g)$ is a bent function from $F_{2^m}^{n/m}$ to $F_2$. It follows from Theorem 2.
The bent functions we will use in Theorem 3 and Theorem 4 can be obtained using Lemma 1.
Example 1. Let $n = 8$, $m = 4$ and $g(X_1, X_2) = X_1 X_2$ where $X_i \in F_{2^4}$. It is known that $g$ is a perfectly nonlinear function; for details see Carlet and Ding [2]. We use the primitive polynomial $x^4 + x + 1$ to generate all the elements of the field $F_{2^4}$. By using Lemma 1, we get an 8-variable bent function $f(X_1, X_2) = Tr(g(X_1, X_2))$ as follows:
0000000000000000010101011010101000001111000011110101101010100101
0011001100110011011001101001100100111100001111000110100110010110
0101010101010101000000001111111101011010010110100000111111110000
0110011001100110001100111100110001101001011010010011110011000011
It has nonlinearity 120 and weight 120.
Example 2. Let $n = 10$, $m = 5$ and $g(X_1, X_2) = X_1 X_2$ where $X_i \in F_{2^5}$. Here we consider the primitive polynomial $1 + x^3 + x^5$ to generate all the elements of the field $F_{2^5}$. Then, by Lemma 1, we get a 10-variable bent function $f$ as follows (to save space we represent $f$ in hexadecimal format):
0000000033CC33CC5A5A5A5A699669963333333300FF00FF696969695AA55AA55555555566
9966990F0F0F0F3CC33CC36666666655AA55AA3C3C3C3C0FF00FF00000FFFF33CCCC33
5A5A5A5699696693333CCCC00FFFF00696996965AA5A55A5555AAAA669999660F0FF0F0
3CC3C33C6666999955AAAA553C3CC3C30FF0F00F
Note that $f$ has nonlinearity 496 and $wt(f) = 496$.
Later we will use bent functions of this type to construct our resilient functions.
4 Construction of 1-Resilient Functions
4.1 Construction of 8-Variable 1-Resilient Functions with Nonlinearity 116
We now show how to construct an 8-variable 1-resilient function with nonlinearity 116 using an 8-variable bent function $f$.
Theorem 3. Let $S_1 = \{(0,0,0,0,0,0,0,1), (0,0,0,0,0,0,1,0), (0,0,0,0,0,1,0,0), (0,0,0,0,1,0,0,0), (0,0,0,1,0,0,0,0), (0,0,1,0,0,0,0,0), (0,1,0,0,0,0,0,0), (1,0,0,0,0,0,0,0)\}$ and $S_2 = \{(0,0,0,0,0,0,0,0), (1,1,1,1,1,1,1,1)\}$. Let $f$ be an 8-variable bent function such that $f(X) = 0$ for all $X \in S_1 \cup \{(0,0,0,0,0,0,0,0)\}$ and $f(1,1,1,1,1,1,1,1) = 1$. Let us construct $f'$ as follows:
$$f'(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S_1 \cup S_2 \\ f(X) & \text{otherwise} \end{cases}$$
Then $f'$ is an 8-variable 1-resilient function with nonlinearity 116.
Proof. Let $h : \{0,1\}^n \to \{0,1\}$ be a Boolean function and $C \subseteq \{0,1\}^n$. Then we define $\rho_1^C(h) = |\{X \in C ; h(X) = 1\}|$ and $\rho_0^C(h) = |\{X \in C ; h(X) = 0\}|$. Let $A = \{0,1\}^8$, $S = S_1 \cup S_2$ and $\bar{S} = \{0,1\}^8 - S$. It may be noted that $\rho_1^{\bar S}(f' \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega)$ and $\rho_0^{\bar S}(f' \oplus X \cdot \omega) = \rho_0^{\bar S}(f \oplus X \cdot \omega)$ for all $\omega \in \{0,1\}^8$.
Let $wt(\omega) \in \{0,1\}$. We verify from Table 2 that $\rho_1^S(f \oplus X \cdot \omega) = 1$ and $\rho_1^S(f' \oplus X \cdot \omega) = 9$. So $wt(f \oplus X \cdot \omega) = \rho_1^A(f \oplus X \cdot \omega) = \rho_1^S(f \oplus X \cdot \omega) + \rho_1^{\bar S}(f \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega) + 1 = 120$ implies $\rho_1^{\bar S}(f \oplus X \cdot \omega) = 119$. Thus $wt(f' \oplus X \cdot \omega) = \rho_1^A(f' \oplus X \cdot \omega) = \rho_1^S(f' \oplus X \cdot \omega) + \rho_1^{\bar S}(f' \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega) + 9 = 128$. Hence $f'$ is 1-resilient.
It only remains to prove that $f'$ has nonlinearity 116. The nonlinearity of $f'$ can be obtained from the Walsh transform as
$$N_{f'} = 2^7 - \frac{1}{2} \max_{\omega} |W_{f'}(\omega)|.$$
We now recall Definition 5 and write $W_{f'}(\omega) = \rho_0^A(f' \oplus X \cdot \omega) - \rho_1^A(f' \oplus X \cdot \omega)$ where $A = \{0,1\}^8$. To find $\max_\omega |W_{f'}(\omega)|$, we consider the following cases:
Case 1: Let $wt(\omega) \in \{0,1\}$. Since $f'$ is 1-resilient, $f' \oplus X \cdot \omega$ is balanced. Hence $W_{f'}(\omega) = 0$.
Case 2: Let $wt(\omega) \in \{2,3\}$. We verify from Table 2 that $\rho_1^S(f \oplus X \cdot \omega) = 3$ and $\rho_1^S(f' \oplus X \cdot \omega) = 7$. The Walsh transform of $f$ is $W_f(\omega) = \rho_0^A(f \oplus X \cdot \omega) - \rho_1^A(f \oplus X \cdot \omega) = [\rho_0^S(f \oplus X \cdot \omega) + \rho_0^{\bar S}(f \oplus X \cdot \omega)] - [\rho_1^S(f \oplus X \cdot \omega) + \rho_1^{\bar S}(f \oplus X \cdot \omega)] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) + 7] - [\rho_1^{\bar S}(f \oplus X \cdot \omega) + 3] = \pm 16$. Hence $[\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] \in \{-20, +12\}$. Thus the Walsh transform of $f'$ is $W_{f'}(\omega) = [\rho_0^S(f' \oplus X \cdot \omega) + \rho_0^{\bar S}(f' \oplus X \cdot \omega)] - [\rho_1^S(f' \oplus X \cdot \omega) + \rho_1^{\bar S}(f' \oplus X \cdot \omega)] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) + 3] - [\rho_1^{\bar S}(f \oplus X \cdot \omega) + 7] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] - 4 \in \{-24, +8\}$.
Case 3: Let $wt(\omega) \in \{4,5\}$. Here $\rho_1^S(f \oplus X \cdot \omega) = 5$ and $\rho_1^S(f' \oplus X \cdot \omega) = 5$. Thus the Walsh transform of $f'$ is $W_{f'}(\omega) = \pm 16$.
Case 4: Let $wt(\omega) \in \{6,7\}$. Note that $\rho_1^S(f \oplus X \cdot \omega) = 7$ and $\rho_1^S(f' \oplus X \cdot \omega) = 3$. So the Walsh transform values of $f'$ are $W_{f'}(\omega) \in \{-8, +24\}$.
Case 5: Let $wt(\omega) = 8$. It is easy to check that the Walsh transform value $W_f(\omega)$ is $-16$, and $\rho_1^S(f \oplus X \cdot \omega) = 9$ and $\rho_1^S(f' \oplus X \cdot \omega) = 1$. So $W_f(\omega) = [\rho_0^{\bar S}(f \oplus X \cdot \omega) + 1] - [\rho_1^{\bar S}(f \oplus X \cdot \omega) + 9] = -16$ implies $[\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] = -8$. Thus the Walsh transform of $f'$ is $W_{f'}(\omega) = [\rho_0^{\bar S}(f \oplus X \cdot \omega) + 9] - [\rho_1^{\bar S}(f \oplus X \cdot \omega) + 1] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] + 8 = 0$.
So $\max_\omega |W_{f'}(\omega)| = 24$ and $N_{f'} = 2^7 - 12 = 116$. Hence the theorem follows.
We now indicate our basis for the choice of the elements of $S$ in Theorem 3. We choose the elements of $S$ in two steps. First we select the set $S_1$ and construct
$$f_1(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S_1 \\ f(X) & \text{otherwise} \end{cases}$$
Note that $f_1$ is balanced but $wt(f_1 \oplus X_i) = 126$ for all $i$. To make $wt(f_1 \oplus X_i) = 128$, keeping the balancedness property unaffected, we finally choose the set $S_2$ and construct
$$f'(X) = \begin{cases} f_1(X) \oplus 1 & \text{if } X \in S_2 \\ f_1(X) & \text{otherwise.} \end{cases}$$
Table 1. Table shows the values of $f(X)$ and $f'(X)$ for $X \in S$
S.N.  x1 x2 x3 x4 x5 x6 x7 x8  f(X)  f'(X)
  0    0  0  0  0  0  0  0  0    0     1
  1    0  0  0  0  0  0  0  1    0     1
  2    0  0  0  0  0  0  1  0    0     1
  4    0  0  0  0  0  1  0  0    0     1
  8    0  0  0  0  1  0  0  0    0     1
 16    0  0  0  1  0  0  0  0    0     1
 32    0  0  1  0  0  0  0  0    0     1
 64    0  1  0  0  0  0  0  0    0     1
128    1  0  0  0  0  0  0  0    0     1
255    1  1  1  1  1  1  1  1    1     0
Note that $f'$ is balanced and also $wt(f' \oplus X_i) = 128$ for all $i$. We mention that the bent function of Example 1 can be used in Theorem 3.
4.2 Construction of 10-Variable (resp. 12-Variable) 1-Resilient Functions with Nonlinearity 488 (resp. 1996)
In this section, we construct a 10-variable 1-resilient function with nonlinearity 488 by using the same technique as in the construction of 8-variable 1-resilient functions with nonlinearity 116.
Theorem 4. Let $S_1 = \{(0,0,0,0,0,0,0,0,0,0), (0,0,0,0,0,0,0,0,0,1), (0,0,0,0,0,0,0,0,1,0), (0,0,0,0,0,0,0,1,0,0), (0,0,0,0,0,0,1,0,0,0), (0,0,0,0,0,1,0,0,0,0), (0,0,0,0,1,0,0,0,0,0), (0,0,0,1,0,0,0,0,0,0), (0,0,1,0,0,0,0,0,0,0), (0,1,0,0,0,0,0,0,0,0), (1,0,0,0,0,0,0,0,0,0), (0,0,0,0,0,0,0,0,1,1), (0,0,0,0,0,0,0,1,1,0), (0,0,0,0,0,0,1,1,0,0), (0,0,0,0,0,1,1,0,0,0), (0,0,0,0,0,1,0,0,0,1), (0,0,0,1,1,0,0,0,0,0), (0,0,1,1,0,0,0,0,0,0), (0,1,1,0,0,0,0,0,0,0), (1,1,0,0,0,0,0,0,0,0), (1,0,0,0,1,0,0,0,0,0), (1,1,1,1,1,1,1,1,1,1)\}$ and $S_2 = \{(0,0,0,0,1,0,1,0,0,1), (1,1,1,1,0,1,0,1,1,0), (0,1,0,0,1,0,0,0,0,1), (1,0,1,1,0,1,1,1,1,0)\}$. Let $f$ be a 10-variable bent function such that $f(X) = 0$ for all $X \in S_1 - \{(1,1,1,1,1,1,1,1,1,1)\}$ and $f(X) = 1$ for all $X \in S_2 \cup \{(1,1,1,1,1,1,1,1,1,1)\}$. Let us construct $f'$ as follows:
$$f'(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S_1 \cup S_2 \\ f(X) & \text{otherwise} \end{cases}$$
Then $f'$ is a 10-variable 1-resilient function with nonlinearity 488.
Proof: The proof of the present theorem is similar to that of Theorem 3. Note that $wt(f \oplus X \cdot \omega) = 496$ for all $\omega$ such that $wt(\omega) \in \{0,1\}$. Table 3 shows the values of $f(X)$ and $f'(X)$ for all $X \in S$. Let $A = F_2^{10}$, $S = S_1 \cup S_2$ and $\bar{S} = A - S$. Let $wt(\omega) \in \{0,1\}$. We see from Table 3 that $\rho_1^S(f \oplus X \cdot \omega) = 5$ and $\rho_1^S(f' \oplus X \cdot \omega) = 21$. Then $wt(f \oplus X \cdot \omega) = \rho_1^S(f \oplus X \cdot \omega) + \rho_1^{\bar S}(f \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega) + 5 = 496$ implies $\rho_1^{\bar S}(f \oplus X \cdot \omega) = 491$. Moreover, $\rho_1^{\bar S}(f' \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega)$ for all $\omega \in \{0,1\}^{10}$. Thus $wt(f' \oplus X \cdot \omega) = \rho_1^S(f' \oplus X \cdot \omega) + \rho_1^{\bar S}(f' \oplus X \cdot \omega) = \rho_1^{\bar S}(f \oplus X \cdot \omega) + 21 = 512$. Hence $f'$ is 1-resilient. The nonlinearity of $f'$ can be obtained from the Walsh transform as
$$N_{f'} = 2^9 - \frac{1}{2} \max_{\omega} |W_{f'}(\omega)|.$$
It is known that $W_f(\omega) = \pm 32$ for all $\omega \in \{0,1\}^{10}$. To find $\max_\omega |W_{f'}(\omega)|$, we consider the following cases:
Case 1: Let $wt(\omega) \in \{0,1\}$. Since $f'$ is 1-resilient, $f' \oplus X \cdot \omega$ is balanced. Hence $W_{f'}(\omega) = 0$.
Case 2: Let $wt(\omega) \in \{2, 3, \ldots, 10\}$. We verify from Table 3 that $\rho_1^S(f \oplus X \cdot \omega) \in \{5, 7, 9, 11, 13, 15, 17, 19\}$. Let $\Omega_1 = \{\omega ; \rho_1^S(f \oplus X \cdot \omega) = 5, 7\}$ and $\Omega_2 = \{\omega ; \rho_1^S(f \oplus X \cdot \omega) = 19\}$. It can be verified that $W_f(\omega) = +32$ for $\omega \in \Omega_1$ and $W_f(\omega) = -32$ for $\omega \in \Omega_2$. If $\rho_1^S(f \oplus X \cdot \omega) = 5$, then $W_f(\omega) = [\rho_0^S(f \oplus X \cdot \omega) + \rho_0^{\bar S}(f \oplus X \cdot \omega)] - [\rho_1^S(f \oplus X \cdot \omega) + \rho_1^{\bar S}(f \oplus X \cdot \omega)] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) + 21] - [\rho_1^{\bar S}(f \oplus X \cdot \omega) + 5] = +32$. Hence $[\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] = +16$ and the Walsh transform of $f'$ is $W_{f'}(\omega) = [\rho_0^{\bar S}(f' \oplus X \cdot \omega) + 5] - [\rho_1^{\bar S}(f' \oplus X \cdot \omega) + 21] = [\rho_0^{\bar S}(f \oplus X \cdot \omega) - \rho_1^{\bar S}(f \oplus X \cdot \omega)] - 16 = 0$. Similarly, if $\rho_1^S(f \oplus X \cdot \omega) = 7$ (resp. 19), then $W_{f'}(\omega) = +8$ (resp. $-8$). Otherwise, if $\rho_1^S(f \oplus X \cdot \omega) \in \{9, 11, 13, 15, 17\}$, then the Walsh transform of $f'$ satisfies $W_{f'}(\omega) \in \{\pm 16, \pm 24, \pm 32, \pm 40, \pm 48\}$. So $\max_\omega |W_{f'}(\omega)| = 48$ and $N_{f'} = 2^9 - 24 = 488$. Hence the theorem follows.
Table 2. Table shows the values of $f(X)$ and $f'(X)$ for $X \in S$ (only the first three rows are legible in this copy)
S.N.  x1 x2 x3 x4 x5 x6 x7 x8 x9 x10  f(X)  f'(X)
  0    0  0  0  0  0  0  0  0  0   0    0     1
  1    0  0  0  0  0  0  0  0  0   1    0     1
  2    0  0  0  0  0  0  0  0  1   0    0     1
We now indicate our basis for the choice of the elements of $S$ in Theorem 4. First we select the set $S_1$ and construct
$$f_1(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S_1 \\ f(X) & \text{otherwise} \end{cases}$$
It may be noted that $f_1$ is 1-resilient but $wt(f_1) = 516$. Now to make $f_1$ balanced, keeping the resiliency property unaffected, we choose the elements of $S_2$ by computer search and construct
$$f'(X) = \begin{cases} f_1(X) \oplus 1 & \text{if } X \in S_2 \\ f_1(X) & \text{otherwise.} \end{cases}$$
The bent function of Example 2 can be used in Theorem 4. If we list the elements of $S$ as the rows of a matrix $M$, then in each column of $M$, 1 occurs the same number of times. The matrix $M$ necessarily satisfies this condition to get a 1-resilient function.
We construct a 12-variable 1-resilient function with nonlinearity 1996 by using the same technique as in the construction of the 8-variable and 10-variable resilient functions. Let $n = 12$, $m = 6$ and $g(X_1, X_2) = X_1 X_2$ where $X_i \in F_{2^6}$. We use the primitive polynomial $1 + x + x^6$ to generate the elements of the field $F_{2^6}$. Then, by Lemma 1, we get a 12-variable bent function $f$ with $f(1, 1, \ldots, 1) = 1$. Here we consider $S = \{(000), (001), (002), (004), (008), (010), (020), (040), (080), (100), (200), (400), (800), (FFF), (003), (005), (006), (009), (00A), (00C), (011), (012), (014), (018), (021), (022), (024), (028), (030), (0C0), (140), (180), (240), (280), (300), (440), (480), (500), (600), (840), (880), (900), (A00), (C00), (043), (FBC), (045), (FBA), (049), (FB6), (060), (F9F), (066), (F99)\}$. To save space we present the elements of $S$ in hexadecimal format.
Maitra and Pasalic [3] have constructed a 10-variable (resp. 12-variable) 1-resilient function with nonlinearity 488 (resp. 1996) by suitably concatenating 8-variable 1-resilient functions with nonlinearity 116. But our construction is not based on concatenation, and we believe one can construct 10-variable (resp. 12-variable) 1-resilient functions with maximum nonlinearity 492 (resp. 2012) by choosing an appropriate $S$. In the following section, we focus on the selection of the elements of $S$.
5 Some General Results
Lemma 2. Let $f$ be an $n$-variable ($n$ even) bent function, and let $S \subseteq \{0,1\}^n$ be such that
(i) $\rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) = 2^{n/2-1}$ for all $\omega$ such that $0 \le wt(\omega) \le 1$,
(ii) $-2^2 \le \rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) \le +2^{n/2} + 2^2$ for all $\omega$ whenever $2 \le wt(\omega) \le n$ and $W_f(\omega) = +2^{n/2}$, and
(iii) $-(2^{n/2} + 2^2) \le \rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) \le +2^2$ for all $\omega$ whenever $2 \le wt(\omega) \le n$ and $W_f(\omega) = -2^{n/2}$.
Then
$$f'(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S \\ f(X) & \text{otherwise} \end{cases}$$
is an $n$-variable 1-resilient function with nonlinearity $2^{n-1} - 2^{n/2-1} - 2^2$.
We shall illustrate Lemma 2 by Theorem 3 and Theorem 4. It is easy to verify that, in Theorem 3, $S$ satisfies conditions (i), (ii) and (iii) of Lemma 2. So $f'$ of Theorem 3 is an 8-variable 1-resilient function with maximum nonlinearity. Let us consider Theorem 4. It can be verified that $\rho_1^S(f \oplus X \cdot \omega) = 9$ (resp. 17) for some $\omega$ such that $2 \le wt(\omega) \le 10$ and $W_f(\omega) = -32$ (resp. $W_f(\omega) = +32$). That is, $\rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) = +8$ (resp. $-8$) for some $\omega$ such that $2 \le wt(\omega) \le 10$ and $W_f(\omega) = -32$ (resp. $W_f(\omega) = +32$), which violates condition (iii) (resp. condition (ii)) of Lemma 2. It may be noted that $f'$ of Theorem 4 is a 10-variable 1-resilient function but not one with maximum nonlinearity. In general we have the following lemma.
Lemma 3. Let $f$ be an $n$-variable ($n$ even) bent function, and let $S \subseteq \{0,1\}^n$ be such that
(i) $\rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) = 2^{n/2-1}$ for all $\omega$ such that $0 \le wt(\omega) \le t$,
(ii) $-2^{t+1} \le \rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) \le +2^{n/2} + 2^{t+1}$ for all $\omega$ such that $t+1 \le wt(\omega) \le n$ and $W_f(\omega) = +2^{n/2}$, and
(iii) $-(2^{n/2} + 2^{t+1}) \le \rho_0^S(f \oplus X \cdot \omega) - \rho_1^S(f \oplus X \cdot \omega) \le +2^{t+1}$ for all $\omega$ such that $t+1 \le wt(\omega) \le n$ and $W_f(\omega) = -2^{n/2}$.
Then
$$f'(X) = \begin{cases} f(X) \oplus 1 & \text{if } X \in S \\ f(X) & \text{otherwise} \end{cases}$$
is an $n$-variable $t$-resilient function with nonlinearity $2^{n-1} - 2^{n/2-1} - 2^{t+1}$ if $t+1 \le n/2 - 1$.
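As an added example (not code from the paper), the following Python builds the bent function of Example 1 as $Tr(X_1 X_2)$ over $F_{2^4}$ generated by $x^4 + x + 1$, computes its Walsh spectrum (Definition 5), nonlinearity and resiliency order (Definition 6), applies the bit flipping of Theorem 3 on $S = S_1 \cup S_2$, and checks conditions (i)-(iii) of Lemma 2 (the $t = 1$ case of Lemma 3) for that $S$. The bit-to-field encoding (polynomial basis, $x_1$ the most significant bit, $X_1$ and $X_2$ in the same basis) is an assumption of this example, so the truth table need not match the printed string bit for bit, but the weight, nonlinearity and Lemma 2 checks do not depend on it.

```python
# Added example, not from the paper. Encoding assumption: X = (x1, ..., x8) is the
# 8-bit integer with x1 as its most significant bit; X1 is the high nibble and X2 the
# low nibble, each read as coefficients of (x^3, x^2, x, 1) over F_2[x]/(x^4 + x + 1).

N = 8            # number of variables
M = N // 2       # degree of the subfield F_{2^m}
POLY = 0b10011   # x^4 + x + 1, the primitive polynomial of Example 1

def gf_mul(a, b):
    """Multiply two elements of F_{2^4} given as 4-bit integers."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= POLY
    return r

def trace(a):
    """Tr(a) = a + a^2 + a^4 + a^8, the trace from F_{2^4} to F_2 (returns 0 or 1)."""
    t, p = 0, a
    for _ in range(M):
        t ^= p
        p = gf_mul(p, p)
    return t

def bent_trace_product():
    """Truth table of f(X1, X2) = Tr(X1 * X2), an 8-variable bent function by Lemma 1."""
    mask = (1 << M) - 1
    return [trace(gf_mul(x >> M, x & mask)) for x in range(1 << N)]

def dot(x, omega):
    """X . omega, the parity of the bitwise AND of the two vectors."""
    return bin(x & omega).count("1") & 1

def walsh_spectrum(tt):
    """W_f(omega) = sum_X (-1)^(f(X) xor X.omega), via the fast Walsh-Hadamard transform."""
    w = [1 - 2 * v for v in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w

def nonlinearity(tt):
    """N_f = 2^(n-1) - (1/2) max |W_f(omega)|."""
    return len(tt) // 2 - max(abs(v) for v in walsh_spectrum(tt)) // 2

def resiliency_order(tt):
    """Largest t with W_f(omega) = 0 for all wt(omega) <= t (Definition 6); -1 if unbalanced."""
    w = walsh_spectrum(tt)
    t = -1
    for k in range(len(tt).bit_length()):
        if any(w[o] != 0 for o in range(len(tt)) if bin(o).count("1") == k):
            break
        t = k
    return t

def flip_on(tt, S):
    """f'(X) = f(X) xor 1 for X in S and f(X) otherwise (Theorems 3 and 4, Lemma 2)."""
    out = list(tt)
    for x in S:
        out[x] ^= 1
    return out

def lemma2_holds(tt, S):
    """Check conditions (i)-(iii) of Lemma 2 for a bent f; diff = rho_0^S - rho_1^S."""
    half = 1 << (N // 2)                 # 2^(n/2), the magnitude of every W_f(omega)
    w = walsh_spectrum(tt)
    for omega in range(len(tt)):
        diff = sum(1 - 2 * (tt[x] ^ dot(x, omega)) for x in S)
        if bin(omega).count("1") <= 1:
            ok = diff == half // 2                       # (i)
        elif w[omega] == half:
            ok = -4 <= diff <= half + 4                  # (ii)
        else:
            ok = -(half + 4) <= diff <= 4                # (iii)
        if not ok:
            return False
    return True

S1 = [1 << i for i in range(N)]   # the eight unit vectors of Theorem 3
S2 = [0, (1 << N) - 1]            # the all-zero and all-one vectors

def theorem3_example():
    """Apply Theorem 3 to the Example 1 bent function and measure the result."""
    f = bent_trace_product()
    # hypotheses of Theorem 3: f vanishes on S1 and on 0, and f(1, ..., 1) = 1
    assert all(f[x] == 0 for x in S1 + [0]) and f[(1 << N) - 1] == 1
    f1 = flip_on(f, S1 + S2)
    return {"wt_f": sum(f), "nl_f": nonlinearity(f),
            "lemma2": lemma2_holds(f, S1 + S2),
            "wt_f1": sum(f1), "nl_f1": nonlinearity(f1),
            "resiliency_f1": resiliency_order(f1)}
```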
6 Conclusions
We have considered the construction of 1-resilient functions with maximum nonlinearity. We have constructed 8-variable 1-resilient functions with maximum nonlinearity. Moreover, we have constructed 10-variable (resp. 12-variable) 1-resilient functions with nonlinearity 488 (resp. 1996). The new construction is based on selecting a set $S$ of elements. However, we mention that we do not have any good algorithm to generate the elements of $S$. The method used to construct the three Boolean functions may be generalized, and that is our future course of research. It is also interesting to investigate the propagation characteristics of these functions.
Acknowledgement The authors are grateful to Stichting Nlnet, Netherlands for supporting this research work.
References
[1] Biham, E. and Shamir, A., Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, Vol. 4, No. 1, 1991, pp. 3-72.
[2] Carlet, C. and Ding, C., Highly nonlinear mappings. Email: [email protected] (C. Carlet), [email protected] (C. Ding).
[3] Maitra, S. and Pasalic, E., Further construction of resilient Boolean functions with very high nonlinearity. IEEE Trans. on Information Theory, Vol. 48, No. 7, July 2002, pp. 1825-1834.
[4] Matsui, M., Linear cryptanalysis method for DES cipher. Advances in Cryptology – EUROCRYPT 1993, LNCS 765, 1994, pp. 386-397.
[5] Nyberg, K., Perfect non-linear S-boxes. Advances in Cryptology – EUROCRYPT 1991, LNCS 547, 1992, pp. 378-386.
[6] Rothaus, O. S., On bent functions. J. Combin. Theory, Ser. A 20, 1976, pp. 300-305.
[7] Sarkar, P. and Maitra, S., Nonlinearity bounds and constructions of resilient Boolean functions. CRYPTO 2000, LNCS 1880, 2000, pp. 515-532.
[8] Siegenthaler, T., Correlation-immunity of nonlinear combining functions for cryptographic applications. IEEE Trans. on Information Theory, IT-30(5), September 1984, pp. 776-780.
[9] Tarannikov, Y. V., On resilient Boolean functions with maximum possible nonlinearity. In Progress in Cryptology – INDOCRYPT 2000, LNCS 1977, Springer-Verlag, 2000, pp. 19-30.
[10] Xiao, G. and Massey, J. L., A spectral characterization of correlation-immune functions. IEEE Trans. on Information Theory, 34(3), 1988, pp. 569-571.
[11] Zheng, Y. and Zhang, X. M., Improved upper bound on the nonlinearity of high order correlation immune functions. In Selected Areas in Cryptography – SAC 2000, LNCS 2012, 2000, pp. 264-274.
Evolving Boolean Functions Satisfying Multiple Criteria

John A. Clark (1), Jeremy L. Jacob (1), Susan Stepney (1), Subhamoy Maitra (2), and William Millan (3)

(1) Department of Computer Science, University of York, York YO10 5DD, England. {jac,jeremy,susan.stepney}@cs.york.ac.uk
(2) Applied Statistics Unit, Indian Statistical Institute, 203 B T Road, Calcutta 700 108, India. [email protected]
(3) Information Security Research Center, Queensland University of Technology, GPO Box 2434, Brisbane, Queensland, Australia 4001. [email protected]
Abstract. Many desirable properties have been identified for Boolean functions with cryptographic applications. Obtaining optimal tradeoffs among such properties is hard. In this paper we show how simulated annealing, a search technique inspired by the cooling processes of molten metals, can be used to derive functions with profiles of cryptographically relevant properties as yet unachieved by any other technique.

Keywords: Heuristic Optimisation, Boolean Functions, Nonlinearity, Autocorrelation, Correlation Immunity.
1 Introduction
A variety of desirable criteria for functions with cryptographic application have been identified: balancedness, high nonlinearity, correlation immunity of reasonably high order, low autocorrelation, high algebraic degree, etc. The tradeoffs between these criteria have received a lot of attention in the Boolean function literature for some time (see [12] and the references therein). The more criteria that have to be taken into account, the more difficult it is to generate Boolean functions satisfying those properties purely by constructive algebraic means. Indeed, recent work has sought to blend construction with aspects of computer search. Many of the best functions on small numbers of variables (7–10) have been obtained in this way [12, 19, 16]. Some authors have attempted to use guided search techniques to evolve Boolean functions [13, 14, 15, 3]. Although such efforts have shown promise, they have not rivalled the best of alternative methods. In this paper, using modifications of the simulated annealing based approach in [3], we demonstrate how to evolve various functions with profiles of desirable properties unachieved by other means.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 246–259, 2002. © Springer-Verlag Berlin Heidelberg 2002
We shall also show how the capabilities of search-based techniques can be enhanced using well-established cryptology theory (and change of basis in particular). First, we provide the technical definitions needed to understand this paper together with a description of the simulated annealing algorithm used.
2 Preliminaries
Boolean Functions. This section provides definitions concerning Boolean functions with cryptographic application. We denote the binary truth table of a Boolean function by $f : Z_2^n \to Z_2$, mapping each combination of n binary values to some binary value. If the number of combinations mapping to 0 is the same as the number mapping to 1 then the function is said to be balanced. The polarity truth table is a particularly useful representation for our purposes. It is defined by $\hat f(x) = (-1)^{f(x)}$. Two functions f and g are said to be uncorrelated when $\sum_{x \in Z_2^n} \hat f(x)\hat g(x) = 0$. If so, one who tries to approximate f by using g will be right half the time and wrong half the time. An area of particular importance for cryptanalysts is the ability to approximate a function f by a simple linear function. One of the cryptosystem designer's tasks is to make such approximation as difficult as possible (by making the function f suitably nonlinear). We make use of the following terms (these and further definitions can be found in [2] and [25]).

Linear Boolean Function. A linear Boolean function, determined by $\omega \in Z_2^n$, is denoted by $L_\omega(x) = \omega_1 x_1 \oplus \omega_2 x_2 \oplus \cdots \oplus \omega_n x_n$, where $\omega_i x_i$ denotes the bitwise AND of the i-th bits of ω and x, and ⊕ denotes bitwise XOR.

Affine Function. The set of affine functions is the set of linear functions and their complements, $A_{\omega,c}(x) = L_\omega(x) \oplus c$, where $c \in Z_2$.

Walsh Hadamard Transform. For a function f, the Walsh Hadamard Transform $\hat F_f$ is defined by $\hat F_f(\omega) = \sum_{x \in Z_2^n} \hat f(x)\hat L_\omega(x)$. We denote the maximum absolute value by $WH_{max}(f) = \max_{\omega \in Z_2^n} |\hat F_f(\omega)|$. It is related to the nonlinearity of f.

Nonlinearity. The nonlinearity $N_f$ of a Boolean function f is its minimum distance to any affine function. It is given by $N_f = \frac{1}{2}\,(2^n - WH_{max}(f))$.

Parseval's Theorem. This states that $\sum_{\omega \in Z_2^n} (\hat F_f(\omega))^2 = 2^{2n}$. A consequence of this result is that $WH_{max}(f) \ge 2^{n/2}$. This fact forms the starting point for the principal cost functions in this paper.
Autocorrelation Transform. The autocorrelation transform of a function f is given by $\hat r_f(s) = \sum_x \hat f(x)\hat f(x \oplus s)$. We denote the maximum absolute value in the autocorrelation spectrum of a function f (taken over s ≠ 0) by $AC_f$, i.e., $AC_f = \max_{s \ne 0} \left| \sum_x \hat f(x)\hat f(x \oplus s) \right|$. Here x and s range over $Z_2^n$, and so $x \oplus s$ is also in $Z_2^n$.
Simulated Annealing. In 1983 Kirkpatrick et al. [8] proposed simulated annealing, a new search technique inspired by the cooling processes of molten metals. It merges hill-climbing with the probabilistic acceptance of non-improving moves. The basic algorithm is shown in Figure 1. The search starts at some initial state $S = S_0$. There is a control parameter T known as the temperature. This starts 'high' at $T_0$ and is gradually lowered. At each temperature, a number MIL (Moves in Inner Loop) of moves to new states are attempted. A candidate state Y is randomly selected from the neighborhood N(S) of the current state. The change in value, δ, of f is calculated. If it improves the value of f(S) (i.e., if δ < 0 for a minimisation problem) then a move to that state is taken (S = Y); if not, then it is taken with some probability. The worse a move is, the less likely it is to be accepted. The lower the temperature T, the less likely a worsening move is to be accepted. Probabilistic acceptance is determined by generating a random value U in the range (0..1) and performing the indicated comparison. Initially the temperature is high and virtually any move is accepted. As the temperature is lowered it becomes ever more difficult to accept worsening moves. Eventually, only improving moves are allowed and the process becomes 'frozen'. The algorithm terminates when the stopping criterion is met. Common stopping criteria, and the ones used for the work in this paper, are to stop the search after a fixed number MaxIL of inner loops have been executed, or else when some maximum number MUL of consecutive unproductive inner loops have been executed (i.e., without a single move having been accepted). Generally the best state achieved so far is also recorded (since the search may actually move out of it and subsequently be unable to find a state of similar quality). At the end of each inner loop the temperature is lowered. The simplest way of lowering the temperature is to multiply by a constant cooling factor α in the range (0..1); this is known as geometric cooling. The basic simulated annealing algorithm has proven remarkably effective over a range of problems.
    S = S_0
    T = T_0
    Repeat {
        for (int i = 0; i < MIL; i++) {
            Select Y ∈ N(S)
            δ = f(Y) − f(S)
            if (δ < 0) then S = Y
            else
                Generate U = U(0, 1)
                if (U < exp(−δ/T)) then S = Y
        }
        T = T × α
    } Until stopping criterion is met

Fig. 1. Basic Simulated Annealing for Minimisation Problems
3 Nonlinearity, Autocorrelation and Algebraic Degree

3.1 Cost Functions and General Approach
We aim to derive excellent Boolean functions via optimisation of some cost function. The cost function used here is motivated by Parseval's theorem and the characteristics of Bent functions. Bent functions have maximal nonlinearity and zero autocorrelation. For Bent functions $|\hat F_f(\omega)| = 2^{n/2}$ for all ω. For balanced Boolean functions this ideal bound cannot be achieved, but it does suggest that a cost function that seeks to minimise the spread of the Walsh Hadamard values is well motivated. Accordingly a cost function of the following form is used:

$$cost(\hat f) = \sum_{\omega \in Z_2^n} \Big| \, |\hat F_f(\omega)| - X \, \Big|^R \qquad (1)$$
The value R is positive and can be varied. In the experiments reported here we have mostly used R = 3. Values of X ranging from −16 to 30 have been used. (This was to investigate the effects of parametric variation. Here we present only summary results. Further results can be found in [4].) A balanced function is represented using polar form, i.e., as a vector $\hat f$ in $R^{2^n}$ with $2^{n-1}$ elements equal to 1 and $2^{n-1}$ elements equal to −1. A search starts with a balanced (but otherwise random) function in polar form. A valid move simply swaps two dissimilar vector elements and so preserves balance: the (equal) numbers of 1s and −1s are maintained. The approach is as follows:

1. Use an annealing-based search to minimise the value of the new cost function (suitably parametrised) given in Equation (1). Let the best solution produced during the search be $f_{sa}$.
2. Hill-climb from $f_{sa}$ with respect to nonlinearity or autocorrelation (we shall term these the Non-Linearity Targeted (NLT) and Auto-Correlation Targeted (ACT) approaches respectively) to produce the final solution $f_{sahc}$.
3. Measure the nonlinearity, autocorrelation and algebraic degree of $f_{sahc}$.
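An added example, not code from the paper: the NLT procedure above on n = 5 inputs, i.e. the annealing loop of Fig. 1 run over balanced polar truth tables with the cost function of Equation (1), followed by a hill-climb on nonlinearity. The annealing parameter values and the helper names (`walsh`, `cost`, `anneal`, `nlt`) are assumptions made for this example.

```python
import math
import random

# Added example (not the authors' code): NLT = annealing on Equation (1) + hill-climb on
# nonlinearity, for a balanced function of n inputs in polar form (+1/-1 entries).

def walsh(pol):
    """F_f(w) = sum_x f^(x) (-1)^(w.x) for a polarity truth table (naive O(4^n), fine for n=5)."""
    N = len(pol)
    return [sum(pol[x] * (-1) ** bin(w & x).count("1") for x in range(N)) for w in range(N)]

def nonlinearity(pol):
    """N_f = (2^n - WH_max(f)) / 2."""
    return (len(pol) - max(abs(v) for v in walsh(pol))) // 2

def cost(pol, X, R):
    """Equation (1): sum over w of | |F_f(w)| - X |^R."""
    return sum(abs(abs(v) - X) ** R for v in walsh(pol))

def random_balanced(n, rng):
    """Random polar truth table with 2^(n-1) entries of +1 and 2^(n-1) of -1."""
    pol = [1] * 2 ** (n - 1) + [-1] * 2 ** (n - 1)
    rng.shuffle(pol)
    return pol

def neighbour(pol, rng):
    """A valid move: swap one +1 with one -1, which preserves balance."""
    ones = [i for i, v in enumerate(pol) if v == 1]
    minus = [i for i, v in enumerate(pol) if v == -1]
    i, j = rng.choice(ones), rng.choice(minus)
    y = list(pol)
    y[i], y[j] = y[j], y[i]
    return y

def anneal(n, X=0, R=3, T0=10.0, alpha=0.9, MIL=50, MaxIL=30, MUL=5, rng=None):
    """Figure 1 for a minimisation problem; returns the best state seen (f_sa).
    Parameter values are small assumptions chosen so the run finishes in seconds."""
    rng = rng or random.Random(1)
    S = random_balanced(n, rng)
    fS = cost(S, X, R)
    best, fbest = S, fS
    T, unproductive = T0, 0
    for _ in range(MaxIL):                      # outer loop: one temperature each
        accepted = 0
        for _ in range(MIL):                    # inner loop: MIL attempted moves
            Y = neighbour(S, rng)
            fY = cost(Y, X, R)
            delta = fY - fS
            # improving moves are taken; worsening moves with probability exp(-delta/T)
            if delta < 0 or rng.random() < math.exp(-delta / T):
                S, fS = Y, fY
                accepted += 1
                if fS < fbest:
                    best, fbest = S, fS
        unproductive = unproductive + 1 if accepted == 0 else 0
        if unproductive >= MUL:                 # MUL consecutive unproductive inner loops
            break
        T *= alpha                              # geometric cooling
    return best

def hill_climb_nl(pol, rng=None, tries=200):
    """The NLT step: accept any balance-preserving swap that strictly raises nonlinearity."""
    rng = rng or random.Random(2)
    nl = nonlinearity(pol)
    for _ in range(tries):
        Y = neighbour(pol, rng)
        nlY = nonlinearity(Y)
        if nlY > nl:
            pol, nl = Y, nlY
    return pol

def nlt(n, X=0, R=3, seed=1):
    """Steps 1 and 2 of the approach: anneal on Equation (1), then hill-climb on nonlinearity."""
    rng = random.Random(seed)
    f_sa = anneal(n, X, R, rng=rng)
    return hill_climb_nl(f_sa, rng)

if __name__ == "__main__":
    f = nlt(5)
    print("balanced n=5 function with nonlinearity", nonlinearity(f), "(best known: 12)")
```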
3.2 Experimental Results
A variety of runs have been carried out. Our interest is primarily in demonstrating the profiles of properties of the functions generated by the NLT and ACT methods. The best profiles are recorded in Table 1. (Further information on nonlinearity and autocorrelation in isolation is given in Tables 2 and 3.) The quadruplet entry (n, d, nl, ac) indicates that the technique was able to evolve a function on n inputs with algebraic degree d, nonlinearity nl and autocorrelation ac. For n less than or equal to 7 the technique has generated functions with the highest achievable nonlinearity values (often within a few seconds). For n = 8 no function with nonlinearity of 118 has ever been demonstrated. The evolution of functions with profile (8, 5, 112, 16) is of particular interest. The autocorrelation value of 16 is lower than the best achieved previously (and indeed lower than a recently conjectured bound). Table 3 summarises autocorrelation results. For n = 5, 6, 7 and 8 the autocorrelation must be bounded below by 8. Despite extensive computation, AC values of 8 have eluded discovery for n = 6, 7 and 8. Many functions found by the searches have best achieved values for nonlinearity, autocorrelation and algebraic degree simultaneously. (Note: for n = 5, the profiles shown have been found to be optimal by exhaustive search, i.e., (5, 4, 12, 8) is unattainable.) Zhang and Zheng [25] offered two Global Avalanche Criteria (GAC). One was what we have termed autocorrelation above; the other was the sum-of-squares measure $\sigma_f$ (which treats all autocorrelation transform values $\hat r(s)$ equally):

$$\sigma_f = \sum_{s=0}^{2^n - 1} \hat r^2(s) \qquad (2)$$

Table 1. Best Values (n, d, nl, ac) Obtained Using NLT (upper) and ACT (lower)
NLT: (5,3,12,8) (6,5,26,16) (7,6,56,16) (8,7,116,24) (5,4,12,16) (8,5,112,16) (9,8,238,40) (10,9,486,72) (11,9,984,96) (12,10,1992,156) (10,9,484,64) (11,10,982,96) (12,10,1990,144)
ACT: (5,3,12,8) (6,5,26,16) (7,6,56,16) (8,7,116,24) (5,4,12,16) (8,5,112,16) (9,8,238,40) (10,9,484,56) (11,10,982,88) (12,11,1986,128)

Table 2. Comparing the Nonlinearity of Balanced Functions
n                          |  5 |  6 |  7 |   8 |   9 |  10 |   11 |   12
Lowest Upper Bound         | 12 | 26 | 56 | 118 | 244 | 494 | 1000 | 2014
Best Known Example [17, 7] | 12 | 26 | 56 | 116 | 240 | 492 |  992 | 2010
Dobbertin's Conjecture [5] |  - | 26 |  - | 116 |   - | 492 |    - | 2010
Bent Concatenation         | 12 | 24 | 56 | 112 | 240 | 480 |  992 | 1984
Random                     |  - |  - |  - | 112 | 230 | 472 |  962 | 1954
Random Plus Hill-Climb     |  - |  - |  - | 114 | 236 | 476 |  968 | 1960
Genetic Algorithms [14]    | 12 | 26 | 56 | 116 | 236 | 484 |  980 | 1976
NLT                        | 12 | 26 | 56 | 116 | 238 | 486 |  984 | 1992
ACT                        | 12 | 26 | 56 | 116 | 238 | 484 |  982 | 1986

Table 3. Conjectured Bounds and Attained Values for Autocorrelation of Balanced Functions
n                        | 5 |  6 |  7 |  8 |  9 | 10 | 11 |  12
Zhang and Zheng          | 8 | 16 | 16 | 24 | 32 | 48 | 64 |  96
Maitra Construction [10] | 8 | 16 | 16 | 24 | 32 | 40 | 64 |  80
Maitra Conjecture [10]   | - | 16 |  - | 24 |  - | 40 |  - |  80
NLT                      | 8 | 16 | 16 | 16 | 40 | 64 | 96 | 144
ACT                      | 8 | 16 | 16 | 16 | 40 | 56 | 88 | 128

Table 4. Sum of Squares Bounds and Results using Equation (2). 100 Runs. Annealing parameters of α = 0.95, MIL = 200, MaxIL = 400 and MUL = 50
n  | Son et al. Bound | GAC-σ_f Bound | Annealing + Hill-climbing: Minimum | Average  | Maximum | Average Time (secs)
5  |    1280 |    2048 |    1664 |    1664   |    1664 |   0.4
6  |    4608 |    7168 |    6784 |    6784   |    6784 |   1.2
7  |   17408 |   32768 |   23936 |   24550.4 |   24704 |   1.25
8  |   67584 |   90112 |   86656 |   89931.5 |  101248 |   2.9
9  |  266240 |  524288 |  379904 |  389273.6 |  404864 |  13.5
10 | 1056768 | 1245184 | 1535488 | 1550272   | 1566592 | 137
Zhang and Zheng also offered constructions for even and odd n and claimed that the resulting sums of squares were optimal for balanced functions. This is in fact not the case. The authors have used simulated annealing with the sum-of-squares given in Equation (2) as a cost function to obtain functions with lower values. For 5–10 input variables 100 runs of the annealing algorithm were carried out followed by hill-climbing (with the same cost function). The results are given in Table 4. Lower bounds on GAC sum-of-squares values have recently been derived by Son et al. and are also shown in Table 4. Zhang and Zheng’s conjectured bounds have frequently and easily been exceeded, often within a few seconds (running on a 1.4 GHz Pentium PC). The GAC sum-of-squares of functions derived by NLT and ACT methods earlier have also been measured. Some functions had sums-of-squares as low as the minima generated by the direct experiments in this section. Additionally, for n = 9 a function with sum-of-squares value of 376832 had been generated and for n = 10 one with value 1534720 had been produced. Each is lower than the results obtained by the direct use of sum-of-squares as a cost function (shown in Table 4). This suggests that the cost function given in Equation (1) is capable of generating very special functions indeed. As it happens, there are more surprises in store, as we show below.
4 Constructing Correlation Immune Functions
The relationship between the criteria balancedness, correlation immunity, nonlinearity and algebraic degree is now known [20, 19, 1, 24, 21]. At this point, by an (n, m, d, x) function we denote an n-variable, m-resilient function with degree d and nonlinearity x, following the notation in [19]. It is now clear that the nonlinearity and algebraic degree of such functions are maximised simultaneously, and for balanced mth order correlation immune functions the maximum algebraic degree is n − m − 1 [20]. Let us now clarify the exact upper bounds on nonlinearity of resilient Boolean functions. In particular we consider (n, m, n − m − 1, x) functions. We use the term nlmax(n) to denote the maximum nonlinearity of an n-variable Boolean function. It is known that for n even, $nlmax(n) = 2^{n-1} - 2^{n/2 - 1}$ (bent functions). However, the problem remains open for odd n. It is clear that the bent functions cannot be correlation immune. For the n odd case, to write the upper bound on nonlinearity of resilient functions, we assume here that the functions attaining the maximum possible nonlinearity nlmax(n) may have the correlation immunity property.

1. If n is even, and m > n/2 − 2, then $x \le 2^{n-1} - 2^{m+1}$.
2. If n is even, and m ≤ n/2 − 2, then $x \le 2^{n-1} - 2^{n/2 - 1} - 2^{m+1}$.
3. If n is odd, and $nlmax(n) \ge 2^{n-1} - 2^{m+1}$, then $x \le 2^{n-1} - 2^{m+1}$.
4. If n is odd, and $nlmax(n) < 2^{n-1} - 2^{m+1}$, then x is the highest multiple of $2^{m+1}$ which is ≤ nlmax(n).

Table 5. Upper Bounds on Achievable Properties (n, m, d, nl)
m = 1: (5, 1, 3, 12) (6, 1, 4, 24) (7, 1, 5, 56) (8, 1, 6, 116) (9, 1, 7, 244)* (10, 1, 8, 492)*
m = 2: (5, 2, 2, 8) (6, 2, 3, 24) (7, 2, 4, 56) (8, 2, 5, 112) (9, 2, 6, 240)* (10, 2, 7, 488)*
m = 3: (5, 3, 1, 0) (6, 3, 2, 16) (7, 3, 3, 48) (8, 3, 4, 112) (9, 3, 5, 240)* (10, 3, 6, 480)
m = 4: (6, 4, 1, 0) (7, 4, 2, 32) (8, 4, 3, 96) (9, 4, 4, 224) (10, 4, 5, 480)
m = 5: (7, 5, 1, 0) (8, 5, 2, 64) (9, 5, 3, 192) (10, 5, 4, 448)

Table 5 provides the best theoretical bounds known for optimal tradeoffs for balanced functions and is formed using information in [19, 21, 12, 16, 22, 23]. The mark '*' in Table 5 highlights that the indicated bound has not yet been demonstrated by any method. Examples of (7, 2, 4, 56) functions [16] and (8, 1, 6, 116) functions [12] were found only very recently using search techniques which need considerable combinatorial argument to reduce the search space.

4.1 Motivation and Method – The First Pass
In [14] a genetic algorithm was used to derive correlation immune balanced functions with high nonlinearity. A cost function influenced by the notions of deviation from [14], but which draws more on the experience of the previous section, is

$$cost(f) = \sum_{|\omega| \le m} |\hat F_f(\omega)|^R + A \times \max_{\omega} |\hat F_f(\omega)|. \qquad (3)$$
Here A is a weighting constant for the nonlinearity component. This enables correlation immunity and nonlinearity to be taken into account. For correlation immunity, the values of all relevant $|\hat F_f(\omega)|$ rather than just the most extreme value are considered. The search will be restricted to balanced functions and so $\hat F_f(0) = 0$. Algebraic degree is ignored during the search; its value is simply recorded for the final function obtained. Experiments were carried out for 5–10 input variables. The parameter A in Equation (3) was 10 (except for the searches for (7,2,4,56) where a value of 100 proved successful). The parameter R varied from 2.0 to 3.0. The cooling parameter α was in the range 0.95–0.99. MIL was in the range 400–2000 and MUL was in the range 50–200. In heuristic search, experimentation with cost function and annealing parameters is pretty much universal. Table 6 records the best values attained. The values marked with an asterisk are known to be suboptimal (from Table 5). The symbol ⇐= indicates that direct attempts failed but the values have been inherited from a higher order success (e.g., the technique successfully evolved a (9,5,3,192) function and since any CI(5) function is also CI(4), a (9,4,3,192) function has been demonstrated too).
Table 6. Best Results (n, m, d, nl) obtained by the Direct Method
m = 1: (5, 1, 3, 12) (6, 1, 4, 24) (7, 1, 5, 52)* (8, 1, 6, 112)* (9, 1, 7, 232)* (10, 1, 8, 476)*
m = 2: (5, 2, 2, 8) (6, 2, 3, 24) (7, 2, 4, 56) (8, 2, 5, 112) (9, 2, 6, 232)
m = 3: (6, 3, 2, 16) (7, 3, 3, 48) (8, 3, 3, 96, 256)* n = 9: ⇐=*
m = 4: (7, 4, 2, 32) (8, 4, 3, 96) n = 9: ⇐=*
m = 5: (8, 5, 2, 64) (9, 5, 3, 192)
The direct technique would appear to have achieved a fair amount of success. In addition it has proved capable of deriving a (7,2,4,56) function (demonstrated only very recently [16]).

4.2 Change of Basis
We now revisit the functions generated previously by the NLT and ACT approaches and investigate whether they can be transformed under change of basis to give first order correlation immune functions. This technique has previously been used by Maitra and Pasalic [12]. Consider functions f on n input variables. Now consider the set of Walsh zeroes

$$WZ_f = \{\omega : \hat F_f(\omega) = 0\} \qquad (4)$$

If there exist n linearly independent vectors in $WZ_f$, then one can construct a nonsingular n × n matrix $B_f$ whose rows are linearly independent vectors from $WZ_f$. Let $C_f = B_f^{-1}$. Now if we construct a function $f'(x) = f(C_f x)$, then both f, f' have the same nonlinearity and algebraic degree. Moreover, $\hat F_{f'}(\omega) = 0$ for wt(ω) = 1, where $\hat F_{f'}$ is the Walsh Hadamard transform of f'. This ensures that f' is 1st order correlation immune. Also if f is balanced then f' is balanced. In Section 3, we have considered optimization both in terms of nonlinearity and autocorrelation values. Now we transform these functions to obtain correlation immune functions of order 1 using linear transformation. Using this technique we get the functions (5, 1, 3, 12, 8), (6, 1, 4, 24, 16), (7, 1, 5, 56, 16), (8, 1, 6, 116, 24), (9, 1, 7, 236, 40), (10, 1, 8, 484, 64), (11, 1, 9, 984, 96) and (12, 1, 10, 1992, 160). Here we consider the function parameters in the form $(n, m, d, nl, AC_f)$. The value of the parameter X in Equation (1) may have a significant effect. For example, for n = 8 and X = −14, 82 out of 100 runs produced functions with Walsh zeroes of rank 8. With X = 0 none were produced. The reader is referred to [4] for details. Here we present only summary results.

Comparison to Previous Works for 1st Order Correlation Immunity. Note that the function (5, 1, 3, 12, 8) has been reported in [11]. The (6, 1, 4, 24) and (7, 1, 5, 56) functions have been reported in [18]. However, the construction proposed in [18] has not considered the $AC_f$ value. A construction by Maitra [18] provides (6, 1, 4, 24, 64) and (7, 1, 5, 56, 64) functions, in comparison to the (6, 1, 4, 24, 16) and (7, 1, 5, 56, 16) functions obtained by our method. We have also used an (8, 0, 6, 116, 24) function with the support a53a20176ca6cbd897f5a8743035cda47fc5ace26bc8ef4e4030ad66929c0ebb and transformed it to get an (8, 1, 6, 116, 24) function with the following support: c7d185111af4adfdc36666da964280f9c93ab2558d28cd621fd63a0b6a8fb531. This function has a much better autocorrelation property than the (8, 1, 6, 116, 80) function described in [12]. In [12], a (10, 1, 8, 488, 320) function has been constructed, and a (10, 1, 8, 484, 192) function has been constructed in [18]. The autocorrelation values have not been reported in the respective papers; we have computed them here. In our method, the (10, 1, 8, 484, 64) function has been found using linear transformation from a (10, 0, 8, 484, 64) function.
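As an added example (not the authors' code), the following computes the $(n, m, d, nl, AC_f)$ profile of a function given as a hex support, as in the paragraph above, and carries out the Walsh-zero change of basis of this section on the (8, 0, 6, 116, 24) support quoted there. The hex-to-truth-table bit ordering is an assumption (any other ordering that is an affine map of the index gives the same profile, since every quantity computed is an affine invariant), and the helper names are mine.

```python
# Added example, not code from the paper: profile a Boolean function given as a hex
# "support" string and apply the Section 4.2 change of basis to make it CI(1).
# Assumed convention: bit i of the string (most significant bit first) is f(i), with i
# read as the binary word x_1 ... x_n.

SUPPORT_8_0_6_116_24 = ("a53a20176ca6cbd897f5a8743035cda4"
                        "7fc5ace26bc8ef4e4030ad66929c0ebb")   # quoted in Section 4.2

def hex_to_tt(h, n):
    """Hex support -> truth table as a list of 2^n bits."""
    bits = bin(int(h, 16))[2:].zfill(4 * len(h))
    assert len(bits) == 2 ** n, "support length does not match n"
    return [int(b) for b in bits]

def walsh(tt):
    """Fast Walsh Hadamard transform of the polarity table: F_f(w) = sum_x f^(x)(-1)^(w.x)."""
    spec = [1 - 2 * b for b in tt]
    h = 1
    while h < len(spec):
        for i in range(0, len(spec), 2 * h):
            for j in range(i, i + h):
                a, b = spec[j], spec[j + h]
                spec[j], spec[j + h] = a + b, a - b
        h *= 2
    return spec

def nonlinearity(tt):
    """N_f = (2^n - WH_max(f)) / 2."""
    return (len(tt) - max(abs(v) for v in walsh(tt))) // 2

def autocorrelation_max(tt):
    """AC_f: largest |r_f(s)| over s != 0."""
    pol, N = [1 - 2 * b for b in tt], len(tt)
    return max(abs(sum(pol[x] * pol[x ^ s] for x in range(N))) for s in range(1, N))

def algebraic_degree(tt):
    """Degree of the algebraic normal form, via the binary Moebius transform."""
    anf, h = list(tt), 1
    while h < len(anf):
        for i in range(0, len(anf), 2 * h):
            for j in range(i, i + h):
                anf[j + h] ^= anf[j]
        h *= 2
    return max((bin(u).count("1") for u in range(len(anf)) if anf[u]), default=0)

def ci_order(tt):
    """Largest m with F_f(w) = 0 for all 1 <= wt(w) <= m (Xiao-Massey); 0 if none."""
    spec, m, n = walsh(tt), 0, len(tt).bit_length() - 1
    by_wt = lambda k: (w for w in range(1, len(tt)) if bin(w).count("1") == k)
    while m < n and all(spec[w] == 0 for w in by_wt(m + 1)):
        m += 1
    return m

def profile(tt):
    """(n, m, d, nl, AC_f); m (resiliency order) is None when f is not balanced."""
    n = len(tt).bit_length() - 1
    m = ci_order(tt) if 2 * sum(tt) == len(tt) else None
    return (n, m, algebraic_degree(tt), nonlinearity(tt), autocorrelation_max(tt))

def reduce_vec(v, basis):
    """Reduce v against a GF(2) basis stored as {leading_bit: vector}; 0 if dependent."""
    while v and (v.bit_length() - 1) in basis:
        v ^= basis[v.bit_length() - 1]
    return v

def gf2_inverse(rows, n):
    """Gauss-Jordan inverse of an invertible n x n GF(2) matrix; rows are bitmasks, bit k = column k."""
    aug = [(rows[i], 1 << i) for i in range(n)]
    for col in range(n):
        piv = next(r for r in range(col, n) if aug[r][0] >> col & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][0] >> col & 1:
                aug[r] = (aug[r][0] ^ aug[col][0], aug[r][1] ^ aug[col][1])
    return [inv for _, inv in aug]

def mat_vec(rows, x):
    """Matrix-vector product over GF(2): bit i of the result is parity(row_i & x)."""
    return sum((bin(r & x).count("1") & 1) << i for i, r in enumerate(rows))

def ci1_change_of_basis(tt):
    """Section 4.2: B_f has n independent Walsh zeroes as rows, C_f = B_f^-1 and
    f'(x) = f(C_f x). Returns f' as a truth table, or None when rank(WZ_f) < n."""
    n, spec = len(tt).bit_length() - 1, walsh(tt)
    basis, rows = {}, []
    for w in range(1, len(tt)):
        if spec[w] == 0 and len(rows) < n:
            v = reduce_vec(w, basis)        # keep w only if it raises the rank
            if v:
                basis[v.bit_length() - 1] = v
                rows.append(w)
    if len(rows) < n:
        return None
    C = gf2_inverse(rows, n)
    return [tt[mat_vec(C, x)] for x in range(len(tt))]

if __name__ == "__main__":
    f = hex_to_tt(SUPPORT_8_0_6_116_24, 8)
    print("original   ", profile(f))
    g = ci1_change_of_basis(f)
    print("transformed", profile(g) if g else "Walsh zeroes have rank < 8")
```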
Table 7. Best Achieved Properties (n, m, d, nl, AC_f) by Any Optimisation Method
m = 1: (5,1,3,12,8) (6,1,4,24,16) (7,1,5,56,16) (8,1,6,116,24) (9,1,7,236,40) (10,1,8,484,64) (11,1,9,984,96) (12,1,10,1992,160)
m = 2: (5,2,2,8,32) (6,2,3,24,32) (7,2,4,56,24) (8,2,5,112,56) (9,2,6,232,88)
m = 3: (5,3,1,0,32) (6,3,2,16,64) (7,3,3,48,128) (8,3,3,96,256) (9,3,3,192,512)
m = 4: (6,4,1,0,64) (7,4,2,32,128) (8,4,3,96,256) (9,4,3,192,512)
m = 5: (7,5,1,0,128) (8,5,2,64,256) (9,5,3,192,512)

4.3 Transformation for Higher Order Correlation Immunity
Linear change of basis has proved to be an effective way of transforming functions to obtain first order correlation immunity. Can a similar transformation be found to produce higher order correlation immunity? Once again consider the set of Walsh zeroes $WZ_f$ (defined in Equation (4)). Suppose there exists a subset $SWZ_f$ of $WZ_f$ with the following property. For any k elements $\omega_{i_1}, \ldots, \omega_{i_k}$, $1 \le k \le m$,

$$\hat F_f\Big(\bigoplus_{j=1}^{k} \omega_{i_j}\Big) = 0.$$
Now construct a nonsingular n × n matrix $B_f$ whose rows are vectors from $SWZ_f$. Let $C_f = B_f^{-1}$. Now if we construct a function $f'(x) = f(C_f x)$, then both f, f' have the same nonlinearity and algebraic degree. Moreover, $\hat F_{f'}(\omega) = 0$ for 1 ≤ wt(ω) ≤ m, where $\hat F_{f'}$ is the Walsh Hadamard transform of f'. This ensures that f' is mth order correlation immune. Also if f is balanced then f' is balanced. Obtaining a linearly independent subset is an easily solvable problem of linear algebra (start with an empty set and add to the set only vectors that increase the dimension of the space spanned). There would appear to be no known efficient method for obtaining a basis with the indicated mth order characteristics. The problem is hard but is of relevance. It can also be couched as a nonlinear search problem. Let

$$pwz = \omega_1, \ldots, \omega_r \qquad (5)$$

be a permutation of the Walsh zeroes $WZ_f$. For each such permutation, let the first n elements form a candidate basis. Thus,

$$candBasis(pwz) = \{\omega_1, \ldots, \omega_n\}. \qquad (6)$$
To be a suitable basis the set $\{\omega_1, \ldots, \omega_n\}$ must have rank n, and the kth order combinations $\bigoplus_{j=1}^{k} \omega_{i_j}$ of its elements (1 ≤ k ≤ m) must also be in the set $WZ_f$. A permutation not meeting these requirements should be punished. As an example, for m = 2, for a candidate basis candBasis(pwz) define the number of misses as the number of XOR combinations of two dissimilar candidate basis elements that are themselves not in $WZ_f$:

$$misses(candBasis(pwz)) = \#\{\, i, j \in 1..n : i < j \wedge \omega_i \oplus \omega_j \notin WZ_f \,\} \qquad (7)$$
A cost function that seeks to punish deviation from the required properties is given by:

$$cost(pwz) = K \times (n - rank(candBasis(pwz))) + misses(candBasis(pwz)) \qquad (8)$$

In attempting to obtain (7, 2, 4, 56) functions the authors also obtained many which were (7, 0, 4, 56) but for which the Walsh zeroes had rank seven. With K = 20, this cost function was used as part of an annealing search over the sets of Walsh zeroes with dimension 7. Of 23 such functions, the annealing-based search for bases giving second order immunity was successful in the case of 4 of these functions. A search for second order characteristics usually takes less than a minute, in comparison to the half an hour reported in [16].
4.4 Linear Transformation for Propagation Characteristics
For a Boolean function f consider $ACZ_f = \{s \mid \hat r_f(s) = 0\}$. Suppose that there are n linearly independent vectors in $ACZ_f$. Consider $B_f$ to be an n × n matrix whose rows are the n linearly independent vectors. Thus, it is clear that $f(xB_f)$ has the same nonlinearity and algebraic degree as f(x) and satisfies PC(1). The (8,0,6,116,24) function can similarly be transformed to the PC(1) balanced function with support 9215f91fa524ff81ab12337e5b7d328dbba8c1b2e02419689e6cf8e1372742c5. Obtaining higher order properties using this directed search method is novel. We also use the same technique as in Subsection 4.3 to search for a linear change of basis giving rise to PC(2) functions. In the same way as before, if all pairwise combinations $\omega_i \oplus \omega_j$ from the basis subset are also in $ACZ_f$ then the transformed function is PC(2). Very little experimentation has been carried out but this has already provided new information. Prior to 1997 the highest algebraic degree exhibited for a PC(2) function was n/2 (for bent functions, which are actually PC(n): they have zero autocorrelation). Honda et al. [6] showed how this bound was very weak and demonstrated how to construct functions on n = l + 2l − 1 input bits with algebraic degree n − l − 1, and showed also how to construct similar balanced functions. They noted that the degree of their constructed functions is 'much larger than the best degree so far'. This is true. They also comment: "Now suppose $f(x_1, \ldots, x_n)$ satisfies PC(2). Then since f satisfies SAC [Strict Avalanche Criterion] we obtain a trivial upper bound on deg(f) such that deg(f) ≤ n − 1." We revisited the batches of functions generated in Section 3.2. For functions of six input variables, application of annealing based searches for second order characteristics enabled balanced PC(2) functions of algebraic degree 5 to be found.
No balanced PC(2) function has previously been demonstrated at the trivial bound of n − 1 (balanced functions can have degree at most n − 1). An example function obtained is given by the support c65b4d405ceb91f1. For low numbers of input variables, optimisation is able to generate examples with optimal properties that have hitherto escaped theoretical construction. Honda et al. make no claim to optimality, merely that the previous best bound can be surpassed. Whether or not PC(2) functions exist with degree n − 1 for n > 6 is left as an open question (though preliminary experimentation has come very close: for n = 7 and 8, changes of basis have been found that give rise to PC(1) functions with only a single element $\omega_i \oplus \omega_j$ not being in the set of AC zeroes). Thorough investigation of the application of the optimisation techniques to propagation characteristics (and other propagation criteria) is left as future work. The generation of a single example meeting the 'trivial' bound shows once again that optimisation techniques have some potential to check conjectures or to attack current bounds for relationships between the various criteria.
Table 8. Supports for Functions with CI and PC Together
n | Support                                                          | PC(k)CI(m) | NL  | AC
6 | 6CB405778EA9BD30                                                 | PC(1)CI(1) |  24 | 32
6 | 5C721BCAAC27B1C5                                                 | PC(1)CI(2) |  16 | 64
7 | 3BD8254D458FB41DCDA8F192662334FA                                 | PC(1)CI(1) |  52 | 32
8 | 54FFAAC5467F9703B1AC48E3C016DB8298621FE54A386A60163247E1F7C7BD8D | PC(1)CI(1) | 112 | 48

4.5 CI and PC Together
Optimisation-based approaches can easily be extended to incorporate multiple criteria. Correlation immunity CI(m) and propagation criteria PC(k) can be targeted together using a cost function of the form:

$$cost(f) = A \times \sum_{1 \le |s| \le k} |\hat r_f(s)|^R + B \times \sum_{|\omega| \le m} |\hat F_f(\omega)|^R + C \times \max_{\omega} |\hat F_f(\omega)|. \qquad (9)$$
At present only small scale experiments have been performed but these have already produced interesting results. Table 8 records the support of some functions evolved so far.
5 Conclusions
Using heuristic approaches we have attained functions with profiles unattained by other techniques. The range of properties addressed shows that heuristic search is a flexible framework for Boolean function investigation. The change of basis transformations show that a little theory can complement heuristic approaches to good effect. Adopting further elements of cryptological theory into the search process may prove a fruitful avenue for future research. Heuristic search is little exploited in modern-day cryptology. We encourage other researchers to consider it.
References

[1] C. Carlet. On the coset weight divisibility and nonlinearity of resilient and correlation immune functions. In Sequences and Their Applications - SETA 2001, Discrete Mathematics and Theoretical Computer Science, pages 131–144. Springer-Verlag, 2001.
[2] C. Ding, G. Xiao, and W. Shan. The Stability of Stream Ciphers. Lecture Notes in Computer Science, Volume 561. Springer-Verlag, 1991.
[3] J. A. Clark and J. L. Jacob. Two-Stage Optimisation in the Design of Boolean Functions. In 5th Australasian Conference on Information, Security and Privacy – ACISP 2000, Lecture Notes in Computer Science, Volume 1841, pages 242–254. Springer-Verlag, 2000.
[4] J. A. Clark. Metaheuristic Search as a Cryptological Tool. DPhil Thesis, YCST-2002-07. Department of Computer Science, University of York, York, UK, December 2001. Available at http://www.cs.york.ac.uk/ftpdir/reports/
[5] H. Dobbertin. Construction of bent functions and balanced functions with high nonlinearity. In Fast Software Encryption, 1994 Leuven Workshop, Lecture Notes in Computer Science, Volume 1008, pages 61–74. Springer-Verlag, Berlin, 1994.
[6] T. Honda, T. Satoh, T. Iwata and K. Kurosawa. Balanced Boolean functions satisfying PC(2) and very large degree. Selected Areas in Cryptography (SAC) 1997. Available from http://adonis.ee.queensu.ca:8000/sac/sac97/papers.html
[7] X.-D. Hou. On the Norm and Covering Radius of First-Order Reed-Muller Codes. IEEE Transactions on Information Theory, 43(3):1025–1027, May 1997.
[8] S. Kirkpatrick, C. D. Gelatt Jr., and M. P. Vecchi. Optimization by simulated annealing. Science, 220(4598):671–680, May 1983.
[9] S. Maitra and P. Sarkar. Modifications of Patterson-Wiedemann functions for cryptographic applications. IEEE Transactions on Information Theory, 48(1):278–284, January 2002.
[10] S. Maitra. Highly nonlinear balanced Boolean functions with very good autocorrelation property. In Workshop on Coding and Cryptography - WCC 2001, Paris, January 8–12, 2001. Electronic Notes in Discrete Mathematics, Volume 6, Elsevier Science, 2001.
[11] S. Maitra. Autocorrelation properties of correlation immune Boolean functions. In INDOCRYPT 2001, Lecture Notes in Computer Science, Volume 2247, pages 242–253. Springer-Verlag, December 2001.
[12] S. Maitra and E. Pasalic. Further constructions of resilient Boolean functions with very high nonlinearity. IEEE Transactions on Information Theory, 48(7):1825–1834, July 2002.
[13] W. Millan, A. Clark and E. Dawson. An effective genetic algorithm for finding highly nonlinear Boolean functions. In First International Conference on Information and Communications Security, Lecture Notes in Computer Science, Volume 1334, pages 149–158. Springer-Verlag, 1997.
[14] W. Millan, A. Clark and E. Dawson. Heuristic Design of Cryptographically Strong Balanced Boolean Functions. In Advances in Cryptology - EUROCRYPT'98, Lecture Notes in Computer Science, Volume 1403, pages 489–499. Springer-Verlag, 1998.
[15] W. Millan, A. Clark and E. Dawson. Boolean function design using hill climbing methods. In 4th Australasian Conference on Information, Security and Privacy, Lecture Notes in Computer Science, Volume 1587, pages 1–11. Springer-Verlag, April 1999.
[16] E. Pasalic, S. Maitra, T. Johansson and P. Sarkar. New constructions of resilient and correlation immune Boolean functions achieving upper bound on nonlinearity. In Workshop on Coding and Cryptography - WCC 2001, Paris, January 8–12, 2001. Electronic Notes in Discrete Mathematics, Volume 6, Elsevier Science, 2001.
[17] N. J. Patterson and D. H. Wiedemann. The covering radius of the $(2^{15}, 16)$ Reed-Muller code is at least 16276. IEEE Transactions on Information Theory, IT-29(3):354–356, 1983 (see correction IT-36(2):443, 1990).
[18] P. Sarkar and S. Maitra. Construction of nonlinear Boolean functions with important cryptographic properties. In Advances in Cryptology - EUROCRYPT 2000, Lecture Notes in Computer Science, Volume 1807, pages 485–506. Springer-Verlag, May 2000.
[19] P. Sarkar and S. Maitra. Nonlinearity bounds and construction of resilient Boolean functions. In Mihir Bellare, editor, Advances in Cryptology - CRYPTO 2000, Lecture Notes in Computer Science, Volume 1880, pages 515–532. Springer-Verlag, Berlin, 2000.
[20] T. Siegenthaler. Correlation immunity of nonlinear combining functions for cryptographic applications. IEEE Transactions on Information Theory, IT-30(5):776–780, September 1984.
[21] Y. Tarannikov. On resilient Boolean functions with maximal possible nonlinearity. In Progress in Cryptology - INDOCRYPT 2000, Lecture Notes in Computer Science, Volume 1977, pages 19–30. Springer-Verlag, 2000.
[22] Y. V. Tarannikov. New constructions of resilient Boolean functions with maximal nonlinearity. In Fast Software Encryption - FSE 2001, Lecture Notes in Computer Science, Volume 2355, pages 70–81. Springer-Verlag, 2001.
[23] M. Fedorova and Y. V. Tarannikov. On the constructing of highly nonlinear resilient Boolean functions by means of special matrices. In Progress in Cryptology - INDOCRYPT 2001, Lecture Notes in Computer Science, Volume 2247, pages 254–266. Springer-Verlag, 2001.
[24] Y. Zheng and X. M. Zhang. Improved upper bound on the nonlinearity of high order correlation immune functions. In Selected Areas in Cryptography - SAC 2000, Lecture Notes in Computer Science, Volume 2012, pages 264–274. Springer-Verlag, 2000.
[25] X.-M. Zhang and Y. Zheng. GAC – the criterion for global avalanche characteristics of cryptographic functions. Journal of Universal Computer Science, 1(5):316–333, 1995.
Further Results Related to Generalized Nonlinearity
Sugata Gangopadhyay (1) and Subhamoy Maitra (2)
(1) Mathematics Group, Birla Institute of Technology & Science, Pilani, Rajasthan 333 031, INDIA, [email protected]
(2) Applied Statistics Unit, Indian Statistical Institute, 203, B T Road, Calcutta 700 108, INDIA, [email protected]
Abstract. In this paper we consider the generalized nonlinearity of Boolean functions. First we characterize n-variable Boolean functions $f : GF(2^n) \to GF(2)$ such that $f(x^c) = f(x)$ for any $c$ coprime to $2^n - 1$, where $c$ is a cyclotomic coset leader modulo $2^n - 1$. This guarantees that the generalized nonlinearity of these functions is the same as their nonlinearity. Boolean functions with very high generalized nonlinearity were constructed by Youssef and Gong in 2001 using repetition of the same binary string. Here we study the trace representation of this set of functions. Further we discuss the definition of generalized nonlinearity in terms of the standard truth table realization of a Boolean function and raise important issues in this direction.
Keywords: Algebraic Approach, Boolean Function, Generalized Nonlinearity, Nonlinearity.
1 Introduction
Good propagation characteristics, high nonlinearity and high algebraic degree are important criteria in the design of S-boxes in block ciphers. In [3], Gong and Golomb identified a new criterion for S-box design, called the generalized nonlinearity. In [6], Youssef and Gong provided a construction of hyperbent functions, and later in [7] they also provided methods to construct Boolean functions on an odd number of variables with very high generalized nonlinearity. In this direction we first consider n-variable Boolean functions $f : GF(2^n) \to GF(2)$ such that $f(x^c) = f(x)$ for any $c$ coprime to $m = 2^n - 1$. This guarantees that the generalized nonlinearity of such functions is the same as the standard nonlinearity measure. In Section 3, we show that these functions are of the form
$$f(x) = \sum_{d \mid m} \lambda_d \sum_{\gcd(a,m)=d} Tr_1^{s_a}(x^a),$$
where $\lambda_d \in \{0,1\}$, $a$ is a cyclotomic coset leader modulo $2^n - 1$ and $s_a$ is the size of the cyclotomic coset containing $a$. However, this class is extremely restrictive and it seems that getting high generalized nonlinearity from this class of functions is elusive.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 260–274, 2002. © Springer-Verlag Berlin Heidelberg 2002
In [6, 7], it has been noted that repetition of certain patterns produces very good generalized nonlinearity. We revisit the problem in Section 4. First we try to find the trace representation of such functions. We show that if a function $f : GF(2^n) \to GF(2)$ is constructed by repeating a binary sequence $b$ of period $d$ and weight $wt(b) = r$, $2^t - 1$ times, then
$$f(x) = \sum_{a(2^t-1) \in T} Tr_1^{s_{a(2^t-1)}}(\beta_a x^{a(2^t-1)}),$$
where $\beta_a \in GF(2^{s_{a(2^t-1)}})$, $a(2^t - 1) \in T$, the set of coset leaders modulo $2^n - 1$, and $s_{a(2^t-1)}$ is the size of the cyclotomic coset modulo $2^n - 1$ containing $a(2^t - 1)$. We also present some experimental results related to generalized nonlinearity for 9-variable and 15-variable functions. Carlet pointed out [1] that the functions constructed by repeating a certain pattern had been identified earlier by Dillon [2]. We also note that the construction proposed by Patterson and Wiedemann [4] used a similar idea. Patterson and Wiedemann further considered functions which remain invariant under the transformation $x \to x^2$. We obtain the trace representation of such functions in Theorem 3. In Section 5, we present some ideas about navigating between the standard truth table representation of Boolean functions and Boolean functions represented as mappings from $GF(2^n)$ to $GF(2)$. This helps in understanding the meaning of generalized nonlinearity with respect to the standard truth table representation of Boolean functions. Further, in Subsection 5.1 we present a nonlinear transformation over the set of bent functions provided by Dillon [2] which preserves the maximum nonlinearity.
2 Preliminaries
Let $B_n$ be the set of all n-variable Boolean functions, that is, mappings from $\{0,1\}^n$ to $\{0,1\}$. The standard truth table of an n-variable Boolean function $f(x_0, \ldots, x_{n-1})$ is defined as the length $2^n$ binary string $f(0,0,\ldots,0), f(1,0,\ldots,0), f(0,1,\ldots,0), \ldots, f(1,1,\ldots,1)$. Given a Boolean function of n variables, this is a unique representation. For $f \in B_n$, by $TT(f)$ we denote the truth table of $f$, the $2^n$ length binary string. Further, let $F_n$ be the set of all polynomial functions from $GF(2^n)$ to $GF(2)$. It is known [6] that there exists a one-to-one correspondence between $B_n$ and $F_n$. However, we would like to point out that this correspondence depends very much on the choice of a primitive polynomial of degree n. We discuss this in more detail in Section 5; see also Table 1 in that section, which presents some examples of the correspondence. Let $g(x_0, x_1, \ldots, x_{n-1})$ be an n-variable Boolean function, i.e., $g \in B_n$. Each n-bit input pattern of the function corresponds to an element of $GF(2^n)$ based on the choice of the primitive polynomial (see Section 5 and Table 1 in that section for more details). Let $p(x)$ be the primitive polynomial which
is used for the correspondence and $\zeta$ be a root of it. Therefore one can determine a unique polynomial $\rho$ (in $F_n$) of degree at most $2^n - 1$ whose values at the points $0$ and $\zeta^i \in GF(2^n)$, $0 \le i \le 2^n - 2$, are determined from the values $g(x_0, x_1, \ldots, x_{n-1})$, where $(x_0, \ldots, x_{n-1}) \in \{0,1\}^n$. In particular we can write
$$\rho(x) = \sum_{j=0}^{2^n-1} d_j x^j, \quad \text{where } d_j = \sum_{x \in GF(2^n)^*} \big(g(x_0, x_1, \ldots, x_{n-1}) - g(0,0,\ldots,0)\big) x^{-j} \text{ when } j \neq 0, \text{ and } d_0 = g(0,0,\ldots,0).$$
Here $x = \sum_{i=0}^{n-1} x_i \zeta^i$. See [6, 7] for more details about this interpolation formula.
In this paper we are interested in studying the nonlinearity and generalized nonlinearity of Boolean functions. We know that a Boolean function and its complement both have the same nonlinearity and generalized nonlinearity. A Boolean function which has value 1 at $(0,0,\ldots,0)$ is the complement of a Boolean function which has value 0 at $(0,0,\ldots,0)$. Thus without loss of generality one can assume that $g(0,0,\ldots,0) = 0$. Since $1, \zeta, \zeta^2, \ldots, \zeta^{2^n-2}$ are the elements of $GF(2^n)^*$, for any $(x_0, x_1, \ldots, x_{n-1})$ we have $g(x_0, x_1, \ldots, x_{n-1}) = \rho(\zeta^i)$ for some $i$. Thus we can write $d_0 = 0$ and $d_i = \sum_{j=0}^{2^n-2} \rho(\zeta^j)\zeta^{-ij}$ where $i \neq 0$.
For $\alpha \in GF(2^n)$ the trace $Tr_1^n(\alpha)$ of $\alpha$ over $GF(2)$ is defined by $Tr_1^n(\alpha) = \alpha + \alpha^2 + \alpha^{2^2} + \ldots + \alpha^{2^{n-1}}$. Any polynomial $\rho(x)$ can be written as $\rho(x) = \sum_{i=1}^{s} Tr_1^{m_{t_i}}(\beta_i x^{t_i})$ where $\beta_i \in GF(2^{m_{t_i}})$ (see [6] for more details). Here $t_i$ is a coset leader of a cyclotomic coset modulo $2^n - 1$, $m_{t_i}$ ($m_{t_i} \mid n$) is the size of the cyclotomic coset containing $t_i$ and $s$ is the number of cyclotomic cosets. On the other hand, consider a primitive polynomial $p(x)$ of degree n and let $\zeta$ be a root of $p(x)$. Then $1, \zeta, \zeta^2, \ldots, \zeta^{n-1}$ is a basis for $GF(2^n)$ and any element $x$ can be written as $x = x_0 + x_1\zeta + x_2\zeta^2 + \ldots + x_{n-1}\zeta^{n-1}$, where $(x_0, x_1, \ldots, x_{n-1}) \in \{0,1\}^n$. In the above trace representation of a polynomial in $F_n$, if we replace $x$ by $x_0 + x_1\zeta + x_2\zeta^2 + \ldots + x_{n-1}\zeta^{n-1}$ then we get a polynomial in $GF(2)[x_0, x_1, x_2, \ldots, x_{n-1}]$. This polynomial in n variables over $GF(2)$ naturally corresponds to a Boolean function.
Functions of the form $a_0 x_0 + a_1 x_1 + \ldots + a_{n-1} x_{n-1} \in B_n$ are called linear functions, where $a_0, a_1, \ldots, a_{n-1} \in GF(2)$. We denote the set of all n-variable linear Boolean functions by $L(n)$. Let $S_1 = \{Tr_1^n(\lambda x) \mid \lambda \in GF(2^n)\} \subset F_n$. Then there is a one-to-one correspondence between the set $S_1$ and the set $L(n)$. The concept of linear Boolean functions can be generalized by introducing bijective monomials, as has been done in [6]. Given $\lambda \in GF(2^n)$, the functions of the form $Tr(\lambda x^c)$, where $\gcd(c, 2^n - 1) = 1$, are called bijective monomials. For a fixed $c$, the set $\{Tr(\lambda x^c) \mid \lambda \in GF(2^n)\}$ is denoted by $S_c$. If $c = 1$ then $S_c$ is the set of all linear Boolean functions. The set of all bijective monomials, including the set of linear functions, is given by $S = \bigcup_{\gcd(c, 2^n-1)=1} S_c$.
As a passing remark, if $\zeta$ is a primitive element of $GF(2^n)$, then the sequence $s_i = Tr(\lambda\zeta^i)$, $i = 0, 1, 2, \ldots$, is an m-sequence [6]. This sequence corresponds to the point value representation of the function $Tr(\lambda x)$ at the points $1, \zeta, \zeta^2, \ldots, \zeta^{2^n-2}$. If the same function is evaluated at $1, \zeta^c, \zeta^{2c}, \ldots, \zeta^{(2^n-2)c}$, where $\gcd(c, 2^n - 1) = 1$, we get another m-sequence, which is the same as the m-sequence generated by the bijective monomial $Tr(\lambda x^c)$ when evaluated at $1, \zeta, \zeta^2, \ldots, \zeta^{2^n-2}$.
Now we define (as in [6, 7]) the nonlinearity and generalized nonlinearity of a function $\rho \in F_n$. The Hadamard transform of $\rho \in F_n$ is defined by $\hat{\rho}(\lambda) = \sum_{x \in GF(2^n)} (-1)^{\rho(x) + Tr(\lambda x)}$. The nonlinearity of $\rho \in F_n$ is defined by
$$NL(\rho) = 2^{n-1} - \frac{1}{2}\max_{\lambda \in GF(2^n)} |\hat{\rho}(\lambda)|.$$
For even $n$, $\rho$ is called a bent function if $\hat{\rho}(\lambda) = \pm 2^{n/2}$ for any $\lambda \in GF(2^n)$. The Extended Hadamard Transformation [6] is defined as
$$\hat{\rho}(\lambda, c) = \sum_{x \in GF(2^n)} (-1)^{\rho(x) + Tr(\lambda x^c)},$$
where $\gcd(c, 2^n - 1) = 1$, $c$ is a coset leader modulo $2^n - 1$ and $\lambda \in GF(2^n)$. Using this, the generalized nonlinearity can be defined by
$$NLG(\rho) = 2^{n-1} - \frac{1}{2}\max_{\lambda \in GF(2^n),\ \gcd(c, 2^n-1)=1} \Big| \sum_{x \in GF(2^n)} (-1)^{\rho(x) + Tr(\lambda x^c)} \Big|.$$
For even $n$, a function $\rho$ is called a hyperbent function if $\hat{\rho}(\lambda, c) = \pm 2^{n/2}$ for any $\lambda \in GF(2^n)$ and $\gcd(c, 2^n - 1) = 1$, where $c$ is a coset leader.
3 Group Action on $F_n$
Let $x \in GF(2^n)$ and $U(2^n - 1)$ be the multiplicative group modulo $2^n - 1$ consisting of positive integers coprime to and less than $2^n - 1$. $U(2^n - 1)$ is isomorphic to the group of group automorphisms of $GF(2^n)^*$. If $c \in U(2^n - 1)$ then $x \to x^c$ is an automorphism on $GF(2^n)^*$, when considered as a group with respect to multiplication. We introduce a map $\phi_c$ over $F_n$ as $\phi_c(f(x)) = f(x^c)$. First we present a simple technical result.
Lemma 1. The map $(c, f(x)) \to \phi_c(f(x)) = f(x^c)$ from $U(2^n - 1) \times F_n \to F_n$ is a group action of $U(2^n - 1)$ on $F_n$.
Proof. Let $c, d \in U(2^n - 1)$ and $f \in F_n$. By the definition of the map, $(cd, f(x)) \to f(x^{cd}) = f((x^d)^c)$, but $(c, (d, f(x))) \to (c, f(x^d)) \to f((x^d)^c)$. Thus $(cd, f(x)) = (c, (d, f(x)))$. Further $(1, f(x)) \to f(x)$. Thus the above map defines a group action of $U(2^n - 1)$ on $F_n$.
For the map $\phi_c$ induced by $c$ the following relations are satisfied: $\phi_{cd}(f(x)) = \phi_c(\phi_d(f(x))) = \phi_d(\phi_c(f(x)))$ and $\phi_1(f(x)) = f(x)$. In this section we characterize a class of functions which are stable under the action of $U(2^n - 1)$ on $F_n$. A direct consequence of this property is that the generalized nonlinearity and nonlinearity of such a function are the same. Now we present a few technical results used in the main theorem. Let us consider the action of $U(2^n - 1)$ on $\mathbb{Z}/(2^n - 1)\mathbb{Z}$ defined by $\psi_s(c) = sc$ where $s \in U(2^n - 1)$. Let $T$ be the set of coset leaders modulo $2^n - 1$ and $m = 2^n - 1$.
Lemma 2. If $a, b \in \mathbb{Z}/m\mathbb{Z}$ then $\gcd(a, m) = \gcd(b, m) = d$ if and only if there exists $c \in U(m)$ such that $ca \equiv b \bmod m$.
Proof. Let $a = d$ and $\gcd(b, m) = d$. Let $m = p_1^{a_1} \cdots p_n^{a_n} d_1^{e_1} \cdots d_k^{e_k} (d_1^{f_1} \cdots d_k^{f_k})$, where $d = d_1^{f_1} \cdots d_k^{f_k}$ and the $p_i$ and $d_i$ are primes. Since $\gcd(b, m) = d$, $b = x_0 d = x_0 a$. Thus $x_0$ is a solution of the equation $xa \equiv b \bmod m$. Now $\frac{m}{d} = p_1^{a_1} \cdots p_n^{a_n} d_1^{e_1} \cdots d_k^{e_k}$, where $a_i > 0$, $e_i \ge 0$. Since $\gcd(x_0, \frac{m}{d}) = 1$, if some prime $q_i \mid \frac{m}{d}$ then $q_i \nmid x_0$, and if $q_i \mid x_0$ then $q_i \nmid \frac{m}{d}$. Now $p_i \mid \frac{m}{d}$ for all $i$, therefore $p_i \nmid x_0$ for any $i$. Thus $p_i \nmid x_0 + q\frac{m}{d}$ for all $i = 1, \ldots, n$ and for all $q \in \mathbb{Z}$. Consider the following cases.
Case 1. $d_i \mid x_0$. This implies $d_i \nmid \frac{m}{d}$, so $d_i \nmid x_0 + q\frac{m}{d}$ whenever $\gcd(d_i, q) = 1$.
Case 2. $d_i \nmid x_0$. There are two sub cases possible.
Sub case 2a. $d_i \mid \frac{m}{d}$, so $d_i \nmid x_0 + q\frac{m}{d}$ for all $q \in \mathbb{Z}$.
Sub case 2b. $d_i \nmid \frac{m}{d}$. Let $Q = \{i \mid d_i \nmid x_0 \text{ and } d_i \nmid \frac{m}{d}\}$. Construct $\hat{x}_0 = x_0 + \big(\prod_{j \in Q} d_j\big)\frac{m}{d} = x_0 + q\frac{m}{d}$, where $q = \prod_{j \in Q} d_j$.
It can be easily checked that if $d_i \nmid x_0$ then $d_i \mid q\frac{m}{d}$, therefore $d_i \nmid \hat{x}_0$. On the other hand if $d_i \mid x_0$ then $d_i \nmid q$ and hence $d_i \nmid \hat{x}_0$. Thus $\gcd(m, \hat{x}_0) = 1$.
Next let $a, b \in \mathbb{Z}$ be such that $\gcd(a, m) = \gcd(b, m) = d$; then from the above result there exist $k_1, k_2 \in U(m)$ such that $k_1 d \equiv a \bmod m$ and $k_2 d \equiv b \bmod m$. From this we obtain $k_2 k_1^{-1} a \equiv b \bmod m$ where $k_2 k_1^{-1} \in U(m)$.
Conversely let $a, b \in \mathbb{Z}/m\mathbb{Z}$ and $ca \equiv b \bmod m$ for some $c \in U(m)$. Let $\gcd(a, m) = d_1$ and $\gcd(b, m) = d_2$. By the above result there exist $c_1, c_2 \in U(m)$ such that $c_1 a \equiv d_1$ and $c_2 b \equiv d_2 \bmod m$. Combining we obtain $c_2 c a \equiv d_2 \bmod m$, which implies $c_2 c a = d_2 + rm$ for some $r$. But $d_2 \mid (d_2 + rm) \Rightarrow d_2 \mid c_2 c a$. Since $c_2 c \in U(m)$, $\gcd(d_2, c_2 c) = 1$, therefore $d_2 \mid a \Rightarrow d_2 \mid \gcd(m, a) = d_1$. Using a similar argument it can be proved that $d_1 \mid d_2$ and hence $d_1 = d_2$.
Lemma 3. Let $c \in U(m)$ and $t \in \mathbb{Z}/m\mathbb{Z}$. If $\psi_c(t) = ct = t'$ then $t$ and $t'$ both belong to cyclotomic cosets of the same size.
Proof. We have $ct \equiv t' \bmod m \Rightarrow t \equiv c^{-1} t' \bmod m$. Let $s_t$ and $s_{t'}$ be the sizes of the cyclotomic cosets containing $t$ and $t'$ respectively. Now $t 2^{s_t} \equiv t \bmod m \Rightarrow ct 2^{s_t} \equiv ct \bmod m \Rightarrow t' 2^{s_t} \equiv t' \bmod m \Rightarrow s_{t'} \le s_t$. Similarly we can prove that $s_t \le s_{t'}$.
Corollary 1. If $a, b \in \mathbb{Z}/m\mathbb{Z}$ are such that $\gcd(a, m) = \gcd(b, m) = d$ then the cyclotomic cosets containing $a$ and $b$ are of the same size and the elements of one coset can be mapped onto the elements of the other by a map $\psi_c$ for some $c \in U(m)$.
Let $T$ denote the set of cyclotomic coset leaders modulo $m$ and $\bar{a}$ denote the coset leader corresponding to the element $a \in \mathbb{Z}/m\mathbb{Z}$. The proofs of the following facts, which we use in Theorem 1, are trivial:
1. Let $t \in T$, $c \in U(m)$ and $t' = ct$; then it is possible to find $d \in U(m)$ such that $dt = \overline{t'}$.
2. If $a, b \in \mathbb{Z}/m\mathbb{Z}$ are such that $\bar{a} = \bar{b}$ then $Tr(x^a) = Tr(x^b)$.
Define $F_n^U = \{f \in F_n \mid \phi_c(f(x)) = f(x) \text{ for all } c \in U(2^n - 1)\}$. We now prove the main theorem of this section.
Theorem 1. If $f \in F_n^U$ then the nonlinearity and generalized nonlinearity of $f$ are the same and
$$f(x) = \sum_{d \mid m} \lambda_d \sum_{\gcd(a,m)=d} Tr_1^{s_a}(x^a),$$
where $\lambda_d \in \{0,1\}$, $a$ is a cyclotomic coset leader modulo $2^n - 1$ and $s_a$ is the size of the cyclotomic coset containing $a$. The order of $F_n^U$ is $2^k$ where $k$ is the number of divisors of $m = 2^n - 1$.
Proof. For any $g \in F_n$, the weight of $g(x)$ is denoted by $wt(g(x))$. We note that $wt(Tr(\lambda x^c) + f(x)) = wt(\phi_d(Tr(\lambda x^c) + f(x))) = wt(Tr(\lambda x^{cd}) + f(x^d))$. We choose $d$ such that $cd \equiv 1 \bmod (2^n - 1)$. In case $f \in F_n^U$ we have $f(x^d) = f(x)$. Thus $wt(Tr(\lambda x^c) + f(x)) = wt(Tr(\lambda x) + f(x))$. Finally we have
$$\hat{f}(\lambda, c) = \sum_{x \in GF(2^n)} (-1)^{f(x) + Tr(\lambda x^c)} = 2^n - 2\,wt(Tr(\lambda x^c) + f(x)) = 2^n - 2\,wt(Tr(\lambda x) + f(x)).$$
From this, it is evident that $\hat{f}(\lambda, c) = \hat{f}(\lambda, 1)$ for all $\lambda \in GF(2^n)$. Thus if $f \in F_n^U$ then the nonlinearity of $f$ is the same as the generalized nonlinearity.
If we write $f(x)$ in the trace representation then any particular term in the trace representation will be of the form $Tr_1^s(\beta x^t)$, where $t$ is a coset leader modulo $2^n - 1$ of a cyclotomic coset of size $s$ and $\beta \in GF(2^s)$. We have $Tr_1^s(\beta x^t) = (\beta x^t) + (\beta x^t)^2 + (\beta x^t)^{2^2} + \ldots + (\beta x^t)^{2^{s-2}} + (\beta x^t)^{2^{s-1}}$. Applying $\phi_2$ on this term we obtain $\phi_2(Tr_1^s(\beta x^t)) = Tr_1^s(\beta x^{2t})$. Expanding,
$$Tr_1^s(\beta x^{2t}) = (\beta x^{2t}) + (\beta x^{2t})^2 + (\beta x^{2t})^{2^2} + \ldots + (\beta x^{2t})^{2^{s-2}} + (\beta x^{2t})^{2^{s-1}},$$
i.e.,
$$Tr_1^s(\beta x^{2t}) = (\beta^{2^{s-1}} x^t)^2 + (\beta^{2^{s-1}} x^t)^{2^2} + (\beta^{2^{s-1}} x^t)^{2^3} + \ldots + (\beta^{2^{s-1}} x^t)^{2^{s-1}} + (\beta^{2^{s-1}} x^t),$$
i.e., $Tr_1^s(\beta x^{2t}) = Tr_1^s(\beta^{2^{s-1}} x^t)$.
Therefore if $f(x) = \sum_{i=1}^{l} Tr_1^{m_{t_i}}(\beta_i x^{t_i})$, where for each $i$, $t_i$ is a cyclotomic coset leader modulo $2^n - 1$, $m_{t_i} \mid n$ is the size of the cyclotomic coset containing $t_i$ and $\beta_i \in GF(2^{m_{t_i}})^*$, then $f(x^2) = \sum_{i=1}^{l} Tr_1^{m_{t_i}}(\beta_i^{2^{m_{t_i}-1}} x^{t_i})$. If we express $f(x)$ and $f(x^2)$ as polynomials of degree less than or equal to $2^n - 1$ then the coefficients of $x^{t_i}$ are $\beta_i$ and $\beta_i^{2^{m_{t_i}-1}}$ respectively. Since $f \in F_n^U$, we have $f(x) = f(x^2)$. In that case if $f(x)$ and $f(x^2)$ are expressed as polynomials of degree less than or equal to $2^n - 1$, the coefficients of $x^{t_i}$ for both the polynomials should be equal, which implies that $\beta = \beta^{2^{m_{t_i}-1}}$. Since $\beta \in GF(2^{m_{t_i}})^*$, we have $\beta^{2^{m_{t_i}}} = \beta$. Thus $\beta^{2^{m_{t_i}}} = \beta^{2^{m_{t_i}-1}}$, i.e. $\beta^{2^{m_{t_i}-1}(2-1)} = 1$, i.e., $\beta^{2^{m_{t_i}-1}} = 1$. Hence $\beta = 1$. From the above discussion it is clear that if $f \in F_n^U$ then $f(x) = \sum_{a \in T} \lambda_a Tr_1^{s_a}(x^a)$, where $T$ is a set of coset leaders modulo $m$ and $\lambda_a \in GF(2)$. We note that this representation is unique once the set $T$ is fixed.
Let $c \in U(m)$. Then $\phi_c(f(x)) = \sum_{a \in T} \lambda_a Tr_1^{s_a}(x^{ac}) = \sum_{a \in T} \lambda_a Tr_1^{s_a}(x^{\overline{ac}})$ (by fact 1). Since $\phi_c(f(x)) = f(x)$ we compare the coefficients of the polynomial representation of $\phi_c(f(x))$ and $f(x)$ as before to obtain $\lambda_{\overline{ac}} = \lambda_a$. We have already proved in Corollary 1 that if $a, b \in T$ and $\gcd(a, m) = \gcd(b, m)$ then there exists $c \in U(m)$ such that $\overline{ac} = b$. Therefore, in the above trace representation $\lambda_a = \lambda_{\overline{ac}}$ for all $c \in U(m)$. Thus
$$f(x) = \sum_{d \mid m} \lambda_d \sum_{\gcd(a,m)=d} Tr_1^{s_a}(x^a),$$
where $\lambda_d \in \{0,1\}$, $a$ is a cyclotomic coset leader modulo $2^n - 1$ and $s_a$ is the size of the cyclotomic coset containing $a$. The order of $F_n^U$ is $2^k$ where $k$ is the number of divisors of $m$.
Remark 1. From an intermediate step of the above theorem we note that if a function $f \in F_n$ is invariant under the map $\phi_2$ then it must be of the form $f(x) = \sum_{a \in T} \lambda_a Tr_1^{s_a}(x^a)$, where $T$ is a set of coset leaders modulo $m$ and $\lambda_a \in GF(2)$. Due to this, in the trace representation in Theorem 1, the coefficients of "x or the powers of x" are either 0 or 1. We use this result in the next section in Theorem 3.
Example 1. Here we present the functions of the form in Theorem 1 for $n = 4$ to $6$. For $n = 4$, the form is $\lambda_1 (Tr_1^4(x) + Tr_1^4(x^7)) + \lambda_3 Tr_1^4(x^3) + \lambda_5 Tr_1^2(x^5) + \lambda_{15} Tr_1^1(x^{15})$. For $n = 5$, we get the form $\lambda_1 (Tr_1^5(x) + Tr_1^5(x^3) + Tr_1^5(x^5) + Tr_1^5(x^7) + Tr_1^5(x^{11}) + Tr_1^5(x^{15})) + \lambda_{31} Tr_1^1(x^{31})$. For $n = 6$, we get $\lambda_1 (Tr_1^6(x) + Tr_1^6(x^5) + Tr_1^6(x^{11}) + Tr_1^6(x^{13}) + Tr_1^6(x^{23}) + Tr_1^6(x^{31})) + \lambda_7 Tr_1^6(x^7) + \lambda_3 (Tr_1^6(x^3) + Tr_1^6(x^{15})) + \lambda_9 (Tr_1^3(x^9) + Tr_1^3(x^{27})) + \lambda_{21} Tr_1^2(x^{21}) + \lambda_{63} Tr_1^1(x^{63})$. Here $\lambda_i \in \{0,1\}$ for all $i$.
4 Functions of Repetitive Sequence
Youssef and Gong [6] have constructed functions that attain the maximum generalized nonlinearity for an even number of input variables. These functions are called hyperbent functions. In this construction technique they have used the concept of interleaved sequence. We give a definition of interleaved sequence below.
Definition 1. Let $2^n - 1 = d \cdot k$. The sequence $\{f(1), f(\zeta), f(\zeta^2), \ldots, f(\zeta^{2^n-2})\}$ can be written as
$$\begin{array}{ccccc}
f(\zeta^0) & f(\zeta^1) & f(\zeta^2) & \cdots & f(\zeta^{d-1}) \\
f(\zeta^d) & f(\zeta^{1+d}) & f(\zeta^{2+d}) & \cdots & f(\zeta^{(d-1)+d}) \\
f(\zeta^{2d}) & f(\zeta^{1+2d}) & f(\zeta^{2+2d}) & \cdots & f(\zeta^{(d-1)+2d}) \\
\vdots & \vdots & \vdots & & \vdots \\
f(\zeta^{(k-1)d}) & f(\zeta^{1+(k-1)d}) & f(\zeta^{2+(k-1)d}) & \cdots & f(\zeta^{(d-1)+(k-1)d})
\end{array}$$
This sequence is defined as a $(d, k)$-interleaved sequence of the function $f$. For $n$ even, Youssef and Gong [6] have considered a binary sequence $b$ of period $2^{n/2} + 1$ and repeated it $2^{n/2} - 1$ times to construct a function $f$ over $GF(2^n)$.
A fixed primitive polynomial of degree n is considered and $\zeta$ is a root of that polynomial. The $i$-th element in the above sequence is the value of $f(\zeta^i)$ when the first element of the sequence is counted as the zero-th element. The value of $f(0)$ is always set to zero. This sequence can be written as a $(2^{n/2} + 1, 2^{n/2} - 1)$-interleaved sequence, as is clear from the following example. It has been proved [6] that when $wt(b) = 2^{n/2 - 1}$ the function corresponding to such a sequence is hyperbent. This construction had earlier been observed by Dillon [2]. However, the hyperbent property was not observed in [2]; it was observed by Youssef and Gong in [6].
Example 2. Let $n = 4$. The binary sequence $b$ is $\{11000\}$. We construct the following interleaved sequence:
11000
11000
11000
The function $f$ corresponding to this sequence is: $f(1) = 1$, $f(\zeta) = 1$, $f(\zeta^2) = 0$, $f(\zeta^3) = 0$, $f(\zeta^4) = 0$, $f(\zeta^5) = 1$, $f(\zeta^6) = 1$, $f(\zeta^7) = 0$, $f(\zeta^8) = 0$, $f(\zeta^9) = 0$, $f(\zeta^{10}) = 1$, $f(\zeta^{11}) = 1$, $f(\zeta^{12}) = 0$, $f(\zeta^{13}) = 0$, $f(\zeta^{14}) = 0$, along with $f(0) = 0$. According to the construction of Youssef and Gong [6] this is a hyperbent function on 4 input variables. It can be checked that this function can be written as $f(x) = Tr_1^4(\zeta x^3)$, where $\zeta$ is a root of the primitive polynomial $p(x) = x^4 + x + 1$. However, it should be noted that there are non-repetitive sequences also which are hyperbent. For example, 00001 01100 11010 or 00000 10110 01101 are non-repetitive, but they are both hyperbent functions on 4 variables. These are not covered by the repetitive sequences described in [6].
In [7], the case for $n$ odd has also been considered. Let $n$ be the number of input variables, either even or odd. If $t \mid n$ then $n = tk$ and $2^n - 1 = (2^t - 1)((2^t)^{k-1} + (2^t)^{k-2} + \ldots + 2^t + 1)$. Denote $(2^t)^{k-1} + (2^t)^{k-2} + \ldots + 2^t + 1$ by $d$. Let $b$ be a binary sequence of length $d$ and weight $wt(b) = r$. Construct an interleaved sequence by repeating $b$, $2^t - 1$ times.
We shall obtain a trace representation of such a function.
Lemma 4. If $t \mid n$ then the size of the cyclotomic coset modulo $m = 2^n - 1$ containing $2^t - 1$ is $n$.
Proof. Let $s$ be the size of the cyclotomic coset modulo $m$ containing $2^t - 1$. Then $(2^s - 1)(2^t - 1) \equiv 0 \bmod m \Rightarrow (2^n - 1) \mid (2^s - 1)(2^t - 1) \Rightarrow d = ((2^t)^{k-1} + (2^t)^{k-2} + \ldots + 2^t + 1) \mid (2^s - 1)$. Since $t \mid n$ we can write $n = tk$. Clearly $s > tk - t$. For if $s \le tk - t$ then $2^s \le 2^{t(k-1)} \le d \Rightarrow (2^s - 1) < d \Rightarrow d \nmid (2^s - 1)$. Write $s = tk - t + i$ where $i = 1, 2, 3, \ldots, t$. We obtain $2^s - 1 = 2^{tk-t+i} - 1 = 2^{tk-(t-i)} - 1$. Multiplying both sides by $2^{t-i}$ we get $2^{t-i}(2^s - 1) = 2^{tk} - 2^{t-i} = (2^n - 1) + (1 - 2^{t-i})$. Thus $2^{t-i}(2^s - 1) - (2^n - 1) = 1 - 2^{t-i}$. The left hand side of the equation is divisible by $d$. Since for $i = 1, 2, \ldots, t - 1$ the number $2^{t-i} - 1 < d$, the right hand side is divisible by $d$ only if $i = t$. Then $s = tk - t + t = tk = n$.
Theorem 2. If a function $f : GF(2^n) \to GF(2)$ is constructed by repeating a binary sequence $b$ of period $d$ and weight $wt(b) = r$, $2^t - 1$ times, then
$$f(x) = \sum_{a(2^t-1) \in T} Tr_1^{s_{a(2^t-1)}}(\beta_a x^{a(2^t-1)}),$$
where $\beta_a \in GF(2^{s_{a(2^t-1)}})$, $a(2^t - 1)$ is a coset leader modulo $2^n - 1$ and $s_{a(2^t-1)}$ is the size of the cyclotomic coset modulo $2^n - 1$ containing $a(2^t - 1)$.
Proof. Assume that $b$ has ones in the positions $i_1, i_2, \ldots, i_r$. Using the interpolation formula described in Section 2 we obtain
$$\begin{aligned}
d_i &= \zeta^{-i_1 i} + \zeta^{-i_2 i} + \ldots + \zeta^{-i_r i} \\
&\quad + \zeta^{-(i_1 i + di)} + \zeta^{-(i_2 i + di)} + \ldots + \zeta^{-(i_r i + di)} \\
&\quad + \zeta^{-(i_1 i + 2di)} + \zeta^{-(i_2 i + 2di)} + \ldots + \zeta^{-(i_r i + 2di)} \\
&\quad + \ldots \\
&\quad + \zeta^{-(i_1 i + (2^t-2)di)} + \zeta^{-(i_2 i + (2^t-2)di)} + \ldots + \zeta^{-(i_r i + (2^t-2)di)} \\
&= \zeta^{-i_1 i} + \zeta^{-(i_1 i + di)} + \ldots + \zeta^{-(i_1 i + (2^t-2)di)} \\
&\quad + \zeta^{-i_2 i} + \zeta^{-(i_2 i + di)} + \ldots + \zeta^{-(i_2 i + (2^t-2)di)} \\
&\quad + \ldots \\
&\quad + \zeta^{-i_r i} + \zeta^{-(i_r i + di)} + \ldots + \zeta^{-(i_r i + (2^t-2)di)} \\
&= c_{i_1, i} + c_{i_2, i} + \ldots + c_{i_r, i}.
\end{aligned}$$
Let $c_{j,i}$ be the general term where $j = i_1, i_2, \ldots, i_r$. Then
$$c_{j,i} = \zeta^{-ji} + \zeta^{-(ji + di)} + \ldots + \zeta^{-(ji + (2^t-2)di)} = \zeta^{-ji}\big(1 + \zeta^{-di} + \zeta^{-2di} + \ldots + \zeta^{-(2^t-2)di}\big),$$
where $i = 1, 2, \ldots, 2^n - 1$. Note that $(\zeta^{-di})^{2^t-1} = \zeta^{-d(2^t-1)i} = \zeta^{-(2^n-1)i} = 1$. Thus $\zeta^{-di}$ is a $(2^t - 1)$-th root of unity. We have the following cases.
Case 1. $(2^t - 1) \nmid i$. In this case $\zeta^{-di} \neq 1$. Otherwise $(2^n - 1) \mid di \Rightarrow (2^t - 1) \mid i$. Therefore $1 + \zeta^{-di} + \zeta^{-2di} + \ldots + \zeta^{-(2^t-2)di} = 0$. Thus $c_{j,i} = 0$ for all $j$.
Case 2. $(2^t - 1) \mid i$. Here $\zeta^{-di} = 1$, i.e., $c_{j,i} = \zeta^{-ji}$. The polynomial representation is
$$f(x) = \sum_{a=1}^{d} \sum_{j=1}^{r} \zeta^{-i_j a(2^t-1)} x^{a(2^t-1)} = \sum_{a=1}^{d} \sum_{j=1}^{r} \beta_{j,a}\, x^{a(2^t-1)},$$
where $\beta_{j,a} = \zeta^{-i_j a(2^t-1)} \in GF(2^{s_{a(2^t-1)}})$. The trace representation of this function is $f(x) = \sum_{a(2^t-1) \in T} Tr_1^{s_{a(2^t-1)}}(\beta_a x^{a(2^t-1)})$, where $\beta_a \in GF(2^{s_{a(2^t-1)}})$, $a(2^t - 1)$ is a coset leader modulo $2^n - 1$ and $s_{a(2^t-1)}$ is the size of the cyclotomic coset modulo $2^n - 1$ containing $a(2^t - 1)$.
Next we do some experimentation on the functions of odd variables constructed using the method described in [7]. We implement a program in C to calculate the generalized nonlinearity. The experimentation shows that the true generalized nonlinearity of these functions is much better than the lower bound mentioned in [7]. For $n = 9$, a repetitive sequence of length 73 (note that $73 \times 7 = 511 = 2^9 - 1$) has been considered. Thus the length of $b$ is $d = 73$. Using the above construction for $n = 9$ with $wt(b) = \frac{d-1}{2} = 36$, Youssef and Gong [7] have proved that the lower bound on the generalized nonlinearity of such functions is 220. We have experimented with random strings of weight 36, and found functions with generalized nonlinearity either 220 or 228. Putting $f(0) = 0$, these functions are of weight $36 \times 7 = 252$, whereas we need weight 256 for balancedness. So considering the functions with generalized nonlinearity 228 and changing 4 bits from 0 to 1, we get balancedness and the generalized nonlinearity becomes at least 224. Thus there exist balanced functions on 9 variables with generalized nonlinearity 224. Moreover, we have attempted a further search method and obtained 9-variable functions with generalized nonlinearity 232. An example of $b$ with $wt(b) = 40$ is 0010100111101011001111001010111110100001001110111011100101000010011111100.
For 15-variable functions, the lower bound given in [7] is 15856. We have checked that the generalized nonlinearity of the Patterson-Wiedemann (PW) functions [4] is 15860. However, with random search having such repetition (length 1057, repeated 31 times, $1057 \times 31 = 2^{15} - 1$) we could find functions with generalized nonlinearity as high as 16047. Note that the functions considered in [4] have the property that $f(x^2) = f(x)$ for all $x \in GF(2^n)$. Thus it is interesting to find the trace representation of such functions. Below we present a result in relation to that, which follows from Theorem 1 and Theorem 2.
Theorem 3. If a function $f : GF(2^n) \to GF(2)$ is constructed by repeating a binary sequence $b$ of period $d$ and weight $wt(b) = r$, $2^t - 1$ times, and is such that $f(x^2) = f(x)$ for all $x \in GF(2^n)$, then
$$f(x) = \sum_{a(2^t-1) \in T} \lambda_a Tr_1^{s_{a(2^t-1)}}(x^{a(2^t-1)}),$$
where $\lambda_a \in \{0,1\}$, $a(2^t - 1)$ is a coset leader modulo $2^n - 1$ and $s_{a(2^t-1)}$ is the size of the cyclotomic coset modulo $2^n - 1$ containing $a(2^t - 1)$.
Proof. From Theorem 2 we get that $f(x) = \sum_{a(2^t-1) \in T} Tr_1^{s_{a(2^t-1)}}(\beta_a x^{a(2^t-1)})$. Note that from the proof of Theorem 1 with the condition $f(x^2) = f(x)$, we get $\beta_a \in \{0,1\}$. Thus the result.
Remark 2. Note that in the final trace representation the coefficients of the powers of $x$ are either 0 or 1.
5 Navigating between Different Representations
The standard truth table of an n-variable Boolean function f (x0 , . . . , xn−1 ) is defined as a length 2n binary string as f (0, 0, . . . , 0), f (1, 0, . . . , 0), f (0, 1, . . . , 0), . . . , f (1, 1, . . . , 1). Given a Boolean function of n variables, this is a unique representation. Given a Boolean function f ∈ Bn , we represent the truth table of f , the 2n length binary string by T T (f ). In this paper, we always consider f (0) = 0 as in [6, 7]. Importantly, some issues need to be discussed when we consider the same function f ∈ Bn as a mapping from GF (2n ) → GF (2), i.e., as an item of Fn . We first fix a primitive polynomial p(x) of degree n and take a primitive root α of p(x). Interpreting GF (2n ) as a finite field, we consider the basis {1, α, α2 , . . . , αn−1 }. The coordinate vectors corresponding to 1, α, . . . , αn−1 are the bit patterns (0, 0, . . . , 0, 0, 1), (0, 0, . . . , 0, 1, 0), . . ., (1, 0, . . . , 0, 0, 0) respectively. Further, any αi , n ≤ i ≤ 2n − 2 can be represented as an n-bit vector using the polynomial p(x). Once the n-bit vector is decided, this is basically the assignment to the inputs of the Boolean function and we can refer back to the standard truth table to get the value of the function corresponding to the input pattern. Following the convention in [6, 7], we interpret this truth table n as a binary string of length 2n − 1 as f (1), f (α), f (α2 ), . . . , f (α2 −2 ). We do not explicitly consider f (0) here, since throughout the paper f (0) = 0. Note that, for unique representation, the primitive polynomial need to be fixed, and we denote this truth table as GF T Tp(x) (f ). The most interesting observation in this direction is as follows. Consider an n-variable Boolean function f in terms of its hardware representation in a cryptographic device. The function is either realized by logic gates or as a look up table. This is clearly related to the standard truth table representation T T (f ). 
On the other hand, if we want to analyze properties such as generalized nonlinearity, we need to interpret f as the binary string $GFTT_{p(x)}(f)$. The question is then which primitive polynomial of degree n should be used for this realization. Related issues in the same direction have also been discussed in [5]. It is clear that, given $f \in B_n$, $GFTT_{p(x)}(f)$ and $GFTT_{q(x)}(f)$ with $p(x) \ne q(x)$ may very well be two different mappings $GF(2^n) \to GF(2)$. We describe this situation by an example in Table 1. The leftmost truth table is the standard truth table of a 4-variable Boolean function f. It can be checked that f is a Maiorana-McFarland type bent function (i.e., of nonlinearity 6), namely the concatenation of 4 distinct 2-variable affine functions. Consider the primitive polynomial $p(x) = x^4 + x + 1$ and denote a root of it by $\zeta$. Then $GFTT_{p(x)}(f)$ is the middle table. The function f interpreted in this way is a hyperbent function as presented by Youssef and Gong [6], with generalized nonlinearity 6. However, with the other primitive polynomial $q(x) = x^4 + x^3 + 1$, say with root $\alpha$, $GFTT_{q(x)}(f)$ (rightmost table) has generalized nonlinearity 4, hence is not hyperbent.
Further Results Related to Generalized Nonlinearity
Table 1. Navigation between different representations. Left: the standard truth table TT(f) of the function f ∈ B_n. Middle: GFTT_{p(x)}(f) with p(x) = x^4 + x + 1 and ζ a root of p(x). Right: GFTT_{q(x)}(f) with q(x) = x^4 + x^3 + 1 and α a root of q(x). The row marked * is the input 0, which is not part of GFTT since f(0) = 0.

TT(f)             GFTT_{p(x)}(f)              GFTT_{q(x)}(f)
x3x2x1x0  f       elem   x3x2x1x0  f          elem   x3x2x1x0  f
0000      0       *0     0000      0          *0     0000      0
0001      1       1      0001      1          1      0001      1
0010      1       ζ      0010      1          α      0010      1
0011      0       ζ^2    0100      0          α^2    0100      0
0100      0       ζ^3    1000      0          α^3    1000      0
0101      0       ζ^4    0011      0          α^4    1001      0
0110      1       ζ^5    0110      1          α^5    1011      0
0111      1       ζ^6    1100      1          α^6    1111      0
1000      0       ζ^7    1011      0          α^7    0111      1
1001      0       ζ^8    0101      0          α^8    1110      1
1010      0       ζ^9    1010      0          α^9    0101      0
1011      0       ζ^10   0111      1          α^10   1010      0
1100      1       ζ^11   1110      1          α^11   1101      0
1101      0       ζ^12   1111      0          α^12   0011      0
1110      1       ζ^13   1101      0          α^13   0110      1
1111      0       ζ^14   1001      0          α^14   1100      1
Therefore if a Boolean function is described by a standard truth table then we cannot assign any unique generalized nonlinearity to it. Thus the most interesting problem is to find Boolean functions whose generalized nonlinearity remains invariant when we change the primitive polynomials for the transformation.
Table 2. Hyperbent functions w.r.t. both the primitive polynomials of degree 4. TT(f) is listed as f(0000), …, f(1111); each GFTT is listed as f(1), f(α), …, f(α^14).

TT(f)                    GFTT_{x^4+x+1}(f)    GFTT_{x^4+x^3+1}(f)
0001 0001 0001 1110      00001 01100 11010    00000 10110 01101
0010 1000 0001 1011      01100 01100 01100    01100 11010 00001
0011 1001 0000 0101      01101 00000 10110    01100 01100 01100
0101 0000 1100 1001      10011 01000 00101    10011 01000 00101
Note that there are 896 bent functions on 4 variables. Of them, 448 take the value zero at the all-zero input. Among these there are only 4 bent functions which are hyperbent with respect to both primitive polynomials of degree 4; they are listed in Table 2. Note that only one pattern, 01100 01100 01100, is provided by [6] as hyperbent in this sense; the others are not identified in [6]. With the previous discussion, we now present a few definitions. Consider an n-variable Boolean function f with truth table TT(f) and f(0) = 0, and a primitive polynomial p(x) of degree n. We now define the generalized nonlinearity of a Boolean function. We define the extended Hadamard transformation with respect to p(x) as
$$\hat f_{p(x)}(\lambda, c) = 1 + \sum_{0 \le i \le 2^n - 2} (-1)^{f(\alpha^i) + Tr(\lambda (\alpha^i)^c)},$$
where $\alpha$ is a root of p(x), $\gcd(c, 2^n - 1) = 1$, c is a coset leader modulo $2^n - 1$ and $\lambda \in GF(2^n)$ (the leading 1 is the term for the input 0, since f(0) = 0 and Tr(0) = 0). Using this, the p(x)-generalized nonlinearity is defined by
$$NLG_{p(x)}(f) = 2^{n-1} - \frac{1}{2} \max_{\lambda \in GF(2^n),\ \gcd(c, 2^n - 1) = 1} \left| \hat f_{p(x)}(\lambda, c) \right|.$$
A function f is called p(x)-hyperbent if, for a primitive polynomial p(x) of degree n,
$$NLG_{p(x)}(f) = 2^{n-1} - 2^{\frac{n}{2} - 1}.$$
These functions have been discussed in [6]. Given the degree n, denote the set of primitive polynomials of degree n by $P_n$. We define the perfect generalized nonlinearity of a Boolean function f as
$$PNLG(f) = \min_{p(x) \in P_n} NLG_{p(x)}(f).$$
Moreover, we call f a perfect hyperbent function when $PNLG(f) = 2^{n-1} - 2^{\frac{n}{2} - 1}$. Table 2 provides perfect hyperbent functions on 4 variables. It is interesting to find out whether there exists any perfect hyperbent function for even n > 4.
5.1 A Nonlinear Transformation over $B_n$
Let f be an n-variable Boolean function and TT(f) its truth table. Let $B_n$ be the set of all n-variable Boolean functions. Fix a primitive polynomial p(x) of degree n over GF(2) and construct $GFTT_{p(x)}(f)$. If $\alpha$ is a root of p(x), then $GFTT_{p(x)}(f)$ is associated to the sequence $f(1), f(\alpha), f(\alpha^2), \ldots, f(\alpha^{2^n - 2})$. Let us now define a transformation as follows. Consider $f \in B_n$ and two distinct primitive polynomials p(x), q(x) of degree n. Let $\beta$ be a root of q(x). Construct a function $g \in B_n$ such that $g(\beta^i) = f(\alpha^i)$ for $i = 0, 1, 2, \ldots, 2^n - 2$ (and g(0) = 0). Note that the bit pattern corresponding to both $\alpha$ and $\beta$ is (0, 0, …, 1, 0). It is not difficult to observe that $NLG_{p(x)}(f) = NLG_{q(x)}(g)$. We denote this transformation by $g = \Theta_{p(x),q(x)}(f)$. It can be checked that $\Theta_{p(x),q(x)}$ maps a linear function to a bijective monomial, which is nonlinear; therefore, over $B_n$, this is a nonlinear transformation.

Theorem 4. Let f be a p(x)-hyperbent function. Then $\Theta_{p(x),q(x)}(f)$ is bent.

Proof. Let $g = \Theta_{p(x),q(x)}(f)$. Then $NLG_{p(x)}(f) = NLG_{q(x)}(g)$. Since the generalized nonlinearity never exceeds the nonlinearity, $NL(f) \ge NLG_{p(x)}(f) = NLG_{q(x)}(g) \le NL(g)$. If f is p(x)-hyperbent then $NL(f) = NLG_{p(x)}(f) = NLG_{q(x)}(g) \le NL(g) \le NL(f)$, the last inequality because a hyperbent f already attains the maximum possible nonlinearity $2^{n-1} - 2^{\frac{n}{2} - 1}$. Therefore g is a bent function.
Note that Dillon's construction [2] basically provides hyperbent functions, as demonstrated in [6]. Hence these are clearly p(x)-hyperbent for some primitive polynomial p(x). Theorem 4 presents the application of a nonlinear transformation to the bent functions available from Dillon's construction [2], and this transformation preserves the highest nonlinearity.
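The computations behind Tables 1 and 2, the definitions of $\hat f_{p(x)}$ and $NLG_{p(x)}$, and the transformation $\Theta_{p(x),q(x)}$ of Theorem 4, as an added example that is not part of the paper (the authors give no programs): Python code that builds $GFTT_{p(x)}(f)$ from TT(f), evaluates the extended Hadamard transform by brute force over $\lambda$ and c, and applies $\Theta$. The function names (gftt, generalized_nonlinearity, theta, is_hyperbent) are this example's own; the truth table embedded below is the one of Table 1, and the code reproduces the values stated in the text (NLG 6 under $x^4 + x + 1$, NLG 4 under $x^4 + x^3 + 1$).

```python
# Added example, not the paper's code: p(x)-generalized nonlinearity of a
# 4-variable Boolean function given as its standard truth table TT(f).
from math import gcd

N = 4
P_POLY = 0b10011   # p(x) = x^4 + x + 1
Q_POLY = 0b11001   # q(x) = x^4 + x^3 + 1

# TT(f) of Table 1, indexed by the integer x3x2x1x0 (so tt[5] = f(0101)).
TT_TABLE1 = [0, 1, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 1, 0]

def gf_mul(a, b, poly=P_POLY, n=N):
    """Multiply two elements of GF(2^n), given as bit vectors in the basis
    {1, alpha, ..., alpha^(n-1)}, reducing alpha^n with the polynomial."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def powers(poly=P_POLY, n=N):
    """[alpha^0, alpha^1, ..., alpha^(2^n - 2)] as n-bit integers."""
    out, x = [], 1
    for _ in range((1 << n) - 1):
        out.append(x)
        x = gf_mul(x, 2, poly, n)          # multiply by alpha = 0...010
    return out

def trace(x, poly=P_POLY, n=N):
    """Tr(x) = x + x^2 + ... + x^(2^(n-1)), an element of GF(2) = {0, 1}."""
    t, y = 0, x
    for _ in range(n):
        t ^= y
        y = gf_mul(y, y, poly, n)
    return t

def gftt(tt, poly):
    """GFTT_p(f): the string f(1), f(alpha), ..., f(alpha^(2^n - 2))."""
    return [tt[a] for a in powers(poly)]

def ext_hadamard(tt, poly, lam, c):
    """f^(lambda, c) = 1 + sum_i (-1)^(f(alpha^i) + Tr(lambda (alpha^i)^c));
    the leading 1 is the x = 0 term, since f(0) = 0 and Tr(0) = 0."""
    pw, m = powers(poly), (1 << N) - 1
    s = 1
    for i in range(m):
        s += (-1) ** (tt[pw[i]] ^ trace(gf_mul(lam, pw[(i * c) % m], poly), poly))
    return s

def generalized_nonlinearity(tt, poly):
    """NLG_p(f) = 2^(n-1) - (1/2) max |f^(lambda, c)| over lambda in GF(2^n),
    gcd(c, 2^n - 1) = 1.  Ranging over every such c instead of only the coset
    leaders gives the same maximum: Tr(lambda x^(2c)) = Tr(lambda^(2^(n-1)) x^c)."""
    m = (1 << N) - 1
    best = max(abs(ext_hadamard(tt, poly, lam, c))
               for c in range(1, m) if gcd(c, m) == 1
               for lam in range(1 << N))
    return (1 << (N - 1)) - best // 2

def nonlinearity(tt, poly=P_POLY):
    """Ordinary nonlinearity NL(f): the transform restricted to c = 1."""
    best = max(abs(ext_hadamard(tt, poly, lam, 1)) for lam in range(1 << N))
    return (1 << (N - 1)) - best // 2

def theta(tt, p_poly, q_poly):
    """g = Theta_{p,q}(f): g(beta^i) = f(alpha^i), alpha a root of p, beta of q."""
    g = [0] * (1 << N)
    for a, b in zip(powers(p_poly), powers(q_poly)):
        g[b] = tt[a]
    return g

def is_hyperbent(tt, poly):
    return generalized_nonlinearity(tt, poly) == (1 << (N - 1)) - (1 << (N // 2 - 1))

if __name__ == "__main__":
    for name, poly in (("x^4+x+1", P_POLY), ("x^4+x^3+1", Q_POLY)):
        print(name, "".join(map(str, gftt(TT_TABLE1, poly))),
              "NLG =", generalized_nonlinearity(TT_TABLE1, poly))
    g = theta(TT_TABLE1, P_POLY, Q_POLY)
    print("Theta_{p,q}(f) =", g, "NL =", nonlinearity(g))
```

The search over all 16 values of $\lambda$ and all c coprime to 15 is only 8 × 16 × 15 transform terms for n = 4; for larger n the same code works unchanged but the cost grows as $2^{2n}$ per c, so restricting c to coset leaders, as the definition does, is the first thing to do.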
6 Conclusions
In Section 3 we have characterized the functions in $F_n$ which are stable with respect to $U(2^n - 1)$. The functions which are stable with respect to some subgroup of $U(2^n - 1)$ also form an interesting class to study. In Section 4 we have studied functions of repetitive sequence. The trace representation of functions which are stable with respect to the Frobenius automorphisms and are functions of repetitive sequence is obtained. This is an important class of functions, since the functions constructed by Patterson and Wiedemann [4] are members of this class. In the case n = 4, we have constructed hyperbent functions which are not of the type constructed by Youssef and Gong [6]. It is not known whether such functions exist for n > 4. In Section 5 we demonstrate that it is not possible to assign a unique generalized nonlinearity to a function when it is represented as an element of $B_n$, and we extend the concept of generalized nonlinearity so that it can be used for elements of $B_n$. These discussions give rise to a nonlinear transformation which transforms a bent function constructed by Dillon into another bent function, keeping the nonlinearity unchanged.
Acknowledgment. The authors would like to thank Mr. A. Venkateswarlu of IIT Madras, Chennai, India, Dr. P. H. Keskar of the Mathematics Group, BITS Pilani, India, and the anonymous reviewers for their valuable comments, which improved both the technical quality and the presentation of this paper.
References
[1] C. Carlet. Personal communication, 2002.
[2] J. F. Dillon. Elementary Hadamard difference sets. In Proceedings of the 6th S. E. Conference on Combinatorics, Graph Theory, and Computing, pages 237–249. Utility Mathematics, Winnipeg, 1975.
[3] G. Gong and S. W. Golomb. Transform domain analysis of DES. IEEE Transactions on Information Theory, 45(6):2065–2073, September 1999.
[4] N. J. Patterson and D. H. Wiedemann. The covering radius of the (2^15, 16) Reed-Muller code is at least 16276. IEEE Transactions on Information Theory, IT-29(3):354–356, 1983 (see correction in IT-36(2):443, 1990).
[5] A. Youssef and G. Gong. On interpolation attacks on block ciphers. In FSE 2000, LNCS 1978, pages 109–120. Springer-Verlag, 2001.
Sugata Gangopadhyay and Subhamoy Maitra
[6] A. Youssef and G. Gong. Hyper-bent functions. In Advances in Cryptology, Eurocrypt 2001, LNCS 2045, pages 406–419. Springer-Verlag, 2001.
[7] A. Youssef and G. Gong. Boolean functions with large distance to all bijective monomials: N odd case. In Selected Areas in Cryptography, SAC 2001, LNCS 2259. Springer-Verlag, 2001.
Modular Multiplication in GF(p^k) Using Lagrange Representation
Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre
Laboratoire d'Informatique de Robotique et de Microélectronique de Montpellier, LIRMM – CNRS UMR 5506, 161 rue Ada, 34392 Montpellier Cedex 5, France
{bajard,imbert,negre}@lirmm.fr
Abstract. In this paper we present a new hardware modular multiplication algorithm over the finite extension fields GF (pk ) where p > 2k. We use an alternate polynomial representation of the field elements and a Lagrange like interpolation technique. We describe our algorithm in terms of matrix operations and point out some properties of the matrices that can be used to improve the hardware design. The proposed algorithm is highly parallelizable and seems well suited for hardware implementation of elliptic curve cryptosystems. Keywords: Finite fields, multiplication, cryptography, fast implementation.
1 Introduction
Cryptographic applications such as elliptic or hyperelliptic curve cryptosystems (ECC, HECC) [1, 2, 3] and the Diffie-Hellman key exchange algorithm [4] require arithmetic operations to be performed in finite fields. Efficient arithmetic in these fields is therefore a major issue for many modern cryptographic applications [5]. Many studies have been proposed for the prime field GF(p) [6] or the Galois field $GF(2^k)$ [7, 8, 9]. In 2001, D. Bailey and C. Paar proposed an efficient arithmetic in $GF(p^k)$ when p is a pseudo-Mersenne prime [10], but although it could result in a wider choice of cryptosystems, arithmetic over the more general finite extension fields $GF(p^k)$, with p > 2, has not been extensively investigated yet. Moreover it has been proved that elliptic curves defined over $GF(p^k)$ – where the curves satisfy the usual security conditions – provide at least the same level of security as the curves usually defined over $GF(2^k)$ or GF(p). This paper introduces a Montgomery-like modular multiplication algorithm in $GF(p^k)$ for p > 2k. Given the polynomials A(X) and B(X) of degree less than k, and G(X) of degree k (we give more details on G(X) in Section 3), our algorithm computes $A(X) \times B(X) \times G(X)^{-1} \bmod N(X)$, where both the operands and the result are given in an alternate representation.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 275–284, 2002. © Springer-Verlag Berlin Heidelberg 2002
In the classical polynomial representation, we consider the field elements of $GF(p^k)$ as polynomials of degree less than k in GF(p)[X], and we represent the field with respect to an irreducible polynomial N(X) of degree k over GF(p). Any element A of $GF(p^k)$ is then represented by a polynomial A(X) of degree k − 1 or less with coefficients in GF(p), i.e., $A(X) = a_0 + a_1 X + \cdots + a_{k-1} X^{k-1}$, where $a_i \in \{0, \ldots, p-1\}$. In this paper we consider an alternate solution, which consists of representing the polynomials by their values at k distinct points instead of by their k coefficients. As a result, if we choose k points $(e_1, e_2, \ldots, e_k)$, we represent the polynomial A(X) by the sequence $(A(e_1), A(e_2), \ldots, A(e_k))$. Within this representation, addition, subtraction and multiplication are performed over completely independent channels, which is a great advantage from a chip design viewpoint.
2 Montgomery Multiplication in GF(p^k)
In 1985, Peter Montgomery proposed an integer reduction algorithm that is easily extended to modular multiplication of large integers [11]. This method has recently been adapted to modular multiplication in $GF(2^k)$, with $X^k$ as the Montgomery factor [7], and extends easily to $GF(p^k)$ with p > 2. As in [7], we represent the field $GF(p^k)$ with respect to a monic irreducible polynomial N(X) of degree k and consider the field elements as polynomials of degree less than k in GF(p)[X]. If A(X) and B(X) are two elements of $GF(p^k)$, Montgomery's multiplication technique is used to compute $A(X) \times B(X) \times X^{-k} \bmod N(X)$. We successively evaluate
$$Q(X) = -A(X)\, B(X)\, N(X)^{-1} \bmod X^k,$$
$$R(X) = [A(X)\, B(X) + Q(X)\, N(X)] \times X^{-k}.$$
2.1 Implementation
Let us denote
$$A(X) = a_0 + a_1 X + a_2 X^2 + \cdots + a_{k-1} X^{k-1},$$
$$B(X) = b_0 + b_1 X + b_2 X^2 + \cdots + b_{k-1} X^{k-1},$$
$$N(X) = n_0 + n_1 X + n_2 X^2 + \cdots + n_{k-1} X^{k-1},$$
$$N^{-1}(X) \bmod X^k = n'_0 + n'_1 X + n'_2 X^2 + \cdots + n'_{k-1} X^{k-1}.$$
The reduction modulo $X^k$ is accomplished by ignoring the terms of degree greater than or equal to k, and the division by $X^k$ simply consists of shifting the polynomial k places to the right. These operations are easily integrated into the matrix operations, and the computation of Q(X) then decomposes as follows:
$$\begin{pmatrix} q_0 \\ q_1 \\ \vdots \\ q_{k-2} \\ q_{k-1} \end{pmatrix} = - \begin{pmatrix} n'_0 & 0 & \cdots & 0 & 0 \\ n'_1 & n'_0 & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ n'_{k-2} & n'_{k-3} & \cdots & n'_0 & 0 \\ n'_{k-1} & n'_{k-2} & \cdots & n'_1 & n'_0 \end{pmatrix} \begin{pmatrix} a_0 & 0 & \cdots & 0 & 0 \\ a_1 & a_0 & \cdots & 0 & 0 \\ \vdots & & \ddots & & \vdots \\ a_{k-2} & a_{k-3} & \cdots & a_0 & 0 \\ a_{k-1} & a_{k-2} & \cdots & a_1 & a_0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{k-2} \\ b_{k-1} \end{pmatrix}$$
The evaluation of R(X) then rewrites as
$$\begin{pmatrix} r_0 \\ r_1 \\ \vdots \\ r_{k-3} \\ r_{k-2} \\ r_{k-1} \end{pmatrix} = \begin{pmatrix} 0 & a_{k-1} & a_{k-2} & \cdots & a_2 & a_1 \\ 0 & 0 & a_{k-1} & \cdots & a_3 & a_2 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & a_{k-1} & a_{k-2} \\ 0 & 0 & 0 & \cdots & 0 & a_{k-1} \\ 0 & 0 & 0 & \cdots & 0 & 0 \end{pmatrix} \begin{pmatrix} b_0 \\ b_1 \\ \vdots \\ b_{k-3} \\ b_{k-2} \\ b_{k-1} \end{pmatrix} + \begin{pmatrix} 0 & n_{k-1} & n_{k-2} & \cdots & n_2 & n_1 \\ 0 & 0 & n_{k-1} & \cdots & n_3 & n_2 \\ \vdots & & & \ddots & & \vdots \\ 0 & 0 & 0 & \cdots & n_{k-1} & n_{k-2} \\ 0 & 0 & 0 & \cdots & 0 & n_{k-1} \\ 0 & 0 & 0 & \cdots & 0 & 0 \end{pmatrix} \begin{pmatrix} q_0 \\ q_1 \\ \vdots \\ q_{k-3} \\ q_{k-2} \\ q_{k-1} \end{pmatrix}$$
The last row ensures that R(X) is given with k coefficients. Note that $n_0, \ldots, n_{k-1}$ are the coefficients of N(X) below its monic leading term $X^k$; the product of that leading term with Q(X) is $X^k Q(X)$, which the division by $X^k$ turns back into Q(X), so in an implementation the vector q itself is added to the right-hand side above. In terms of elementary operations over GF(p), the complexity of this method is $k^2 + (k-1)^2$ multiplications and $(k-1)^2 + (k-2)^2$ additions. Furthermore, we note that if p < 512, elementary operations over GF(p) can be implemented with a lookup table.
3 Alternate Polynomial Representation
Thanks to Lagrange interpolation, we can represent polynomials of degree less than k by their values at k distinct points $\{e_1, e_2, \ldots, e_k\}$: if A(X) is a polynomial of degree at most k − 1, we denote $a_{e_i} = A(e_i)$ and represent it by the sequence $(a_{e_1}, a_{e_2}, \ldots, a_{e_k})$ of length k. Unlike the previous approach, which uses the polynomial $G(X) = X^k$, we define
$$G(X) = (X - e_1)(X - e_2) \cdots (X - e_k), \qquad (1)$$
where $e_i \in \{0, 1, \ldots, p-1\}$. This clearly implies p > k. As we shall see further, 2k such distinct points are actually needed, which in turn implies p > 2k. The following algorithm computes $A(X) \times B(X) \times G^{-1}(X) \bmod N(X)$ for p > 2k. In Algorithm 1 it is important to note that it is impossible to evaluate R(X) directly as stated in step 2. Since we only know the values of the polynomials A(X), B(X), Q(X), N(X) and G(X) for $X \in \{e_1, e_2, \ldots, e_k\}$, the sequences representing $[A(X) \times B(X) + Q(X) \times N(X)]$ and G(X) are composed only of zeros: G(X) vanishes at every $e_i$, and the bracket is a multiple of G(X). Thus the division by G(X), which really is a multiplication by $G^{-1}(X)$, has no effect. We address this problem by using k extra values $\{e'_1, e'_2, \ldots, e'_k\}$ with $e'_i \ne e_j$ for all i, j, and by computing $[A(X) \times B(X) + Q(X) \times N(X)]$ and G(X) at those extra values. In the modified Algorithm 2, the operation of step 2 of Algorithm 1 is then performed for $X \in \{e'_1, e'_2, \ldots, e'_k\}$. Steps 1 and 3 are fully parallel operations in GF(p). The complexity of Algorithm 2 mainly depends on the two polynomial interpolations (steps 2 and 4).
Algorithm 1
Step 1: Define the polynomial Q(X) of degree less than k such that $Q(X) = -A(X) \times B(X) \times N^{-1}(X) \bmod G(X)$; in other words, we compute in parallel (in GF(p)) $Q(x) = -A(x) \times B(x) \times N^{-1}(x)$ for $x \in \{e_1, e_2, \ldots, e_k\}$.
Step 2: Since $[A(X) \times B(X) + Q(X) \times N(X)]$ is a multiple of G(X), we compute R(X) (of degree less than k) such that
$$R(X) = [A(X)\, B(X) + Q(X)\, N(X)] \times G^{-1}(X).$$

Algorithm 2
Step 1: Compute $Q(x) = -A(x) \times B(x) \times N^{-1}(x)$ for $x \in \{e_1, e_2, \ldots, e_k\}$ (in parallel).
Step 2: Extend Q(X) to $x \in \{e'_1, e'_2, \ldots, e'_k\}$ using Lagrange interpolation.
Step 3: Compute R(X) in $\{e'_1, e'_2, \ldots, e'_k\}$:
$$R(X) = [A(X)\, B(X) + Q(X)\, N(X)] \times G^{-1}(X).$$
Step 4: Extend R(X) back to $\{e_1, e_2, \ldots, e_k\}$ using Lagrange interpolation.
3.1 Implementation
In step 1 we compute in GF(p), in parallel for all i in {1, …, k}, $q_{e_i} = -a_{e_i} \times b_{e_i} \times \tilde n_{e_i}$, where $\tilde n_{e_i} = N^{-1}(e_i)$. Then in step 2 the extension is performed via Lagrange interpolation:
$$Q(X) = \sum_{i=1}^{k} q_{e_i} \prod_{j=1,\, j \ne i}^{k} \frac{X - e_j}{e_i - e_j}. \qquad (2)$$
If we denote $\omega_{t,i} = \prod_{j=1,\, j \ne i}^{k} \frac{e'_t - e_j}{e_i - e_j}$, the extension of Q(X) to $\{e'_1, e'_2, \ldots, e'_k\}$ becomes
$$\begin{pmatrix} q_{e'_1} \\ q_{e'_2} \\ \vdots \\ q_{e'_{k-1}} \\ q_{e'_k} \end{pmatrix} = \begin{pmatrix} \omega_{1,1} & \omega_{1,2} & \cdots & \omega_{1,k-1} & \omega_{1,k} \\ \omega_{2,1} & \omega_{2,2} & \cdots & \omega_{2,k-1} & \omega_{2,k} \\ \vdots & & & & \vdots \\ \omega_{k-1,1} & \omega_{k-1,2} & \cdots & \omega_{k-1,k-1} & \omega_{k-1,k} \\ \omega_{k,1} & \omega_{k,2} & \cdots & \omega_{k,k-1} & \omega_{k,k} \end{pmatrix} \begin{pmatrix} q_{e_1} \\ q_{e_2} \\ \vdots \\ q_{e_{k-1}} \\ q_{e_k} \end{pmatrix} \qquad (3)$$
Operations in step 3 are performed in parallel for i in {1, …, k}. We compute in GF(p)
$$r_{e'_i} = (a_{e'_i} \, b_{e'_i} + q_{e'_i} \, n_{e'_i}) \, \zeta_i, \quad\text{where}\quad \zeta_i = \Big[\prod_{j=1}^{k} (e'_i - e_j)\Big]^{-1} = [G(e'_i)]^{-1} \bmod p.$$
It is easy to see that $G(e'_i) \ne 0$ for i in {1, …, k}. At the end of step 3, the polynomial R(X) of degree less than k is defined by its k values in GF(p) for $X \in \{e'_1, e'_2, \ldots, e'_k\}$. In step 4 we extend R(X) back to e. As in step 2 we define $\omega'_{t,i} = \prod_{j=1,\, j \ne i}^{k} \frac{e_t - e'_j}{e'_i - e'_j}$ and compute
$$\begin{pmatrix} r_{e_1} \\ r_{e_2} \\ \vdots \\ r_{e_{k-1}} \\ r_{e_k} \end{pmatrix} = \begin{pmatrix} \omega'_{1,1} & \omega'_{1,2} & \cdots & \omega'_{1,k-1} & \omega'_{1,k} \\ \omega'_{2,1} & \omega'_{2,2} & \cdots & \omega'_{2,k-1} & \omega'_{2,k} \\ \vdots & & & & \vdots \\ \omega'_{k-1,1} & \omega'_{k-1,2} & \cdots & \omega'_{k-1,k-1} & \omega'_{k-1,k} \\ \omega'_{k,1} & \omega'_{k,2} & \cdots & \omega'_{k,k-1} & \omega'_{k,k} \end{pmatrix} \begin{pmatrix} r_{e'_1} \\ r_{e'_2} \\ \vdots \\ r_{e'_{k-1}} \\ r_{e'_k} \end{pmatrix} \qquad (4)$$
Complexity In terms of elementary operations, the complexity of this method is 2k 2 multiplications by a constant and 2k(k − 1) additions in GF (p).
4 Example
Let us first define the constant parameters. We consider the finite field $GF(23^5)$ with respect to the irreducible polynomial of degree 5 $N(X) = X^5 + 2X + 1$, the two sets of points $e = \{2, 4, 6, 8, 10\}$ and $e' = \{3, 5, 7, 9, 11\}$, the interpolation matrices needed in steps 2 and 4,
$$\omega = \begin{pmatrix} 8 & 9 & 7 & 11 & 12 \\ 12 & 17 & 14 & 2 & 2 \\ 2 & 2 & 14 & 17 & 12 \\ 12 & 11 & 7 & 9 & 8 \\ 8 & 18 & 22 & 19 & 3 \end{pmatrix} \quad\text{and}\quad \omega' = \begin{pmatrix} 3 & 19 & 22 & 18 & 8 \\ 8 & 9 & 7 & 11 & 12 \\ 12 & 17 & 14 & 2 & 2 \\ 2 & 2 & 14 & 17 & 12 \\ 12 & 11 & 7 & 9 & 8 \end{pmatrix},$$
and the vector $\zeta = (16, 1, 22, 7, 12)$ used in step 3.
Given the two elements A(X) and B(X) of $GF(23^5)$,
$$A(X) = 2X^4 + X + 3, \qquad B(X) = X^2 + 5X + 4,$$
we aim at computing $R(X) = A(X) B(X) G^{-1}(X) \bmod N(X)$ in the evaluated form $r_e = (R(e_1), R(e_2), \ldots, R(e_k))$. We evaluate A, B and N at each value of e and e':
$$a_e = (14, 13, 2, 15, 3) \quad\text{and}\quad a_{e'} = (7, 16, 5, 1, 17),$$
$$b_e = (18, 17, 1, 16, 16) \quad\text{and}\quad b_{e'} = (5, 8, 19, 15, 19),$$
$$n_e = (14, 21, 15, 10, 17) \quad\text{and}\quad n_{e'} = (20, 8, 9, 4, 5);$$
and we compute the vector $\tilde n_e = (5, 11, 20, 7, 19)$. In step 1 of the algorithm we compute $q_e = (5, 7, 6, 22, 8)$, and we extend it in step 2 from e to e' (eq. (3)): $q_{e'} = (0, 1, 3, 4, 4)$. Now in step 3 we evaluate, in parallel for each value of e', $r_{e'} = (8, 21, 16, 10, 22)$, and we interpolate it back (eq. (4)) to obtain the final result in e: $r_e = (4, 3, 5, 3, 15)$. It is easy to verify that the results $r_e$ and $r_{e'}$ are correct by evaluating $R(X) = A(X) B(X) G^{-1}(X) \bmod N(X) = 3X^4 + 17X^3 + 11X^2 + 6X + 17$ at each point of e and e'.
5 Discussions
5.1 Simplified Architecture
A major advantage of this method is that the matrices in (3) and (4) do not depend on the inputs. Thus, all the operations reduce to multiplications by constants which significantly simplify the hardware implementation. Moreover, in the example presented in section 4, we have detected symmetries between the two matrices that can also contribute to a simplified architecture.
Lemma 1. Let us denote
$$\omega_{i,j} = \prod_{m=1,\, m \ne j}^{k} \frac{2i + 1 - 2m}{2j - 2m} \quad\text{and}\quad \omega'_{i,j} = \prod_{m=1,\, m \ne j}^{k} \frac{2i - (2m + 1)}{(2j + 1) - (2m + 1)}, \qquad (5)$$
for $i, j \in \{1, \ldots, k\}$. Then for every $i, j \in \{1, \ldots, k\}$ we have $\omega_{i,j} = \omega'_{k+1-i,\, k+1-j}$.

In other words, equation (4) can be implemented with the same matrix as eq. (3), by simply reversing the order of the elements of the vectors $r_e$ and $r_{e'}$:
$$\begin{pmatrix} r_{e_k} \\ r_{e_{k-1}} \\ \vdots \\ r_{e_2} \\ r_{e_1} \end{pmatrix} = \begin{pmatrix} \omega_{1,1} & \omega_{1,2} & \cdots & \omega_{1,k-1} & \omega_{1,k} \\ \omega_{2,1} & \omega_{2,2} & \cdots & \omega_{2,k-1} & \omega_{2,k} \\ \vdots & & & & \vdots \\ \omega_{k-1,1} & \omega_{k-1,2} & \cdots & \omega_{k-1,k-1} & \omega_{k-1,k} \\ \omega_{k,1} & \omega_{k,2} & \cdots & \omega_{k,k-1} & \omega_{k,k} \end{pmatrix} \begin{pmatrix} r_{e'_k} \\ r_{e'_{k-1}} \\ \vdots \\ r_{e'_2} \\ r_{e'_1} \end{pmatrix} \qquad (6)$$
The proof of Lemma 1 is given in Appendix A.

Lemma 2. Under the same conditions as in equations (5) of Lemma 1, for all $i \in \{2, \ldots, k\}$, $j \in \{1, \ldots, k\}$ we have the identity $\omega'_{i,j} = \omega_{i-1,j}$.
$$\begin{pmatrix} \omega'_{1,1} & \omega'_{1,2} & \cdots & \omega'_{1,k-1} & \omega'_{1,k} \\ \omega'_{2,1} & \omega'_{2,2} & \cdots & \omega'_{2,k-1} & \omega'_{2,k} \\ \vdots & & & & \vdots \\ \omega'_{k-1,1} & \omega'_{k-1,2} & \cdots & \omega'_{k-1,k-1} & \omega'_{k-1,k} \\ \omega'_{k,1} & \omega'_{k,2} & \cdots & \omega'_{k,k-1} & \omega'_{k,k} \end{pmatrix} = \begin{pmatrix} \omega_{k,k} & \omega_{k,k-1} & \cdots & \omega_{k,2} & \omega_{k,1} \\ \omega_{1,1} & \omega_{1,2} & \cdots & \omega_{1,k-1} & \omega_{1,k} \\ \vdots & & & & \vdots \\ \omega_{k-2,1} & \omega_{k-2,2} & \cdots & \omega_{k-2,k-1} & \omega_{k-2,k} \\ \omega_{k-1,1} & \omega_{k-1,2} & \cdots & \omega_{k-1,k-1} & \omega_{k-1,k} \end{pmatrix}$$
The proof of Lemma 2 is given in Appendix B. Remarks. These two lemmas point out symmetry properties of the matrices that mainly depend on the choice made in the example for the points of e and e'. They can be taken into account to improve the hardware architecture. Other choices of points could be more interesting and could result in very attractive chip design solutions; this is currently work in progress in our team.
5.2 Cryptographic Context
In ECC, the main operation is the addition of two points of an elliptic curve over a finite field. Hardware implementation of elliptic curves cryptosystems thus requires efficient operators for additions, multiplications and divisions. Since division is usually a complex operation, we use homogeneous coordinates to bypass this difficulty (only one division is needed at the very end of the algorithm).
Thus the only operations are addition and multiplication in GF(p). The cost of an addition over GF(p) is no more than $\lceil \log_2 p \rceil$ full adders. Actually we do not have to reduce modulo p after each addition: we only subtract p from the result of the last addition if it exceeds $2^{\lceil \log_2 p \rceil}$ (recall that p is odd); in other words, we just have to check one bit after each addition. The exact value is only needed for the final result. In ECC protocols, addition chains of points of an elliptic curve are needed. In homogeneous coordinates, those operations consist of additions and multiplications over $GF(p^k)$. Only one division is needed at the end, and it can be performed in the Lagrange representation using the Fermat–Euler theorem, which states that $x^{p^k - 1} = 1$ for every non-zero x in $GF(p^k)$; hence the inverse of x is obtained by computing $x^{p^k - 2}$ in $GF(p^k)$. It is also advantageous to use a polynomial analogue of the Montgomery notation during the computations: we consider the polynomials in the form $A'(X) = A(X) \times G(X) \bmod N(X)$ instead of A(X). Adding two polynomials given in this notation clearly yields the result in the same notation, and for the product, since $Mont(A, B, N) = A(X) \times B(X) \times G^{-1}(X) \bmod N(X)$, we have $Mont(A', B', N) = A'(X) \times B'(X) \times G^{-1}(X) \bmod N(X) = A(X) \times B(X) \times G(X) \bmod N(X)$. Note that A'(X) cannot be obtained by a pointwise product in the Lagrange representation, since G(X) vanishes at every $e_i$; as in integer Montgomery arithmetic, it is obtained as $Mont(A, G^2 \bmod N, N)$.
6 Conclusion
Recent work by Bailey and Paar has shown that it is possible to obtain more efficient software implementations over $GF(p^k)$ than over $GF(2^k)$ or GF(p). In this article we have presented a new modular multiplication algorithm over the finite extension field $GF(p^k)$, for p > 2k, which is highly parallelizable and well adapted to hardware implementation. Our algorithm is particularly interesting for ECC, since it seems that there are fewer nonsingular curves over $GF(p^k)$ than over $GF(2^k)$; finding "good" curves for elliptic curve cryptography would then be easier. Furthermore, under the condition "k is a power of a prime number q 11", the primality condition on k required for the fields $GF(2^k)$ could be relaxed in the case of $GF(p^k)$. This could result in a wider choice of curves than in the case p = 2. This method can be extended to finite fields of the form $GF(2^{nm})$, where $2^n > 2m$. Fields of this form can be useful for the recent tripartite Diffie–Hellman key exchange algorithm [12] or the short signature scheme [13], which require efficient arithmetic over $GF(p^{kl})$, where 6 < k 15 and l is a prime number greater than 160. In this case $p = 2^n$ is no longer a prime number, which forces us to choose the values of e and e' in $GF(2^n)^*$.
References
[1] Koblitz, N.: Elliptic curve cryptosystems. Mathematics of Computation 48 (1987) 203–209
[2] Koblitz, N.: A Course in Number Theory and Cryptography. Second edn. Volume 114 of Graduate Texts in Mathematics. Springer-Verlag (1994)
[3] Koblitz, N.: Algebraic Aspects of Cryptography. Volume 3 of Algorithms and Computation in Mathematics. Springer-Verlag (1998)
[4] Diffie, W., Hellman, M. E.: New directions in cryptography. IEEE Transactions on Information Theory IT-22 (1976) 644–654
[5] Menezes, A. J., Van Oorschot, P. C., Vanstone, S. A.: Handbook of Applied Cryptography. CRC Press, 2000 N. W. Corporate Blvd., Boca Raton, FL 33431-9868, USA (1997)
[6] Yanik, T., Savaş, E., Koç, Ç. K.: Incomplete reduction in modular arithmetic. IEE Proceedings: Computers and Digital Techniques 149 (2002) 46–52
[7] Koç, Ç. K., Acar, T.: Montgomery multiplication in GF(2^k). Designs, Codes and Cryptography 14 (1998) 57–69
[8] Halbutoğullari, A., Koç, Ç. K.: Parallel multiplication in GF(2^k) using polynomial residue arithmetic. Designs, Codes and Cryptography 20 (2000) 155–173
[9] Paar, C., Fleischmann, P., Roelse, P.: Efficient multiplier architectures for Galois fields GF(2^{4n}). IEEE Transactions on Computers 47 (1998) 162–170
[10] Bailey, D., Paar, C.: Efficient arithmetic in finite field extensions with application in elliptic curve cryptography. Journal of Cryptology 14 (2001) 153–176
[11] Montgomery, P. L.: Modular multiplication without trial division. Mathematics of Computation 44 (1985) 519–521
[12] Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: 4th International Algorithmic Number Theory Symposium (ANTS-IV). Volume 1838 of Lecture Notes in Computer Science, Springer-Verlag (2000) 385–393
[13] Boneh, D., Shacham, H., Lynn, B.: Short signatures from the Weil pairing. In: Proceedings of Asiacrypt'01. Volume 2139 of Lecture Notes in Computer Science, Springer-Verlag (2001) 514–532
A Proof of Lemma 1
We rearrange each side of the equality to make the identity appear. We first focus on the right-hand side:
$$\omega'_{k+1-i,\, k+1-j} = \prod_{m=1,\, m \ne k+1-j}^{k} \frac{2(k+1-i) - (2m+1)}{2(k+1-j) + 1 - (2m+1)} = \prod_{m=1,\, m \ne k+1-j}^{k} \frac{-2i + 2(k+1-m) - 1}{-2j + 1 + 2(k+1-m) - 1}.$$
Here we have just moved k + 1 within each term of the product. Next, simplifying each fraction by −1 and factoring out the 2 in the denominators, we get
$$\omega'_{k+1-i,\, k+1-j} = 2^{1-k} \prod_{m=1,\, m \ne k+1-j}^{k} \frac{2i - 2(k+1-m) + 1}{j - (k+1-m)} = 2^{1-k} \prod_{m=1,\, m \ne j}^{k} \frac{2i + 1 - 2m}{j - m},$$
where in the last step we changed the index $m \leftarrow k + 1 - m$.
We now do the same with the left-hand side:
$$\omega_{i,j} = \prod_{m=1,\, m \ne j}^{k} \frac{2i + 1 - 2m}{2j - 2m}.$$
Factoring out the 2 in the denominators,
$$\omega_{i,j} = 2^{1-k} \prod_{m=1,\, m \ne j}^{k} \frac{2i + 1 - 2m}{j - m}.$$
We conclude that the new expressions of $\omega_{i,j}$ and $\omega'_{k+1-i,\, k+1-j}$ are the same.
B Proof of Lemma 2
Here again this is proved by simple manipulations of the coefficients. Let us begin with the expression of $\omega_{i-1,j}$:
$$\omega_{i-1,j} = \prod_{m=1,\, m \ne j}^{k} \frac{2(i-1) + 1 - 2m}{2j - 2m} = \prod_{m=1,\, m \ne j}^{k} \frac{2i - 1 - 2m}{2j + 1 - 1 - 2m}.$$
Here we have just used the equalities 2(i − 1) + 1 = 2i − 1 in the numerators and 0 = 1 − 1 in the denominators. Rearranging each factor of the product gives
$$\omega_{i-1,j} = \prod_{m=1,\, m \ne j}^{k} \frac{2i - (2m+1)}{(2j+1) - (2m+1)} = \omega'_{i,j}.$$
Speeding up the Scalar Multiplication in the Jacobians of Hyperelliptic Curves Using Frobenius Map
YoungJu Choie (1) and Jong Won Lee (2)
(1) Department of Mathematics, POSTECH, Pohang, Korea, [email protected]
(2) IEM, University of Essen, Essen, Germany, [email protected]
Abstract. In [8] Koblitz suggested making use of a Frobenius expansion to speed up scalar multiplication in the Jacobians of hyperelliptic curves over fields of characteristic 2. Recently, Günther et al. [6] modified Koblitz's Frobenius expansion method and applied it to the Koblitz curves of genus 2 over $F_2$ to speed up the scalar multiplication. In this paper, we show that the method given in [6] can be extended to hyperelliptic curves defined over a finite field of any characteristic. For cryptographic purposes, we restrict our interest to curves of genus 2, 3, 4. We give a theoretical efficiency of our method by comparing it to the double-and-add method over the Jacobians. As a result, with some reference tables we can reduce the cost of the double-and-add method to nearly 41%. Keywords: Hyperelliptic cryptosystem, Frobenius map, Scalar multiplication
1 Introduction
Since Koblitz and Miller proposed the use of elliptic curves in cryptography in 1985, cryptosystems based on elliptic curves have become very attractive due to the difficulty of the discrete logarithm problem in the group of the elliptic curve. In [8] Koblitz generalized this idea and suggested using the Jacobians of hyperelliptic curves as a source of cryptographically suitable finite abelian groups. One of the advantages of using the Jacobians of hyperelliptic curves of higher genus g, say g = 2, 3, is the possibility of performing discrete-logarithm-based schemes with a shorter key length than with elliptic curves. Except for some special cases (see [1], [4], [5], [16]), there are no known subexponential algorithms for solving the discrete logarithm problem on the Jacobians of hyperelliptic curves, so cryptosystems using hyperelliptic
partially supported by MSRI
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 285–295, 2002. © Springer-Verlag Berlin Heidelberg 2002
curves of genus 2, 3, 4 are considered to be secure. Some experimental results are presented in Section 6. On the other hand, due to the greater complexity of the underlying arithmetic, hyperelliptic cryptography is not yet at the stage of commercial interest. However, Koblitz [8] suggested making use of a Frobenius expansion to speed up scalar multiplication on the Jacobians of hyperelliptic curves over fields of characteristic 2. Recently, Günther et al. [6] modified Koblitz's Frobenius expansion method to reduce the cost of the double-and-add method over the Jacobians of two Koblitz curves of genus 2 defined over $F_2$. In this paper, we show that the method given in [6] can be extended to hyperelliptic curves defined over a finite field of any characteristic. This paper focuses on fast scalar multiplication for curves of genus 2, 3, 4, which are the most cryptographically interesting curves, using a Frobenius expansion. In addition, we give a theoretical efficiency of our method by comparing it to the double-and-add method. As a result, with some reference tables we can reduce the cost of the double-and-add method to nearly 41%. This paper is organized as follows. Section 2 recalls the definitions and some known results about hyperelliptic curves over finite fields. In Section 3, algorithms for the Frobenius expansion of n, n ∈ Z, are presented. In Section 4, we suggest a new algorithm for scalar multiplication on hyperelliptic curves using the Frobenius expansion of a scalar n. Section 5 is concerned with the efficiency of our suggested method for scalar multiplication, compared to that of the double-and-add method.
2 Preliminaries
In this section we recall the basic definitions and some known results without details. Throughout this section, F denotes a finite field and K is a field with $F \subset K \subset \bar F$, where $\bar F$ is an algebraic closure of F.
2.1 Hyperelliptic Curves
Let g be a positive integer. A hyperelliptic curve C of genus g defined over F is the set of $\bar{F} \times \bar{F}$-points satisfying the equation
$$H(x,y) = y^2 + h(x)y - f(x) = 0 \qquad (1)$$
together with a special point ∞ called the point at infinity, where $h(x) \in F[X]$ is a polynomial of degree at most g and $f(x) \in F[X]$ is a monic polynomial of degree 2g+1. Here we require that the curve has no singular points in $\bar{F} \times \bar{F}$. The set $C(K) = \{P = (x_P, y_P) \in K \times K \mid P \in C\} \cup \{\infty\}$ is called the set of K-points. The opposite of a K-point $P = (x_P, y_P) \neq \infty$ on C is the point $\tilde{P} = (x_P, -y_P - h(x_P)) \in C(K)$, and we define $\tilde{\infty} := \infty$. If $\sigma \in \mathrm{Gal}(K/F)$ and $P = (x_P, y_P) \in C(K) \setminus \{\infty\}$, then $P^\sigma$ is defined to be the point $(\sigma(x_P), \sigma(y_P)) \in C(K)$, and we let $\infty^\sigma = \infty$.
Speeding up the Scalar Multiplication in the Jacobians
2.2 Jacobians of Hyperelliptic Curves
Let C be a hyperelliptic curve of genus g defined over F. A divisor D on C is a finite formal sum of $\bar{F}$-points on C, $D = \sum m_P P$ with $m_P \in \mathbb{Z}$. A semi-reduced divisor on C is a divisor of the form $D = \sum_{i=1}^{r} P_i - r(\infty)$, where each $P_i$ is a finite point (i.e. $P_i \neq \infty$) and $P_i \neq \tilde{P}_j$ for $i \neq j$. In this case we say that D has weight r and write $\mathrm{wt}\,D = r$. A semi-reduced divisor D is said to be reduced if $\mathrm{wt}\,D \leq g$. The degree of the divisor $D = \sum m_P P$, denoted $\deg D$, is the integer $\deg D = \sum m_P$. The divisors form an additive group $\mathcal{D}$, in which the divisors of degree 0 form a subgroup $\mathcal{D}^0$. A divisor $D = \sum m_P P$ is said to be positive if $m_P \geq 0$ for all $P \in C(\bar{F}) \setminus \{\infty\}$. The greatest common divisor $\gcd(D_1, D_2)$ of two divisors $D_1 = \sum m_P P$ and $D_2 = \sum n_P P$ in $\mathcal{D}^0$ is defined to be the degree-0 divisor
$$\gcd(D_1, D_2) = \sum \min(m_P, n_P)\,P - \Big(\sum \min(m_P, n_P)\Big)(\infty).$$
Each $\sigma \in \mathrm{Gal}(\bar{K}/K)$ induces a homomorphism $\sigma : \mathcal{D} \to \mathcal{D}$ given by $D = \sum m_P P \mapsto D^\sigma := \sum m_P P^\sigma$. A divisor D is said to be a K-divisor (or defined over K) if $D = D^\sigma$ for all $\sigma \in \mathrm{Gal}(\bar{K}/K)$; $\mathcal{D}^0(K)$ denotes the subgroup of K-divisors in $\mathcal{D}^0$.

Since a polynomial $G(x,y) \in \bar{F}[X,Y]$ can be regarded as a function on the curve C, we may write $G(x,y) = a(x) - b(x)y$ with $a(x), b(x) \in \bar{F}[X]$. The order $\mathrm{ord}_P G$ of the polynomial at a point $P = (x_0, y_0) \in C$, $P \neq \infty$, is defined as
$$\mathrm{ord}_P G := \begin{cases} r + s & \text{if } P \neq \tilde{P}, \\ 2r + s & \text{if } P = \tilde{P}, \end{cases} \qquad\text{and}\qquad \mathrm{ord}_\infty G := -\max\{2\deg_x a(x),\ 2g+1+2\deg_x b(x)\}.$$
Here r is the highest power of $(x - x_0)$ that divides both a(x) and b(x), and we write $G(x,y) = (x - x_0)^r\,(a_0(x) - b_0(x)y)$. If $a_0(x_0) - b_0(x_0)y_0 \neq 0$ then we let $s = 0$; otherwise s is the highest power of $(x - x_0)$ that divides $a_0^2 + a_0 b_0 h - b_0^2 f$. The divisor of a rational function $G(x,y)/H(x,y)$ on C is defined to be $\mathrm{div}(G/H) := (G) - (H)$, where the divisor (G) of a polynomial G(x,y) on C is the finite sum $(G) := \sum_{P \in C} (\mathrm{ord}_P G)\,P$.
The Jacobian¹ J(K) of C is the quotient group $J(K) = \mathcal{D}^0(K)/\mathcal{P}(K)$.² Here $\mathcal{P}(K)$ is the subgroup of principal K-divisors, i.e. divisors of rational functions on C. O denotes the zero element of J(K), and two K-divisors $D_1$ and $D_2$ are said to be linearly equivalent, denoted $D_1 \sim D_2$, iff they lie in the same class of the Jacobian J(K).

¹ Strictly speaking, J(K) is isomorphic to the group of K-rational points on Jac(C), where the Jacobian Jac(C) of the hyperelliptic curve C is an abelian variety with an embedding $C \to \mathrm{Jac}(C)$ that extends to a group isomorphism $J(K) \cong \mathrm{Jac}(C)(K)$.
² In this case we call the field K the base field of the Jacobian group.

Since each class of J(K) contains a unique reduced K-divisor by the Riemann–Roch theorem, the group operation on J(K) can be performed using reduced divisors [14]. The following theorem, due to Mumford [13], says that each semi-reduced K-divisor can be represented by a pair of polynomials in K[X], from which the unique reduced form can be taken.

Theorem 1 (semi-reduced divisor). Let C be a hyperelliptic curve of genus g defined over F, given by the equation $y^2 + h(x)y = f(x)$. Let $D = \sum_{i=1}^{r} P_i - r(\infty)$ be a semi-reduced K-divisor on C with $P_i = (x_i, y_i)$, $i = 1, 2, \dots, r$, and let $u(x) = \prod_{i=1}^{r}(x - x_i)$. Then there exists a unique polynomial $v(x) \in K[X]$ satisfying the following three conditions:
(1) $\deg_x v(x) < \deg_x u(x)$;
(2) $v(x) - y$ vanishes at every point $P_i$;
(3) $u(x)$ divides the polynomial $v^2 + hv - f$.

Remark 2 (reduced divisor). For each D as in Theorem 1 one checks that
$$D = \gcd((u), (v - y)) =: \mathrm{div}(u, v),$$
and that D is reduced if and only if $\deg u(x) \leq g$. Hence each class in the Jacobian J(K) has a unique reduced divisor $\mathrm{div}(u(x), v(x))$, where u(x) and v(x) are polynomials in K[X] satisfying (i) $\deg v(x) < \deg u(x) \leq g$ and (ii) $u \mid v^2 + hv - f$. From now on we assume that every element of J(K) is given by a pair $[u(x), v(x)]$ of polynomials in K[X] satisfying conditions (i) and (ii) of Remark 2.

2.3 Frobenius Map on the Jacobians
Let $\mathbb{F}_q$ be a finite field with q elements and φ the Frobenius q-th power automorphism of $\mathbb{F}_{q^n}$. Let C be a hyperelliptic curve of genus g defined over $\mathbb{F}_q$ given by $y^2 + h(x)y = f(x)$. Consider a semi-reduced $\mathbb{F}_{q^n}$-divisor $D = \sum_{i=1}^{r} P_i - r(\infty)$ with $P_i = (x_i, y_i)$ and $D = \mathrm{div}(u(x), v(x))$. From Theorem 1 we have $u(x) = \prod_{i=1}^{r}(x - x_i)$, $\deg v(x) < r$, $v(x_i) = y_i$ for all i, and $u(x) \mid v^2(x) + h(x)v(x) - f(x)$. Since $D^\varphi = \sum_{i=1}^{r} P_i^\varphi - r(\infty)$ with $P_i^\varphi = (\varphi(x_i), \varphi(y_i)) = (x_i^q, y_i^q)$, and since $u(x)^\varphi$ and $v(x)^\varphi$ (φ applied to the coefficients) satisfy the three conditions of Theorem 1, we have $D^\varphi = \mathrm{div}(u(x)^\varphi, v(x)^\varphi)$. Since the Frobenius automorphism φ induces an endomorphism $\varphi : J(\mathbb{F}_{q^n}) \to J(\mathbb{F}_{q^n})$, the ring $\mathbb{Z}[\varphi]$ acts on $J(\mathbb{F}_{q^n})$ by
$$\Big(\sum_j a_j \varphi^j\Big)\Big(\sum_i m_i P_i\Big) = \sum_j a_j \sum_i m_i\, P_i^{\varphi^j},$$
with $a_j \in \mathbb{Z}$. We note that $\varphi^n$ is the identity map on $\mathbb{F}_{q^n}$, so the induced $\varphi^n \in \mathrm{End}(J(\mathbb{F}_{q^n}))$ is also the identity map on $J(\mathbb{F}_{q^n})$. The characteristic polynomial χ(T) of the induced Frobenius map φ on the Jacobian $J(\mathbb{F}_{q^n})$ is
$$\chi(T) = \sum_{i=0}^{2g} a_i T^i = a_{2g}T^{2g} + a_{2g-1}T^{2g-1} + a_{2g-2}T^{2g-2} + \cdots + q^{g-2}a_{2g-2}T^2 + q^{g-1}a_{2g-1}T + q^g a_{2g}, \qquad (2)$$
where $a_{2g} = 1$ and $a_i = q^{g-i}a_{2g-i}$ for $0 \leq i \leq g$ (see [10] for details).
3 Base-φ Expansion

An efficient algorithm for scalar multiplication is essential for constructing cryptosystems based on the discrete logarithm problem. In this section we show how to speed up scalar multiplication on the Jacobians of hyperelliptic curves defined over a finite field of arbitrary characteristic using the Frobenius map. This idea has already been studied for elliptic curves (see [9], [12], [15], [17]) and for Koblitz curves of genus 2 (see [6]). Let C be a hyperelliptic curve of genus g defined over $\mathbb{F}_q$ and φ the induced Frobenius endomorphism of $J(\mathbb{F}_{q^n})$ with characteristic polynomial $\chi(T) = \sum_{i=0}^{2g} a_i T^i$ as in equation (2). Then we have the following lemma.

Lemma 3. Let $m = \sum_{i=0}^{2g-1} b_i \varphi^i \in \mathbb{Z}[\varphi]$. Then m is divisible by φ in $\mathbb{Z}[\varphi]$ if and only if $b_0$ is divisible by $q^g$ in $\mathbb{Z}$.

Proof. Suppose $m = \sum_{i=0}^{2g-1} b_i \varphi^i$ is divisible by φ in $\mathbb{Z}[\varphi]$ and write $m = \varphi \cdot \sum_{i=0}^{2g-1} c_i \varphi^i$. Since $\varphi^{2g} = -\sum_{i=0}^{2g-1} a_i \varphi^i$, comparing constant terms gives $b_0 = -c_{2g-1}a_0 = -c_{2g-1}q^g$. Conversely, assume $b_0 = q^g s$ for some integer s. Since $q^g = a_0 = -\sum_{i=1}^{2g} a_i \varphi^i$,
$$m = \sum_{i=1}^{2g-1} b_i \varphi^i - s\sum_{i=1}^{2g} a_i \varphi^i = \varphi\Big(\sum_{i=1}^{2g-1} b_i \varphi^{i-1} - s\sum_{i=1}^{2g} a_i \varphi^{i-1}\Big). \qquad \square$$

Using this lemma, we immediately have the following theorem.

Theorem 4. For any $m = \sum_{i=0}^{2g-1} b_i \varphi^i \in \mathbb{Z}[\varphi]$ there is a unique integer u with $-\frac{q^g}{2} < u \leq \frac{q^g}{2}$ such that $m - u$ is divisible by φ.

Remark 5. 1. (Base-φ expansion) Let $I = (-\frac{q^g}{2}, \frac{q^g}{2}]$. Given any $m \in \mathbb{Z}[\varphi]$, we may find a base-φ expansion $\sum_i u_i \varphi^i$ of m with each $u_i \in I$ as follows. By Theorem 4 we can choose an integer $u_0 \in I$ such that $m_1 = (m - u_0)/\varphi \in \mathbb{Z}[\varphi]$; here φ is identified with an algebraic integer satisfying its characteristic polynomial over $\mathbb{Q}$. Then we find an integer $u_1 \in I$ such that $m_2 = (m_1 - u_1)/\varphi \in \mathbb{Z}[\varphi]$. Continuing in this way we obtain the desired base-φ expansion $\sum_i u_i \varphi^i$ of m with $u_i \in I$.
2. One checks that the expected length of the base-φ expansion $\sum_i u_i \varphi^i$ of m is roughly $2\log_q\|m\|$, where $\|\cdot\|$ denotes the complex absolute value (note that $\|\varphi\| = \sqrt{q}$).
Algorithm 1
Input: $m = \sum_{i=0}^{2g-1} b_i \varphi^i \in \mathbb{Z}[\varphi]$
Output: base-φ expansion $\sum_i u_i \varphi^i$ of m with each $u_i \in I = (-\frac{q^g}{2}, \frac{q^g}{2}]$
1. $i \leftarrow 0$;
2. While $m \neq 0$ do
3.   Find an integer $u_i \in I$ such that $q^g \mid (b_0 - u_i)$;
4.   $m = \sum_{i=0}^{2g-1} b_i \varphi^i \leftarrow (m - u_i)/\varphi$;
5.   $i \leftarrow i + 1$;
6. Return $\sum_i u_i \varphi^i$.

Now, we note that any two elements of $\mathbb{Z}[\varphi]$ act identically on $J(\mathbb{F}_{q^n})$ provided they are congruent modulo $\varphi^n - 1$. So, in order to find shorter representations $m = \sum_{i=0}^{l-1} c_i \varphi^i$, we look for an element $M \in \mathbb{Z}[\varphi]$ such that $M \equiv m \pmod{\varphi^n - 1}$ and the base-φ expansion of M is as short as possible. Regarding φ as an algebraic integer over $\mathbb{Q}$, for any integer m there are rational numbers $r_i$ ($i = 0, \dots, 2g-1$) such that
$$\frac{m}{\varphi^n - 1} = \sum_{i=0}^{2g-1} r_i \varphi^i.$$
For each i let $z_i$ be an integer with $|r_i - z_i| \leq \frac12$, and let $z = \sum_{i=0}^{2g-1} z_i \varphi^i$ and $M = m - z(\varphi^n - 1)$. Then $M \equiv m \pmod{\varphi^n - 1}$, and the expected length of the expansion of M is
$$2\log_q\|M\| = 2\log_q\|\varphi^n - 1\| + 2\log_q\Big\|\frac{m}{\varphi^n - 1} - z\Big\| \leq \log_q\big(q^{n/2} + 1\big)^2 + \log_q\Big(\frac14\Big(\frac{q^g - 1}{q^{1/2} - 1}\Big)^2\Big). \qquad (3)$$

Algorithm 2
Input: the extension degree n and the characteristic polynomial $\chi(T) = \sum_{i=0}^{2g} a_i T^i$ of $\varphi \in \mathrm{End}(J(\mathbb{F}_{q^n}))$
Output: $\sum_{i=0}^{2g-1} r_i \varphi^i = \frac{1}{\varphi^n - 1}$, where each $r_i \in \mathbb{Q}$
1. Using $T^{2g} = -\sum_{i=0}^{2g-1} a_i T^i$ recursively, write $T^n - 1 = \sum_{i=0}^{2g-1} c_i T^i$;
2. Find $A(T), B(T) \in \mathbb{Q}[T]$ such that $1 = A(T)\sum_{i=0}^{2g-1} c_i T^i + \chi(T)B(T)$;
3. Return $A(\varphi)$.

Algorithm 3 shows, for any integer m, how to find an element of $\mathbb{Z}[\varphi]$ congruent to m modulo $\varphi^n - 1$ whose base-φ expansion has smaller expected length than that of m itself. This algorithm can be used to compute the scalar multiplication mD of $D \in J(\mathbb{F}_{q^n})$ efficiently.

Algorithm 3
Input: integer m
Output: base-φ expansion $\sum_i u_i \varphi^i$, $u_i \in I = (-\frac{q^g}{2}, \frac{q^g}{2}]$, of m with smaller length
1. Perform Algorithm 2 to find $\sum_{i=0}^{2g-1} r_i \varphi^i = \frac{1}{\varphi^n - 1}$;
2. $\sum_{i=0}^{2g-1} r_i \varphi^i \leftarrow m \cdot \sum_{i=0}^{2g-1} r_i \varphi^i$;
3. For i from 0 to 2g−1, find an integer $z_i$ with $|r_i - z_i| \leq \frac12$;
4. $z \leftarrow \sum_{i=0}^{2g-1} z_i \varphi^i$;
5. $M \leftarrow m - z(\varphi^n - 1) \pmod{\chi(T)}$;
6. Perform Algorithm 1 to find the expansion $\sum_i u_i \varphi^i$ of M;
7. Return $\sum_i u_i \varphi^i$.
This expansion $\sum_i u_i \varphi^i$ of m is called the semi-reduced base-φ expansion of m.

Remark 6. 1. The above algorithms have already been studied for Koblitz curves of genus 2 over the finite field of characteristic 2 [6].
2. In Algorithm 3, once Algorithm 2 has been carried out, step 1 can be skipped in subsequent runs by reusing $\sum_{i=0}^{2g-1} r_i \varphi^i = \frac{1}{\varphi^n - 1}$ from the previous run; likewise the result $\varphi^n - 1 = \sum_{i=0}^{2g-1} c_i \varphi^i$ can be reused in step 5.
3. Since $\varphi^n - 1 = 0$ in $\mathrm{End}\,J(\mathbb{F}_{q^n})$, the base-φ expansion obtained in Algorithm 3 can be rewritten in the form $\sum_{i=0}^{n-1} u'_i \varphi^i$; we call this the reduced base-φ expansion of m. Note that, unfortunately, we cannot determine explicit intervals for the $u'_i$.³ However, we can determine them under some assumptions.
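The following is an added worked example (not code from the paper) that implements Algorithms 1–3 in Python for the genus-2 curve of Section 6, i.e. q = 131, n = 13 and $\chi(T) = T^4 - 7T^3 + 42T^2 - 917T + 17161$. Elements of $\mathbb{Z}[\varphi]$ are stored as coefficient lists in the basis $1, \varphi, \varphi^2, \varphi^3$. Step 2 of Algorithm 2 is realised by solving the 4×4 linear system for multiplication by $\varphi^n - 1$ over $\mathbb{Q}$ instead of by the extended Euclidean algorithm; the element $A(\varphi)$ obtained is the same. The scalar 51490 = 3·17161 + 7 used in the demonstration is constructed so that its expansion can be checked by hand, and the step cap in Algorithm 1 reflects Remark 6.3: the paper does not prove that the expansion always terminates.

```python
"""Base-phi (Frobenius) expansions in Z[phi]: Algorithms 1-3 of Section 3.

Added example (not code from the paper), instantiated on the genus-2 curve of
Section 6: q = 131, n = 13, chi(T) = T^4 - 7T^3 + 42T^2 - 917T + 17161.
An element of Z[phi] is a list [b0, b1, b2, b3] = b0 + b1*phi + b2*phi^2 + b3*phi^3.
"""
from fractions import Fraction

Q, G, N = 131, 2, 13
CHI = [17161, -917, 42, -7, 1]   # a_0..a_4; a_4 = 1 and a_i = q^(g-i) a_(2g-i)
DEG = 2 * G                       # degree of chi
QG = Q ** G                       # q^g = a_0 = 17161, the digit modulus


def reduce_mod_chi(coeffs):
    """Rewrite sum c_k phi^k in the basis 1, phi, phi^2, phi^3 using chi(phi) = 0."""
    c = list(coeffs)
    for k in range(len(c) - 1, DEG - 1, -1):
        top = c.pop()             # phi^k = -(a_0 phi^(k-4) + ... + a_3 phi^(k-1))
        for i in range(DEG):
            c[k - DEG + i] -= top * CHI[i]
    return c + [0] * (DEG - len(c))


def mul(x, y):
    """Product in Z[phi] (or Q[phi]), reduced modulo chi."""
    prod = [0] * (len(x) + len(y) - 1)
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            prod[i + j] += xi * yj
    return reduce_mod_chi(prod)


def divide_by_phi(m):
    """Exact division by phi (the 'conversely' part of Lemma 3); needs q^g | b_0."""
    s, rem = divmod(m[0], QG)
    if rem:
        raise ValueError("b_0 is not divisible by q^g")
    b = list(m) + [0]             # b_4 = 0
    # m = s*q^g + sum_{i>=1} b_i phi^i  and  q^g = a_0 = -(a_1 phi + ... + a_4 phi^4)
    return [b[i + 1] - s * CHI[i + 1] for i in range(DEG)]


def base_phi_expansion(m, max_steps=10 * N):
    """Algorithm 1: digits u_i in I = (-q^g/2, q^g/2] with m = sum u_i phi^i.
    The paper does not prove finiteness (Remark 6.3), hence the step cap."""
    m, digits = list(m), []
    while any(m):
        if len(digits) >= max_steps:
            raise RuntimeError("base-phi expansion did not terminate")
        u = m[0] % QG
        if u > QG // 2:
            u -= QG               # centre the digit in (-q^g/2, q^g/2]
        digits.append(u)
        m[0] -= u
        m = divide_by_phi(m)
    return digits


def eval_expansion(digits):
    """sum u_i phi^i as an element of Z[phi]; the inverse of Algorithm 1."""
    return reduce_mod_chi(list(digits))


def frobenius_power_minus_one():
    """Algorithm 2, step 1: phi^n - 1 = sum c_i phi^i."""
    return reduce_mod_chi([-1] + [0] * (N - 1) + [1])


def inverse_mod_chi(x):
    """Algorithm 2, steps 2-3: y in Q[phi] with x*y = 1.  Solves the 4x4 linear
    system for multiplication by x over Q (same result as the paper's extended
    Euclidean algorithm A(T)*C(T) + B(T)*chi(T) = 1)."""
    cols = [mul(x, [0] * j + [1]) for j in range(DEG)]        # x * phi^j
    M = [[Fraction(cols[j][i]) for j in range(DEG)] + [Fraction(int(i == 0))]
         for i in range(DEG)]                                  # augmented with e_0
    for col in range(DEG):                                     # Gauss-Jordan
        piv = next(r for r in range(col, DEG) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        M[col] = [v / M[col][col] for v in M[col]]
        for r in range(DEG):
            if r != col and M[r][col] != 0:
                M[r] = [a - M[r][col] * b for a, b in zip(M[r], M[col])]
    return [M[i][DEG] for i in range(DEG)]


def reduce_scalar(m_int, inv_c, c):
    """Algorithm 3, steps 2-5: M = m - z*(phi^n - 1) with z_i = round(m*r_i), so
    M acts like m on J(F_{q^n}) but has a much shorter base-phi expansion."""
    z = [round(m_int * ri) for ri in inv_c]                   # |m*r_i - z_i| <= 1/2
    zc = mul(z, c)
    return [(m_int if i == 0 else 0) - zc[i] for i in range(DEG)]


if __name__ == "__main__":
    # constructed scalar 3*q^g + 7: digits 7, 2751, -126, 21, -3 (checked by hand)
    print(base_phi_expansion([51490, 0, 0, 0]))
    c = frobenius_power_minus_one()                            # compare with Section 6
    inv_c = inverse_mod_chi(c)
    m = 383006484667541076721959864196673351844636009817 // 7   # ~156-bit scalar
    M = reduce_scalar(m, inv_c, c)
    try:
        digits = base_phi_expansion(M)
        print(len(digits), "digits (paper: fewer than 2n = 26); round-trips:",
              eval_expansion(digits) == M)
    except RuntimeError as err:
        print(err)
```

Running the file prints the hand-checkable expansion [7, 2751, -126, 21, -3], then reduces a 156-bit scalar modulo $\varphi^{13} - 1$ and expands the result; the list returned by frobenius_power_minus_one() can be compared with the four coefficients of $\varphi^{13} - 1$ given in Section 6.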
4 Scalar Multiplication on the Jacobian

Finally, we propose the following algorithm for computing the scalar multiplication mD of $D \in J(\mathbb{F}_{q^n})$ using the Frobenius map. For each $i = 0, \dots, n-1$, if $D \in J(\mathbb{F}_{q^n})$ is given by $D = \mathrm{div}(u, v)$, then $D^{\varphi^i} = \mathrm{div}(u^{\varphi^i}, v^{\varphi^i})$. Given an integer m, to compute mD we first find the reduced base-φ expansion $\sum_{i=0}^{n-1} u_i \varphi^i$ of m and write each $|u_i| = \sum_{j=0}^{A} u_j^{(i)} 2^j$ in binary, where $A = \max\{\lfloor\log_2 |u_i|\rfloor\}_{i=0}^{n-1}$. Next we compute
$$X_0 = \sum_{i=0}^{n-1} u_A^{(i)} D_i,\quad X_1 = 2X_0 + \sum_{i=0}^{n-1} u_{A-1}^{(i)} D_i,\quad X_2 = 2X_1 + \sum_{i=0}^{n-1} u_{A-2}^{(i)} D_i,\ \dots,\ X_A = 2X_{A-1} + \sum_{i=0}^{n-1} u_0^{(i)} D_i,$$
where $D_i = (\mathrm{sign}\,u_i)\,D^{\varphi^i}$ for each i. Then $mD = X_A$. This procedure is described by the following algorithm.

Algorithm 4
Input: integer m and $D \in J(\mathbb{F}_{q^n})$
Output: $mD \in J(\mathbb{F}_{q^n})$
1. Compute $D_i = D^{\varphi^i}$ for each $i = 1, \dots, n-1$ (and $D_0 = D$);
2. Find the reduced base-φ expansion $\sum_{i=0}^{n-1} u_i \varphi^i$ of m;
3. For i from 0 to n−1 do
4.   Write $|u_i| = \sum_{j=0}^{A} u_j^{(i)} 2^j$;
5. Set $D_i = (\mathrm{sign}\,u_i)\,D_i$ for $i = 0, \dots, n-1$;
6. $X \leftarrow \sum_{i=0}^{n-1} u_A^{(i)} D_i$;
7. For j from A−1 down to 0 do
8.   $X \leftarrow 2X$;
9.   $X \leftarrow X + \sum_{i=0}^{n-1} u_j^{(i)} D_i$;
10. Return X.

³ After we finished this work, Lange [11] recently solved the finiteness problem using a different norm. There are some overlaps between our work and [11], but the two were studied independently.

Note that in the above algorithm the numbers of additions⁴ and doublings needed to compute mD in the Jacobian are on average $\frac{n(A+1)}{2}$ and A, respectively. On the other hand, if we use the generic double-and-add method to compute mD, we need on average $\frac{B+1}{2}$ additions and B doublings in the Jacobian, where $B = \lfloor\log_2 m\rfloor$.
5 Efficiency of the Base-φ Expansion Method

In this section we analyze the theoretical efficiency of the base-φ expansion method by comparing it with the double-and-add method for the scalar multiplication mD in the Jacobians of hyperelliptic curves over finite fields. Throughout this section the following assumptions are made.
(A1) The hyperelliptic curves of genus g defined over $\mathbb{F}_q$ are given by the equation $y^2 = f(x)$ if $\mathrm{char}(\mathbb{F}_q) \neq 2$ and $y^2 + y = f(x)$ if $\mathrm{char}(\mathbb{F}_q) = 2$.
(A2) To avoid the known attacks such as the smooth-divisor attack [5] and the index-calculus attack [1], we only consider the cases g = 2, 3, 4.
(A3) The order q of the field of definition $\mathbb{F}_q$ and the extension degree n satisfy $q^{n/2} + 1 < q^{n-2}$.
(A4) $m \approx q^{ng}$.

Remark 7. Under assumption (A2) we have $\frac14\big(\frac{q^g - 1}{q^{1/2} - 1}\big)^2 < q^4$, and hence it follows from equation (3) and assumption (A3) that the expected length of the semi-reduced base-φ expansion of m is less than 2n. So if $\sum_{i=0}^{n-1} u_i \varphi^i$ is the reduced base-φ expansion of m, then each $u_i$ lies in $(-q^g, q^g]$ and $A := \max\{\lfloor\log_2 |u_i|\rfloor\}_{i=0}^{n-1} \leq g\log_2 q$. (A check on the first inequality: its left-hand side grows like $q^{2g-1}/4$, so it holds for g = 2 but not for g = 3 or 4; for those genera the bound on the expansion length is correspondingly weaker.)

If we use the double-and-add method for the scalar multiplication mD, $D \in J(\mathbb{F}_{q^n})$, we need on average $\frac{ng\log_2 q + 1}{2}$ additions and $ng\log_2 q$ doublings in the Jacobian, while the base-φ expansion method needs on average $\frac{n(A+1)}{2}$ ($\leq \frac{ng\log_2 q + n}{2}$) additions and A ($\leq g\log_2 q$) doublings. Table 1 compares the number of operations of the double-and-add method and the proposed base-φ expansion method for the scalar multiplication mD, $D \in J(\mathbb{F}_{q^n})$.

⁴ Addition of two different elements of $J(\mathbb{F}_{q^n})$.
Table 1. Operations in $J(\mathbb{F}_{q^n})$ to compute mD

              | Double-and-Add               | Base-φ Expansion
  Addition    | $\frac{ng\log_2 q + 1}{2}$   | $\frac{ng\log_2 q + n}{2}$
  Doubling    | $ng\log_2 q$                 | $g\log_2 q$

Enge [3] analyzed the number of operations in $\mathbb{F}_{q^n}$ needed for addition and doubling in the Jacobian $J(\mathbb{F}_{q^n})$. One of his results in [3] is that the cost of an addition in the Jacobian is roughly twice that of a doubling if $\mathrm{char}\,\mathbb{F}_q = 2$, while the costs of addition and doubling are almost the same if $\mathrm{char}\,\mathbb{F}_q > 2$. Let R be the ratio of the cost of the base-φ expansion method to that of the double-and-add method, and let $B = g\log_2 q$. Then
$$R \approx \begin{cases} \dfrac{n(B+1) + B}{2nB + 1} & \text{if } \mathrm{char}\,\mathbb{F}_q = 2, \\[6pt] \dfrac{n(B+1) + 2B}{3nB + 1} & \text{if } \mathrm{char}\,\mathbb{F}_q > 2. \end{cases}$$
Here the cost of precomputation in the base-φ expansion method is ignored, since one can choose a normal basis (in which the Frobenius images $D^{\varphi^i}$ are obtained by cyclic shifts of the coordinates). Table 2 shows the ratios R when g = 2 and B = 12, so that $2^{156} \leq q^{2n} \leq 2^{276}$, for $13 \leq n \leq 23$. From this table we see that the proposed base-φ expansion method is more efficient than the generic double-and-add method.

Table 2. The ratios R when $q^{ng} \approx 2^{160}$

  R                                  | n = 13 | n = 17 | n = 19 | n = 23
  $\mathrm{char}\,\mathbb{F}_q > 2$  | 0.412  | 0.400  | 0.396  | 0.390
  $\mathrm{char}\,\mathbb{F}_q = 2$  | 0.534  | 0.526  | 0.523  | 0.519

(Check: the char > 2 row follows from the formula above, e.g. $(13\cdot 13 + 24)/(3\cdot 13\cdot 12 + 1) = 193/469 \approx 0.412$. The char = 2 row does not: the formula gives $181/313 \approx 0.578$ for n = 13, whereas the printed values correspond to the denominator $2n(B+1) + 1$, so they should be read with that caveat.)
6 Example

Let p = 131 and n = 13. Consider the hyperelliptic curve $C/\mathbb{F}_p$ of genus 2 given by the equation $y^2 = x^5 + x^3 + 1$. Since 13 is prime, the Weil descent attack is avoided. The characteristic polynomial of the Frobenius p-th power endomorphism of $J(C; \mathbb{F}_{p^n})$ is
$$\chi(T) = T^4 - 7T^3 + 42T^2 - 917T + 17161.$$
Using this polynomial we can compute the cardinality of the Jacobian $J(C; \mathbb{F}_{p^n})$:
$$\#J(C; \mathbb{F}_{p^n}) = 2^3 \cdot 3^2 \cdot 11 \cdot 29 \cdot 1307 \cdot l_{\max},$$
where $l_{\max}$ is the 159-bit prime 383006484667541076721959864196673351844636009817.

We precompute $\varphi^{13} - 1$ written in the basis $1, \varphi, \varphi^2, \varphi^3$ (step 1 of Algorithm 2):
$$\varphi^{13} - 1 = 18975134696\,\varphi^3 + 8953805784\,\varphi^2 + 4411750061697\,\varphi - 39997799211217,$$
and then, using the extended Euclidean algorithm, we find a polynomial $\eta(T) \in \mathbb{Q}[T]$ of degree $< \deg\chi(T)$ satisfying
$$\eta(T)A(T) \equiv 1 \pmod{\chi(T)}, \qquad (4)$$
where $A(T) = 18975134696\,T^3 + 8953805784\,T^2 + 4411750061697\,T - 39997799211217$. In our case
$$\eta(T) = -\frac{117678622457862080437145286456538625313}{11195762758134878674637932482838091566015619537664862520}\,T^3 + \frac{174677163782007865735438012914490059099}{5597881379067439337318966241419045783007809768832431260}\,T^2 - \frac{18967637776312728276546337606785316567}{21365959462089463119538039089385670927510724308520730}\,T + \frac{94465142980366005092915547514510768843}{85463837848357852478152156357542683710042897234082920}$$
satisfies equation (4), so $(\varphi^{13} - 1)^{-1} = \eta(\varphi)$ in $\mathbb{Q}[\varphi]$. Now, for an arbitrarily chosen integer m we first compute rational numbers $q_0, \dots, q_3$ such that
$$\frac{m}{\varphi^{13} - 1} = m \cdot \eta(\varphi) = q_3\varphi^3 + q_2\varphi^2 + q_1\varphi + q_0,$$
and find integers $z_i$ (i = 0, 1, 2, 3) satisfying $|q_i - z_i| \leq \frac12$. We then compute the base-φ expansion of $m - (\varphi^{13} - 1)\sum_{i=0}^{3} z_i\varphi^i$, which acts as m in the endomorphism ring of the Jacobian.

Remark 8. 1. The field $\mathbb{F}_{131^{13}}$ can be realized as an optimal extension field, so when we perform Algorithm 4 the cost of the precomputation step (the Frobenius images $D^{\varphi^i}$) can be ignored.
2. With the proposed base-φ expansion method, a scalar multiplication in the Jacobian takes on average 92.3 milliseconds. This timing was obtained on a Pentium III 650 MHz using the Visual C++ compiler.
7 Conclusion

The Frobenius expansion method is more efficient than the double-and-add method for scalar multiplication in the Jacobians of hyperelliptic curves of genus g = 2, 3, 4 defined over small finite fields of arbitrary characteristic. In particular, for the Jacobian $J(\mathbb{F}_{q^n})$ of a hyperelliptic curve defined over $\mathbb{F}_q$ with $\mathrm{char}\,\mathbb{F}_q > 2$, the proposed base-φ expansion method reduces the cost of the double-and-add method to approximately 41%. Experimental results have been discussed in Section 6.
References
[1] L. M. Adleman, J. DeMarrais and M. D. Huang, A Subexponential Algorithm for Discrete Logarithms over Hyperelliptic Curves of Large Genus over GF(q), Theoretical Computer Science, Vol. 226, pp. 7–18, 1999.
[2] D. G. Cantor, Computing in the Jacobian of a Hyperelliptic Curve, Mathematics of Computation, Vol. 48, pp. 95–101, 1987.
[3] A. Enge, The Extended Euclidean Algorithm on Polynomials, and the Computational Efficiency of Hyperelliptic Cryptosystems, Designs, Codes and Cryptography, Vol. 23, No. 1, pp. 53–74, 2001.
[4] G. Frey and H. G. Rück, A Remark Concerning m-Divisibility and the Discrete Logarithm in the Divisor Class Group of Curves, Mathematics of Computation, Vol. 62, No. 206, pp. 865–874, 1994.
[5] P. Gaudry, An Algorithm for Solving the Discrete Log Problem on Hyperelliptic Curves, Advances in Cryptology – EUROCRYPT 2000, LNCS Vol. 1807, pp. 19–34, Springer-Verlag, 2000.
[6] C. Günther, T. Lange and A. Stein, Speeding Up the Arithmetic on Koblitz Curves of Genus Two, Selected Areas in Cryptography – SAC 2000, LNCS, pp. 106–117, Springer-Verlag, 2001.
[7] T. Kobayashi, H. Morita, K. Kobayashi and F. Hoshino, Fast Elliptic Curve Algorithm Combining Frobenius Map and Table Reference to Adapt to Higher Characteristic, Advances in Cryptology – EUROCRYPT '99, LNCS Vol. 1592, pp. 176–189, Springer-Verlag, 1999.
[8] N. Koblitz, Hyperelliptic Cryptosystems, Journal of Cryptology, Vol. 1, pp. 139–150, 1989.
[9] N. Koblitz, CM-Curves with Good Cryptographic Properties, Advances in Cryptology – CRYPTO '91, LNCS Vol. 576, pp. 279–287, Springer-Verlag, 1992.
[10] N. Koblitz, Algebraic Aspects of Cryptography, Vol. 3 of Algorithms and Computation in Mathematics, Springer-Verlag, 1998.
[11] T. Lange, Efficient Arithmetic on Hyperelliptic Koblitz Curves, Preprint, 2001.
[12] V. Müller, Fast Multiplication on Elliptic Curves over Small Fields of Characteristic Two, Journal of Cryptology, Vol. 11, pp. 219–234, 1998.
[13] D. Mumford, Tata Lectures on Theta II, Vol. 43 of Progress in Mathematics, Birkhäuser, 1984.
[14] A. J. Menezes, Y. H. Wu and R. J. Zuccherato, An Elementary Introduction to Hyperelliptic Curves, Technical Report CORR 96-19, Department of Combinatorics and Optimization, University of Waterloo, Ontario, Canada, 1996.
[15] N. P. Smart, Elliptic Curve Cryptosystems over Small Fields of Odd Characteristic, Journal of Cryptology, Vol. 12, pp. 141–151, 1999.
[16] H. G. Rück, On the Discrete Logarithm in the Divisor Class Group of Curves, Mathematics of Computation, Vol. 68, No. 226, pp. 805–806, 1999.
[17] J. Solinas, Efficient Arithmetic on Koblitz Curves, Designs, Codes and Cryptography, Vol. 19, No. 2–3, pp. 195–249, 2000.
[18] H. Stichtenoth, Algebraic Function Fields and Codes, Springer-Verlag, 1993.
Improved Elliptic Curve Multiplication Methods Resistant against Side Channel Attacks

Tetsuya Izu¹, Bodo Möller², and Tsuyoshi Takagi²

¹ FUJITSU LABORATORIES Ltd., 4-1-1 Kamikodanaka, Nakahara-ku, Kawasaki 211-8588, Japan, [email protected]
² TU Darmstadt, Fachbereich Informatik, Alexanderstr. 10, D-64283 Darmstadt, Germany, {moeller,ttakagi}@cdc.informatik.tu-darmstadt.de

Abstract. We improve several elliptic curve multiplication algorithms secure against side channel attacks (SCA). While some efficient SCA-resistant algorithms have been developed that apply only to special classes of curves, we are interested in algorithms that are suitable for general elliptic curves and can be applied to the recommended curves found in various standards. We compare the running time and memory usage of the improved schemes.
Keywords: elliptic curve cryptosystems, scalar multiplication, side channel attacks, memory constraints, window method
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 296–313, 2002. © Springer-Verlag Berlin Heidelberg 2002

1 Introduction

Side channel attacks (SCA) [Koc96, KJJ99] allow adversaries to obtain the secret key in a cryptographic device, or partial information about it, by observing information such as computing time and power consumption traces if the implementation is naive or careless. This is a serious threat especially to mobile devices such as smart cards. Thus, implementers need algorithms that are not only efficient but also SCA-resistant. Power analysis attacks subsume timing attacks, so we will focus on the former. Simple power analysis (SPA) uses information from a single computation, while differential power analysis (DPA) uses statistical tools to evaluate information from multiple computations.

Elliptic curve based cryptosystems (ECC) have gained popularity for cryptographic applications because of their short key length compared with earlier public key cryptosystems such as RSA. They are considered particularly suitable for implementation on smart cards or mobile devices. Because of the physical characteristics of such devices and their use in potentially hostile environments, the power consumption trace or the timing of computations using the secret key can be observed clearly. Thus, side channel attacks are a serious threat against these devices. The main target for side channel attacks against ECC implementations is the algorithm used for scalar multiplication on the elliptic curve. Therefore,
various elliptic curve multiplication algorithms designed to resist side channel attacks have been proposed. In this paper we deal with DPA-resistant methods that do not require specially selected elliptic curves and thus can be used for the recommended curves found in [NIST], [ANSI] and [SEC2]. We focus on curves over finite fields of characteristic greater than 3. (While all the methods can be applied similarly to curves over binary fields, our efficiency analysis does not cover this case.) We examine Coron's dummy addition method [Cor99], a method using a non-standard addition chain [Möl01], and a method using the Montgomery ladder [IT02a]. We investigate their security against DPA and analyze their efficiency.
2 Elliptic Curve Arithmetic

Let $K = \mathbb{F}_q$ be the finite field with q elements, where q is a power of a prime p > 3. Elliptic curves over K are certain subsets of $K^2 \cup \{O\}$ equipped with an additive group structure; O denotes the point at infinity, the neutral element of the addition. Every elliptic curve over K is isomorphic to a curve of the form
$$E(K) := \{(x, y) \mid y^2 = x^3 + ax + b\} \cup \{O\}, \qquad (1)$$
with $a, b \in K$, $4a^3 + 27b^2 \neq 0$, which we call the Weierstrass form. Let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ be two elements of E(K) different from O. We have $-P_1 = (x_1, -y_1)$. If $-P_1 \neq P_2$, then the sum $P_1 + P_2 = (x_3, y_3)$ is given by
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1, \qquad (2)$$
where $\lambda = (y_2 - y_1)/(x_2 - x_1)$ for $P_1 \neq P_2$, and $\lambda = (3x_1^2 + a)/(2y_1)$ for $P_1 = P_2$. We call computing $P_1 + P_2$ an elliptic curve addition (ECADD) if $P_1 \neq \pm P_2$; if $P_1 = P_2$ we speak of an elliptic curve doubling (ECDBL); the remaining case $P_1 = -P_2$ (where $P_1 + P_2 = O$) should usually be avoided when SCA-resistance is intended. The algorithms for ECADD and ECDBL are usually not the same (a general addition algorithm typically has to detect the special cases in which the ECDBL algorithm is called for, or in which $P_1 = -P_2$).

Elliptic curve cryptography usually employs curves whose order is the product of a large prime and a very small integer h, the so-called cofactor. In this paper we assume that this standard scenario holds. Cryptographic protocols avoid points of small order, i.e. points P such that hP = O. The recommendations of [SEC1] require $h \leq 4$; in practice, the cofactor is often 1.

2.1 Efficiency of Addition and Doubling Algorithms
We estimate the efficiency of ECDBL and ECADD when using Jacobian coordinates, a variant of projective coordinates in which triples (X : Y : Z) represent points $(X/Z^2, Y/Z^3)$ on the elliptic curve. This type of coordinates yields the best performance for our purposes. Denote by M, S and A the time needed for a multiplication, a squaring and an addition, respectively, in the base field $\mathbb{F}_q$. (The effort for a subtraction may be considered equivalent to that for an addition.) For the total efficiency of elliptic curve operations, we are interested in the time, depending on the individual times M, S, A, and in the amount of auxiliary storage used by the computation.

The coefficient a in the defining polynomial of the curve can be an arbitrary field element. However, many curves recommended by specifications such as [NIST, ANSI, SEC2] use a = −3, allowing for a more efficient ECDBL implementation. We assume that a is stored in memory as part of the system parameters. In Appendix A.1 we show algorithms for both cases: the general algorithm $\mathrm{ECDBL}^{\mathcal{J}}$ requires time 4M + 6S + 11A using 6 auxiliary variables; the optimized algorithm $\mathrm{ECDBL}^{\mathcal{J},a=-3}$ requires time 4M + 4S + 13A using 5 auxiliary variables.

For ECADD, we consider two cases: the general case of adding points given in Jacobian coordinates, and the special case where one of the input points has Z-coordinate 1, i.e. is represented in affine coordinates. The latter case allows for faster addition [CMO98]; this is known as addition with mixed coordinates. Algorithms for both cases are shown in Appendix A.2: the general algorithm $\mathrm{ECADD}^{\mathcal{J}}$ requires time 12M + 4S + 7A using 7 auxiliary variables, and algorithm $\mathrm{ECADD}^{\mathcal{J},Z=1}$ for mixed coordinates requires time 8M + 3S + 7A using 7 auxiliary variables.

In the scalar multiplication algorithm in Section 4, we will have to compute $2^w P$ where P is a point and w is a positive integer. If $\mathrm{ECDBL}^{\mathcal{J}}$ is applied repeatedly to compute $2^w P$, we need 4wM + 6wS + 11wA operations. Itoh et al. [ITTTK99] proposed a faster algorithm for directly computing $2^w P$, which can be found in Appendix A.3. This algorithm $w\mathrm{ECDBL}^{\mathcal{J}}$ requires time 4wM + (4w + 2)S + (12w − 1)A using 7 auxiliary variables. However, in the case a = −3 it is more efficient to iterate algorithm $\mathrm{ECDBL}^{\mathcal{J},a=-3}$ w times, which requires time 4wM + 4wS + 13wA.

We summarize these results on the efficiency of algorithms for elliptic curve arithmetic in Table 1.

Table 1. Computing time and number of auxiliary variables for several algorithms

  Algorithm                            | Time                          | # of auxiliary variables
  $\mathrm{ECDBL}^{\mathcal{J}}$       | 4M + 6S + 11A                 | 6
  $\mathrm{ECDBL}^{\mathcal{J},a=-3}$  | 4M + 4S + 13A                 | 5
  $\mathrm{ECADD}^{\mathcal{J}}$       | 12M + 4S + 7A                 | 7
  $\mathrm{ECADD}^{\mathcal{J},Z=1}$   | 8M + 3S + 7A                  | 7
  $w\mathrm{ECDBL}^{\mathcal{J}}$      | 4wM + (4w + 2)S + (12w − 1)A  | 7
3 Scalar Multiplication and Side Channel Attacks

Let d be a positive integer and P a point on an elliptic curve E(K). Computing $dP = \sum_{1 \leq i \leq d} P$ is called a scalar multiplication. Scalar multiplications are used in encryption and decryption or signature generation and verification of elliptic curve cryptosystems. These computations are relatively expensive when implemented on low-power devices. A standard method for performing scalar multiplications is the left-to-right binary method. We show how to compute dP with this method. Let $d = d[k-1]2^{k-1} + \dots + d[1]2^1 + d[0]2^0$ be the binary representation of d, where k is chosen minimal so that d[k−1] = 1. Then, given d[0], d[1], ..., d[k−1] and P, we can compute dP as follows.

  INPUT d, P, (d[0],d[1],...,d[k-1])
  OUTPUT d*P
  1: Q = P
  2: for i = k-2 down to 0
  3:   Q = ECDBL(Q)
  4:   if d[i]==1
  5:     Q = ECADD(Q,P)
  6: return Q
With the usual algorithms for ECDBL in step 3 and for ECADD in step 5, bit information can be detected by SPA [Cor99]: the power consumption traces of ECDBL and ECADD are not the same, so an attacker can easily distinguish between these operations and derive the values d[i].

3.1 SPA-Resistant Scalar Multiplication Methods
We describe several SPA-resistant methods for computing dP. If the point P might be chosen by the attacker, we assume that it is rejected if hP = O, where h is the cofactor, since otherwise SCA-resistance may be voided by the special cases of elliptic curve arithmetic (see Section 2). Note that h is usually very small, so that hP can be computed with a short fixed sequence of operations. First we describe Coron's dummy addition method [Cor99], which is one of the standard countermeasures against SPA; we will compare it with the other efficient methods in this paper. The algorithm is as follows:

  INPUT d, P, (d[0],d[1],...,d[k-1])
  OUTPUT d*P
  1: Q[0] = P
  2: for i = k-2 down to 0
  3:   Q[0] = ECDBL(Q[0])
  4:   Q[1] = ECADD(Q[0],P)
  5:   Q[0] = Q[d[i]]
  6: return Q[0]
(We note that there is a potential security problem with this method [Möl01]. If d[i] = 0, the point that is one of the inputs to ECADD in the current iteration will be the input to ECDBL in the next iteration. When using projective coordinates, both ECADD and ECDBL involve squaring the Z-coordinate, so the same Z value will be squared again if d[i] = 0. Side channels may provide hints that the same squaring is performed again, thus leaking information on d[i].)

As Coron's dummy addition method requires (k − 1) ECDBL operations and (k − 1) ECADD operations, it is slower than the standard binary method. Using algorithms $\mathrm{ECADD}^{\mathcal{J},Z=1}$ and $\mathrm{ECDBL}^{\mathcal{J}}$ or $\mathrm{ECDBL}^{\mathcal{J},a=-3}$, Coron's dummy addition method requires 12(k − 1)M + 9(k − 1)S + 18(k − 1)A for a ≠ −3 and 12(k − 1)M + 7(k − 1)S + 20(k − 1)A for a = −3 (not counting the conversion of the final result from Jacobian to affine coordinates).

Several SPA-resistant algorithms have been proposed that are faster than Coron's dummy addition method. Three basic approaches to achieving SPA resistance are known:
– The first is to use indistinguishable addition and doubling algorithms in the scalar multiplication (cf. [CJ01]). Jacobi form and Hesse form elliptic curves achieve this, as they allow the same algorithm to be used for both additions and doublings [LS01, JQ01]. However, this requires specially chosen elliptic curves and does not work for the standardized curves recommended by specifications such as [NIST], [ANSI] and [SEC2]. Brier and Joye proposed an indistinguishable addition and doubling algorithm applicable to Weierstrass form curves [BJ02], but it fails on certain inputs, making it vulnerable to attacks [IT02b].
– The second is the so-called double-and-always-add approach. Coron's dummy addition method is the simplest algorithm of this type. Okeya and Sakurai proposed using Montgomery form elliptic curves to achieve a double-and-always-add method [OS00], but this is not applicable to the standardized curves. This method was recently extended to general curves [BJ02, IT02a].
– The third approach is to use a special addition chain whose sequence of additions and doublings does not depend on the bits of the secret key, as proposed by Möller [Möl01]. (Recently, Seysen has proposed a different addition chain secure against SPA [Sey01].)
In this paper we are interested in scalar multiplication algorithms that do not require specially chosen curves. Therefore we will examine Möller's method [Möl01] and Izu and Takagi's method [IT02a].

3.2 Countermeasures against DPA
Even if a scalar multiplication implementation is secure against SPA, it may be possible to break it by using DPA, i.e. by employing statistical tools to analyze the information observed in many executions of the algorithm. However, it is easy to enhance SPA-resistant methods to be DPA-resistant. We describe two approaches, one due to Coron and one due to Joye and Tymen.
One of the countermeasures described by Coron in [Cor99] is projective randomization: Let P = (X : Y : Z) be a base point given in Jacobian coordinates; then for all r ∈ K\{0}, $(r^2 X : r^3 Y : rZ)$ represents the same point. If we transform a base point (X : Y : Z) into $(r^2 X : r^3 Y : rZ)$ with a random r before starting the scalar multiplication, the side channel information available to the statistical analysis will be randomized. The additional computational cost is only 4M + 1S at the beginning of the scalar multiplication.

Joye and Tymen proposed a related countermeasure [JT01]. It is based on randomly selected isomorphisms between elliptic curves. The base point P = (x, y) and the defining coefficients a, b of an elliptic curve can be randomized into $P' = (r^2 x, r^3 y)$ and $a' = r^4 a$, $b' = r^6 b$, yielding the corresponding point on an isomorphic curve defined by a', b'. This randomization allows us to keep a Z-coordinate of 1 and thus benefit from mixed coordinates in the scalar multiplication. Joye-Tymen randomization requires 5M + 3S in the beginning of the scalar multiplication. At the end of the scalar multiplication, we have to transform the point to the original curve using r. For Jacobian coordinates, transformation from (X : Y : Z) back into affine coordinates $(X/(rZ)^2, Y/(rZ)^3)$ for the original curve requires 5M + 1S + 1I. Joye-Tymen randomization requires additional storage: during the scalar multiplication, implementations must store the random field element r, and elliptic curve operations have to be performed using the modified coefficients a', b'. Thus, three field elements have to be stored. Actually the b coefficient is usually not needed for elliptic curve operations. For Joye-Tymen randomization without b, the initial transformations require only 4M + 3S, and additional storage is needed only for two field elements.

The other countermeasure against DPA is to randomize the computation process of the addition chain [IYTT02, OA01, LS01].
However, the Oswald-Aigner scheme was broken by an SPA proposed by Okeya and Sakurai [OS02a]. Walter showed how to attack the Liardet-Smart method [Wal02].

3.3 Computing Architecture
We discuss the relevant properties of smart card computing architectures (for a more comprehensive description, see [VW98]). The main components are a central processing unit (CPU), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), random access memory (RAM), and the arithmetic unit (AU). Typical smart card CPUs are variants of the Motorola 6805 or Intel 8051 processor. The ROM contains the smart card operating system and additional software including the scalar multiplication algorithm. Fixed system parameters can be stored in EEPROM. Writing into EEPROM is very slow (usually on the order of 1 000 times slower than writing or reading RAM). The RAM of smart cards is usually limited to 4 Kbits. The AU includes a coprocessor; this is used for implementing field operations (addition, subtraction, and multiplication). Assuming that the underlying field $K = \mathbb{F}_q$ is a prime field (which is typically the case), system parameters for most elliptic curve cryptosystems are of the form (q, a, b, G, #G, h) where (a, b) are the coefficients defining the elliptic curve, G is a base point generating a prime-order subgroup of the elliptic curve, #G is the order of G, and h = #E(K)/#G is the cofactor. Coefficient b may be omitted if it is not needed for elliptic curve arithmetic or for verifying that externally supplied points actually lie on the curve. These system parameters are fixed, so they can be stored in EEPROM. A fixed secret key may also be stored in EEPROM. Depending on the cryptographic application, scalar multiplication dP may involve the fixed base point (P = G) or ephemeral points. For scalar multiplication methods involving a precomputed table of points, we assume that this table is stored in RAM; as we will explain in section 4.1, using a fixed table might make the implementation vulnerable to DPA. Finally, we need a random number generator (see section 3.2). Smart cards often provide random number generation through their operating system.
4 Window-Based Method
To minimize the exposure to side channel attacks, elliptic curve scalar multiplication should be implemented using a fixed sequence of operations. We describe Möller's method that achieves this for general elliptic curves [Möl01, Möl01a].^1 We first describe it in a general form; the choice of point representations will be discussed in the following security analysis. This method represents the multiplier d in base $2^w$ for some window size w ≥ 2 such that digit value 0 is avoided (except for leading zeros): in the original method [Möl01], digits are from the set $\{-2^w, 1, 2, \dots, 2^w - 1\}$; in the improved method [Möl01a], digits are from the set $b_i \in \{-2^w, \pm 1, \pm 2, \dots, \pm(2^{w-1} - 1), 2^{w-1}\}$. Both sets have cardinality $2^w$, and for both methods the binary representation of d can easily be transformed into a representation $d = \sum_{i=0}^{k} b_i \cdot 2^{wi}$ using digits $b_i$ from the respective set. (To ensure that k does not depend on the specific multiplier, a small multiple of the group order can be added to d, assuming that the original value of d is bounded above by the order. This way it is easy to achieve k = (n + 2)/w where n denotes the bit length of the group order.) Then the following algorithm can be used for computing dP if precomputed values P[b] = bP are available:

INPUT k, b[], P[]
OUTPUT d*P
1: A = P[b[k]]
2: for i = k-1 down to 0
3:   for j = 1 to w
4:     A = ECDBL(A)
5:   A = ECADD(A, P[b[i]])
6: return A
Algorithm 1: Compute dP where $d = \sum_{i=0}^{k} b_i 2^{wi}$ and P[b] = bP

^1 A new window-based algorithm for elliptic curve multiplication with resistance against side channel attacks has recently been described in [Möl02]. It can provide better efficiency than the window-based algorithm from [Möl01, Möl01a] if fixed precomputation for the elliptic curve in question can be used. In the present paper, we assume that we have to work without such precomputation.
Note that −bP can be computed from bP at almost no cost, so it is possible to implement the improved method using a P[] array containing only $2^{w-1} + 1$ elements. Precomputation can be performed as follows (exp2(w-1) denotes $2^{w-1}$):

INPUT w, P
OUTPUT P[]
1: m = exp2(w-1)
2: P[1] = P
3: for i = 2 to m-2 step 2
4:   P[i] = ECDBL(P[i/2])
5:   P[i+1] = ECADD(P[i], P)
6: P[m] = ECDBL(P[m/2])
7: P[2*m] = ECDBL(P[m])
8: return P[]
Algorithm 2: Precomputation for Algorithm 1
If w ≥ 4, it is possible to compute array P[] more efficiently than this by exploiting that a combined computation of (b + b')P and (b − b')P from bP and b'P is faster than two separate point additions; see [OK02].

4.1 Security Analysis
If points in the table are represented using affine coordinates, the security of window-based methods against DPA is questionable: because points in the affine coordinate system have a unique representation for the given system parameters (p, a, b), we can analyze the power consumption trace of the ECADD for a fixed point and we can guess which points are used for the ECADD. We show a general attack strategy against table lookup based methods using the DPA if the same scalar is used in many elliptic curve multiplications. In applications such as elliptic curve Diffie-Hellman, the attacker may be able to submit the same point P many times. The feasibility of the attack depends on the implementation of the method. We call the attack a fixed table attack.

We briefly describe the attack strategy. Let $(A_1 : B_1 : 1), (A_2 : B_2 : 1), (A_3 : B_3 : 1)$ be the values of points in the table using affine coordinates. The ECADD implementation consists of several base field operations, and the power consumption trace of each base field operation can be identified with the help of SPA [Sey01]. When using algorithm ECADD^J or ECADD^J_{Z=1}, we always compute $A_i X$ and $B_i Y$ for some integers X, Y. During the scalar multiplication, the integers X and Y may be considered random assuming that point A is projectively randomized at the beginning of Algorithm 1. An attacker can gather measurements $\mathrm{Power}(A_i X)$ and $\mathrm{Power}(B_i Y)$ for i = 1, 2, 3 and random X, Y from many computations. The length of $A_i$ and $B_i$ is fixed, and we can find the mean value of $A_i X$ and $B_i Y$:
$$\mathrm{Exp}(A_i) = \frac{1}{\#S} \sum_{X \in S} \mathrm{Power}(A_i X), \qquad \mathrm{Exp}(B_i) = \frac{1}{\#S} \sum_{Y \in S} \mathrm{Power}(B_i Y)$$
where S is the set of all sampled points and #S is the cardinality of set S. Then we can guess which point of the table is used, or we can classify them into three classes based on $\mathrm{Exp}(A_i), \mathr{Exp}(B_i)$ for i = 1, 2, 3. For example, if $A_1$ has smaller Hamming weight than $A_2, A_3$ and $\mathrm{Power}(A_i X)$ is positively correlated with the Hamming weight of $A_i$, the relationship $\mathrm{Exp}(A_1) < \mathrm{Exp}(A_2), \mathrm{Exp}(A_3)$ will hold for large S.

A countermeasure against the fixed table attack is to randomize the points in the table by using Coron's projective randomization method: when using Jacobian coordinates, replace (X : Y : Z) by $(r^2 X : r^3 Y : rZ)$ where r is a random non-zero field element. More sophisticated fixed table attacks may apply even if the table is fixed only during each single point multiplication: observations from individual ECADD operations performed within each point multiplication may show correlations that indicate whether the same table value is used or not (cf. [WT01, Sch02] for related attacks against RSA).^2 Thus, a projective randomization should be done for each ECADD: after each use of a table value, the table should be updated by substituting the randomized point $(r^2 X : r^3 Y : rZ)$ for the old point (X : Y : Z). This requires an additional 4M + 1S for each ECADD.

We now analyze the security of randomization in the initial phase. We assume that the above countermeasure against the fixed table attack is used. In the first step of Algorithm 1, a point is assigned to A depending on the digit b[k]. In step 3 of Algorithm 1, the addition ECADD(A, R) is carried out for a randomized point R. If the point A is not randomized before the scalar multiplication, the attacker has a statistical advantage for guessing the digit b[k]. Therefore point A should be randomized. When using Algorithm 1 in the improved method with precomputed points $-2^w P, P, 2P, \dots, (2^{w-1} - 1)P, 2^{w-1} P$ and digit set $\{-2^w, \pm 1, \pm 2, \dots, \pm(2^{w-1} - 1), 2^{w-1}\}$, then when b[i] is a negative digit for which no table entry exists, an addition in the underlying field K must be carried out to invert the Y coordinate of P[−b[i]] in order to compute the inverted point for use by the ECADD in step 3 of Algorithm 1. This may provide the attacker with partial information on digit b[i] if this point inversion can be detected by DPA. A countermeasure is to perform this inversion unconditionally and use either its result or the original value (dummy point inversion).

4.2 Efficiency
We now estimate the efficiency of Möller's method for w = 2, 3. We use the algorithms and efficiency estimations discussed in section 2.1. Both the cases a ≠ −3 and a = −3 are considered. As input to the scalar multiplication algorithm, we assume that the following values are given: the definition of the curve (the definition of field $K = \mathbb{F}_q$ and coefficients a, b ∈ K), the base point P = (x, y) represented in affine coordinates, and the scalar d in Möller's representation.

^2 Recently, Okeya and Sakurai proposed a fixed table attack against Möller's scheme using a second order DPA [OS02b].
The points in the precomputed table for w = 2 are −4P, P, 2P. In order to generate the points, we first compute 2P = ECDBL^J(P), 4P = ECDBL^J(2P), and reverse the sign of the Y-coordinate of 4P, which requires 2(4M + 6S + 11A) + 1A = 8M + 12S + 23A for a ≠ −3 and 2(4M + 4S + 13A) + 1A = 8M + 8S + 27A for a = −3. For making Möller's method DPA-resistant, we apply Coron's projective randomization method (see section 4.1). In the beginning of the scalar multiplication, we randomize all the points in the table, namely −4P, P, 2P. Because the Z coordinate of P is 1, we require 2(4M + 1S) + 1(3M + 1S) = 11M + 3S. Before each ECADD^J, we randomize the table point P[b[i]], which requires k(4M + 1S) in total, where k is the number of ECADD^J operations performed by Algorithm 1. In the main loop of the scalar multiplication in the case a ≠ −3, we perform k point inversions and compute k times ECADD^J and k times wECDBL^J_w, which requires kA + k(12M + 4S + 7A) + k(4wM + (4w + 2)S + (12w − 1)A) = (12 + 4w)kM + (6 + 4w)kS + (7 + 12w)kA = 20kM + 14kS + 31kA. In the case a = −3, we perform k point inversions and compute k times ECADD^J and kw times ECDBL^J_{a=−3}, which requires kA + k(12M + 4S + 7A) + kw(4M + 4S + 13A) = (12 + 4w)kM + (4 + 4w)kS + (8 + 13w)kA = 20kM + 12kS + 34kA. After the scalar multiplication, we pull back the point (X : Y : Z) to affine coordinates by computing $(X/Z^2, Y/Z^3)$. This requires 2M + 1S + 1I. Consequently, we need (24k + 21)M + (15k + 16)S + (31k + 23)A + 1I for a ≠ −3 and (24k + 21)M + (13k + 12)S + (34k + 27)A + 1I for a = −3. For scalars d up to 160 bits, k becomes 81. In this case, we conclude that Möller's method with Coron's projective randomization requires 3005.1M for a ≠ −3 and 2874.8M for a = −3, assuming that 1S = 0.8M, 1A = 0.01M, 1I = 30M [OS01] [MvOV97].

We estimate the memory requirements for the method excluding the system parameters. Assume that n bits are needed to store one element of the underlying field K. The table of the algorithm consists of 3 points represented in Jacobian coordinates, using a total of (3n)·3 = 9n bits of storage. This is 1440 bits for 160-bit elliptic curve cryptography. The point arithmetic algorithms need 7 auxiliary variables (i.e., 7n bits). These also suffice to store point A during the algorithm and to perform projective randomization of table elements.

Similarly, we can estimate the efficiency and memory for w = 3. In this case, there are 5 precomputed points: −8P, P, 2P, 3P, 4P. Compared with w = 2, preparing the table requires one more ECADD^J_{Z1=1} operation for computing 3P (additional cost 8M + 3S + 7A), one more ECDBL^J or ECDBL^J_{a=−3} operation for computing 4P (additional cost 4M + 6S + 11A or 4M + 4S + 13A, respectively), and two more projective randomizations (additional cost 2(4M + 1S) = 8M + 2S). The loop body in Algorithm 1 requires one more point doubling (additional cost 4kM + 4kS + 12kA for a ≠ −3 with wECDBL^J_w, 4kM + 4kS + 13kA for a = −3 with ECDBL^J_{a=−3}). The total computational cost of the scalar multiplication becomes (28k + 41)M + (19k + 27)S + (43k + 41)A + 1I for a ≠ −3 and (28k + 41)M + (17k + 21)S + (47k + 47)A + 1I for a = −3. For scalars up to 160 bits, here we have k = 54, so this is 2449.0M for a ≠ −3 and 2360.0M for a = −3 with the same assumptions as above. The size of the precomputed table is 15n bits (2400 bits for 160-bit ECC).
5 Montgomery-Type Method
Another approach to compute an SCA-resistant scalar multiplication is to use Montgomery's ladder, which was originally proposed in [Mon87] for Montgomery form elliptic curves. Recently, the method has also been applied to Weierstrass form curves [BJ02, IT02a] in order to resist side channel attacks. With this approach, the x-coordinate-only point addition algorithm is employed to minimize the computation time. In this paper, we use the following addition algorithm [IT02a] for efficiency. Let $x_1, x_2$ be the x-coordinate values of two points $P_1, P_2$ of an elliptic curve $E : y^2 = x^3 + ax + b$. Then the x-coordinate value $x_3$ of the sum $P_3 = P_1 + P_2$ is given by
$$x_3 = \frac{2(x_1 + x_2)(x_1 x_2 + a) + 4b}{(x_1 - x_2)^2} - x_3'$$
where $x_3'$ is the x-coordinate value of $P_3' = P_1 - P_2$. On the other hand, the x-coordinate value $x_4$ of the doubled point $P_4 = 2P_1$ is given by
$$x_4 = \frac{(x_1^2 - a)^2 - 8 b x_1}{4(x_1^3 + a x_1 + b)}.$$
These relations enable us to compute $x_d$, the x-coordinate value of dP, using only the x-coordinates of points. These formulae are called the (additive) x-coordinate-only addition formulae. In the original ladder, ECADD and ECDBL are computed separately. For performing SCA-resistant scalar multiplication efficiently, Izu and Takagi [IT02b] encapsulated these formulae into one formula xECADDDBL, which outputs the x-coordinate values of $P_3 = P_1 + P_2$ and $P_4 = 2P_1$ on inputs $P_1, P_2$. In fact, with a projective version of the x-coordinate-only formulae, we can compute $X_3, Z_3, X_4, Z_4$ with 13M + 4S + 18A for a ≠ −3 and 11M + 4S + 23A for a = −3. The number of auxiliary variables for the formulae is 7. The concrete algorithms are in appendix A.4 (xECADDDBL, xECADDDBL_{a=−3}). Algorithm 3 shows an improved Montgomery ladder. Note that we need $P_3' = P_1 - P_2$ to compute $P_3 = P_1 + P_2$. The following ladder keeps $P_3'$ constant (equal to P). In the scalar multiplication with the x-coordinate-only formula, the output is the x-coordinate of dP. We need extra computation to obtain the y-coordinate (y-recovering). $dP = (X_d : Y_d : Z_d)$ is computed on input $X_d, Z_d, X_{d+1}, Z_{d+1}, P = (x, y)$ as in appendix A.5 (YRecovering), which requires 11M + 2S + 7A and 7 auxiliary variables.

INPUT d, P, (n)
OUTPUT d*P
1: Q[0] = P, Q[1] = ECDBL(P)
2: for i = n-2 down to 0
3:   (Q[d[i] XOR 1], Q[d[i]]) = ECADDDBL(Q[d[i]], Q[d[i] XOR 1])
4: return Q[0]
Algorithm 3: Improved Montgomery ladder
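Algorithms 1 to 3 carried through in code, as an added example that is not the paper's code: Möller's recoding into the improved digit set, the precomputation of Algorithm 2, the fixed-pattern loop of Algorithm 1 (section 4), and the x-coordinate-only ladder of Algorithm 3 built on the two formulae above, all checked against plain double-and-add. The curve (a = −3 over the Mersenne prime $2^{127} - 1$), the base point (b is derived from it), the affine reference arithmetic and the recoding routine are this example's own constructions, not the paper's.

```python
"""Constructed example (not the paper's code): Moeller's window method
(Algorithms 1 and 2, improved digit set) and the x-coordinate-only Montgomery
ladder (Algorithm 3) on a short-Weierstrass curve over F_p, both checked
against plain affine double-and-add."""

P_MOD = 2**127 - 1                 # constructed field: the Mersenne prime 2^127 - 1
A_COEF = P_MOD - 3                 # a = -3, the case the paper singles out
GX, GY = 0x1234567, 0x89ABCDEF     # constructed base point; b is derived so it lies on E
B_COEF = (GY * GY - GX**3 - A_COEF * GX) % P_MOD
G = (GX, GY)
INF = None                         # point at infinity (affine reference code only)


def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)


def ec_add(P, Q):
    """Affine addition (doubling when P == Q); reference implementation only."""
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return INF
        lam = (3 * x1 * x1 + A_COEF) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def neg(P):
    return (P[0], -P[1] % P_MOD)    # -bP from bP: only the Y coordinate changes


def double_and_add(d, P):
    R = INF
    for bit in bin(d)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R


def moeller_digits(d, w):
    """Recode d >= 1 into digits b_i from {-2^w, +-1, ..., +-(2^(w-1)-1), 2^(w-1)}
    with d = sum b_i 2^(w i); a zero window becomes -2^w plus a carry of 1 into
    the next window, so no digit is zero. Least significant digit first."""
    digits = []
    while d > 0:
        b = d % 2**w
        if b == 0:
            b = -2**w
        elif b > 2**(w - 1):
            b -= 2**w
        digits.append(b)
        d = (d - b) >> w               # exact: b == d (mod 2^w) in every branch
    return digits


def precompute(P, w):
    """Algorithm 2: P[1], ..., P[2^(w-1)] and 2^w P, whose sign is then reversed
    so that the table holds -2^w P as in the paper."""
    m = 2**(w - 1)
    T = {1: P}
    for i in range(2, m - 1, 2):
        T[i] = ec_add(T[i // 2], T[i // 2])
        T[i + 1] = ec_add(T[i], P)
    T[m] = ec_add(T[m // 2], T[m // 2])
    T[-2 * m] = neg(ec_add(T[m], T[m]))
    return T


def moeller_mul(d, P, w):
    """Algorithm 1: the same pattern, w doublings then one addition, for every
    digit; a negative digit with no table entry uses the negated entry."""
    T = precompute(P, w)
    digits = moeller_digits(d, w)
    look = lambda b: T[b] if b in T else neg(T[-b])
    A = look(digits[-1])
    for b in reversed(digits[:-1]):
        for _ in range(w):
            A = ec_add(A, A)
        A = ec_add(A, look(b))
    return A


def x_add(x1, x2, x3p):
    """x(P1 + P2) from x1, x2 and x3' = x(P1 - P2): the paper's additive formula."""
    num = 2 * (x1 + x2) * (x1 * x2 + A_COEF) + 4 * B_COEF
    return (num * inv((x1 - x2) ** 2) - x3p) % P_MOD


def x_dbl(x1):
    """x(2 P1) from x1 alone."""
    num = (x1 * x1 - A_COEF) ** 2 - 8 * B_COEF * x1
    return num * inv(4 * (x1**3 + A_COEF * x1 + B_COEF)) % P_MOD


def ladder_x(d, P):
    """Algorithm 3: Q[0] = mP, Q[1] = (m+1)P, one add-and-double per bit; the
    difference Q[1] - Q[0] is always P, so x3' is the constant x(P)."""
    x = P[0]
    Q = [x, x_dbl(x)]
    for i in range(d.bit_length() - 2, -1, -1):
        bit = (d >> i) & 1
        Q[bit ^ 1], Q[bit] = x_add(Q[bit], Q[bit ^ 1], x), x_dbl(Q[bit])
    return Q[0]
```

The group order is not known for this constructed curve, so the step of adding a multiple of the order to fix k is omitted; for a real parameter set it would precede the recoding.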
5.1 Security Analysis
We discuss the security of the improved Montgomery ladder (Algorithm 3). For each bit of Algorithm 3, we always compute ECADDDBL. As a sequence of operations in K, the computation is a fixed pattern unrelated to the bit information d[]. Thus the side information becomes a fixed pattern and we conclude that the ladder is secure against the SPA. Note that the security of the ladder is independent of which particular formula is used within the ladder. In order to enhance the method to be DPA-resistant, we have the Coron and Joye-Tymen countermeasures described in section 3.2. With Coron's projective randomization countermeasure transferred to the x-coordinate-only setting, base point P = (x : 1) is randomized to (rx : r), giving us a DPA-resistant algorithm as side information is randomized. In this situation, Okeya et al. observed that the constant difference $P_3'$ need not be randomized [OMS01]; they claimed that it is secure enough if only the base point is randomized. This approach provides good efficiency. With Joye-Tymen's countermeasure, base point (x, y) would be transformed into $(r^2 x, r^3 y)$ in order to randomize side channel information. Efficiency is a little worse than with Coron's countermeasure. From now on, we assume that Coron's countermeasure is used with Algorithm 3.

5.2 Efficiency
We estimate the efficiency of the improved Montgomery ladder with Coron's projective randomization method. As input to the scalar multiplication algorithm, we assume that the following values are given: the definition of the curve (the definition of field $K = \mathbb{F}_q$ and coefficients a, b ∈ K), the base point P = (x, y) in affine coordinates, and the scalar d in binary representation. From base point (x, y), we compute two points P = (rx : r) (randomized base point) and $P_3' = (x : 1)$ (constant difference) before applying Algorithm 3, which requires 1M. We also compute an ECDBL in step 1, which requires 6M + 3S + 9A using 5 auxiliary variables. In the main loop of Algorithm 3, we compute n − 1 times xECADDDBL (or xECADDDBL_{a=−3}), where n is the bit length of the scalar d. This requires (13n − 13)M + (4n − 4)S + (18n − 18)A for a ≠ −3 and (11n − 11)M + (4n − 4)S + (23n − 23)A for a = −3. After that, y-recovering requires 13M + 4S + 16A using 7 auxiliary variables, and the conversion from projective to affine coordinates requires 2M + 1I. The total efficiency of the improved Montgomery ladder combined with the x-coordinate-only formula and Coron's projective randomization method is (13n + 7)M + (4n + 1)S + (18n − 2)A + 1I for a ≠ −3, and (11n + 9)M + (4n + 1)S + (23n − 7)A + 1I for a = −3. If we choose a 160-bit scalar, the method requires 2659M for a ≠ −3, and 2349M for a = −3, under the assumptions 1S = 0.8M, 1A = 0.01M, 1I = 30M [OS01] [MvOV97]. Let us estimate the required memory excluding the system parameters. Let n be the bit size of the definition field. The registers used by the algorithm are $(X_1 : Z_1)$ and $(X_2 : Z_2)$. The total bit size of these registers is 4n, which is 640 bits for n = 160. The number of auxiliary variables used during the computation is 7, which amounts to 1120 bits for n = 160.

Table 2. Computing times of the scalar multiplications
Method                            Computing Time                                                  (160-bit ECC)
Coron's dummy                     (12n − 7)M + (9n − 8)S + (18n − 18)A + 1I                       3117M
Coron's dummy (a = −3)            (12n − 7)M + (7n − 6)S + (20n − 20)A + 1I                       2866M
Improved Möller (w = 2)           (24k_2 + 21)M + (15k_2 + 16)S + (31k_2 + 23)A + 1I              3005M
Improved Möller (w = 2, a = −3)   (24k_2 + 21)M + (13k_2 + 12)S + (34k_2 + 27)A + 1I              2875M
Improved Möller (w = 3)           (28k_3 + 41)M + (19k_3 + 27)S + (43k_3 + 41)A + 1I              2449M
Improved Möller (w = 3, a = −3)   (28k_3 + 41)M + (17k_3 + 21)S + (47k_3 + 47)A + 1I              2360M
Improved Izu-Takagi               (13n + 7)M + (4n + 1)S + (18n − 2)A + 1I                        2659M
Improved Izu-Takagi (a = −3)      (11n + 9)M + (4n + 1)S + (23n − 7)A + 1I                        2349M
6 Comparison
In this section, we compare the computing times of a scalar multiplication resistant against the SCA. The Coron dummy addition method with Joye-Tymen randomization in section 3, the improved Möller method with Coron's projective randomization method in section 4.2, and the improved Izu-Takagi method with Coron's projective randomization method in section 5.2 are compared. In table 2 we summarize the computing time of these methods depending on the group size n (in bits). Both cases a ≠ −3 and a = −3 are estimated. The last numbers of the rows are estimated for 160-bit ECC, where we assume that 1S = 0.8M, 1A = 0.01M, 1I = 30M [OS01] [MvOV97]. Here we use $k_w = (n + 2)/w$. In table 3, we summarize the RAM usage of the improved Möller method and the improved Izu-Takagi method. We see that at 160 bits the improved Izu-Takagi method is more efficient than the improved Möller method with w = 2 both in terms of computing time and in terms of storage requirements. In the case a = −3, it remains faster than the latter method with w = 3. If sufficient storage is available for the improved Möller method with w = 3, then in the case a ≠ −3 this method is the fastest.
Table 3. Comparison of memory usage
Method                    RAM usage
Improved Möller (w = 2)   7n plus 9n for the table (2560 bits)
Improved Möller (w = 3)   7n plus 15n for the table (3520 bits)
Improved Izu-Takagi       7n (1120 bits)
References
[ANSI] ANSI X9.62 - 1998, Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), 1998.
[BJ02] E. Brier and M. Joye, “Weierstraß Elliptic Curves and Side-Channel Attacks”, PKC 2002, LNCS 2274, pp. 335–345, Springer-Verlag, 2002.
[CJ01] C. Clavier and M. Joye, “Universal exponentiation algorithm – A first step towards provable SPA-resistance –”, CHES 2001, LNCS 2162, pp. 300–308, 2001.
[CMO98] H. Cohen, A. Miyaji and T. Ono, “Efficient elliptic curve exponentiation using mixed coordinates”, ASIACRYPT ’98, LNCS 1514, pp. 51–65, 1998.
[Cor99] J. Coron, “Resistance against differential power analysis for elliptic curve cryptosystems”, CHES ’99, LNCS 1717, pp. 292–302, 1999.
[ITTTK99] K. Itoh, et al., “Fast Implementation of Public-Key Cryptography on a DSP TMS320C6201”, CHES ’99, LNCS 1717, pp. 61–72, 1999.
[IYTT02] K. Itoh, J. Yajima, M. Takenaka, and N. Torii, “DPA Countermeasures by improving the Window Method”, to appear in CHES 2002, 2002.
[IT02] T. Izu and T. Takagi, “A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks”, PKC 2002, LNCS 2274, pp. 280–296, 2002.
[IT02a] T. Izu and T. Takagi, “A Fast Parallel Elliptic Curve Multiplication Resistant against Side Channel Attacks”, Technical Report CORR 2002-03, University of Waterloo, 2002. Available from http://www.cacr.math.uwaterloo.ca/.
[IT02b] T. Izu and T. Takagi, “On the Security of Brier-Joye’s Addition Formula for Weierstrass-form Elliptic Curves”, TR No. TI-3/02, Technische Universität Darmstadt, 2002. Available from http://www.informatik.tu-darmstadt.de/TI/.
[JQ01] M. Joye and J. Quisquater, “Hessian elliptic curves and side-channel attacks”, CHES 2001, LNCS 2162, pp. 402–410, 2001.
[JT01] M. Joye and C. Tymen, “Protections against differential analysis for elliptic curve cryptography”, CHES 2001, LNCS 2162, pp. 377–390, 2001.
[Koc96] C. Kocher, “Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems”, CRYPTO ’96, LNCS 1109, pp. 104–113, 1996.
[KJJ99] C. Kocher, J. Jaffe and B. Jun, “Differential power analysis”, CRYPTO ’99, LNCS 1666, pp. 388–397, 1999.
[LS01] P. Liardet and N. Smart, “Preventing SPA/DPA in ECC systems using the Jacobi form”, CHES 2001, LNCS 2162, pp. 391–401, 2001.
[MvOV97] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of applied cryptography, CRC Press, 1997.
[Möl01] B. Möller, “Securing elliptic curve point multiplication against side-channel attacks”, ISC 2001, LNCS 2200, pp. 324–334, Springer-Verlag, 2001.
[Möl01a] B. Möller, “Securing elliptic curve point multiplication against side-channel attacks”, Addendum: efficiency improvement, http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/ecc-sca-isc01.pdf, 2001.
[Möl02] B. Möller, “Parallelizable elliptic curve point multiplication method with resistance against side-channel attacks”, ISC 2002, LNCS 2433, pp. 402–413, 2002.
[Mon87] P. Montgomery, “Speeding the Pollard and elliptic curve methods for factorizations”, Math. Comp., vol. 48, pp. 243–264, 1987.
[NIST] National Institute of Standards and Technology, Recommended Elliptic Curves for Federal Government Use, Appendix to FIPS 186-2, 2000.
[OA01] E. Oswald and M. Aigner, “Randomized Addition-Subtraction Chains as a Countermeasure against Power Attacks”, CHES 2001, LNCS 2162, pp. 39–50, 2001.
[OK02] H. Oguro and T. Kobayashi, “Efficient Window Method on Elliptic Curve Cryptosystems”, Proceedings of the 2002 Symposium on Cryptography and Information Security, SCIS 2002, pp. 687–692, 2002 (in Japanese).
[OMS01] K. Okeya, K. Miyazaki, and K. Sakurai, “A Fast Scalar Multiplication Method with Randomized Projective Coordinates on a Montgomery-form Elliptic Curve Secure against Side Channel Attacks”, ICISC 2001, LNCS 2288, pp. 428–439, Springer-Verlag, 2002.
[OS00] K. Okeya and K. Sakurai, “Power analysis breaks elliptic curve cryptosystems even secure against the timing attack”, INDOCRYPT 2000, LNCS 1977, pp. 178–190, Springer-Verlag, 2000.
[OS01] K. Okeya and K. Sakurai, “Efficient elliptic curve cryptosystems from a scalar multiplication algorithm with recovery of the y-coordinate on a Montgomery-form elliptic curve”, CHES 2001, LNCS 2162, pp. 126–141, Springer-Verlag, 2001.
[OS02a] K. Okeya and K. Sakurai, “On Insecurity of the Side Channel Attack Countermeasure using Addition-Subtraction Chains under Distinguishability between Addition and Doubling”, ACISP 2002, LNCS 2384, pp. 420–435, 2002.
[OS02b] K. Okeya and K. Sakurai, “A Second-Order DPA Attack Breaks a Window-method based Countermeasure against Side Channel Attacks”, ISC 2002, LNCS 2433, pp. 389–401, 2002.
[Sch02] W. Schindler, “A Combined Timing and Power Attack”, PKC 2002, LNCS 2274, pp. 263–279, Springer-Verlag, 2002.
[Sey01] M. Seysen, “DPA-Gegenmaßnahmen bei einer ECDSA-Implementierung auf Chipkarten”, presented at DPA Workshop, Bonn (BSI), ECC Brainpool, 2001.
[SEC1] Standards for Efficient Cryptography Group/Certicom Research, SEC 1: Elliptic Curve Cryptography, Version 1.0, 2000. Available from http://www.secg.org/.
[SEC2] Standards for Efficient Cryptography Group/Certicom Research, SEC 2: Recommended Elliptic Curve Cryptography Domain Parameters, Version 1.0, 2000.
[VW98] K. Vedder and F. Weikmann, “Smart Cards – Requirements, Properties and Applications –”, Chipkarten, Vieweg, pp. 1–23, 1998.
[WT01] C. D. Walter and S. Thompson, “Distinguishing Exponent Digits by Observing Modular Subtractions”, CT-RSA 2001, LNCS 2020, pp. 192–207, 2001.
[Wal02] C. D. Walter, “Breaking the Liardet-Smart Randomized Exponentiation Algorithm”, to appear in CARDIS ’02.
A Appendix
We show the concrete algorithms for computing ECDBL^J, ECDBL^J_{a=−3}, ECADD^J, ECADD^J_{Z=1}, wECDBL^J_w, xECADDDBL, xECADDDBL_{a=−3}, and YRecovering, which are described in this paper. In order to estimate the efficiency, we use four notations ×, ·², +, − for the arithmetic of the definition field K. The notation × is a standard multiplication in K. The notation ·² is a squaring in K. The notations + and − are an addition and a subtraction in K, respectively.

A.1
Computing ECDBL^J and ECDBL^J_{a=−3}

ECDBL^J, 4M + 6S + 11A
Input (X1, Y1, Z1, a)
Output (X2, Y2, Z2)
R4 ← X1, R5 ← Y1, R6 ← Z1
R1 ← R4²
R2 ← R5²
R2 ← R2 + R2
R4 ← R4 × R2
R4 ← R4 + R4
R2 ← R2²
R2 ← R2 + R2
R3 ← R6²
R3 ← R3²
R6 ← R5 × R6
R6 ← R6 + R6
R5 ← R1 + R1
R1 ← R1 + R5
R3 ← a × R3
R1 ← R1 + R3
R3 ← R1²
R5 ← R4 + R4
R5 ← R3 − R5
R4 ← R4 − R5
R1 ← R1 × R4
R4 ← R1 − R2
X2 ← R5, Y2 ← R4, Z2 ← R6
ECDBL^J_{a=−3}, 4M + 4S + 13A
Input (X1, Y1, Z1)
Output (X2, Y2, Z2)
R4 ← X1, R5 ← Y1, R6 ← Z1
R2 ← R5²
R2 ← R2 + R2
R3 ← R4 × R2
R3 ← R3 + R3
R2 ← R2²
R2 ← R2 + R2
R5 ← R5 × R6
R5 ← R5 + R5
R6 ← R6²
R4 ← R4 + R6
R6 ← R6 + R6
R6 ← R4 − R6
R4 ← R4 × R6
R6 ← R4 + R4
R4 ← R4 + R6
R6 ← R4²
R6 ← R6 − R3
R6 ← R6 − R3
R3 ← R3 − R6
R4 ← R4 × R3
R4 ← R4 − R2
X2 ← R6, Y2 ← R4, Z2 ← R5
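The two doubling sequences above, combined with the projective randomization of section 3.2, as an added example that is not the paper's code: it transcribes ECDBL^J and ECDBL^J_{a=−3} register by register over a constructed field (the Mersenne prime $2^{127} - 1$, a = −3, a constructed point with b derived from it) and checks that a Coron-randomized input $(r^2 X : r^3 Y : rZ)$ yields the same affine result as the unrandomized one.

```python
"""Added example (not the paper's code): the ECDBL^J and ECDBL^J_{a=-3} register
sequences of appendix A.1 over a constructed prime field, plus Coron's projective
randomization (X : Y : Z) -> (r^2 X : r^3 Y : r Z) from section 3.2."""

P_MOD = 2**127 - 1                # constructed field: the Mersenne prime 2^127 - 1
A_COEF = P_MOD - 3                # a = -3, so both doubling listings must agree
X1, Y1 = 0x1234567, 0x89ABCDEF    # constructed affine point; b is derived from it
B_COEF = (Y1 * Y1 - X1**3 - A_COEF * X1) % P_MOD


def ecdbl_j(X1, Y1, Z1, a):
    """ECDBL^J, 4M + 6S + 11A: the A.1 listing step by step, register names kept."""
    m = P_MOD
    R4, R5, R6 = X1, Y1, Z1
    R1 = R4 * R4 % m              # X1^2
    R2 = R5 * R5 % m              # Y1^2
    R2 = R2 + R2
    R4 = R4 * R2 % m
    R4 = R4 + R4                  # S = 4 X1 Y1^2
    R2 = R2 * R2 % m
    R2 = R2 + R2                  # 8 Y1^4
    R3 = R6 * R6 % m
    R3 = R3 * R3 % m              # Z1^4
    R6 = R5 * R6 % m
    R6 = R6 + R6                  # Z2 = 2 Y1 Z1
    R5 = R1 + R1
    R1 = R1 + R5                  # 3 X1^2
    R3 = a * R3 % m
    R1 = R1 + R3                  # M = 3 X1^2 + a Z1^4
    R3 = R1 * R1 % m
    R5 = R4 + R4
    R5 = R3 - R5                  # X2 = M^2 - 2 S
    R4 = R4 - R5
    R1 = R1 * R4 % m
    R4 = R1 - R2                  # Y2 = M (S - X2) - 8 Y1^4
    return R5 % m, R4 % m, R6 % m


def ecdbl_j_am3(X1, Y1, Z1):
    """ECDBL^J_{a=-3}, 4M + 4S + 13A: M = 3 (X1 + Z1^2)(X1 - Z1^2) saves two squarings."""
    m = P_MOD
    R4, R5, R6 = X1, Y1, Z1
    R2 = R5 * R5 % m
    R2 = R2 + R2
    R3 = R4 * R2 % m
    R3 = R3 + R3                  # S = 4 X1 Y1^2
    R2 = R2 * R2 % m
    R2 = R2 + R2                  # 8 Y1^4
    R5 = R5 * R6 % m
    R5 = R5 + R5                  # Z2 = 2 Y1 Z1
    R6 = R6 * R6 % m              # Z1^2
    R4 = R4 + R6                  # X1 + Z1^2
    R6 = R6 + R6
    R6 = R4 - R6                  # X1 - Z1^2
    R4 = R4 * R6 % m
    R6 = R4 + R4
    R4 = R4 + R6                  # M = 3 (X1^2 - Z1^4)
    R6 = R4 * R4 % m
    R6 = R6 - R3
    R6 = R6 - R3                  # X2 = M^2 - 2 S
    R3 = R3 - R6
    R4 = R4 * R3 % m
    R4 = R4 - R2                  # Y2
    return R6 % m, R4 % m, R5 % m


def randomize(X, Y, Z, r):
    """Coron's projective randomization; (r^2 X : r^3 Y : r Z) is the same point."""
    return r * r * X % P_MOD, r**3 * Y % P_MOD, r * Z % P_MOD


def to_affine(X, Y, Z):
    """Jacobian (X : Y : Z) -> (X / Z^2, Y / Z^3)."""
    zi = pow(Z, P_MOD - 2, P_MOD)
    return X * zi * zi % P_MOD, Y * zi**3 % P_MOD


def on_curve(x, y):
    return (y * y - x**3 - A_COEF * x - B_COEF) % P_MOD == 0
```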
A.2
Computing ECADD^J and ECADD^J_{Z1=1}

ECADD^J, 12M + 4S + 7A
Input (X1, Y1, Z1, X2, Y2, Z2)
Output (X3, Y3, Z3)
R2 ← X1, R3 ← Y1, R4 ← Z1
R5 ← X2, R6 ← Y2, R7 ← Z2
R1 ← R7²
R2 ← R2 × R1
R3 ← R3 × R7
R3 ← R3 × R1
R1 ← R4²
R5 ← R5 × R1
R6 ← R6 × R4
R6 ← R6 × R1
R5 ← R5 − R2
R7 ← R4 × R7
R7 ← R5 × R7
R6 ← R6 − R3
R1 ← R5²
R4 ← R6²
R2 ← R2 × R1
R5 ← R1 × R5
R4 ← R4 − R5
R1 ← R2 + R2
R4 ← R4 − R1
R2 ← R2 − R4
R6 ← R6 × R2
R1 ← R3 × R5
R1 ← R6 − R1
X3 ← R4, Y3 ← R1, Z3 ← R7
ECADD^J_{Z1=1}, 8M + 3S + 7A
Input (X1, Y1, X2, Y2, Z2)
Output (X3, Y3, Z3)
R2 ← X1, R3 ← Y1, R5 ← X2
R6 ← Y2, R7 ← Z2
R1 ← R7²
R2 ← R2 × R1
R3 ← R3 × R7
R3 ← R3 × R1
R5 ← R5 − R2
R7 ← R5 × R7
R6 ← R6 − R3
R1 ← R5²
R4 ← R6²
R2 ← R2 × R1
R5 ← R1 × R5
R4 ← R4 − R5
R1 ← R2 + R2
R4 ← R4 − R1
R2 ← R2 − R4
R6 ← R6 × R2
R1 ← R3 × R5
R1 ← R6 − R1
X3 ← R4, Y3 ← R1, Z3 ← R7

A.3
Computing wECDBL^J_w

wECDBL^J_w, 4wM + (4w + 2)S + (12w − 1)A
Input (X1, Y1, Z1, a)
Output (X2, Y2, Z2)
R4 ← X1, R5 ← Y1, R6 ← Z1
R1 ← R4²
R2 ← R5²
R2 ← R2 + R2
R4 ← R4 × R2
R4 ← R4 + R4
R2 ← R2²
R2 ← R2 + R2
R3 ← R6²
R3 ← R3²
R6 ← R5 × R6
R6 ← R6 + R6
R5 ← R1 + R1
R1 ← R1 + R5
R7 ← a × R3
R1 ← R1 + R7
R3 ← R1²
R5 ← R4 + R4
R5 ← R3 − R5
R4 ← R4 − R5
R1 ← R1 × R4
R4 ← R1 − R2
Repeat the following w − 1 times:
R7 ← R2 × R7
R7 ← R7 + R7
R1 ← R5²
R2 ← R4²
R2 ← R2 + R2
R6 ← R4 × R6
R6 ← R6 + R6
R4 ← R5 × R2
R4 ← R4 + R4
R2 ← R2²
R2 ← R2 + R2
R5 ← R1 + R1
R1 ← R1 + R5
R1 ← R1 + R7
R3 ← R1²
R5 ← R4 + R4
R5 ← R3 − R5
R4 ← R4 − R5
R1 ← R1 × R4
R4 ← R1 − R2
X2 ← R5, Y2 ← R4, Z2 ← R6
A.4 Computing xECADDDBL and xECADDDBL_{a=−3}

xECADDDBL, 13M + 4S + 18A
Input (X1, Z1, X2, Z2, x, a, b), Output (X3, Z3, X4, Z4)
R1 ← X1, R2 ← Z1, R3 ← X2, R4 ← Z2
R6 ← R1 × R4
R1 ← R1 × R3
R4 ← R2 × R4
R2 ← R3 × R2
R3 ← R6 − R2
R3 ← R3²
R5 ← x × R3
R7 ← a × R4
R1 ← R1 + R7
R2 ← R2 + R6
R1 ← R1 × R2
R2 ← R4²
R7 ← b × R2
R1 ← R1 + R7
R1 ← R1 + R1
R5 ← R1 − R5
R5 ← R7 + R5
R5 ← R7 + R5
R2 ← a × R2
R1 ← R6²
R1 ← R1 + R2
R2 ← R2 + R2
R2 ← R1 − R2
R2 ← R2²
R1 ← R6 × R1
R7 ← R4 × R7
R1 ← R1 + R7
R7 ← R6 × R7
R7 ← R7 + R7
R7 ← R7 + R7
R7 ← R7 + R7
R7 ← R2 − R7
R6 ← R4 × R1
R6 ← R6 + R6
R6 ← R6 + R6
X3 ← R5, Z3 ← R3, X4 ← R7, Z4 ← R6

xECADDDBL_{a=−3}, 11M + 4S + 23A
Input (X1, Z1, X2, Z2, x, b), Output (X3, Z3, X4, Z4)
R1 ← X1, R2 ← Z1, R3 ← X2, R4 ← Z2
R6 ← R1 × R4
R1 ← R1 × R3
R4 ← R2 × R4
R2 ← R3 × R2
R3 ← R6 − R2
R3 ← R3²
R5 ← x × R3
R1 ← R1 − R4
R1 ← R1 − R4
R1 ← R1 − R4
R2 ← R2 + R6
R1 ← R1 × R2
R2 ← R4²
R7 ← b × R2
R1 ← R1 + R7
R1 ← R1 + R1
R5 ← R1 − R5
R5 ← R7 + R5
R5 ← R7 + R5
R1 ← R2 + R2
R1 ← R1 + R1
R2 ← R2 − R1
R1 ← R6²
R1 ← R1 + R2
R2 ← R2 + R2
R2 ← R1 − R2
R2 ← R2²
R1 ← R6 × R1
R7 ← R4 × R7
R1 ← R1 + R7
R7 ← R6 × R7
R7 ← R7 + R7
R7 ← R7 + R7
R7 ← R7 + R7
R7 ← R2 − R7
R6 ← R4 × R1
R6 ← R6 + R6
R6 ← R6 + R6
X3 ← R5, Z3 ← R3, X4 ← R7, Z4 ← R6

A.5 Computing YRecovering

YRecovering, 11M + 2S + 7A
Input (Xd, Zd, Xd+1, Zd+1, x, y, a, b), Output (X'd, Y'd, Z'd)
R1 ← Xd, R2 ← Zd, R3 ← Xd+1, R4 ← Zd+1
R5 ← x × R2
R6 ← R5 − R1
R6 ← R6²
R6 ← R3 × R6
R5 ← R5 + R1
R7 ← x × R1
R1 ← R1 × R2
R3 ← a × R2
R2 ← R2²
R7 ← R3 + R7
R7 ← R5 × R7
R5 ← y × R4
R5 ← R5 + R5
R3 ← R5 × R2
R1 ← R5 × R1
R2 ← b × R2
R2 ← R2 + R2
R7 ← R7 + R2
R7 ← R4 × R7
R7 ← R7 − R6
X'd ← R1, Y'd ← R7, Z'd ← R3
The Design and Implementation of Improved Secure Cookies Based on Certificate
Jong-Phil Yang (1) and Kyung-Hyune Rhee (2)
(1) Department of Computer Science, Pukyong Nat'l Univ., 599-1, Daeyeon3-Dong, Nam-Gu, Pusan 608-737, Republic of Korea, [email protected]
(2) Division of Electronic, Computer and Telecommunication Engineering, Pukyong Nat'l Univ., 599-1, Daeyeon3-Dong, Nam-Gu, Pusan 608-737, Republic of Korea, [email protected]
Abstract. HTTP is stateless, so it does not by itself provide continuity of browser-server interaction across successive visits by a user. Cookies were invented to maintain continuity and state on the Web. Because cookies are transmitted in the clear and consist of text strings encoding information about the user, an attacker can easily copy and modify them for undue profit. In this paper, we design a secure cookies scheme based on public key certificates to remedy these security weaknesses of typical web cookies. Our secure cookies scheme provides not only mutual authentication between client and server but also confidentiality and integrity of user information. Additionally, we implement our secure cookies scheme and compare its performance with that of the SSL (Secure Socket Layer) protocol, which is widely used to secure HTTP.
Keywords: web security, authentication, cookie, public key certificate
1 Introduction
Nowadays, web browsing and on-line shopping are increasing rapidly because of their convenience. A user can personalize a web page and keep his/her own shopping cart, and the web page can then authenticate the user automatically without asking for a username and password repeatedly. A commercial web site in particular has to support a payment system, and therefore inherently needs a security system that prevents an attacker from exposing personal information or credit card numbers. HTTP is stateless, so it does not support continuity of browser-server interaction across successive visits by a user: once a web server has finished sending the response to a client's request, it loses the information related to that client. Cookies were therefore invented to maintain continuity and state on the Web. They are sent to the user's hard drive or RAM via the browser while the user visits a cookie-using website, and the web server retrieves the user's information from those cookies when the user later returns to the same website. The purpose of cookies is to acquire information for use in subsequent server-browser communications without requesting the same information repeatedly [1],[6].

A merchant web server could use a cookie that contains the user's name and credit card numbers. Although this would be convenient for users, it would also be risky: because cookies are stored and transmitted in the clear, they are readable and easily forged. One way to solve this problem is to apply cryptographic techniques such as encryption, one-way hashing and digital signatures to typical web cookies. When cryptographic techniques are applied to cookies, user information such as the user ID, user password and credit card numbers can be stored in cookies securely, without being saved in a database on the server. This method therefore has two advantages: it reduces the maintenance cost of the database on the server side, and it is more secure for users than typical cookies. In this paper, we design and implement a new cookies scheme that is based on public key certificates, provides several cryptographic services, and offers an improved defense against these security threats.

The rest of this paper is organized as follows. In Section 2, we review typical cookies, the security threats against them, and related work. In Section 3, we propose a new secure cookies scheme and discuss its security. In Section 4, we extend the security features of our scheme to session tracking on a single server and within an Internet domain. In Section 5, we describe our implementation of the scheme and compare its performance with that of SSL. Finally, we draw conclusions in Section 6.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 314–325, 2002. © Springer-Verlag Berlin Heidelberg 2002
2 The Security Threat of Cookies
In this section, we describe typical cookies and the threats against them, and we review the solutions proposed for securing cookies.

2.1 Typical Cookies and Security Threats
Cookies serve many purposes on the Web, such as selecting a display mode (for example, frames or text only), maintaining shopping cart selections, and storing user identification data. All cookies on the web are fundamentally similar. Fig. 1 shows typical cookies and their fields [3].

Fig. 1. Typical cookies on the web

The well-known security threats against typical cookies on the web are the following [6]:
– Network threat: Cookies transmitted in the clear on the network are susceptible to snooping (for subsequent replay) and to modification.
– End-system threat: Once cookies are in the browser's end system, they reside on the hard drive or in memory in the clear. Such cookies can be trivially altered by users and easily copied from one computer to another, with or without the cooperation of the user on whose computer the cookie was originally stored. The ability to alter and copy cookies lets attackers easily forge cookie contents and impersonate other users.
– Cookie-harvesting threat: If an attacker collects cookies by impersonating a site that accepts cookies from users (who believe that they are communicating with a legitimate web server), the attacker can later use those harvested cookies at all other sites that accept them.

2.2 Related Works
V. Khu-smith and C. J. Mitchell [8] distinguished two approaches to securing cookies: the server-managed cookie and the user-managed cookie. The server-managed cookie has the major benefit of user transparency; if implemented appropriately, no changes to servers will be required. An obvious disadvantage of this approach is the replay attack. With the user-managed cookie, on the other hand, a user obviously has the benefit of control over what, when and how the security mechanisms should be applied. However, a special web browser or additional software is required to enable users to perform the security procedures.

J. S. Park and R. Sandhu [6] proposed a server-managed cookie scheme that uses three types of secure cookies. First, in address-based authentication the cookie value holds the user's IP address. This is undesirable when the user's IP address is assigned dynamically or the user's domain uses a proxy server, and in addition it cannot prevent IP spoofing. Second, in password-based authentication the cookie value holds the user's hashed password. Password-based authentication supports dynamic IP addresses and proxy servers and prevents IP spoofing; however, this mechanism is inherently vulnerable to dictionary attack. Third, digital-signature-based authentication does not by itself verify the validity of the public key of the communicating entity. V. Khu-smith and C. J. Mitchell [8] proposed a user-managed cookie scheme based on symmetric or asymmetric cryptography. This scheme provides several security services, such as authentication, integrity and confidentiality, by using additional software.

Our scheme is basically a user-managed cookie scheme. However, the extension of our scheme that will be introduced in Section 4 is server-managed. In order to perform public key encryption and digital signatures properly, we apply public key certificates in our scheme. Moreover, when a user logs in to a server under the proposed scheme, a password-based mechanism can also be applied, so that the whole system is defended against the end-system threat and the cookie-harvesting threat.
3 Design of Secure Cookies Based on Public Key Certificate
In this section, we propose a new architecture of secure cookies based on public key certificates, and design some secure protocols that apply to the proposed secure cookies.

3.1 Notation and Architecture of Secure Cookies
We introduce the notation used to describe the proposed scheme:
– C: The identity of a client (user).
– S: The identity of a server.
– Passwd: The password that a user needs to log in to the server.
– PR_X: The private key of a communicating entity X in a public key cryptosystem.
– PU_X: The public key of a communicating entity X in a public key cryptosystem.
– SK: The secret key of a symmetric cryptosystem.
– Cert_X: The public key certificate of a communicating entity X.
– T_X: The timestamp value of a communicating entity X.
– H(m): The one-way hash value of a message m.
– E_K(m): The message m encrypted with a key K.
– SIG_K(m): The message m digitally signed with a key K.

Fig. 2 shows the architecture of the proposed secure cookies scheme. The cookie family and their roles are as follows:
– CertCookie: The cookie value is the certificate of a client (user).
– PassCookie: The cookie value is the user's password for logging in to the server, encrypted with SK.
– KeyCookie: The cookie value is SK encrypted with the server's public key PU_S.
– SealCookie: The cookie value is a message digest of the cookies, signed with the server's private key PR_S.
Fig. 2. The architecture of secure cookies set

Remark 1. In this paper, the set of cookies CertCookie, PassCookie and KeyCookie is called the cookies set, and the cookies set together with SealCookie is called the secure cookies set. Additionally, the administrator of a server can generate new cookies and securely add them to the cookies set as needed (for example, for access control or for saving user-related information on the client side) by encrypting them with SK. A secure cookies set provides integrity, confidentiality and authentication services using several cryptographic techniques.

3.2 Issuing Secure Cookies Set
Fig. 3 shows the issuing procedure of a secure cookies set. We assume that each communicating entity in this paper has a public key certificate issued by a CA (Certificate Authority). In Fig. 3, when a client requests a server to issue a secure cookies set (that is, the client sends message-1 (M1) to the server), the server sends message-2 (M2) to the client.

M2: Cert_S

Fig. 3. The issuing procedure of secure cookies set
Now the client can authenticate the server by verifying the server's certificate, and obtains the public key of the server PU_S. It generates a secret key SK, which is used to encrypt some cookie values, and asks the user to define a password for logging in to the server. The client composes message-3 (M3) and sends it to the server. The client deletes SK from local memory immediately after sending M3.

M3: Cert_C || E_{PU_S}(Passwd || SK || SIG_{PR_C}(Passwd || SK))

The server authenticates the client by verifying the client's certificate and obtains the public key of the client PU_C. The server decrypts the encrypted part of M3 with its private key PR_S, obtaining the client's password Passwd and SK. The server verifies the signed part of M3 with PU_C, which identifies the origin of M3 and confirms that it has not been altered. After verifying M3, the server sends message-4 (M4) to the client.

M4: CertCookie || ··· || PassCookie || KeyCookie || SealCookie
(the whole of M4 is the secure cookies set)

In M4, the cookie value of SealCookie is SIG_{PR_S}(H(CertCookie || ··· || PassCookie || KeyCookie)), where the hash is taken over the cookies set.
3.3 A Login Procedure through a Secure Cookies Set
Fig. 4 shows a login procedure through a secure cookies set. When a client requests a server to log in (that is, the client sends message-1 (M1) to the server), the server sends message-2 (M2) to the client.

M2: Cert_S || T_S

After receiving M2, the client verifies the certificate of the server, authenticates the server and obtains PU_S. To log in to the server, the client asks the user to input his/her password. The user's password is encrypted together with the received T_S under the public key of the server. The client forms message-3 (M3) and sends it to the server. M3 consists of the encrypted part just described and the secure cookies set.

M3: E_{PU_S}(Passwd, T_S) || CertCookie || ··· || SealCookie
(the part after the encrypted block is the secure cookies set)

Fig. 4. The login procedure through secure cookies set
The server decrypts the encrypted part of M3 with PR_S and obtains Passwd and T_S. The server compares the received T_S with the one it sent in M2; if the two values are equal, M3 is fresh. Next, the server computes the hash value of the cookies set in M3, namely CertCookie, PassCookie and KeyCookie, and signs the hash value digitally. The server compares this value with the cookie value of SealCookie; if the two values are equal, the received secure cookies set has not been forged by an attacker and is the secure cookies set issued by the server itself. Now the server decrypts the cookie value of KeyCookie with PR_S and obtains SK, and with SK it decrypts the cookie value of PassCookie and obtains Passwd. The server compares the Passwd from PassCookie with the Passwd recovered from the part of M3 encrypted under PU_S; if the two values are equal, the server confirms that a legitimate user sent the secure cookies set. Finally, the server verifies the validity of the certificate in the cookie value of CertCookie, and thereby authenticates the client.
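The issuing step of Section 3.2 and the server-side login checks of Section 3.3, as an added example in Go; this is not the authors' Java implementation. It assumes RSA-OAEP for E_{PU_S}, RSA PKCS#1 v1.5 signatures over SHA-256 for SIG_{PR_S} and H, AES-256-GCM in place of the DES used by the prototype, a fixed 8-byte T_S, and raw public-key bytes standing in for the client certificate in CertCookie; the names Issue, ClientLogin and ServerVerifyLogin are this example's own.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Secure cookies set of Section 3.1; CertCookie holds raw public-key bytes standing in for Cert_C.
type SecureCookies struct {
	CertCookie []byte // stand-in for the client certificate (assumption of this example)
	PassCookie []byte // E_SK(Passwd), AES-256-GCM in place of the prototype's DES
	KeyCookie  []byte // E_PUS(SK), RSA-OAEP
	SealCookie []byte // SIG_PRS(H(CertCookie || PassCookie || KeyCookie)), RSA PKCS#1 v1.5 over SHA-256
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func hashCookiesSet(c *SecureCookies) []byte { // H(cookies set): the digest that SealCookie signs
	d := sha256.Sum256(bytes.Join([][]byte{c.CertCookie, c.PassCookie, c.KeyCookie}, nil))
	return d[:]
}

// gcm returns E_SK/D_SK under a 32-byte SK.
func gcm(sk []byte) cipher.AEAD {
	block, err := aes.NewCipher(sk)
	check(err)
	g, err := cipher.NewGCM(block)
	check(err)
	return g
}

// Issue builds M4 once the server has verified M3 and holds Passwd and SK (Section 3.2).
func Issue(srv *rsa.PrivateKey, clientPub, passwd, sk []byte) *SecureCookies {
	g := gcm(sk)
	nonce := make([]byte, g.NonceSize())
	_, err := rand.Read(nonce)
	check(err)
	c := &SecureCookies{CertCookie: clientPub, PassCookie: g.Seal(nonce, nonce, passwd, nil)}
	c.KeyCookie, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.PublicKey, sk, nil)
	check(err)
	c.SealCookie, err = rsa.SignPKCS1v15(rand.Reader, srv, crypto.SHA256, hashCookiesSet(c))
	check(err)
	return c
}

// ClientLogin forms the encrypted part of M3 (Section 3.3): E_PUS(TS || Passwd); TS is 8 bytes (assumption).
func ClientLogin(srvPub *rsa.PublicKey, ts, passwd []byte) []byte {
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, srvPub, append(append([]byte{}, ts...), passwd...), nil)
	check(err)
	return enc
}

// ServerVerifyLogin runs the server-side checks of Section 3.3 in the order the text gives them.
func ServerVerifyLogin(srv *rsa.PrivateKey, issuedTS, enc []byte, c *SecureCookies) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srv, enc, nil)
	if err != nil || len(pt) < len(issuedTS) {
		return errors.New("M3: cannot decrypt")
	}
	if subtle.ConstantTimeCompare(pt[:len(issuedTS)], issuedTS) != 1 {
		return errors.New("M3: TS differs from the one sent in M2 (replay)")
	}
	if rsa.VerifyPKCS1v15(&srv.PublicKey, crypto.SHA256, hashCookiesSet(c), c.SealCookie) != nil {
		return errors.New("SealCookie: cookies set forged or not issued by this server")
	}
	sk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, srv, c.KeyCookie, nil)
	if err != nil || len(sk) != 32 {
		return errors.New("KeyCookie: cannot recover SK")
	}
	g := gcm(sk)
	if len(c.PassCookie) < g.NonceSize() {
		return errors.New("PassCookie: too short")
	}
	stored, err := g.Open(nil, c.PassCookie[:g.NonceSize()], c.PassCookie[g.NonceSize():], nil) // D_SK
	if err != nil || subtle.ConstantTimeCompare(stored, pt[len(issuedTS):]) != 1 {
		return errors.New("PassCookie: Passwd does not match")
	}
	return nil // validity of the certificate in CertCookie would be checked last
}

func main() {
	srv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	sk := sha256.Sum256([]byte("constructed demo SK")) // constructed; generate SK randomly in practice
	ts := []byte("20021216")                           // constructed 8-byte T_S
	c := Issue(srv, []byte("constructed client key bytes"), []byte("Passwd"), sk[:])
	fmt.Println("login:", ServerVerifyLogin(srv, ts, ClientLogin(&srv.PublicKey, ts, []byte("Passwd")), c))
}
```

The checks run in the order the text gives them: freshness of T_S first, then SealCookie, then SK and Passwd. SealCookie is checked here with the signature verification operation rather than by re-signing the hash and comparing, as Section 3.3 describes; the re-sign-and-compare form works only for a deterministic signature scheme such as PKCS#1 v1.5 and would fail with a randomized one such as RSA-PSS. The cookies set is hashed as a plain concatenation, matching the paper's H(CertCookie||···||KeyCookie); a deployment should length-prefix the fields so that two different cookies sets cannot hash to the same string.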
3.4 The Security of Proposed Secure Cookies Set
We assume that all cryptographic techniques used in this paper are secure against the attackers' strength. The proposed secure cookies set provides the following security services:
– Mutual Authentication: Whenever a secure cookies set is issued and whenever a user wants to log in, the client and server exchange their public key certificates and verify them. Hence the proposed scheme solves the key verification problem of Park's scheme [6].
– Confidentiality: The cookie values in the cookies set can be encrypted with SK.
– Integrity: A cryptographic one-way hash function is applied to generate the cookie value of SealCookie.
– Originator Authentication: A digital signature is applied to generate the cookie value of SealCookie. Hence the signer of the cookie value of SealCookie is uniquely identified.

We can also counter the security threats introduced in Section 2.1:
– Network threat: Because of confidentiality, integrity and originator authentication, the cookies are protected against the network threat. Moreover, because the timestamp value of Fig. 4 is used, an attacker cannot replay a login message.
– End-system threat: An attacker cannot modify the cookies, but can copy them elsewhere (for example, to the attacker's hard drive). However, to impersonate the original owner of the cookies, the attacker would need the user's password Passwd.
– Cookie-harvesting threat: To learn the plaintext of the cookie values, an attacker would need the private key of the server. Further, to reuse collected cookies for malicious purposes, the attacker would need the user's password Passwd.

In the proposed scheme, through the use of public key certificates, each communicating entity can authenticate the other and verify the authenticity of its public key directly from its certificate. And through Passwd, the proposed scheme prevents an attacker from using the cookies for undue profit.
4 Extension of Secure Cookies Set
In this section, we extend the functionality of the secure cookies set introduced in Section 3.

4.1 Authenticated Session Tracking in Single-Server
When a user moves from one web page to another on a single server, or opens a new connection in the same HTTP session (for example, by pressing "Ctrl+N" in the Internet Explorer browser), cookies can be used for session tracking. After the login procedure of Fig. 4, the server issues STCookie and sends it to the client together with the web page. Fig. 5 shows the procedure of authenticated session tracking on a single server. STCookie is used only for session tracking and only during a single session of short duration. The cookie value of STCookie is

SI || CDN || VP || SIG_{PR_S}(H(SI || CDN || VP))

Fig. 5. The procedure of authenticated session tracking in single server
– SI: The HTTP session information.
– CDN: The DN (Distinguished Name) in the certificate of the client.
– VP: The valid period of STCookie. If the valid period is too short, a replay attack is unlikely, but the user has to perform the login procedure frequently. If the valid period is too long, the user is spared frequent logins, but the possibility of a replay attack increases.

Fig. 6. Authenticated login in multi-server through CrossCookie

4.2 An Authenticated Login in Multi-server
If there are several servers in the same Internet domain, a client can securely move, or gain access, from one server to another by using the cryptographic cookies. We make the following three assumptions. First, a client has securely logged in to a server through our scheme. Second, there are several servers (S_i, where 1 ≤ i ≤ n) in the same Internet domain; for example, a.paper.net, b.paper.net and c.paper.net are servers in the same Internet domain paper.net. Third, the servers in the same Internet domain trust each other, that is, each server knows the public keys of the others. When a client wants to move from one server (S_i) to another (S_j), in practice by clicking a hyperlink to a web page of S_j, the client can simply log in to S_j through CrossCookie. Fig. 6 shows the use of CrossCookie when a client moves from S_1 to S_2 via a hyperlink on a web page of S_1. Through CrossCookie, a client can securely move (or log in) from S_1 to S_2. The value of CrossCookie is

S_iDN || S_jDN || CDN || VP || SIG_{PR_Si}(H(S_iDN || S_jDN || CDN || VP))

– S_iDN: The certificate DN (Distinguished Name) of S_i, the server to which the client is currently connected, where 1 ≤ i ≤ n.
– S_jDN: The certificate DN of S_j, the server to which the client wants to connect, where 1 ≤ j ≤ n.
– CDN: The certificate DN of the client.
– VP: The valid period of CrossCookie. It is much shorter than that of STCookie, since the time a client needs to move to a different server is very short.
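CrossCookie issuance at S_i and its verification at S_j, as an added example in Go that is not the authors' implementation. It assumes RSA PKCS#1 v1.5 signatures over SHA-256 for SIG_{PR_Si} and H, that the four fields are joined with "|" before hashing (so DNs must not contain that character), that VP is an expiry instant written in RFC 3339 form, and that each server holds a table of its peers' public keys, as Section 4.2 assumes; the DNs a.paper.net and b.paper.net follow the paper's example domain, and the names Server, CrossCookie, IssueCross and VerifyCross are this example's own. STCookie of Section 4.1 is verified in the same way, with SI in place of the two server DNs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Server is one of the mutually trusting servers S_i of a domain (Section 4.2).
type Server struct {
	DN  string          // certificate DN of the server
	Key *rsa.PrivateKey // PR_Si
}

// CrossCookie carries S_iDN || S_jDN || CDN || VP || SIG_PRSi(H(S_iDN || S_jDN || CDN || VP)).
// Fields are joined with "|" before hashing (DNs are assumed not to contain it) and VP is an
// expiry instant; both are assumptions of this example.
type CrossCookie struct {
	SiDN, SjDN, CDN string
	VP              time.Time
	Sig             []byte
}

// signedPart is the byte string whose SHA-256 digest is signed.
func (c *CrossCookie) signedPart() []byte {
	return []byte(c.SiDN + "|" + c.SjDN + "|" + c.CDN + "|" + c.VP.UTC().Format(time.RFC3339))
}

// IssueCross is run by S_i when the logged-in client follows a hyperlink to S_j.
func IssueCross(si *Server, sjDN, cdn string, now time.Time, valid time.Duration) (*CrossCookie, error) {
	c := &CrossCookie{SiDN: si.DN, SjDN: sjDN, CDN: cdn, VP: now.Add(valid)}
	h := sha256.Sum256(c.signedPart())
	sig, err := rsa.SignPKCS1v15(rand.Reader, si.Key, crypto.SHA256, h[:])
	c.Sig = sig
	return c, err
}

// VerifyCross is run by S_j: the cookie must name S_j as destination, still be inside VP, and
// carry a valid signature from the peer it names as S_i. peers maps a server DN to PU_Si.
func VerifyCross(sj *Server, peers map[string]*rsa.PublicKey, c *CrossCookie, now time.Time) error {
	if c.SjDN != sj.DN {
		return errors.New("CrossCookie was issued for a different server")
	}
	if now.After(c.VP) {
		return errors.New("CrossCookie valid period VP has expired")
	}
	pub, ok := peers[c.SiDN]
	if !ok {
		return errors.New("issuing server is not a trusted peer")
	}
	h := sha256.Sum256(c.signedPart())
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], c.Sig) != nil {
		return errors.New("CrossCookie signature invalid: altered, or not signed by S_i")
	}
	return nil
}

func main() {
	ka, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	kb, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	a := &Server{DN: "CN=a.paper.net", Key: ka} // DNs constructed from the paper's example domain
	b := &Server{DN: "CN=b.paper.net", Key: kb}
	peers := map[string]*rsa.PublicKey{a.DN: &ka.PublicKey, b.DN: &kb.PublicKey}
	now := time.Date(2002, 12, 16, 9, 0, 0, 0, time.UTC) // constructed clock, not time.Now()
	c, err := IssueCross(a, b.DN, "CN=client", now, 30*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Println("at b within VP:", VerifyCross(b, peers, c, now.Add(10*time.Second)))
	fmt.Println("at b after VP: ", VerifyCross(b, peers, c, now.Add(2*time.Minute)))
}
```

The three checks run cheapest first: destination DN, then VP against the verifier's clock, then the signature. Binding S_jDN into the signed data is what stops a CrossCookie issued for b.paper.net from being presented at c.paper.net, and the short VP bounds the window in which a copied cookie (the end-system threat of Section 2.1) remains usable.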
5 An Implementation of Secure Cookies Set
In this section, we introduce an implementation of the secure cookies set and report its performance.

5.1 The Implementation Environment
For the implementation, the following environment was used.
– Language: Java (JDK 1.3), JSP, CryptixJCE, Java Web Start V1.01
– Hardware: Pentium III 866 MHz, 256 MB RAM
– Web Server: Apache 1.3.19 (for Win32), Jakarta Tomcat (3.2.1)
– Network: LAN
– Cryptographic Algorithm
  • Public key algorithm: RSA, 1024 bit
  • One way hash function: MD5
  • Symmetric key algorithm: DES
HTML and JSP were used for the implementation of the server side, and Java Web Start was used for the implementation of the client side. Additionally, we use self-signed certificates for the client and the server, respectively [2],[4],[5],[7].

5.2 The Implementation Result and Performance
When a user connects to a web page of a server and moves to the web page for issuing cookies, the cookie-issuing program is executed automatically on the client. The user inputs his/her real name, which must be the same as the one in the DN of his/her certificate, and two passwords for a login. One is the password (Passwd) used by the server to identify the user, and the other is for using his/her private key corresponding to the public key in his/her certificate. After completing the issuing procedure, the client holds a secure cookies set on the local hard drive. When the user tries to log in to the server, the login program is executed automatically on the client. In this case, the user inputs only the password (Passwd), which is used by the server to identify the user and to defend against the cookie threats introduced in Section 2.1. After completing the login procedure, the user is logged in to the server. Fig. 7 shows the two programs used by the client. Fig. 8 shows the secure cookies set stored on the client's local hard drive.

Fig. 7. User agent program for issuing secure cookies set and login

Fig. 8. Secure cookie set which is stored on user's local hard drive

We compared the performance of SSL (Secure Socket Layer) with that of the implementation of the proposed scheme. To analyze the performance, we used the SSL of JSSE 1.0.2 with a full handshake and client-server mutual authentication [7]. Table 1 shows the result of the performance comparison.
Table 1. The performance comparison of SSL and the proposed scheme
Time for issuing secure cookies set              6.125 sec
Time for login through secure cookies set        5.796 sec
Time for establishing a connection through SSL   7.721 sec
6 Summary and Conclusion
In this paper, we presented a solution to the inherent security threats against cookies, and designed a new cookies set which provides confidentiality, integrity and mutual authentication between a server and a client. Moreover, in addition to the basic CertCookie, PassCookie and KeyCookie, the administrator of a server can generate new cookies and securely add them as needed through encryption with SK. Our scheme also provides authenticated session tracking on a single server and authenticated login across different servers in the same Internet domain. By storing user-related information in cookies instead of in a database on the server, the maintenance cost of the server can be reduced.
References
[1] http://www.certcc.or.kr/advisory/ka2000/ka2000-041.html
[2] http://www.cryptix.org/products/jce/index.html
[3] http://www.netscape.com/newsref/std/cookie_spec.html
[4] http://java.sun.com/products/javawebstart/developers.html
[5] http://java.sun.com/products/jsp/download.html
[6] Joon S. Park and Ravi Sandhu, "Secure Cookies on the Web", IEEE Internet Computing, Vol. 4, No. 4, July-Aug. 2000
[7] Scott Oaks, "Java Security, 2nd Edition", O'Reilly, 2001
[8] V. Khu-smith and C. J. Mitchell, "Enhancing the security of cookies", in: K. Kim (ed.), Information Security and Cryptology - ICISC 2001 - Proceedings of the 4th International Conference, Seoul, Korea, December 2001, Springer-Verlag (LNCS 2288), Berlin (2002), pp. 132-145
A Certified E-mail System with Receiver's Selective Usage of Delivery Authority
Kenji Imamoto and Kouichi Sakurai
Kyushu University, Fukuoka, Japan
[email protected], [email protected]
Abstract. Certified E-mail protocols can be divided into on-line protocols and optimistic protocols according to how they use a third party, which we call the "Delivery Authority". An on-line protocol can realize send-and-forget. It has the drawback, however, that the cost to the Delivery Authority becomes large, because users always access the Delivery Authority in the middle of the protocol. On the other hand, when an optimistic protocol is used, there is little cost to the Delivery Authority, because users access it only when a problem occurs; however, send-and-forget is unrealizable. Either protocol may be inconvenient depending on the situation. In conventional systems, however, the sender selects which protocol to use according to the sender's convenience. In this paper, we propose a new system containing both our proposed on-line protocol and our proposed optimistic protocol, between which the receiver can choose freely. By this mechanism, a receiver can choose the usage of the Delivery Authority freely at that time, after taking into consideration the necessity and the situation of the Delivery Authority and the sender.
Keywords: certified e-mail, receiver's selective protocols, non-repudiation, electronic commerce
1 Introduction
As more commerce moves online, contracts are moving online as well. Offline, many contracts are signed face-to-face. Online, by default, the parties signing a contract cannot be reasonably sure that the other parties are who they claim to be, that the wording of the contract has indeed been agreed upon by all parties, and that everyone has signed the contract. When two parties are connected to each other via a possibly unreliable network, ensuring fairness becomes a serious problem. A variant of the contract signing problem is the certified mail problem [Mo01]. Here, Alice is sending mail to Bob, and she wants some evidence that Bob received the mail. The certified mail problem is the fair exchange problem of a mail and a receipt. Some E-mail programs have a function by which a sender asks the receiver to return a receipt for the E-mail. This function is useless, however, when the sender cannot trust the receiver, since it is up to the receiver to decide whether or not to return the receipt. The function should be realized even when the parties cannot trust each other. Fairness is the most important property in this problem. A protocol with fairness should terminate either with each party having obtained the desired information, or with neither party acquiring any useful information. In other words, fairness means that the following does not happen: the receiver receives the E-mail but the sender cannot receive the receipt, or the sender receives the receipt but the receiver cannot receive the E-mail. Fairness is also one of the most important properties in electronic commerce [Mo01]. To solve this certified mail problem, systems called Certified E-mail have been proposed.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 326–338, 2002. © Springer-Verlag Berlin Heidelberg 2002

1.1 Related Work
Many Certified E-mail systems have been proposed, and some systems are commercialized [Cer98]. Moreover, through governmental deregulation in various countries, legal documents such as bills, coupons and salary statements can now also be distributed by electronic means, so this kind of system is growing further in importance. For efficiency, almost all Certified E-mail systems include a third party as a mediator. We call this third party the Delivery Authority. The Delivery Authority takes part in the system in order to ensure the fairness of the contract. Protocols that do not use any third party have also been proposed [Mar78]; however, their efficiency, in terms of the number of communication rounds and the computation, is poor, and there are also some open questions about their security. They are therefore not practical methods. Besides fairness, such systems have other important requirements, such as authentication, confidentiality, integrity, non-repudiation and efficiency. Moreover, there is a manner of operation called send-and-forget: after sending an E-mail, the sender need not wait for the receiver's reply, and the receiver can read the E-mail without the sender's help. Certified E-mail protocols can be distinguished into two kinds according to how they use the Delivery Authority: on-line protocols and optimistic protocols. In an on-line protocol, the Delivery Authority must be used in the middle of the protocol; in an optimistic protocol, the Delivery Authority is used only in case of dispute [ASW98]. In an optimistic protocol, after the sender sends a message, several messages must be exchanged between the sender and the receiver, so both of them must wait for the partner's reply. Therefore, send-and-forget cannot be realized by any optimistic protocol.

In an on-line protocol, because the Delivery Authority is used in the middle of the protocol as the delivery channel, the cost of communication or computation for the Delivery Authority becomes large. In return, this kind of protocol can realize send-and-forget, since the sender can leave the execution of the protocol to the Delivery Authority after sending a message.
In the conventional on-line protocol, the system sends the whole message to the Delivery Authority. For example, at Certifiedmail.com, which offers a commercial E-mail service with delivery guarantee [Cer98], a sender creates a message and transmits it to the partner through the company's website. After sending the message, the sender can visit the site of Certifiedmail.com and check whether the receiver has received the E-mail or not. The receiver receives a message announcing the arrival of a Certified E-mail and goes to the site of Certifiedmail.com via the URL given in that message. Thus, although there is no problem when the mail is small, when the transmitted file is large the communication burden on the Delivery Authority also becomes too large [HPS01]. This problem often occurs when dealing in digital content. The same problem arises when the Delivery Authority is used frequently (for example, when the number of users grows). The system of Abadi et al. [AGHP02] solved this problem: in their system, the amount of communication transmitted to the Delivery Authority is not proportional to the size of the transmitted message but to the number of uses of the service. Since the message itself is not transmitted to the Delivery Authority, the amount of communication with the Delivery Authority can be reduced. As explained above, an on-line protocol has some advantages, but the cost to the Delivery Authority poses a problem. On the other hand, an optimistic protocol has the advantage that there is little cost to the Delivery Authority, but send-and-forget cannot be realized. That is, an on-line protocol is a system that is easy for the user, whereas an optimistic protocol is a system in which the Delivery Authority is easy to arrange.

1.2 Our Result
The realization of send-and-forget is one of the greatest advantages of traditional mail. In an on-line protocol, however, the cost to Delivery Authority becomes large. Moreover, when Delivery Authority cannot be accessed, an on-line protocol cannot be executed at all. In this paper we therefore propose both a new on-line protocol and a new optimistic protocol, and construct a system from them in which a receiver can choose which protocol to use. Both proposed protocols have the following characteristics, so that a receiver can decide whether to make use of Delivery Authority:
– The first communication is sent from a sender to a receiver.
– The contents of the first communication are the same in the proposed on-line protocol and in the proposed optimistic protocol.
– The same receipt is obtained by both the proposed on-line protocol and the proposed optimistic protocol.
We make the proposed system as simple as possible in order to realize these characteristics. When a sender or a receiver does not send a reply in an optimistic protocol, the other side has to wait for a long time, so [AMG01, MK01] need to guarantee timeliness (this property guarantees that
an exchange is finished within a finite time). Our system has both the on-line protocol and the optimistic protocol, so when the reply of a sender or a receiver is late, the other side can leave processing to Delivery Authority. Therefore timeliness is not necessary, since neither a sender nor a receiver needs to wait for a long time, and a simple optimistic protocol can be realized in our system. The proposed optimistic protocol is based on [AMG01]; thereby the same receipt is obtained in both the proposed on-line protocol and the proposed optimistic protocol. Moreover, in the proposed on-line protocol the whole message is not sent to Delivery Authority, which reduces the amount of communication to Delivery Authority. This method is based on [AGHP02, IS02, AMG01]. The proposed optimistic protocol can be used for free, whereas a user is charged when the proposed on-line protocol is used. Therefore a receiver who wants to read mail immediately selects the on-line protocol, and a receiver who is seldom in a hurry selects the optimistic protocol, so that too large a cost to Delivery Authority is prevented. Moreover, in our system it is possible to change protocol when the first selected protocol goes wrong along the way. With these characteristics, a receiver can select the protocol to be used according to the situation of the sender or of Delivery Authority.

Comparison
In [AGHP02, MK01, IS02], a receipt is sometimes guaranteed by the signature of Delivery Authority. In our system, however, the signature of Delivery Authority is never necessary, so TTP invisibility [AR02] is satisfied (a TTP is visible if the end result makes it obvious that the TTP participated in the protocol). The system of [AR02] needs an encryption key to be generated in advance by Delivery Authority; in our system no such preparation is necessary.
Furthermore, four communications are required in [AGHP02, AMG01, AR02, MK01, IS02], whereas the proposed optimistic protocol needs only three. The following sections explain the proposed system concretely.
2 Preliminaries
Model and Assumptions
In this protocol three parties exist: a sender, a receiver, and Delivery Authority. A sender sends certified e-mail to a receiver, and both use Delivery Authority as an intermediary of the protocol. The encryption technologies used between the entities (symmetric key encryption, public key encryption, a hash function, a digital signature scheme, etc.) are assumed to be known to all of them. Each entity has a public key pair, and the entities know each other's public keys. Both a sender and a receiver need a signature key; Delivery Authority, however, does not. The channel between each pair of entities is assumed to be private and authenticated.
Notations
We use the following notation to describe the protocols.
M: message
cleartext: a text which explains the message M
S: identifier of a sender
R: identifier of a receiver
D: identifier of Delivery Authority
K: a session key generated at random by a sender
H(·): hash function
E_K(·): symmetric encryption with the session key K
E_D(·): asymmetric encryption with the public key of Delivery Authority
E_R(·): asymmetric encryption with the public key of a receiver
SIG_D(·): digital signature with the signature key of Delivery Authority
SIG_S(·): digital signature with the signature key of a sender
SIG_R(·): digital signature with the signature key of a receiver
C := E_K(M), the message M encrypted with the session key K
t := E_D(S, R, E_R(K))
When an entity signs the message M or the encrypted message C, it signs a hash value instead of the message itself.
3 Requirements
There are some desirable properties for certified e-mail. This section defines these properties.
Fairness: Both a sender and a receiver obtain the result each desires, or neither of them does.
Authentication: A communication partner is certainly the intended partner.
Confidentiality: A message cannot be read by a third party.
Integrity: An attacker cannot forge a message in the middle of a protocol.
Non-repudiation: No party can withdraw its support from a contract after the protocol is over.
Efficiency: A protocol can be performed with the fewest possible computations, the fewest possible communication rounds, and the smallest possible amount of communication.
Fairness is the most important property in certified e-mail. Non-repudiation has two variants. One is non-repudiation of receipt, which guarantees that a receiver cannot later deny having received the mail. The other is non-repudiation of origin, which guarantees that a sender cannot later deny having sent the mail [MK01, KM01].
4 The Proposed System
In an on-line protocol, a receiver can read a message without the sender's help. A receiver cannot, however, execute an on-line protocol at all
when Delivery Authority cannot be used. In the optimistic protocol, on the other hand, communication is usually performed only between a sender and a receiver; both can execute it without involving Delivery Authority (although no problem can be solved while Delivery Authority is unusable). The optimistic protocol, however, cannot be executed when a receiver tries to read a message while the sender is off-line. So whether a protocol can be executed depends on the situation of the sender and of Delivery Authority at the time the receiver tries to read the message. Therefore a receiver should be able to select a protocol. In this section we propose two protocols for certified e-mail, the on-line protocol and the optimistic protocol. The system flow is as follows: a sender first sends a communication to a receiver, and then the receiver decides which protocol to use according to the situation of the sender and of Delivery Authority at the time of reading the message, or according to his own demand. The contents of the first communication from the sender to the receiver are the same in the on-line protocol and in the optimistic protocol; therefore the receiver can select the protocol to be used. There is, however, a possibility that only the on-line protocol would be used even when neither the sender nor the receiver needs send-and-forget very much, which causes too large a cost to Delivery Authority. So certified e-mail with our proposed optimistic protocol can be used for free, whereas certified e-mail with the on-line protocol carries a charge. Consequently, a receiver who wants to realize send-and-forget uses the proposed on-line protocol, and a receiver who does not need send-and-forget very much uses the optimistic protocol; therefore the cost to Delivery Authority can be reduced. Moreover, when Delivery Authority cannot easily be reached, the optimistic protocol can be selected.
Therefore, the proper use of a protocol according to the situation of Delivery Authority is also possible. In this section we also consider whether the proposed system achieves the requirements defined in section 2, and the trust that must be placed in Delivery Authority, the intermediary of the protocol.

4.1 On-Line Protocol
Here we explain the system with our proposed on-line protocol. Neither a sender nor a receiver sends the mail itself to Delivery Authority; therefore the amount of communication costs little. Moreover, since the session key is encrypted with the receiver's public key in addition to the public key of Delivery Authority, confidentiality is maintained even against Delivery Authority. Furthermore, since Delivery Authority is not involved in generating a receipt, nobody can forge a receipt. The number of communication rounds is four, and send-and-forget is realized.

Protocol
The concrete procedure of our proposed on-line protocol is as follows (see Fig. 1).
1. A sender generates the session key K at random and transmits S, D, C, t, cleartext, and SIG_S(R, C, t) to a receiver.
2. The receiver verifies the signature SIG_S(R, C, t). If it is correct, he signs it and sends C, t, and SIG_R(SIG_S(R, C, t)) to Delivery Authority.
3. Delivery Authority decrypts the messages of (2) and verifies the signatures. If they are correct, Delivery Authority sends E_R(K) to the receiver. Moreover, Delivery Authority sends SIG_R(SIG_S(R, C, t)) to the sender as a receipt.
4. The receiver decrypts the message M from C using the session key K.
Fig. 1. On-line protocol. Message flow: (1) Sender → Receiver: S, D, C, t, cleartext, SIG_S(R, C, t); (2) Receiver → Delivery Authority: C, t, SIG_R(SIG_S(R, C, t)); (3) Delivery Authority → Receiver: E_R(K); (3) Delivery Authority → Sender: SIG_R(SIG_S(R, C, t)).

Analysis of Properties
Here we analyze the requirements defined in section 2.
Fairness: When a receiver wants to read a message, he must transmit SIG_R(SIG_S(R, C, t)) to Delivery Authority. Delivery Authority then sends the receipt to the sender when it sends E_R(K) to the receiver. Therefore neither a sender nor a receiver can run away with the partner's data, and fairness is maintained.
Authentication: In this protocol, the exchange of the session key and the receipt needs the signatures of both the sender and the receiver, so authentication is performed; even Delivery Authority cannot impersonate another entity.
Confidentiality: When a message is sent from a sender to a receiver, it is encrypted with the session key K, and K is encrypted with the public keys of both Delivery Authority and the receiver. Thus confidentiality is maintained against a third party (even Delivery Authority).
Integrity: The sender has signed the encrypted message C together with the identifier of the receiver. Therefore, if a third party forges the contents of a communication, anyone can detect the attack, and integrity is maintained.
Non-repudiation: SIG_R(SIG_S(R, C, t)) proves that the receiver has indeed received the message. If the receiver claims "I have not received the message", this receipt shows the claim to be false. Moreover, the receiver can similarly prove with this receipt that the sender indeed created the message M.
Efficiency: This protocol does not transmit the whole message to Delivery Authority. Therefore the amount of communication between Delivery Authority and the sender/receiver is small.
Send-and-forget: Send-and-forget is realized, because after transmitting the mail to the receiver, all a sender has to do is wait until SIG_R(SIG_S(R, C, t)) arrives from Delivery Authority.
Our protocol prevents a third party (including Delivery Authority) from breaking authentication, confidentiality, integrity and non-repudiation. Fairness can, however, be broken by collusion between a sender or a receiver and Delivery Authority. We consider this problem next.

Malicious Delivery Authority
Many certified e-mail protocols assume that Delivery Authority is not malicious. It is, however, difficult to arrange a completely trusted Delivery Authority, and many requests concentrate on a few Delivery Authorities. So in this protocol we consider a little-trusted Delivery Authority and propose countermeasures.
– The attack by Delivery Authority alone: The session key is encrypted with the public keys of both Delivery Authority and the receiver, so Delivery Authority cannot recover the message even if it taps the first communication; confidentiality is maintained against this attack. Moreover, impersonation and forgery of a receipt are impossible because a receipt needs the signatures of the sender and the receiver.
– The attack by collusion between Delivery Authority and a sender: Fairness is broken in the following scenario: the session key is not returned by Delivery Authority although the receiver has sent SIG_R(SIG_S(R, C, t)) to Delivery Authority. The receiver can, however, detect this attack immediately and take the case to court, showing SIG_R(SIG_S(R, C, t)) as evidence of origin.
– The attack by collusion between Delivery Authority and a receiver: When Delivery Authority sends E_R(K) to the receiver but does not send SIG_R(SIG_S(R, C, t)) to the sender, the receiver can read the message although the sender cannot get a receipt. Fairness is therefore broken in this case. Moreover, the sender cannot easily detect this attack (he cannot distinguish it from the receiver's rejection of the message).
As explained above, Delivery Authority cannot succeed in any attack on its own, including tapping, impersonation, and forgery of a receipt. Furthermore, a receipt never needs the signature of Delivery Authority, so forgery of a receipt cannot succeed even if Delivery Authority and a sender or a receiver cooperate. Fairness can, however, be broken when Delivery Authority and a sender or a receiver cooperate. Because a sender cannot easily detect collusion between Delivery Authority and a receiver, this attack is especially dangerous. This malicious Delivery Authority problem can be prevented by using secret sharing over multiple Delivery Authorities. The more Delivery Authorities are used, the higher the cost; the number of Delivery Authorities to be used depends on the importance of the mail.
4.2 Optimistic Protocol
Here we explain the proposed system using the optimistic protocol. Delivery Authority is used only when a problem occurs in this protocol, so the cost to Delivery Authority is low when problems are rare. Confidentiality is protected even against Delivery Authority in this optimistic protocol, as in the on-line protocol proposed in section 3.2. Because both a sender and a receiver must wait for the other's reply, send-and-forget cannot be realized. A receiver can, however, change to the on-line protocol along the way when this optimistic protocol goes wrong. Usually an optimistic protocol requires timeliness [AMG01, KM01, MK01]. In our proposed optimistic protocol, however, a receiver can use the on-line protocol when the sender is off-line. This means that a sender does not need to wait for a long time, so timeliness is unnecessary. Therefore a very simple protocol with only three communications is enough. Moreover, in this optimistic protocol the signature of Delivery Authority is unnecessary in every case, so TTP invisibility is achieved [AR02]. Whichever of our proposed on-line and optimistic protocols a receiver chooses, he obtains the same result (the receipt).

Protocol
The concrete procedure of the proposed optimistic protocol is as follows (see Fig. 2).
1. A sender generates the session key K at random and transmits S, D, C, t, cleartext, and SIG_S(R, C, t) to a receiver.
2. The receiver verifies the signature SIG_S(R, C, t). If it is correct, he signs it and sends SIG_R(SIG_S(R, C, t)) to the sender.
3. The sender verifies the signatures. If they are correct, he sends E_R(K) to the receiver.
4. The receiver decrypts the message M from C using the session key K.
When a problem occurs (for example, the receiver sends communication (2) to the sender and the sender does not promptly return communication (3)), the receiver can use the proposed on-line protocol to resolve it.
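The two protocols above, run on one and the same first communication so that a receiver can still pick either path, as an added Go example that is not part of the paper. It assumes Ed25519 for SIG, RSA-OAEP for E_D and E_R, AES-128-GCM for E_K, string identifiers joined with a zero byte inside t, a directory that lets Delivery Authority map the S and R found in t to signature keys, and that the receiver forwards SIG_S(R, C, t) together with the receipt so the nested signature can be verified.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is a sender, a receiver or Delivery Authority (DA); all get both key pairs, but DA's signature key is never used (as in the paper).
type Party struct {
	ID     string
	SigPub ed25519.PublicKey
	sigPrv ed25519.PrivateKey
	encPrv *rsa.PrivateKey
}
// NewParty makes keys. DA needs a larger RSA modulus because t = E_D(S, R, E_R(K)) wraps
// a whole E_R(K) in one OAEP block (a real system would use hybrid encryption here).
func NewParty(id string, bits int) *Party {
	p := &Party{ID: id}
	p.SigPub, p.sigPrv, _ = ed25519.GenerateKey(rand.Reader)
	p.encPrv, _ = rsa.GenerateKey(rand.Reader, bits)
	return p
}
// Signatures cover a hash of the joined parts (as the paper prescribes); pkEnc/pkDec are E_X(.) with RSA-OAEP; gcm gives E_K(.) with AES-128-GCM, 12-byte nonce prefixed to C.
func digest(parts ...[]byte) []byte { h := sha256.Sum256(bytes.Join(parts, []byte{0})); return h[:] }
func (p *Party) sign(parts ...[]byte) []byte { return ed25519.Sign(p.sigPrv, digest(parts...)) }
func verify(pub ed25519.PublicKey, sig []byte, parts ...[]byte) bool { return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, digest(parts...), sig) }
func pkEnc(x *Party, m []byte) []byte { c, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, &x.encPrv.PublicKey, m, nil); return c }
func (p *Party) pkDec(c []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), nil, p.encPrv, c, nil) }
func gcm(k []byte) cipher.AEAD { b, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(b); return g }
// FirstMsg is communication (1), identical in both protocols; that is what lets the receiver choose the on-line or the optimistic path after it has arrived.
type FirstMsg struct {
	S, D                  string
	C, T, Cleartext, SigS []byte // C = E_K(M), t = E_D(S, R, E_R(K)), SIG_S(R, C, t)
}
// Send is step (1) of both protocols; the sender keeps K for the optimistic path.
func (s *Party) Send(r, d *Party, m, cleartext []byte) (*FirstMsg, []byte) {
	k, n := make([]byte, 16), make([]byte, 12)
	rand.Read(k)
	rand.Read(n)
	c := gcm(k).Seal(n, n, m, nil)
	t := pkEnc(d, bytes.Join([][]byte{[]byte(s.ID), []byte(r.ID), pkEnc(r, k)}, []byte{0}))
	return &FirstMsg{s.ID, d.ID, c, t, cleartext, s.sign([]byte(r.ID), c, t)}, k
}
// Receipt is step (2) of both protocols: check SIG_S(R, C, t), then sign it.
func (r *Party) Receipt(fm *FirstMsg, sPub ed25519.PublicKey) ([]byte, error) {
	if !verify(sPub, fm.SigS, []byte(r.ID), fm.C, fm.T) {
		return nil, errors.New("bad sender signature")
	}
	return r.sign(fm.SigS), nil
}
// Answer is step (3) of the optimistic protocol: the sender itself releases E_R(K).
func (s *Party) Answer(r *Party, fm *FirstMsg, receipt, k []byte) ([]byte, error) {
	if !verify(r.SigPub, receipt, fm.SigS) {
		return nil, errors.New("bad receipt")
	}
	return pkEnc(r, k), nil
}
// Online is step (3) of the on-line protocol, run by DA: decrypt t, map the S and R named in it to signature keys (keys is an assumed directory),
// verify both signatures (the receiver forwards SIG_S so the nesting can be checked), then release E_R(K) for the receiver and the receipt for the sender.
func (d *Party) Online(keys map[string]ed25519.PublicKey, c, t, sigS, receipt []byte) ([]byte, []byte, error) {
	plain, err := d.pkDec(t)
	if err != nil {
		return nil, nil, err
	}
	f := bytes.SplitN(plain, []byte{0}, 3) // S, R, E_R(K); only the IDs are zero-free
	if len(f) != 3 || !verify(keys[string(f[0])], sigS, f[1], c, t) || !verify(keys[string(f[1])], receipt, sigS) {
		return nil, nil, errors.New("signature check failed")
	}
	return f[2], receipt, nil // DA never learned K or M and signed nothing
}
// Read is step (4) of both protocols: K from E_R(K), then M from C.
func (r *Party) Read(erk []byte, fm *FirstMsg) ([]byte, error) {
	k, err := r.pkDec(erk)
	if err != nil || len(k) != 16 {
		return nil, errors.New("cannot recover K")
	}
	return gcm(k).Open(nil, fm.C[:12], fm.C[12:], nil)
}
// Demo runs step (1) once, then both paths on that same first message (constructed identifiers and message); sameReceipt says the sender holds one receipt either way.
func Demo() (online, optimistic []byte, sameReceipt bool, err error) {
	s, r, d := NewParty("sender@example.org", 2048), NewParty("receiver@example.org", 2048), NewParty("da.example.org", 3072)
	keys := map[string]ed25519.PublicKey{s.ID: s.SigPub, r.ID: r.SigPub}
	fm, k := s.Send(r, d, []byte("constructed message M"), []byte("constructed cleartext"))
	receipt, e1 := r.Receipt(fm, s.SigPub)
	erk, toSender, e2 := d.Online(keys, fm.C, fm.T, fm.SigS, receipt) // receiver -> DA
	online, e3 := r.Read(erk, fm)
	erk, e4 := s.Answer(r, fm, receipt, k) // receiver -> sender; DA not contacted
	optimistic, e5 := r.Read(erk, fm)
	return online, optimistic, bytes.Equal(toSender, receipt), errors.Join(e1, e2, e3, e4, e5)
}
func main() { fmt.Println(Demo()) }
```

Online only decrypts t, verifies, and forwards E_R(K) and the receipt unchanged, which is the property the paper relies on for confidentiality against Delivery Authority and for TTP invisibility.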
Analysis of Properties
Here we analyze the requirements defined in section 2. The proposed optimistic protocol uses the same encryption and signature methods as the proposed on-line protocol, so the two have the same properties regarding authentication, confidentiality, integrity, and non-repudiation. Here we discuss fairness, efficiency and send-and-forget.
Fairness: A receiver must send a receipt to the sender first. If the receiver sends a receipt and the sender does not return E_R(K), the receiver can use the on-line protocol to get the session key. Therefore both the sender and the receiver can get their desired items, and fairness is maintained.
Efficiency: This protocol does not need a public key decryption. Moreover, the number of communication rounds is only three. A sender, however, needs two transmissions (one more than in the proposed on-line protocol). A receiver has the same burden as in the on-line protocol regarding the number of communications and the amount of computation.
Send-and-forget: Send-and-forget cannot be realized, because after transmitting the mail to the receiver, the sender has to wait for the receiver's reply, and similarly the receiver has to wait for the sender's reply. If the sender cannot wait for the receiver, post-processing can be left to Delivery Authority (the receiver then uses the on-line protocol).
Fig. 2. Optimistic protocol. Message flow: (1) Sender → Receiver: S, D, C, t, cleartext, SIG_S(R, C, t); (2) Receiver → Sender: SIG_R(SIG_S(R, C, t)); (3) Sender → Receiver: E_R(K).
4.3 Our Combined Proposed System
The main proposal in this paper is the system which combines the protocols explained in Sections 3.2 and 3.3. In this system, the receipt finally obtained in the proposed on-line protocol is the same as the one in the proposed optimistic protocol. Moreover, both protocols satisfy authentication, confidentiality, integrity, and non-repudiation. As for efficiency, when the on-line protocol is used a sender needs one transmission and one reception, and a receiver needs one transmission and two receptions; when the optimistic protocol is used a sender needs two transmissions and one reception, and a receiver needs one transmission and two receptions. Moreover, there is no great difference in the amount of computation and the amount of communication between the two protocols. Therefore there is little difference in efficiency between the proposed on-line protocol and the proposed optimistic protocol, and a receiver does not need to consider efficiency; he can select a protocol freely, taking only the need for send-and-forget and the situation of Delivery Authority or the sender into consideration. There are two problems when a receipt is valid only with the signature of Delivery Authority [AGHP02, KM01, MK01]. One is forgery of a receipt by a malicious Delivery Authority. The other is that the receipt becomes invalid if the signature of Delivery Authority becomes invalid. In our proposed system, the signature of Delivery Authority is not used at all, even when a problem occurs, so these problems do not arise. Furthermore, our system satisfies TTP invisibility [AR02].

Fee Collection
Our proposed on-line protocol realizes send-and-forget and is therefore easy to use for both a sender and a receiver. There is, however, a possibility that the cost to Delivery Authority becomes too large. In this system, the cost to Delivery Authority is reduced by introducing fee collection: Delivery Authority charges when the on-line protocol is used and does not charge when the proposed optimistic protocol is used. In this section we consider this fee collection system. Both a sender and a receiver basically pay half of the fee to Delivery Authority, for the following reasons. If only the sender pays, the receiver may stop using the optimistic protocol. If only the receiver pays, the sender may stop answering after receiving a receipt in the optimistic protocol, so that the receiver has to use the on-line protocol after all. If fee collection is introduced, Delivery Authority should be able to refuse a receipt that has already been sent to it once. This prevents one valid receipt from being transmitted to Delivery Authority repeatedly, making both the sender and the receiver pay useless expenses. Therefore Delivery Authority should record each receipt it has received.
The Relation with Existing Mail Systems
Today many people use a provider for transmission and reception of mail. If such a provider is used as Delivery Authority, the infrastructure is already in place and the system is easier to use for a sender and a receiver. Our proposed system can use a provider as Delivery Authority, so a provider can introduce this system as an additional service, and problems such as the amount of transmission to Delivery Authority need not be considered. Thus, when a provider is used as Delivery Authority, a simple system can be constituted. It is also possible to use an organization not related to the provider at all as Delivery Authority. Therefore various ways of arranging Delivery Authority are possible, and the system configuration is highly flexible for the service provider. In an environment with an unstable communication connection, such as a mobile phone, communication with outside parties should be kept as small as possible. Moreover, mail users on mobile phones are considered to want a system that is simple and easy to use. So a system in which the mail server of a mobile phone also plays the role of Delivery Authority is suitable.
5 Conclusion
Whether the on-line protocol or the optimistic protocol is available depends on the situation of Delivery Authority and of the sender at the time the receiver receives the mail. So a receiver should be able to select how to obtain it. In conventional systems, however, the sender selects the protocol first. In this paper we have therefore proposed a new certified e-mail system in which a receiver can select between the on-line protocol and the optimistic protocol according to the situation. A sender transmits the first communication to a receiver, and the receiver selects the protocol he uses. Moreover, when a receiver tries the optimistic protocol first and gets no reaction from the partner, it is also possible to change to the on-line protocol along the way. The on-line protocol has the same security as the optimistic protocol; the differences are the number of communication rounds, how often Delivery Authority is used, and whether send-and-forget is realized. In order to avoid superfluous cost to Delivery Authority, the proposed system introduces fee collection. Thus a receiver who does not need send-and-forget very much selects the optimistic protocol, which prevents concentration on the on-line protocol. Moreover, when the cost to Delivery Authority is too large, a receiver can also stop the on-line protocol along the way and use the optimistic protocol. Thus, in the proposed system, a receiver can select a protocol properly according to his own needs and the situation of Delivery Authority or the sender.
References
[AGHP02] M. Abadi, N. Glew, B. Horne and B. Pinkas, Certified Email with a Light On-line Trusted Third Party: Design and Implementation, WWW2002, May 7-11, 2002, Honolulu, Hawaii, USA.
[AMG01] G. Ateniese, B. de Medeiros and M. T. Goodrich, TRICERT: A Distributed Certified E-Mail Scheme, ISOC 2001 Network and Distributed System Security Symposium (NDSS'01), San Diego, CA, USA, Feb 2001.
[AR02] G. Ateniese and C. N. Rotaru, Stateless-Recipient Certified E-mail System based on Verifiable Encryption, in B. Preneel (ed.), Topics in Cryptology - CT-RSA 2002, volume 2271 of Lecture Notes in Computer Science, pages 182-199, Springer-Verlag, Feb 2002.
[ASW98] N. Asokan, V. Shoup and M. Waidner, Optimistic Fair Exchange of Digital Signatures, Proceedings of EUROCRYPT '98, 1998.
[Cer98] http://www.certifiedemail.com/, 1998.
[HK01] H. Krawczyk, The Order of Encryption and Authentication for Protecting Communications (Or: How Secure Is SSL?), CRYPTO 2001, 2001. http://citeseer.nj.nec.com/krawczyk01order.html
[HPS01] B. Horne, B. Pinkas and T. Sander, Escrow Services and Incentives in Peer-to-Peer Network, 3rd ACM Conference on Electronic Commerce, 2001.
[IS02] K. Imamoto and K. Sakurai, A Scalable On-line Certified E-mail Protocol Using Password Authentication, WISA2002, Aug 2002.
[KM01] S. Kremer and O. Markowitch, Selective Receipt in Certified E-mail, Progress in Cryptology - INDOCRYPT 2001, Second International Conference on Cryptology in India, Chennai, India, December 16-20, 2001.
[Mar78] R. Merkle, Secure Communications over Insecure Channels, Communications of the ACM 21:294-299, April 1978.
[MK01] O. Markowitch and S. Kremer, An Optimistic Non-repudiation Protocol with Transparent Trusted Third Party, 4th International Conference, ISC2001, October 1-3, 2001.
[Mo01] D. Molnar, Signing Electronic Contracts, Jan 2001. http://www.acm.org/crossroads/xrds7-1/
[SR98] B. Schneier and J. Riordan, A Certified E-Mail Protocol with No Trusted Third Party, 13th Annual Computer Security Applications Conference, ACM Press, Dec 1998.
Spending Offline Divisible Coins with Combining Capability
Eikoh Chida (1), Yosuke Kasai (2), Masahiro Mambo (3), and Hiroki Shizuya (3)
(1) Dept. of Electrical Eng., Ichinoseki National College of Technology, Takanashi, Hagisho, Ichinoseki, Iwate, 021-0902 Japan, [email protected]
(2) NEC Soft, Ltd., 1-18-6 Shinkiba, Koto-ku, Tokyo, 136-8608 Japan, [email protected]
(3) Graduate School of Information Sciences, Tohoku University, Kawauchi, Aoba, Sendai, 980-8576 Japan, {mambo,shizuya}@icl.isc.tohoku.ac.jp
Abstract. In purchases with electronic money, customers are sometimes required to spend multiple electronic coins at a time. In the case of physical coins, a customer simply grabs multiple coins and hands them to a merchant. Likewise, the customer spends multiple electronic coins just by giving all the coins to the merchant. However, electronic coins allow one step further: there is room to create a combined coin from multiple coins. If combining leads to efficient spending, the customer as well as the merchant and the bank benefit from the reduction of cost. There is a proposal by Chaum for the combining operation in online cash, but no method has been proposed for offline coins up to now. Thus we seek a way to spend offline electronic coins in a combined form without the assistance of the issuing bank. Combining reduces either the computational complexity associated with spending or the communication complexity between the customer and the merchant. We propose a method to achieve combining capability in the Eng-Okamoto offline divisible electronic cash, and show that (2n − 2)|p| − (n − 1)|q| bits of the message length can be saved when combining n coins under moduli p and q satisfying q | p − 1. If precomputation is allowed, the verification cost is also slightly reduced. Significantly, even after combining coins, the bank can identify overspenders.
Keywords: Offline divisible coins, Combining capability, Combined coin, Anonymity, Overspending prevention, Efficiency
1 Introduction
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 339–353, 2002. © Springer-Verlag Berlin Heidelberg 2002

There are situations where customers are required to spend multiple electronic coins at a time. For example, consider a situation where customers have to pay more than the amount they have already withdrawn. The customers will
withdraw the lacking amount and spend it together with the already withdrawn coins. We can also consider a situation where many unspent portions of divisible electronic money are left in the hands of a customer. Each portion alone does not enable her to purchase goods, but their sum does. As for physical coins, a customer simply grabs multiple coins and hands them to a merchant. Likewise, the customer spends multiple electronic coins just by giving all the coins to the merchant. Even so, there is room to add a new property to electronic coins: multiple electronic coins may be combined into one coin. As long as combining leads to efficient spending, the customer as well as the merchant and the bank benefit from the reduction of cost. The combining capability is a new functionality of electronic money not observed in physical money. There is a proposal [4] for the combining operation in online cash. It uses a so-called cookie jar for gathering unspent portions of coins and bringing them to the bank for deposit. In contrast, as far as the authors know, no combining method has been proposed for offline cash. We seek a way to spend offline divisible electronic coins in a combined form without the assistance of the issuing bank, and to reduce either the computational complexity associated with spending or the communication complexity between the customer and the merchant. We should stress that the combining operation must not prevent the bank from identifying overspending customers. Combined coins allow customers to spend coins efficiently while preserving the basic functionalities [5] of offline divisible cash. We should also stress that divisibility does not cover the combining capability. To understand this relationship, consider a situation where a customer uses a divisible coin worth a very large amount of money. One may imagine that a customer possessing such a coin does not need to combine coins.
However, this is not always true. In anonymous offline cash the maximum division number of a divisible coin has to be determined at the time of withdrawal. If the maximum division number is set small, a coin with a high denomination is divided into sub-coins that are still worth a large amount of money. So the customer has to withdraw coins with small denominations in addition to coins with high denominations, and spend such multiple coins (after combining them). Alternatively, the customer can set a larger maximum division number for a coin with a high denomination and then spend sub-coins worth small amounts of money. However, the customer encounters a privacy problem in this case. It is known that divided portions of a coin can be linked to each other in anonymous offline divisible cash, so different payments using sub-coins produced from the same coin are linked as well. Another concern is the increase in computation and message length required for spending a small divided portion of the coin. Moreover, combining capability is effective in a situation where the customer has to pay more than the amount specified by the withdrawn coins and additionally withdraws coins. Detachable coins [9] provide functionality similar to divisibility. As with divisible coins, they fix the maximum number
Spending Offline Divisible Coins with Combining Capability
341
of detached coins in advance, and the same discussion holds for the detachable coins. The scheme proposed in this paper is based on the Eng-Okamoto scheme [6], in which digital signature of the bank serves as a part of an electronic coin. So the combining operation for the Eng-Okamoto scheme requires combining multiple signatures with keeping the basic functionalities of the Eng-Okamoto scheme. Similar to the detachable coins, we can use batch cryptography [1] for merchant’s and bank’s verification of multiple signatures. Unfortunately, such a direct application of batch cryptography does not generate a well-formed combined coin retaining the basic functionalities and cannot be viewed as the combining operation. We are aiming at generating a combined coin which serves as an offline divisible coin by itself and offers the reduction of cost, too. It is known that the Eng-Okamoto scheme itself is not enough efficient. With this respect, our result is important as an evidence of the existence of offline divisible coins with combining capability. This paper is organized as follows. After the introduction, we review the Eng-Okamoto scheme in Sect. 2. Then we show our basic approach to the combining mechanism and propose a concrete scheme for the Eng-Okamoto scheme in Sect. 3. We analyze the properties of the proposed scheme in Sect. 4. Finally, we describe concluding remarks in Sect. 5.
2 The Eng-Okamoto Scheme

In this section we review the Eng-Okamoto scheme [6], the EO scheme in short.

2.1 Definitions

A bank selects and publishes $p, q, g, g_1, g_2$ such that $p$ and $q$ are large primes satisfying $q \mid (p-1)$ and $g, g_1, g_2 \in \mathbb{Z}_p^*$ are generators of order $q$.

Tree of value: The EO scheme makes use of a binary tree. Each coin worth $2^\ell$ dollars is associated with a tree of $\ell+1$ levels and $2^\ell$ leaves. The tree can be thought of as a collection of $2^\ell$ paths of length $\ell$. Each path originates from the root and terminates in a leaf. These paths are called routes. The root is denoted $n_0$, and the left child and the right child of the root are denoted $n_{00}$ and $n_{01}$, respectively. Other descendant nodes are similarly denoted by appending 0 or 1 depending on the position of the descendant node relative to its parent node. The subscript of $n$ is called the node number. Fig. 1 shows a tree with four leaves.

Worth of nodes: The root at the first level is assigned $2^\ell$ dollars, which is the withdrawn amount of the coin. The left and right children at the second level are assigned $2^{\ell-1}$ dollars. Each descendant node has one half of the amount assigned to its parent node. The assignment is exemplified in Fig. 1 for a 4 dollar coin, i.e. $\ell = 2$.
Fig. 1. Tree of values for 4 dollars: the root $n_0$ is worth 4$, its children $n_{00}$ and $n_{01}$ are worth 2$ each, and the leaves $n_{000}, n_{001}, n_{010}, n_{011}$ are worth 1$ each.
Values of each node: Each node has two values, a t-value and an r-value. For $j_\kappa \in \{0,1\}$ and an integer $\kappa$ satisfying $1 \le \kappa \le \ell$, the t-value of $n_{0j_1 j_2 \cdots j_\kappa}$ is written $t_{0j_1 j_2 \cdots j_\kappa}$, and its r-values are obtained from the t-value by $t_{0j_1 j_2 \cdots j_\kappa} = (r_{0j_1 j_2 \cdots j_\kappa,1} \| r_{0j_1 j_2 \cdots j_\kappa,2})$, where $r_{0j_1 j_2 \cdots j_\kappa,i} \in \{0,1\}^{|q|}$ for $i \in \{1,2\}$. Let $H_1 : \{0,1\}^* \to \{0,1\}^{2|q|}$ and $H_2 : \{0,1\}^* \to \{0,1\}^{|q|}$ be secure hash functions. When a customer withdraws $2^\ell$ dollars, the t- and r-values of each node are determined as follows.
1. The customer selects a random number $e$ and computes the t-value of each leaf $n_{0j_1 j_2 \cdots j_\ell}$ by $t_{0j_1 j_2 \cdots j_\ell} = H_1(e \| 0 j_1 j_2 \cdots j_\ell)$.
2. For all integers $\kappa$ satisfying $1 \le \kappa < \ell$, repeatedly compute the t-value $t_{0j_1 j_2 \cdots j_\kappa}$ of an internal node $n_{0j_1 j_2 \cdots j_\kappa}$ by
$$t_{0j_1 j_2 \cdots j_\kappa} = H_1\Big(H_2\big(g_1^{r_{0j_1 j_2 \cdots j_\kappa 0,1}} g_2^{r_{0j_1 j_2 \cdots j_\kappa 0,2}} \bmod p\big) \,\|\, H_2\big(g_1^{r_{0j_1 j_2 \cdots j_\kappa 1,1}} g_2^{r_{0j_1 j_2 \cdots j_\kappa 1,2}} \bmod p\big)\Big),$$
and finally determine the t-value of the root.

2.2 The EO Protocol
The EO protocol is based upon Brands' offline electronic cash protocol [3], to which the mechanism for t- and r-values is added.

Account opening: A customer selects a random number $u \in_R \mathbb{Z}_q$ and computes $I = g_1^u \bmod p$. She publishes $I$ as her ID but keeps $u$ secret. She opens her account corresponding to $I$ at a bank.

Withdrawal: A bank computes $h = g^x \bmod p$ and publishes $h$ as a public key corresponding to $2^\ell$ dollars. The bank keeps $x$ as its own secret.
1. The customer computes $T = g_1^{r_{0,1}} g_2^{r_{0,2}} \bmod p$, and sends her own ID $I$ to the bank.
2. The bank selects a random number $\omega \in_R \mathbb{Z}_q$ and computes $m = I g_2 \bmod p$, $z = m^x \bmod p$, $a = g^\omega \bmod p$, $b = m^\omega \bmod p$. Then $(m, z, a, b)$ is sent to the customer.
3. The customer selects random numbers $s, t, v \in_R \mathbb{Z}_q$ and computes $m' = m^s \bmod p$. Then she computes $z' = z^s \bmod p$, $a' = a^t g^v \bmod p$, $b' = b^{st} (m')^v \bmod p$, $c' = H_2(m', z', a', b', T)$ and $c = c'/t \bmod q$, and sends $c$ to the bank. The bank debits the account corresponding to $I$.
4. The bank computes $r = xc + \omega \bmod q$ and sends $r$ to the customer.
5. The customer checks $m^r \equiv z^c b \pmod p$ and $g^r \equiv h^c a \pmod p$, and if they pass the check, she computes $r' = rt + v \bmod q$.
The customer receives a signature $(a', b', z', r')$ for $(m', T)$. It can be verified by checking
$$g^{r'} \overset{?}{\equiv} h^{c'} a' \pmod p, \qquad (m')^{r'} \overset{?}{\equiv} (z')^{c'} b' \pmod p, \qquad c' = H_2(m', z', a', b', T). \qquad (1)$$

Payment: The following protocol shows how to spend a node $n_{0j_1 j_2 \cdots j_d}$ for $d$ s.t. $1 \le d \le \ell$. Suppose a customer spends $w$ dollars ($w \le 2^\ell$) and the binary representation of $w$ is $w_1 w_2 \cdots w_{\ell+1}$ where $w_i \in \{0,1\}$, $1 \le i \le \ell+1$. Then $w_i = 1$ indicates that a node of the $i$-th level is spent. The customer executes Steps 2 to 6 below for a node $n_{0j_1 j_2 \cdots j_d}$ of the $d$-th level whenever $w_d = 1$ and $1 \le d \le \ell$. A signature $S$ of a message $M$ is denoted by $\mathrm{Sig}(M) = S$.
1. A customer sends $m', T, \mathrm{Sig}(m', T) = (a', b', z', r')$ to a merchant.
2. The merchant verifies the coin by checking $m' \ne 1 \bmod p$ and the equations (1). If they are correct, then the merchant requests information for the node $n_{0j_1 j_2 \cdots j_d}$.
3. In response, the customer sends the merchant the β-value of the node $n_{0j_1 j_2 \cdots j_d}$, $\beta_{0j_1 j_2 \cdots j_d} = g_1^{r_{0j_1 j_2 \cdots j_d,1}} g_2^{r_{0j_1 j_2 \cdots j_d,2}} \bmod p$, and the values used to compute the root, $H_2(g_1^{r_{0j_1 j_2 \cdots j_d,1}} g_2^{r_{0j_1 j_2 \cdots j_d,2}} \bmod p)$, $H_2(g_1^{r_{0j_1 j_2 \cdots j_{d-1},1}} g_2^{r_{0j_1 j_2 \cdots j_{d-1},2}} \bmod p)$, …, $H_2(g_1^{r_{0j_1,1}} g_2^{r_{0j_1,2}} \bmod p)$.
4. The merchant computes $T$ with the use of the sent values, and checks whether it equals the $T$ in the signature. Only when it is a valid $T$ does the merchant generate a challenge $\alpha \in_R \mathbb{Z}_q^*$ and send it to the customer.
5. The customer computes $y_{0j_1 j_2 \cdots j_d,1} = r_{0j_1 j_2 \cdots j_d,1} + \alpha(su) \bmod q$ and $y_{0j_1 j_2 \cdots j_d,2} = r_{0j_1 j_2 \cdots j_d,2} + \alpha s \bmod q$, and sends $y_{0j_1 j_2 \cdots j_d,1}$ and $y_{0j_1 j_2 \cdots j_d,2}$ to the merchant.
6. The merchant verifies the validity of $y_{0j_1 j_2 \cdots j_d,1}$ and $y_{0j_1 j_2 \cdots j_d,2}$ by checking
$$g_1^{y_{0j_1 j_2 \cdots j_d,1}} g_2^{y_{0j_1 j_2 \cdots j_d,2}} \overset{?}{\equiv} \beta_{0j_1 j_2 \cdots j_d} \, (m')^{\alpha} \pmod p.$$
Deposit protocol: The description of the deposit protocol is omitted. Please refer to [6].
2.3 Properties

The EO protocol has the following properties.

Identification of overspenders: The bank can identify with high probability a customer who has spent the same node with node number $\eta$ twice. This is because $r_{\eta,1}$ and $r_{\eta,2}$ are fixed for the same coin. More precisely, the bank obtains four equations $y^{[1]}_{\eta,1} = r_{\eta,1} + \alpha^{[1]}(su) \bmod q$, $y^{[1]}_{\eta,2} = r_{\eta,2} + \alpha^{[1]} s \bmod q$, $y^{[2]}_{\eta,1} = r_{\eta,1} + \alpha^{[2]}(su) \bmod q$ and $y^{[2]}_{\eta,2} = r_{\eta,2} + \alpha^{[2]} s \bmod q$. If $y^{[1]}_{\eta,2} \ne y^{[2]}_{\eta,2} \pmod q$, the bank can compute $u$ by $u = (y^{[1]}_{\eta,1} - y^{[2]}_{\eta,1})/(y^{[1]}_{\eta,2} - y^{[2]}_{\eta,2}) \bmod q$. The probability of computing $u$ is $1 - 1/q$. Similarly, the bank can identify with high probability a customer who has spent a node $n_{\eta'}$ lying in a route to an already spent node $n_\eta$. This is because the bank can compute $r_{\eta',1}$ and $r_{\eta',2}$ from the r-values of the descendant node $n_\eta$. The bank knows $y_{\eta',1} = r_{\eta',1} + \alpha(su) \bmod q$ and $y_{\eta',2} = r_{\eta',2} + \alpha s \bmod q$, and if $y_{\eta',2} \ne r_{\eta',2} \pmod q$, the bank can compute $u$ by $u = (y_{\eta',1} - r_{\eta',1})/(y_{\eta',2} - r_{\eta',2}) \bmod q$. The probability of computing $u$ is $1 - 1/q$. When a customer has spent a node $n_\eta$ lying in a route from an already spent node $n_{\eta'}$, the bank can compute $u$ in the same way by exchanging the roles of $\eta$ and $\eta'$.

Message length of a spent coin: When $w$ dollars are spent, the number $\nu$ of nodes used in the spending can be expressed by $\nu = \#\{w_i \mid w_i = 1,\ 1 \le i \le \ell+1\}$. In the payment protocol the customer opens $\nu$ β-values and responds to a challenge with $\nu$ messages each of which has length $2|q|$. Let $\ell'$ be the least number satisfying $w_i = 0$ for all $i$ s.t. $\ell' < i \le \ell+1$. Then $(\ell' - \nu)$ hash values are made open. Therefore, the message length of a coin spent by the customer is evaluated as $\nu(|p| + 2|q|) + 2(\ell' - \nu)|q|$.
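The tree of values of Sect. 2.1, the node-spending check of the payment protocol and the bank's overspender identification of Sect. 2.3, as an added Python example; it is not code from the paper and not a reference implementation of the EO scheme. Everything concrete in it is an assumption made for the example: toy parameters p = 2039, q = 1019, g1 = 9, g2 = 16 (real deployments use moduli of the sizes discussed in Sect. 4.1), SHA-256 standing in for H1 and H2, the blind withdrawal replaced by a customer who already holds m' = (I g2)^s, and the reading that the "values used to compute the root" sent in payment step 3 are the sibling H2-values along the route, which is what lets the merchant recompute T from the opened β alone.

```python
import hashlib

# Constructed toy parameters (far too small for real use): q | p - 1, and g1, g2 are
# quadratic residues mod p, hence generators of the order-q subgroup.
P, Q = 2039, 1019
G1, G2 = 9, 16

def h1(data: bytes) -> tuple:
    """H1: bytes -> a t-value, i.e. the pair of r-values (r_1, r_2), taken mod q."""
    d = hashlib.sha256(b"H1" + data).digest()
    return int.from_bytes(d[:16], "big") % Q, int.from_bytes(d[16:], "big") % Q

def h2(x: int) -> bytes:
    """H2: group element -> |q|-sized digest."""
    return hashlib.sha256(b"H2" + x.to_bytes(4, "big")).digest()[:16]

def beta(t: tuple) -> int:
    """beta-value of a node: g1^{r_1} g2^{r_2} mod p (this is T for the root)."""
    return pow(G1, t[0], P) * pow(G2, t[1], P) % P

def node_name(depth: int, idx: int) -> str:
    """Node number of the idx-th node at the given depth: '0', '00', '01', '000', ..."""
    return "0" + (format(idx, f"0{depth}b") if depth else "")

def build_tree(e: bytes, levels: int) -> dict:
    """t-values of every node of a 2^levels-dollar coin: leaves from the secret e,
    internal nodes as H1(H2(beta_left) || H2(beta_right)) (Sect. 2.1)."""
    t = {}
    for idx in range(2 ** levels):
        n = node_name(levels, idx)
        t[n] = h1(e + n.encode())
    for depth in range(levels - 1, -1, -1):
        for idx in range(2 ** depth):
            n = node_name(depth, idx)
            t[n] = h1(h2(beta(t[n + "0"])) + h2(beta(t[n + "1"])))
    return t

def route(n: str) -> list:
    """n, its parent, ... down to the child of the root (the root itself excluded)."""
    return [n[:k] for k in range(len(n), 1, -1)]

def sibling(n: str) -> str:
    return n[:-1] + ("1" if n[-1] == "0" else "0")

def open_node(t: dict, n: str) -> tuple:
    """Payment step 3: beta of the spent node plus the H2-values needed to reach the
    root. Assumption: these are the sibling's H2(beta) at each level of the route."""
    return beta(t[n]), [h2(beta(t[sibling(a)])) for a in route(n)]

def ancestors_from_opening(n: str, b: int, sib_hashes: list) -> dict:
    """Recompute the t-values of every ancestor of n from an opening. The merchant
    needs only the root (step 4); the bank reuses the same values to learn the
    r-values of an already spent ancestor (Sect. 2.3)."""
    anc, acc = {}, h2(b)
    for a, sh in zip(route(n), sib_hashes):
        anc[a[:-1]] = h1(acc + sh if a[-1] == "0" else sh + acc)
        acc = h2(beta(anc[a[:-1]]))
    return anc

def recompute_T(n: str, b: int, sib_hashes: list) -> int:
    """Merchant's step 4: T recomputed from the opened values only."""
    anc = ancestors_from_opening(n, b, sib_hashes)
    return beta(anc["0"]) if anc else b

def coin_public(u: int, s: int) -> int:
    """m' = (I g2)^s with I = g1^u: the blinded coin value the merchant sees."""
    return pow(pow(G1, u, P) * G2 % P, s, P)

def respond(t: tuple, alpha: int, u: int, s: int) -> tuple:
    """Step 5: y_1 = r_1 + alpha s u, y_2 = r_2 + alpha s (mod q)."""
    return (t[0] + alpha * s * u) % Q, (t[1] + alpha * s) % Q

def merchant_check(b: int, m_prime: int, alpha: int, y: tuple) -> bool:
    """Step 6: g1^{y_1} g2^{y_2} == beta (m')^alpha (mod p)."""
    return pow(G1, y[0], P) * pow(G2, y[1], P) % P == b * pow(m_prime, alpha, P) % P

def identify_same_node(y_a: tuple, y_b: tuple):
    """Same node spent twice: u = (y_1^[1] - y_1^[2]) / (y_2^[1] - y_2^[2]) mod q."""
    d = (y_a[1] - y_b[1]) % Q
    return None if d == 0 else (y_a[0] - y_b[0]) * pow(d, -1, Q) % Q

def identify_from_ancestor(y_anc: tuple, t_anc: tuple):
    """Ancestor spent, descendant opened later: u = (y_1 - r_1) / (y_2 - r_2) mod q."""
    d = (y_anc[1] - t_anc[1]) % Q
    return None if d == 0 else (y_anc[0] - t_anc[0]) * pow(d, -1, Q) % Q

def demo() -> tuple:
    """Constructed 4-dollar coin: honest spend of the 1-dollar node n001, the same node
    spent again, and the 2-dollar ancestor n00 spent after n001 was opened."""
    u, s, t = 123, 77, build_tree(b"constructed secret e", 2)
    T, m_prime = beta(t["0"]), coin_public(u, s)
    b, sibs = open_node(t, "001")
    t_ok = recompute_T("001", b, sibs) == T
    y1, y2 = respond(t["001"], 5, u, s), respond(t["001"], 9, u, s)
    pay_ok = merchant_check(b, m_prime, 5, y1) and merchant_check(b, m_prime, 9, y2)
    y_anc = respond(t["00"], 3, u, s)
    t_anc = ancestors_from_opening("001", b, sibs)["00"]
    return t_ok, pay_ok, identify_same_node(y1, y2), identify_from_ancestor(y_anc, t_anc)
```

demo() returns (True, True, 123, 123): the merchant's recomputed T matches, both challenge-responses verify, and the bank recovers u = 123 either from two spends of n001 with different challenges or from a spend of n00 combined with the later opening of n001, which hands the bank the r-values of every ancestor of the opened node. identify_same_node returns None in the case where the two second responses coincide, which is the 1/q failure probability quoted in the text.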
3 Combining Mechanism

3.1 Notation and Basic Mechanism

To add the combining mechanism we change the EO scheme as follows.

Notation for the combining: We denote by one-tiered combining the generation of one parent node from two coins. The generated parent node is used for spending a one-tiered combined electronic coin. In the same manner, $i$-tiered combining is defined as the generation of one parent node from two $(i-1)$-tiered combined electronic coins. A tree generated in such a way is called a combined tree. A node in a combined tree is labeled by $(i, j)$ where $i$ denotes the tier of combining and $j$ denotes the order of the node. The order is counted from the leftmost node in the same tier. In the combining of $n$ coins where $n = 2^{\tilde\ell}$ for some integer $\tilde\ell \ge 1$, labels $i$ and $j$ satisfy $1 \le i \le \log_2 n$ and $1 \le j \le n/2^i$, respectively. Note that the labeling rule for the combined tree is not compatible with the labeling rule for the node number in the original EO scheme. For simplicity we adhere to the restriction $n = 2^{\tilde\ell}$ without explicitly mentioning it throughout the paper. Although this restriction can be removed by modifying the protocol described in this paper, we omit the modified protocol here for lack of space. The node $n_{i,j}$ is assigned a value $T_{i,j}$, which is computed in the following way.

Fig. 2. Two-tiered combined tree: the coins of the EO scheme $n_{0,1}, n_{0,2}, n_{0,3}, n_{0,4}$ carry the root values $T_1, T_2, T_3, T_4$; one-tiered combining yields $n_{1,1}$ with $T_{1,1} = H(T_1 \| T_2)$ and $n_{1,2}$ with $T_{1,2} = H(T_3 \| T_4)$; two-tiered combining yields $n_{2,1}$ with $T_{2,1} = H(T_{1,1} \| T_{1,2})$.

Construction of the combined tree: A hash function $H : \{0,1\}^* \to \{0,1\}^{|q|}$ is prepared. The value $T_{i,j}$ of a node $n_{i,j}$ for $1 \le i \le \log_2 n$ and $1 \le j \le n/2^i$ is computed by
$$T_{i,j} = H(T_{i-1,2j-1} \| T_{i-1,2j}), \qquad T_{0,j} = T_j, \qquad (2)$$
where $T_j$ is the t-value of the root of the EO scheme. Based on the expressions (2), the value $T_{i,j}$ can be computed for all pairs $(i,j)$ from the leaves to the root of the combined tree. Unlike the calculation of the t-value in [6], $T_{i,j}$ is computed with a hash function as in [9]. So the cost for computing the combined tree does not become large. Fig. 2 shows an example of a two-tiered combined tree where four coins withdrawn from the bank are combined. The t-values of the roots of the four coins are $T_1, T_2, T_3$ and $T_4$.

Change in the withdrawal protocol: We slightly change the EO protocol explained in Sect. 2.2 in the following two points.
1. The generation of $c'$ is changed from $c' = H_2(m', z', a', b', T)$ to
$$c' = H_2(\gamma, T), \qquad (3)$$
where $\gamma = H_2(m', z', a', b')$, and the customer retains $\gamma$ for the combining operation.
2. The generation of $b'$ is changed from $b' = b^{st}(m')^v \bmod p$ to $b' = B^s \bmod p$, where $B = b^t m^v \bmod p$, and the customer retains $B$ for the combining operation. Note that the generated value $b'$ is not changed because of the relation $m' \equiv m^s \pmod p$.

3.2 One-tiered Combining

We now explain how to combine two coins. We assume that both coins have the same worth and that the same customer withdrew the two coins.

Combining method 1 (One-tiered combining): Suppose two coins with associated signatures $\mathrm{Sig}(m_1, T_1) = (a_1, b_1, z_1, r_1)$ and $\mathrm{Sig}(m_2, T_2) = (a_2, b_2, z_2, r_2)$ are combined. The associated values $(\gamma_1, B_1)$ and $(\gamma_2, B_2)$ are computed and retained by the customer as described in Sect. 3.1. First, the value $T_{1,1}$ of the root of the one-tiered combined tree is computed by $T_{1,1} = H(T_1 \| T_2)$. Then the following computation is executed with the knowledge of each signature, the secret values stored during the withdrawal and $T_{1,1}$:
$$M_{1,1} = m_1 \cdot m_2 \bmod p, \qquad Z_{1,1} = z_1 \cdot z_2 \bmod p,$$
$$\Gamma_{1,1} = H_2\big(M_{1,1}, Z_{1,1}, a_1, a_2, B_1^{(1)}, B_2^{(1)}\big), \qquad C_{1,1} = H_2(\Gamma_{1,1}, T_{1,1}),$$
$$R_{1,1} = C_{1,1} \cdot r_1 + r_2 \bmod q,$$
where $\sigma_{1,1} = s_1 + s_2 \bmod q$, $B_1^{(1)} = (B_1)^{\sigma_{1,1}} \bmod p$ and $B_2^{(1)} = (B_2)^{\sigma_{1,1}} \bmod p$.

The obtained tuple $(a_1, a_2, B_1^{(1)}, B_2^{(1)}, Z_{1,1}, R_{1,1}, \gamma_1, \gamma_2)$ can be regarded as a signature of $(M_{1,1}, (T_1, T_2))$. Note that $\gamma_1 = H_2(m_1, z_1, a_1, b_1)$ and $\gamma_2 = H_2(m_2, z_2, a_2, b_2)$, but the customer does not use $m_1, m_2, z_1$ and $z_2$ for the payment. The signature can be verified by
$$g^{R_{1,1}} \equiv h^{c_1 \cdot C_{1,1} + c_2} \cdot (a_1)^{C_{1,1}} \cdot a_2 \pmod p,$$
$$(M_{1,1})^{R_{1,1}} \equiv (Z_{1,1})^{c_1 \cdot C_{1,1} + c_2} \cdot (B_1^{(1)})^{C_{1,1}} \cdot B_2^{(1)} \pmod p, \qquad (4)$$
where $c_1 = H_2(\gamma_1, T_1)$, $c_2 = H_2(\gamma_2, T_2)$, $C_{1,1} = H_2(\Gamma_{1,1}, T_{1,1})$ and $\Gamma_{1,1} = H_2(M_{1,1}, Z_{1,1}, a_1, a_2, B_1^{(1)}, B_2^{(1)})$.
In the combining of $n$ coins of the EO scheme, there are $n/2$ combining units for the one-tiered combining. The $j$-th one-tiered combining for $1 \le j \le n/2$ derives a signature verified by
$$g^{R_{1,j}} \equiv h^{c_{2j-1} \cdot C_{1,j} + c_{2j}} \cdot (a_{2j-1})^{C_{1,j}} \cdot a_{2j} \pmod p,$$
$$(M_{1,j})^{R_{1,j}} \equiv (Z_{1,j})^{c_{2j-1} \cdot C_{1,j} + c_{2j}} \cdot (B_{2j-1}^{(1)})^{C_{1,j}} \cdot B_{2j}^{(1)} \pmod p, \qquad (5)$$
where $c_{2j-1} = H_2(\gamma_{2j-1}, T_{2j-1})$, $c_{2j} = H_2(\gamma_{2j}, T_{2j})$, $C_{1,j} = H_2(\Gamma_{1,j}, T_{1,j})$ and $\Gamma_{1,j} = H_2(M_{1,j}, Z_{1,j}, a_{2j-1}, a_{2j}, B_{2j-1}^{(1)}, B_{2j}^{(1)})$.

3.3 Multi-tiered Combining
We can combine multiple coins by repeating the operation of the one-tiered combining. Again we assume that all coins to be combined have the same worth and all coins are possessed by the same customer. Moreover, we temporarily assume that no portion of the coins has been spent yet. The last assumption can be removed as mentioned later.

Combining method 2 (Multi-tiered combining): By repeating the one-tiered combining, $n$ coins with associated signatures $\mathrm{Sig}(m_k, T_k) = (a_k, b_k, z_k, r_k)$ and associated values $(\gamma_k, B_k)$ for $1 \le k \le n$ are combined into one coin. In the course of the generation of the combined coin, every internal node in the combined tree is assigned a spendable combined coin. The following operations are executed so as to generate a combined coin for each node with label $(i,j)$ in the combined tree, where $1 \le i \le \log_2 n$ and $1 \le j \le n/2^i$. First $T_{i,j}$ is computed by $T_{i,j} = H(T_{i-1,2j-1} \| T_{i-1,2j})$. Then the following values are computed with the knowledge of the withdrawn coins, the values stored during the withdrawal and $T_{i,j}$:
$$M_{i,j} = M_{i-1,2j-1} \cdot M_{i-1,2j} \bmod p, \qquad Z_{i,j} = Z_{i-1,2j-1} \cdot Z_{i-1,2j} \bmod p,$$
$$\Gamma_{i,j} = H_2\big(M_{i,j}, Z_{i,j}, a_{2^i(j-1)+1}, \cdots, a_{2^i j}, B^{(i)}_{2^i(j-1)+1}, \cdots, B^{(i)}_{2^i j}\big), \qquad C_{i,j} = H_2(\Gamma_{i,j}, T_{i,j}),$$
$$R_{i,j} = C_{i,j} \cdot R_{i-1,2j-1} + R_{i-1,2j} \bmod q,$$
where
$$\sigma_{i,j} = \sigma_{i-1,2j-1} + \sigma_{i-1,2j} \bmod q = \sum_{k=2^i(j-1)+1}^{2^i(j-1)+2^{i-1}} s_k + \sum_{k=2^i(j-1)+2^{i-1}+1}^{2^i j} s_k \bmod q = s_{2^i(j-1)+1} + \cdots + s_{2^i j} \bmod q,$$
$$B_k^{(i)} = (B_k)^{\sigma_{i,j}} \bmod p$$
for all $k$ satisfying $2^i(j-1)+1 \le k \le 2^i j$.

As a result, a signature of $(M_{i,j}, [T_k]_{2^i(j-1)+1}^{2^i j})$ for $1 \le i \le \log_2 n$, $1 \le j \le n/2^i$ is obtained as
$$\Big([a_k]_{2^i(j-1)+1}^{2^i j},\ \big[B_k^{(i)}\big]_{k=2^i(j-1)+1}^{2^i j},\ Z_{i,j},\ R_{i,j},\ [\gamma_k]_{2^i(j-1)+1}^{2^i j},\ \Big[[\Gamma_{\tilde\imath,\tilde\jmath}]_{\tilde\jmath=2^{i-\tilde\imath}(j-1)+1}^{2^{i-\tilde\imath} j}\Big]_{\tilde\imath=1}^{i-1}\Big),$$
where $[\lambda_\theta]_{\theta=\mu}^{\tau}$ with $\mu < \tau$ denotes the sequence $(\lambda_\mu, \lambda_{\mu+1}, \cdots, \lambda_\tau)$ of a variable/sequence $\lambda_\theta$. Alternatively, we simply write $[\lambda_\theta]_\mu^\tau$ when it causes no confusion.

The signature of $(M_{i,j}, [T_k]_{2^i(j-1)+1}^{2^i j})$ is verified by checking
$$g^{R_{i,j}} \equiv K_{i,j} \pmod p, \qquad (M_{i,j})^{R_{i,j}} \equiv L_{i,j} \pmod p, \qquad (6)$$
where $K_{i,j}$ and $L_{i,j}$ are computed by using the relations
$$K_{\tilde\imath,\tilde\jmath} = (K_{\tilde\imath-1,2\tilde\jmath-1})^{C_{\tilde\imath,\tilde\jmath}} \cdot K_{\tilde\imath-1,2\tilde\jmath}, \qquad L_{\tilde\imath,\tilde\jmath} = (L_{\tilde\imath-1,2\tilde\jmath-1})^{C_{\tilde\imath,\tilde\jmath}} \cdot L_{\tilde\imath-1,2\tilde\jmath},$$
for $\tilde\imath$ and $\tilde\jmath$ s.t. $1 < \tilde\imath \le i$ and $2^{i-\tilde\imath}(j-1)+1 \le \tilde\jmath \le 2^{i-\tilde\imath} j$, and
$$K_{1,\tilde\jmath} = h^{c_{2\tilde\jmath-1} \cdot C_{1,\tilde\jmath} + c_{2\tilde\jmath}} \cdot (a_{2\tilde\jmath-1})^{C_{1,\tilde\jmath}} \cdot a_{2\tilde\jmath} \bmod p,$$
$$L_{1,\tilde\jmath} = (Z_{1,\tilde\jmath})^{c_{2\tilde\jmath-1} \cdot C_{1,\tilde\jmath} + c_{2\tilde\jmath}} \cdot (B_{2\tilde\jmath-1}^{(i)})^{C_{1,\tilde\jmath}} \cdot B_{2\tilde\jmath}^{(i)} \bmod p$$
for $\tilde\imath = 1$ and $\tilde\jmath$ s.t. $2^{i-1}(j-1)+1 \le \tilde\jmath \le 2^{i-1} j$. Here $c_k = H_2(\gamma_k, T_k)$ for $k$ s.t. $2^{i-1}(j-1)+1 \le k \le 2^{i-1} j$, and $C_{\tilde\imath,\tilde\jmath} = H_2(\Gamma_{\tilde\imath,\tilde\jmath}, T_{\tilde\imath,\tilde\jmath})$ for $\tilde\imath$ and $\tilde\jmath$ s.t. $1 \le \tilde\imath \le i$ and $2^{i-\tilde\imath}(j-1)+1 \le \tilde\jmath \le 2^{i-\tilde\imath} j$.

3.4 The Modified EO Protocol for Combined Coins
To spend the combined coins, the EO protocol described in Sect. 2.2 is changed as follows.

Withdrawal: The withdrawal protocol itself is not changed. Additionally, the customer keeps $\gamma$ and $B$ for spending combined coins.

Payment: The following payment protocol is executed to spend a coin combined from $n$ coins.
1. A customer sends a signature of a combined coin to a merchant. Note that $(T_1, \cdots, T_n)$ is also sent.
2. The merchant checks the combined coin:
(a) Generate $c_k$ by substituting $(\gamma_k, T_k)$ into the equation (3) for all $k$ s.t. $1 \le k \le n$.
(b) Generate $T_{i,j}$ from the $T_k$'s and $C_{i,j}$ from $(\Gamma_{i,j}, T_{i,j})$ for all $i$ and $j$ satisfying $1 \le i \le \log_2 n$ and $1 \le j \le n/2^i$.
(c) Check if the congruences (6) hold.
3. If the signature is correct, the merchant sends $\alpha \in_R \mathbb{Z}_q^*$ to the customer.
4. The customer computes $y_{0,1,k}$ and $y_{0,2,k}$ satisfying $y_{0,1,k} = r_{0,1,k} + \alpha(\sigma_{\tilde\ell,1} u) \bmod q$ and $y_{0,2,k} = r_{0,2,k} + \alpha \sigma_{\tilde\ell,1} \bmod q$ for all $k$ s.t. $1 \le k \le n$, where $\tilde\ell = \log_2 n$. The values $r_{0,1,k}$ and $r_{0,2,k}$ satisfy $T_k = g_1^{r_{0,1,k}} g_2^{r_{0,2,k}} \bmod p$. The customer sends all pairs $y_{0,1,k}$ and $y_{0,2,k}$ to the merchant.
5. The merchant checks, for all $k$ s.t. $1 \le k \le n$, the validity of $y_{0,1,k}$ and $y_{0,2,k}$ by
$$g_1^{y_{0,1,k}} g_2^{y_{0,2,k}} \overset{?}{\equiv} T_k \cdot (M_{\tilde\ell,1})^{\alpha} \pmod p.$$

4 Properties of the Combined Coins
The modification we made to the EO scheme keeps the basic functionalities of the EO scheme. As in the EO scheme we can prove that spending combined coins without the knowledge of their secret values leads to solving the discrete logarithm problem.

Identifying overspenders: Now we explain that the bank can identify overspending customers even after the modification for the combining operation. Basically, the identification method is based on the method described in Sect. 2.3. However, a careful analysis is required since the secret $\sigma$ may differ after the combining operation, while the secret $s$ is not changed in the original scheme. For instance, the customer may combine the same coin with different coins. We show that $u$, used to compute the customer's ID $I$, can be computed even when the $\sigma$'s are different. Suppose a customer spends twice the same node with node number $\eta$ of a coin after the combining operation. In this discussion we can ignore the place $k$ of the coin in the combined tree. The bank obtains $y^{[1]}_{\eta,1} = r_{\eta,1} + \alpha^{[1]}(\sigma_1 u) \bmod q$, $y^{[1]}_{\eta,2} = r_{\eta,2} + \alpha^{[1]}\sigma_1 \bmod q$, $y^{[2]}_{\eta,1} = r_{\eta,1} + \alpha^{[2]}(\sigma_2 u) \bmod q$, $y^{[2]}_{\eta,2} = r_{\eta,2} + \alpha^{[2]}\sigma_2 \bmod q$. From these equations we have $y^{[1]}_{\eta,1} - y^{[2]}_{\eta,1} = (\alpha^{[1]}\sigma_1 - \alpha^{[2]}\sigma_2)\, u \bmod q$ and $y^{[1]}_{\eta,2} - y^{[2]}_{\eta,2} = (\alpha^{[1]}\sigma_1 - \alpha^{[2]}\sigma_2) \bmod q$. When $y^{[1]}_{\eta,2} \ne y^{[2]}_{\eta,2} \pmod q$, the bank can compute $u = (y^{[1]}_{\eta,1} - y^{[2]}_{\eta,1})/(y^{[1]}_{\eta,2} - y^{[2]}_{\eta,2}) \bmod q$. The probability of computing $u$ is $1 - 1/q$. As in Sect. 2.3 the bank can identify with high probability a customer who has spent a node $n_{\eta'}$ lying in a route to an already spent node $n_\eta$. The bank can compute $r_{\eta',1}$ and $r_{\eta',2}$ of $n_{\eta'}$ from the r-values of the descendant node $n_\eta$. From the equations $y_{\eta',1} = r_{\eta',1} + \alpha(\sigma u) \bmod q$ and $y_{\eta',2} = r_{\eta',2} + \alpha\sigma \bmod q$, the bank can compute $u = (y_{\eta',1} - r_{\eta',1})/(y_{\eta',2} - r_{\eta',2}) \bmod q$ if $y_{\eta',2} \ne r_{\eta',2} \pmod q$. The probability of computing $u$ is $1 - 1/q$. Similarly, the bank can compute $u$ with probability $1 - 1/q$ when a customer has spent a node $n_\eta$ lying in a route from an already spent node $n_{\eta'}$.
Combining internal nodes: Until now, we have explained a method to combine unspent coins. In other words, our discussion is on the combining operation for the roots of coins. We can extend the discussion to the combining operation for the internal nodes of coins, i.e. the unspent portions of coins. To this end, the customer reveals the information used to compute the t-value $T$ of the root of a partially spent coin in addition to the values opened for the combining. The customer can thereby combine multiple unspent portions of divisible coins into one coin and spend it at a time.

4.1 Comparison of Cost

We compare the computational cost and the communication cost of the combined scheme with those of multiple use of the original scheme for spending $n$ coins with $n = 2^{\tilde\ell}$.

(a) Communication cost: We call communication cost the sum of the lengths of all messages sent by the customer to the merchant in the payment protocol, i.e. signatures, opened values and the response to a challenge.

(a-i) Communication cost in multiple use: In the original EO scheme $\mathrm{Sig}(m', T) = (z', a', b', r')$. The length of the signature together with $m'$ and $T$ is $5|p| + |q|$ bits for one coin. So for $n$ coins, the length related to the signatures becomes $n(5|p| + |q|)$ bits. The length of the opened hash values varies depending on which $T_k$'s, $1 \le k \le n$, are spent and in what way; for each $T_k$ the number of opened hash values is counted as explained in Sect. 2.3. On the other hand, the response to the challenge is $2|q|$ bits for each $T$. In total, the communication cost is $5n|p| + 3n|q|$ if only the roots of the individual coins are spent, and $5n|p| + 3n|q| + L$ if internal nodes of the individual coins are spent, where $L$ denotes the length of all opened hash values.

(a-ii) Communication cost in the combining: As shown in Sect. 3.3 the signature of $(M_{\tilde\ell,1}, [T_k]_1^n)$ is expressed as
$$\Big([a_k]_1^n,\ \big[B_k^{(\tilde\ell)}\big]_{k=1}^{n},\ Z_{\tilde\ell,1},\ R_{\tilde\ell,1},\ [\gamma_k]_1^n,\ \Big[[\Gamma_{\tilde\imath,\tilde\jmath}]_{\tilde\jmath=1}^{2^{\tilde\ell-\tilde\imath}}\Big]_{\tilde\imath=1}^{\tilde\ell-1}\Big)$$
in the multi-tiered combining. The customer gives $M_{\tilde\ell,1}$ and $[T_k]_1^n$ together with the above signature to the merchant. Therefore, the total length of these values is $(3n+2)|p| + (2n-1)|q|$. The number of opened hash values and the response to the challenge do not increase from the individual use. Hence, we have $(3n+2)|p| + (4n-1)|q|$ for the use of the roots and $(3n+2)|p| + (4n-1)|q| + L$ for the use of internal nodes, where $L$ denotes the length of the opened hash values.

(b) Computational cost: We evaluate the computational cost required for the proposed construction. It is divided into the cost for combining coins and the cost for verifying combined coins.
(b1) Computational cost for combining coins: In the multi-tiered combining method, the customer executes one multiplication modulo $p$ for each of $M_{i,j}$ and $Z_{i,j}$, one multiplication modulo $q$ for $R_{i,j}$ and one evaluation of each of the hash functions for $\Gamma_{i,j}$, $C_{i,j}$ and $T_{i,j}$, for each pair $(i,j)$ satisfying $1 \le i \le n$, $1 \le j \le n/2^i$. There are $(n-2)$ internal nodes and one root. Thus $2(n-1)$ multiplications modulo $p$ and $(n-1)$ multiplications modulo $q$ are required. Moreover, the customer has to prepare $[B_k^{(i)}]_{k=2^i(j-1)+1}^{2^i j}$ for each $(i,j)$ satisfying $1 \le i \le n$, $1 \le j \le n/2^i$. The sequence $[B_k^{(i)}]_{k=2^i(j-1)+1}^{2^i j}$ can be computed by $[(B_k)^{\sigma_{i,j}} \pmod p]_{k=2^i(j-1)+1}^{2^i j}$, that is,
$$\Big[\prod_{\tilde k = 2^i(j-1)+1}^{2^i j} (B_k)^{s_{\tilde k}} \pmod p\Big]_{k=2^i(j-1)+1}^{2^i j}.$$
The computation involves $O(n)$ $|q|$-bit exponentiations. Apparently its computational cost dominates the computational cost for combining coins. To reduce the computational cost during the payment, the customer prepares in advance a table of $(B_k)^{s_{\tilde k}}$ for all $k, \tilde k$ s.t. $2^i(j-1)+1 \le k, \tilde k \le 2^i j$. By direct calculation, the table is computed through $2^{2i}$ $|q|$-bit exponentiations. Then $B_k^{(i)}$ can be computed from the prepared table of $(B_k)^{s_{\tilde k}}$'s. For fixed $k$, $B_k^{(\tilde\imath)}$ for $\tilde\imath \in \{1, \cdots, i\}$ can be derived by multiplying $B_k^{(\tilde\imath-1)}$ with $2^{\tilde\imath-1}$ elements of the table. So $(2^i - 1)$ multiplications are required for computing $B_k^{(\tilde\imath)}$ for each fixed $k$. In total, the customer executes $2^i(2^i - 1)$ multiplications for the preparation of $\big[[B_k^{(\tilde\imath)}]_{k=2^i(j-1)+1}^{2^i j}\big]_{\tilde\imath=1}^{i}$. From these observations, when $i = \tilde\ell$, the customer performs $n^2$ $|q|$-bit exponentiations for preparing the table and $n(n-1)$ multiplications modulo $p$ for generating all $B_k^{(i)}$ satisfying $1 \le k \le n$ and $1 \le i \le \tilde\ell$. With the prepared table, the customer can generate a combined coin for any group of coins among the $n$ coins. Also, as soon as the customer withdraws new coins, she can enlarge the table and combine any group of coins associated with the table. If we do not need to discuss the combining of arbitrary groups of coins, the customer can prepare a slightly modified table after $n(\tilde\ell + 1)$ $|q|$-bit exponentiations. Afterwards, when the customer has decided to combine the $n$ coins, she can compute $\big[[B_k^{(\tilde\imath)}]_{k=1}^{n}\big]_{\tilde\imath=1}^{\tilde\ell}$ after $n\tilde\ell$ multiplications modulo $p$.
(b2) Computational cost for verification: We evaluate the number of exponentiations and omit the evaluation of other operations.

(b2-i) Verification cost in multiple use: In the multiple use of the EO scheme, if each coin is verified individually, four exponentiations are performed for each coin from the congruences (1). However, a more efficient verification method called batch verification [1] is known.

[Batch verification for the EO scheme] Select $\alpha_i \in \{0,1\}^\delta$ for all $i \in \{1, \ldots, n\}$, and check
$$\prod_{i=1}^{n} (a'_i)^{\alpha_i} \overset{?}{\equiv} g^{(\sum_{i=1}^n r'_i \alpha_i \bmod q)}\, h^{(-\sum_{i=1}^n c'_i \alpha_i \bmod q)} \pmod p,$$
$$1 \overset{?}{\equiv} \prod_{i=1}^{n} \big((m'_i)^{-r'_i} (z'_i)^{c'_i}\, b'_i\big)^{\alpha_i} \pmod p.$$
The check requires $2n+2$ $|q|$-bit exponentiations plus $2n$ $\delta$-bit exponentiations for the verification of $n$ coins. Remark that to defeat the attack shown in [2], the extra precaution proposed in the same paper is required in the batch verification, e.g. the modulus $p$ is selected such that $(p-1)/(2q)$ is prime and $\min(q, (p-1)/(2q)) > 2^\delta$. The EO scheme works under such a condition.

(b2-ii) Verification cost in the combining: Let $E_i$ be the number of different bases for which a $|q|$-bit exponentiation is computed in the first expression of (6), where $i$ denotes the $i$-th tier in the combined tree. From the expressions (6), we can observe $E_i = 2E_{i-1} - 1$ and $E_1 = 3$. By induction we obtain $E_i = 2^{i-1}(E_1 - 1) + 1 = 2^i + 1$. Therefore $E_{\tilde\ell} = n + 1$. Since the same relationship holds for the second expression of (6), the computational cost for the verification is evaluated as $(2n+2)$ $|q|$-bit exponentiations. The combining operation cuts $2n$ $\delta$-bit exponentiations from the computational cost of the verification, compared with the case of individual verification. As a summary, we have Table 1, where $L$ and $\delta$ denote the length of the opened hash values and the parameter for the batch verification, respectively. Under the parameters of a 1024-bit modulus $p$ and a 160-bit modulus $q$, we can show that the message length is reduced, for example, by about 16 percent for combining two coins and about 30 percent for combining 16 coins.

Table 1. Comparison between multiple use and combining

                                              Multiple use                          Combined coins
Computational cost (No. of exp.)              (2n+2) |q|-bit exp. + 2n δ-bit exp.   (2n+2) |q|-bit exp.
Message length (bit), use of roots            5n|p| + 3n|q|                         (3n+2)|p| + (4n−1)|q|
Message length (bit), use of internal nodes   5n|p| + 3n|q| + L                     (3n+2)|p| + (4n−1)|q| + L
exp.: exponentiations
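The one-tiered and multi-tiered combining of Sects. 3.2 and 3.3, the merchant's check (6) from Sect. 3.4, and the two verification methods compared in Sect. 4.1 (b2), as an added Python example that is not code from the paper. Assumptions made here: the same toy group as before (p = 2039, q = 1019, g = 4, g1 = 9, g2 = 16) and SHA-256 in place of H and H2; the bank signs each coin directly with its secret x instead of running the blind withdrawal, so B is derived as b'^{1/s}, which satisfies b' = B^s exactly as Sect. 3.1 requires; and in the tier-1 base case of L the combined coin's own Z_{i,j} and B_k^{(i)} are used as bases, which is the reading of (6) under which the check goes through and under which the base count E_i of (b2-ii) holds. The batch test follows the (b2-i) check with δ = 20; the Boyd-Pavlovski parameter condition on p discussed there is not modelled by the toy group.

```python
import hashlib
import random

# Constructed toy parameters (far too small for real use): q | p - 1, and g, g1, g2
# are quadratic residues mod p, hence generators of the order-q subgroup.
P, Q = 2039, 1019
G, G1, G2 = 4, 9, 16
X = 321                       # bank's secret key; h = g^x is its public key
H_PUB = pow(G, X, P)

def h2(*items) -> int:
    """H2 over integers and byte strings, reduced mod q (used for gamma, c, Gamma, C)."""
    hsh = hashlib.sha256()
    for it in items:
        hsh.update(it if isinstance(it, bytes) else int(it).to_bytes(4, "big"))
    return int.from_bytes(hsh.digest(), "big") % Q

def hash_t(left: int, right: int) -> int:
    """H of eq. (2): T_{i,j} = H(T_{i-1,2j-1} || T_{i-1,2j})."""
    return h2(b"T", left, right)

def issue_coin(m: int, s: int, T: int, omega: int) -> dict:
    """One EO coin on (m' = m^s, T), signed directly by the bank (the blind protocol is
    skipped). c' follows (3); B = b'^(1/s) so that b' = B^s as in Sect. 3.1."""
    mp = pow(m, s, P)
    z, a, b = pow(mp, X, P), pow(G, omega, P), pow(mp, omega, P)
    gamma = h2(mp, z, a, b)
    return {"m": mp, "z": z, "a": a, "b": b, "T": T, "gamma": gamma, "s": s,
            "r": (X * h2(gamma, T) + omega) % Q, "B": pow(b, pow(s, -1, Q), P)}

def verify_coin(c: dict) -> bool:
    """The original check (1) with c' = H2(gamma, T)."""
    cp = h2(c["gamma"], c["T"])
    return (pow(G, c["r"], P) == pow(H_PUB, cp, P) * c["a"] % P
            and pow(c["m"], c["r"], P) == pow(c["z"], cp, P) * c["b"] % P)

def combine(coins: list) -> dict:
    """Combining method 2: fold n = 2^l coins of one customer into one signature on
    (M, [T_k]). The Gamma values of the tiers below the root travel with it."""
    tiers = [[{"M": c["m"], "Z": c["z"], "R": c["r"], "T": c["T"], "sigma": c["s"]}
              for c in coins]]
    while len(tiers[-1]) > 1:
        prev, span, cur = tiers[-1], 2 ** len(tiers), []
        for j in range(len(prev) // 2):
            lt, rt = prev[2 * j], prev[2 * j + 1]
            ks = range(span * j, span * (j + 1))          # coins under node (i, j)
            node = {"M": lt["M"] * rt["M"] % P, "Z": lt["Z"] * rt["Z"] % P,
                    "T": hash_t(lt["T"], rt["T"]), "sigma": (lt["sigma"] + rt["sigma"]) % Q}
            node["B"] = [pow(coins[k]["B"], node["sigma"], P) for k in ks]   # B_k^(i)
            node["Gamma"] = h2(node["M"], node["Z"], *[coins[k]["a"] for k in ks], *node["B"])
            node["R"] = (h2(node["Gamma"], node["T"]) * lt["R"] + rt["R"]) % Q  # C*R_l + R_r
            cur.append(node)
        tiers.append(cur)
    root = tiers[-1][0]
    return {"M": root["M"], "Z": root["Z"], "R": root["R"], "B": root["B"],
            "a": [c["a"] for c in coins], "gamma": [c["gamma"] for c in coins],
            "T": [c["T"] for c in coins],
            "Gamma": [[nd["Gamma"] for nd in tier] for tier in tiers[1:-1]]}

def verify_combined(sig: dict) -> bool:
    """Merchant check of Sect. 3.4 step 2 via the K/L recursion (6). The tier-1 base
    uses the combined coin's Z and the B_k^(l), the bases counted in Sect. 4.1 (b2-ii)."""
    n = len(sig["T"])
    depth = n.bit_length() - 1                                   # l = log2 n
    cs = [h2(g, T) for g, T in zip(sig["gamma"], sig["T"])]      # c_k = H2(gamma_k, T_k)
    Ts, Cs = sig["T"], []
    for i in range(1, depth + 1):
        Ts = [hash_t(Ts[2 * j], Ts[2 * j + 1]) for j in range(len(Ts) // 2)]
        gammas = (sig["Gamma"][i - 1] if i < depth
                  else [h2(sig["M"], sig["Z"], *sig["a"], *sig["B"])])  # root Gamma recomputed
        Cs.append([h2(g, T) for g, T in zip(gammas, Ts)])        # C_{i,j} = H2(Gamma, T)
    K, L = [], []
    for j in range(n // 2):
        e = (cs[2 * j] * Cs[0][j] + cs[2 * j + 1]) % Q
        K.append(pow(H_PUB, e, P) * pow(sig["a"][2 * j], Cs[0][j], P) * sig["a"][2 * j + 1] % P)
        L.append(pow(sig["Z"], e, P) * pow(sig["B"][2 * j], Cs[0][j], P) * sig["B"][2 * j + 1] % P)
    for i in range(1, depth):
        K = [pow(K[2 * j], Cs[i][j], P) * K[2 * j + 1] % P for j in range(len(K) // 2)]
        L = [pow(L[2 * j], Cs[i][j], P) * L[2 * j + 1] % P for j in range(len(L) // 2)]
    return pow(G, sig["R"], P) == K[0] and pow(sig["M"], sig["R"], P) == L[0]

def batch_verify(coins: list, delta: int = 20) -> bool:
    """Small-exponent batch test of Sect. 4.1 (b2-i): 2n delta-bit exponentiations."""
    al = [random.getrandbits(delta) for _ in coins]
    cps = [h2(c["gamma"], c["T"]) for c in coins]
    sum_r = sum(c["r"] * a for c, a in zip(coins, al)) % Q
    sum_c = sum(cp * a for cp, a in zip(cps, al)) % Q
    lhs = prod = 1
    for c, cp, a in zip(coins, cps, al):
        lhs = lhs * pow(c["a"], a, P) % P
        prod = prod * pow(pow(c["m"], -c["r"] % Q, P) * pow(c["z"], cp, P) * c["b"] % P, a, P) % P
    return lhs == pow(G, sum_r, P) * pow(H_PUB, -sum_c % Q, P) % P and prod == 1

def demo(n: int = 4) -> tuple:
    """Issue n coins to one customer (constructed secrets), combine, run all checks."""
    rnd = random.Random(7)
    m = pow(G1, 123, P) * G2 % P              # m = I g2 with I = g1^u; the same m for every coin
    coins = [issue_coin(m, rnd.randrange(1, Q), pow(G1, k + 1, P), rnd.randrange(1, Q))
             for k in range(n)]
    sig = combine(coins)
    forged = dict(sig, R=(sig["R"] + 1) % Q)
    return (all(verify_coin(c) for c in coins), batch_verify(coins),
            verify_combined(sig), verify_combined(forged))
```

demo(n) returns (every coin verifies individually, the batch test passes, the combined coin verifies, a combined coin with a tampered R verifies), i.e. (True, True, True, False) for n = 2, 4 or 8. The combining only works because every coin of one customer is built on the same m = I g2: M_{i,j} is then m raised to the summed blinding factor σ_{i,j}, which is what lets Z_{i,j} = M_{i,j}^x and B_k^{(i)} = M_{i,j}^{ω_k} stand in for the individual z_k and b_k in (6).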
5 Concluding Remarks

In this paper we have examined the combining capability in offline divisible cash schemes. As an example, we have shown a combining method for the Eng-Okamoto scheme, which mainly provides a reduction of communication complexity. The original Eng-Okamoto scheme is not efficient enough among the offline cash schemes known so far. Nonetheless, to the authors' knowledge, no method has been proposed for combining offline divisible coins, and our result is important in giving evidence of offline divisible coins with combining capability. It is an important topic to construct offline coins with combining capability in other efficient electronic cash schemes (with anonymity revocation).
References
[1] M. Bellare, J. A. Garay and T. Rabin, "Fast Batch Verification for Modular Exponentiation and Digital Signatures," K. Nyberg (Ed.), Advances in Cryptology - EUROCRYPT '98, Lecture Notes in Computer Science 1403, Springer-Verlag, pp. 236-250 (1998).
[2] C. Boyd and C. Pavlovski, "Attacking and Repairing Batch Verification Schemes," T. Okamoto (Ed.), Advances in Cryptology - ASIACRYPT 2000, Lecture Notes in Computer Science 1976, Springer-Verlag, pp. 58-71 (2000).
[3] S. Brands, "Untraceable Off-line Cash in Wallet with Observers," D. R. Stinson (Ed.), Advances in Cryptology - CRYPTO '93, Lecture Notes in Computer Science 773, Springer-Verlag, pp. 302-318 (1994).
[4] D. Chaum, "Online Cash Checks," J.-J. Quisquater and J. Vandewalle (Eds.), Advances in Cryptology - EUROCRYPT '89, Lecture Notes in Computer Science 434, Springer-Verlag, pp. 288-293 (1990).
[5] E. Chida, M. Mambo and H. Shizuya, "Digital Money – A Survey," Interdisciplinary Information Sciences, Vol. 7, No. 2, pp. 135-165 (2001).
[6] T. Eng and T. Okamoto, "Single-Term Divisible Electronic Coins," A. De Santis (Ed.), Advances in Cryptology - EUROCRYPT '94, Lecture Notes in Computer Science 950, Springer-Verlag, pp. 306-319 (1995).
[7] T. Okamoto, "Provably Secure and Practical Identification Schemes and Corresponding Signature Schemes," E. F. Brickell (Ed.), Advances in Cryptology - CRYPTO '92, Lecture Notes in Computer Science 740, Springer-Verlag, pp. 31-53 (1993).
[8] T. Okamoto, "An Efficient Divisible Electronic Cash Scheme," D. Coppersmith (Ed.), Advances in Cryptology - CRYPTO '95, Lecture Notes in Computer Science 963, Springer-Verlag, pp. 438-451 (1995).
[9] C. Pavlovski, C. Boyd and E. Foo, "Detachable Electronic Coins," V. Varadharajan and Y. Mu (Eds.), Information and Communication Security, ICICS'99, Lecture Notes in Computer Science 1726, Springer-Verlag, pp. 54-70 (1999).
Efficient Object-Based Stream Authentication

Yongdong Wu, Di Ma, and Changsheng Xu
Laboratories for Information Technology
21 Heng Mui Keng Terrace, Singapore 119613
{wydong,madi,xucs}@lit.a-star.edu.sg
Abstract. This paper presents an object-based stream authentication scheme for practical end-to-end applications on the present network infrastructure and protocols. In this proposal, a stream is divided into objects that are delivered sequentially. Each object consists of a unique identifier, content and operations. At the sender side, a locked object identifier is produced by encrypting the object identifier with a key generated from a MAC of the object content. The object content and the locked identifier are transmitted to the receiver. The receiver can recover the object identifier and check it to authenticate the object. The scheme tolerates packet loss, and incurs no additional overhead if the identifier is ingeniously chosen. In the experiment, we overload some particular fields in the headers of standard protocols as the object identifier to implement a real-time video stream authentication scheme.
1 Introduction

A stream is a potentially very long (infinite) sequence of bits, such as a live sport programme. It is always split into packets to be delivered one by one, since the sender has insufficient memory to buffer the whole stream, or the receiver wants to consume the data in real time. As in other applications involving message communication, data integrity is important in streaming. A straightforward authentication solution is to append a signature or Message Authentication Code (MAC) to each packet itself. This naïve solution may increase the communication traffic and reduce the performance of the sender host. Watermark-based authentication schemes may not help to authenticate a stream, because an attacker can make small modifications to the stream without affecting the watermark. A practical stream authentication scheme should be lightweight in overhead and tolerant of packet loss.

1.1 Previous Stream Authentication Solutions
Gennaro and Rohatgi [1] initially addressed stream authentication and suggested two solutions to authenticate a stream. In their off-line paradigm, the sender divides a finite stream into a sequence of packets P_i (i = 1, 2, ..., n) and generates a new packet sequence P'_i by appending a hash value of packet P'_{i+1} (initial value P'_{n+1} = 0) to P_i. That is to say, P'_i = P_i ‖ H(P'_{i+1}), where H(·) is a one-way function and ‖ denotes concatenation. The first packet P_0 includes H(P'_1 ‖ n) and the signature on H(P'_1 ‖ n) produced by the sender. After receiving the first packet P_0, the receiver verifies the signature and saves H(P'_1 ‖ n) so as to authenticate the second packet P'_1. After authenticating P'_1, the receiver extracts H(P'_2) from packet P'_1 and keeps it to authenticate P'_2. This process continues until P'_n is authenticated. In their on-line solution, the size of the stream is unknown; each packet is appended with a one-time signature and a one-time public key for verifying the one-time signature of the next packet. Both methods increase the traffic substantially and cannot tolerate packet loss.
To overcome the above shortcomings, a chaining technique for signing flows is presented in [2] based on tree chaining techniques. To construct an authentication tree, a group of packets is considered as a block. The root is the digest of the block and the value of an intermediate node is the digest of its children. Any packet can be authenticated individually because it carries its own authentication information, which consists of the block signature, the packet position in the tree, and the siblings of each node on the packet's path to the root. Wong and Lam [2] extended the Feige-Fiat-Shamir signature scheme to be adjustable and incremental so that verifiers with different resources can verify the stream at different security levels. Perrig et al. [3] proposed two stream authentication schemes. One is Timed Efficient Stream Loss-tolerant Authentication (TESLA), which relies on a synchronization margin between the sender and the receiver. The sender transmits to the receiver a packet P, a commitment to a key k and the MAC H(k ‖ P). After a certain time interval, the sender discloses key k so that the receiver can verify packet P. A prerequisite security condition of TESLA is that the receiver must obtain a packet before the next packet is sent from the sender.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 354–367, 2002. © Springer-Verlag Berlin Heidelberg 2002
Efficient Object-Based Stream Authentication
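The off-line paradigm of Gennaro and Rohatgi described above can be exercised with the following added example; it is not code from the paper or from [1]. SHA-256 stands in for the one-way function H(·), packets are 0-indexed here, the terminal link P'_{n+1} is taken as the empty string, and the signed first packet P_0 is reduced to the anchor value H(P'_1 ‖ n), which the verifier is assumed to have obtained authentically. The receiver walks the chain and stops at the first packet whose hash does not match, which shows concretely why a single lost packet leaves the rest of the stream unverifiable.

```python
import hashlib

HASH_LEN = 32  # bytes of H(.) output appended to every packet


def H(data: bytes) -> bytes:
    """One-way function H(.) of the scheme; SHA-256 stands in for it (assumption)."""
    return hashlib.sha256(data).digest()


def build_chain(packets, n_bytes=4):
    """Sender side of the off-line paradigm.

    Produces P'_i = P_i || H(P'_{i+1}) for i = n-1 ... 0 (0-indexed here), with the
    terminal link taken as the empty string (the text's P'_{n+1} = 0), and returns
    (anchor, chained) where anchor = H(P'_0 || n) is the value that the signed
    first packet P_0 of the text carries.
    """
    n = len(packets)
    chained = [b""] * n
    next_hash = H(b"")  # hash of the empty terminal packet
    for i in range(n - 1, -1, -1):
        chained[i] = packets[i] + next_hash
        next_hash = H(chained[i])
    anchor = H(chained[0] + n.to_bytes(n_bytes, "big"))
    return anchor, chained


def verify_stream(anchor, n, received, n_bytes=4):
    """Receiver side: `received` is a list of (index, P'_i) in arrival order.

    Returns the indices that could be authenticated. Verification stops at the
    first gap or mismatch, because the hash needed to check packet i+1 is only
    available from an authenticated packet i.
    """
    expected = anchor
    authenticated = []
    next_index = 0
    for idx, pkt in received:
        if idx != next_index:
            break  # packet loss: the chain cannot be continued
        digest = H(pkt + n.to_bytes(n_bytes, "big")) if idx == 0 else H(pkt)
        if digest != expected:
            break  # tampered or forged packet
        authenticated.append(idx)
        expected = pkt[-HASH_LEN:]  # H(P'_{i+1}) carried inside this packet
        next_index += 1
    return authenticated


def payload(chained_packet: bytes) -> bytes:
    """Strip the appended hash to recover the original packet P_i."""
    return chained_packet[:-HASH_LEN]


if __name__ == "__main__":
    # Constructed sample stream of five packets.
    packets = [b"pkt%d" % i for i in range(5)]
    anchor, chained = build_chain(packets)
    print(verify_stream(anchor, 5, list(enumerate(chained))))        # all five
    lossy = [(i, p) for i, p in enumerate(chained) if i != 2]
    print(verify_stream(anchor, 5, lossy))                           # only 0 and 1
```

With every packet delivered the receiver authenticates all of them; dropping packet 2 leaves packets 3 and 4 unverifiable even though they arrive intact, and altering one byte of packet 1 stops the chain right there. The appended digest is 32 bytes per packet, which is the traffic increase the text refers to.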
The other scheme is the Efficient Multi-chained Stream Signature (EMSS) scheme, which aims to achieve non-repudiation besides source authentication. In the EMSS scheme, a packet P_i includes the hash value H(P_{i−1}) of its previous packet P_{i−1}. The last packet is a signature on its previous packet (i.e., the second-to-last packet). If the signature is authenticated, all the previous packets are authenticated. To increase robustness, any packet P_i may be attached with several hash values H(P_j) where j < i. Miner and Staddon [4] authenticate digital streams over a lossy network based on a graph. In their authentication scheme tolerant of random loss, each packet is assumed to be lost independently with the same probability. In a p-random graph, for all pairs of nodes (i, j) where i < j, there is a directed edge from node i to node j with probability p. A node is associated with a packet, and an edge e(i, j) means H(P_i) ∈ P_j. The first packet P_1 is the signature packet, which is always received by the receiver. Hence, packet P_i can be authenticated if and only if there is a path from P_i to P_1. The authors also constructed an authentication scheme that is tolerant of burst loss. In this scheme, the packets are categorized based on their priorities. The packets of the highest priority class are evenly spaced throughout the stream. To tolerate a single burst, the packets of the highest priority class are chained and packets of other classes are chained to those packets of the highest priority class. The authors extended this scheme to tolerate multi-burst loss by adding edges ending in the highest priority packets. To reduce the overhead, we make a small improvement on the construction of the p-random graph: if there is an edge between P_i and P_1, other edges starting from P_i are redundant and are removed. The total hash overhead is reduced by one by removing the edge e(s_{1,3}, s_{0,3}) (dashed line in Fig. 1), because s_{0,1} is the signature packet and the edge e(s_{1,3}, s_{0,3}) provides authentication for packet s_{1,3}. Recently, Park et al. [5] constructed an authentication scheme by encoding the hash values of the packets and the signature on the whole block with an erasure code algorithm (e.g. the Information Dispersal Algorithm). This strategy amortizes a signature over all the packets in a block to reduce space overhead and increase the tolerance of packet loss. Once it has obtained a sufficient number of packets, the receiver can recover the signature and authenticate the packets.
Fig. 1. Sara Miner Scheme [4] (r = 2, k_0 = K_1 = 2)
1.2 Weakness in Block-Based Solutions
All the above schemes divide a stream into a sequence of blocks B_0, B_1, ..., B_i, ..., and further divide each block into packets P_{i0}, P_{i1}, ..., P_{ij}, ..., P_{in}. Within a block B_i, one or more relationship chains between packets P_{ij} are built, and only one signature is required to authenticate the whole block B_i. We call them block-based authentication schemes. There are two other weaknesses in this strategy in addition to the space overhead of MACs or signatures.
1. Additional overhead required to foil attacks. Because there is no relationship between the blocks, the whole stream may be forged even if each block is authentic. For example, suppose a real time stock quote stream “Intel Corporation $30.00 Microsoft Corporation $55.00” is divided into 4 blocks B_0, B_1, B_2 and B_3 as shown in Table 1. Even if all the blocks B_0, B_1, B_2 and B_3 are authenticated, an attacker is able to forge a stream by reordering the blocks as shown in Table 2. The attacker can also delete blocks B_1 and B_2 to produce another forged stream. Apparently, the forged stream conveys wrong information, which is not the intention of the sender. To foil block reordering, replaying or deleting attacks, additional overhead such as a sequence number should be employed.
2. Error propagation. In the above block-based authentication schemes, because a stream is divided evenly or randomly, each packet or block does not have any physical meaning itself. Therefore, the receiver may not get correct, useful information from a single packet or block unless its context (previous and following packets/blocks) is correctly received. When a packet is lost, its contiguous packets or blocks may not be usable. For example, assume the above exemplary stream is divided into packets (or blocks) in the way shown in Table 3. If P_1 is lost, P_0 and P_2 are useless because the receiver does not know how to interpret the messages even though they are authenticated.
Table 1. Original blocks
B_0: Intel Corporation
B_1: $30.00
B_2: Microsoft Corporation
B_3: $55.00
Table 2. Reordering attack
B_0: Intel Corporation
B_1: $55.00
B_2: Microsoft Corporation
B_3: $30.00
1.3 Our Scheme
In this proposal, we segment a stream into meaningful objects that can be processed independently on both the sender and receiver sides. Objects carry self-contained information that can be understood correctly without the context of their contiguous objects. For example, the above exemplary stream can be divided into two objects O_0 and O_1 as shown in Table 4. Even if object O_0 is lost, object O_1 is still intelligible.
Table 3. Error propagation in block-based schemes
P_0: Intel Corpora
P_1: tion $30.00 M
P_2: icrosoft Corp
P_3: oration $55.00
Table 4. Object-based scheme
O_0: Intel Corporation $30.00
O_1: Microsoft Corporation $55.00
An object includes members and operations on members. Object members are the content and the identifier. The object content is the raw data describing the object. The object identifier is a set of elements related to the object; it should be fixed or predictable to the receiver, and it can be overloaded. Object operations are content coding and object authenticating. Content coding is application specific and beyond the scope of this paper. Object authenticating includes identifier locking, identifier unlocking and identifier verifying. To lock an identifier, the sender encrypts the identifier with a key generated from the MAC of the content. The object, including the locked identifier and the content, is transmitted to the receiver. After receiving the object, the receiver computes the MAC of the content with the key shared between the sender and the receiver. The unlocking operation decrypts the locked identifier with the MAC as the key. At last, the verifying operation checks whether the identifier is the expected one. If not, the receiver rejects the object. One advantage of our object-based scheme is that the loss of packets only affects the corresponding object itself; other objects are still meaningful. Secondly, it can foil replaying, reordering or deleting attacks. Finally, by exploiting the intrinsic structure of an object, the locked identifier overloads fields already present in the stream and introduces zero overhead. A further reason the payload is reduced is that this scheme does not require additional space to foil re-ordering/replay attacks. The paper is organized as follows. Section 2 introduces the scheme and its performance. Section 3 is the application to video streams. In that section, we overview the headers of RTP [6, 7] and ITU-T H.261 [8] and introduce how to construct an object. At last, a conclusion is drawn.
2 Object-Based Scheme
2.1 Notation
In this authentication scheme, the sender and the receiver share a secret key k. They also agree on a block cipher algorithm (e.g. AES) whose encryption function is E(·, k) and decryption function is D(·, k), and on a collision-resistant hash function H(·).
– An object is a meaningful slice of a stream. An object O may be split into a sequence of packets. If part of the packets of an object is lost or tampered with, the whole object is discarded because an incomplete object does not provide useful information. Each object O comprises two members: identifier α and content M. Content M includes the raw data to describe the object.
– Identifier α describes object content M or the control data. Modification of identifier α may degrade the quality of the object greatly, even make the object useless. We denote an object by its member pair (α, M).
– Locked identifier c = E(α, H(k ‖ M)) is the cipher text of object identifier α. Locked identifier c may be amortized over all the packets within the same object. It is transmitted to the receiver along with object content M.
– f(·) is an application specific function indicating the relationship between object identifiers. For example, if x is the object identifier representing the current sampling time, then f(x) = x + t is the next sample instant, where t is the sampling cycle.
– ε ≪ 2^l is the number of tolerated burst object losses, where l is the number of bits of the encryption block (e.g., l = 128). ε is predefined and fixed in a session.
– Template set Ω_α = {α_i | α_i = f(α_{i−1}), i = 1, 2, ..., ε, α_0 = α} ∪ {α} includes all the object identifiers that the receiver expects to accept presently.
2.2 Primitives
Assumption. If E(α, k') = E(α, k), then k' ≠ k with negligible probability. A popular application of this assumption is the UNIX password authentication system. In the UNIX system, a user chooses a password P and registers it with the login process. The system stores E(0, P) on a hard disk. To access the system, a user inputs a password P', and the login process checks whether E(0, P') is equal to E(0, P). If so, the user is welcomed; otherwise, the user is refused.
Proposition 1. Given a publicly known identifier α, the sender transmits to the receiver a message M and cipher text c = E(α, H(k ‖ M)). The receiver calculates α' = D(c, H(k ‖ M)). If α' ≡ α, then message M is authenticated.
Proof: Assume Proposition 1 is false, i.e., with non-negligible probability an adversary can produce a message M' ≠ M and c' such that D(c', H(k ‖ M')) = α, i.e., c' = E(α, H(k ‖ M')). If c' ≡ c, then E(α, H(k ‖ M')) = E(α, H(k ‖ M)), so by the assumption H(k ‖ M') = H(k ‖ M). This contradicts the hypothesis that H(·) is collision resistant. If c' ≠ c, then α = D(c', H(k ‖ M')) indicates that the cipher algorithm is so weak that a ciphertext-only attack can be mounted. This contradicts the hypothesis of the block cipher algorithm. So Proposition 1 must be true.
Proposition 2. Given k and x ∈ Ω_α, if a k' can be found such that E(y, k') = E(x, k), where y ∈ Ω_α, then k' ≠ k with negligible probability.
Proof: Obviously, if x = y, then k' ≠ k with negligible probability. If x ≠ y, there are ε independent equations E(x, k) = E(y_j, k_j), where y_j ∈ Ω_α, x ≠ y_j, j = 1, 2, ..., ε. Assume Proposition 2 is false, i.e., with non-negligible probability an adversary can calculate key k_j from a pair (b, y_j) where b = E(x, k). This means that the cipher algorithm is vulnerable to a ciphertext-only attack, contradicting the hypothesis of the block cipher algorithm. Thus, if x ≠ y, an adversary cannot calculate k' by solving E(y, k') = E(x, k). So Proposition 2 must be true.
The assumption is a special case of Proposition 2 (i.e., ε = 0). In the case of Proposition 2, an attacker has a higher probability of success in cheating the receiver than in the case of the assumption, but the success probability is still very small.
Lemma. Given a publicly known set Ω_α, the sender transmits to the receiver a message M and cipher text c = E(x, H(k ‖ M)), where x ∈ Ω_α. The receiver calculates α' = D(c, H(k ‖ M)). If α' ∈ Ω_α, message M and x are authenticated.
Proof: Assume this lemma is false, i.e., with non-negligible probability an adversary can produce a message M' ≠ M and c' such that y = D(c', H(k ‖ M')) ∈ Ω_α, i.e., c' = E(y, H(k ‖ M')). If c' = c, then E(y, H(k ‖ M')) = E(x, H(k ‖ M)). Since x ∈ Ω_α and y ∈ Ω_α, by Proposition 2 H(k ‖ M') = H(k ‖ M). This contradicts the hypothesis that H(·) is collision resistant. So if c' = c, then M' = M. Let us consider the case c' ≠ c, with y = D(c', H(k ‖ M')). Of the ε equations z_i = D(c_i, H(k ‖ M_i)), where z_i ∈ Ω_α, i = 1, 2, ..., ε + 1, the adversary can solve at least one with negligible knowledge of k. That is to say, the adversary is able to launch a ciphertext-only attack. This contradicts the hypothesis of the block cipher algorithm. So the adversary cannot find a pair (c', M') such that D(c', H(k ‖ M')) ∈ Ω_α if c' ≠ c. So message M and c are authenticated. Since x = D(c, H(k ‖ M)), x is authenticated too.
2.3 Basic Authentication Protocol
Figure 2 illustrates the authentication process based on the above lemma. In this solution, both sides share the same key k and the initial identifier in advance. In a streaming application, the sender acquires data with specific devices and encapsulates the data correctly to create an object. After forming an object O = (α, M), the sender calculates c = E(α, H(k ‖ M)) and transmits object O' = (c, M) to the network. Then the sender creates a new object by updating the identifier and content for the next transmission.
Fig. 2. Basic authentication protocol
When the receiver obtains an object O', he computes α' = D(c, H(k ‖ M)). If α' ∈ Ω_α, object O = (α', M) is authenticated and the receiver updates the template set Ω_α. Then the receiver waits for the next object. For instance, in a video stream, an image frame is represented by an object whose identifier is a time variable with initial value α_0 and whose content M is the raw image data. Let f(x) = x + 1 and ε = 3. The initial template set is Ω_α = {α_0, α_0 + 1, α_0 + 2, α_0 + 3}. The sender delivers objects (c_0, M_0), (c_1, M_1), (c_2, M_2), ..., (c_i, M_i), ... sequentially, where c_i = E(α_i, H(k ‖ M_i)). For the sake of simplicity, we assume the recipient receives the objects in the right order. At first, the receiver obtains object (c_0, M_0). He calculates α' = D(c_0, H(k ‖ M_0)). Obviously α' = α_0 ∈ Ω_α, so object (c_0, M_0) is authenticated. The receiver changes identifier α to f(α') = α_0 + 1, and the template set Ω_α to {α_0 + 1, α_0 + 2, α_0 + 3, α_0 + 4}. Next, for whatever reason, objects (c_1, M_1) and (c_2, M_2) are lost. When object (c_3, M_3) arrives at the receiver side, the receiver calculates α' = D(c_3, H(k ‖ M_3)) = α_0 + 3. Because α' ∈ Ω_α, object (c_3, M_3) is authenticated too. Once object (c_3, M_3) is authenticated, the new identifier is α = f(α') = f(α_0 + 3) = α_0 + 4, and simultaneously the new template set is Ω_α = {α_0 + 4, α_0 + 5, α_0 + 6, α_0 + 7}.
2.4 Re-synchronization
In the above example, suppose there is a burst loss of 4 objects (c_4, M_4), (c_5, M_5), (c_6, M_6) and (c_7, M_7), and the recipient receives object (c_8, M_8). He calculates α' = D(c_8, H(k ‖ M_8)) = α_0 + 8. Because α' ∉ Ω_α, he will regard object (c_8, M_8) as a forgery and reject it. Since the template set Ω_α is not updated, all the following objects will be rejected too. To deal with this case, the basic scheme should be improved to re-synchronize the stream. The change is: when the receiver obtains an object (d_1, N_1) and rejects it, α_1 = D(d_1, H(k ‖ N_1)) should be buffered. When object (d_2, N_2) comes, the receiver calculates α_2 = D(d_2, H(k ‖ N_2)). If α_1 ∈ Ω_{α_2} (or α_2 ∈ Ω_{α_1}), then object (d_1, N_1) and object (d_2, N_2) are authenticated and the receiver sets the identifier α to f(α_1) (or f(α_2)). In the above example, assume the receiver obtains object (c_9, M_9). He calculates α' = D(c_9, H(k ‖ M_9)) = α_0 + 9. Because α' ∈ Ω_α = {α_0 + 8, α_0 + 9, α_0 + 10, α_0 + 11}, the receiver will authenticate objects (c_8, M_8) and (c_9, M_9). The new identifier is α = f(α') = f(α_0 + 9) = α_0 + 10. The new template set is Ω_α = {α_0 + 10, α_0 + 11, α_0 + 12, α_0 + 13}. With this improvement, whenever the receiver obtains two consecutive objects, he can authenticate them with this re-synchronization step.
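The basic protocol of 2.3 together with the re-synchronization step of 2.4, as an added Python example that is not part of the paper. Its assumptions: a 4-round Feistel network whose round function is HMAC-SHA256 stands in for the block cipher E/D (the text assumes AES; the stand-in only keeps the example on the standard library), H(k ‖ M) is computed with SHA-256 exactly as the text writes it (the keyed MAC of [9] would be the usual choice in practice), identifiers are integers encoded in one 128-bit block with f(x) = x + 1, and the shared key and frame contents are constructed sample values. The receiver keeps the template set Ω_α, accepts an object whose unlocked identifier falls in it, and otherwise buffers α' so that two consecutive consistent objects re-synchronize the stream; the scenario in the test replays the text's example with ε = 3.

```python
import hashlib
import hmac

BLOCK = 16  # l = 128 bits, the block size the text assumes (AES)


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: 64-bit slice of HMAC-SHA256 keyed by the object key."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(block: bytes, key: bytes) -> bytes:
    """Stand-in block cipher E(., key): 4-round Feistel network over 128-bit blocks.
    Assumption: it replaces AES only so that the example runs without extra libraries."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def D(block: bytes, key: bytes) -> bytes:
    """Inverse of E: the same rounds applied in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def object_key(k: bytes, content: bytes) -> bytes:
    """H(k || M) as written in the text; SHA-256 stands in for H(.)."""
    return hashlib.sha256(k + content).digest()


def lock(alpha: int, content: bytes, k: bytes) -> bytes:
    """Sender: c = E(alpha, H(k || M)); the identifier fills one 128-bit block."""
    return E(alpha.to_bytes(BLOCK, "big"), object_key(k, content))


def unlock(c: bytes, content: bytes, k: bytes) -> int:
    """Receiver: alpha' = D(c, H(k || M))."""
    return int.from_bytes(D(c, object_key(k, content)), "big")


class Receiver:
    """Receiver state of the basic protocol (2.3) with re-synchronization (2.4)."""

    def __init__(self, k: bytes, alpha0: int, eps: int = 3, f=lambda x: x + 1):
        self.k, self.eps, self.f = k, eps, f
        self.alpha = alpha0      # identifier expected next
        self.pending = None      # alpha' of the last rejected object, buffered for 2.4

    def template(self, alpha: int) -> set:
        """Omega_alpha = {alpha, f(alpha), ..., f^eps(alpha)}: eps + 1 acceptable values."""
        members, x = [alpha], alpha
        for _ in range(self.eps):
            x = self.f(x)
            members.append(x)
        return set(members)

    def receive(self, c: bytes, content: bytes) -> list:
        """Process one arriving object (c, M); return the identifiers it authenticates."""
        a = unlock(c, content, self.k)
        if a in self.template(self.alpha):          # basic scheme: accept and advance
            self.alpha, self.pending = self.f(a), None
            return [a]
        prev, self.pending = self.pending, a         # reject, but buffer alpha' (2.4)
        if prev is not None:
            if a in self.template(prev):             # alpha_2 in Omega_{alpha_1}
                self.alpha, self.pending = self.f(a), None
                return [prev, a]
            if prev in self.template(a):             # alpha_1 in Omega_{alpha_2}
                self.alpha, self.pending = self.f(prev), None
                return [prev, a]
        return []                                    # still rejected


if __name__ == "__main__":
    # Constructed sample session: objects 1, 2 and 4..7 never arrive.
    k, alpha0 = b"constructed shared key", 1000
    objs = [(lock(alpha0 + i, b"frame %d" % i, k), b"frame %d" % i) for i in range(10)]
    r = Receiver(k, alpha0, eps=3)
    for i in (0, 3, 8, 9):
        print(i, r.receive(*objs[i]), "expected next:", r.alpha)
```

Object 3 is accepted because the gap of two lost objects is within ε; object 8 follows a burst of four and is rejected but buffered, and object 9 then authenticates both, after which the expected identifier is α_0 + 10. A content modification yields an unlocked value far outside the template set, so the object is rejected, and a replayed old object is rejected because its identifier lies behind the window.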
2.5 Performance
Tolerance of Packet Loss. In the protocol, set Ω_α includes all the possible identifiers that the recipient expects to receive. Parameter ε indicates the number of burst object losses. If at most ε objects are lost consecutively, the identifier of the latest received object must be in the set Ω_α. Therefore, the receiver can authenticate the object. On the contrary, if the object identifier is not in the set Ω_α, this object cannot be verified. But based on the re-synchronization method, if two objects received consecutively are included in a template set Ω_α, both of them are authenticated. The object itself is an independent unit that can be interpreted without its neighbouring objects. If one object is lost, the other objects are not affected. This characteristic stops error propagation.
Overhead. The object identifier plays an important role in the authentication scheme. It is extracted from fields (e.g. the timestamp) that are necessary in the applications. Our protocol overloads these fields to provide authentication without affecting their normal functions. Thus, the extra space overhead for authentication is zero. On the other hand, there is only one hash calculation and one encryption/decryption operation per object. The computation overhead is very small.
Security. Based on the lemma in subsection 2.2, an attacker cannot produce a new object to cheat the receiver. Additionally, the object identifier chain generated from the function f(·) can foil reordering and replaying attacks.
3 Application on Video Stream
Most stream applications are real time data deliveries, such as audio/video broadcast, that run the Real-time Transport Protocol (RTP) on top of UDP. As an example, we explain how to build an object-based video stream authentication system. A video object represents an image frame that may be encapsulated in one or more IP packets. In this section, we explain how to create objects. In particular, we focus on the member identifier α derived from the RTP header and the H.261 header. In typical applications, these headers are necessary and standardized in the video stream system. For completeness, we overview these headers.
3.1 Overview of RTP and H.261
RTP Header. The RTP header has the following format [6] (see Table 5):
1. Timestamp: 32 bits. The timestamp reflects the sampling instant of the first octet in the RTP data packet. The initial value of the timestamp is random (unpredictable). For each frame time, the clock is incremented by a multiple of the nominal interval. RTP packets from the same video image must have the same timestamp.
2. Synchronization source (SSRC): 32 bits. The SSRC is the source of a stream of RTP packets, identified by a unique numeric value within a particular RTP session. All packets from an SSRC form part of the same timing and sequence number space, so a receiver can group packets by SSRC for playback.
In the RTP header, the SSRC is fixed in a session, and the timestamp changes in a predictable way. Thus these 2 fields can be overloaded.
Table 5. Structure of RTP Packet Header
ITU-T H.261. The H.261 coding is organized as a hierarchy of groups. The video stream is composed of a sequence of frames organized as a set of Groups of Blocks (GOB). There are 12 GOBs in Common Intermediate Format (CIF) and only 3 GOBs in QCIF. Based on the H.261 definition, the structure of a frame generated by the source encoder is shown in Table 6. PSC: Picture Start Code; its value is the 20-bit constant 0x00010. The structure of a GOB is shown in Table 7. GBSC: Group of Blocks Start Code; its value is the 16-bit constant 0x0001. In ITU-T H.261, PSC and GBSC are constants, which can be used in the authentication scheme.
3.2 Constructing Object Member
In a video streaming application, the sender acquires image data with a digital camera and encodes the sample data to produce ITU-T H.261 code, which is the payload of RTP packets. Because an image codec has at least 3 GOBs (the 1st, 3rd and 5th GOB) and is encapsulated into at least one RTP packet, we construct a string s as
s = Timestamp ‖ SSRC ‖ PSC ‖ GBSC ‖ GBSC ‖ GBSC ‖ ······ (1)
The size of string s is 32 + 32 + 20 + 16 × 3 = 132 bits. Assuming the cipher algorithm is AES, we denote the first 128 bits of string s as identifier α and the other part of the RTP packets as content M. If the video authentication system can tolerate ε burst object losses, template set Ω_α includes ε + 1 elements, because the string SSRC ‖ PSC ‖ GBSC ‖ GBSC ‖ GBSC is invariable in the whole session and there are ε + 1 acceptable timestamps in the latest transmission. The object is (α, M). The Appendix gives an example of constructing identifier α.
Table 6. Structure of H.261 Frame
PSC (20) | TR (5) | PTYPE (6) | PEI (1) | PSPACE | GOB
Table 7. Structure of GOB
GBSC (16) | GN (4) | GQUANT (5) | GEI (1) | GSPACE | MB
3.3 Locking Object Identifier
Before transmitting an object to the receiver, the sender encrypts object identifier α with the key k shared between the sender and the receiver. The locking process includes the following steps:
1. Encrypt identifier α with key k and M to generate cipher text c (i.e. c = E(α, H(k ‖ M))).
2. Denote by c(i, j) the sub-string of c between position i and position j. Substitute identifier α with c following formula (1). That is to say, replace the timestamp with c(0, 31), the SSRC with c(32, 63), the PSC with c(64, 83), and the GBSCs with c(84, 127) respectively. If there is more than one RTP packet for one frame, only the first RTP header is modified.
3. The modified object is (c, M). Because cipher text c replaces identifier α, the modified object has the same size as the original one. The modified object is sent to the receiver. That is to say, the overhead for authentication is zero.
3.4 Unlocking Object Identifier
Due to packet loss, part of an object may be lost. Such an incomplete object is intelligible to nobody and should be discarded. Therefore, the receiver processes complete objects only. After receiving all the RTP packets for one object, the receiver can reconstruct the original object by generating the decryption key from the secret k and the object content. The authentication steps are:
1. Extract a string c from the RTP header (timestamp and SSRC fields) and the ITU-T H.261 header (PSC and GBSC fields). The format of c follows formula (1). The other part of the RTP packets, which is not included in c, is message M.
2. Decrypt c with key k and M to generate a plain text α' (i.e. α' = D(c, H(k ‖ M))).
3. Segment α' into chunks following formula (1). That is to say, the timestamp is sub-string α'(0, 31), the SSRC is sub-string α'(32, 63), the PSC is sub-string α'(64, 83), and the GBSCs are sub-string α'(84, 127). Here, α'(i, j) refers to the sub-string of α' between position i and position j.
3.5 Verifying Object
After the receiver extracts all the fields of the object identifier, he can check them one by one.
– Because of packet loss in the network, the receiver may not receive all the objects. This means that the timestamp difference between two consecutively received objects may be greater than the nominal interval (e.g. 3003 for the 29.97 Hz sampling rate). If the video stream system can tolerate ε burst object losses, then the timestamp of a genuine object should be one of the ε + 1 values known to the receiver. Otherwise, discard the object.
– If the SSRC is not the previous source in the same session, discard the object.
– If the PSC is not equal to 0x00010, discard the object.
– If the GBSCs are not equal to 0x0001 0001 000, discard the object. Here, only 12 bits of the GBSC of the 5th GOB are used.
If the object passes these examinations, the H.261 code is decoded and the frame image is shown on the screen. At the same time, the receiver should save the latest timestamp and SSRC to authenticate the next object.
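The identifier construction of 3.2, the segmentation of step 3 in 3.4 and the field checks of 3.5 can be worked through on the packet bytes the appendix prints, as an added Python example that is not code from the paper. It parses the timestamp and SSRC from the RTP fixed header (RFC 1889), the PSC and the first GBSC from the H.261 picture header that follows the RFC 2032 payload header, packs them into the 128-bit identifier α of formula (1), splits it back, and applies the four checks. Assumptions: the sample input is the first 32 bytes of Table 8 (I-frame) and Table 10 (P-frame) as printed on the page; the GBSCs of the 3rd and 5th GOB lie beyond those bytes and are taken as parameters defaulting to the constant 0x0001; the ε + 1 acceptable timestamps are taken to be the next ε + 1 multiples of the nominal interval after the last accepted timestamp, modulo 2^32; the encryption of α is omitted here.

```python
RTP_FIXED_HEADER = 12    # RFC 1889 fixed header (no CSRC list, no extension)
H261_PAYLOAD_HEADER = 4  # RFC 2032 H.261 payload header
PSC = 0x00010            # 20-bit picture start code
GBSC = 0x0001            # 16-bit group of blocks start code
NOMINAL_INTERVAL = 3003  # 90 kHz timestamp ticks per frame at 29.97 Hz

# Sample input: the first two rows (32 bytes) of Table 8 (I-frame) and Table 10
# (P-frame) from the appendix of the paper.
TABLE8 = bytes.fromhex("801F905A000F945CDAD3CE341D003C00" "0001000E0001178635A36B14A422DE25")
TABLE10 = bytes.fromhex("809F905C000FA017DAD3CE3419003C00" "0001000E000117800049E18B6005450B")


class BitReader:
    """MSB-first bit reader for the H.261 bitstream."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def read(self, nbits: int) -> int:
        value = 0
        for _ in range(nbits):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return value


def parse_header_fields(pkt: bytes, gbsc3: int = GBSC, gbsc5: int = GBSC) -> dict:
    """Pull the identifier fields out of the first RTP packet of a frame.

    The GBSCs of the 3rd and 5th GOB sit deeper in the bitstream than the bytes
    shown on the page, so they are parameters (assumption: both equal the constant).
    Only the top 12 bits of the 5th GBSC enter the 128-bit identifier.
    """
    if pkt[0] >> 6 != 2 or pkt[0] & 0x10:
        raise ValueError("expected RTP version 2 without header extension")
    csrc_count = pkt[0] & 0x0F
    timestamp = int.from_bytes(pkt[4:8], "big")
    ssrc = int.from_bytes(pkt[8:12], "big")
    start = RTP_FIXED_HEADER + 4 * csrc_count + H261_PAYLOAD_HEADER
    br = BitReader(pkt[start:])
    psc = br.read(20)
    br.read(5)            # TR
    br.read(6)            # PTYPE
    pei = br.read(1)
    while pei:            # skip PSPARE octets while PEI is set
        br.read(8)
        pei = br.read(1)
    gbsc1 = br.read(16)
    return {"timestamp": timestamp, "ssrc": ssrc, "psc": psc,
            "gbsc": (gbsc1, gbsc3, gbsc5 >> 4)}


def build_identifier(fields: dict) -> int:
    """Pack the fields into the 128-bit identifier alpha of formula (1): string
    positions 0-31 timestamp, 32-63 SSRC, 64-83 PSC, 84-127 the three GBSC chunks."""
    g1, g3, g5 = fields["gbsc"]
    return ((fields["timestamp"] << 96) | (fields["ssrc"] << 64) |
            (fields["psc"] << 44) | (g1 << 28) | (g3 << 12) | g5)


def split_identifier(alpha: int) -> dict:
    """Inverse of build_identifier: step 3 of the unlocking procedure (3.4)."""
    return {"timestamp": alpha >> 96, "ssrc": (alpha >> 64) & 0xFFFFFFFF,
            "psc": (alpha >> 44) & 0xFFFFF,
            "gbsc": ((alpha >> 28) & 0xFFFF, (alpha >> 12) & 0xFFFF, alpha & 0xFFF)}


def expected_timestamps(last_timestamp: int, eps: int = 3) -> set:
    """The eps + 1 timestamps a genuine next object may carry after the last accepted
    one (assumption: frames are spaced on the nominal interval, modulo 2^32)."""
    return {(last_timestamp + j * NOMINAL_INTERVAL) & 0xFFFFFFFF for j in range(1, eps + 2)}


def verify_fields(fields: dict, last_timestamp: int, last_ssrc: int, eps: int = 3):
    """The checks of 3.5, applied in order; returns (accepted, reason)."""
    if fields["timestamp"] not in expected_timestamps(last_timestamp, eps):
        return False, "timestamp outside the tolerance window"
    if fields["ssrc"] != last_ssrc:
        return False, "SSRC changed within the session"
    if fields["psc"] != PSC:
        return False, "bad PSC"
    if fields["gbsc"] != (GBSC, GBSC, GBSC >> 4):
        return False, "bad GBSC"
    return True, "ok"
```

On the page's own bytes, the I-frame packet yields the identifier 000F945C DAD3CE34 00010 0001 0001 000 that the appendix prints, and the P-frame's timestamp is exactly one nominal interval (3003 ticks) later, so it passes the window check with the I-frame as the last accepted object; a changed SSRC, a wrong PSC or a timestamp five intervals ahead (beyond ε = 3) is discarded.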
4 Conclusion
This paper presents a stream authentication scheme based on object structure. The scheme is highly resistant to packet loss and does not incur any overhead. As an end-to-end stream delivery solution, it is compatible with present protocols and applicable to the present Internet infrastructure. Besides applications in real time multimedia communication, this proposal can also be applied to software streaming and real-time systems (e.g., surveillance and process control). Consider an applet downloaded from a web server; it includes many objects transmitted from the server one by one. The browser (e.g. Netscape Navigator) can execute the authenticated objects before the transmission of the whole applet is finished. Furthermore, this object-based authentication scheme can be integrated with block-based schemes such as EMSS. The drawback is that the fields used to construct the identifier must be customized to the application.
References
[1] Rosario Gennaro and Pankaj Rohatgi, “How to Sign Digital Streams”, CRYPTO’97, LNCS 1294, pp. 180-197.
[2] Chung Kei Wong and Simon S. Lam, “Digital Signatures for Flows and Multicasts”, IEEE ICNP’98, http://citeseer.nj.nec.com/wong98digital.html
[3] A. Perrig, R. Canetti, D. Tygar and D. Song, “Efficient Authentication and Signature of Multicast Streams over Lossy Channels”, IEEE Symposium on Security and Privacy, 2000.
[4] Sara Miner and Jessica Staddon, “Graph-Based Authentication of Digital Streams”, IEEE Symposium on Security and Privacy, 2001.
[5] Jung Min Park, Edwin K. P. Chong and Howard Jay Siegel, “Efficient Multicast Packet Authentication Using Signature Amortisation”, IEEE Symposium on Security and Privacy, 2002.
[6] H. Schulzrinne, S. Casner, R. Frederick and V. Jacobson, “RTP: A Transport Protocol for Real-Time Applications”, RFC 1889, 1996.
[7] T. Turletti and C. Huitema, “RTP Payload Format for H.261 Video Stream”, RFC 2032, 1996.
[8] ITU-T Recommendation H.261, Line Transmission of Non-Telephone Signals, 1993.
[9] M. Bellare, R. Canetti and H. Krawczyk, “Keying Hash Functions for Message Authentication”, CRYPTO’96, LNCS 1109, pp. 1-15, 1996.
[10] P. Rohatgi, “A Compact and Fast Hybrid Signature Scheme for Multicast Packet Authentication”, 6th ACM Conference on Computer and Communication Security, pp. 93-100, 1999.
[11] A. Perrig, R. Canetti, D. Tygar and D. Song, “Efficient and Secure Source Authentication for Multicast”, ISOC Network and Distributed System Security Symposium (NDSS), 2001.
[12] Philippe Golle and Nagendra Modadugu, “Authenticating Streamed Data in the Presence of Random Packet Loss”, ISOC Network and Distributed System Security Symposium (NDSS), 2001, http://www.isoc.org/isoc/conferences/ndss/01/2001/index.htm
Appendix: Example of Constructing the Identifier
In our video conference prototype, the video sample rate is 29.97 Hz. The image is in CIF format. We show two consecutive frames in Figure 3 (left) and Figure 3 (right) respectively. In this implementation, the stream is divided into objects. An object includes all RTP packets within the same image frame. Because an incomplete image is useless, we discard all the data if part of an image is lost. Figure 3 (left) shows an I-frame consisting of two IP/UDP/RTP packets. Table 8 is the first part of its first RTP packet, and Table 9 is the first part of its second RTP packet. Figure 3 (right) shows the P-frame consisting of only one IP/UDP/RTP packet. Table 10 is the first part of its RTP packet. In Table 8, the timestamp is 0x000F945C and the SSRC is 0xDAD3CE34. The PSC is 0x00010 and the GBSC is 0x0001. In Table 9, the timestamp is 0x000F945C and the SSRC is 0xDAD3CE34. The identifier is
Table 8. First RTP packet of the I-frame
0010  80 1F 90 5A 00 0F 94 5C DA D3 CE 34 1D 00 3C 00
0020  00 01 00 0E 00 01 17 86 35 A3 6B 14 A4 22 DE 25
0030  B7 FA DE 03 33 F5 0F 47 48 02 DB 2C 69 2D 57 28
0040  18 75 EB 14 31 91 3F 51 13 17 7C 13 9B 1E 65 08
Fig. 3. I-frame (left) and P-frame (right) from a video sequence
Table 9. Second RTP packet of the I-frame
0010  80 9F 90 5B 00 0F 94 5C DA D3 CE 34 29 00 3C 00
0020  00 00 BB C1 86 F2 9B 01 D6 DC 37 3D 83 AB 2C 5B
0030  75 4F 54 5D 17 90 1D 80 98 30 9A FB 04 06 8C 1A
0040  D7 B2 51 CA ED E8 70 0A C3 06 80 DD 28 01 4E C3
00 0F 94 5C DA D3 CE 34 00 01 0 00 01 00 01 00 0
The size of this identifier is 128 bits. In Table 10, the timestamp is 0x000FA017 and the SSRC is 0xDAD3CE34. The PSC is 0x00010 and the GBSC is 0x0001. The identifier α is
00 0F A0 17 DA D3 CE 34 00 01 0 00 01 00 01 00 0
Thus, we can construct a 128-bit identifier α from the RTP header and the ITU-T H.261 header. If we select MD5 as the hash function and AES to generate the locked identifier c, the length of the locked identifier c is exactly 128 bits. When identifier α is replaced with the locked identifier c, the size of the object remains unchanged.
Table 10. RTP packet of the P-frame
0010  80 9F 90 5C 00 0F A0 17 DA D3 CE 34 19 00 3C 00
0020  00 01 00 0E 00 01 17 80 00 49 E1 8B 60 05 45 0B
0030  9A 00 2C 28 74 A5 29 CF F4 54 31 65 00 D7 6C 05
0040  3F D8 DB 27 26 59 0D C0 64 31 25 0F D7 5A 46 86
The Security of a Mix-Center Based on a Semantically Secure Cryptosystem
Douglas Wikström, Swedish Institute of Computer Science (SICS), [email protected]
Abstract. We introduce a definition of a re-encryption mix-center, and a definition of security for such a mix-center. Then we prove that any semantically secure public key system, which allows re-encryption, can be used to construct a secure mix-center.
1 Introduction
The notion of a mix-net was invented by Chaum [3] and further developed by a number of people. Properly constructed, a mix-net enables a set of senders to send messages anonymously. A mix-net can be viewed as an electronic analog of a tombola: messages are put into envelopes, the envelopes are mixed, and finally opened. It is impossible to tell who sent any given message. Thus the service that a mix-net provides is anonymity. Informally, the requirements on a mix-net are: correctness, privacy, robustness, availability, and efficiency. Correctness implies that the result is correct given that all mix-centers are honest. Privacy implies that if a fixed minimum number of mix-centers are honest, the anonymity of the sender of a message is ensured. Robustness implies that if a fixed number of mix-centers are honest, then any attempt to cheat is detected and defeated. Availability and efficiency are the general requirements on any system run on an open network. A mix-net consists of a number of mix-centers, i.e. servers, that collectively execute a protocol. The basic idea of a mix-net, present already in Chaum’s work [3], is that each mix-center receives a list of encrypted messages, transforms them using partial decryption or random re-encryption, reorders them, and then outputs the transformed and reordered list. It should be difficult to find an element in the input list and an element in the output list that encrypt the same message. The reason for using several independent mix-centers is that it allows a sender to trust a subset of the mix-centers to ensure privacy. Later constructions have mostly dealt with robustness, availability and efficiency, which are aspects ignored by Chaum.
1.1 Previous Work and Applications of Mix-Nets
The mixing paradigm has been used to accomplish anonymity in many different scenarios. Chaum's original "anonymous channel" [3, 19] enables a sender to securely send mail to a receiver anonymously, and also to securely receive mail from this recipient without revealing the sender's identity. When constructing election schemes [3, 8, 21, 24, 18] the mix-net is used to ensure that the vote of a given voter cannot be revealed. Also in the construction of electronic cash systems [12] mix-nets have been used to ensure anonymity. Thus a mix-net is a useful primitive in constructing cryptographic protocols.
Abe gives an efficient construction of a general mix-net [1], and argues about its properties. Jakobsson has written (partly with Juels) a number of more general papers on the topic of mixing [11, 13, 14], also focusing on efficiency, of which the first appeared at the same time as Abe's construction. Jakobsson states a result similar to our Theorem 1 given below in an informal form as Lemma 1a in [13], but for the special case where the underlying cryptosystem is El Gamal. We discuss his lemma in more detail in the next section. Desmedt and Kurosawa [5] describe an attack on a protocol by Jakobsson [11]. Similarly Mitomo and Kurosawa [16] exhibit a weakness in another protocol by Jakobsson [13]. Pfitzmann has given some general attacks on mix-nets [23], and Michels and Horster give additional attacks in [17].
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 368–381, 2002. © Springer-Verlag Berlin Heidelberg 2002
1.2 Previous Results on Mix-Centers
This work started with an attempt at writing down a formal proof of Jakobsson's Lemma 1a [13], given in a slightly simplified form below. Unfortunately the statement, proof sketch, and usage of this lemma are not satisfactory.
Lemma 1a (Jakobsson). If the adversary can, with a non-negligible advantage over a guess uniformly at random, match any input of a mix-center to its corresponding output, then this adversarial strategy can be used as a black box to break the Decisional Diffie-Hellman assumption with a probability poly().
One problem is that it assumes all message variables identically and independently distributed. This model does not mirror the real world, where it is common that the adversary has some prior knowledge about the distribution of messages sent by a given party, and not all senders should be approximated by the same distribution. Similarly it is probable that some message variables are dependent. Consider for example elections, where the votes of spouses mostly are dependent. Some problems with arbitrarily distributed messages follow. Firstly, it is no longer clear how to state the lemma formally, since it is not clear what it should mean to "guess uniformly at random". Since the adversary knows the order of the input elements of the first mix-center he may be able to guess in different ways giving vastly different success probabilities. This is described in full detail when we argue about Definition 6. Secondly, Jakobsson assumes that the outcomes of the different copies of the message variables are all different. This allows him to say that the probability of randomly guessing a matching pair is $\frac{1}{N+2}$. This is no longer true if the number of possible messages is small. Additionally, taking this into consideration, it is not possible to argue like Jakobsson does in the argument about the (N + 2)-th hybrid. He claims that if we pick new elements from the "message distribution" the (N + 2)-th hybrid will have no advantage. Consider a uniformly distributed variable over a set of only two messages. When the lists are very large it is likely that replacing all sent messages by new outcomes of the message variable does not change the lists much, and one cannot conclude that the hybrid has no advantage. Thirdly, the proof sketch of the security of the complete mix-net of Jakobsson breaks down if we do not assume uniformly and independently distributed message variables, since he applies his lemma also to the first mix-center in the first re-encryption phase. This follows since, in the proof, he permutes the input to the adversary A randomly, and this is not the case in the protocol, where the first mix-center in the first re-encryption phase may have partial knowledge about the distribution of the message variables. Another problem is that Jakobsson uses Lemma 1a in his proof sketch of his Theorem 1. We discuss this issue in Section 3.3. We conclude that a satisfactory definition and formal proof are missing, and that some care is needed to avoid misuse of Theorem 1.
1.3 Contribution
In some papers cited above, results about security and anonymity are claimed, but a formal definition of a mix-center and a formal proof using such a definition are missing in the literature. We provide a definition of security for a single re-encryption mix-center and show in Theorem 1 that any semantically secure re-encryption public key system can be used to construct a secure mix-center. We have restricted ourselves to mix-centers based on the random re-encryption paradigm. We do not claim to give a definition of the privacy of a mix-net, since a definition of security of a complete mix-net must involve several other aspects. We highlight this in Section 3.3, where we explain two phenomena related to our theorem that occur naturally in the construction of a mix-net. One of these phenomena illustrates a misuse of Theorem 1 in the literature that to our knowledge was undetected until now. The results we present provide some of the missing pieces in a future formal proof of security of a mix-net based on the re-encryption paradigm.
2 Notation and Definitions
We concentrate on non-uniform adversaries and denote the set of polynomial size circuit families by PC. Let X be a random variable with probability function $p_X : \{0,1\}^n \to [0,1]$. Let M be a string describing a probabilistic circuit. We use the notation M(X) for the induced random variable resulting when M is run on outcomes of X. Unless otherwise stated, all random variables are independent of all other random variables. We denote boolean values by T and F for true and false respectively.
Let $\Sigma_N$ be the group of permutations on N elements. If N(n) is a polynomial we sometimes write $\Sigma_N$ for the family $\{\Sigma_{N(n)}\}$. We use a $\pi_N \in \Sigma_N$ both as a permutation and as a function, i.e. if l is a list then $\pi_N l$ is the permuted list, and if $\Delta$ is a set of indices then $\pi_N(\Delta)$ is the image of this set under the bijection defined by $\pi_N$. We write $\mathcal{M}_n = \{0,1\}^n$, and $\mathcal{M} = \{\mathcal{M}_n\}$. We abuse notation for families of objects and the actual objects in a family, i.e. if we should write "for each n, $M_n$ is a random variable distributed over $\mathcal{M}_n$", we instead write "M is uniformly distributed over $\mathcal{M}$". Another example of this abuse of notation is that $\Pr[D(E(m)) = m] > 1 - \frac{1}{n^c}$ in Definition 1 below should be interpreted as $\Pr[D_n(E_n(m_n)) = m_n] > 1 - \frac{1}{n^c}$. The same convention is used throughout. This convention greatly simplifies the exposition.
The following definitions of a secure cryptosystem are given by Micali, Rackoff, and Sloan in [15]. The definition of semantic security given in [15] is a slightly changed version of a definition given by Goldwasser and Micali in [9]. Together these two papers give a proof of equivalence of the definition of semantic security of a cryptosystem and Definition 2 below.
Definition 1 (Public Key Cryptosystem, cf. [15]). A Public Key Cryptosystem is a probabilistic Turing machine C running in expected polynomial time that on input $1^n$ outputs the description of two probabilistic circuits $E_n$ and $D_n$ of polynomial size in n such that for a polynomial $\kappa(n)$:
1. The encryption circuit $E_n$ has n inputs and $\kappa(n)$ outputs.
2. The decryption circuit $D_n$ has $\kappa(n)$ inputs and n outputs.
3. $\forall m \in \mathcal{M}$, $\forall c > 0$, $\exists n_0$ such that for $n > n_0$: $\Pr[D(E(m)) = m] > 1 - \frac{1}{n^c}$.
We use the notation E(m, r) instead of E(m) when we want to make explicit the probabilistic input r, and we assume that the number of random bits used by E is $\eta(n)$, a polynomial in n. We write $R_n = \{0,1\}^{\eta(n)}$, and $R = \{R_n\}$. Suppose $m = (m_1, \ldots, m_N) \in \mathcal{M}^N$, and $r = (r_1, \ldots, r_N) \in R^N$. We use the notation $E(m, r) = (E(m_1, r_1), \ldots, E(m_N, r_N))$ for element-wise encryption.
Definition 2 (GM-security, cf. [15]). Let $(E, D) = \{(E_n, D_n)\} = \{C(1^n)\}$, where C is a public key cryptosystem, and let b be uniformly and independently distributed in {0, 1}. C is GM-secure if $\forall m_0, m_1 \in \mathcal{M}$, $\forall T \in PC$ and $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[T(E, m_0, m_1, E(m_b)) = m_b] - \frac{1}{2}\right| < \frac{1}{n^c}.$$
Another definition of security which can be proven equivalent to the other two is the following:
Definition 3 (GM-security*). Let $(E, D) = \{(E_n, D_n)\} = \{C(1^n)\}$, where C is a public key cryptosystem, and let b be uniformly and independently distributed in {0, 1}. C is GM-secure* if $\forall m_0, m_1 \in \mathcal{M}$, $\forall T \in PC$ and $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[T(E, m_0, m_1, E(m_b), E(m_{1-b})) = b] - \frac{1}{2}\right| < \frac{1}{n^c}.$$
The following lemma is "folklore" knowledge, but for completeness we give a proof in the appendix.
Lemma 1. Definition 3 is equivalent to Definition 2.
3 The Security of a Mix-Center
To be able to formally prove anything about a mix-center we first define the concept of a mix-center and the right notion of security.
3.1 Definitions
The following definition captures that cryptotexts can be re-encrypted without knowledge of the private key. This property is closely related to the homomorphic property used in many papers (e.g. [10]). The by now classical El Gamal cryptosystem [7] and the recently discovered Paillier cryptosystem [20] are examples of systems that fit this definition.
Definition 4 (Re-Encryption Public Key Cryptosystem (RPKC)). A Re-Encryption Public Key Cryptosystem is a public key cryptosystem C that on input $1^n$, in addition to descriptions of $E_n$ and $D_n$, also outputs the description of a circuit $F_n$ of polynomial size in n such that:
1. $F_n$ has $\kappa(n)$ inputs and $\kappa(n)$ outputs.
2. For all $m \in \mathcal{M}$ and all $\alpha, \alpha' \in E(m, R)$ we have: $\Pr[\alpha' = F(\alpha)] = \Pr[\alpha' = E(m)]$.
The function F above is called the "re-encryption function". As for E we use the notation F(α, r) instead of F(α) when we want to make explicit the probabilistic input r of F viewed as a deterministic circuit. Without loss of generality we can assume that $E_n$, $D_n$ and $F_n$ use an equal number of random bits, i.e. we assume that all of the circuits use $\eta(n)$ random bits, where $\eta(n)$ is a polynomial in n. Again we use the array notation as introduced above, i.e. $F(\alpha, r) = (F(\alpha_1, r_1), \ldots, F(\alpha_N, r_N))$, for arrays $\alpha = (\alpha_1, \ldots, \alpha_N) = E(m)$ and $r = (r_1, \ldots, r_N) \in R^N$.
Formally Definitions 2 and 3 are not applicable to an RPKC. The reason is that A and T in Definitions 2 and 3 respectively are given only E and not F as input. To see that this is an important detail, consider an RPKC C such that if we ignore F in the output it is GM-secure. Clearly C can encode the description of D into the description of F, which makes C easy to break using the knowledge of F. It is however trivial to extend the definitions to be applicable also to an RPKC such that the equivalence of the definitions still holds. Thus we use the definitions as if they were defined properly for the case at hand, i.e. A and T in Definitions 2 and 3 respectively take as additional input F from the output (E, D, F) of C.
Definition 5 (Re-Encryption Mix-Center (RMC)). A Re-Encryption Mix-Center is a probabilistic Turing machine $C_H$ running in expected polynomial time that on input $(1^n, N)$, where N is a polynomial N(n) in n, outputs descriptions of probabilistic circuits $E_n$, $D_n$, $F_n$, and $H_n$ of polynomial size in n such that:
1. The probabilistic Turing machine $K_N(C_H)$ that, given input $1^n$, simulates $C_H$ on input $(1^n, N)$ and outputs descriptions of $E_n$, $D_n$, $F_n$ is an RPKC.
2. $H_n$ has $\kappa(n) \times N$ inputs and $\kappa(n) \times N$ outputs.
3. $H(\alpha) = \Pi_N F(\alpha)$, where $\Pi_N$ is uniformly distributed in $\Sigma_N$.
We use the notation $\pi_N F(\alpha, r) = H(\alpha)$ when we want to make explicit H's probabilistic input, i.e. $\pi_N$ and r.
Note that the above is a definition of a re-encryption mix-center. In Chaum's [3] original construction each mix-center performed a partial decryption, and not a re-encryption. In Chaum's construction the number of input bits is not equal to the number of output bits. Also one could imagine that a mix-center received input encrypted with one cryptosystem, and produced output using another cryptosystem.
A Definition of a Secure RMC. We now introduce a notion of security for an RMC. Define a predicate ρ with regard to a given RMC taking as input a pair of lists and a pair of indices. Let $l = E(m, r)$ and $l' = \pi_N F(l, r')$, where $m = (m_1, \ldots, m_N) \in \mathcal{M}^N$, $r, r' \in R^N$, and $\pi_N \in \Sigma_N$. Let (i, j) be a pair of indices $1 \le i, j \le N$. We let $\rho(l, l', i, j) = T$ if and only if it holds that $m_i = m_{\pi_N^{-1}(j)}$.
The predicate is true if the encryption at index i in l and the encryption at index j in l' both encrypt the same message. It is clearly possible that there exist several pairs $(i, j_1), (i, j_2), \ldots, (i, j_k)$ for which $\rho(l, l', i, j_t) = T$. The following definition says that given a secure RMC it is impossible to find a pair of indices (i, j) such that $\rho(l, l', i, j)$ holds with respect to the input l and output l' of the RMC notably better than guessing cleverly.
Definition 6 (Security of an RMC). Let $C_H$ be an RMC, define the family $(E, D, F, H) = \{(E_n, D_n, F_n, H_n)\} = \{C_H(1^n)\}$, and let $A \in PC$. Let M be arbitrarily but independently distributed over $\mathcal{M}^N$, and let $J = \{J_n\}$, where $J_n$ is uniformly and independently distributed over $\{1, \ldots, N(n)\}$. Define the random variables:
$$L = E(M), \quad L' = H(L), \quad \text{and} \quad (I_A, J_A) = A(E, F, L, L').$$
$C_H$ is secure if for all M and A as above $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[\rho(L, L', I_A, J_A) = T] - \Pr[\rho(L, L', I_A, J) = T]\right| < \frac{1}{n^c}.$$
We argue that this is the right definition of a secure RMC as follows. Suppose that the underlying cryptosystem $K_N(C_H)$ is in some magical way perfect. That is, a cryptotext gives no information in an information theoretical sense about the encrypted message. Then an adversary clearly cannot pick the second component of its output better than picking a uniformly chosen index, since the permutation $\Pi_N$, unknown to the adversary, is uniformly and independently distributed. On the other hand the first component can still be chosen cleverly to bias the success probability. Consider for example the case where all $M_i$ are constant, and all but one equal $m_i$. Then the success probability depends heavily on how the first component is chosen. The definition states that given an adversary A that has a certain success probability, we get almost the identical success probability by using the first component of A's output and picking the second component randomly. Since we pick the second index randomly this amounts to clever guessing.
3.2 Results on the Security for an RMC
Let $K_N(C_H)$ denote the probabilistic Turing machine that given input $1^n$ simulates $C_H$ on input $(1^n, N)$ to get $(E_n, D_n, F_n, H_n)$ and outputs $(E_n, D_n, F_n)$. We are able to prove the following theorem, of which Jakobsson's Lemma 1a [13] could be said to be a special case.
Theorem 1. $C_H$ is a secure RMC if and only if for all polynomials N(n) in n, $K_N(C_H)$ is a semantically secure RPKC.
The theorem implies that if there exists a semantically secure RPKC, then the construction given in Definition 5 gives a secure mix-center according to Definition 6. We implicitly use the generalization of Definitions 2 and 3 to re-encryption public key cryptosystems, as discussed in Section 3.1. We give a proof of Theorem 1 in Appendix A. Note that the presence of the quantification over the variable N in Theorem 1 is necessary. Without it there could exist some N for which $K_N(C_H)$ outputs trivial (E, D, F). We also need that N is polynomial in n since we otherwise would be unable to perform a hybrid argument in the proof.
3.3 Definition 6 is Not Sufficient for a Mix-Net
Our results give strong evidence for the security of many constructions of mix-nets in the literature. However they do not imply that the mix-nets proposed in the literature are secure, since there is not even a formal definition of security of a mix-net. Neither is Definition 6 intended to serve as a definition of security of a mix-net. To emphasize this fact we give a generalization of an attack on mix-nets of which special cases have been described by Pfitzmann [23] and Jakobsson [11]. Jakobsson also gives a solution for how to prevent this attack. We also give an example of a situation where our results seem to be applicable but are not.
Using Malleability to Break Anonymity. The notion of non-malleability was introduced by Dolev, Dwork and Naor [6]. Informally a cryptosystem is non-malleable if, given a cryptotext $\alpha_i = E(m_i)$ of a message $m_i$, it is impossible to construct $\alpha'_i = E(m'_i)$, where $m'_i$ has some non-trivial relation to $m_i$. Suppose that we have a mix-net that viewed as a single mix-center is secure by Definition 6, and that the cryptotexts given as input to the mix-net are encrypted using a malleable cryptosystem. Let $\alpha_i = E(m_i)$ be the encryption of a message $m_i$ sent to the mix-net by Alice. We want to break the anonymity of her message. To do this we construct $\alpha'_i = E(m'_i)$ by using the malleability of the cryptosystem, where $(m_i, m'_i) \in R$, and R is some non-trivial relation. Then we send $\alpha_j = \alpha'_i$ as our message. Thus the input to the mix-net can be written as $\alpha_1, \ldots, \alpha_N$, where $\alpha_i$ is the cryptotext of Alice and $\alpha_j = \alpha'_i$ is our contrived cryptotext. The output in cleartext of the mix-net has the form $\hat m_1, \ldots, \hat m_N$, where $m_i = \hat m_l$ for some l and $m'_i = \hat m_k$ for some $k \ne l$. If we apply the transformation $\phi_R$ on each $\hat m_i$, where $\phi_R(m_i) = m'_i$ and $(m_i, m'_i) \in R$, we get a list of the form $\hat m'_1, \ldots, \hat m'_N$. Note now that $\hat m_k = \hat m'_l$. This implies that it is likely that $\hat m_l$ is the message sent by Alice. Depending on the relation R the probability of getting an ambiguous answer is higher or lower, and several attackers using "independent" relations increase the probability of a correct guess. Jakobsson's [11] relation is the identity, and Pfitzmann [23] assumes an El Gamal cryptosystem where she uses the relation $R_x = \{(m, m^x)\}$ for some fixed x. The attack clearly fails if we use a non-malleable cryptosystem and check for identical cryptotexts, and this is what Jakobsson proposes. The conclusion is that Definition 6 is inappropriate to define the privacy of a complete mix-net. A definition of privacy of mix-nets must allow adaptive attacks like the above, and must be defined in a multi-party setting.
Using Malleability to Break Robustness. A frequently used paradigm to achieve efficient and robust mix-net protocols is repetition. Consider the following game, where we let the underlying cryptosystem be the El Gamal system. Let $m = (m_1, \ldots, m_N)$ be an array of cleartexts, let $\alpha = E(m)$ be the corresponding array of cryptotexts, and let H be the output of a secure RMC. Let $\alpha'$ be the concatenation of h copies of the list $\alpha$, and set $\alpha'' = H(\alpha')$. Note that $\alpha''$ contains a multiple of h different cryptotexts of each $m_i$. Suppose we are given $\alpha''$ and the goal of the game is to replace all cryptotexts of any single arbitrarily chosen message $m_i$ with encryptions of some other message $m'_i$, but leave the remaining set of encrypted messages fixed. That is, we must, given $\alpha''$, construct an $\alpha'''$ such that it contains a multiple of h cryptotexts of each $m_i$ except one $m_j$, for which we have replaced all its cryptotexts by encryptions of some $m'_j$. What is the probability of success in this game? At first it seems that if all $m_i$ are different, then since the RMC is secure the probability should be something like the probability of guessing the position of all h copies of cryptotexts of $m_i$. Indeed an argument similar to this is used by Jakobsson [13] in the proof sketch of his Theorem 1.
Unfortunately this is not true in general, not even for uniformly distributed messages, as the following example shows. Suppose that the cryptosystem in use is the El Gamal system [7] over a group G. Let $m_1$ be uniformly and independently distributed in $G = \mathcal{M}$, let $k_1 \in G$ and $0 \ne k_2 \in \mathbb{Z}_{|G|}$ be fixed, and set $m_i = k_1 m_{i-1}^{k_2}$ for all $i \ne 1$. Given an El Gamal cryptotext $\alpha_i = E(m_i)$ of $m_i$ it is easy to compute $f(\alpha_i) = E(k_1 m_i^{k_2})$ without knowledge of the private key. Thus to succeed in our game we need only compute the list $f(\alpha)$, where we let f be defined element-wise. This maps cryptotexts of $m_{i-1}$ onto cryptotexts of $m_i$, except for $m_N$, which is mapped to an element $m'_1 \ne m_i$ for all $m_i$. Thus we have in effect replaced cryptotexts of $m_1$ with cryptotexts of $m'_1$ without identifying which cryptotexts to change. Even though this example is not an immediate attack on any existing mix-net construction, an argument similar to this, but for a more complicated game, can be found in Jakobsson's proof sketch of Theorem 1 in [13], and possibly other papers as well. We would welcome a formal proof of such claims.
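The objects defined in Section 3.1 (the re-encryption function F of Definition 4, the mix-center H of Definition 5, the predicate ρ and the |∆_i|/N guessing baseline of Definition 6 and Lemma 3) and the El Gamal map f of this section, worked through as an added Python example that is not part of the paper. The group parameters p = 1019, q = 509, g = 4, the seed, and the constants k_1 = 16, k_2 = 3 are constructed for the example; the sizes are toy sizes chosen so the algebra is easy to follow, not parameters for real use.

```python
import random
from typing import List, Tuple

# Constructed toy parameters: p = 2q + 1 with q prime, and G = 4 generates the
# order-q subgroup of Z_p^*. Far too small for real use; only the algebra matters.
P, Q, G = 1019, 509, 4

Cipher = Tuple[int, int]


def make_rng(seed: int) -> random.Random:
    """Seeded randomness so that runs are reproducible."""
    return random.Random(seed)


def random_group_element(rng: random.Random) -> int:
    """Uniform element of the order-q subgroup; messages and k_1 live here."""
    return pow(G, rng.randrange(1, Q), P)


def keygen(rng: random.Random) -> Tuple[int, int]:
    """El Gamal key pair: private x, public y = g^x."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y: int, m: int, r: int) -> Cipher:
    """E(m, r) = (g^r, m * y^r)."""
    return pow(G, r, P), m * pow(y, r, P) % P


def decrypt(x: int, c: Cipher) -> int:
    """D(c) = c2 * c1^(-x); c1 has order q, so c1^(-x) = c1^(q - x)."""
    c1, c2 = c
    return c2 * pow(c1, Q - x, P) % P


def reencrypt(y: int, c: Cipher, r: int) -> Cipher:
    """F(c, r) of Definition 4: multiply by a fresh encryption of 1. The plaintext
    is unchanged and, for uniform r, the output is distributed like a fresh E(m)."""
    c1, c2 = c
    return c1 * pow(G, r, P) % P, c2 * pow(y, r, P) % P


def mix(y: int, l: List[Cipher], rng: random.Random) -> Tuple[List[Cipher], List[int]]:
    """H(l) = pi_N F(l) of Definition 5: re-encrypt element-wise, then permute
    uniformly. Returns the output list and the secret permutation (i -> pi[i])."""
    pi = list(range(len(l)))
    rng.shuffle(pi)
    out: List[Cipher] = [(0, 0)] * len(l)
    for i, c in enumerate(l):
        out[pi[i]] = reencrypt(y, c, rng.randrange(1, Q))
    return out, pi


def rho(x: int, l: List[Cipher], lp: List[Cipher], i: int, j: int) -> bool:
    """The predicate of Section 3.1: l[i] and lp[j] encrypt the same message.
    Evaluated here with the private key; the definition compares m_i and m_{pi^-1(j)}."""
    return decrypt(x, l[i]) == decrypt(x, lp[j])


def random_guess_rate(x: int, l: List[Cipher], lp: List[Cipher], i: int) -> float:
    """Success rate of keeping index i and drawing J uniformly: |Delta_i| / N,
    the baseline that Definition 6 and Lemma 3 compare an adversary against."""
    n = len(l)
    return sum(rho(x, l, lp, i, j) for j in range(n)) / n


def malleate(c: Cipher, k1: int, k2: int) -> Cipher:
    """The map f of Section 3.3: E(m) -> E(k1 * m^k2) from the cryptotext alone,
    (g^r, m y^r) -> (g^(r k2), k1 m^k2 y^(r k2)). No private key is involved."""
    c1, c2 = c
    return pow(c1, k2, P), k1 * pow(c2, k2, P) % P


def shifted_messages(rng: random.Random, n: int, k1: int, k2: int) -> List[int]:
    """The chain of Section 3.3: m_1 uniform in G, m_i = k1 * m_{i-1}^k2 for i > 1."""
    ms = [random_group_element(rng)]
    for _ in range(n - 1):
        ms.append(k1 * pow(ms[-1], k2, P) % P)
    return ms


def robustness_game(seed: int, n: int = 6, k1: int = 16, k2: int = 3) -> Tuple[List[int], List[int]]:
    """Encrypt the chain, apply f element-wise and decrypt the result. Every
    cryptotext of m_i becomes one of m_{i+1}; only the last element leaves the set,
    so one message was replaced without locating its cryptotexts (k1 = 16 = g^2 is in G)."""
    rng = make_rng(seed)
    x, y = keygen(rng)
    ms = shifted_messages(rng, n, k1, k2)
    alphas = [encrypt(y, m, rng.randrange(1, Q)) for m in ms]
    shifted = [decrypt(x, malleate(a, k1, k2)) for a in alphas]
    return ms, shifted


if __name__ == "__main__":
    original, after_f = robustness_game(seed=1)
    print("m         :", original)
    print("D(f(E(m))):", after_f)
```

`random_guess_rate` makes the "clever guessing" baseline of Definition 6 concrete: with the first index fixed, a uniformly drawn second index succeeds with probability exactly |∆_i|/N, which is why duplicated messages raise the baseline without any weakness in the cryptosystem. `robustness_game` shows the point of the El Gamal example: `malleate` never uses `x`, yet decrypting its output reproduces the shifted chain, so the "guess all h positions" intuition does not bound the success probability of that game.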
4 Conclusion and Future Work
We have formalized the security of a mix-center in the re-encryption paradigm, and shown that a secure mix-center can be constructed if there exists a public key encryption system with the re-encryption property. For many mix-net constructions this is the key step in a formal proof of privacy. A formal proof of security for a complete mix-net in the Byzantine setting is still an open question. There are many proof sketches in the literature of mix-nets, and several constructions have been broken. Since these constructions are claimed to be provably secure, we think this calls for greater attention to details. Only with formal proofs can important applications such as electronic elections be considered seriously. An interesting future line of research is to prove a mix-net secure in the security framework of Canetti [2] or Pfitzmann and Waidner [22].
Acknowledgement. We are grateful to both Gunnar Sjödin and Johan Håstad.
References
[1] M. Abe, Universally Verifiable Mix-net with Verification Work Independent of the Number of Mix-centers, Eurocrypt '98, pp. 437-447.
[2] R. Canetti, Universally Composable Security: A New Paradigm for Cryptographic Protocols, http://eprint.iacr.org/2000/067 and ECCC TR 01-24. Extended abstract appears in 42nd FOCS, 2001.
[3] D. Chaum, Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms, Communications of the ACM, ACM 81, pp. 84-88.
[4] R. Cramer, V. Shoup, A Practical Public Key Cryptosystem Provably Secure against Adaptive Chosen Ciphertext Attack, Crypto '98, pp. 13-25.
[5] Y. Desmedt, K. Kurosawa, How to Break a Practical MIX and Design a New One, Eurocrypt 2000, pp. 557-572.
[6] D. Dolev, C. Dwork, M. Naor, Non-Malleable Cryptography, In Proceedings of the 23rd Symposium on Theory of Computing, ACM STOC 1991.
[7] T. ElGamal, A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory 31, 1985, pp. 469-472.
[8] A. Fujioka, T. Okamoto, K. Ohta, A Practical Secret Voting Scheme for Large Scale Elections, Auscrypt '92, pp. 244-251.
[9] S. Goldwasser, S. Micali, Probabilistic Encryption, Journal of Computer Science 28, pp. 270-299, 1984.
[10] M. Hirt, K. Sako, Efficient Receipt-Free Voting Based on Homomorphic Encryption, Eurocrypt 2000, pp. 539-556.
[11] M. Jakobsson, A Practical Mix, Eurocrypt '98, pp. 448-461.
[12] M. Jakobsson, D. M'Raihi, Mix-based Electronic Payments, SAC '98, pp. 157-173.
[13] M. Jakobsson, Flash Mixing, PODC '99, pp. 83-89.
[14] M. Jakobsson, A. Juels, Millimix: Mixing in Small Batches, DIMACS Technical Report 99-33, June 1999.
[15] S. Micali, C. Rackoff, B. Sloan, The Notion of Security for Probabilistic Cryptosystems, SIAM J. Computing 1988, pp. 412-426.
[16] M. Mitomo, K. Kurosawa, Attack for Flash MIX, Asiacrypt 2000, pp. 192-204.
[17] M. Michels, P. Horster, Some Remarks on a Receipt-Free and Universally Verifiable Mix-Type Voting Scheme, Asiacrypt '96, pp. 125-132.
[18] V. Niemi, A. Renvall, Efficient Voting with No Selling of Votes, Asiacrypt '94, pp. 105-116.
[19] W. Ogata, K. Kurosawa, K. Sako, K. Takatani, Fault Tolerant Anonymous Channel, ICICS '97, pp. 440-444.
[20] P. Paillier, Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, Eurocrypt '99, pp. 223-238.
[21] C. Park, K. Itoh, K. Kurosawa, Efficient Anonymous Channel and All/Nothing Election Scheme, Eurocrypt '93, pp. 248-259.
[22] B. Pfitzmann, M. Waidner, Composition and Integrity Preservation of Secure Reactive Systems, 7th Conference on Computer and Communications Security of the ACM, pp. 245-254, 2000.
[23] B. Pfitzmann, Breaking an Efficient Anonymous Channel, Eurocrypt '94, pp. 332-340.
[24] K. Sako, J. Kilian, Receipt-Free Mix-Type Voting Scheme, Eurocrypt '95, pp. 393-403.
A Proofs
Before we prove Theorem 1 we prove some lemmas. Denote by $\pi^0$ the identity permutation and $\pi^1 = \pi$ for any permutation $\pi$. Consider the following generalization of GM-security*, i.e. Definition 3. Throughout this section we assume that $(E, D) = \{(E_n, D_n)\} = \{C(1^n)\}$ when we write E or D.
Definition 7 (Generalized GM-security* (gGM)). Let C be a public key cryptosystem, let $(E, D) = \{(E_n, D_n)\} = \{C(1^n)\}$, and let b be uniformly distributed in {0, 1}. C is gGM-secure if for all polynomials N in n, $\forall \pi_N \in \Sigma_N$, $\forall m \in \mathcal{M}^N$, $\forall T \in PC$, $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[T(E, m, \pi_N^b E(m)) = b] - \frac{1}{2}\right| < \frac{1}{n^c}.$$
Lemma 2. A public key cryptosystem C is GM-secure iff it is gGM-secure.
Proof. We see that gGM-security immediately implies GM-security*, since we may take the polynomial N(n) = 2 in the definition of gGM-security. To prove the opposite direction of the lemma, we assume it is false. Then there exists a GM-secure cryptosystem C, a polynomial N, $\exists m \in \mathcal{M}^N$, $\exists T \in PC$, $\exists \pi_N \in \Sigma_N$, $\exists c > 0$, and an infinite set $\mathcal{N}$ such that for $n \in \mathcal{N}$:
$$\left|\Pr[T_n(E_n, m_n, \pi_{N,n}^b E_n(m_n)) = b] - \frac{1}{2}\right| \ge \frac{1}{n^c}.$$
We now define an $A = \{A_n\} \in PC$ that breaks the GM-security* of C. Consider a fixed $n \in \mathcal{N}$. Note that for any permutation, in particular for $\pi_{N,n}$, there exists a chain of permutations $id = \pi^{(1)}, \pi^{(2)}, \ldots, \pi^{(N)} = \pi_{N,n}$, such that $\pi^{(i+1)}$ and $\pi^{(i)}$ differ only by a transposition. We get the following hybrid argument: with $\zeta_i = \Pr[T_n(E_n, m_n, (\pi^{(i)})^b E_n(m_n)) = b]$,
$$\frac{1}{n^c} \le |\zeta_N - \zeta_1| \le \sum_{i=1}^{N-1} |\zeta_{i+1} - \zeta_i|,$$
where $\zeta_1 = \frac{1}{2}$ since $(\pi^{(1)})^b = id$. This implies $|\zeta_{t+1} - \zeta_t| \ge \frac{1}{N n^c}$ for some $1 \le t < N$. Let $k_0$ and $k_1$ be the two indices such that $\pi^{(t)}(k_0) = \pi^{(t+1)}(k_1)$ and $\pi^{(t+1)}(k_0) = \pi^{(t)}(k_1)$. Let $(E_n, m_{n,k_0}, m_{n,k_1}, \alpha_0, \alpha_1)$ be the input to $A_n$, where b is randomly chosen, and $(\alpha_0, \alpha_1) = (E_n(m_{n,k_b}), E_n(m_{n,k_{1-b}}))$. The circuit $A_n$:
1. Computes $\alpha = \pi^{(t)} E_n(m_n)$.
2. Replaces the elements of $\alpha$ at positions $\pi^{(t)}(k_0)$ and $\pi^{(t)}(k_1)$ by the elements $\alpha_0$ and $\alpha_1$ respectively. Let the resulting vector be $\alpha'$.
3. Runs $b' = T_n(E_n, m_n, \alpha')$, and returns $b'$.
It follows that the GM-security* of C is broken.
Corollary 1. If C is gGM-secure then, $\forall j = \{j_n\}$, where $j_n \in \{1, \ldots, N(n)\}$, $\forall \pi_N, \psi_N \in \Sigma_N$, $\forall m \in \mathcal{M}^N$, $\forall T \in PC$, $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[T(E, m, \pi_N E(m)) = j] - \Pr[T(E, m, \psi_N E(m)) = j]\right| < \frac{1}{n^c}.$$
Proof. Assume the contrary. Then there exist j, $\pi_N$, $\psi_N$, and c > 0 such that for $n \in \mathcal{N}$ the inequality above does not hold. Consider a fixed $n \in \mathcal{N}$. If we set $\zeta_{\pi_N} = \Pr[T_n(E_n, m_n, \pi_{N,n} E_n(m_n)) = j_n]$, we have $|\zeta_{\pi_N} - \zeta_{\psi_N}| \ge \frac{1}{n^c}$.
We now construct a $B = \{B_n\} \in PC$ that breaks the gGM-security of C. $B_n$ takes input $(E_n, m_n, \alpha)$, where $\alpha = (\pi_{N,n}^{-1} \psi_{N,n})^b E_n(m_n)$, and $b \in \{0, 1\}$ is randomly chosen. The circuit $B_n$ does the following k(n) times, where k(n) is a polynomial: it computes $\alpha' = \pi_{N,n} F_n(\alpha)$, and runs $T_n(E_n, m_n, \alpha')$. Then it computes the fraction s of times $T_n$ returned $j_n$. If $|s - \zeta_{\pi_N}| < |s - \zeta_{\psi_N}|$ then it returns 0 and otherwise it returns 1.
Let $Z_i$ be an indicator variable of the event that $T_n$ outputs $j_n$ in the i-th run. Then s is an outcome of the random variable $Z^{(k)} = \frac{1}{k(n)} \sum_{i=1}^{k(n)} Z_i$. Thus $\mathrm{Var}[Z^{(k)} \mid b = 0] = \frac{1}{k} \mathrm{Var}[Z_1 \mid b = 0] = \frac{1}{k} \zeta_{\pi_N}(1 - \zeta_{\pi_N})$, and similarly for $\psi_N$. Let $d = \frac{1}{2}|\zeta_{\pi_N} - \zeta_{\psi_N}|$; then we have from Chebyshev's bound that:
$$\Pr\left[\,|(Z^{(k)} \mid b = 0) - \zeta_{\pi_N}| > d \;\middle|\; b = 0\right] \le \frac{\mathrm{Var}[Z^{(k)} \mid b = 0]}{d^2} \le \frac{n^{2c}}{k(n)}$$
and similarly for b = 1. Thus if we set $k(n) = 2n^{2c}$ we have:
$$\Pr[B_n(E_n, m_n, (\pi_{N,n}^{-1} \psi_{N,n})^b E_n(m_n)) = b] \ge \frac{1}{2}$$
which breaks the gGM-security of C.
Lemma 3. For $m_n \in \mathcal{M}_n^N$, denote by $\Delta_i(m_n)$ the set $\{j \mid m_{n,j} = m_{n,i}\}$, and let $\Pi_N$ be uniformly distributed in $\Sigma_N$. If C is GM-secure then $\forall i = \{i_n\}$, where $i_n \in \{1, \ldots, N(n)\}$, $\forall m \in \mathcal{M}^N$, $\forall T \in PC$, $\forall c > 0$, $\exists n_0$ such that $\forall n > n_0$:
$$\left|\Pr[T(E, m, \Pi_N E(m)) \in \Pi_N(\Delta_i(m))] - \frac{|\Delta_i(m)|}{N}\right| < \frac{1}{n^c}.$$
Proof. Let $\epsilon_{\pi_N, j} = \Pr[J_T = j \mid \Pi_N = \pi_N] - \Pr[J_T = j \mid \Pi_N = id]$, where we let $J_T = T(E, m, \Pi_N E(m))$. We write $\Delta_i$ for $\Delta_i(m)$, and have:
$$\begin{aligned}
\Pr[J_T \in \Pi_N(\Delta_i)] &= \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N] \\
&= \sum_{j=1}^{N} \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \Pr[J_T = j \mid \Pi_N = \pi_N] \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N, J_T = j] \\
&= \sum_{j=1}^{N} \Pr[J_T = j \mid \Pi_N = id] \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N, J_T = j] \\
&\quad + \sum_{j=1}^{N} \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \epsilon_{\pi_N, j} \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N, J_T = j] \\
&= \frac{|\Delta_i|}{N} + \sum_{j=1}^{N} \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \epsilon_{\pi_N, j} \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N, J_T = j]
\end{aligned}$$
since
$$\sum_{\pi_N \in \Sigma_N} \frac{1}{N!} \Pr[J_T \in \Pi_N(\Delta_i) \mid \Pi_N = \pi_N, J_T = j] = \frac{|\Delta_i|}{N}.$$
Thus we have:
$$\left|\Pr[J_T \in \Pi_N(\Delta_i)] - \frac{|\Delta_i|}{N}\right| \le \sum_{j=1}^{N} \sum_{\pi_N \in \Sigma_N} \frac{1}{N!} |\epsilon_{\pi_N, j}| \le N \max_{\pi_N, j}\{|\epsilon_{\pi_N, j}|\}$$
which is negligible since N(n) is polynomial and $\max_{\pi_N, j}\{|\epsilon_{\pi_N, j}|\}$ is negligible by Corollary 1.
We are now ready to give the proof of Theorem 1.
Proof (of Theorem 1). First the easy direction of the proof. Suppose that $C_H$ is a secure RMC, but $C = K_N(C_H)$ is not a GM-secure RPKC for some polynomial N. Then $\exists m_0, m_1 \in \mathcal{M}$, $\exists T \in PC$, $\exists c > 0$ and an infinite index set $\mathcal{N}$ such that for $n \in \mathcal{N}$:
$$\left|\Pr[T(E, m_0, m_1, E(m_b), E(m_{1-b})) = b] - \frac{1}{2}\right| \ge \frac{1}{n^c}.$$
The family $A = \{A_n\}$, where $A_n$ given input $(E_n, F_n, E_n(m_{n,0}, m_{n,1}), (\alpha_0, \alpha_1))$ returns the pair $(0, T_n(E_n, m_{n,0}, m_{n,1}, \alpha_0, \alpha_1))$, shows that $C_H$ is not secure.
To prove the other direction, we assume that $K_N(C_H)$ is semantically secure for all polynomials N, but $C_H$ is not secure. Then, using the notation of Definition 6, there exist an $A \in PC$, an infinite index set $\mathcal{N}$, and a c > 0 such that for $n \in \mathcal{N}$:
$$\left|\Pr[\rho(L_n, L'_n, I_{A_n}, J_{A_n}) = T] - \Pr[\rho(L_n, L'_n, I_{A_n}, J_n) = T]\right| \ge \frac{1}{n^c}.$$
We abuse notation and write $\rho(I, J)$ instead of the correct $\rho(L_n, L'_n, I, J)$. A probabilistic argument gives that there exists a fixed $m \in \mathcal{M}^N$ such that for $n \in \mathcal{N}$: $\left|\Pr[\rho(I_{A_n}, J_{A_n}) = T \mid M_n = m_n] - \Pr[\rho(I_{A_n}, J_n) = T \mid M_n = m_n]\right| \ge \frac{1}{n^c}$. We define $\zeta_{A,i} = \Pr[\rho(I_{A_n}, J_{A_n}) = T \mid M_n = m_n, I_{A_n} = i]$ and similarly $\zeta_i = \Pr[\rho(I_{A_n}, J_n) = T \mid M_n = m_n, I_{A_n} = i]$ to simplify notation in the following. For some $1 \le t \le N(n)$ we have:
$$\frac{1}{n^c} \le \left|\Pr[\rho(I_{A_n}, J_{A_n}) = T \mid M_n = m_n] - \Pr[\rho(I_{A_n}, J_n) = T \mid M_n = m_n]\right| = \left|\sum_{i=1}^{N(n)} p_{I_{A_n}}(i)(\zeta_{A,i} - \zeta_i)\right| \le N(n)\, p_{I_{A_n}}(t)\, |\zeta_{A,t} - \zeta_t|.$$
We construct a $T \in PC$ that contradicts Lemma 3. The circuit $T_n$ gets input $(E_n, F_n, m_n, l'_n)$, where $l'_n$ is an outcome of $L'_n$, computes $l_n = E(m_n)$, runs $(i, j) = A_n(E, F, l_n, l'_n)$, and if i = t it returns j, and otherwise it returns the outcome of a random variable $J'_n$, which is uniformly and independently distributed over $\{1, \ldots, N(n)\}$.
Using the notation of Lemma 3 we have $\zeta_t = |\Delta_t|/N$ and
$$\Pr[J_{T_n} \in \Pi_{N(n)}(\Delta_t)] = \sum_{i \ne t} p_{I_{A_n}}(i)\,\frac{|\Delta_t|}{N} + p_{I_{A_n}}(t)\,\zeta_{A,t},$$
which gives:
$$\Pr[J_{T_n} \in \Pi_{N(n)}(\Delta_t)] = \frac{|\Delta_t|}{N} + p_{I_{A_n}}(t)\,(\zeta_{A,t} - \zeta_t) .$$
Thus
$$\Bigl|\Pr[J_{T_n} \in \Pi_{N(n)}(\Delta_t)] - \frac{|\Delta_t|}{N}\Bigr| = p_{I_{A_n}}(t)\,|\zeta_{A,t} - \zeta_t| \ge \frac{1}{N(n)\,n^c},$$
which contradicts Lemma 3.
In the proof above we implicitly use an extended version of Definition 7 that is applicable to an RPKC, and use that Lemma 2, Corollary 1 and Lemma 3 hold correspondingly (see Section 3.1).

For completeness we give a proof of Lemma 1.

Proof (of Lemma 1). Suppose that a PKC $C$ is not secure according to Definition 2, and let $T = \{T_n\}$ be the family of circuits that shows this. Then the family of circuits $T' = \{T'_n\}$, where $T'_n$ simulates $T_n$ on the first component of its input and returns $b$ if $T_n$ returns $m_b$, is clearly not secure according to Definition 3.

For the other direction, suppose that a PKC $C$ is not secure according to Definition 3. Then there exist $m_0, m_1 \in M$, $T \in PC$, $c > 0$ and an infinite index set $\mathcal{N}$ such that for each $n \in \mathcal{N}$, writing
$$p_{bd} = \Pr[T(E, m_0, m_1, E(m_b), E(m_d)) = 1],$$
we have
$$\frac{1}{n^c} \le |p_{01} - p_{10}| = |p_{01} - p_{11} + p_{11} - p_{10}| \le 2\,|p_{t,1-t} - p_{11}|$$
for some $t = \{t_n\}$ with $t_n \in \{0, 1\}$. Set $\gamma_t = \alpha$ and $\gamma_{1-t} = E(m_1)$. Then $T'$ runs $b = T(E, m_0, m_1, \gamma_0, \gamma_1)$ and returns $m_b$. It follows that $T'$ breaks the security according to Definition 2.
New Identity Escrow Scheme for Anonymity Authentication

Yong-Ho Lee¹, Im-Yeong Lee¹ and Hyung-Woo Lee²

¹ Div. of Information Technology Engineering, Soonchunhyang University, Chungnam, Korea, 336-745
[email protected], [email protected]
² Div. of Information & Communication Engineering, Cheonan University, Chungnam, Korea, 330-704
[email protected]
Abstract. When a user and a service provider carry out an authentication process, the user's identity may be exposed, and this has become a serious social problem. Identity escrow schemes were proposed to address it. In an identity escrow scheme, an issuer that holds the user's accurate identity securely transmits anonymous authentication information to the user, and the user then authenticates to the service provider with this information while remaining anonymous. In this paper, requirements for the security and trustworthiness of identity escrow schemes are set out and a new mechanism satisfying them is proposed. In addition, a method for the service provider to transmit contents securely to the user is described, together with an improved mechanism that supports key escrow for encrypted communication under a key agreed among users of the same domain.
1 Introduction

To receive contents over the Internet, users must prove to the service provider that they are authorized users, but individual identification of this kind may infringe on the user's privacy. During the authentication process the user therefore wants to keep his or her identity anonymous, while the service provider wants to establish the user's legitimacy. An identity escrow scheme can satisfy both of these conflicting requirements at the same time [2, 3, 8, 10–12]. In an identity escrow scheme, the user provides the service provider with anonymous authentication information instead of his or her own identity, and so remains anonymous. If the user commits an illegal act, the authentication information offered by the user is handed over, and the law enforcement agency and the issuer in cooperation recover the user's accurate identity corresponding to that authentication information, thereby revoking the anonymity.

Chapter 2 of this paper introduces the components and basic steps of the identity escrow scheme, discusses the general requirements and proposes new requirements for improving the trustworthiness and security of the whole system. Chapter 3 discusses the problems of existing methods, and Chapter 4 presents a new identity escrow scheme satisfying all the requirements above. In addition, for the case where the service provider delivers contents to the user through this identity escrow system, an improved method for secured communication under a key obtained by key agreement is proposed, together with an enhanced mechanism supporting key escrow for encrypted communication under a key agreed among users of the same domain. Chapter 5 concludes.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 382–394, 2002. © Springer-Verlag Berlin Heidelberg 2002
2 Identity Escrow

2.1 Components and Steps of the Identity Escrow Scheme

In general, an identity escrow scheme consists of the following four components [7, 10, 11, 13].

– User: an ordinary user who provides his or her accurate identity to the issuer in order to receive service anonymously, and who is then given the authentication information used for anonymous authentication toward the service provider.
– Issuer: the issuer stores the accurate identity of users who want to receive service anonymously from the service provider and provides them with authentication information. When necessary, upon request of the law enforcement agency, the issuer reveals a user's accurate identity.
– Service provider: the service provider verifies a user's authentication information and, if it is valid, provides the service. When a user commits an illegal act, the service provider asks the law enforcement agency to revoke the anonymity of that user.
– Law enforcement agency: when necessary, upon request of the service provider, the law enforcement agency discloses the user's accurate identity in cooperation with the issuer.

A typical identity escrow scheme consists of the following four steps.

– System initialization step: to initialize the system, each participating entity publishes its own parameters (public key or public parameters).
– Identity registration step: the user provides his or her accurate identity to the issuer and securely receives the authentication information in return.
– Authentication step: the user presents the authentication information to the service provider in order to receive service anonymously. If the authentication information is valid and the user knows the secret behind it, the service provider offers the service.
– Anonymity control step: when necessary, the service provider passes the authentication information received in the authentication step to the law enforcement agency, and the user's anonymity is revoked so that the accurate identity is exposed.
2.2 Requirements of the Identity Escrow Scheme

This section discusses the requirements of an identity escrow scheme [6–11].

(1) General requirements of an identity escrow scheme

– Authentication providing anonymity: during the authentication process between the user and the service provider, the user's anonymity must be preserved while the user's validity can still be verified.
– Anonymity control of illegal user: when necessary, cooperation between the law enforcement agency and the issuer must make it possible to revoke the anonymity of an illegal user.
– Secret information maintenance proof of authentication information: a third party must not be able to impersonate the user. That is, the secret value which proves that the authentication information belongs to the corresponding user must be held by that user alone.
– Independence of law enforcement agency: given its special role, the law enforcement agency should be contacted only when the anonymity control of an illegal user is requested.
– Prevention of illegal anonymity control: a user's anonymity may be revoked only with the permission of the law enforcement agency. That is, neither the issuer nor the service provider may be able to identify the user from the authentication information and the publicly announced information.

(2) New requirement of an identity escrow scheme

– Publicly verifiable anonymity control: every participating entity should be able to verify publicly that the anonymity of an illegal user can indeed be revoked through cooperation between the law enforcement agency and the issuer. To improve the security and trustworthiness of the whole system, it should be provable that the user's identity has been correctly escrowed with the issuer and that a third party cannot misrepresent the user's identity. If this fact can be verified only by the law enforcement agency or the issuer, it becomes a factor that lowers the security and trustworthiness of the system; all participating entities should therefore be able to verify it publicly.
3 Conventional Schemes

This chapter discusses, by underlying technique, two schemes presented at CRYPTO '98 and two schemes published in the Journal of the Korea Multimedia Society in 2000 [1, 2].

3.1 Method 1 – Identity Escrow Scheme Using Group Signatures

This scheme, proposed by Joe Kilian and Erez Petrank at CRYPTO '98, provides user anonymity through the properties of group signatures. The issuer and the law enforcement agency together act as the group manager. The distinctive feature is that the group manager can admit new users to the group and can open a message signed by any member of the group. The user produces a group signature for the service provider and thereby proves membership of the group while remaining anonymous; whenever necessary, the group manager revokes anonymity by identifying the signer. The system parameter z is the value tied to the user's accurate identity and is held by the issuer, but the issuer and the law enforcement agency do not know the user's secret information and consequently cannot forge the user's messages. The scheme is based on Camenisch's group signature. By using Camenisch's group signature the issuer and the law enforcement agency can be kept separate, but in the early stage of group formation the issuer and the anonymity control agency are split out of a single agency, and the law enforcement agency is called during that process. Although the law enforcement agency should by its nature be involved only in anonymity control, in this scheme it is called already in the initial grouping stage. Finally, the legitimacy of anonymity control cannot be publicly verified.

3.2 Method 2 – Identity Escrow Scheme Using ZKIP

This is the second scheme proposed by Joe Kilian and Erez Petrank at CRYPTO '98; it points out the problems of the group signature scheme and resolves them by applying a zero-knowledge interactive proof (ZKIP). By adopting zero-knowledge proofs, contact with the law enforcement agency during system initialization is avoided [2, 3]. In the authentication step the user proves possession of the authentication information by a zero-knowledge proof. At the same time a tracing value that allows the user's anonymity to be revoked is supplied, encrypted under the public key of the law enforcement agency. When necessary, the service provider hands this tracing value to the law enforcement agency to revoke the user's anonymity, so no contact with the law enforcement agency is needed at system initialization. However, because the issuer holds all the information on users, the protocol has the problems that the user can be impersonated and that the legitimacy of anonymity control cannot be publicly verified.

3.3 Method 3 – Identity Escrow Scheme Using Blind Techniques

This scheme was proposed by Bo-Sung Hwang in the Journal of the Korea Multimedia Society in 2000 and adopts blind techniques to resolve the problems of the two schemes of Kilian and Petrank [4, 5]. It satisfies the requirements of an identity escrow system by means of blinding: a blind signature is used so that the contents of the message signed for the user remain unknown, and blind decryption is used in the authentication step to check whether the user possesses the secret behind the authentication information. In the identity registration step the issuer obtains the user's accurate identity, while the information linked to that identity is accessible only to the law enforcement agency. The user's identity can therefore be learned only when the issuer and the law enforcement agency cooperate; neither side alone can recover it. However, the scheme requires a great deal of communication between the user and the law enforcement agency in the identity registration step, and the legitimacy of anonymity control cannot be publicly verified.

3.4 Method 4 – Identity Escrow Scheme Using an E-cash Protocol

This is the second scheme proposed by Bo-Sung Hwang in the Journal of the Korea Multimedia Society in 2000; it adopts an electronic cash protocol to meet the independence requirement for the law enforcement agency [12] and to prevent impersonation of the user. In the identity registration step the user provides the issuer with his or her accurate identity and a value I used for identity tracing, and the issuer returns z, from which the authentication information is derived. The user uses z, in collaboration with the issuer, to generate the authentication values A and B used in the authentication step. In the authentication step the user provides the service provider with A, B, $\mathrm{Sign}(A, B)$ and $\mathrm{Sign}_{issuer}[E_{K_{PE}}(z)]$; a challenge is generated to check whether the user knows the secret underlying A and B, and the user is authenticated by returning the matching response. Adopting an electronic cash protocol preserves the independence of the law enforcement agency, but it makes the protocol complicated and increases the computation required. Also, the legitimacy of anonymity control cannot be publicly verified.
4 Proposal Schemes

This chapter describes three proposed schemes. First, a new identity escrow scheme based on proxy signatures is proposed, in which the independence of the law enforcement agency is preserved and the legitimacy of anonymity control can be publicly verified. Second, an improved scheme is proposed for the service provider to transmit contents securely to the user within this identity escrow mechanism. Finally, an enhanced identity escrow scheme is proposed which, in the same setting, supports key escrow for encrypted communication under a key agreed among users of the same domain.
4.1 Proposal Scheme I – New Identity Escrow Mechanism

System Parameters

– $p$ : a large prime, $p \ge 2^{512}$
– $q$ : a large prime, $q \ge 2^{160}$, with $q \mid p - 1$
– $g$ : a generator of $\mathbb{Z}_p^*$
– $*$ : A (user Alice), ISS (issuer), SP (service provider), LEA (law enforcement agency)
– $X_*$ : $*$'s private key
– $Y_*$ : $*$'s public key, $Y_* = g^{X_*} \bmod p$
– $E_*()$ : encryption under $*$'s public key
– $Sig_*()$ : signature under $*$'s private key
– $h()$ : a 160-bit secure one-way hash function
– $S_A$ : user Alice's secret value
– $t'_A, t_A$ : random numbers
– $ID_A$ : user Alice's identity
– $AID_A$ : user Alice's alias identity
– Identity information : user Alice's personal information
– $\sigma$ : the signer's proxy signature information
Protocol

The protocol consists of the following steps: identity registration and verification for user Alice, generation and verification of the proxy signature information, generation and verification of the anonymous authentication information, and anonymity control.

Step 1. Alice's identity registration, verification and publicly verifiable anonymity control

Phase 1 (processing by Alice)
a) Alice randomly generates the secret values $t'_A$ and $t_A$ and forms her secret value $S_A$. She then publicly announces $g^{t'_A}$, the public value corresponding to $t'_A$.
$$S_A = t'_A + t_A \qquad (4\text{-}1\text{-}1)$$
b) Alice's identity information, $g^{S_A}$ and the secret random value $t_A$ are encrypted under the issuer's public key, and $t'_A$ together with Alice's identifier $ID_A$ is encrypted under the public key of the law enforcement agency. Alice signs these values and transmits them to the issuer.
$$Sig_A\bigl(E_{ISS}(\text{Identity information} \,\|\, g^{S_A} \,\|\, t_A) \,\|\, E_{LEA}(t'_A \,\|\, ID_A)\bigr) \qquad (4\text{-}1\text{-}2)$$

Phase 2 (processing by the issuer)
a) The issuer verifies the received signature, decrypts $E_{ISS}(\text{Identity information} \,\|\, g^{S_A} \,\|\, t_A)$ and checks Alice's escrow information: the product of $g^{t_A}$, computed from the received $t_A$, and $g^{t'_A}$, publicly announced by Alice, must equal the received $g^{S_A}$. If it does, Alice's secret information has been correctly escrowed.
$$g^{S_A} \stackrel{?}{=} g^{t_A} \cdot g^{t'_A} \qquad (4\text{-}1\text{-}3)$$
b) If the verification succeeds, the issuer generates Alice's alias identity $AID_A$ and publicly announces $AID_A$, $g^{S_A}$ and $g^{t_A}$.

Phase 3 (processing by all parties)
a) Every entity participating in the identity escrow system can perform this check: $g^{t'_A}$, announced by Alice, and $g^{t_A}$ and $g^{S_A}$, announced by the issuer, are used to run the verification of formula (4-1-3).
b) If the verification succeeds, it is established that the user's anonymity can be revoked should the user commit an illegal act.

Step 2. Generation and verification of the proxy signature information

Phase 1 (processing by the issuer)
a) The issuer chooses a random value $d$ and generates the proxy signature information as follows.
$$D = g^d \bmod p, \qquad \sigma = (X_{ISS} + d \cdot D) \bmod (p - 1) \qquad (4\text{-}1\text{-}4)$$
b) The issuer signs the user's alias identity together with the ciphertext under the law enforcement agency's public key, encrypts this along with the proxy signature information under Alice's public key, and transmits the result to Alice.
$$E_A\bigl(\sigma \,\|\, D \,\|\, AID_A \,\|\, Sig_{ISS}(AID_A \,\|\, E_{LEA}(t'_A \,\|\, ID_A))\bigr) \qquad (4\text{-}1\text{-}5)$$

Phase 2 (processing by Alice)
a) Alice decrypts the received value and verifies the proxy signature information as follows. If it is correct she proceeds; otherwise she requests the issuer to send the proxy signature information again.
$$g^{\sigma} \stackrel{?}{=} Y_{ISS} \cdot D^{D} \bmod p \qquad (4\text{-}1\text{-}6)$$
The verification holds because
$$Y_{ISS} \cdot D^{D} \bmod p = g^{X_{ISS}} \cdot (g^{d})^{D} \bmod p = g^{X_{ISS} + d \cdot D} \bmod p = g^{\sigma} \bmod p .$$
Step 3. Generation and verification of the anonymous authentication information

Phase 1 (processing by Alice)
a) Using a random value $r$ and the service request message $m$, Alice generates the anonymous authentication information $S_\sigma(m)$ as follows.
$$H = h(m), \qquad R = (g^r \bmod p) \bmod q, \qquad S_\sigma(m) = S_A \cdot r - R \cdot \sigma \cdot H \bmod p \qquad (4\text{-}1\text{-}7)$$
b) The following information is assembled and transmitted to the service provider.
$$AID_A \,\|\, D \,\|\, R \,\|\, m \,\|\, S_\sigma(m) \,\|\, Sig_{ISS}(AID_A \,\|\, E_{LEA}(t'_A \,\|\, ID_A)) \,\|\, Sig_A(g^{S_A}) \qquad (4\text{-}1\text{-}8)$$

Phase 2 (processing by the service provider)
a) The service provider compares the received $Sig_A(g^{S_A})$ with the published $g^{S_A}$. If they match it proceeds; otherwise an error message is sent to Alice.
b) From the received information, $H$ and $V$ are computed as follows.
$$H = h(m), \qquad V = Y_{ISS} \cdot D^{D} \bmod p \qquad (4\text{-}1\text{-}9)$$
c) The user's anonymous authentication information is verified as follows; if the check fails, an error message is sent to the user.
$$R \cdot g^{S_A} \stackrel{?}{=} \bigl(g^{S_\sigma(m)} \cdot V^{R \cdot H} \bmod p\bigr) \bmod q \qquad (4\text{-}1\text{-}10)$$
The verification proceeds as follows:
$$\begin{aligned}
R \cdot g^{S_A} &= \bigl(g^{S_\sigma(m)} \cdot V^{R H} \bmod p\bigr) \bmod q \\
&= \bigl(g^{S_A r - R \sigma H} \cdot (Y_{ISS} \cdot D^{D})^{R H} \bmod p\bigr) \bmod q \\
&= \bigl(g^{S_A r - R \sigma H} \cdot (g^{X_{ISS}} \cdot g^{d D})^{R H} \bmod p\bigr) \bmod q \\
&= \bigl(g^{S_A r - R \sigma H} \cdot g^{\sigma R H} \bmod p\bigr) \bmod q \\
&= \bigl(g^{S_A \cdot r} \bmod p\bigr) \bmod q .
\end{aligned}$$
d) After this verification is completed, the received $Sig_{ISS}(AID_A \,\|\, E_{LEA}(t'_A \,\|\, ID_A))$ is stored securely and the service is provided to the user.

Step 4. Anonymity control

Phase 1 (processing by the service provider)
a) If Alice commits an illegal act, the service provider requests anonymity control and transmits the stored $Sig_{ISS}(AID_A \,\|\, E_{LEA}(t'_A \,\|\, ID_A))$ to the law enforcement agency.

Phase 2 (processing by the law enforcement agency)
a) The law enforcement agency uses the received $Sig_{ISS}(AID_A \,\|\, E_{LEA}(t'_A \,\|\, ID_A))$ to recover the identity $ID_A$ and the secret information $t'_A$.
b) The law enforcement agency asks the issuer for the identity corresponding to $ID_A$. Through this process the anonymity of Alice, who committed the illegal act, is revoked.
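The registration check (4-1-3), the proxy signature information of (4-1-4) with its check (4-1-6), and the anonymity control of Step 4, run end to end as an added Python example; this is not code from the paper. It assumes a toy group (p = 2039, q = 1019 in place of the 512-bit and 160-bit primes the scheme requires), stands in for the unspecified $E_*()$ with an ElGamal shared value keying a SHAKE-256 one-time pad, does not model the signatures $Sig_*()$ (the signed token is passed as a plain tuple), and leaves Step 3 out. The registry, the alias format and all sample identities are constructed for the example.

```python
import hashlib
import secrets

# Toy group. The scheme requires p >= 2^512 and q >= 2^160 with q | p - 1;
# 2039 = 2 * 1019 + 1 is a safe prime, so any g with g^2 != 1 and
# g^q != 1 (mod p) generates Z_p^*.
P, Q = 2039, 1019
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)


def keygen():
    """X_* and Y_* = g^{X_*} mod p for any party."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def seal(pub, data):
    """E_*(): the paper does not fix the public-key encryption. Assumption of
    this example: an ElGamal shared value g^{xk} keys a SHAKE-256 one-time pad."""
    k = secrets.randbelow(P - 2) + 1
    pad = hashlib.shake_256(pow(pub, k, P).to_bytes(8, "big")).digest(len(data))
    return pow(G, k, P), bytes(a ^ b for a, b in zip(data, pad))


def unseal(priv, box):
    c1, ct = box
    pad = hashlib.shake_256(pow(c1, priv, P).to_bytes(8, "big")).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))


def alice_register(id_a, identity_info, y_iss, y_lea):
    """Step 1, Phase 1: S_A = t'_A + t_A (4-1-1); announce g^{t'_A}; build the
    two ciphertexts of (4-1-2). Sig_A is not modelled."""
    t_prime, t = secrets.randbelow(Q) + 1, secrets.randbelow(Q) + 1
    s_a = t_prime + t
    g_t_prime = pow(G, t_prime, P)                       # published by Alice
    for_iss = seal(y_iss, f"{identity_info}|{pow(G, s_a, P)}|{t}".encode())
    for_lea = seal(y_lea, f"{t_prime}|{id_a}".encode())  # E_LEA(t'_A || ID_A)
    return {"t_prime": t_prime, "t": t, "s_a": s_a}, g_t_prime, for_iss, for_lea


def escrow_check(g_s_a, g_t, g_t_prime):
    """(4-1-3): g^{S_A} =? g^{t_A} * g^{t'_A}. Run by the issuer in Phase 2 and
    by every party in Phase 3, using only the three published values."""
    return g_s_a == (g_t * g_t_prime) % P


def issuer_register(x_iss, for_iss, g_t_prime, id_a, registry):
    """Step 1, Phase 2: decrypt, check (4-1-3), assign AID_A and publish
    (AID_A, g^{S_A}, g^{t_A}); the registry links AID_A to the real identity."""
    identity_info, g_s_a, t = unseal(x_iss, for_iss).decode().split("|")
    g_s_a, t = int(g_s_a), int(t)
    if not escrow_check(g_s_a, pow(G, t, P), g_t_prime):
        raise ValueError("escrow check (4-1-3) failed")
    aid = "AID-" + secrets.token_hex(4)
    registry[aid] = {"id": id_a, "identity": identity_info, "t": t}
    return aid, g_s_a, pow(G, t, P)


def proxy_sign_info(x_iss):
    """Step 2, Phase 1 (4-1-4): D = g^d mod p, sigma = X_ISS + d*D mod (p-1)."""
    d = secrets.randbelow(P - 2) + 1
    big_d = pow(G, d, P)
    return (x_iss + d * big_d) % (P - 1), big_d


def verify_proxy_info(sigma, big_d, y_iss):
    """Step 2, Phase 2 (4-1-6): g^sigma =? Y_ISS * D^D mod p."""
    return pow(G, sigma, P) == (y_iss * pow(big_d, big_d, P)) % P


def anonymity_control(x_lea, for_lea, registry):
    """Step 4: the LEA opens E_LEA(t'_A || ID_A) handed over by the service
    provider and asks the issuer for the identity registered under ID_A."""
    t_prime, id_a = unseal(x_lea, for_lea).decode().split("|")
    hits = [r["identity"] for r in registry.values() if r["id"] == id_a]
    return int(t_prime), id_a, (hits[0] if hits else None)


def demo():
    x_iss, y_iss = keygen()
    x_lea, y_lea = keygen()
    registry = {}
    secret, g_t_prime, for_iss, for_lea = alice_register("alice", "Alice", y_iss, y_lea)
    aid, g_s_a, g_t = issuer_register(x_iss, for_iss, g_t_prime, "alice", registry)
    sigma, big_d = proxy_sign_info(x_iss)
    t_prime, id_a, identity = anonymity_control(x_lea, for_lea, registry)
    return {
        "public_check": escrow_check(g_s_a, g_t, g_t_prime),   # Phase 3, anyone
        "proxy_check": verify_proxy_info(sigma, big_d, y_iss),
        "lea_recovers_t_prime": t_prime == secret["t_prime"],
        "identity": identity,
        # the issuer's t_A plus the LEA's t'_A reconstructs S_A; neither alone does
        "joint_s_a": t_prime + registry[aid]["t"] == secret["s_a"],
    }


if __name__ == "__main__":
    print(demo())
```

The escrow check is the point of Phase 3: it reads only the three published group elements, so anyone can confirm that the value the issuer holds and the value the LEA can open add up to the exponent behind $g^{S_A}$ without learning either share.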
4.2 Proposal Scheme II – Advanced Identity Escrow Mechanism for Contents Transmission

This section proposes an enhanced scheme for the service provider to transmit contents securely to the user within the identity escrow mechanism of Section 4.1.

System Parameters
The system parameters of this scheme are listed below; those already given in Section 4.1 are not repeated.

– $\#$ : session key
– Contents : the service data transmitted from the service provider to the user
– $Cert(SP)$ : the service provider's certificate
– $E_\#()$ : encryption under the symmetric key $\#$

Protocol
This section describes separately the key distribution step and the encrypted communication step between user Alice and the service provider. Assuming that Alice and the service provider use the identity escrow mechanism above, the key distribution step is placed between Step 2 and Step 3 of Section 4.1 and the encrypted communication step between Step 3 and Step 4 of Section 4.1.

Step 1. Key agreement

Phase 1 (processing by Alice)
a) Alice uses the service provider's public key $Y_{SP}$ to compute the session key $ssk$. She then generates a random value $n_1$ and computes the private session key $PsK$ as follows.
$$ssk = (g^{X_{SP}})^{S_A}, \qquad PsK = n_1 \oplus ssk \qquad (4\text{-}2\text{-}1)$$
b) Alice encrypts the message and transmits it to the service provider as follows.
$$E_{ssk}(AID_A \,\|\, n_1 \,\|\, PsK) \,\|\, Sig_A(g^{S_A}) \qquad (4\text{-}2\text{-}2)$$

Phase 2 (processing by the service provider)
a) The service provider computes the session key $ssk = (g^{S_A})^{X_{SP}}$ from the received $g^{S_A}$ and decrypts the message. From the decrypted message it confirms the user and verifies the private session key $PsK$.
b) When the verification is complete, a closing message is transmitted to Alice.

Step 2. Encrypted communication
In this step the contents are provided after the session key has been established; that is, after verifying Alice's anonymous authentication information, the service provider delivers the contents as follows.
$$E_{PsK}(\text{Contents}) \,\|\, Cert(SP) \qquad (4\text{-}2\text{-}3)$$
4.3 Proposal Scheme III – Advanced Identity Escrow Mechanism Supporting Key Recovery

This section proposes an enhanced mechanism that supports key recovery for encrypted communication under a key agreed among users of the same domain within the identity escrow mechanism of Section 4.1.

System Parameters
The system parameters of this scheme are listed below; those already given in Sections 4.1 and 4.2 are not repeated.

– $S_B, t'_B$ : user Bob's secret values
– $N_1$ : random number
– $ID_B$ : user Bob's identity
– $AID_B$ : user Bob's alias identity

Protocol
The protocol consists of a key agreement and encrypted communication step between users Alice and Bob, and a key recovery step. It is assumed that Alice and Bob use the same identity escrow mechanism and have already completed it.

Step 1. Key agreement and encrypted communication

Phase 1 (processing by Alice)
a) Alice uses $g^{t'_B}$, published by Bob, to compute the session key $seskey$. She then generates a random value $N_1$ and computes the private session key $PuK$ as follows.
$$seskey = (g^{t'_B})^{t'_A}, \qquad PuK = N_1 \oplus (g^{t'_B})^{t'_A} \qquad (4\text{-}3\text{-}1)$$
b) Alice encrypts the message as follows and transmits it to Bob.
$$E_{seskey}(ID_A \,\|\, N_1 \,\|\, PuK) \,\|\, g^{t'_A} \qquad (4\text{-}3\text{-}2)$$

Phase 2 (processing by Bob)
a) Bob computes the session key $seskey = (g^{t'_A})^{t'_B}$ from the received value and decrypts the message. From the decrypted message he confirms the communication partner, verifies the private session key $PuK$ and transmits a closing message to Alice.
b) Bob transmits the encrypted data to Alice as follows.
$$E_{PuK}(\text{message}) \,\|\, E_{seskey}(ID_A \,\|\, N_1 \,\|\, PuK) \qquad (4\text{-}3\text{-}3)$$

Step 2. Key recovery
It is assumed here that illegal encrypted communication is taking place between Alice and Bob. The key recovery step that secures the rights of law enforcement in such a situation is described below; all communication and stored data are subject to key recovery.

Phase 1 (processing by the law enforcement agency)
a) With a court order, the law enforcement agency obtains the message (4-3-3) from the communication. It then obtains the following values from the issuer.
$$E_{LEA}(t'_A \,\|\, ID_A), \qquad E_{LEA}(t'_B \,\|\, ID_B) \qquad (4\text{-}3\text{-}4)$$
b) The law enforcement agency decrypts each ciphertext with its own private key and computes the session key $seskey$ from $t'_A$ and $t'_B$. With $seskey$ it recovers the private session key $PuK$ from (4-3-3).
c) The law enforcement agency uses $PuK$ to recover the encrypted communication data of the illegal users.
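The static Diffie-Hellman key agreement shared by Scheme II (4-2-1) and Scheme III (4-3-1), the $PuK$ envelope of (4-3-2)/(4-3-3) and the key recovery of Scheme III, Step 2, as an added Python example; this is not code from the paper. It assumes the same toy group (p = 2039, q = 1019), a SHAKE-256 keystream XOR standing in for the unspecified symmetric cipher $E_\#()$, and that the LEA's public-key decryption of (4-3-4) has already happened, so the LEA is handed $t'_A$ and $t'_B$ directly; signatures, certificates and the closing messages are omitted, and the plaintext and identities are constructed.

```python
import hashlib
import secrets

# Toy group as in Section 4.1 (the scheme requires p >= 2^512, q >= 2^160).
P, Q = 2039, 1019
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)


def sym(key, data):
    """E_#(): symmetric encryption under an integer session key. The paper does
    not fix the cipher; a SHAKE-256 keystream XOR stands in (assumption).
    XOR is its own inverse, so the same call decrypts."""
    pad = hashlib.shake_256(key.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))


def scheme2_session_keys(s_a, x_sp):
    """Scheme II, (4-2-1): Alice computes ssk = Y_SP^{S_A}; the service provider
    reaches the same value as (g^{S_A})^{X_SP}; PsK = n1 xor ssk."""
    y_sp, g_s_a = pow(G, x_sp, P), pow(G, s_a, P)
    ssk_alice, ssk_sp = pow(y_sp, s_a, P), pow(g_s_a, x_sp, P)
    n1 = secrets.randbelow(1 << 16)
    return ssk_alice, ssk_sp, n1 ^ ssk_alice


def alice_hello(id_a, t_prime_a, g_t_prime_b):
    """Scheme III, Step 1, Phase 1: seskey = (g^{t'_B})^{t'_A}, PuK = N1 xor
    seskey (4-3-1); send E_seskey(ID_A || N1 || PuK) || g^{t'_A} (4-3-2)."""
    seskey = pow(g_t_prime_b, t_prime_a, P)
    n1 = secrets.randbelow(1 << 16)
    puk = n1 ^ seskey
    return sym(seskey, f"{id_a}|{n1}|{puk}".encode()), pow(G, t_prime_a, P)


def bob_reply(t_prime_b, hello, g_t_prime_a, message):
    """Scheme III, Step 1, Phase 2: recompute seskey from g^{t'_A}, check PuK,
    then send E_PuK(message) || E_seskey(ID_A || N1 || PuK) (4-3-3)."""
    seskey = pow(g_t_prime_a, t_prime_b, P)
    _id_a, n1, puk = sym(seskey, hello).decode().split("|")
    if int(puk) != int(n1) ^ seskey:
        raise ValueError("PuK does not match N1 xor seskey")
    return sym(int(puk), message), hello


def lea_recover(t_prime_a, t_prime_b, traffic):
    """Scheme III, Step 2: t'_A and t'_B are what the LEA obtains by decrypting
    (4-3-4) with its private key (that public-key step is not modelled here).
    Recompute seskey = g^{t'_A t'_B}, unwrap PuK from (4-3-3), decrypt the data."""
    ct_message, hello = traffic
    seskey = pow(pow(G, t_prime_a, P), t_prime_b, P)
    _id_a, n1, puk = sym(seskey, hello).decode().split("|")
    if int(puk) != int(n1) ^ seskey:
        raise ValueError("recovered seskey does not open the PuK envelope")
    return sym(int(puk), ct_message)


def demo(message=b"constructed sample plaintext"):
    # Escrowed exponents from each user's Step 1 registration (constructed).
    t_prime_a, t_prime_b = secrets.randbelow(Q) + 1, secrets.randbelow(Q) + 1
    g_t_prime_b = pow(G, t_prime_b, P)                 # published by Bob
    hello, g_t_prime_a = alice_hello("alice", t_prime_a, g_t_prime_b)
    traffic = bob_reply(t_prime_b, hello, g_t_prime_a, message)
    return lea_recover(t_prime_a, t_prime_b, traffic)


if __name__ == "__main__":
    print(demo())
```

Because $seskey$ depends only on the two escrowed exponents and Bob re-sends the $seskey$-encrypted envelope in (4-3-3), whoever holds both $t'_A$ and $t'_B$ can unwrap $PuK$ from the captured traffic alone; that is exactly what Step 2 relies on.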
4.4 Comparison and Analysis
This section analyses how far the proposed schemes satisfy the requirements set out above and compares them with the existing schemes.

– Authentication providing anonymity: the issuer transmits proxy signature information to a valid user. The user generates his or her own anonymous authentication information from the issuer's proxy signature information and his or her own secret value, and the service provider verifies it using the public information of the issuer and the user. Through this procedure the user authenticates to the service provider while remaining anonymous.
– Anonymity control of illegal user: the user's secret information consists of two parts, one accessible to the issuer and the other to the law enforcement agency. When necessary, the law enforcement agency and the issuer can therefore revoke an illegal user's anonymity in cooperation. Moreover, the proposed scheme lets the anonymity control of illegal users be verified publicly, which improves users' trust.
– Secret information maintenance proof of authentication information: the user's authentication information is built from secret values known only to the user, so a third party cannot pose as a valid user without knowing the user's secret value. Furthermore, in the proposed scheme the user generates his or her own anonymous authentication information, which strengthens security.
– Independence of law enforcement agency: in the proposed scheme the law enforcement agency takes part only in anonymity control.
– Prevention of illegal anonymity control: the secret information behind the user's anonymous authentication information consists of two values; one is securely deposited with the issuer and the other is encrypted under the public key of the law enforcement agency. The data encrypted under the law enforcement agency's public key do not by themselves link to the user's real identity, so neither the law enforcement agency nor the issuer can revoke the user's anonymity illegitimately.
– Publicly verifiable anonymity control: the secret information behind the user's anonymous authentication information consists of two values, one securely deposited with the issuer and the other encrypted under the public key of the law enforcement agency. The public values corresponding to the user's secret information are published, so any participating entity can verify publicly that cooperation between the law enforcement agency and the issuer is capable of revoking an illegal user's anonymity.
Table 1. Comparison of the identity escrow methods against the requirements (O: satisfied, X: not satisfied)

Requirement                                        | Method 1 | Method 2 | Method 3 | Method 4 | Proposal I
---------------------------------------------------|----------|----------|----------|----------|-----------
Authentication providing anonymity                 |    O     |    O     |    O     |    O     |     O
Anonymity control of illegal user                  |    O     |    O     |    O     |    O     |     O
Secret information maintenance proof of            |    O     |    X     |    O     |    O     |     O
  authentication information                       |          |          |          |          |
Independence of LEA                                |    X     |    O     |    X     |    O     |     O
Prevention of illegal anonymity control            |    X     |    X     |    O     |    O     |     O
Publicly verifiable anonymity control              |    X     |    X     |    X     |    X     |     O
5 Conclusion

When a user and a service provider carry out an authentication process, the user wants to keep his or her identity anonymous, while the service provider wants to provide the service only after confirming the user's accurate identity. An identity escrow scheme can reconcile these conflicting interests and satisfy the requirements of both the user and the service provider. This paper has discussed in detail the motivation for and requirements of conventional identity escrow schemes and the problems of existing schemes. On that basis, new requirements for enhancing security and trustworthiness were proposed, and a new identity escrow scheme was presented that resolves the problems of existing schemes and satisfies all the new requirements. In addition, a scheme for the service provider to transmit contents securely to the user and an enhanced mechanism supporting key escrow for encrypted communication among users of the same system were proposed. Further research on more secure and efficient identity escrow schemes is strongly encouraged.
References

[1] J. Camenisch, "Efficient and generalized group signatures", Advances in Cryptology – EUROCRYPT '97, pp. 465–479, 1997.
[2] J. Kilian and E. Petrank, "Identity Escrow", Advances in Cryptology – CRYPTO '98, pp. 169–184, 1998.
[3] J. Kilian and E. Petrank, "Identity Escrow", Theory of Cryptography Library, ftp://theory.lcs.mit.edu/pub/tcrypto1/97-11.ps, 1997.
[4] K. Sakurai and Y. Yamane, "Key Escrow System of Protecting User's Privacy by Blind Decoding", pp. 147–157, 1998.
[5] M. Stadler, "Fair blind signatures", Proc. EUROCRYPT '95, LNCS 921, pp. 209–219, 1995.
[6] S. Micali, "Fair Cryptosystems", Advances in Cryptology – CRYPTO '92, pp. 113–138, 1992.
[7] http://www.epic.org, "Escrowed Encryption Standard (EES)", Approval of FIPS 185, 1994.
[8] http://csrc.nist.gov, "Requirements for Key Recovery Products", NIST, 1998.
[9] Yong-Rak Choi, Ou-Yeong So, Jae-Gwang Lee and Im-Yeong Lee, Computer Network Security, Greenpress, 2001.
[10] Yong-Ho Lee and Im-Yeong Lee, "Identity Escrow Scheme for Publicly Verifiable Anonymity Control", CISC 2001, pp. 79–82, 2001.
[11] Bo-Sung Hwang and Im-Yeong Lee, "The Proposals of Identity Escrow Scheme to Control User's Anonymity", Journal of Korea Multimedia Society, vol. 4, no. 6, pp. 617–624, 2000.
[12] Bo-Sung Hwang and Im-Yeong Lee, "A Design of Identity Escrow Scheme", WISC 2000, pp. 588–602, 2000.
On Unconditionally Secure Distributed Oblivious Transfer

Ventzislav Nikov¹, Svetla Nikova², Bart Preneel² and Joos Vandewalle²

¹ Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, the Netherlands
[email protected]
² Department of Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee-Leuven, Belgium
{svetla.nikova,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
Abstract. This work concerns distributed protocols for oblivious transfer, proposed by Naor and Pinkas and recently generalized by Blundo et al. In this setting a Sender has n secrets and a Receiver is interested in one of them. The Sender distributes the information about the secrets to m servers, and the Receiver must contact a threshold of the servers in order to compute the secret. These distributed oblivious transfer protocols provide information-theoretic security. We present an impossibility result and a lower bound for the existence of one-round threshold distributed oblivious transfer protocols, generalizing the results of Blundo et al. A threshold-based construction implementing 1-out-of-n distributed oblivious transfer that achieves the proven lower bound is proposed. A condition for the existence of general access structure distributed oblivious transfer schemes is proven. We also present a general access structure protocol implementing 1-out-of-n distributed oblivious transfer.
1 Introduction
Oblivious Transfer (OT) refers to several types of two-party protocols where at the beginning of the protocol one party, the Sender, has an input, and at the end of the protocol the other party, the Receiver (sometimes called the chooser), learns some information about this input in a way that does not allow the Sender to figure out what the Receiver has learned. Introduced by M. Rabin in [22], and subsequently defined in different forms in [15, 5], oblivious transfer has found many applications in cryptographic studies and protocol design. A variety of slightly different definitions and implementations can be found in the literature, as well as papers addressing issues such as the relation of OT to other cryptographic primitives (e.g. see [1, 3, 6, 12, 13, 19]).
The author was partially supported by NATO research fellowship and Concerted Research Action GOA-MEFISTO-666 of the Flemish Government.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 395–408, 2002. c Springer-Verlag Berlin Heidelberg 2002
396
Ventzislav Nikov et al.
The Private Information Retrieval (PIR) and Symmetric Private Information Retrieval (SPIR) schemes, introduced in [7, 16], represent another very close area. In PIR and SPIR schemes the emphasis is placed on the communication complexity of the interaction between user and servers. Other interesting PIR papers for the distributed OT scenario are [2, 11, 17]. Rivest's model given in [23] utilizes a trusted initializer, who participates only in an initial setup phase. The setting of that scheme is close to the one described in [20] and considered in this paper. In the very recent paper [24] the author deals with distributed oblivious transfer implementations, close to the setting in [20], but not unconditionally secure.

In this paper we are concerned with unconditionally secure distributed oblivious transfer protocols, introduced by Naor and Pinkas in [20] and recently generalized by Blundo et al. in [4]. Distributed oblivious transfer (DOT) protocols distribute the task of the Sender between several servers. Security is ensured as long as a limited number of these servers collude. We present an analysis of the threshold and general access structure models for DOT. We prove an impossibility result and a lower bound for the existence of one-round threshold distributed oblivious transfer protocols, generalizing the result of Blundo et al. A threshold based construction implementing 1-out-of-n DOT and achieving the proved lower bound for existence is proposed as well. Since in many natural scenarios the assumption that trust is "uniformly distributed" over the players does not model reality well, and moreover in a more realistic model no threshold solution will work, we want to protect against general adversary structures. We give a condition for the existence of a general access structure DOT scheme. Finally, a general access structure protocol implementing 1-out-of-n DOT is presented.

The paper is organized as follows. In the next section we give the basic definitions for distributed oblivious transfer and a formal model. In Section 3, using some Information Theory tools, we prove an impossibility result for certain parameters and consequently derive a lower bound for the existence of DOT with the same parameters. A protocol implementing $(r,m)$-DOT-$\binom{n}{1}$ is presented in Section 4. In Sections 5, 6 and 7 a general access structure model for DOT-$\binom{n}{1}$ is analyzed and the corresponding protocol is constructed.
2 The Distributed Model

2.1 Definitions
A distributed r-out-of-m OT-$\binom{n}{1}$ protocol involves three types of parties:
– A Sender S which has n inputs (secrets) $s_0, s_1, \ldots, s_{n-1}$. It is convenient to assume that these inputs are elements of a finite field F.
– A Receiver R that has an input $\sigma \in \{0, 1, \ldots, n-1\}$.
– Additional m servers, $S_1, S_2, \ldots, S_m$.

We assume that the Sender holds n secrets and the Receiver is interested in one of them. In the distributed setting the Sender S does not directly interact with the Receiver R in order to carry out the oblivious transfer. Rather, he delegates m servers to accomplish this task for him. The protocol is composed of the following functional steps:
– Initialization Phase. Let $S_1, S_2, \ldots, S_m$ be m servers. The Sender S generates m programs $P_1, P_2, \ldots, P_m$ and, for $i = 1, \ldots, m$, sends program $P_i$ in a secure way to the server $S_i$. Each program $P_i$ depends on the secrets $s_0, s_1, \ldots, s_{n-1}$ and on some random data.
– Oblivious Transfer Phase. The Receiver R holds a program R which enables her to interact with a subset $\{S_{i_1}, \ldots, S_{i_r}\}$ of r servers of her choice. She sends to the server $S_i$ a query $q_i$ which is a function of σ and i, and of some random data. The server answers the query with $a_i$. Once the answers are collected, the Receiver R is able to recover the secret in which she is interested, receiving no information about the other secrets. At the same time, any subset of t − 1 servers, say $\{S_{i_1}, \ldots, S_{i_{t-1}}\} \subseteq \{S_{i_1}, \ldots, S_{i_r}\}$, does not gain any information about the secret she has recovered.

More precisely, a distributed $(r,m)$-DOT-$\binom{n}{1}$ must guarantee the following properties:
– Reconstruction. If the Receiver gets information from r out of the m servers, she can compute the secret $s_\sigma$.
– Sender's Privacy. Given any r values, the Receiver must gain information about a single secret, and no information about the others.
– Receiver's Privacy. No coalition of less than t servers gains information about which secret the Receiver has recovered.
– Receiver-servers collusion. A coalition of the Receiver with l corrupt servers cannot learn more about the n secrets than can be learned by the Receiver herself.

2.2 A Formal Model
In this section we will follow the notation and the formal model given by Blundo et al. in [4]. Assume that S holds a program S to generate m programs $P_1, \ldots, P_m$ enabling $S_1, \ldots, S_m$ and R to perform $(r,m)$-DOT-$\binom{n}{1}$ oblivious transfer of his n secrets. R holds an associated program R for interacting with the servers. The m + 1 programs $P_1, \ldots, P_m$ and R specify the computations to be performed to achieve $(r,m)$-DOT-$\binom{n}{1}$. In order to model dishonest behavior, where a coalition of at most t − 1 servers tries to figure out which secret R has recovered from the transfer, we assume that the cheating servers $S_{i_1}, \ldots, S_{i_{t-1}}$ hold modified versions of their programs $P_{i_1}, \ldots, P_{i_{t-1}}$. These programs could have been generated either by a dishonest S, who holds a cheating version of the program S, or could have been modified by the dishonest servers. Similarly, a cheating R, who tries to gain some information about other secrets, holds a modified version of the program R. These programs can be described by random variables, which will be denoted by the same letters in bold. An execution of the protocol can be described by using the following additional random variables: for $j = 1, \ldots, m$ let $C_j$ be the transcript of the communication between R and $S_j$. Moreover, let W be the set of all length-n sequences of secrets, and, for any $w \in W$, let $w_i$ be the i-th secret of the sequence. Denoting by W the random variable that represents the choice of an element in W and by T the random variable representing the choice of an index i in $T = \{0, 1, \ldots, n-1\}$, one can define (as in [4]) the conditions that an $(r,m)$-DOT-$\binom{n}{1}$ oblivious transfer protocol must satisfy as follows:

Definition 1. [4] The sequence of programs $[S, P_1, \ldots, P_m, R]$ is correct for $(r,m)$-DOT-$\binom{n}{1}$ if for any $i \in T$ and $j = 1, \ldots, m$
$$H(C_j \mid P_j\, T\, R) = 0 \qquad (1)$$
and, for any $w \in W$ and for any $\{i_1, \ldots, i_r\} \subseteq \{1, \ldots, m\}$
$$H(W_T \mid C_{i_1} \ldots C_{i_r}) = 0. \qquad (2)$$
The definition means that the transcript of the communication is completely determined by the program of the server $S_j$, the program of the Receiver and her choice. Moreover, after interacting with r servers, an honest Receiver always recovers the secret in which she is interested. Assuming that both S and R are aware of the joint probability distribution $P_{W,T}$ on W and T, the probability with which S chooses the secrets in W and R chooses an index $i \in T$, the privacy property of $(r,m)$-DOT-$\binom{n}{1}$ can be defined as follows:

Definition 2. [4] The sequence of programs $[S, P_1, \ldots, P_m, R]$ is private for $(r,m)$-DOT-$\binom{n}{1}$ if
– for any set of indices $\{i_1, \ldots, i_{t-1}\} \subseteq \{1, \ldots, m\}$,
$$H(T \mid P_{i_1} \ldots P_{i_{t-1}}\, C_{i_1} \ldots C_{i_{t-1}}) = H(T). \qquad (3)$$
– for any program R, for any $i \in T$ and for any set of indices $\{i_1, \ldots, i_r\} \subseteq \{1, \ldots, m\}$,
$$H(W \setminus W_T \mid T\, R\, C_{i_1} \ldots C_{i_r}\, W_T) = H(W \setminus W_T). \qquad (4)$$
– for any set of indices $\{i_1, \ldots, i_l\} \subseteq \{1, \ldots, m\}$, for any $i \in T$ and for any R,
$$H(W \mid T\, R\, C_{i_1} \ldots C_{i_l}\, P_{i_1} \ldots P_{i_l}) = H(W). \qquad (5)$$
– for any pair of sets of indices $\{i_1, \ldots, i_l\} \subseteq \{1, \ldots, m\}$ and $\{j_1, \ldots, j_r\} \subseteq \{1, \ldots, m\}$, for any $i \in T$ and for any R,
$$H(W \setminus W_T \mid T\, R\, P_{i_1} \ldots P_{i_l}\, C_{j_1} \ldots C_{j_r}\, W_T) = H(W \setminus W_T). \qquad (6)$$

The first two conditions ensure that a dishonest coalition of t − 1 servers does not gain information about R's index, and that a dishonest R infers at most one secret among the ones held by $S_1, \ldots, S_m$. Condition (5) takes into account the possibility of an attack against S performed either by at most l servers alone or with the cooperation of R. The condition states that such coalitions do not gain any information about the secrets held by S. Finally, condition (6) states that a coalition of l servers and the Receiver cannot compute any information about the other secrets, once the Receiver has obtained one.
3 Impossibility Result and Lower Bound for Existence
Using some Information Theory tools and the ideas in [4] we can show that for one-round DOT protocols an impossibility result holds for the parameters r, t and l. Consequently, a lower bound for the existence of DOT with parameters r, t and l will be proved. First of all, notice that if the protocol is one round, then $C_j = (Q_j, A_j)$, the query of the Receiver and the answer of the server. Therefore, condition (1) can be re-phrased by saying that for $j = 1, \ldots, m$
$$H(Q_j \mid R\, T) = 0 \quad \text{and} \quad H(A_j \mid Q_j\, P_j) = 0. \qquad (7)$$
With this notation we can prove the following impossibility result:

Theorem 1. In any $(r,m)$-DOT-$\binom{n}{1}$ scheme with parameters t and l such that $r < t + l$, once the Receiver has legally recovered a secret, a coalition of l corrupt servers and the Receiver can recover all the others.

Proof. Let $r = l + t - 1$, i.e. $l = r - t + 1$. Let $q_1, \ldots, q_r$ be the queries sent by the Receiver when $T = i$, and let $a_1, \ldots, a_r$ be the answers that $S_1, \ldots, S_r$ send back to R. The Receiver's security property (3) with respect to t − 1 servers, say $S_{l+1}, \ldots, S_r$, implies that there exist queries $q_1^s, \ldots, q_l^s$ and answers $a_1^s, \ldots, a_l^s$ for any $s \neq i$, such that if
$$H(W_i \mid Q_1 = q_1 \ldots Q_r = q_r,\ A_1 = a_1 \ldots A_r = a_r) = 0$$
then
$$H(W_s \mid Q_1 = q_1^s \ldots Q_l = q_l^s\ Q_{l+1} = q_{l+1} \ldots Q_r = q_r,\ A_1 = a_1^s \ldots A_l = a_l^s\ A_{l+1} = a_{l+1} \ldots A_r = a_r) = 0.$$
Since the answers given by $S_1, \ldots, S_l$ depend only on their own programs $P_1, \ldots, P_l$ and on the received queries (i.e. $H(A_j \mid Q_j\, P_j) = 0$ for $j = 1, \ldots, l$), it holds that
$$H(W \mid P_1 \ldots P_l\, A_{l+1} \ldots A_r,\ Q_{l+1} \ldots Q_r\, R) = 0.$$
Indeed,
$$H(W \mid P_1 \ldots P_l\, A_{l+1} \ldots A_r,\ Q_{l+1} \ldots Q_r\, R) \le \sum_{t \in T} H(W_t \mid P_1 \ldots P_l\, A_{l+1} \ldots A_r,\ Q_{l+1} \ldots Q_r\, R,\ T = t)$$
and
$$H(W_t \mid P_1 \ldots P_l\, A_{l+1} \ldots A_r,\ Q_{l+1} \ldots Q_r\, R,\ T = t) \le H(W_t \mid P_1 \ldots P_l\, A_{l+1} \ldots A_r,\ Q_1 \ldots Q_r) \le H(W_t \mid A_1 \ldots A_r,\ Q_1 \ldots Q_r) = 0.$$
Therefore the Receiver and a coalition of l servers can recover all the secrets and the result holds.
The last theorem is a natural extension of Theorem 3.5 in [4], where the case $r = k$, $t = k$, $l = 1$ is considered. A consequence of this impossibility result for one-round protocols is the lower bound for the existence of DOT with parameters r, t and l.

Corollary 1. A necessary and sufficient condition for the existence of an $(r,m)$-DOT-$\binom{n}{1}$ scheme with parameters t and l is $r \ge t + l$.

Proof. The necessity follows directly from Theorem 1. In the next section a protocol implementing an $(r,m)$-DOT-$\binom{n}{1}$ scheme with parameters t, l and satisfying $r = t + l$ will be presented, which proves the sufficient condition.
Note that two-round protocols, as for example the one proposed in [4], satisfy the same bound, because two times contacting k servers can be viewed as once contacting 2k servers. Hence r = 2k, t = l = k are suitable parameters for existence of DOT .
4 Protocol Implementing $(r,m)$-DOT-$\binom{n}{1}$

Two protocols for $(r,m)$-DOT-$\binom{2}{1}$ have been proposed by Naor and Pinkas in [20]. Recently Blundo et al. in [4] generalized the idea of Naor and Pinkas and proposed several protocols for $(r,m)$-DOT-$\binom{n}{1}$. The protocols proposed by Naor and Pinkas and two of the protocols in [4] are based on polynomial interpolation. Combinatorial constructions are presented in [4] as well. In this section we propose a protocol based on polynomial interpolation. It is a generalization of the protocols of Naor and Pinkas and Blundo et al. The protocol is described as follows:

Initialization Phase. Let $s_0, s_1, \ldots, s_{n-1} \in F$ (F a finite field) be the Sender's S secrets.
1. S generates n − 1 random polynomials $B_1(x), \ldots, B_{n-1}(x)$ of degree l and one random polynomial $B_0(x)$ of degree $r - 1 \ge l + t - 1$ with values in F such that $B_0(0) = s_0$ and, for $i = 1, \ldots, n-1$, $s_i = B_0(0) + B_i(0)$.
2. Then, S constructs an n-variate polynomial $Q(x, y_1, \ldots, y_{n-1})$ with values in F such that $Q(0, 0, \ldots, 0) = s_0$, $Q(0, 1, 0, \ldots, 0) = s_1$, ..., $Q(0, 0, \ldots, 1) = s_{n-1}$. More precisely,
$$Q(x, y_1, \ldots, y_{n-1}) = B_0(x) + \sum_{j=1}^{n-1} B_j(x)\, y_j.$$
3. Finally, for $i = 1, \ldots, m$, he sends the (n − 1)-variate polynomial $Q(i, y_1, \ldots, y_{n-1})$ to the server $S_i$.
Oblivious Transfer Phase. Let $\sigma \in \{0, 1, \ldots, n-1\}$ be the Receiver's R index.
1. R generates n − 1 random polynomials $D_1(x), \ldots, D_{n-1}(x)$ of degree t − 1 such that $(D_1(0), \ldots, D_{n-1}(0))$ is an (n − 1)-tuple of zeroes with at most a 1 in position σ, the position corresponding to the secret in which she is interested. Define a univariate polynomial V to be $V(x) = Q(x, D_1(x), \ldots, D_{n-1}(x))$.
2. Then, she asks r servers $S_{i_j}$, for $j = 1, \ldots, r$, sending a query of the form $(D_1(i_j), \ldots, D_{n-1}(i_j))$.
3. The server $S_{i_j}$ calculates the value $Q(i_j, D_1(i_j), \ldots, D_{n-1}(i_j)) = V(i_j)$ and sends it back to R.
4. After receiving r values of V, say $V(i_1), \ldots, V(i_r)$, R interpolates $V(x)$ and computes $V(0)$.

4.1 Correctness and Security
The correctness of the proposed protocol: The degree of the polynomial $V(x)$ is r − 1, hence after receiving r values in step 3 the Receiver is able to recover $V(x)$ correctly and calculate $V(0)$. On the other hand, assuming that $(D_1(0), \ldots, D_{n-1}(0)) = (0, \ldots, 0, 1, 0, \ldots, 0)$ (i.e. at most a 1 in position σ), then $V(0) = Q(0, D_1(0), \ldots, D_{n-1}(0)) = Q(0, 0, \ldots, 0, 1, 0, \ldots, 0) = s_\sigma$.

Now we will see that the proposed protocol for $(r,m)$-DOT-$\binom{n}{1}$ satisfies the four properties described in the definition. As for Reconstruction, we have already checked that our protocol is correct. The Receiver's Privacy is guaranteed against coalitions of at most t − 1 servers, because R herself chooses the polynomials $D_1(x), \ldots, D_{n-1}(x)$ to have degree t − 1. Again using the proof of correctness of the proposed protocol it follows that the Sender's Privacy is guaranteed. Finally, consider the Receiver-servers collusion, assuming that the Receiver has already calculated one secret and that a coalition of at most l corrupt servers helps her to discover others. Because the Sender S chooses the polynomials $B_1(x), \ldots, B_{n-1}(x)$ of degree l and a polynomial $B_0(x)$ of degree $r - 1 \ge l + t - 1$, the information these l corrupt servers possess (i.e. $B_0(i_j), B_1(i_j), \ldots, B_{n-1}(i_j)$ for $j = 1, \ldots, l$) is insufficient to recover any of the polynomials $B_0(x), B_1(x), \ldots, B_{n-1}(x)$, hence it is insufficient to find any of the values $B_0(0), B_1(0), \ldots, B_{n-1}(0)$.

Remark: The proposed protocol satisfies $r = l + t$, which proves the "sufficient" part in the proof of Corollary 1.

4.2 Efficiency
Comparing our scheme with the polynomial scheme of Blundo et al., they are equal with respect to the following parameters: the memory storage of the servers, the complexity of each interaction, the randomness needed to set up the scheme and the randomness of the whole communication. The scheme proposed here achieves the bounds of Theorems 3.1, 3.2, 3.3 and 3.4 in [4]. But the memory storage for the Sender and the Receiver is higher in our scheme, because it provides better security. One of the questions that Naor and Pinkas raised is how the scheme will ensure that a Receiver does not obtain more than r shares. It is clear that in our scheme the Sender can choose m = r and solve this problem, providing the desired security.
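The threshold protocol of this section run end to end, as an added example that is not part of the paper: it works over a constructed prime field GF(p) with p = 2^61 − 1, enforces the bound r ≥ t + l of Corollary 1 when the Sender sets up, and uses Lagrange interpolation at 0 for step 4 of the Oblivious Transfer Phase. The class and function names are the example's own.

```python
"""Worked run of the (r, m)-DOT-(n choose 1) protocol of Section 4 over GF(p).

Added example, not the paper's code. Assumptions: a constructed prime field
GF(p) with p = 2**61 - 1, and servers numbered 1..m so that server i holds
Q(i, y_1, ..., y_{n-1}) in the form of the values B_0(i), ..., B_{n-1}(i).
"""
import secrets

P = 2**61 - 1  # constructed field modulus; any prime larger than the secrets works


def poly_eval(coeffs, x):
    """Evaluate c_0 + c_1 x + ... + c_k x^k at x over GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def random_poly(degree, constant):
    """Random polynomial of the given degree with the prescribed constant term."""
    return [constant % P] + [secrets.randbelow(P) for _ in range(degree)]


def lagrange_at_zero(points):
    """Value at x = 0 of the polynomial of degree < len(points) through the points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class Sender:
    """Initialization Phase: Q(x, y) = B_0(x) + sum_j B_j(x) y_j."""

    def __init__(self, secret_list, r, t, l):
        # Corollary 1: a one-round scheme needs r >= t + l, i.e. deg B_0 = r-1 >= l+t-1.
        if r < t + l:
            raise ValueError("Corollary 1: need r >= t + l")
        s0 = secret_list[0]
        self.B = [random_poly(r - 1, s0)]                  # B_0 of degree r-1, B_0(0) = s_0
        for si in secret_list[1:]:
            self.B.append(random_poly(l, si - s0))         # B_i of degree l, B_i(0) = s_i - s_0

    def program_for_server(self, i):
        """Step 3: Q(i, y_1..y_{n-1}) is given by the values B_0(i), ..., B_{n-1}(i)."""
        return [poly_eval(b, i) for b in self.B]


class Server:
    """Holds Q(i, .) and answers the query (D_1(i), ..., D_{n-1}(i)) with V(i)."""

    def __init__(self, i, program):
        self.i, self.program = i, program

    def answer(self, query):
        b0, rest = self.program[0], self.program[1:]
        return (b0 + sum(bj * yj for bj, yj in zip(rest, query))) % P


class Receiver:
    """Oblivious Transfer Phase: D_j of degree t-1 with D_j(0) = 1 iff j == sigma."""

    def __init__(self, sigma, n, t):
        self.D = [random_poly(t - 1, 1 if j == sigma else 0) for j in range(1, n)]

    def query_for(self, i):
        return [poly_eval(d, i) for d in self.D]

    def recover(self, answers):
        """Step 4: interpolate V from the (i_j, V(i_j)) pairs and return V(0) = s_sigma."""
        return lagrange_at_zero(answers)


def run_dot(secret_list, sigma, r, m, t, l, contacted=None):
    """One transfer: returns what R recovers after contacting the given servers."""
    sender = Sender(secret_list, r, t, l)
    servers = {i: Server(i, sender.program_for_server(i)) for i in range(1, m + 1)}
    receiver = Receiver(sigma, len(secret_list), t)
    contacted = contacted if contacted is not None else list(range(1, r + 1))
    answers = [(i, servers[i].answer(receiver.query_for(i))) for i in contacted]
    return receiver.recover(answers)


if __name__ == "__main__":
    demo_secrets = [11, 22, 33, 44]                        # constructed sample secrets
    for sigma in range(len(demo_secrets)):
        print(sigma, run_dot(demo_secrets, sigma, r=4, m=6, t=2, l=2))
```

Contacting fewer than r servers leaves V(0) undetermined: with r − 1 answers the interpolation returns a value unrelated to $s_\sigma$ except with probability 1/p.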
5 General Access Structure Model for DOT-$\binom{n}{1}$
Threshold-based schemes make sense only in environments where one assumes that any player subset of a certain cardinality is equally likely (or unlikely) to cheat (or to be corrupted). In many natural scenarios this assumption does not model reality well, thus we need to protect against general adversary structures. The well known drawback of using the general access structure approach rather than the threshold one is that the memory storage and the complexity of each interaction will not be optimal. In this section we will apply a general access structure method for building a DOT-$\binom{n}{1}$.

5.1 Definitions
A Distributed General Access Structure OT-$\binom{n}{1}$ protocol involves the same three types of parties as in the threshold case: Sender, Receiver and servers. The protocol is now composed in nearly the same way, with a few changes in the Oblivious Transfer Phase: the Receiver R holds a program R which enables her to interact with a subset of qualified servers $\{S_{i_1}, \ldots, S_{i_r}\} \in \Gamma$ of her choice. At the same time, any subset $\{S_{i_1}, \ldots, S_{i_{t-1}}\} \in \Delta_1$ of forbidden servers does not gain any information about the secret she has recovered. More precisely, a Distributed General Access Structure DOT-$\binom{n}{1}$ must guarantee the following properties:
– Reconstruction. If the Receiver gets information from a set of qualified servers $G \in \Gamma$, she can compute the secret $s_\sigma$.
– Sender's Privacy. Given the values of any set of qualified servers $G \in \Gamma$, the Receiver must gain information about a single secret, and no information about the others.
– Receiver's Privacy. No coalition of forbidden servers $G_1 \in \Delta_1$ gains information about which secret the Receiver has recovered.
– Receiver-servers collusion. A coalition of the Receiver with a set of corrupt servers $G_2 \in \Delta_2$ cannot learn more about the n secrets than can be learned by the Receiver herself.

The subsets of the set of m servers are grouped into three families Γ, $\Delta_1$, $\Delta_2$ of qualified, forbidden and corrupt servers, resp. The set Γ is monotone increasing and the sets $\Delta_1$, $\Delta_2$ are monotone decreasing.
6 Condition for Existence
First we give the following definition:

Definition 3. [21] We define the operation ∗ for any monotone decreasing sets $\Delta_1, \Delta_2$ as follows: $\Delta_1 \ast \Delta_2 = \{A = A_1 \cup A_2 ;\ A_1 \in \Delta_1,\ A_2 \in \Delta_2\}$.

It is easy to check that $\Delta_1 \ast \Delta_2$ is also monotone decreasing. The same operation for monotone structures is defined by Fehr and Maurer in [14], who call it element-wise union, in order to give necessary and sufficient conditions for robust VSS and Distributed Commitments. Using some Information Theory tools we can show, in the same way as in the threshold case (see Theorem 1), that there is a condition for the existence of a one-round General Access Structure DOT protocol.

Theorem 2. In any General Access Structure DOT-$\binom{n}{1}$ scheme with sets of qualified, forbidden and corrupt servers Γ, $\Delta_1$, $\Delta_2$ such that $\Gamma \cap (\Delta_1 \ast \Delta_2) \neq \emptyset$, once the Receiver has legally recovered a secret, a coalition of corrupt servers from $\Delta_2$ and the Receiver can recover all the others.

A consequence of this existence condition for one-round protocols is the following Corollary.

Corollary 2. A necessary condition for the existence of a General Access Structure DOT-$\binom{n}{1}$ scheme with sets of qualified, forbidden and corrupt servers Γ, $\Delta_1$, $\Delta_2$ is that the tuple $(\Gamma, \Delta_1 \ast \Delta_2)$ is an access structure.

Denote by $U = \{S_1, \ldots, S_m\}$ the set of servers and by $2^U$ the set of all subsets of U. Denote by $\Gamma_1 = \Delta_1^c$ the complement of $\Delta_1$ in $2^U$ and by $\Gamma_2 = \Delta_2^c$ the complement of $\Delta_2$ in $2^U$. Correspondingly we have $\Delta_1 = \Gamma_1^c$ and $\Delta_2 = \Gamma_2^c$. It is well known that $\Gamma_1, \Gamma_2$ are monotone increasing. Now we can consider three separate access structures Γ, $\Gamma_1$, $\Gamma_2$.

Definition 4. [21] We define the operation ∗ for any monotone increasing sets $\Gamma_1, \Gamma_2$ as follows: $\Gamma_1 \ast \Gamma_2 = (\Delta_1 \ast \Delta_2)^c$.
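An added example (not from the paper) that makes Definition 3 and Corollary 2 concrete: it expands Γ, $\Delta_1$ and $\Delta_2$ from their minimal qualified, maximal forbidden and maximal corrupt sets over a small constructed server set, computes $\Delta_1 \ast \Delta_2$ as the element-wise union, and checks whether $(\Gamma, \Delta_1 \ast \Delta_2)$ is an access structure; the threshold helper shows the check reducing to the bound $r \ge t + l$ of Corollary 1. All function names are the example's own.

```python
"""Existence check for general access structure DOT (Definition 3, Corollary 2).

Added example, not the paper's code. Access structures are given by minimal
qualified sets (Gamma) and maximal forbidden / corrupt sets (Delta_1, Delta_2)
over a small constructed server set, and expanded to explicit families so the
condition Gamma ∩ (Delta_1 * Delta_2) = ∅ can be tested directly.
"""
from itertools import combinations


def all_subsets(servers):
    """Every subset of the given set, as frozensets (2^U in the paper's notation)."""
    servers = list(servers)
    return {frozenset(c) for k in range(len(servers) + 1) for c in combinations(servers, k)}


def upward_closure(minimal_sets, servers):
    """Monotone increasing family: all subsets of `servers` containing some minimal set."""
    minimal = [frozenset(a) for a in minimal_sets]
    return {s for s in all_subsets(servers) if any(a <= s for a in minimal)}


def downward_closure(maximal_sets):
    """Monotone decreasing family: all subsets of the given maximal sets."""
    family = set()
    for a in maximal_sets:
        family |= all_subsets(a)
    return family


def elementwise_union(delta1, delta2):
    """Definition 3: Delta_1 * Delta_2 = {A_1 ∪ A_2 : A_1 in Delta_1, A_2 in Delta_2}."""
    return {a1 | a2 for a1 in delta1 for a2 in delta2}


def dot_can_exist(gamma, delta1, delta2):
    """Corollary 2: (Gamma, Delta_1 * Delta_2) must be an access structure, i.e. no
    qualified set may be covered by one forbidden set together with one corrupt set."""
    return gamma.isdisjoint(elementwise_union(delta1, delta2))


def threshold_structures(m, r, t, l):
    """Threshold case: Gamma = sets of size >= r, Delta_1 = size <= t-1, Delta_2 = size <= l."""
    servers = list(range(1, m + 1))
    gamma = upward_closure(combinations(servers, r), servers)
    delta1 = downward_closure(combinations(servers, t - 1))
    delta2 = downward_closure(combinations(servers, l))
    return gamma, delta1, delta2


if __name__ == "__main__":
    # Threshold instances reproduce Corollary 1: existence iff r >= t + l.
    for r in (3, 4):
        print(f"(r={r}, m=6), t=2, l=2:", dot_can_exist(*threshold_structures(6, r, 2, 2)))
    # A non-threshold instance over four constructed servers: server 1 and 2 are both
    # needed to reconstruct, server 1 alone or {3, 4} may be forbidden, server 2 corrupt.
    servers = [1, 2, 3, 4]
    gamma = upward_closure([{1, 2, 3}, {1, 2, 4}], servers)
    print(dot_can_exist(gamma, downward_closure([{1}, {3, 4}]), downward_closure([{2}])))
```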
7 General Access Structure Protocol for DOT-$\binom{n}{1}$
In this section we propose a protocol for General Access Structure DOT-$\binom{n}{1}$. Most proposed SSS are linear, but the concept of an LSSS was first considered in its full generality by Karchmer and Wigderson in [18], who introduced the equivalent notion of Monotone Span Program (MSP), which we describe later. Each linear SSS can be viewed as derived from a monotone span program M computing its access structure. On the other hand, each monotone span program gives rise to an LSSS. Hence, one can identify an LSSS with its underlying monotone span program. Such an MSP always exists because MSPs can compute any monotone function. Note that the size of M is also the size of the corresponding LSSS. Now we will consider any access structure, as long as it admits a linear secret sharing scheme. We will use the definitions and results by Cramer et al. in [9] about General Secure Multi-Party Computation.

Definition 5. [9, 8] A Monotone Span Program $\mathcal{M}$ is a quadruple $(F, M, \varepsilon, \psi)$, where F is a finite field, M is a matrix (with e rows and $d \le e$ columns) over F, $\psi : \{1, \ldots, e\} \to \{1, \ldots, m\}$ is a surjective function and ε is a fixed vector, called the target vector, e.g. the column vector $(1, 0, \ldots, 0) \in F^d$. The size of $\mathcal{M}$ is the number of rows (e).

Thus, ψ labels each row with a number from $[1, \ldots, e]$ corresponding to a fixed player, hence we can think of each player as being the "owner" of one or more rows. For every player we consider a function ϕ which gives the set of rows owned by the player, i.e. ϕ is (in some sense) the inverse of ψ. It is known (e.g. see [10, Remark 2]) that the number of columns d can be increased without changing the access structure that is computed by an MSP. The space generated by the 2nd up to the d-th column of M does not contain even a non-zero multiple of the first column. Without changing the access structure that is computed, we can always replace the 2nd up to the d-th column of M by any set of vectors that generates the same space. An MSP is said to compute an access structure Γ when $\varepsilon \in \mathrm{Im}(M_G^T)$ if and only if G is a member of Γ. So, the players can reconstruct the secret precisely if the rows they own contain the target vector of $\mathcal{M}$ in their linear span, and otherwise they get no information about the secret, i.e. there exists a so-called recombination vector r such that $\langle r, M_G(s, \rho)\rangle = s$ and $M_G^T r = \varepsilon$ for any secret s and any ρ.

Let $f_1$ and $f_2$ be monotone boolean functions, computed by MSPs $\mathcal{M}_1 = (F, M_1, \varepsilon, \psi)$ and $\mathcal{M}_2 = (F, M_2, \varepsilon, \psi)$. Given two d-vectors x and y, Cramer et al. in [9, 8] denote by $x \diamond y$ the vector containing all entries of the form $x_i y_j$, where $\psi(i) = \psi(j)$. Thus, if $d_i = |\phi(i)|$ is the number of rows owned by player i, then $x \diamond y$ has $\bar{d} = \sum_i d_i^2$ entries. So, if x, y contain shares resulting from sharing two secrets using $\mathcal{M}_1$ and $\mathcal{M}_2$, then the vector $x \diamond y$ can be computed using only local computation by the players, i.e. each component of the vector can be computed by one player.

Definition 6. [9, 8] Multiplicative MSPs are MSPs $\mathcal{M}_1$ and $\mathcal{M}_2$ for which there exists a $\bar{d}$-vector r, called a recombination vector, such that for any two secrets $s'$ and $s''$ and any $\rho'$ and $\rho''$ it holds that
$$s' s'' = \langle r,\ M_1(s', \rho') \diamond M_2(s'', \rho'')\rangle.$$
It means that one can construct a multiplicative MSP computing $f_1 \vee f_2$. We will call it the multiplicative result MSP.

Definition 7. [9, 8] If A is a player subset, $\mathcal{M}_A$ is the MSP obtained from $\mathcal{M}$ by keeping only the rows owned by players in A. We say that $\mathcal{M}_1$ and $\mathcal{M}_2$ are strongly multiplicative if for any player subset A that is qualified by both $\mathcal{M}_1$ and $\mathcal{M}_2$, $(\mathcal{M}_1)_A$ and $(\mathcal{M}_2)_A$ are multiplicative.
It means that one can construct a strongly multiplicative MSP computing $f_1 \vee f_2$; this MSP we will call the strongly multiplicative result MSP. We are now ready to describe the protocol for a General Access Structure DOT-$\binom{n}{1}$ scheme with sets of qualified, forbidden and corrupt servers Γ, $\Delta_1$, $\Delta_2$, resp., and the corresponding three access structures Γ, $\Gamma_1$, $\Gamma_2$. Let $\Gamma_1, \Gamma_2$ be the access structures with the MSPs $\mathcal{M}_1$ and $\mathcal{M}_2$, which possess the strongly multiplicative property. Denote by $\tilde{\Gamma}$ the access structure corresponding to the strongly multiplicative result MSP $\tilde{\mathcal{M}}$ (see Definition 7).

Definition 8. We say that MSPs $\mathcal{M}$, $\mathcal{M}_1$ and $\mathcal{M}_2$ are DOT MSPs if there exists a $\bar{d}$-vector r, called a recombination vector, such that for any three secrets s, $s'$ and $s''$ and any ρ, $\rho'$ and $\rho''$ it holds that
$$s + s' s'' = \langle r,\ M(s, \rho) + M_1(s', \rho') \diamond M_2(s'', \rho'')\rangle.$$

Lemma 1. A necessary condition for the existence of DOT MSPs $\mathcal{M}$, $\mathcal{M}_1$ and $\mathcal{M}_2$ is that $\mathcal{M}_1$ and $\mathcal{M}_2$ are strongly multiplicative, and their strongly multiplicative result MSP $\tilde{\mathcal{M}} = \mathcal{M}$ (i.e. $\tilde{\Gamma} = \Gamma$).

Thus, a necessary condition for the existence of a General Access Structure DOT-$\binom{n}{1}$ scheme, which turns out to be also a sufficient condition, is the following.

Theorem 3. A necessary and sufficient condition for the existence of a General Access Structure DOT-$\binom{n}{1}$ scheme with sets of qualified, forbidden and corrupt servers Γ, $\Delta_1$, $\Delta_2$ and the three access structures Γ, $\Gamma_1$, $\Gamma_2$ corresponding to them is that their MSPs $\mathcal{M}$, $\mathcal{M}_1$ and $\mathcal{M}_2$ are DOT MSPs.

Now we are ready to present the following protocol for a General Access Structure DOT-$\binom{n}{1}$ scheme.

Initialization Phase. Let $s_0, s_1, \ldots, s_{n-1} \in F$ be the Sender's S secrets. There are three access structures Γ, $\Gamma_1$, $\Gamma_2$ and, corresponding to them, three MSPs $\mathcal{M}_1 = (F, M_1, \varepsilon, \psi)$, $\mathcal{M}_2 = (F, M_2, \varepsilon, \psi)$ and $\mathcal{M} = (F, M, \varepsilon, \psi)$, as well as the "reverse" functions ϕ and $\tilde{\phi}$ (the latter belonging to $\tilde{\mathcal{M}}$). In our construction we require $\Gamma = \tilde{\Gamma}$, i.e. $\phi = \tilde{\phi}$ and $\psi = \tilde{\psi}$. As we noted before, the number of columns of an MSP can be increased without changing the access structure that it computes. Therefore we can assume that the number of columns in the MSPs $\mathcal{M}$, $\mathcal{M}_1$ and $\mathcal{M}_2$ is equal to d.
1. S generates n random vectors $B_0, B_1, \ldots, B_{n-1} \in F^d$ such that $\langle B_0, \varepsilon\rangle = s_0$ and, for $i = 1, \ldots, n-1$, $s_i = \langle B_0 + B_i, \varepsilon\rangle$.
2. Then, for $i = 1, \ldots, m$, he sends the n packets of shares $(v_0)_{\phi(i)}$ and $(v_j)_{\phi(i)}$, for $j = 1, \ldots, n-1$, to the server $S_i$, where $(v_0)_{\phi(i)} = M_{\phi(i)} B_0$ and, for $j = 1, \ldots, n-1$, $(v_j)_{\phi(i)} = (M_2)_{\phi(i)} B_j$.
Oblivious Transfer Phase. Let $\sigma \in \{0, 1, \ldots, n-1\}$ be the Receiver's R index.
1. R generates n − 1 random vectors $D_1, \ldots, D_{n-1} \in F^d$ such that $(\langle D_1, \varepsilon\rangle, \ldots, \langle D_{n-1}, \varepsilon\rangle)$ is an (n − 1)-tuple of zeroes with at most a 1 in position σ, the position corresponding to the secret in which she is interested.
2. Then she asks a set of qualified servers $S_i$, sending a query of n − 1 packets of temporary shares $(v_j^R)_{\phi(i)}$, for $j = 1, \ldots, n-1$, where $(v_j^R)_{\phi(i)} = (M_1)_{\phi(i)} D_j$.
3. The server $S_i$ calculates the values
$$(v^S)_{\phi(i)} = (v_0)_{\phi(i)} + \sum_{j=1}^{n-1} (v_j^R)_{\phi(i)} \diamond (v_j)_{\phi(i)}$$
and sends them back to R.
4. After receiving the values $(v^S)_{\phi(i)}$ for a set of qualified servers (i.e. $i \in G$ and $G \in \Gamma$), the Receiver is able to recover the secret $s_\sigma$. First she computes r such that $M_{\phi(G)}^T r = \varepsilon$ and then she computes $s_\sigma = \langle (v^S)_{\phi(G)}, r\rangle$.

7.1 Correctness and Security
The correctness of the proposed protocol: We have $\langle B_0, \varepsilon\rangle = s_0$ and $s_j - s_0 = \langle B_j, \varepsilon\rangle$ for $j = 1, \ldots, n-1$. Denote $(d_1, \ldots, d_{n-1}) = (\langle D_1, \varepsilon\rangle, \ldots, \langle D_{n-1}, \varepsilon\rangle)$. So, $(v_j^R)_{\phi(i)} \diamond (v_j)_{\phi(i)}$ is the share of $S_i$ which corresponds to the share of the strongly multiplicative result MSP computing $f_1 \vee f_2$, i.e. the share for the secret $d_j(s_j - s_0)$ shared with access structure $\tilde{\Gamma} = \Gamma$. Hence the share $(v^S)_{\phi(i)}$ corresponds to the share of the same strongly multiplicative MSP with shared secret $s_0 + \sum_{j=1}^{n-1} d_j (s_j - s_0)$. Since $(d_1, \ldots, d_{n-1}) = (0, \ldots, 0, 1, 0, \ldots, 0)$ is an (n − 1)-tuple of zeroes with at most a 1 in position σ, the position corresponding to the secret in which R is interested, we have $s_\sigma = s_0 + \sum_{j=1}^{n-1} d_j (s_j - s_0)$. Using the well known calculations for MSPs (i.e. $\langle (v^S)_{\phi(G)}, r\rangle$) the Receiver recovers the secret, which is exactly $s_\sigma$.

Now we will see that the proposed General Access Structure protocol for DOT-$\binom{n}{1}$ satisfies the four properties described in the extended definition. As for Reconstruction, we have already checked that our protocol is correct. The Receiver's Privacy is guaranteed against coalitions $\Delta_1$ of forbidden servers, because R herself chooses the vectors $D_1, \ldots, D_{n-1}$ with values $d_1, \ldots, d_{n-1}$. Again using the proof of correctness of the proposed protocol it follows that the Sender's Privacy is guaranteed. Finally, consider the Receiver-servers collusion, assuming that the Receiver has already calculated one secret and that a coalition of corrupt servers in $\Delta_2$ helps her to discover others. Because of the way the Sender S chooses the vectors $B_0, B_1, \ldots, B_{n-1}$, the information these corrupt servers possess (i.e. their collected shares) is insufficient to recover any of the secrets $s_0, s_1 - s_0, \ldots, s_{n-1} - s_0$.
8 Conclusions
In this paper we have studied unconditionally secure distributed oblivious transfer protocols. We have presented an analysis of the threshold and general access structure models and some new results: an impossibility result and a lower bound for the existence of one-round threshold DOT protocols, generalizing the result of Blundo et al.; a threshold-based construction implementing 1-out-of-n DOT achieving the proved lower bound for existence; a condition for the existence of a general access structure DOT scheme; and a general access structure protocol implementing 1-out-of-n DOT.
References

[1] D. Beaver, J. Feigenbaum, J. Kilian, P. Rogaway, Locally Random Reductions: Improvements and Applications, Journal of Cryptology 10 (1), 1997, pp. 17-36.
[2] A. Beimel, Y. Ishai, T. Malkin, Reducing the Servers Computation in Private Information Retrieval: PIR with Preprocessing, CRYPTO 2000, LNCS 1880, 2000, pp. 55-73.
[3] M. Bellare, S. Micali, Non-interactive Oblivious Transfer and Applications, Advances in Cryptology: CRYPTO '89, Springer-Verlag, 1990, pp. 547-559.
[4] C. Blundo, P. D'Arco, A. De Santis, D. R. Stinson, New Results on Unconditionally Secure Distributed Oblivious Transfer, to appear in SAC 2002, 2002.
[5] G. Brassard, C. Crépeau, J.-M. Robert, All-or-Nothing Disclosure of Secrets, CRYPTO '86, LNCS 263, 1987, pp. 234-238.
[6] G. Brassard, C. Crépeau, M. Santha, Oblivious Transfer and Intersecting Codes, IEEE Trans. on Inf. Th., special issue on coding and complexity, Vol. 42, No. 6, 1996, pp. 1769-1780.
[7] B. Chor, O. Goldreich, E. Kushilevitz, M. Sudan, Private Information Retrieval, Proc. 36th IEEE Symposium on Foundations of Computer Science (FOCS), 1995, pp. 41-50.
[8] R. Cramer, Introduction to Secure Computation, Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999, pp. 16-62.
[9] R. Cramer, I. Damgård, U. Maurer, General Secure Multi-Party Computation from any Linear Secret Sharing Scheme, EUROCRYPT 2000, LNCS 1807, 2000, pp. 316-335.
[10] R. Cramer, S. Fehr, Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups, Proc. CRYPTO 2002, LNCS 2442, pp. 272-287.
[11] G. Di Crescenzo, Y. Ishai, R. Ostrovsky, Universal Service-Providers for Database Private Information Retrieval, Proc. 17th Annual ACM Symposium on Principles of Distributed Computing (PODC), 1998.
[12] P. D'Arco, D. R. Stinson, Generalized Zig-zag Functions and Oblivious Transfer Reductions, SAC 2001, LNCS 2259, 2001, pp. 87-103.
[13] Y. Dodis, S. Micali, Lower Bounds for Oblivious Transfer Reductions, EUROCRYPT '99, LNCS 1592, 1999, pp. 42-54.
[14] S. Fehr, U. Maurer, Linear VSS and Distributed Commitments Based on Secret Sharing and Pairwise Checks, Proc. CRYPTO 2002, LNCS 2442, pp. 565-580.
408
Ventzislav Nikov et al.
[15] S. Even, O. Goldreich, A. Lempel, A Randomized Protocol for Signing Contracts, Communications of the ACM 28, 1985, pp. 637-647.
[16] Y. Gertner, Y. Ishai, E. Kushilevitz, T. Malkin, Protecting Data Privacy in Private Information Retrieval Schemes, Proc. 30th Annual ACM Symposium on Theory of Computing (STOC), 1998, pp. 151-160.
[17] Y. Gertner, S. Goldwasser, T. Malkin, A Random Server Model for Private Information Retrieval or How to Achieve Information Theoretic PIR Avoiding Database Replication, RANDOM 1998, LNCS 1518, 1998, pp. 200-217.
[18] M. Karchmer, A. Wigderson, On Span Programs, Proc. 8th Annual Structure in Complexity Theory Conference, San Diego, California, 18-21 May 1993, IEEE Computer Society Press, pp. 102-111.
[19] M. Naor, B. Pinkas, R. Sumner, Privacy Preserving Auctions and Mechanism Design, ACM Conference on Electronic Commerce, 1999, available at http://www.wisdom.weizmann.ac.il/~naor/onpub.html.
[20] M. Naor, B. Pinkas, Distributed Oblivious Transfer, ASIACRYPT 2000, 2000, pp. 205-219.
[21] V. Nikov, S. Nikova, B. Preneel, J. Vandewalle, Applying General Access Structure to Proactive Secret Sharing Schemes, Proc. of the 23rd Symposium on Information Theory in the Benelux, May 29-31, 2002, Université Catholique de Louvain (UCL), Louvain-la-Neuve, Belgium, pp. 197-206; Cryptology ePrint Archive, Report 2002/141.
[22] M. Rabin, How to Exchange Secrets by Oblivious Transfer, Technical Memo TR81, Aiken Computation Laboratory, Harvard University, 1981.
[23] R. Rivest, Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Trusted Initializer, manuscript, available at http://theory.lcs.mit.edu/~rivest/publications.html.
[24] W. Tzeng, Efficient 1-out-of-n Oblivious Transfer Schemes, Proc. PKC 2002, LNCS 2274, 2002, pp. 159-171.
Non-perfect Secret Sharing over General Access Structures

K. Srinathan, N. Tharani Rajan, and C. Pandu Rangan
Department of Computer Science and Engineering, Indian Institute of Technology, Madras, Chennai-600036, INDIA
{ksrinath,tharani}@cs.iitm.ernet.in, [email protected]

Abstract. In a secret sharing protocol, a dealer shares the secret such that only the subsets of players in the (monotone) access structure can reconstruct the secret, while subsets of players that are not in the access structure cannot. The sharing is perfect if the players of any set not in the access structure have no information about the secret. Non-perfect secret sharing relaxes this requirement: the players of any set not in the access structure may have some information about the secret but cannot reconstruct it. All known schemes in the literature for non-perfect secret sharing are directed toward specific classes of access hierarchy such as threshold, ramp and multiple-level hierarchies. In this work, we initiate the study of a more general form of non-perfect secret sharing. We model the access hierarchy via a weighted lattice. We first give a necessary condition and a sufficient condition for the existence of a secret sharing scheme for any given weighted lattice (which defines the access hierarchy). Subsequently, we provide a framework for designing non-perfect secret sharing schemes using generalized monotone span programs (GenMSPs). We also show how to construct new non-perfect secret sharing schemes by composition of known GenMSPs, and design an exemplary secret sharing algorithm that is based on and illustrates the above framework.

Keywords: non-threshold secret sharing, non-perfect secret sharing.
1 Introduction
Secret sharing is an important and widely used primitive in cryptography. A secret sharing scheme satisfies the following two properties: (1) Availability: Any qualified subset of players can uniquely determine the secret from their shares. (2) Secrecy: Unqualified subsets of players cannot reconstruct the secret from their shares.
Financial support from Infosys Technologies Limited, India, is acknowledged. Partially supported by DRDO collaborative project on Communication and Networking Technologies.
A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 409–421, 2002. c Springer-Verlag Berlin Heidelberg 2002
410
K. Srinathan et al.
There exists a rich literature in this field. In essence, a variety of definitions for the availability and secrecy properties have been proposed that capture various different settings. These approaches can be classified according to a number of criteria. Some prominent ones are briefly discussed below.

– Adversarial computational power: Any unqualified set of players should not be able to reconstruct the secret; the players can be assumed to be computationally bounded (probabilistic polynomial time) [1] or unbounded. In the latter case, one can distinguish between perfect secret sharing [6, 19], wherein no information about the secret is revealed to unqualified subsets, and non-perfect secret sharing [7], in which some information about the secret may be leaked.
– Nature of faults: One may allow some non-trivial subset of the shares to be read/modified. In the case of passive faults, the shares can only be read and not written, whereas active (or Byzantine) faults model the scenario where some shares could even be modified maliciously. Tolerating active faults requires cheating prevention [20] and (in the case of a faulty dealer) verifiability [10, 5]. The literature also considers mobile faults, wherein different subsets of players could be faulty at different time instances [17, 11].
– Number of faults: The two well-known models capturing the number of faults are the threshold model [6, 19] and the access structure model [12, 4, 14]. In the threshold model, up to t out of the n players could be faulty. More generally, an access structure completely enumerates all the non-faulty subsets of the player set.
– Properties of the reconstruction procedure: The two major properties considered in the literature are anonymity and linearity. Anonymous secret sharing schemes [8] are such that the secret can be determined by the set of qualified shares without knowledge of the share-owners. In linear secret sharing schemes, the secret is a linear combination of the (qualified) shares [19, 12, 14]. Non-linear schemes have also been studied [9, 18, 3].

In this work, we focus on passive non-perfect secret sharing over general access structures as defined in the next subsection. One of the main advantages of non-perfectness is smaller share size, which is a major issue for any secret sharing scheme. Since an increase in the size of the shares drastically increases the communication complexity, it is important to reduce the size of the shares. However, for any perfect secret sharing scheme it is known that the size of a share must be at least as large as the secret: if |S| is the secret size and |V_i| the share size of participant P_i, then for any perfect scheme it holds that |V_i| ≥ |S| [13]. On the other hand, there exist non-perfect schemes with |V_i| < |S| [7].

1.1 General Non-Perfect Secret Sharing (NSS)

In this section, we formally describe the problem that is the main concern of this paper. Let D be the dealer and P = {P_1, P_2, ..., P_n} denote the set of n players among whom the dealer needs to share his secret s. We assume that s is uniformly distributed over a finite field S.¹

¹ We remark that our techniques easily generalize to any distribution known a priori.
The access hierarchy that defines the availability and secrecy requirements of secret sharing is modeled using a weighted lattice as follows. Consider the lattice formed by $2^{\mathcal{P}}$, the set of subsets of $\mathcal{P}$, with the relation "A is related to B if $A \supset B$". Each subset A of $\mathcal{P}$ is associated with an ordered pair of real weights $(w_l, w_u)_A$ such that $1 \ge w_l \ge w_u \ge 1/|S|$. We denote this association by a mapping $\Delta : 2^{\mathcal{P}} \to [1/|S|, 1] \times [1/|S|, 1]$. Intuitively, $w_l$ and $w_u$ represent the lower and upper bounds respectively on the amount of information about s held by the players in A. More precisely, the players in A should have information about s "equivalent" to pin-pointing a set K, $K \subseteq S$, $s \in K$, with $w_l|S| \ge |K| \ge w_u|S|$. See Definition 1 for formal details.

Definition 1 (NSS). A general non-perfect secret sharing scheme, where the secret is uniformly distributed over the finite field S, is a pair of algorithms (Share, Rec) such that the (local) outputs of Share (called shares) are the (local) inputs to Rec, satisfying the given access hierarchy $\Delta$; that is, for every subset $A \subseteq \mathcal{P}$ with $\Delta(A) = (w_l, w_u)$ it holds that
\[
\frac{1}{w_l|S|} \le \Pr(\text{Rec reconstructs } s \text{ from the shares of the players in } A) \le \frac{1}{w_u|S|}.
\]

Note that the NSS as defined above generalizes the known models of access hierarchies in the literature.² For example, a perfect access structure (as in [12]) is defined as follows: for any set A that belongs to the access structure, assign $\Delta(A) = (1/|S|, 1/|S|)$; for every set B that does not belong to the access structure, assign $\Delta(B) = (1, 1)$.³ Similarly, the (z, k, n)-ramp scheme⁴ can be modeled as follows:
\[
\Delta(A) =
\begin{cases}
\left(\dfrac{1}{|S|}, \dfrac{1}{|S|}\right) & \text{if } |A| \ge k, \\[6pt]
\left(\dfrac{1}{|S|^{1-\frac{k-|A|}{z}}}, \dfrac{1}{|S|^{1-\frac{k-|A|}{z}}}\right) & \text{if } (k-z) < |A| < k, \\[6pt]
(1, 1) & \text{if } |A| \le (k-z).
\end{cases}
\]
The z-level access hierarchy of [15] is a generalization of the ramp scheme and is modeled in our setting by constraining the weights $w_l = w_u$ to always be a power of $|S|^{1/z}$, where |S| is of the form $p^d$ for some prime p.

² All known schemes either consider $w_l = w_u$ or $w_l = 0$.
³ Note that in a perfect secret sharing scheme, any set not in the access structure can reconstruct the secret with probability $1/|S|$, while the sets in the access structure obtain the secret with certainty.
⁴ Recall that a (z, k, n)-ramp scheme satisfies the following conditions, where the secret s is divided into z parts, $s = (s_1 \circ s_2 \circ \dots \circ s_z)$, with $\circ$ denoting concatenation: (1) Any set of k or more players can find all z sub-secrets of s. (2) A set of k − z or fewer players has no information about s. (3) Any player set $A \subseteq \mathcal{P}$ with $(k-z) < |A| < k$ can have some information about the secret, but cannot find the secret completely. Formally, $H(S|A) = H(S)(k-|A|)/z$, where H(S) denotes the entropy of S. We assumed a uniform distribution on S, and hence $H(S|A) = \log_2|S| \cdot (k-|A|)/z$.
1.2 Our Contributions
This paper is concerned with generalized non-perfect secret sharing, which distributes a given secret amongst n players while satisfying a given access hierarchy. We consider only the passive case and assume that the shares cannot be modified by the players. All previous results in the literature address certain specific kinds of access hierarchy, like threshold [19, 6], access structures [12, 4], ramp [7] and non-perfect multiple-level hierarchy [15, 16]. We define a strictly more general secret sharing using a generalized access hierarchy. The significance of the model can be understood as follows. There exist subsets of players that need to be given full information about the secret, namely access sets. On the other hand, there are subsets of players that should be given no information about the secret, namely adversary sets. Moreover, in non-perfect schemes, there may be subsets of players to whom partial information about the secret can be given, namely partial sets. Intuitively, the partial sets can be viewed either as "relaxed" adversary sets or as "constrained" access sets. When viewed as relaxed adversary sets, for safety reasons it is natural to provide an upper bound, say $I_{max}$, on the amount of information about the secret that can be given. Analogously, when viewed as constrained access sets, for availability reasons it is natural to provide a lower bound, say $I_{min}$, on the amount of information about the secret that must be given. Note that $I_{max}$ and $I_{min}$ need not be the same and can differ.⁵ As a practical example, consider a company along with its employees and its trade secrets. For security reasons, the company cannot afford to leak more than a certain amount of information (say $I_{max}$) about its trade secrets to each of its employees (or subsets of employees, in the case of business committees). Analogously, for productivity reasons, it is mandatory that each subset of employees (committee) knows some partial information (say $I_{min}$) about the trade secrets, though different committees may need to be given different amounts of secret information. However, note that $I_{max}$ need not be equal to $I_{min}$. Thus, the company's trade secrets have to be non-perfectly secret shared (as modeled in this work, see Definition 1) among its employees.

⁵ To the best of our knowledge, this is the first paper wherein the lower and the upper bounds have been considered explicitly.

The contributions of this paper are multi-fold. First, we introduce the notion of general access hierarchies into the field of secret sharing, and we study which access hierarchies permit the existence of secret sharing schemes. Next, we define generalized monotone span programs (GenMSPs) and show how they can be used to realize NSS. Furthermore, we propose a framework for constructing new NSS schemes by using the concept of virtual shares in known GenMSPs. In particular, we illustrate the framework by describing an NSS scheme where the known GenMSP is fixed to be the (n − 1, n, n)-ramp scheme. Interestingly, we show that this generalizes the results of [4].
2 On the Existence of Secret Sharing Schemes
In this section, we give a necessary condition and a sufficient condition (on $\Delta$) for the existence of NSS schemes. Let $\mathcal{P} = \{P_1, P_2, \dots, P_n\}$ be the set of n players and let S denote the secret domain.

Definition 2 (Monotone $\Delta$). An access hierarchy represented by the function $\Delta : 2^{\mathcal{P}} \to [1/|S|, 1] \times [1/|S|, 1]$ is said to be monotone iff for any set $A \subseteq \mathcal{P}$, $\beta_A \le \alpha_B$ for all $B \subset A$, where $\Delta(X) = (\alpha_X, \beta_X)$ for X = A or B.

Theorem 1. A non-perfect secret sharing scheme satisfying the given access hierarchy $\Delta$ exists only if $\Delta$ is monotone. Furthermore, if in addition to $\Delta$ being monotone an integral multiple of $1/|S|$ exists between (and including) $\alpha_A$ and $\beta_A$ for each $A \subset \mathcal{P}$, then an NSS scheme exists. We conjecture that this condition is also necessary for the existence of an NSS scheme.

Proof: Necessity: Suppose on the contrary that an NSS scheme exists even though $\Delta$ is not monotone. Then consider sets A and B such that $B \subset A$ but $\beta_A > \alpha_B$. However, we know from the definition that
\[
\frac{1}{\alpha_B|S|} \le \Pr(B \text{ gets } s) \le \Pr(A \text{ gets } s) \le \frac{1}{\beta_A|S|},
\]
which is a contradiction. Sufficiency: Suppose that for each $A \subset \mathcal{P}$ there exists an integer $k_A$ such that $\beta_A \le k_A/|S| \le \alpha_A$. Then an NSS scheme for such an access hierarchy can be designed as follows: to the players in the set A, perfectly share, using an (|A|, |A|)-threshold scheme, a secret $s' \in 2^S$ such that s' represents a set $S' \subset S$ with $s \in S'$ and $|S'| = k_A$. Notice that the end result is an NSS corresponding to the given $\Delta$.

Hereafter, we assume that |S| is an exact power of 2. To facilitate the design of NSS schemes, we also make the natural simplification that for any set $A \subset \mathcal{P}$ the weights $\alpha_A$ and $\beta_A$ satisfy $\beta_A \le 1/2^j \le \alpha_A$ for some integer j. This is in line with the intuition that j bits out of the $\log|S|$ bits of the secret are being leaked.
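As an added illustration (my code, not the paper's), the following Python writes out the ramp access hierarchy of Section 1.1 as an explicit Δ table and applies the two conditions of Theorem 1 to it: Definition 2's monotonicity test and the "integral multiple of 1/|S| between β_A and α_A" test. A constructed two-player hierarchy that violates monotonicity is included as a counter-example. The function names (ramp_delta, is_monotone, admits_nss, non_monotone_example) and the small parameters are my choices; weights are exact Fractions so the comparisons are not spoiled by rounding.

```python
import math
from fractions import Fraction
from itertools import combinations

# Added example (not from the paper): the (z, k, n)-ramp hierarchy of
# Section 1.1 as a Delta table, plus the two checks of Theorem 1.


def ramp_delta(z, k, n, secret_size):
    """Delta(A) = (w_l, w_u) for every subset A of players 0..n-1 under a
    (z, k, n)-ramp scheme.  Assumes |S| is an exact z-th power, so that
    1/|S|^(1 - (k-|A|)/z) = root^(k-|A|) / |S| with root = |S|^(1/z)."""
    root = round(secret_size ** (1.0 / z))
    if root ** z != secret_size:
        raise ValueError("secret domain size must be a z-th power")
    delta = {}
    for r in range(n + 1):
        for A in combinations(range(n), r):
            if r >= k:
                w = Fraction(1, secret_size)                # full information
            elif r > k - z:
                w = Fraction(root ** (k - r), secret_size)  # k-r parts still unknown
            else:
                w = Fraction(1)                             # no information
            delta[frozenset(A)] = (w, w)
    return delta


def is_monotone(delta):
    """Definition 2: for every A and every B strictly inside A, beta_A <= alpha_B."""
    for A, (alpha_A, beta_A) in delta.items():
        for B, (alpha_B, beta_B) in delta.items():
            if B < A and beta_A > alpha_B:
                return False
    return True


def admits_nss(delta, secret_size):
    """Sufficient condition of Theorem 1: Delta is monotone and, for every A,
    some integral multiple of 1/|S| lies in the closed interval [beta_A, alpha_A]."""
    if not is_monotone(delta):
        return False
    for alpha, beta in delta.values():
        k_A = math.ceil(beta * secret_size)   # smallest k with k/|S| >= beta
        if Fraction(k_A, secret_size) > alpha:
            return False
    return True


def non_monotone_example(secret_size):
    """Constructed counter-example with two players: player 0 alone gets the
    secret, but the pair {0, 1} is required to learn nothing."""
    full, none = Fraction(1, secret_size), Fraction(1)
    return {
        frozenset(): (none, none),
        frozenset({0}): (full, full),
        frozenset({1}): (none, none),
        frozenset({0, 1}): (none, none),   # beta = 1 > alpha of its subset {0}
    }


if __name__ == "__main__":
    d = ramp_delta(2, 3, 4, 16)            # z = 2, k = 3, n = 4, |S| = 16
    for A in sorted(d, key=lambda s: (len(s), sorted(s))):
        print(sorted(A), d[A])
    print("ramp monotone:", is_monotone(d), "admits NSS:", admits_nss(d, 16))
    print("counter-example monotone:", is_monotone(non_monotone_example(16)))
```

With z = 2, k = 3 and |S| = 16 the table gives (1, 1) to singletons, (1/4, 1/4) to pairs and (1/16, 1/16) to any three or more players, exactly the three cases of the ramp formula; every weight is a multiple of 1/16, so the sufficient condition holds.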
3 Generalized Monotone Span Programs (GenMSP)
We begin with an overview of monotone span programs (MSPs) [14].

Definition 3 (Span). Let M be a matrix over a field F. The span of the matrix M, denoted by span(M), is the linear subspace generated by the rows of M, that is, the set of vectors which are linear combinations of the rows of M.

Definition 4 (MSP). A Monotone Span Program is defined as a triple $(F, M, \psi)$ where F is a finite field, M is a $d \times e$ matrix over F, and $\psi : \{1, \dots, d\} \to \{P_1, \dots, P_n\}$ is a labeling function assigning each row of the matrix a label from the player set $\mathcal{P} = \{P_1, P_2, \dots, P_n\}$. For any subset A of the player set $\mathcal{P}$ ($A \subset \mathcal{P}$), $M_A$ denotes the matrix that consists of all rows of M labeled by players from A. A fixed non-zero vector $t \in F^e$ is designated as the target vector. An MSP is said to accept (or reject) the input A if the target vector t belongs (or does not belong, respectively) to $\mathrm{span}(M_A)$. An MSP is said to correspond to the structure $\mathcal{A}$ if it accepts exactly the sets in $\mathcal{A}$ and rejects exactly its complement. The size of an MSP is the number of rows d in its matrix M.

It was shown [14, 2] that an access structure $\mathcal{A}$ can be realized by a linear perfect secret sharing scheme over F in which the shares include a total of d field elements if and only if there exists a monotone span program over F of size d that corresponds to $\mathcal{A}$. Motivated by this observation, we define GenMSPs that are similarly related to NSS.

Definition 5 (GenMSP). A Generalized Monotone Span Program is defined as a six-tuple $(F, M, \psi, z, \tau_z, C_z)$ where F is a finite field, M is a $d \times e$ matrix over F, $\psi : \{1, \dots, d\} \to \{P_1, \dots, P_n\}$ is a labeling function assigning each row of the matrix a label from the player set $\mathcal{P} = \{P_1, P_2, \dots, P_n\}$, $z < e$ is an integer, $\tau_z : [1/|S|, 1] \times [1/|S|, 1] \to 2^{2^{F^e}}$ is a fixed target function,⁶ given z, from the weights $(w_l, w_u)$ to a set of sets of non-zero vectors from $F^e$, and $C_z \subset 2^{F^e}$ is a set of critical non-zero target vectors for the given z. For any subset A of the player set $\mathcal{P}$, $M_A$ denotes the matrix that consists of all rows of M labeled by players from A. A GenMSP is said to accept the input A with weights $(\alpha, \beta)$ if there exists a $T \in \tau_z(\alpha, \beta)$ such that every target vector $t \in T$ belongs to $\mathrm{span}(M_A)$ while no vector in $C_z \setminus T$ belongs to $\mathrm{span}(M_A)$. A GenMSP is said to correspond to the access hierarchy $\Delta$ if it accepts every $A \subset \mathcal{P}$ with weights $\Delta(A)$. The size of a GenMSP is the number of rows d in its matrix M.

Note that a GenMSP simulates an MSP when z = 1, $\tau_1$ is the constant function to $\{\{t\}\}$, and $C_1 = \{t\}$, where t is the target vector. In the next section, we describe how a GenMSP can be used to realize an NSS for a given access hierarchy $\Delta$.
4 Relationship between GenMSP and NSS
We now show how a GenMSP $(F, M_{d \times e}, \psi, z, \tau_z, C_z)$ corresponding to the access hierarchy $\Delta$ can be used in secret sharing. Let the secret domain be S with $|S| = 2^{qz}$ for some integer q. Define the set $C_z$ to be the set of all vectors of length e whose last (e − z) entries are zero and whose first z entries are each 0 or 1. To distribute the secret s, the dealer first splits s into z (equal) parts such that $s = (s_1 \circ s_2 \circ \dots \circ s_z)$, where $\circ$ denotes concatenation and $s_i \in F = \{0, 1, \dots, 2^q - 1\}$, $1 \le i \le z$. The target function $\tau_z(\alpha, \beta)$ is defined as follows: first, find a j such that $\beta \le 1/2^{jq} \le \alpha$.⁷ Then $\tau_z(\alpha, \beta)$ is the set of all target matrices⁸ satisfying the property that all entries in the matrix are 0 or 1 and all the 1's lie in some j columns among the first z columns of the matrix. The dealer chooses a random vector of the form $v = (s_1, s_2, \dots, s_z, \rho_1, \rho_2, \dots, \rho_{e-z})$. For each row i, the dealer sends to the player $\psi(i)$ the share $\langle M_i, v^T \rangle$, where $M_i$ ($1 \times e$) denotes the i-th row of $M_{d \times e}$. Reconstruction of s by any $X \subset \mathcal{P}$ with $\Delta(X) = (1/|S|, 1/|S|)$ follows from the properties of the GenMSP, since there exist recombination vectors $\lambda_X^{(i)}$ such that $\langle \lambda_X^{(i)}, S_X \rangle = s_i$, $1 \le i \le z$, where $S_X$ denotes the vector of shares of the players in X. Similarly, the choice of the target function assures that for any $A \subset \mathcal{P}$ with $\Delta(A) = (\alpha, \beta)$,
\[
\frac{1}{\alpha|S|} \le \Pr(\text{reconstruction of } s \text{ from the shares of the players in } A) \le \frac{1}{\beta|S|}.
\]

⁶ We will see in the sequel that the exponential size of the range is only to simplify the definition and does not hinder the design of NSS schemes that are polynomial in the size of the access hierarchy in both computational and share complexities.
⁷ This is possible since both j and q are variables and, by assumption, there exists an integer k such that $\beta \le 1/2^k \le \alpha$.

The reason why the above scheme works is that for a given set A that allows j out of the z $s_i$'s to be leaked, we make sure that, from the shares of the players in A, at most j vectors with exactly one 1 entry within the first z columns belong to $\mathrm{span}(M_A)$. Thus, reconstruction of more than j of the $s_i$'s is not possible. Ideally, we would like to construct the smallest GenMSP corresponding to the given access hierarchy. However, this is a very hard problem. In the next section, we present a framework using which new GenMSPs (for new access hierarchies) can be constructed from known GenMSPs (and their corresponding access hierarchies). Thus, from known schemes like threshold, ramp and multi-level hierarchy schemes, it is possible to construct NSS schemes for any access hierarchy.
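As an added worked example (my code, not the paper's), here is the dealer and reconstruction step of Section 4 for one concrete GenMSP: the (k − 1, k, k)-ramp scheme with z = k − 1 secret parts over F = GF(2^q). The matrix M assumed here is the standard ramp layout (row i < k is e_i + e_k, row k is e_k), not something the paper specifies; since its entries are 0/1, each share ⟨M_i, v⟩ is just a XOR of coordinates of v = (s_1, ..., s_z, ρ), so no field multiplication is needed. The full player set reconstructs with the recombination vectors λ^(i) = e_i + e_k, and a brute-force count of the candidate set K for every player subset is compared against the ramp entropy bound of footnote 4, |K| = |F|^(k−|A|). Function names and the small parameters (q = 2, z = 2) are my choices.

```python
import itertools
import secrets

# Added example (not from the paper): the (k-1, k, k)-ramp scheme as the
# linear sharing of Section 4 with z = k-1 parts over F = GF(2^q).


def ramp_msp(k):
    """k x k 0/1 matrix (assumed layout): row i < k is e_i + e_k, row k is e_k."""
    rows = []
    for i in range(k - 1):
        row = [0] * k
        row[i] = 1
        row[k - 1] = 1
        rows.append(row)
    rows.append([0] * (k - 1) + [1])
    return rows


def inner(row, v):
    """<row, v> over GF(2^q) for a 0/1 row: XOR of the selected entries of v."""
    acc = 0
    for m, x in zip(row, v):
        if m:
            acc ^= x
    return acc


def share(parts, q, rho=None):
    """Dealer step: v = (s_1..s_z, rho); share i = <M_i, v>.  Each part and
    rho is an element of F = {0, ..., 2^q - 1}."""
    if rho is None:
        rho = secrets.randbelow(1 << q)    # fresh randomness for a real run
    v = list(parts) + [rho]
    return [inner(row, v) for row in ramp_msp(len(parts) + 1)]


def reconstruct(shares):
    """Full set: recombination vector lambda^(i) = e_i + e_k yields s_i."""
    k = len(shares)
    return [shares[i] ^ shares[k - 1] for i in range(k - 1)]


def candidate_secrets(shares, A, q, z):
    """The set K of secrets (tuples of z parts) consistent with the shares held
    by the players in A, found by brute force over every (secret, rho) pair."""
    field = range(1 << q)
    K = set()
    for parts in itertools.product(field, repeat=z):
        for rho in field:
            trial = share(parts, q, rho)
            if all(trial[i] == shares[i] for i in A):
                K.add(parts)
    return K


def leakage_profile(q, z, parts):
    """For every player subset A: (|K| observed, |K| predicted).  The ramp
    prediction is |F|^(k-|A|) for non-empty A and |S| = |F|^z for A empty,
    i.e. the bound H(S|A) = H(S)(k-|A|)/z of the paper's footnote 4."""
    k = z + 1
    F = 1 << q
    shares = share(parts, q)
    profile = {}
    for r in range(k + 1):
        for A in itertools.combinations(range(k), r):
            observed = len(candidate_secrets(shares, A, q, z))
            predicted = F ** (k - r) if r else F ** z
            profile[A] = (observed, predicted)
    return profile


if __name__ == "__main__":
    q, z = 2, 2                       # |F| = 4, |S| = 16, k = 3 players
    sh = share([1, 2], q)
    print("shares:", sh, "reconstructed:", reconstruct(sh))
    for A, (seen, pred) in leakage_profile(q, z, (1, 2)).items():
        print("players", A, "candidates", seen, "predicted", pred)
```

Running the profile shows the three regimes of Δ at once: any single player (k − z = 1) still has all 16 secrets open, any pair is left with exactly |F| = 4 candidates (one part's worth of information leaked), and the full set pins the secret down to one candidate.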
5 A Framework for the Construction of NSS Schemes
Our framework is based on the concept of virtual⁹ shares and composition of GenMSPs. In other words, the secret is recursively shared by known GenMSPs in such a manner that the end result is a sharing according to a new GenMSP corresponding to a new and tougher access hierarchy. We begin by defining the key ingredient of the framework, viz., the GenMSPTree.

⁸ By a target matrix, we mean a set of target vectors (the rows of the matrix).
⁹ A share is virtual if it is not stored in any player's local memory but is reconstructable by a non-trivial set of players.

Definition 6 (GenMSPTree). Given a player set $\mathcal{P}$ and an access hierarchy $\Delta$, a generalized monotone span program tree $\mathrm{GenMSPTree}(\mathcal{P}, \Delta)$ is a tree with the following properties:
1. Each node w is associated with an access hierarchy $\Delta_w$, a generalized monotone span program $\mathcal{M}_w$, and a share $s_w$.
2. The root is associated with $\Delta$, $\mathcal{M}_{root}$ and the secret s.
3. w is a leaf node if $\Delta_w$ is such that there exists a player $P_y$ such that for all $A \subset \mathcal{P}$ with $P_y \in A$ it holds that $\Delta_w(A) = (1/|S|, 1/|S|)$. In this case, the leaf w is associated with the player $P_y$ and the share $s_w$ is given to $P_y$.
4. For every non-root node w, $\Delta_w$, $\mathcal{M}_w = (F_w, M_w^{d_w \times e_w}, \psi_w, z_w, \tau_{z_w}, C_{z_w})$ and $s_w$ are related as follows:
   – $\mathcal{M}_w$ is a GenMSP that corresponds to $\Delta_w$.
   – $s_w$ is an element of the field $F_{parent(w)}$. Furthermore, $s_w$ is the share that w would receive if $s_{parent(w)}$ were shared as per $\mathcal{M}_{parent(w)}$.
   – The node w has $d_w$ children. Note that $d_{leaf}$ can be made 1 without violating the definition of a leaf node.
5. For any set $A \subset \mathcal{P}$ with $\Delta(A) = (\alpha_A, \beta_A)$, let $\{\ell_1, \ell_2, \dots, \ell_N\}$ be the corresponding leaf nodes in the tree (those associated with the players in A). The following holds for any such A: knowledge of the shares $s_{\ell_1}, s_{\ell_2}, \dots, s_{\ell_N}$ implies
\[
\frac{1}{\alpha_A|S|} \le \Pr(s \text{ can be reconstructed}) \le \frac{1}{\beta_A|S|}.
\]
It is clear that given a GenMSPTree for an access hierarchy $\Delta$, the corresponding NSS scheme is easily constructed as follows: first share the secret s using $\mathcal{M}_{root}$. At the next level, if there is a leaf node, give the share to its player. For every other (internal) node w, treat its (virtual) share as a secret that needs to be shared as per the access hierarchy $\Delta_w$ using $\mathcal{M}_w$, and so on. Eventually, the resultant shares obtained by the players will be those of a valid NSS scheme for $\Delta$. However, to make the above definition more useful for actual design, we need to answer the following question. Let a secret s be shared using a GenMSP, leading to k shares $s_1, s_2, \dots, s_k$. Suppose an adversary has $I_1$ information about the share $s_1$, $I_2$ information about the share $s_2$, ..., and $I_k$ information about the share $s_k$; then, in the worst case, what is the maximum information about the secret s available to the adversary? This is the subject of our next theorem.

Theorem 2. Let a secret s be shared using a GenMSP, leading to k shares $s_1, s_2, \dots, s_k$. Let the probability that one would know s after knowing any k − 1 of the above k shares be at most $1/(q|S|)$. Then, if an adversary knows the share $s_i$ with probability at most $1/(p_i|F|)$, the probability that the adversary knows s is at most
\[
\frac{1}{q\left(\prod_{j=1}^{k} p_j\right)|S|}.
\]

Proof: Consider the space $F^k$. Every point in this space denotes a set of k shares. Let the probability that one would know s after knowing all k shares be at most $1/(r|S|)$. This means that every point in $F^k$ is associated with at least r|S| secrets. Furthermore, fixing some k − 1 shares, we have |F| points in $F^k$ such that together they are associated with at least q|S| secrets, and there are $|F|^{k-1}$ such clusters in $F^k$. Thus, in the very extreme case, a secret can be associated with not more than $r|F|^k/q$ points in $F^k$. However, since we have partial information about the shares, the working set is not of size $|F|^k$ but of size $\left(\prod_{j=1}^{k} p_j\right)|F|^k$. Thus, the number of secrets that are still in the reckoning is at least
\[
\frac{r|S|\left(\prod_{j=1}^{k} p_j\right)|F|^k}{r|F|^k/q},
\]
which simplifies to $q|S|\left(\prod_{j=1}^{k} p_j\right)$. Therefore the probability that the adversary knows s is at most
\[
\frac{1}{q\left(\prod_{j=1}^{k} p_j\right)|S|}.
\]
Now we are in a position to understand how to construct the required GenMSPTree for $\Delta$. First, using a known GenMSPTree as $\mathcal{M}_{root}$, share the secret s. Assign the $\Delta_i$'s in the first level such that for any set $A \subset \mathcal{P}$, the probability that its players can get the secret lies between $1/(\alpha|S|)$ and $1/(\beta|S|)$, where $\Delta(A) = (\alpha, \beta)$. For this, we can use Theorem 2: the set A should be assigned weights in each of the nodes at the first level such that the required probability constraint is satisfied. Note that the share domain may be different from S; in fact it is usually much smaller. After this step, recursively build the GenMSPTree by constructing the sub-GenMSPTrees for each $\Delta_i$ in the first level. The choice of $\mathcal{M}_{root}$ (at each recursion step) is a crucial one: it dictates the communication complexity of the system as well as whether the recursion actually terminates! In the next section, we use some well-known GenMSPTrees as $\mathcal{M}_{root}$ and show how to build an NSS scheme based on the above framework. However, since there is a very large degree of freedom, using more prudent $\mathcal{M}_{root}$'s would certainly be more beneficial.
6 A Concrete Implementation
We recall that in perfect secret sharing, any access structure $\mathcal{A}$ can be naturally and uniquely identified with its characteristic Boolean function $f_{\mathcal{A}} : \{0,1\}^n \to \{0,1\}$. Furthermore, it was shown [4] that any monotone Boolean circuit (with AND and OR gates) can be converted into a perfect secret sharing scheme for $\mathcal{A}$ in a straightforward manner. Thus, the tools developed for simplifying monotone Boolean circuits can be applied to optimizing secret sharing as well. In this section, we proceed in an analogous manner. As a first step, we associate every access hierarchy $\Delta$ with a function $g_\Delta : \{0,1\}^n \to [1/|S|, 1] \times [1/|S|, 1]$, where $g_\Delta(A) = \Delta(A)$. We now consider circuits with the following gates: AND, OR, and GenAND, defined as follows. AND is defined only on certain specific inputs, viz., each input must be either 1 or $1/|F|$, where F is the share-domain field:
\[
\mathrm{AND}(x_1, x_2, \dots, x_k) =
\begin{cases}
1 & \text{if } \exists j,\ x_j = 1 \text{ and } \forall j,\ x_j = 1 \text{ or } 1/|F|, \\
1/|F| & \text{if } \forall j,\ x_j = 1/|F|, \\
\text{undefined} & \text{otherwise.}
\end{cases}
\]
Next, OR is defined as follows:
\[
\mathrm{OR}(x_1, x_2, \dots, x_k) =
\begin{cases}
1 & \text{if } \forall j,\ x_j = 1, \\
1/|F| & \text{otherwise.}
\end{cases}
\]
We define GenAND as follows:
\[
\mathrm{GenAND}(x_1, x_2, \dots, x_k) = \prod_{j=1}^{k} x_j.
\]
Let C be a circuit made-up of the above three types of gates, and each input wire in C is associated with a player. We say that C computes a function g∆ if for every subset A ⊂ P the following holds: assign the value 1 to the input wires whose associated players are not in A and the value |F1 | otherwise. If X is the output of C, then it should hold that β ≤ X ≤ α, where g∆ (A) = (α, β). Interestingly, we show that (see Theorem 3) any circuit C that computes g∆ can be used in a straight-forward manner to construct a non-perfect secret sharing scheme corresponding to the access hierarchy ∆. Furthermore, we show that (see Theorem 4) for every10 function g∆ there exists a circuit C that uses only AND, OR, and GenAND gates, and computes g∆ . Thus we have a deterministic procedure to construct NSS schemes for the given access hierarchy ∆. It will be clear that we need to use the best11 circuit C that computes g∆ . Theorem 3. Let C be a circuit that computes g∆ . Assume that the gates of C are the nodes of a GenMSPTree TC with the following local GenMSPs: if the gate is an AND, then the GenMSP of the corresponding node in TC is a (k, k)perfect threshold scheme, where k is the fan-in. Else if the gate is a OR, then the GenMSP of the corresponding node in TC is the scheme: give the secret to all k children. Finally, if the gate is a GenAND, then the GenMSP of the corresponding node in TC is a (k − 1, k, k)-ramp scheme. Then, the GenMSPTree TC is a NSS scheme for the access hierarchy ∆. Proof: To prove the theorem, it is sufficient to show for each of the three gates that the amount of information of the secret shared through the gate (or GenMSPTree node) is nothing but the gate function applied on the information about the shares. In the sequel, we do precisely that. First, consider the AND gate (or the (k, k)-perfect threshold node). Suppose we have partial information about k shares, viz. s1 , s2 , . . . , sk of a (k, k)-perfect threshold scheme. 
As earlier, the partialness of information is captured as follows: for each si , there is a subset Si ⊂ F such that si ∈ Si and |Si | = κi |F |. Clearly, since the AND gate is defined only when κi = 1 or |F1 | , which means that either full or no information about the shares is available, it simulates a perfect sharing. Moreover, full information about the secret is known iff full information about all the shares are known. Also, even when one share is unknown, the secret is unknown. Thus it is evident that applying the AND gate to the (all-or-nothing) inputs gives as the result whether the secret (of the immediate higher wire) is known or not. Next, consider the OR gate. The GenMSPTree equivalent for this gate is that the secret is given to all the children. Thus, the only case where we can be sure that the secret is unknown is when all the shares are unknown. In all the other cases, we are better-off assuming that the full information about the secret has 10
11
We continue to assume that the access hierarchy ∆ is such that for any set A ⊂ P, with ∆(A) = (αA , βA ), the weights αA and βA are such that for some integer j, βA ≤ 21j ≤ αA . By best, we mean the circuit with the least number of input wires.
Non-perfect Secret Sharing over General Access Structures
419
been revealed (by the, possibly partial, knowledge of the shares). This is exactly what the OR gate computes. Now for the GenAND gate. What is to be shown is that the product of the κi ’s of each of the shares is indeed the information about the secret revealed by the (partial) shares under the (k − 1, k, k)-ramp scheme. This we prove as follows: consider the space F k . Each point in this space represents a set of k shares. Since we know that in the (k − 1, k, k)-ramp scheme, any set of k shares should be able to recover the secret with certainty, it is clear that each point in F k is associated with exactly one point in the secret domain S. Another known fact about the (k − 1, k, k)-ramp scheme is that |S| = |F |k−1 . In the (k − 1, k, k)ramp scheme, there is place for only one random field element, once the secret is fixed. Therefore, for every secret, there cannot be more than |F | possible points in F k . Thus, every secret is associated with at most F points in F k . Now, after knowing that the shares si ∈ Si , where |Si | = κi |F |, the working space reduces k from F k to ( j=1 κj )F k . Hence, the number of secrets that are still possible is k ( κj )F k j=1 which is nothing but ( kj=1 κj )|S|. Therefore, the product at least |F | of the κi ’s is indeed a conservative limit on the information about the secret that is revealed by the partial shares. Thus, when the circuit C is computed on the input A, the output is a (conservative) measure of the information about the secret revealed to the players in A. Since by definition the output lies between αA and βA , it is clear that the resulting GenMSPTree obtained from C is indeed a NSS scheme for ∆.
Note that this generalizes the construction of [4], which uses only the first two types of gates and helps design only perfect secret sharing schemes.

Theorem 4. For any given function g_∆, there is a circuit C that uses only AND, OR and GenAND gates and computes g_∆.

Proof: As a first step, we observe that the AND and OR gates are basically the same as the ones used in Boolean circuits. This is so because by 1 as input we mean no information (like 0 in the Boolean case) and by 1/|F| as input we mean full information (like 1 in the Boolean case). Thus, using our AND and OR gates it is possible to simulate any Boolean function. Hence every function of the form h : {0, 1}^n → {1, 1/|F|} has a circuit using just AND and OR gates. We now build the circuit to compute any function g_∆ as follows. For each A ⊂ P, with ∆(A) = (α_A, β_A), we know that the weights α_A and β_A are such that for some integer j, β_A ≤ 1/2^j ≤ α_A. Now, using a field such that |F| is an exact power of 2, we can represent 1/2^j as 1/|F|^{x_A} for some integer x_A, since we know 1/|F|^k ≤ 1/2^j ≤ 1. Now construct the first level of the circuit with a GenAND gate of fan-in k and fan-out 1. We require that for each A the output of the GenAND gate be 1/|F|^{x_A}. This is easily achieved by having any x_A of the k inputs equal to 1/|F| while the rest take the value 1. Clearly, it is sufficient even if every input to the GenAND gate is either 1 or 1/|F|. This implies that we can have a set of k functions of the form f_i : {0, 1} → {1, 1/|F|} for 1 ≤ i ≤ k to feed inputs to the GenAND gate. Since each of these functions is implementable using AND and OR gates, we are through. We remark that the above construction of the circuit C is just for the sake of proving possibility and most probably will not be the best C to use to design NSS schemes.
7 Conclusion
We have considered the problem of non-perfect secret sharing (NSS) over general access structures, defined a more general notion of access hierarchies and studied their tolerability properties. Analogously to the results in perfect secret sharing, we defined generalized monotone span programs (GenMSPs) to facilitate the design of NSS schemes. However, GenMSPs capture and address only NSS schemes that are linear. It may be the case that non-linear schemes substantially outperform linear ones [3]. It is an interesting open problem to design non-linear schemes that offer non-perfect secrecy and are more efficient (if not optimal) than their linear counterparts. On the other hand, designing optimal linear schemes is itself a very hard problem, and hence a good approximation algorithm to construct optimal GenMSPs (or even MSPs for that matter) can have considerable impact.
References
[1] P. Beguin and A. Cresti. General short computational secret sharing schemes. In Proceedings of EUROCRYPT'95, volume 921 of LNCS, pages 194–208. Springer-Verlag, 1995.
[2] A. Beimel. Secure Schemes for Secret Sharing and Key Distribution. PhD thesis, Department of Computer Science, Technion-Israel Institute of Technology, 1996.
[3] A. Beimel and Y. Ishai. On the power of nonlinear secret sharing. In Proceedings of the 16th Annual IEEE Structure in Complexity Theory, pages 188–202, 2001.
[4] J. Benaloh and J. Leichter. Generalized secret sharing and monotone functions. In Proceedings of CRYPTO'88, volume 403 of LNCS, pages 27–35. Springer-Verlag, 1988.
[5] J. C. Benaloh. Secret sharing homomorphisms: Keeping shares of a secret secret. In Proceedings of CRYPTO'86, volume 263 of LNCS, pages 251–260. Springer-Verlag, 1986.
[6] G. R. Blakley. Safeguarding cryptographic keys. In Proceedings of AFIPS 1979 National Computer Conference, pages 313–317. AFIPS, 1979.
[7] G. R. Blakley and C. Meadows. Security of ramp schemes. In Proceedings of CRYPTO'84, volume 196 of LNCS, pages 242–268. Springer-Verlag, 1984.
[8] C. Blundo and D. R. Stinson. Anonymous secret sharing schemes. Discrete Applied Mathematics, 77:13–28, 1997.
[9] E. F. Brickell and D. M. Davenport. On the classification of ideal secret sharing schemes. Journal of Cryptology, pages 123–134, 1991.
[10] B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch. Verifiable secret sharing and achieving simultaneity in the presence of faults. In 26th IEEE FOCS, pages 383–395, 1985.
[11] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung. Proactive secret sharing, or: How to cope with perpetual leakage. In Proceedings of CRYPTO'95, volume 963 of LNCS, pages 339–352. Springer-Verlag, 1995.
[12] M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. In Proc. of IEEE Globecom'87, pages 99–102, 1987.
[13] E. D. Karnin, J. W. Greene, and M. E. Hellman. On secret sharing systems. IEEE Transactions on Information Theory, IT-29, pages 35–41, 1982.
[14] M. Karchmer and A. Wigderson. On span programs. In Proceedings of the 8th IEEE Structure in Complexity Theory, pages 102–111, 1993.
[15] K. Kurosawa, K. Okada, K. Sakano, W. Ogata, and S. Tsujii. Nonperfect secret sharing schemes and matroids. In Proceedings of EUROCRYPT'93, volume 765 of LNCS, pages 126–141. Springer-Verlag, 1993.
[16] W. Ogata and K. Kurosawa. Some basic properties of general nonperfect secret sharing schemes. Journal of Universal Computer Science, 4(8):690–704, 1998.
[17] R. Ostrovsky and M. Yung. How to withstand mobile virus attacks. In Proceedings of the 10th ACM PODC, pages 51–59, 1991.
[18] A. Renvall and C. Ding. A nonlinear secret sharing scheme. In ACISP'96, volume 1172 of LNCS, pages 56–66, 1996.
[19] A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, 1979.
[20] M. Tompa and H. Woll. How to share a secret with cheaters. In Proceedings of CRYPTO'86, volume 263 of LNCS, pages 261–265, 1987.
On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure
Ventzislav Nikov (1), Svetla Nikova (2, *), Bart Preneel (2), and Joos Vandewalle (2)
(1) Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, the Netherlands, [email protected]
(2) Department Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee-Leuven, Belgium, {svetla.nikova,bart.preneel,joos.vandewalle}@esat.kuleuven.ac.be
Abstract. A Key Distribution Center of a network is a server enabling private communications within groups of users. A Distributed Key Distribution Center is a set of servers that jointly realizes a Key Distribution Center. In this paper we build a robust Distributed Key Distribution Center Scheme secure against an active and mobile adversary. We consider a general access structure for the set of servers and for the adversary access structure. We also revise the unconditionally secure Verifiable Secret Sharing Schemes from [11, 10, 19, 22], proposing a modified version which is proactively secure.
1 Introduction
A new approach to key distribution was introduced by Naor et al. in [18]. A Distributed Key Distribution Center (DKDC) is a set of n servers of a network that jointly realize the function of a Key Distribution Center. A user who needs to participate in a conference sends a key-request to a subset of his own choosing of the n servers, and the contacted servers answer with some information enabling the user to compute the conference key. In such a model, a single server by itself does not know the secret keys, since they are shared between the n servers. In subsequent papers [3, 4, 8] the notion of the DKDC has been studied from an information-theoretic point of view. Recently, in [11, 10] a robust verifiable DKDC based on unconditionally secure proactive threshold VSS was proposed. In [18] Naor et al. gave some specific proposals both in the unconditional and in the computational security framework. Their computationally secure scheme is based on the Decisional Diffie-Hellman Assumption. Recently, in [9] Naor's computational security model was modified and a scheme based on the ElGamal cryptosystem was proposed.

Verifiable secret sharing schemes (VSSs) are secret sharing schemes (SSSs) dealing with possible cheating by the participants. The concept of proactive security was introduced by Ostrovsky and Yung in [20] and applied to secret sharing schemes by Herzberg et al. in [15]. Basically the idea is that, if the information stored by the servers in order to share a given secret stays the same for the whole lifetime of the system, then an adversary can eventually break into a sufficient number of servers to learn and destroy the secret. On the other hand, suppose that time is divided into periods. At the beginning of each period the information stored by the servers changes, while the shared secret stays the same. Then the adversary probably does not have enough time to break into the necessary number of servers. Moreover, the information he learns during period p is useless during period p + i, for i = 1, 2, .... So, he has to start a new attack from scratch during each time period. The first unconditionally secure proactive VSS was proposed by Stinson and Wei [22], where proactivity is added to the basic VSS described in the same paper. A generalization of the scheme has subsequently been given in [19]. Recently D'Arco and Stinson [11, 10] showed that some existing proactive schemes [19, 22] can be broken. They proposed two new variations of the schemes to add proactive security to VSS, based on two different approaches, one using symmetric polynomials and another one using non-symmetric polynomials.

In this paper we present a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. The basic building block will be an unconditionally secure proactive VSS based on a general access structure.

* The author was partially supported by a NATO research fellowship and Concerted Research Action GOA-MEFISTO-666 of the Flemish Government.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 422–435, 2002. © Springer-Verlag Berlin Heidelberg 2002
We will use the scheme proposed by D'Arco and Stinson [11, 10], whose round complexity has been improved by applying the technique described by Gennaro et al. in [14]. We also show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and propose a slightly modified scheme that solves the problem (see also [11]).
2 Background
2.1 Notations
Let K be a finite field. For an arbitrary matrix M over K with m rows labeled by 1, . . . , m, let M_A denote the matrix obtained by keeping only those rows i with i ∈ A, where A is an arbitrary non-empty subset of {1, . . . , m}. If A = {i} we write M_i. Consider the set of row-vectors v_{i_1}, . . . , v_{i_k} and let A = {i_1, . . . , i_k} be the set of indices; then we denote by v_A the matrix consisting of the rows v_{i_1}, . . . , v_{i_k}. Instead of ⟨ε, v_i⟩ for i ∈ A we will write ⟨ε, v_A⟩. Let M_A^T denote the transpose of M_A, and let Im(M_A^T) denote the K-linear span of the rows of M_A. We use Ker(M_A) to denote the kernel of M_A, i.e. all linear combinations of the columns of M_A leading to 0.
Let us define the standard scalar product ⟨x, y⟩, and write x ⊥ y when ⟨x, y⟩ = 0. For a K-linear subspace V of K^t, V^⊥ denotes the collection of elements of K^t that are orthogonal to all of V (the orthogonal complement), which is again a K-linear subspace. For all subspaces V of K^t we have V = (V^⊥)^⊥, (Im(M_N^T))^⊥ = Ker(M_N) or Im(M_N^T) = (Ker(M_N))^⊥, and ⟨x, M_N y⟩ = ⟨M_N^T x, y⟩. A matrix whose i-th row is of the form (1, α_i, . . ., α_i^{t−1}), where α_1, . . ., α_n ∈ K, is called an (n, t)-Vandermonde matrix (over K) with t < n. It is well known that any square Vandermonde matrix has non-zero determinant. If M is an (n, t)-Vandermonde matrix over K and A is a non-empty subset of {1, . . ., n}, then the rank of M_A is maximal (i.e. equal to t, or equivalently Im(M_A^T) = K^t) if and only if |A| ≥ t. Moreover, let ε denote the column vector (1, 0, . . ., 0) ∈ K^t. If |A| < t, then ε ∉ Im(M_A^T), i.e. there is no λ ∈ K^{|A|} such that M_A^T λ = ε.

2.2 General Access Structure, Monotone Span Program and LSSS
We call the groups who are allowed to reconstruct the secret qualified, and the groups who should not be able to obtain any information about it forbidden. The collection of all qualified groups is denoted by Γ, and the collection of all forbidden groups is denoted by ∆. In fact Γ is monotone increasing and ∆ is monotone decreasing. The tuple (Γ, ∆) is called an access structure if Γ ∩ ∆ = ∅. If Γ ∪ ∆ = 2^P, where P is the set of participants, then we say that (Γ, ∆) is complete and we denote it by Γ. Otherwise we say that (Γ, ∆) is incomplete. By Γ^− we denote the collection of the minimal sets of Γ and by ∆^+ the collection of the maximal sets of ∆. It is obvious that (Γ^−, ∆^+) generates (Γ, ∆). We will consider a general monotone access structure (Γ, ∆), which describes the subsets of participants that are qualified to recover the secret s ∈ K, the set of possible secret values. There exists an adversary A which can corrupt a set of servers during any time period. Corrupting a server means learning the secret information in the server, modifying its data, sending out wrong messages, and so on. Since a server can be rebooted, the adversary is a mobile one. The collection of all possible sets of corrupted servers for a fixed time period we call bad and denote by ∆_A, and the collection of all possible sets of uncorrupted servers for the same period of time we call good and denote by Γ_A. It is obvious that ∆_A and Γ_A are monotone and Γ_A ∩ ∆_A = ∅. So we can consider a second access structure (Γ_A, ∆_A), which is called the adversary access structure [16]. The adversary access structure is complete, so we will denote it only by Γ_A. The simplest example of an adversary access structure is to set a number b to be the maximum number of servers broken (corrupted) by the adversary in a fixed time frame (i.e. the threshold case) [11, 10, 22]. A new operation on access structures, which generalizes the notion of Q2 (Q3) adversary structures introduced by Hirt and Maurer [16], is given in [19].
Definition 1. [19] For the access structure (Γ, ∆) the operation ∗ can be defined as follows: n ∗ ∆ = {A = A_1 ∪ A_2 ; A_1 ∈ (n − 1) ∗ ∆, A_2 ∈ ∆}, for n = 2, 3, . . .

Definition 2. [19] For the complete access structure Γ the operation ∗ can be defined as follows: first we set ∆ = 2^P \ Γ and (as in Definition 1) calculate n ∗ ∆. Then we define n ∗ Γ = 2^P \ n ∗ ∆, for n = 2, 3, . . .

The same operation for monotone structures is defined by Fehr and Maurer in [13], who call it element-wise union, in order to give necessary and sufficient conditions for robust VSS and Distributed Commitments. Brickell [5] pointed out how the linear algebraic view leads to a natural extension to a wider class of secret sharing schemes that are not necessarily of the threshold type. This has later been generalized to all possible so-called monotone access structures by Karchmer and Wigderson [17], based on a linear algebraic computational device called monotone span program (MSP).

Definition 3. [17] The quadruple M = (K, M, ε, ψ) is called a monotone span program, where K is a finite field, M is a matrix (with m rows and d ≤ m columns) over K, ψ : {1, . . . , m} → {1, . . . , n} is a surjective function and ε is a fixed vector, called the target vector, e.g. the column vector (1, 0, . . ., 0) ∈ K^d. The size of M is the number of rows m.

Here ψ labels each row with a number from [1, . . . , m] corresponding to a fixed player, so we can think of each player as being the "owner" of one or more rows. And for every player we consider a function ϕ which gives the set of rows owned by the player. In some sense ϕ is the inverse of ψ.

Theorem 1. [2, 12, 17] An MSP is said to compute an access structure (Γ, ∆) if the following holds: ε ∈ Im(M_N^T) if and only if N is a member of Γ.

Lemma 1. [7] The vector ε ∉ Im(M_N^T) if and only if there exists k ∈ K^d such that M_N k = 0 and k_1 = 1.
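The operation ∗ of Definitions 1 and 2, together with the Q2/Q3 tests of the form "P ∉ n ∗ ∆" that the later theorems rely on, as an added example that is not the paper's code: structures are represented by their maximal sets ∆^+, and the threshold structure in the main block (7 servers, b = 2) is a constructed input.

```python
# Added example, not from the paper: the element-wise union n * Delta of
# Definition 1 on monotone decreasing structures given by their maximal
# sets Delta+, n * Gamma of Definition 2, and the Q_n test "P not in n * Delta".
from itertools import combinations


def maximal_sets(family):
    """Keep only the inclusion-maximal sets; they generate the structure."""
    fam = {frozenset(a) for a in family}
    return {a for a in fam if not any(a < b for b in fam)}


def star(n, delta_plus):
    """n * Delta = {A1 | A2 : A1 in (n-1) * Delta, A2 in Delta} for n >= 2,
    with 1 * Delta = Delta; returned through its maximal sets."""
    base = maximal_sets(delta_plus)
    current = base
    for _ in range(n - 1):
        current = maximal_sets({a | b for a in current for b in base})
    return current


def member(delta_plus, subset):
    """A set is in the decreasing structure iff some maximal set covers it."""
    subset = frozenset(subset)
    return any(subset <= m for m in delta_plus)


def in_star_gamma(n, delta_plus, subset):
    """n * Gamma = 2^P \\ n * Delta for a complete structure (Definition 2)."""
    return not member(star(n, delta_plus), subset)


def is_qn(n, players, delta_plus):
    """Q_n condition: the full player set P is not in n * Delta."""
    return not member(star(n, delta_plus), players)


def threshold_delta(players, b):
    """Delta+ of the threshold case 'at most b corrupted servers'."""
    return {frozenset(c) for c in combinations(sorted(players), b)}


if __name__ == "__main__":
    players = frozenset(range(1, 8))          # constructed: 7 servers, b = 2
    delta_a = threshold_delta(players, 2)
    print(sorted(len(m) for m in star(2, delta_a))[0],   # 2*Delta_A: 4-sets
          is_qn(2, players, delta_a), is_qn(3, players, delta_a))
```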
A SSS is linear if the dealer and the participants use only linear operations to compute the shares and the secret. Each linear SSS (LSSS) can be viewed as derived from a monotone span program computing its access structure. On the other hand, each monotone span program gives rise to an LSSS. Hence, one can identify an LSSS with its underlying monotone span program. Note that the size of M is also the size of the corresponding LSSS. Now we will consider any access structure, as long as it admits a linear secret sharing scheme.

2.3 The Model of DKDC
From now on we will follow the settings in [10, 11]. Let U = {U_1, . . . , U_m} be a set of m users and let S = {S_1, . . . , S_n} be a set of n servers. Each user has a private channel connecting him or her to all the servers. Each pair of servers is connected by a private channel and all of them share a broadcast channel. Servers can be good or bad (i.e., they are controlled by an adversary and can deviate from the protocol in arbitrary ways). Let C ⊂ 2^U be the family of conferences, i.e. the family of groups of users which want to communicate privately. And let F be the family of tolerated coalitions, i.e. the family of coalitions of users who can try to break the scheme in some way. We consider a general access structure (Γ, ∆) for the set of servers, and we also consider the adversary access structure Γ_A. A verifiable distributed key distribution scheme (VDKDS) is divided into three phases: an initialization phase, which involves only the servers; a key-request phase, in which users ask servers for keys; and a key-computation phase, in which users construct keys from the messages received from the servers who were contacted during the key-request phase.

Initialization phase: We assume that the initialization phase is performed by a joint computation of all the servers. As a primitive for this phase we use a VSS (proactive VSS), so each server S_i is able to verify the information received. Moreover, each server constructs a list G of good servers present across the network at the end of this phase. (Note that the lists held by the good servers contain the same identifiers.)

Key-request: Let C_h ∈ C be a conference. Each user U_j in C_h contacts a subset G of good servers belonging to Γ_A, requesting a key for the conference C_h. We denote such a key k^h. Each good server S_i, contacted by a user U_j, checks for membership of U_j in C_h; if U_j ∈ C_h, then S_i computes a value y^h_{i,j} using a publicly known function. Otherwise, S_i sets y^h_{i,j} = ⊥ (a special value which conveys no information about k^h). Finally, S_i sends the value y^h_{i,j} to U_j. Note that a bad server can either refuse to reply or it may send some incorrect value.

Key-computation phase: Having received the values from the servers, each user U_j in C_h computes k^h from a certain majority of the values received.

Roughly speaking, a Verifiable DKDC must satisfy the following properties:
• Correct and Verifiable Initialization Phase. When the initialization phase successfully terminates, any good server S_i must be able to identify the subsets of good servers and to compute his private information.
• Consistent Key Computation. Each user in a conference C_h ⊆ U must be able to compute the same conference key, after interacting with a subset of good servers.
• Conference Key Security. A conference key must be secure against attacks performed by a coalition of bad servers, a coalition of users, and a coalition of both.

Or in a more precise way:

Definition 4. [11, 10] Let U = {U_1, . . . , U_m} be a set of users and let S = {S_1, . . . , S_n} be a set of servers. Let C be the family of conferences and let F be the family of tolerated coalitions. A verifiable ((Γ, ∆), Γ_A, m, n, C)-Distributed Key Distribution Scheme is a protocol which enables each user of C_h ∈ C to compute a common key k^h interacting with a set of servers of the network. More precisely, the following properties are satisfied:
– After the initialization phase, each good server computes his private information and verifies its consistency with the information received and stored by other good servers. At least a set of servers successfully completes this phase and each of them constructs the same (public) list G containing the identities of the good servers.
– After the initialization phase, each good server is able to answer the key-request messages.
– Each user in C_h ∈ C can compute the common key k^h by contacting the servers in G. At least one subset of the good servers G from 3 ∗ Γ_A gives good answers, from which the user reconstructs the key.
– Each conference key is completely secure against coalitions of users in F; coalitions of sets of servers (∉ Γ_A); and joint coalitions of users and servers.
3 A VSS
The main component of our ((Γ, ∆), Γ_A, m, n, C)-VDKDS is a VSS. Since secret sharing was proposed initially by Shamir [23] and Blakley [1], research on this topic has been extensive. In the "classic" secret sharing schemes, there are assumed to be no faults in the system. Chor et al. [6] first defined the complete notion of VSS. In this section we provide a slightly modified version of the unconditionally secure VSS proposed by Stinson and Wei in [22], with improved round complexity obtained by applying the technique described in [14], but for the general access structure. For the precise definition of the VSS one can see [11, 10, 19, 22].

3.1 Distribution (Share) Phase
Let s ∈ K be a secret.
1. The dealer D chooses a random symmetric matrix R ∈ K^{d,d}, subject to s being in its upper left corner. He sends v_{ϕ(k)} = M_{ϕ(k)} R (the row-vectors) to P_k.
2. Then each P_i generates and sends to every P_k random values r_{ϕ(i),ϕ(k)} ∈ K^{|ϕ(i)|,|ϕ(k)|} through a private channel.
3. After receiving r_{ϕ(i),ϕ(k)}, each P_k broadcasts the values M_{ϕ(i)} v^T_{ϕ(k)} + r_{ϕ(i),ϕ(k)} + r^T_{ϕ(k),ϕ(i)} for each i ≠ k.
4. Each P_i computes the minimum subset G ⊂ {P_1, . . . , P_n} such that any ordered pair (e, k) ∈ G × G is consistent, i.e. such that $M_{\varphi(e)} v_{\varphi(k)}^T + r_{\varphi(e),\varphi(k)} + r_{\varphi(k),\varphi(e)}^T = (M_{\varphi(k)} v_{\varphi(e)}^T + r_{\varphi(k),\varphi(e)} + r_{\varphi(e),\varphi(k)}^T)^T = v_{\varphi(e)} M_{\varphi(k)}^T + r_{\varphi(k),\varphi(e)}^T + r_{\varphi(e),\varphi(k)}$. If G ∈ Γ_A, then P_i outputs ver_i = 1, otherwise P_i outputs ver_i = 0.
It is obvious that every good participant computes the same subset G at the end of Share. Next we consider the reconstruction phase. Note that although the adversary is static, he could provide correct information in the Share phase but wrong information in the Reconstruction phase. It means that the adversary access structure in the reconstruction phase is 2 ∗ Γ_A.
3.2 Reconstruction Phase
1. Each player P_i sends ⟨ε^T, v_{ϕ(i)}⟩ to P_k, where i, k ∈ G, the set of good participants after the distribution phase.
2. After receiving the information, P_k computes λ such that M^T_{ϕ(G′)} λ = ε, for some group G′ ⊂ G with G′ ∈ 2 ∗ Γ_A.
3. Denote by R_1 the first column of R; hence $s = \langle R_1, \varepsilon\rangle = \langle R_1, M_{\varphi(G')}^T \lambda\rangle = \langle M_{\varphi(G')} R_1, \lambda\rangle = \langle (M_{\varphi(G')} R)_1, \lambda\rangle = \langle (v_{\varphi(G')})_1, \lambda\rangle$, where (v_{ϕ(G′)})_1 is the column vector of the first coordinates of each share, i.e. ⟨ε^T, v_{ϕ(G′)}⟩.
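The Share and Reconstruction phases above in working code, as an added example that is not the paper's code: it uses the threshold instance of the MSP, where player k owns the single Vandermonde row M_k = (1, α_k, …, α_k^{d−1}) over the constructed field GF(101), so ϕ(k) = {k} and any d players form a qualified set (the α_k values, the field and the function names are assumptions). It also runs the step 4 check against a dealer whose R is not symmetric.

```python
# Added example, not from the paper: the Section 3 share and reconstruction
# phases for the threshold instance of the MSP over GF(p), where player k owns
# the single Vandermonde row M_k = (1, a_k, ..., a_k^(d-1)), the dealer shares
# s as v_k = M_k R with R symmetric and R[0][0] = s, and any d players qualify.
import random

P = 101  # constructed field GF(101)

def vandermonde_row(alpha, d):
    return [pow(alpha, j, P) for j in range(d)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def symmetric_matrix(secret, d, rng):
    """Step 1: random symmetric d x d matrix R with the secret top-left."""
    R = [[0] * d for _ in range(d)]
    for i in range(d):
        for j in range(i, d):
            R[i][j] = R[j][i] = rng.randrange(P)
    R[0][0] = secret % P
    return R

def shares_from_matrix(R, alphas):
    """v_k = M_k R for every player k (also used to model a cheating dealer)."""
    d = len(R)
    return {k: [dot(vandermonde_row(a, d), [R[i][j] for i in range(d)])
                for j in range(d)] for k, a in alphas.items()}

def share(secret, alphas, d, rng):
    return shares_from_matrix(symmetric_matrix(secret, d, rng), alphas)

def broadcasts(shares, alphas, rng):
    """Steps 2-3: P_i sends a blinding value r_{i,k} to P_k over a private
    channel; P_k then broadcasts b[(i,k)] = M_i v_k^T + r_{i,k} + r_{k,i}."""
    d = len(next(iter(shares.values())))
    r = {(i, k): rng.randrange(P) for i in shares for k in shares if i != k}
    return {(i, k): (dot(vandermonde_row(alphas[i], d), shares[k])
                     + r[(i, k)] + r[(k, i)]) % P
            for i in shares for k in shares if i != k}

def all_pairs_consistent(b):
    """Step 4: (e, k) is consistent when the two broadcasts agree; with a
    symmetric R this holds because M_k R M_e^T = M_e R M_k^T."""
    return all(b[(e, k)] == b[(k, e)] for (e, k) in b)

def solve_mod_p(A, rhs):
    """Gauss-Jordan elimination over GF(p) for a square invertible A."""
    n = len(A)
    M = [[x % P for x in A[i]] + [rhs[i] % P] for i in range(n)]
    for c in range(n):
        piv = next(r for r in range(c, n) if M[r][c])
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:
                f = M[r][c]
                M[r] = [(x - f * y) % P for x, y in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

def reconstruct(first_coords, alphas, d):
    """Reconstruction steps 2-3: lambda with M_G^T lambda = eps, then
    s = <(v_G)_1, lambda> using only the first coordinate of each share."""
    G = list(first_coords)[:d]            # any d good players suffice
    rows = [vandermonde_row(alphas[k], d) for k in G]
    MT = [[rows[i][j] for i in range(d)] for j in range(d)]   # M_G^T
    lam = solve_mod_p(MT, [1] + [0] * (d - 1))
    return dot([first_coords[k] for k in G], lam)

def demo(secret, seed=7):
    """Honest dealer, then a dealer whose R is not symmetric.  Returns
    (honest shares pass check, secret rebuilt by players 2,4,5, cheater passes)."""
    rng = random.Random(seed)
    alphas = {1: 3, 2: 5, 3: 11, 4: 17, 5: 29}    # constructed player points
    sh = share(secret, alphas, 3, rng)
    honest = all_pairs_consistent(broadcasts(sh, alphas, rng))
    s = reconstruct({k: sh[k][0] for k in (2, 4, 5)}, alphas, 3)
    bad_R = [[secret, 1, 0], [2, secret, 0], [0, 0, secret]]   # R != R^T
    bad = shares_from_matrix(bad_R, alphas)
    cheater = all_pairs_consistent(broadcasts(bad, alphas, rng))
    return honest, s, cheater
```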
Note that the joint information held by the players in G is v_{ϕ(G)} = M_{ϕ(G)} R. It can be shown that the security of the protocol remains the same; see [11, 10, 14, 19, 22]. The following theorem, proved in [19], gives necessary and sufficient conditions for the existence of an unconditionally secure verifiable secret sharing scheme.

Theorem 2. [19] The scheme is an unconditionally secure verifiable secret sharing scheme if the following condition is satisfied: i) Γ = 2 ∗ Γ_A.

It is well known that a secret sharing scheme with access structure Γ is robust if and only if Γ is a Q2 access structure, or in other words P ∉ 2 ∗ ∆. So, we can restate the result of Fehr and Maurer [13] as follows.

Theorem 3. The very strong robustness property for VSS is fulfilled if and only if P ∉ ∆ ∗ (2 ∗ ∆_A) = ∆ ∗ ∆_A ∗ ∆_A.
4 Proactivity
Proactive security for secret sharing was first suggested by Ostrovsky and Yung in [20], where they presented, among other things, a proactive polynomial secret sharing scheme. The polynomial proactive secret sharing scheme proposed in [20] uses the verifiable secret sharing scheme from [21]. Proactive security refers to security and availability in the presence of a mobile adversary. Herzberg et al. [15] further specialized this notion to robust secret sharing schemes and gave a detailed efficient proactive secret sharing scheme. Robust means that in any time period the shareholders can reconstruct the secret value correctly. There are also many papers that discuss proactive security, see e.g. the references in [15, 20, 21, 22]. The secret value needs to be maintained for a long period of time. The lifetime is therefore divided into time periods which are determined by the global clock. At the beginning of each time period the servers engage in an interactive update protocol. The update protocol will not reveal the value of the secret. At the end of the period the servers hold new shares of the secret. We distinguish the following phases in each time period [15]: at the beginning we have Distribution or Recovery, during the period Renewal, and at the end Reconstruct or Detection followed by Recovery for the beginning of the next period.

The first information-theoretically (unconditionally) secure proactive VSS was proposed by Stinson and Wei in [22], where proactivity was added to the basic VSS described above. A generalization of that scheme to general access structures has subsequently been given in [19]. In [11, 10] D'Arco and Stinson found an attack that breaks the Renewal procedure given in [19, 22]. They also proposed a new variation of the scheme based on two different approaches for adding proactive security to VSS. The first technique uses symmetric polynomials and the second relies on the use of generic non-symmetric polynomials. The purpose of this section is to show an attack on the unconditionally secure proactive SSS with symmetric polynomials from [10] and to propose a slightly modified scheme that resists the attack and has a better information rate (see also [11]).

First, we make the following remarks on the solutions proposed in [10]. In the non-symmetric scheme of D'Arco and Stinson, besides the share (of length t) the servers should also keep the verification share of length t. So the information kept by them is doubled, hence the information rate of the new scheme is halved. In the symmetric scheme the servers should keep the share (of length t) and the verification share of length n, where n > t + 3b. Thus the information kept by them more than doubles, hence the information rate of the new scheme is reduced by more than half.

4.1 Attack against Proactivity
Now we start with the analysis of the Renewal phase in [10], which is as follows:

Renewal phase
1. Each server P_ℓ selects a random symmetric polynomial (i.e. r_{i,j} = r_{j,i}) $r^{(\ell)}(x, y) = \sum_{i=0}^{t-2} \sum_{j=0}^{t-2} r_{i,j} x^i y^j$.
2. P_ℓ sends h^{(ℓ)}_k(x) = r^{(ℓ)}(x, ω^k) to P_k for k = 1, 2, . . . , n by a private channel.
3. After receiving h^{(ℓ)}_k(x), each P_k sends h^{(ℓ)}_k(ω^m) to P_m for k = 1, 2, . . . , n.
4. P_m checks whether h^{(ℓ)}_k(ω^m) = h^{(ℓ)}_m(ω^k) for k = 1, 2, . . . , n and k ≠ m. If P_m finds that the equality does not hold, then he broadcasts an accusation of P_ℓ.
5. If P_ℓ is accused by at most b servers, then he can defend himself as follows. For those P_i he is accused by, P_ℓ broadcasts h^{(ℓ)}_i(x). Then the server P_k checks whether h^{(ℓ)}_k(ω^i) = h^{(ℓ)}_i(ω^k) and broadcasts "yes" or "no". If there are at least n − b − 2 servers broadcasting yes, then P_ℓ is not a bad server.
6. P_m updates the list of good servers G (i.e., the values ℓ for which P_ℓ is accused by at least b + 1 servers, or found bad in the previous step, are not in G). Then, P_m updates its share as $h_m(x) \leftarrow h_m(x) + \omega^m h^*_m(x)$, where $h^*_m(x) = \sum_{\ell \in G} h^{(\ell)}_m(x)$. Moreover, P_m updates a verification vector V_m by computing $V_m[j] \leftarrow V_m[j] + h^*_m(\omega^j)$.
First, note that instead of the verification share V_m[j] for j = 1, 2, . . . , n one can use a polynomial V_m(x) of degree t − 2 such that V_m(ω^j) = V_m[j]. In fact we can change step 6 to V_m(x) ← V_m(x) + h^*_m(x). In this way the size of the verification share becomes t − 1. Unfortunately, the information from the share and the verification share of server P_i allows the attacker to calculate the initial share of P_i, obtained from the Dealer during the Distribution (Share) phase. Indeed, after q executions of Renewal, P_i possesses $h_i(x) = h^0_i(x) + \omega^i \sum_{p=1}^{q} h^{*,p}_i(x)$ and $V_i(x) = \sum_{p=1}^{q} h^{*,p}_i(x)$. Subtracting ω^i V_i(x) from h_i(x) the attacker obtains the initial share h^0_i(x). The consequence is that if a passive adversary breaks into t servers once, even in different periods, he collects t initial shares and hence he can recover the secret.
4.2 Modification of the Scheme
First we will consider the threshold case. Basically, the problem in the above procedure is due to the asymmetry in the renewal polynomial. Indeed, we have r(x, y) ← r(x, y) + y r^*(x, y), where $r^*(x, y) = \sum_{\ell \in G} r^{(\ell)}(x, y)$. Note that r(0, 0) is not changed, so the secret stays the same. Also r(0, y) is changed randomly, so the adversary is not able to calculate the new values. To be able to perform a pair-wise check one needs symmetry; that is why the servers keep two shares: one is the actual share and the other is the verification share, which collects the asymmetry in the protocol from [10]. We propose to keep the symmetry in the renewal polynomial: r(x, y) ← r(x, y) + (x + y) r^*(x, y). Hence in the Renewal phase for the threshold case we need to modify only step 6.

6′. P_m updates the list of good servers G (i.e., the values ℓ for which P_ℓ is accused by at least b + 1 servers, or found bad in the previous step, are not in G). Then, P_m updates its share as $h_m(x) \leftarrow h_m(x) + (x + \omega^m) h^*_m(x)$, where $h^*_m(x) = \sum_{\ell \in G} h^{(\ell)}_m(x)$.

Now we do not need the verification share any more. For a general access structure the modification of the Renewal phase of the proactive SSS in [19] is as follows:

Renewal phase
1. Each server P_e ∈ G selects a random (d − 1) × (d − 1) symmetric matrix R^{(e)} and uses it to construct two symmetric d × d matrices R^{(e,1)}, R^{(e,2)}. R^{(e,1)} is constructed by adding a zero column and a zero row as last column and row, and R^{(e,2)} is constructed by adding a zero column and a zero row as first column and row.
2. After that P_e sends v^{(e,1)}_{ϕ(k)} = M_{ϕ(k)} R^{(e,1)} and v^{(e,2)}_{ϕ(k)} = M_{ϕ(k)} R^{(e,2)} to all P_k by a private channel.
3. Each P_k checks whether the last column of v^{(e,1)}_{ϕ(k)} is a zero column and whether the first column of v^{(e,2)}_{ϕ(k)} is a zero column too. If these conditions are not satisfied, P_k broadcasts an accusation of P_e; otherwise P_k computes v^{(e)}_{ϕ(k)} as the sum of the right shift of the coordinates of v^{(e,1)}_{ϕ(k)} and the left shift of the coordinates of v^{(e,2)}_{ϕ(k)}, i.e. if we denote $v^{(e,2)}_h = (0, (v^{(e,2)}_h)_1, \ldots, (v^{(e,2)}_h)_{d-1})$ and $v^{(e,1)}_h = ((v^{(e,1)}_h)_1, \ldots, (v^{(e,1)}_h)_{d-1}, 0)$, then $v^{(e)}_h = ((v^{(e,2)}_h)_1, (v^{(e,2)}_h)_2 + (v^{(e,1)}_h)_1, \ldots, (v^{(e,2)}_h)_{d-1} + (v^{(e,1)}_h)_{d-2}, (v^{(e,1)}_h)_{d-1})$, where h ∈ ϕ(k). Finally, P_k computes and sends to P_j the values M_{ϕ(j)} (v^{(e,1)}_{ϕ(k)})^T, M_{ϕ(j)} (v^{(e,2)}_{ϕ(k)})^T and M_{ϕ(j)} (v^{(e)}_{ϕ(k)})^T.
4. P_j checks whether $M_{\varphi(j)} (v^{(e)}_{\varphi(k)})^T = v^{(e)}_{\varphi(j)} M^T_{\varphi(k)}$, $M_{\varphi(j)} (v^{(e,1)}_{\varphi(k)})^T = v^{(e,1)}_{\varphi(j)} M^T_{\varphi(k)}$ and $M_{\varphi(j)} (v^{(e,2)}_{\varphi(k)})^T = v^{(e,2)}_{\varphi(j)} M^T_{\varphi(k)}$ for the values of e not accused by some set of servers from 2 ∗ Γ_A (in step 3). If the set of values of k for which the equations are not true belongs to 2 ∗ Γ_A, then P_j broadcasts an accusation of P_e.
5. If P_e is accused by some set of servers from 2 ∗ Γ_A (from steps 3 and 4), then he can defend himself as follows. For those P_i that P_e is accused by, P_e broadcasts v^{(e,1)}_{ϕ(i)} and v^{(e,2)}_{ϕ(i)}. Then all servers P_k check whether $M_{\varphi(i)} (v^{(e)}_{\varphi(k)})^T = v^{(e)}_{\varphi(i)} M^T_{\varphi(k)}$, $M_{\varphi(i)} (v^{(e,1)}_{\varphi(k)})^T = v^{(e,1)}_{\varphi(i)} M^T_{\varphi(k)}$ and $M_{\varphi(i)} (v^{(e,2)}_{\varphi(k)})^T = v^{(e,2)}_{\varphi(i)} M^T_{\varphi(k)}$ and broadcast "yes" or "no". If the set of servers broadcasting "yes" is from 2 ∗ Γ_A, then P_e is not a bad server.
6. P_j updates the list of bad servers L by including all values e for which P_e is accused by at least one set from 2 ∗ Γ_A or found bad in the previous step. Then P_j updates its share as $v_{\varphi(j)} \leftarrow v_{\varphi(j)} + \sum_{e \notin L} v^{(e)}_{\varphi(j)}$.
Because of the symmetry all other procedures are the same as in [22] for the threshold case and as in [19] for the general access structure. Note that the information rate of the new scheme is optimal and equal to the rates in [19, 22].
The following theorem, which is proved in [19], gives necessary and sufficient conditions for the existence of an unconditionally secure proactive secret sharing scheme.
Theorem 4. [19] The scheme is an unconditionally secure proactive secret sharing scheme if the following conditions are satisfied: ii) $\Gamma = 3 * \Gamma_A$. iii) For each group $N \in \Gamma^-$ the number of rows $|\phi(N)|$ for the group is equal to the number of columns of the matrix $M$.
5 A Proactive Verifiable DKDS
Using an LSSS as a primitive and relying on the linearity of the system we can build a DKDS. If we use a VSS instead of an LSSS we can set up a Verifiable DKDS. Finally, if we use a proactive VSS as the primitive we can build a Proactive VDKDS. The only difference between the LSSS and the VSS appears in the Set Up phase. A straightforward way to gain proactive security would be to apply directly, at the beginning of each time period, the procedures Detection, Recovery and Renewal to each of the secrets. We assume that a Dealer $D$ initializes the system, but as noted in [11, 10], it is also possible for the system to be initialized without the Dealer. The scheme proposed in this section provides $\ell$-wise independent conference keys (as in [11, 10]), i.e. the $\ell$-th conference key is uniformly distributed over the set of possible values even if an adversary already knows $\ell - 1$ conference keys. The Set Up phase is as follows.

5.1 Set Up Phase
1. Let $\ell_F$ be the maximum number of conference keys that a group $F$ can compute. Assume that $\ell > \max\{\ell_F : F \in \mathcal{F}\}$. The Dealer $D$ chooses a random secret column vector $k = (k_1, \ldots, k_\ell)$ and publishes an $\ell \times \ell$ matrix $N$ consisting of linearly independent row vectors, i.e. $\mathrm{rank}(N) = \ell$. The conference key for $C_s$ is then defined by $k_s = \langle k^T, N_s \rangle$.
2. Then for each coordinate of the vector $k$ the Dealer runs $\ell$ independent copies of the proactive VSS $\Sigma_z$ described before, where the secret that each proactive VSS $\Sigma_z$ distributes among the servers is $k_z$, for $z = 1, \ldots, \ell$.
3. Each server $S_i$ stores the $\ell$ packets of shares $v_{\phi(i),k_z}$ sent by the Dealer during the executions of the Share Phase of the $\Sigma_z$'s, and publishes the list of good servers $\mathcal{G} \in \Gamma_A$ he has found.
In a VSS the reconstruction of the secret is done by the participants (i.e. the servers in our setting), while in a DKDS each user of a given conference contacts the servers, receives some information and computes the common key by applying a public function to the values received. Basically, the values sent by the servers must enable the user to compute a single key, namely the one he is asking for.
5.2 Key Request and Key Computation Phase
1. User $U_j \in C_s$ asks a subset of good servers from $2 * \Gamma_A$ for the key $k_s$.
2. Each server $S_i$ computes the temporary shares $v_{\phi(i),s} = \sum_{z=1}^{\ell} (N_s)_z\, v_{\phi(i),k_z}$ and sends the first column of $v_{\phi(i),s}$ to $U_j \in C_s$, i.e. $(v_{\phi(i),s})_1 = \langle v_{\phi(i),s}, \varepsilon^T \rangle$.
3. $U_j$ computes $\lambda$ such that $M^T_{\phi(G)} \lambda = \varepsilon$, for some group $G \subset \mathcal{G}$ with $G \in 3 * \Gamma_A$. Finally, he recovers $k_s = \langle \lambda, (v_{\phi(G),s})_1 \rangle$.
Correctness. The correctness of the construction can be shown as follows. According to step 1 of the Set Up Phase, $k_s = \langle k^T, N_s \rangle = \sum_{z=1}^{\ell} (N_s)_z k_z$, but from the Reconstruct Phase of the VSS we have that
$\langle \lambda, (v_{\phi(G),k_z})_1 \rangle = \langle \lambda, (M_{\phi(G)} R^{k_z})_1 \rangle = \langle \lambda, M_{\phi(G)} (R^{k_z})_1 \rangle = \langle (R^{k_z})_1, M^T_{\phi(G)} \lambda \rangle = \langle (R^{k_z})_1, \varepsilon \rangle = k_z.$
Hence
$k_s = \sum_{z=1}^{\ell} (N_s)_z \langle \lambda, M_{\phi(G)} (R^{k_z})_1 \rangle = \langle \lambda, \sum_{z=1}^{\ell} (N_s)_z M_{\phi(G)} (R^{k_z})_1 \rangle = \langle \lambda, M_{\phi(G)} \sum_{z=1}^{\ell} (N_s)_z (R^{k_z})_1 \rangle = \langle M^T_{\phi(G)} \lambda, \sum_{z=1}^{\ell} (N_s)_z (R^{k_z})_1 \rangle = \langle \varepsilon, \sum_{z=1}^{\ell} (N_s)_z (R^{k_z})_1 \rangle = \langle \varepsilon, (R^s)_1 \rangle.$
So, we can think of the secret conference key $k_s$ as a secret distributed with the VSS using the temporary random symmetric matrix $R^s = \sum_{z=1}^{\ell} (N_s)_z R^{k_z}$. That is why in step 2 of the Key Request phase the server $S_i$ needs to compute the temporary shares $v_{\phi(i),s}$. On the other hand we have:
$k_s = \sum_{z=1}^{\ell} (N_s)_z \langle \lambda, M_{\phi(G)} (R^{k_z})_1 \rangle = \sum_{z=1}^{\ell} (N_s)_z \langle \lambda, (M_{\phi(G)} R^{k_z})_1 \rangle = \sum_{z=1}^{\ell} (N_s)_z \langle \lambda, (v_{\phi(G),k_z})_1 \rangle = \langle \lambda, \sum_{z=1}^{\ell} (N_s)_z (v_{\phi(G),k_z})_1 \rangle = \langle \lambda, \big(\sum_{z=1}^{\ell} (N_s)_z v_{\phi(G),k_z}\big)_1 \rangle = \langle \lambda, (v_{\phi(G),s})_1 \rangle.$
Thus the user Uj is able to restore the secret conference key in step 3. of the Key Computation Phase.
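The Renewal phase of Section 4 (steps 1 to 3 and the share update of step 6) and the Set Up and Key Request phases above, run on a toy instance as an added example; this is not code from the paper or its authors. It assumes a Shamir-style LSSS with $M_{\phi(i)} = (1, i, i^2)$ over GF(7919), $d = 3$ and four servers, so any three of them form a group $G$ with $M^T_{\phi(G)} \lambda = \varepsilon$; the field, the matrix $N$ and the key values are constructed, and the accusation and defence steps are reduced to the zero-column check of step 3.

```python
import math, random

P, D = 7919, 3                  # constructed toy parameters: prime field GF(P), matrix size d
SERVERS = [1, 2, 3, 4]          # P_1..P_4; with M_i = (1, i, i^2) any 3 servers reconstruct

def m_row(i):                   # row phi(i) of the public LSSS matrix M
    return [pow(i, c, P) for c in range(D)]

def sym_matrix(n, secret=None): # random symmetric n x n matrix; R[0][0] = secret if given
    R = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(a, n):
            R[a][b] = R[b][a] = random.randrange(P)
    if secret is not None:
        R[0][0] = secret % P
    return R

def share(i, R):                # v_{phi(i)} = M_{phi(i)} R, a row vector of length d
    return [sum(m * R[a][b] for a, m in enumerate(m_row(i))) % P for b in range(D)]

def lagrange(G):                # lambda with M_{phi(G)}^T lambda = eps = (1, 0, 0)
    return [math.prod(-j * pow(i - j, -1, P) for j in G if j != i) % P for i in G]

def recover(G, first):          # <lambda, (v_{phi(G)})_1> from the servers' first coordinates
    return sum(l * first[i] for l, i in zip(lagrange(G), G)) % P

def renewal_share(i, Re):       # Renewal step 3: v^(e) from v^(e,1), v^(e,2) via shifts
    R1 = [r + [0] for r in Re] + [[0] * D]           # R^(e,1): zero last row and column
    R2 = [[0] * D] + [[0] + r for r in Re]           # R^(e,2): zero first row and column
    v1, v2 = share(i, R1), share(i, R2)
    if v1[-1] != 0 or v2[0] != 0:                    # zero-column checks, else accuse P_e
        raise ValueError("accuse P_e")
    return [(a + b) % P for a, b in zip([0] + v1[:-1], v2[1:] + [0])]

def renew(secret, G):           # shares refreshed by every server; the secret must not move
    R = sym_matrix(D, secret)
    v = {i: share(i, R) for i in SERVERS}
    for e in SERVERS:
        Re = sym_matrix(D - 1)                       # P_e's random (d-1) x (d-1) symmetric R^(e)
        for i in SERVERS:
            v[i] = [(a + b) % P for a, b in zip(v[i], renewal_share(i, Re))]
    return recover(G, {i: v[i][0] for i in G})

def dkds_key(keys, N, s, G):    # Set Up + Key Request for conference key k_s = <k, N_s>
    Rk = [sym_matrix(D, kz) for kz in keys]          # one VSS Sigma_z per coordinate k_z
    stored = {i: [share(i, R) for R in Rk] for i in SERVERS}   # v_{phi(i),k_z}
    # each good server sends (v_{phi(i),s})_1 with v_{phi(i),s} = sum_z (N_s)_z v_{phi(i),k_z}
    first = {i: sum(N[s][z] * stored[i][z][0] for z in range(len(keys))) % P for i in G}
    return recover(G, first)
```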
6 Conclusions
In this paper we have shown how to set up a Robust Unconditional Proactive Verifiable DKDS, enabling a set of servers to jointly realize a Key Distribution Center. We have used an unconditionally secure proactive VSS based on a general access structure as a building block. Basically, one can use only a VSS based on a general access structure (as the building block) and the structure of the DKDS stays the same. We have also revised the unconditionally secure VSSs from [10, 19, 22], proposing a modified version which is proactively secure. Since proactivity, considered as a security property, can be useful in several settings in which the adversary is mobile, the applicability of such schemes is of independent interest beyond the specific application to key distribution addressed in this paper. It is clear that, using the linear unconditional Proactive Verifiable DKDC as a base and the homomorphic properties of the Diffie-Hellman or ElGamal cryptosystem, one can build a computationally secure Proactive Verifiable DKDC. Using the ideas in [9] it can be made more efficient.
Acknowledgements. The authors would like to thank Paolo D'Arco and Doug Stinson for the fruitful discussions and comments.
References
[1] G. R. Blakley, Safeguarding cryptographic keys, AFIPS Conference Proc. 48, 1979, pp. 313-317.
[2] G. R. Blakley, G. A. Kabatianskii, Linear Algebra Approach to Secret Sharing Schemes, Springer-Verlag LNCS 829, 1994, pp. 33-40.
[3] C. Blundo, P. D'Arco, V. Daza, C. Padro, Bounds and Constructions for Unconditionally Secure Distributed Key Distribution Schemes for General Access Structures, Proc. of the Information Security Conference (ISC 2001), LNCS 2200, 2001, pp. 1-17.
[4] C. Blundo, P. D'Arco, C. Padro, A ramp model for distributed key distribution schemes, WCC 2001, pp. 92-102.
[5] E. F. Brickell, Some ideal secret sharing schemes, J. of Comb. Math. and Comb. Computing 9, 1989, pp. 105-113.
[6] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. of the IEEE 26th Annual Symp. on Foundations of Computer Science, 1985, pp. 383-395.
[7] R. Cramer, Introduction to Secure Computation, in Lectures on Data Security: Modern Cryptology in Theory and Practice, LNCS 1561, 1999, pp. 16-62.
[8] P. D'Arco, On the Distribution of a Key Distribution Center, Proc. of ICTCS 2001, LNCS 2202, 2001, pp. 357-369.
[9] V. Daza, J. Herranz, C. Padro, G. Saez, A distributed and computationally secure key distribution scheme, Cryptology ePrint Archive, Report 2002/069.
[10] P. D'Arco, D. Stinson, On Unconditionally Secure Proactive Secret Sharing Scheme and Distributed Key Distribution Centers, unpublished manuscript, May 2002.
[11] P. D'Arco, D. Stinson, On Unconditionally Secure Robust Distributed Key Distribution Centers, to appear in ASIACRYPT 2002.
[12] M. van Dijk, A Linear Construction of Secret Sharing Schemes, DCC 12, 1997, pp. 161-201.
[13] S. Fehr, U. Maurer, Linear VSS and Distributed Commitments Based on Secret Sharing and Pairwise Checks, Proc. CRYPTO 2002, Springer-Verlag LNCS 2442, pp. 565-580.
[14] R. Gennaro, Y. Ishai, E. Kushilevitz, T. Rabin, The round complexity of Verifiable Secret Sharing and Secure Multicasting, Proc. STOC 2001.
[15] A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactive secret sharing or: How to cope with perpetual leakage, Proc. CRYPTO 1995, Springer-Verlag LNCS 963, pp. 339-352.
[16] M. Hirt, U. Maurer, Player Simulation and General Adversary Structures in Perfect Multiparty Computation, J. of Cryptology 13, 2000, pp. 31-60.
[17] M. Karchmer, A. Wigderson, On Span Programs, Proc. of the 8th Annual Structure in Complexity Theory Conference, San Diego, California, 18-21 May 1993, IEEE Computer Society Press, pp. 102-111.
[18] M. Naor, B. Pinkas, O. Reingold, Distributed Pseudo-random Functions and KDCs, EUROCRYPT '99, LNCS 1592, 1999, pp. 327-346.
[19] V. Nikov, S. Nikova, B. Preneel, J. Vandewalle, Applying General Access Structure to Proactive Secret Sharing Schemes, Proc. of the 23rd Symposium on Information Theory in the Benelux, May 29-31, 2002, Université Catholique de Louvain (UCL), Louvain-la-Neuve, Belgium, pp. 197-206, Cryptology ePrint Archive: Report 2002/141.
[20] R. Ostrovsky, M. Yung, How to withstand mobile virus attack, ACM Symposium on Principles of Distributed Computing, 1991, pp. 51-59.
[21] T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, Proc. of the 21st Annual ACM Symp. on Theory of Computing, 1989, pp. 73-85.
[22] D. R. Stinson, R. Wei, Unconditionally Secure Proactive Secret Sharing Scheme with Combinatorial Structures, SAC '99, Springer-Verlag LNCS 1758, pp. 200-214.
[23] A. Shamir, How to share a secret, Communications of the ACM 22, 1979, pp. 612-613.
Author Index
Abisha, P.J. 71
Al-Ibrahim, Mohamed 185
Arnault, François 22
Bajard, Jean-Claude 275
Banks, William D. 62
Berger, Thierry P. 22
Chida, Eikoh 339
Choie, YoungJu 285
Clark, John A. 246
Daemen, Joan 1
Das, Tanmoy Kanti 135
Gangopadhyay, Sugata 260
Ghodosi, Hossein 185
Gulati, Ved Prakash 163
Imamoto, Kenji 326
Imbert, Laurent 275
Izu, Tetsuya 296
Jacob, Jeremy L. 246
Johansson, Thomas 234
Kasai, Yosuke 339
Kavut, Selçuk 34
Kim, Kwangjo 199
Lee, Byoungcheon 199
Lee, Hyung-Woo 382
Lee, Im-Yeong 382
Lee, Jong Won 285
Lee, Yong-Ho 382
Lipmaa, Helger 48
Ma, Di 354
Maitra, Subhamoy 135, 246, 260
Maity, Soumen 234
Mambo, Masahiro 339
Millan, William 246
Möller, Bodo 296
Müller, Olaf 79
Mukkamala, Ravi 108
Nalla, Divya 215
Necer, Abdelkader 22
Nègre, Christophe 275
Nikov, Ventzislav 395, 422
Nikova, Svetla 395, 422
Nüsken, Michael 79
Pieprzyk, Josef 185
Prabhu, B. 93
Preneel, Bart 395, 422
Rajan, N. Tharani 409
Rangan, C. Pandu 93, 409
Reddy, K.C. 215
Rhee, Kyung-Hyune 314
Rijmen, Vincent 1
Safavi-Naini, Reihaneh 149
Sakurai, Kouichi 326
Samuel, S.C. 71
Saxena, Ashutosh 122, 163
Shizuya, Hiroki 339
Shparlinski, Igor E. 62
Srinathan, K. 93, 409
Stepney, Susan 246
Subramanian, K.G. 71
Takagi, Tsuyoshi 296
Thomas, D.G. 71
Tô, Vu Dong 149
Vandewalle, Joos 395, 422
Veerubhotla, Ravi Sankar 163
Viswanathan, Kapali 122
Wang, Yejing 149
Wei, Shimin 12
Wikström, Douglas 176, 368
Wu, Yongdong 354
Xiao, Guozhen 12
Xu, Changsheng 354
Yang, Jong-Phil 314
Yücel, Melek D. 34