Progress in Cryptology — INDOCRYPT 2002: Third International Conference on Cryptology in India Hyderabad, India, December 16–18, 2002 Proceedings [1 ed.] 978-3-540-00263-5, 978-3-540-36231-9, 3-540-00263-4

Citation preview

Lecture Notes in Computer Science Edited by G. Goos, J. Hartmanis, and J. van Leeuwen

2551

3

Berlin Heidelberg New York Barcelona Hong Kong London Milan Paris Tokyo

Alfred Menezes Palash Sarkar (Eds.)

Progress in Cryptology – INDOCRYPT 2002 Third International Conference on Cryptology in India Hyderabad, India, December 16-18, 2002 Proceedings

13

Series Editors Gerhard Goos, Karlsruhe University, Germany Juris Hartmanis, Cornell University, NY, USA Jan van Leeuwen, Utrecht University, The Netherlands Volume Editors Alfred Menezes University of Waterloo Department of Combinatorics and Optimization Waterloo, Ontario, Canada N2L 3G1 E-mail: [email protected] Palash Sarkar Indian Statistical Institute Applied Statistics Unit 203, B.T. Road, Kolkata 700108, India E-mail: [email protected]

Cataloging-in-Publication Data applied for Bibliographic information published by Die Deutsche Bibliothek Die Deutsche Bibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data is available in the Internet at .

CR Subject Classification (1998): E.3, G.2.1, D.4.6, K.6.5, F.2.1-2, C.2 ISSN 0302-9743 ISBN 3-540-00263-4 Springer-Verlag Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law. Springer-Verlag Berlin Heidelberg New York a member of BertelsmannSpringer Science+Business Media GmbH http://www.springer.de © Springer-Verlag Berlin Heidelberg 2002 Printed in Germany Typesetting: Camera-ready by author, data conversion by DA-TeX Gerd Blumenstein Printed on acid-free paper SPIN 10871712 06/3142 543210

Preface

The third successful completion of the INDOCRYPT conference series marks the acceptance of the series by the international research community as a forum for presenting high-quality research. It also marks the coming of age of cryptology research in India. The authors for the submitted papers were spread across 21 countries and 4 continents, which goes a long way to demonstrate the international interest and visibility of INDOCRYPT. In the previous two conferences, the submissions from India originated from only two institutes; this increased to six for the 2002 conference. Thus INDOCRYPT is well set on the path to achieving two main objectives – to provide an international platform for presenting high-quality research and to stimulate cryptology research in India. The opportunity to serve as a program co-chair for the third INDOCRYPT carries a special satisfaction for the second editor. Way back in 1998, the scientific analysis group of DRDO organized a National Seminar on Cryptology and abbreviated it as NSCR. On attending the seminar, the second editor suggested that the conference name be changed to INDOCRYPT. It is nice to see that this suggestion was taken up, giving us the annual INDOCRYPT conference series. Of course, the form, character, and execution of the conference series was the combined effort of the entire Indian cryptographic community under the dynamic leadership of Bimal Roy. There were 75 submissions to INDOCRYPT 2002, out of which one was withdrawn and 31 were accepted. The invited talks were especially strong. Vincent Rijmen of AES fame gave a lecture on the design strategy for the recently accepted AES standard. Manindra Agrawal, Neeraj Kayal, and Nitin Saxena recently achieved a breakthrough by obtaining a polynomial time deterministic algorithm for primality testing. This was presented at an invited talk by the authors. GuoZhen Xiao, an eminent researcher in the theory of sequences and Boolean functions, presented a lecture on efficient algorithms for computing the linear complexity of sequences. The reviewing process for INDOCRYPT was very stringent and the schedule was very tight. The program committee did an excellent job in reviewing the papers and selecting the final papers for presentation. These proceedings include the revised versions of the selected papers. Revisions were not checked and the authors bear the full responsibility for the contents of the respective papers. Program committee members were assisted in the review process by external reviewers. The list of external reviewers is included in the proceedings. Our thanks go to all the program committee members and the external reviewers who put in their valuable time and effort in providing important feedback to the authors. Organizing the conference involved many individuals. We would like to thank the general chairs V.P. Gulati and M. Vidyasagar for taking care of the actual

VI

Preface

hosting of the conference. They were ably assisted by the organizing committee, whose names are included in the proceedings. Additionally, we would like to thank Kishan Chand Gupta, Sandeepan Chowdhury, Subhasis Pal, and Amiya Kumar Das for substantial help on different aspects of putting together this proceedings in its final form. Finally we would like to thank Springer-Verlag for active cooperation and timely production of the proceedings.

December 2002

Alfred Menezes Palash Sarkar

INDOCRYPT 2002 was organized by the Institute for Development and Research in Banking Technology (IDRBT) and is an annual event of the Cryptology Research Society of India.

General Co-chairs Ved Prakash Gulati M. Vidyasagar

IDRBT, Hyderabad, India Tata Consultancy Services, Hyderabad, India

Program Co-chairs Alfred Menezes Palash Sarkar

University of Waterloo, Canada Indian Statistical Institute, India

Program Committee Akshai Aggarwal Manindra Agrawal V. Arvind Simon Blackburn Colin Boyd ZongDuo Dai Anand Desai Ved Prakash Gulati Anwar Hasan Sushil Jajodia Charanjit Jutla Andrew Klapper Neal Koblitz Kaoru Kurosawa Chae Hoon Lim Subhamoy Maitra C.E. Veni Madhavan Alfred Menezes Rei Safavi-Naini David Pointcheval Bart Preneel A.K. Pujari Jaikumar Radhakrishnan Bimal Roy Palash Sarkar Vijay Varadharajan Stefan Wolf Chaoping Xing Amr Youssef

University of Windsor, Canada Indian Institute of Technology, India Institute of Mathematical Sciences, India Royal Holloway, University of London, UK Queensland University of Technology, Australia Academia Sinica, China NTT MCL, USA IDRBT, India University of Waterloo, Canada George Mason University, USA IBM, USA University of Kentucky, USA University of Washington, USA Ibaraki University, Japan Sejong University, Korea Indian Statistical Institute, India Indian Institute of Science, India University of Waterloo, Canada University of Wollongong, Australia ENS Paris, France Katholieke Universiteit Leuven, Belgium University of Hyderabad, India Tata Institute of Fundamental Research, India Indian Statistical Institute, India Indian Statistical Institute, India Macquarie University, Australia University of Montreal, Canada National University of Singapore, Singapore Cairo University, Egypt

VIII

Organization

Organizing Committee S. Sankara Subramanian Rajesh Nambiar V. Visweswar Ashutosh Saxena V. Ravi Sankar B. Kishore

IDRBT, India TCS, India IDRBT, India IDRBT, India IDRBT, India TCS, India

External Referees Kazumaro Aoki Alexandra Boldyreva Shiping Chen Olivier Chevassut Sandeepan Choudhury Tanmoy K. Das Matthias Fitzi Steven Galbraith Sugata Gangopadhyaya Craig Gentry Indivar Gupta Alejandro Hevia

Michael Jacobs Rahul Jain Shaoquan Jiang Meena Kumari Yingjiu Li Sin’ichiro Matsuo Mridul Nandi Laxmi Narain Satomi Okazaki Kapil Hari Paranjape Rajesh Pillai Matt Robshaw

Selwyn Russell Takeshi Shimoyama M.C. Shrivastava Jason Smith Alain Tapp Ayineedi Venkateswarlu Lingyu Wang Bogdan Warinschi Yiqun Lisa Yin Sencun Zhu

Sponsoring Institutions Acer India Pvt. Ltd., Bangalore Cisco Systems India Pvt. Ltd., New Delhi e-commerce magazine, New Delhi HP India, New Delhi IBM India Ltd., Bangalore Infosys Technologies Ltd., Bangalore Rainbow Information Technologies Pvt. Ltd. New Delhi Society for Electronic Transactions and Security, New Delhi Tata Consultancy Services, Mumbai

Table of Contents

Invited Talks Security of a Wide Trail Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Joan Daemen and Vincent Rijmen Fast Algorithms for Determining the Linear Complexity of Period Sequences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Guozhen Xiao and Shimin Wei

Symmetric Ciphers A New Class of Stream Ciphers Combining LFSR and FCSR Architectures 22 Fran¸cois Arnault, Thierry P. Berger, and Abdelkader Necer Slide Attack on Spectr-H64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Sel¸cuk Kavut and Melek D. Y¨ ucel On Differential Properties of Pseudo-Hadamard Transform and Related Mappings (Extended Abstract) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 Helger Lipmaa

New Public-Key Schemes A Variant of NTRU with Non-invertible Polynomials . . . . . . . . . . . . . . . . . . . . . . . 62 William D. Banks and Igor E. Shparlinski Tree Replacement and Public Key Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 S.C. Samuel, D.G. Thomas, P.J. Abisha, and K.G. Subramanian

Foundations Never Trust Victor: An Alternative Resettable Zero-Knowledge Proof System . . . . . . . . . . . . . . . . . . 79 Olaf M¨ uller and Michael N¨ usken Asynchronous Unconditionally Secure Computation: An Efficiency Improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 B. Prabhu, K. Srinathan, and C. Pandu Rangan

X

Table of Contents

Public-Key Infrastructures QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI) . . . . 108 Ravi Mukkamala Towards Logically and Physically Secure Public-Key Infrastructures . . . . . . 122 Kapali Viswanathan and Ashutosh Saxena

Fingerprinting and Watermarking Cryptanalysis of Optimal Differential Energy Watermarking (DEW) and a Modified Robust Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 Tanmoy Kanti Das and Subhamoy Maitra A 2-Secure Code with Efficient Tracing Algorithm . . . . . . . . . . . . . . . . . . . . . . . . 149 Vu Dong Tˆ o, Reihaneh Safavi-Naini, and Yejing Wang Reed Solomon Codes for Digital Fingerprinting . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Ravi Sankar Veerubhotla, Ashutosh Saxena, and Ved Prakash Gulati

Public-Key Protocols A Note on the Malleability of the El Gamal Cryptosystem . . . . . . . . . . . . . . . . 176 Douglas Wikstr¨ om Authentication of Concast Communication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185 Mohamed Al-Ibrahim, Hossein Ghodosi, and Josef Pieprzyk Self-certified Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Byoungcheon Lee and Kwangjo Kim Identity Based Authenticated Group Key Agreement Protocol . . . . . . . . . . . . 215 K.C. Reddy and D. Nalla

Boolean Functions Construction of Cryptographically Important Boolean Functions . . . . . . . . . . 234 Soumen Maity and Thomas Johansson Evolving Boolean Functions Satisfying Multiple Criteria . . . . . . . . . . . . . . . . . . 246 John A. Clark, Jeremy L. Jacob, Susan Stepney, Subhamoy Maitra, and William Millan Further Results Related to Generalized Nonlinearity . . . . . . . . . . . . . . . . . . . . . . 260 Sugata Gangopadhyay and Subhamoy Maitra

Table of Contents

XI

Efficient and Secure Implementations Modular Multiplication in GF (pk ) Using Lagrange Representation . . . . . . . . 275 Jean-Claude Bajard, Laurent Imbert, and Christophe N`egre Speeding up the Scalar Multiplication in the Jacobians of Hyperelliptic Curves Using Frobenius Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 YoungJu Choie and Jong Won Lee Improved Elliptic Curve Multiplication Methods Resistant against Side Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 Tetsuya Izu, Bodo M¨ oller, and Tsuyoshi Takagi Applications The Design and Implementation of Improved Secure Cookies Based on Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314 Jong-Phil Yang and Kyung-Hyune Rhee A Certified E-mail System with Receiver’s Selective Usage of Delivery Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Kenji Imamoto and Kouichi Sakurai Spending Offline Divisible Coins with Combining Capability . . . . . . . . . . . . . . 339 Eikoh Chida, Yosuke Kasai, Masahiro Mambo, and Hiroki Shizuya Efficient Object-Based Stream Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354 Yongdong Wu, Di Ma, and Changsheng Xu Anonymity The Security of a Mix-Center Based on a Semantically Secure Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368 Douglas Wikstr¨ om New Identity Escrow Scheme for Anonymity Authentication . . . . . . . . . . . . . . 382 Yong-Ho Lee, Im-Yeong Lee, and Hyung-Woo Lee Secret Sharing and Oblivious Transfer On Unconditionally Secure Distributed Oblivious Transfer . . . . . . . . . . . . . . . . 395 Ventzislav Nikov, Svetla Nikova, Bart Preneel, and Joos Vandewalle Non-perfect Secret Sharing over General Access Structures . . . . . . . . . . . . . . . . 409 K. Srinathan, N. Tharani Rajan, and C. Pandu Rangan On Distributed Key Distribution Centers and Unconditionally Secure Proactive Verifiable Secret Sharing Schemes Based on General Access Structure . . . . . . . . . . . . . . . . . . . . . . 422 Ventzislav Nikov, Svetla Nikova, Bart Preneel, and Joos Vandewalle Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .437

Security of a Wide Trail Design Joan Daemen1 and Vincent Rijmen2,3 1

3

ERG Group — ProtonWorld, Belgium [email protected] 2 Cryptomathic, Belgium [email protected] IAIK, Graz University of Technology, Austria

Abstract. The wide trail design strategy claims to design ciphers that are both efficient and secure against linear and differential cryptanalysis. Rijndael, the AES, was designed along the principles of this strategy. We survey the recent results on Rijndael and examine whether the design strategy has fulfilled its promise.

1

Introduction

In October 2000, the US National Institute of Standards and Technology (NIST) announced that Rijndael was selected as Advanced Encryption Standard (AES). Since then, Rijndael has probably become the best-known block cipher that was designed according to the wide trail design strategy. The findings that have been obtained as a result of the increased attention that was devoted to Rijndael, allow to evaluate the soundness of the wide trail design strategy. In Section 2, we present briefly the principles of the wide trail design strategy. The resulting security and performance are explained in Section 3 and Section 4. Subsequently, in Section 5 we give an overview of the most important cryptanalysis performed on Rijndael since its submission to the AES process. In Section 6, we discuss the improvements in performance of dedicated hardware implementations. This paper doesn’t contain a full description of Rijndael. For a complete specification, we refer the reader to [DR02a].

2

The Wide Trail Design Strategy

The wide trail design strategy can be used to design a variety of symmetric cryptographic primitives such as hash functions and stream ciphers, and block ciphers. Its best known application is the design of Rijndael, which is an example of a particular class of block ciphers, the key-alternating block ciphers. A keyalternating block cipher is an iterative block cipher with the following properties: – Alternation: the cipher is defined as the alternated application of key-independent round transformations and the application of a round key. The first round key is applied before the first round and the last round key is applied after the last round. A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 1–11, 2002. c Springer-Verlag Berlin Heidelberg 2002


2

Joan Daemen and Vincent Rijmen

– Binary Key Addition: the round keys are applied by means of a simple XOR: to each bit of the intermediate state a round key bit is XORed. In the following, we will explain the principles of the wide trail design strategy, applied to the design of key-alternating block ciphers. In the wide trail strategy, the round transformations are composed of two invertible steps: – γ: a local non-linear transformation. By local, we mean that any output bit depends on only a limited number of input bits and that neighboring output bits depend on neighboring input bits. – λ: a linear mixing transformation providing high diffusion. What is meant by high diffusion will be explained in the following sections. We will now discuss both steps in some more detail. 2.1

The Non-linear Step

A typical construction for γ is the so-called bricklayer mapping consisting of a number of invertible S-boxes. In this construction, the bits of input vector a are partitioned into nt m-bit bundles ai ∈ Z2m by the so-called bundle partition. The block size of the cipher is given by nb = mnt . In the case of the AES, the bundle size m is 8, hence bundles are bytes. In the early 1990’s, many block cipher designs concentrated solely on the design of large nonlinear S-boxes. In contrast, the wide trail strategy imposes very few requirements on the S-box. The only criteria are the upper bound for input-output correlations and the upper bound for the difference propagation. Instead of spending most of the resources on the S-boxes themselves, the wide trail strategy aims at designing the round transformation so that the effect of the S-boxes is maximised. In ciphers designed by the wide trail strategy, a relatively large amount of resources is spent in the linear step to provide high multiple-round diffusion. 2.2

The Linear Steps

The transformation λ combines the bundles linearly: each bundle at the output is a linear function of bundles at the input. λ can be specified at the bit level by a simple nb × nb binary matrix M . We have λ : b = λ(a) ⇔ b = M a

(1)

λ can also be specified at the bundle level. For example, the bundles can be considered as elements in GF(2m ) with respect to some basis. In most instances a simple linear function is chosen that can be expressed as follows:
λ : b = λ(a) ⇔ bi = Ci,j aj (2) j

Security of a Wide Trail Design

3

In the case of the AES, λ is composed of two types of mappings: – θ: a linear bricklayer mapping that provides high diffusion within 32-bit columns, and – π: a byte transposition that provides high dispersion in between the columns. By imposing some simple requirements on θ and π, it is possible to achieve both a high diffusion and a good performance.

3

Security

We assume that the reader is familiar with the principles of differential cryptanalysis [BS91, LMM91, DR02a]. The wide trail design strategy allows upper bounds to be proved on the probability of characteristics. Here characteristics are called trails. Alas, as we explain below, these bounds can’t be used to construct a proof of the security against differential cryptanalysis. Subsequently, we explain why restricting the probability of difference propagations remains a sound design strategy. 3.1

Probability of Trails and Difference Propagations

For a successful classical differential cryptanalysis attack, the cryptanalyst needs to know an input difference pattern that propagates to an output difference pattern over all but a few (2 or 3) rounds of the cipher, with a probability that is significantly larger than 21−nb . We call this the difference propagation probability. Clearly, the first step to provable security against differential cryptanalysis is to specify a number of rounds large enough so that all differential trails have a probability below 21−nb . This strategy does not guarantee that there exist no difference propagations with a high probability. In principle, many trails each with a low probability may add up to a difference propagation with high probability. For every Boolean mapping, every difference pattern at the input must propagate to some difference pattern at the output. There are 2nb −1 non-zero output differences. We define a pair to be an unordered set of texts: the pair {P1 , P2 } equals the pair {P2 , P1 }. For a fixed non-zero input difference, there are 2nb −1 pairs. Each of the pairs goes to one of the non-zero output differences. For every pair that results in a given output difference, the probability of that output difference increases with 21−nb . Hence, a propagation probability is always a multiple of 21−nb . The sum of the difference propagation probabilities over all possible output differences is 1. Hence, there must be difference propagations with a difference propagation probability equal to or larger than 21−nb . It is commonly accepted that a strong block cipher should behave as a random Boolean permutation for each fixed value of the cipher key. We assume that in a random Boolean permutation, the 2nb −1 pairs with a given input difference are distributed over the 2nb − 1 non-zero output differences according to the Poisson

4

Joan Daemen and Vincent Rijmen

distribution. Then, we expect to find many output differences that occur for more than one pair or, equivalently, many difference propagations with propagation probabilities that are larger than 21−nb . 3.2

Motivation for the Propagation Probability Bounds

As explained in the previous section, the presence of difference propagations with a ‘high’ propagation probability can’t be avoided by decreasing the probability of trails. We explain here why it still makes sense to make sure that there are no trails with a high probability. Consider a difference propagation with probability y for a given key value. A difference propagation probability y means that there are exactly y2nb −1 pairs of texts with the given input difference pattern and the given output difference pattern. Each of the y pairs follows a particular differential trail. We will now examine these trails. For a well-designed cipher, all trails have a low probability, and we can assume that the pairs are distributed over the trails according to a Poisson distribution. In a Poisson distribution, the expected number of pairs that follow a differential trail with propagation probability 2−z , is 2nb −1−z . Consider a differential trail with a propagation probability 2−z ≪ 21−nb . A value below 21−nb for the probability of the trail, means that the trail will be followed by a pair for a fraction of the possible keys only. The probability that this trail is followed by more than one pair for the given key value, equals approximately 2nb −1−z ≪ 1 (under the Poisson assumption). Consequently, if there are no differential trails with a propagation probability above 21−nb , the y2nb −1 pairs that have the correct input difference pattern and output difference pattern, are expected to follow almost y2nb −1 different differential trails. Concluding, if there is no differential trail with a high difference propagation probability, a difference propagation with a relatively large probability is the result of multiple differential trails that are followed by a pair for the given key value. For another key value, each of these individual differential trails may be followed by a pair, or not. This makes predicting the input difference patterns and output difference patterns that have large difference propagation probabilities difficult. 3.3

Proven Bounds

For the AES, we can prove [DR02a] that the number of active S-boxes in a fourround differential trail is lower bounded by 25. Since the difference propagation probability over an active S-box is at most 2−6 , the probability of an 8-round differential trail is below 2−300 . A similar reasoning applies to the case of linear cryptanalysis, where we can show that the amplitude of the correlation contribution of a linear 8-round trail is below 2−150 .

Security of a Wide Trail Design

4

5

Performance

Rijndael can be implemented to run efficiently on a wide range of platforms. Some of the key factors for the efficient implementation are: 1. On 32-bit processors with a reasonable cache size, the different steps of the round transformation can be combined in a single set of look-up tables. This is made possible by the division of the linear step λ into a diffusion step θ and a dispersion step π. 2. On 8-bit processors, the different steps have to be implemented explicitly. The step θ has been designed to be efficient on this type of processors. 3. The parallelism in the round transformation allows multiple pipelines to be utilized. We observe that the performance in software is almost not influenced by the particular choice of S-box. Once the dimensions of the S-box have been fixed, it makes no difference how the S-box is specified, since the γ step is always implemented by means of a look-up table.

5

Attempts at Cryptanalysis of Rijndael

In this section we discuss recent observation on the structural properties of Rijndael and their impact on the security of the design. 5.1

Differential and Linear Cryptanalysis

Because of the proven upper bounds on the probability of differential trails and the correlation contribution of linear trails, classical linear and differential attacks are not applicable to Rijndael. However, linear and differential attacks have been extended in several ways and new attacks have been published that are related to them. The best known extension is known as truncated differentials. This attack has also been taken into account in the design of Rijndael from the start. Other attacks use difference propagation and correlation in different ways. This includes impossible differentials [BBS99], boomerang attacks [BDK02] and rectangle attacks [BDK02]. Thanks to the upper bounds for 4-round trails and the actual number of rounds, none of these methods of cryptanalysis have led to shortcut attacks in Rijndael. 5.2

Saturation Attacks

The most powerful cryptanalysis of Rijndael to date is the saturation attack. This is a chosen-plaintext attack that exploits the byte-oriented structure of the cipher and works on any cipher with a round structure similar to the one of Rijndael. It was first described in the paper presenting a predecessor of Rijndael, the block cipher Square [DKR97] and was often referred to as the Square attack.

6

Joan Daemen and Vincent Rijmen

The original saturation attack can break round-reduced variants of Rijndael up to 6 (128-bit key and state) or 7 rounds faster than exhaustive key search. N. Ferguson et al. [FKS+ 00] proposed some optimizations that reduce the work factor of the attack. In [Luc00], S. Lucks proposes the name ‘saturation attack’ for this type of attacks. More recently, these attacks have been called ’Structural attacks’ by A. Biryukov and A. Shamir [BS01] and ’Integral Cryptanalysis’ by L. Knudsen and D. Wagner [KW02]. 5.3

Algebraic Structure

Decomposition of the Round Transformation The round transformation of Rijndael can be decomposed into a sequence of steps in several different ways. S. Murphy and M. Robshaw observed that the decomposition can be defined in such a way that the steps of the round transformation have a low algebraic order [MR00]. The algebraic order of a transformation f equals the number of different transformations that can be constructed by repeated application of f : f , f ◦ f , f ◦ f ◦ f , . . . Until now, this observation on some of the components of the round transformation hasn’t led to any cryptanalytical attack. On the contrary, R. Wernsdorf proved recently that the full round transformation of Rijndael generates the alternating group [Wer02]. This shows that the algebraic order of the round transformation isn’t low. Structure within the S-Box Any 8 × 8-bit S-box can be considered as a composition of 8 Boolean functions sharing the same 8 input bits. J. Fuller and W. Millan observed that the S-box of Rijndael can be described using one Boolean function only [FM02]. The 7 other Boolean functions can be described as fi (x1 , . . . , x8 ) = f1 (gi (x1 , . . . , x8 )) + ci ,

i = 2, . . . , 8,

(3)

where the functions gi are affine functions and the ci are constants. This means that the Rijndael round transformation is even more regular than anticipated: not only does it use 16 instances of the same S-box in every round, but additionally —in some sense— this S-box uses 8 instances of the same Boolean function. While this is an interesting observation, it remains to be seen if and how it has an impact on the security of the design. 5.4

Algebraic Attacks

The transparent algebraic structure of Rijndael has encouraged several teams of researchers to investigate the security of Rijndael against algebraic solving methods. Typically, an algebraic attack consists of two steps. 1. Collecting step: The cryptanalyst expresses the cipher as a set of simple equations in a number of variables. These variables include bits (or bytes)

Security of a Wide Trail Design

7

from the plaintext, ciphertext and the key, and typically also of intermediate computation values and round keys. The term ‘simple’ can be defined very loosely as ‘suitable for the next step’. 2. Solving step: the cryptanalyst uses some data input such as plaintextciphertext pairs, substitutes these values in the corresponding variables in the set of equations collected in step 1 and tries to solve the resulting set of equations, thereby recovering the key. It doesn’t come as a big surprise that Rijndael can be expressed with elegant equations in several ways. Whereas in many other cipher designs the structure is obscured by the addition of many complex operations, in Rijndael the inner structure is very simple and transparent, clearly facilitating the expression of the cipher as a set of simple equations. The key issue to be judged however, is whether equations that look elegant to the mathematician’s mind, are also simple to solve. Several attempts have been made to construct algebraic attacks for Rijndael. None have resulted in shortcut attacks as yet, and most of the papers conclude that more research is required. In the following sections we discuss a number of attempts. Continued Fractions Ferguson, Schroeppel and Whiting [FSW01] derived a closed formula for Rijndael that can be seen as a generalisation of continued fractions. Any byte of the intermediate result after 5 rounds can be expressed as follows.
C1 x=K+ (4)  C2 ∗ K +  C3 K∗ +  C4 ∗ K +  C5 K∗ + K ∗ + p∗∗

Here every K is some expanded key byte, each Ci is a known constant and each ∗ is a known exponent or subscript, but these values depend on the summation variables that enclose the symbol. A fully expanded version of (4) has 225 terms. In order to break 10-round Rijndael, a cryptanalyst could use 2 equations of this type. The first one would express the intermediate variables after 5 rounds as function of the plaintext bytes. The second equation would cover rounds 6–10 by expressing the same intermediate variables as a function of the ciphertext bytes. Combining both equations would result in an equation with 226 unknowns. By repeating this equation for 226 /16 known plaintext/ciphertext pairs, enough information could be gathered to solve for the unknowns, in an information-theoretic sense. It is currently unknown what a practical algorithm to solve this type of equations would look like.

XSL Courtois and Pieprzyck [CP] observe that the S-box used in Rijndael can be described by a number of implicit quadratic Boolean equations. If the 8 input

8

Joan Daemen and Vincent Rijmen

bits are denoted by x1 , . . . x8 , and the 8 output bits by y1 , . . . y8 , then there exist equations of the form f (x1 , . . . , x8 , y1 , . . . y8 ) = 0,

(5)

where the algebraic degree of f equals two. In principle, 8 equations of the type (5) suffice to define the S-box, but Courtois and Pieprzyck observe that more equations of this type can be constructed. Furthermore, they claim that these extra equations can be used to reduce the complexity of the solving step. In the first step of the XSL method, equations are collected that describe the output of every sub-block of the cipher as a function of the input of the same sub-block. As a result, the cryptanalysts get a system of 8000 quadratic equations in 1600 unknowns, for the case of Rijndael, where the linear steps are ignored for sake of simplicity. The most difficult part of the XSL method is to find an efficient elimination process. Courtois and Pieprzyck estimated that for Rijndael the complexity would be 2230 steps. For Rijndael with 256-bit keys, the complexity would be 2255 steps. As an extension, they propose to use cubic equations as well. For that case, the complexity for Rijndael with 256-bit keys may drop to 2203 steps in their most optimistic estimation. All these complexity estimations are made under the assumption that the Gaussion elimination method for linear equations can be implemented in a complexity O(n2.4 ). Embedding Murphy and Robshaw [MR02] defined the block cipher BES, which operates on data blocks of 128 bytes instead of bits. According to Murphy and Robshaw, the algebraic structure of BES is even more elegant and simple than that of Rijndael. Furthermore, Rijndael can be embedded into BES. There is a map φ such that: Rijndael(x) = φ−1 (BES (φ(x))) .

(6)

Murphy and Robshaw proceed with some observations on the properties of BES. However, these properties of BES do not translate to properties of Rijndael. Murphy and Robshaw believe that when the XSL method is applied to BES, the complexity of the solving step could be significantly smaller than in the case where XSL is directly applied to Rijndael (cf. Section 5.4).

6

Efficient Hardware Implementations

The main challenge for compact or high-speed hardware implementations of Rijndael seems to be the efficient implementation of the S-box. The S-box is a nonlinear function with 8 input bits and 8 output bits. Commercially available optimisers are incapable of finding the optimal circuit fully automatically. For compact implementations, the S-box can’t be implemented as a 256-byte table. Instead a dedicated logical circuit has to be designed. In order to achieve maximal

Security of a Wide Trail Design

9

performance, 16 instances of the S-box have to be hardwired (neglecting the key schedule). Since 16 256-byte tables would occupy too much area, a dedicated logical circuit is also required here. The S-box is defined as the inverse map in the finite field GF(256), followed by an affine transformation: S[x] = f (x−1 ).

(7)

Different representations for the field elements can be adopted. It is well known that the representation of the field elements influences the complexity of the inverse map I(x) = x−1 over the field. In [Rij00], we described how a change of representation could decrease the gate complexity of a combinatorial implementation of I(x). This technique has been worked out in [WOL02, SMTM01]. In these implementations, I(x) is replaced by three operations: I(x) = φ−1 (i [φ(x)]) .

(8)

The change of representation is denoted by φ(x), and the more efficiently implementable inverse map is denoted by i(x). The maps φ and φ−1 have to be repeated in every round. Although the implementation of φ−1 can be combined with the implementation of the affine map f (x), there is still a considerable amount of overhead involved. The resulting improvements can be verified in Table 1. A lookup implementation of the S-box [KV01] is compared with several implementations using a different representation for the field elements [SMTM01]. Besides the raw performance measures throughput, clock frequency and gate count, the table also lists an efficiency indicator that is computed as follows [Jan01]: Indicator =

Throughput Clock frequency × Gate count

(9)

Note that the design of [KV01] implements the encryption operation only. Since the decryption operation of Rijndael uses different hardware for some parts of the round transformation, the number of gates for a full implementation would be significantly higher. The authors of [RDJ+ 01] proposed to do the change of field element representation only once, at the beginning of the cipher. Subsequently, all steps of the cipher are redefined to work with the new representation. At the end of the encryption, the data is transformed back to the original representation. This eliminates the overhead in every round. The resulting improvements are shown in Table 1.

7

Conclusions

The main feature of the wide trail design strategy is not the choice for the nonlinear components of the round function (the S-box), but rather the way in which

10

Joan Daemen and Vincent Rijmen

Table 1. Performance of hardware Rijndael implementations (ASIC) Throughput Frequency # gates Indicator (Gb/s) (MHz) (103 ) (10−3 b/gate) 1.82 100 173 0.11 0.12 100 5.7 0.21 0.3 131 5.4 0.42 2.6 224 21 0.55 0.8 137 8.8 0.66 [RDJ+ 01] 7.5 32 256 0.92

Reference [KV01] [WOL02] [SMTM01]

the linear diffusion layers are used to achieve elegant constructions with easily provable properties. This survey of recent results reveals that the described hardware performance improvements for Rijndael are based on the properties of the S-box, rather than the linear components. Also most attempts to cryptanalyze Rijndael are mainly motivated by the algebraic structure in the S-box. No observations have been made that question the core principles of the wide trail design strategy.

References [AES00] [BBS99]

[BDK02]

[BS91] [BS01]

[C ¸ KKP01]

[CP]

[DKR97]

Proceedings of the third AES candidate conference, New York, April 2000. 11 Eli Biham, Alex Biryukov, and Adi Shamir. Cryptanalysis of Skipjack reduced to 31 rounds using impossible differentials. In Jacques Stern, editor, Advances in Cryptology, Proceedings of Eurocrypt ’99, volume 1592 of Lecture Notes in Computer Science, pages 12–24. Springer-Verlag, 1999. 5 Eli Biham, Orr Dunkelmann, and Nathan Keller. New results on boomerang and rectangle attacks. In Daemen and Rijmen [DR02b], pages 1–16. 5 Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991. 3 Alex Biryukov and Adi Shamir. Structural cryptanalysis of SASAS. In Birgit Pfitzmann, editor, Advances in Cryptology, Proceedings of Eurocrypt ’01, volume 2045 of Lecture Notes in Computer Science, pages 394–405. Springer-Verlag, 2001. 6 David Naccache C ¸ etin K. Ko¸c and Christophe Paar, editors. CHES 2001, volume 2162 of Lecture Notes in Computer Science. Springer-Verlag, 2001. 11 Nicolas T. Courtois and Josef Pieprzyk. Cryptanalysis of block ciphers with overdefined systems of equations. Available from IACR’s e-Print server. 7 Joan Daemen, Lars R. Knudsen, and Vincent Rijmen. The block cipher Square. In Eli Biham, editor, Fast Software Encryption ’97, volume 1267 of Lecture Notes in Computer Science, pages 149–165. Springer-Verlag, 1997. 5

Security of a Wide Trail Design [DR02a]

11

Joan Daemen and Vincent Rijmen. The design of Rijndael, AES — the advanced encryption standard. Springer-Verlag, 2002. 1, 3, 4 [DR02b] Joan Daemen and Vincent Rijmen, editors. Fast Software Encryption ’02, volume 2365 of Lecture Notes in Computer Science. Springer-Verlag, 2002. 10, 11 [FKS+ 00] Niels Ferguson, John Kelsey, Bruce Schneier, Mike Stay, David Wagner, and Doug Whiting. Improved cryptanalysis of Rijndael. In AES3 [AES00], pages 213–231. 6 [FM02] Joanne Fuller and William Millan. On linear redundancy in the AES S-box. draft, 2002. 6 [FSW01] Niels Ferguson, Richard Schroeppel, and Doug Whiting. A simple algebraic representation of Rijndael. draft, 2001. 7 [Jan01] Cees Jansen. Personal communication, 2001. 9 [KV01] Henry Kuo and Ingrid Verbauwhede. Architectural optimization for a 1.82gbit/sec vlsi implementation of the AES Rijndael algorithm. In C ¸ etin K. Ko¸c and Paar [C ¸ KKP01], pages 51–64. 9, 10 [KW02] Lars Knudsen and David Wagner. Integral cryptanalysis. In Daemen and Rijmen [DR02b], pages 112–127. 6 [LMM91] Xuija Lai, James Massey, and Sean Murphy. Markov ciphers and differential cryptanalysis. In Donald W. Davies, editor, Advances in Cryptology, Proceedings of Eurocrypt ’91, volume 547 of Lecture Notes in Computer Science, pages 17–38. Springer-Verlag, 1991. 3 [Luc00] Stefan Lucks. Attacking 7 rounds of Rijndael under 192-bit and 256-bit keys. In AES3 [AES00], pages 215–229. 6 [MR00] Sean Murphy and Matt J. B. Robshaw. New observations on rijndael. http://www.isg.rhbnc.ac.uk/~sean/rijn newobs.pdf, August 2000. 6 [MR02] Sean Murphy and Matt J. B. Robshaw. Essential algebraic structure within the aes. In Moti Yung, editor, Advances in Cryptology, Proceedings of Crypto 2002, Lecture Notes in Computer Science. Springer-Verlag, 2002. 8 [RDJ+ 01] Atri Rudra, Pradeep K. Dubey, Charanjit S. Jutla, Vijay Kumar, Josyula R. Rao, and Pankaj Rohatgi. Efficient Rijndael encryption implementation with composite field arithmetic. In C ¸ etin K. Ko¸c and Paar [C ¸ KKP01], pages 171–184. 9, 10 [Rij00] Vincent Rijmen. Efficient implementation of the Rijndael S-box. http://www.esat.kuleuven.ac.be/~rijmen/rijndael/sbox.pdf, 2000. 9 [SMTM01] Akashi Satoh, Sumio Morioka, Kohji Takano, and Seiji Munetoh. A compact Rijndael hardware architecture with S-box optimization. In Colin Boyd, editor, Advances in Cryptology, Proceedings of Asiacrypt 2001, volume 2248 of Lecture Notes in Computer Science, pages 239–254. SpringerVerlag, 2001. 9, 10 [Wer02] Ralph Wernsdorf. The round functions of Rijndael generate the alternating group. In Daemen and Rijmen [DR02b], pages 143–148. 6 [WOL02] Johannes Wolkerstorfer, Elisabeth Oswald, and Mario Lamberger. An ASIC implementation of the AES S-boxes. In Bart Preneel, editor, Topics in Cryptology — CT-RSA 2002, Lecture Notes in Computer Science, pages 67–78. Springer-Verlag, 2002. 9, 10

Fast Algorithms for Determining the Linear Complexity of Period Sequences⋆ Guozhen Xiao1 and Shimin Wei2 1

2

National Key Lab of ISN, Xidian University Xi’an 710071, China [email protected] Department of Computer Science and Technique, Peking University Beijing 100871, China [email protected]

Abstract. We introduce a fast algorithm for determining the linear complexity and the minimal polynomial of a sequence with period p n over GF(q) , where p is an odd prime, q is a prime and a primitive root modulo p 2 ; and its two generalized algorithms. One is the algorithm for determining the linear complexity and the minimal polynomial of a sequence with period p m q n over GF(q), the other is the algorithm for determining the k -error linear complexity of a sequence with period p n over GF(q), where p is an odd prime, q is a prime and a primitive root modulo p 2 . The algorithm for determining the linear complexity and the minimal polynomial of a sequence with period 2p n over GF(q) is also introduced. where p and q are odd prime, and q is a primitive root (mod p 2 ). These algorithms uses the fact that in these case the factorization of xN − 1 is especially simple for N = pn , 2pn , pn q m . Keywords: cryptography, periodic sequence, linear complexity, k-error linear complexity, fast algorithm.

1

Introduction

In [5], R. A. Games and A. H. Chan presented a fast algorithm for determining the linear complexity of a binary sequence with period 2n . C. S. Ding [4] generalized the algorithm to sequences over a finite field GF (pm ) with period pn . S. R. Blackburn [2] generalized the algorithm to sequences over a finite field GF (pn ) with period upr , where u and p are co-prime. In Section 2, we introduce a fast algorithm proposed by Xiao, Wei, Lam and Imamura in [19] for determining the linear complexity of a sequence with period pn over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p 2 ). This algorithm is a generalization of the algorithm proposed by Xiao, Wei, Imamura and Lam in [18]. Generalizations of these two algorithms also are introduced. Section 3 introduce ⋆

The work was supported in part by 973 Project(G1999035804) and the Natural Science Foundation of China under Grant 60172015 and 60073051.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 12–21, 2002. c Springer-Verlag Berlin Heidelberg 2002


Fast Algorithms for Determining the Linear Complexity of Period Sequences

13

the algorithm presented by Wei, Xiao and Chen in [15] for determining the linear complexity and the minimal polynomial of a sequence with period 2p n over GF(q), where p and q are odd prime, and q is a primitive root (mod p 2 ). Although linear complexity is a necessary index for measuring the unpredictability of a sequence, it is not sufficient. The linear complexity has a typical unstable property as a fast change (increase or decrease) by only a few bit change within one period of the original sequence, hence it is cryptographically weak. Ding,Xiao and Shan [4] introduced some measure indexes on the security of stream ciphers. One of them is the sphere complexity of periodic sequences. Stamp and Martin [12] proposed a measure index analogous with the sphere complexity, the k-error linear complexity. In Section 4, we introduce an efficient algorithm for determining the k-error linear complexity of a sequence with period pn over GF(q) presented by Wei, Xiao and Chen in [16], where p is a odd prime, and q is a prime and a primitive root modulo p2 . This algorithm is a generalization of the algorithm presented by Wei, Chen and Xiao [14] for determining the k-error linear complexity of a binary sequence with period pn . In this article we will consider sequences over GF (q), where q is a prime. Let s = {s0 , s1 , s2 , s3 , · · ·} be a sequence over GF (q). The sequence s is called an L-order linear recursive sequence if there exist a positive integer L and c1 , c2 , · · · , cL in GF (q) such that sj + c1 sj−1 + · · · + cL sj−L = 0 for any j ≥ L; and the minimal order is called the linear complexity of s, and denoted by c (s). If there exists a positive number N such that si = si+N for i = 0, 1, 2, · · ·, then s is called a periodic sequence, and N is called a period of s. The generating function of s is defined as s (x) = s0 + s1 x + s2 x2 + s3 x3 + · · ·. Let s be a periodic sequence with the first period sN = {s0 , s1 , · · · , sN −1 }. Then
 sN (x) /gcd sN (x) , 1 − xN sN (x) g (x) s (x) = = , = N N N N 1−x (1 − x ) /gcd (s (x) , 1 − x ) fs (x) where 

fs (x) = 1 − xN gcd sN (x) , 1 − xN ,  
g (x) = sN (x) gcd sN (x) , 1 − xN .

Obviously, gcd (g (x) , fs (x)) = 1,degg (x) < degfs (x) ,the polynomial fs (x) is the minimal polynomial of s, and degfs (x) = c (s) (see [4, page 86 and 87]). We recall some results in finite field theory and number theory (see [8], [10] and [11]). Let p be a prime number. Then φ (pn ) = pn − pn−1 , where n is a positive integer, φ is the Euler φ-function. Let K be a field of characteristic q,n a positive integer not divisible by q, and ζ a primitive n-th root of unity over K. Then the polynomial Φn (x) =

n 

(x − ζ s )

s=1,gcd(s,n)=1

is called the n-th cyclotomic polynomial over K. The degree of Φn (x) is φ (n)and its coefficients obviously belong to the n-th cyclotomic field over K. A simple argument will show that they are actually contained in the prime subfield GF (q)

14

Guozhen Xiao and Shimin Wei

of K, and Φn (x) is irreducible in GF (q), if and only if q is a primitive root (mod n), i.e. if q has order φ (n)modulo n. Let p be an odd prime, q a primitive root (mod p2 ). Then q is also a primitive root (mod pn )(n ≥ 1). If q is an odd number, then q is also a primitive root (mod 2pn )(n ≥ 1). Hence, if q is a prime, then Φpn (x) (n ≥ 1) is irreducible in GF (q); if q is an odd prime, then Φ2pn (x) (n ≥ 1) is irreducible in GF (q).

2

Fast Algorithms for Computing the Linear Complexity of Sequences with Period p n and p mq n

Let s = (s0 , s1 , · · ·) be a sequence with period N = pn over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p 2 ). Set a = (A1 , A2 , · · · , Ap ), where 
Ai = a(i−1)pn−1 , a(i−1)pn−1 +1 , · · · , aipn−1 −1 , i = 1, 2, · · · , p. Xiao, Wei, Imamura and Lam [19] proposed a fast algorithm for determining the linear complexity and the minimal polynomial of s as follows: Algorithm 1[19] . Initial values: a ← sN , l ← pn , c ← 0, f ← 1. (1) If l = 1, go to (2); otherwise l ← l/p, go to (3). (2) If a = (0), stop; otherwise c ← c + 1, f ← (1 − x) f , stop. (3) If A1 = A2 = · · · = Ap , a ← A1 , go to (1); otherwise b ← A1 + A2 + · · · + Ap , c ← c + (p − 1) l, f ← f Φpl (x), go to (1). Finally, we have that c (s) = c and fs (x) = f . The following theorem is the foundation of Algorithm 1. Theorem 1[19] . Let q be a primitive root (mod p 2 ), s = (s0 , s1 , · · ·) a sequence with periodN = pn over GF (q), and let sN  = (s0 , s1 , · · · , sN −1 ) be the first
period of s. Set Ai = s(i−1)pn−1 , · · · , sipn−1 −1 ,i = 1, · · · , p. Then (1) If A1 = A2 = · · · = Ap , then fs (x) = f(A1 ) (x), hence c (s) = c ((A1 )); (2) Otherwise, fs (x) = f(b) (x) ΦN (x), hence c (s) = c ((b)) + (p − 1) pn−1 . Where b = A1 + A2 + · · · + Ap , (A1 )(or (b)) denotes the periodic sequence with the first periodA1 (or b).

In [18], Xiao, Wei, Imamura and Lam presented a special version of Algorithm 1 for q = 2. This special version was generalized to a fast algorithm for determining the linear complexity and the minimal polynomial of a binary sequence with period N = 2n pm , where 2 is a primitive root (mod p2 ) ([17]). Theorem 2[17] . Let a = (a0 , a1 , · · · , aN −1 ) be a finite binary sequence, 2 a primitive root (mod p2 ) and N = 2n pm . Denote M = 2n−1 pm−1 , Ai = (a(i−1)M i, a(i−1)M+1 , · · · , aiM−1 ), i = 1, 2, · · · , 2p. Then n−1

(1) Φpm (x)2

|a (x) if and only if A1 + Ap+1 = A2 + Ap+2 = · · · = Ap + A2p ;

Fast Algorithms for Determining the Linear Complexity of Period Sequences

(2) If Φpm (x)

2n−1

|a (x) , then

2n−1

= Φpm (x) (3) If Φpm (x)

15



  2n gcd a (x) , Φpm (x) 2n−1

gcd Φpm (x)

,

p 

(Ai (x) + Ai+1 (x)) x(i−1)M

i=1

2n−1



;

|a (x) doesn’t hold, then     2n 2n−1 = gcd a (x) , Φpm (x) gcd a (x) , Φpm (x)  p  2n−1 (Ai (x) + Ap+i (x)) x(i−1)M ; , = gcd Φpm (x) i=1

p p    M 2M 2M A2i (x) ; A2i−1 (x) + x = gcd 1 − x , (4) gcd a (x) , 1 − x i=1 i=1  

 2n (5) gcd a (x) , 1 − xN = gcd a (x) , 1 − x2M · gcd a (x) , Φpm (x) .


Theorem 3[17] . Let s be a binary sequence with period N = 2n pm , sN = (s0 , s1 , · · · sN −1 ) the first
period of s, and 2 a primitive root modulo p2 . Denote M = 2n−1 pm−1 , Ai = s(i−1)M , · · · , siM−1 , i = 1, 2, · · · , 2p. Then fs (x) = z f(a) (x) · Φpm (x) , hence, c (s) = c ((a)) + (p − 1) pm−1 z; where M = 2n−1 pm−1 , a = (A1 + A3 + · · · + A2p−1 A2p ), , A2 + A4 + · · · +  2n

z

2n

gcd Φpm (x) , sN (x) , (a) presents the sequence with Φpm (x) = Φpm (x) n the first  period a, hence, z= 2 −t, t is the multiple number of the factor Φpm (x) 2n

in gcd Φpm (x) , sN (x) . By Theorem 2 and 3 we have the following algorithm. Algorithm 2[17] .i Initial: a ← sN , l ← 2n , k ← pm , c ← 0, f ← 1.

(1) If k = 1, go to (2); otherwise k ← k/p, go to (5). (2) If l = 1, go to (3); otherwise l ← l/2, L = (a0 , a1 , · · · , al−1 ), R = (al , al+1 , · · · , a2l−1 ), b ← L + R, go to (4). (3) If a = (0), stop; otherwise c ← c + 1, f ← f (1 − x), stop. l (4) If b = 0, then a ← L, go to (2); otherwise a ← b,c ← c + l,f ← f (1 − x) , go to (2). 
(5) If l = 1, then Ai = a(i−1)k
, a(i−1)k+1 , · · · , aik−1 , i = 1, 2, · · · , p, go to (6); = a(i−1)kl , a(i−1)kl+1 , · · · , aikl−1 , i = 1, 2, · · · , 2p, otherwise Ai

p l ← l/2, p   b← A2i , go to (7). A2i−1 , i=1

i=1

(6) If A1 = A2 = · · · = Ap , then a ← A1 , go to (1); otherwise a ← A1 + A2 + · · · + Ap , c ← c + (p − 1) k, f ← f Φpk (x), go to (1) (7) If A1 + Ap+1 = A2 + Ap+2 = · · · = Ap + A2p , then a ← (A1 + A2 , A2 + A3 , · · · , Ap + Ap+1 ), go to (8); otherwise, a ← (A1 + Ap+1 , A2 + Ap+2 · · · Ap +A2p ), c ← c + (p − 1) lk,f ← f Φpk (x)l , go to (8).

16

Guozhen Xiao and Shimin Wei


(8) If l = 1, then Ai = a(i−1)k
, a(i−1)k+1 , · · · , aik−1 ,i = 1, 2, · · · , p,go to (9); otherwise l ← l/2Ai = a(i−1)kl , a(i−1)kl+1 , · · · , aikl−1 ,i = 1, 2, · · · , 2p, go to (7). (9) If A1 = A2 = · · · = Ap , then a ← b,l ← 2n , go to (1); otherwise c ← c + (p − 1) k, f ← f Φpk (x), a ← b, l ← 2n , go to (1). Finally, we have that the linear complexity c (s) = c and the minimal polynomial fs (x) = f of s. In [13], The algorithm above was generalized to one for determining the linear complexity of a sequence with period p m q n over GF(q), where p is an odd prime, q is a prime and a primitive root (mod p 2 ). The algorithm is as follows. Algorithm 3[13] . Initial value: a ← sN , l ← q n , k ← pm , c ← 0, f ← 1. (1) If k = 1, go to (2); otherwise k ← k/p, go to (6). 
(2) If l = 1, go to (3); otherwise l ← l/q, Ai = a(i−1)l , a(i−1)l+1 , · · · , ail−1 , i = 1, 2, · · · , q, b ← A1 + · · · + Aq , h ← q − 1, go to (4). (3) If a = (0), stop; otherwise c ← c + 1,f ← f (1 − x), stop. (4) If b = (0, · · · , 0), then Ai ← A1 +· · ·+Ai , i = 1, 2, · · · , h, go to (5); otherwise hl a ← b, c ← c + hl, f ← f (1 − x) , go to (2). (5) If h = 1, then a ← A1 , go to (2); otherwise b ← A1 + · · · + Ah , h ← h − 1, go to (4). 
(6) If l = 1, Ai = a(i−1)k
, a(i−1)k+1 , · · · , aik−1 , i = 1,2, · · · , p, go to (7); otherwise l ← l/q, Ai = a(i−1)kl , a(i−1)kl+1 , · · · , aikl−1 , i = 1, 2, · · · , pq,

p−1 p−1 p−1    Aqi+1 , Aqi+2 , · · · , Aqi+q , go to (8). b← i=0

i=0

i=0

(7) If A1 = A2 = · · · = Ap , a ← A1 , go to (1); otherwise a ← A1 +A2 +· · ·+Ap , c ← c + (p − 1) k, f ← f Φpk (x), go to (1). ⌊i/p⌋ q−1 q−1    Aip+p , then Ai ← Aip+1 = · · · = (Ai−jp − Ai−jp−1 ) for (8) If i=0

i=0

j=0

i = 1, 2, · · · , (q − 1) p + 1, r ← 1, go to (9); q−1 q−1 q−1    otherwise a ← Aip+p , Aip+2 , · · · , Aip+1 i=0

i=0 (q−1)l

c

←

c +

i=0

(p − 1) (q − 1) lk,  f ← f Φpk (x)  , go to (6). (9) If Ai = Ai = · · · = Ai , then r ← r + 1, go to (10); othi∈I1,r i∈I2,r i∈Ip,r    erwise a ← Ai , · · · , Ai , c ← c + (p − 1) (q − r − 1) lk, f ← i∈I1,r (q−r−1)l

f (Φpk (x))

i∈Ip,r

, r ← 0, go to (6).

(10) If r = q, a ← b, go to (1); otherwise Ai ←

⌊i/p⌋  j=0

i = 1, 2, · · · , (q − r) p + r, go to (9). Finally, we have that c (s) = c and fs (x) = f .

(Ai−jp − Ai−jp−1 ) for

Fast Algorithms for Determining the Linear Complexity of Period Sequences

3

17

Fast Algorithms for Computing the Linear Complexity of Sequences with Period 2p n

In this section we introduce the algorithm proposed by Wei, Xiao and Chen [15] for determining the linear complexity of a sequence with period 2p n over GF(q), where pand q are odd prime, q is a primitive root modulo p 2 . Theorem 4[15] . Let pand q be odd prime, q a primitive root (mod p2 ), s = (s0 , s1 , · · ·) a sequence with period N = 2pn over GF (q), and let sN = (s0 , s1 , · · · , sN −1 ) be the first period of s. Set 
Ai = a(i−1)pn−1 , a(i−1)pn−1 +1 , · · · , aipn−1 −1 ,

i = 1, 2, · · · , 2p,

and Bj = (A2j−1 , A2j ), j = 1, 2, · · · , p.

Then (1) If B1 = B2 = · · · = Bp , then fs (x) = f((B1 )) (x), hence c (s) = c ((B1 )). (2) If the condition of (1) does not hold, we have one of three cases as follows. Case 1. If A1 +Ap+1 = A2 +Ap+2 = · · · = Ap +A2p , then fs (x) = f(b) (x) Φ2pn (x). Hence c (s) = c ((b)) + (p − 1) pn−1 ; i+1 Ap+i − Ai , i = 1, 2, · · · , p, then fs (x) = Case 2. If Ap+1 − A1 = (−1) f(b′ ) (x) Φpn (x), hence c (s) = c ((b′ )) + (p − 1) pn−1 ; Case 3. If neither of Case 1 and Case 2 holds, then fs (x) = f(b”) (x) Φpn n−1 ; where (x) Φ 2pn (x), hence c (s) = c ((b”)) +2 (p − 1) ip

p p p p     i+1 i+1 ′ Ai+1 , and Ai , (−1) Ai+1 , b = (−1) Ai , b= i=1

i=1

i=1

b” = B1 + B2 + · · · + Bp .

i=1

Let s = (s0 , s1 , · · ·) be a sequence with period N = 2pn over GF(q), sN = (s0 , s1 , · · · , sN −1 ) the first period of s. If pand q are odd prime, and qis a primitive root (mod p2 ), then we have a fast algorithm proposed in [15] for computing the linear complexity of s as follows. Algorithm 4[15] . Initial values: a ← sN , l ← 2pn , c ← 0, f ← 1.
(1) If l = 2, go to (2); otherwise l ← l/p, Ai = a(i−1)pn−1 , a(i−1)pn−1 +1 , · · · , aipn−1 −1 , i = 1, 2, · · · , 2p, Bj = (A2j−1 , A2j ), j = 1, 2, · · · , p. go to (5). (2) If a = (0, 0), stop; otherwise go to (3). (3) If a0 = a1 , then c ← c + 1, f ← (1 − x) f , stop; otherwise go to (4). (4) If a0
+ a1 =0, then c ← c + 1, f ← (1 + x) f , stop; otherwise c ← c + 2, f ← 1 − x2 f , stop. (5) If B1 = B2 = · · · = Bp , b ← B1 , go to (8); otherwise go to (6). (6) If A1 +Ap+1 = A c ← c+(p − 1) pn−1 , f ←

2 p+Ap+2 = · · · =pAp +A2p , then   i+1 i+1 (−1) Ai+1 , go to (8); otherwise go (−1) Ai , f Φ2pn (x), b ← i=1

to (7).

i=1

18

Guozhen Xiao and Shimin Wei

(7) If Ap+1 − A1 = Ap+2 · · · = A2p − Ap , then c ← c + (p − 1) pn−1 ,

p− A2 = p   Ai+1 , go to (8); otherwise Ai , f = f Φpn (x), b ← i=1

i=1

f ← f Φpn (x) Φ2pn (x), c ← c + 2 (p − 1) pn−1 , b ← B1 + B2 + · · · + Bp , go to (1).

Finally, we have that c (s) = c and fs (x) = f .

4

Fast Algorithms for Computing the k -Error Linear Complexity of Sequences with Period p n

Definition 1. Let s = (s0 , s1 , · · ·) be a binary sequence with period N. The smallest linear complexity that can be obtained when any k (0 ≤ k ≤ N ) or fewer of the s i ’ s are altered in every period of s is called the k-error linear complexity of s [12], and denoted by ck (s), i.e. ck (s) = min {c (s + t)}, where tis a binary wH (t)≤k

sequence with period N, wH (t) is the number of non-zero elements of the first period of t, c (s) is the linear complexity of s. Stamp and Martin [12] gave an algorithm for determining the k-error linear complexity of binary sequences with period 2 n . Kaida, Uehara and Imamura [7] generalized the algorithm to an algorithm for determining the k-error linear complexity of sequences over GF (pm ) with period pn . This algorithm is also a generalization of the algorithm presented by Ding [4]. In this section, we introduce an efficient algorithm for determining the k-error linear complexity of a sequence with period pn over GF(q) presented by Wei, Xiao and Chen in [16], where p is a odd prime, and q is a prime and a primitive root modulo p2 . This algorithm is a generalization of Algorithm 1. Let sN = (s0 , s1 , · · · , sN −1 ) be the first period of a sequence s over GF (q), q a primitive root modulo p2 . In Algorithm 1, c only increases when A1 = A2 = · · · = Ap doesn’t hold. Therefore, in the following algorithm, if A1 = A2 = · · · = Ap doesn’t hold, we should force A1 = A2 = · · · = Ap under the change permitted of the original sequence. Algorithm 6[16] . Initial value: a ← sN , l ← pn , c ← 0, cost [i, ai ] ← 0, cost [i, h] ← 1, 0 ≤ h ≤ q − 1 and h = ai ,i = 0, 1, 2, · · · , l − 1, K ← k.
(1) If l = 1, then go to (2); otherwise l ← l/p, Ai = a(i−1)l , a(i−1)l+1 , · · · p−1  cost [i + jl, h], h = 0, 1, 2, · · · , q − 1 , Ti = , ail−1 ), i = 1, 2, · · · , p, Tih = j=0

min {Tih }, T =

0≤h≤q−1

l−1 

Ti , go to (4).

i=0

(2) If a = 0, then stop; otherwise go to (3). (3) If cost [0, 0] ≤ K, then stop; otherwise c ← c + 1, stop. (4) If T ≤ K, then K ← K − T , cost [i, h] ← Tih − Ti , i = 0, 1, 2, · · · , l − 1, go to (5); otherwise, a ← A1 + A2 + · · · + Ap , c ← c + (p − 1) l,

cost [i, h] ←

i = 0, 1, 2, · · · , l − 1, go to (1).

min

d0 +···+dp−1 =h−ai

{

p−1  j=0

cost [i + jl, ai+jl + dj ]},

Fast Algorithms for Determining the Linear Complexity of Period Sequences

19

(5) For i = 0, 1, 2, · · · , l − 1, if Tih = Ti then ai = h. a ← A1 , go to (1). Finally, the k-error linear complexity ck (s) of s is equal to c. In Algorithm 6, cost [i, h] is the minimal number of changes in the initial sequence sN necessary and sufficient for changing the current element ai into h without disturbing the results A1 = A2 = · · · = Ap of any previous steps. When q = 2, we obtain the algorithm presented by Wei, Chen and Xiao in [14] for determining the k-error linear complexity of a binary sequence with period pn , where 2 is a primitive root modulo p2 . Algorithm 7[14] . Initial: a ← sN , l ← pn , c ← 0, cost [i] ← 1, i = 0, 1, 2, · · · , l − 1, K ← k. 
(1) If l = 1, go to (2); otherwise, l ← l/p, Ai = a(i−1)l , a(i−1)l+1 , · · · , ail−1 , p−1 p−1   cost [i + jl] − Ti1 ,Ti = ai+jl cost [i + jl], Ti0 = i = 1, 2, · · · , p, Ti1 = min{Ti0 , Ti1 },T =

j=0 l−1 

j=0

Ti , go to (4).

i=0

(2) If a = 0, stop; otherwise go to (3). (3) If cost [0] ≤ K, stop; otherwise c ← c + 1, stop. (4) If T ≤ K, K ← K − T , cost [i] ← max{Ti0 , Ti1 } − Ti , i = 0, 1, · · · , l − 1, go to (5); otherwise, a ← A1 + A2 + · · · + Ap ,c ← c + (p − 1) l, cost [i] ← min {cost [i + jl]}, i = 0, 1, 2, · · · , l − 1, go to (1). 0≤j≤p−1

(5) For i = 0, 1, 2, · · · , l − 1, if Tih = Ti then ai ← h. a ← A1 , go to (1). Finally, the k-error linear complexity ck (s) of s is equal to c. In Algorithm 7, cost [i] is the minimal number of changes in the initial sequence sN necessary and sufficient for changing the current element ai without disturbing the results A1 = A2 = · · · = Ap of any previous step.

5

Conclusion

In this article, we introduce some algorithms for determining the linear complexity and the minimal polynomial of periodic sequences. Our algorithms makes up for the shortcoming that Games-Chan algorithm cannot compute the linear complexity of sequences with period N ( = q m )over GF(q) in part. The time complexity and the space complexity of the algorithm are both O (N ). We have also shown that it is possible to give linear algorithms for periods other than those of [2],[4] and [5]. Finding fast algorithms to compute the linear complexity of periodic sequences is of great significance. The Berlekamp-Massey algorithm [9] may have to run through more than one period of length N of the sequence before it stabilizes on the correct connection polynomial. The algorithm given in this article works only one period for a sequence with period N (= pn , 2pn , pm q n ) and computes the minimum polynomial in n steps. The Berlekamp-Massay algorithm must store a segment of length 2c

20

Guozhen Xiao and Shimin Wei

of the sequence, where c is the linear complexity of the sequence, while the algorithms given must always store a period of the sequence. The time complexity and the space complexity of our algorithms are both O (N ). There is a fast version of the Euclidean algorithm (see [1]) that can  be used to calculatethe minimal 2

polynomial of a sequence of length N using O N (logN ) loglogN operations. A paper of Blackburn [3] shows that the Berlekamp-Massay algorithm can be adapted to work with essentially the same number of operations, and returns a linear complexity profile as well as the minimal polynomial of the sequence. These algorithms can beused to compute the  minimal polynomial of a sequence 2 with period N using O N (logN ) loglogN operations. Our algorithm can be used to determine the linear complexity and the minimal polynomial of a periodic sequence with period N (= pn , 2pn , pm q n ) using O (N ) operations. an efficient algorithm for determining the k-error linear complexity of a sequence s over GF (q) with period pn is introduced, where q is a prime and a primitive root modulo p2 . The algorithm computes the k-error linear complexity of s in n steps. When q = 2, the algorithm solves partially the open problem by Stamp and Martin [12].

References [1] A. V. Aho, J. E. Hopcroft, J. D. Ullman, The Design and Analysis of Computer Algorithms. Reading, MA: Addision-Wesley, 1974. [2] S. R. Blackburn, ”A generalisation of the discrete Fourier transform: determining the minimal polynomial of a periodic sequence”, IEEE Trans. Inform. Theory, Vol. 40, pp.1702-1704, 1994. [3] S. R. Blackburn, ”Fast rational interpolation, Reed-Solomon decoding, and the linear complexity profiles of sequences”, IEEE Trans. Inform. Theory, Vol. 43, pp. 537-548, 1997. [4] C. Ding, G. Xiao and W. Shan, The stability theory of stream ciphers, SpringerVerlag, Berlin Heidelberg, 1991. [5] R. A. Games, A. H. Chan, ”A fast algorithm for determining the complexity of a binary sequence with period 2n ”, IEEE Trans. Inform. Theory, vol. 29, pp. 144-146, 1983. [6] K. Ireland and M. Rosen, A classical introduction to modern number theory, Graduate Texts in Mathematics No. 84, Springer, New York, 1982. [7] T. Kaida, S. Uehara and K. Imamura, ”An algorithm for the k-error linear complexity of sequences over GF(pm ) with period p n , p a prime”, Information and Computation, Vol. 151, pp.134-147, 1999. [8] R. Lidl and H. Niederreiter, Finite Fields, Addison-Wesley Publishing Company, 1983. [9] J. L. Massay, ”Shift-register synthesis and BCH decoding”, IEEE Trans. Inform. Theory, Vol. 15, pp. 122-127, 1969. [10] R. J. McEliece, Finite fields for computer scientists and engineers, Kluwer Academic Publishers, 1987. [11] K. H. Rosen, Elementary number theory and its applications, Addison-Wesley Publishing Company, 1988.

Fast Algorithms for Determining the Linear Complexity of Period Sequences

21

[12] M. Stamp, C. F. Martin, ”An algorithm for k-error linear complexity of binary sequences with period 2 n , IEEE Trans on Inform. Theory, vol. 39, pp. 1398-1401, 1993. [13] S. Wei, An efficient algorithm for the linear complexity of a class of periodic sequences, Proceeding of ChinaCrypto’2002, Publishing House of Electronics Industry, Beijing, 2002. [14] S. Wei, Z. Chen and G. Xiao, A fast algorithm for k -error linear complexity of a binary sequence. 2001 International Conferences on Info-tech and Info-net Proceedings, IEEE Press, 2001, No Conferences E, 152-157. [15] S. Wei, G Xiao and Z. Chen, A Fast Algorithm for Determining the Minimal Polynomial of a Sequence with Period 2p n over GF(q) IEEE Trans. On Information Theory, 2002, 48(9). (to appear) [16] S Wei, G Xiao and Z Chen, An Efficient Algorithm for k -Error Linear Complexity. Chinese Journal of Electronics 2002 11( 2):265-267. [17] S. Wei, G. Xiao and Z. Chen, A fast algorithm for determining the linear complexity of a binary sequence with period 2n pm , Science in China, Series F, 2001, 44(6):453-460. [18] G. Xiao, S. Wei, K. Imamura and K. Y. Lam, Algorithms for Determingning the Liner complexity Proceeding of International workshop on Cryptographic andCommerce (CrypTEC’99), July 1999 ,Hong Kong, 31-36. [19] G. Xiao, S. Wei, K. Y. Lam, and K. Imamura, ”A fast algorithms for determining the linear complexity of a sequence with period pn over GF (q)”, IEEE Trans. Inform. Theory, 2000, 46(6): 2203-2206.

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures Fran¸cois Arnault, Thierry P. Berger, and Abdelkader Necer LACO, University of Limoges, 123, av. A. Thomas, Limoges 87060, France

Abstract. We propose a new pseudorandom generator based on Linear Feedback Shift Registers (LFSR) and Feedback with Carry Shift Registers (FCSR). We then present a variant of this generator which can used for a selfsynchronizing stream cipher. Keywords: Feedback shift registers, 2-adic expansion, Pseudorandom generators, Self-synchronizing stream ciphers.

Introduction The generation of pseudorandom binary sequences is of primary importance for cryptography. LFSRs are simple, very fast devices which produce pseudorandom bits with good statistical properties. Unfortunately, the sequences obtained this way are very weak for cryptographic purposes because they are easily predictable. Berlekamp-Massey algorithm enables to recover the feedback polynomial and the initial state of any LFSR of length n from the knowledge of 2n consecutive bits of the output sequence. Feedback Shift Registers with Carry operation (FCSRs) are similar fast devices, which have been introduced by Klapper and Goresky. However, there exists a synthesis algorithm (analogous to Berlekamp-Massey algorithm) which makes these devices also insecure [3]. Therefore, the key point in the design of a pseudorandom generator is to find a good trade-off between the implementation cost of the generator, its speed and the complexities of synthesis algorithms. A commonly used technique for increasing the complexities of synthesis algorithms consists in combining several LFSRs (or FCSRs). This method leads to several classical families of pseudorandom generators: nonlinear combination generators, nonlinear filter generators, clock-controlled generators... Here, we propose a new class of pseudorandom generators, which is obtained by combining both LFSR and FCSR architectures. We point out that this new technique makes the generator resistant to synthesis algorithms and that it has a low implementation cost. We also describe a new family of self-synchronizing stream ciphers which are obtained by a similar method.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 22–33, 2002. c Springer-Verlag Berlin Heidelberg 2002


A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

1

23

Generation of Eventually Periodic Binary Sequences with Feedback Shift Registers

We shall give in this section a review of some results concerning feedback shift registers and binary recurrence sequences (eventually periodic sequences). The two architectures (Fibonacci and Galois) of a Linear Feedback Shift Register are introduced as in [3]. We shall also recall some definitions and basic properties of 2-adic numbers and the circuits which generate them, the Feedback with Carry Shift Register (FCSR). For most details the reader could see [3] or [4]. 1.1

The LFSR Architectures for Eventually Periodic Binary Sequences

Linear Feedback Shift Registers are the most commonly used devices for generating eventually periodic sequences, i.e., sequences (sn )n∈N for which there exist nonnegative integers t and n0 such that sn+t = sn for all n ≥ n0 . An eventually periodic binary sequence S = (sn )n∈N satisfies a minimal linear recurrence over
d−1 GF (2): sn+d = i=0 qd−1−i sn+i for all n. Such a sequence can be generated by the well-known Fibonacci architecture of Linear Feedback Shift Registers (LFSR). For example the following circuit generates the sequence satisfying the relation sn+4 = sn+3 + sn with initial conditions s0 = s1 = s3 = 1 and s2 = 0. ✲1 ✲0 ✲1 ✲1 ❝❄ ✛

✲

In this diagram, boxes represent cells (or stages), whose content is a bit an which are controlled by a clock. At each cycle of the clock, each cell outputs the bit value present at is input during the preceding cycle. The symbol ⊕ denotes the addition in GF (2) i.e., the xor operation. An equivalent way to generate such a sequence is to use the Galois
∞architecture for LFSR. If S = (sn )n∈N is a binary sequence, then S(X) = n=0 sn X n ∈ GF (2)[[X]] denotes its generating function. The sequence S is eventually periodic if and only if the series S(X) is rational, i.e. if and only if there exist two polynomials P and Q, Q(0) = 0, such that S(X) = P (X)/Q(X). Moreover if deg(P ) < deg(Q), then S(X) is strictly periodic (cf. [13]). Then, using the classical electronic circuit for polynomial division, it is easy to generate S:
r−1
r If r = max(deg(P )+1, deg(Q)), P (X) = i=0 pi X i and Q(X) = i=0 qi X i , q0 = 1, then S(X) = P (X)/Q(X) is generated by the following circuit: ✲pr−1 ✲ ❝ pr−2 ✻ ♣ qr−1 ✲ ❝♣ q✲ r ❝ ✻ ✻

✲ ❝ p1 ✲ ❝ p0 ✻ ✻ ♣ q✲ ♣ q✲ 2 ❝ 1 ❝ ✻ ✻

✲

24

Fran¸cois Arnault et al.

Here ❝♣ denotes the binary multiplication. The pseudorandom sequences obtained this way have been extensively studied. The most interesting case is when the polynomial Q is primitive, as the period of the obtained sequence is guaranteed to be large (precisely 2deg Q − 1). We obtain this way so-called m-sequences which are sequences with number of good statistical properties (uniform distribution of non-zero words of small length, good distribution of run lengths, low autocorrelation, etc. . . ). Definition 1. The linear complexity (or the LFSR complexity) of a binary eventually periodic sequence S is the length (i.e., the number of cells) of the smallest LFSR generating S. If S(X) = P (X)/Q(X), with P and Q coprime in GF (2)[X], then the LFSR complexity ΛL of S is the maximum of deg(P ) + 1 and deg(Q). For a cryptographic use, given S, it would be difficult to recover the polynomials P and Q. Unfortunately, Berlekamp-Massey Algorithm [7] or Extended Euclidean Algorithm [6] enable to recover P and Q in O(Λ2L ) operations from the knowledge of 2ΛL consecutive bits of S. In the sequel, such a circuit is symbolized by 1.2

P (x)/Q(x)

✲

The 2-adic FCSR Architectures for Eventually Periodic Binary Sequences

First, we will recall briefly some basic properties of 2-adic numbers. For more theoretical approach the reader can refer to [5].
∞ n A 2-adic integer is formally a power series s = n=0 sn 2 , sn ∈ {0, 1}. Clearly, such a series does not always converge in the classical sense, however, it can be considered as a formal object. Actually, this series always converges if we consider the 2-adic topology. The set of 2-adic integers is denoted by Z2 . The addition and multiplication in Z2 can be performed by reporting the carries to the higher order term, i.e. 2n + 2n = 2n+1 for all n ∈ N. If there exists an integer N such that sn = 0 for all n ≥ N , then s is a positive integer.
n An important
remark is the fact that −1 = ∞ n=0 2 , which is easy to verify ∞ n by computing 1+ n=0 2 = 0. This allows us to compute the negative of a 2
fact
∞ ∞ adic integer very easily: if s = 2n + i=n+1 si 2i , then −s = 2n + i=n+1 (1−si )2i . In particular, this implies that s is a negative integer if and only if there exists an integer N such that sn = 1 for all n ≥ N . Moreover, every odd integer q has an inverse in Z2 which can be computed
∞ by the formula q −1 = n=0 q ′n , where q = 1 − q ′ . The following theorem gives a complete characterization of eventually periodic 2-adic binary sequences in terms of 2-adic integers (see [2] for the proof).
n Theorem 1. Let S = (sn )n∈N a binary sequence and S2 = ∞ n=0 sn 2 be the associated 2-adic integer. The sequence S is eventually periodic if and only if there exist two numbers p and q in Z, q odd, such that S2 = p/q. Moreover, S is strictly periodic if and only if pq ≤ 0 and |p| ≤ |q|.

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

25

An important fact is that the period of the rational number p/q is known since Gauss (cf. [2]): Theorem 2. Let S be an eventually periodic binary sequence, let S2 = p/q, with q odd and p and q coprime, be the corresponding 2-adic number in its rational representation. The period of S is the order of 2 modulo q, i.e., the smallest integer t such that 2t ≡ 1 (mod q). The 2-adic division p/q can be easily performed by a Galois architecture using Feedback with Carry Shift Register. For simplification, we will only consider p ≥ 0 and odd q = 1 − q ′ < 0. If pq > 0, it is easy to compute −p/q and then to
∞ obtain p/q by the formula −s = 2n + i=n+1 (1 − si )2i .
r i i=0 pi 2 and q = 1 −
r Underi the hypothesis q < 0 ≤ p, p < −q, p = i=1 qi 2 , the 2-adic division p/q is performed by the following circuit: ✲ pr−1

✲ pr−2 ✻

✲ ✻

♣ qr ✲ ♣❡ qr−1 ✲ ❡ ✻ ✻

q2 ✲ ♣❡ ✻

p1

✲ ✻

✲

p0

q1 ✲ ♣❡ ✻

Where the symbol ⊞ denotes the addition with carry, i.e., it corresponds to the ✛ following scheme:

❍ ❍ cn = ab ⊕ acn−1 ⊕ bcn−1 cn−1 ✲ ✲ ba ✲ s = a ⊕ b ⊕ cn−1 ✲ ✟ ✟

Definition 2. The 2-adic complexity of a binary eventually periodic sequence is the length (i.e., the number of cells) of the smallest FCSR generating S. Remark 1. Let S be a binary sequence. If S2 = p/q with p and q coprime integers, then the 2-adic (or FCSR) complexity Λ2 of S is the maximum of bitlengths of |p| and |q| (cf. [2]). As for the LFSR case, such a 2-adic divisor is symbolized by

2

p/q

✲

Pseudo-random Generator with Compound FCSR and LFSR Architecture

For random generation and stream ciphers, using linear registers alone, or feedback registers alone is weak, because there are algorithms which can easily exploit the algebraic structures carried by these devices.

26

Fran¸cois Arnault et al.

On the other hand, using devices without apparent structure, such as random non-linear register leads to systems which are difficult to analyze and very often completely insecure. A seemingly good method to make a good generator or stream cipher is to use two different structures so that tools which can attack either structure are stopped by the presence of the other structure. However, care must be taken in the way the two structures are interleaved so that some results about the security of the whole system can be deduced from the structure of each part. In our stream cipher we purposely separate the linear part and the 2-adic part. Each part is constructed such that its intrinsic period will be maximal. Moreover the size of each part must resist to an exhaustive attack, i.e. each generator (linear and 2-adic) must have at least 80 registers. The idea to mix GF (2) linearity with 2-adic linearity as yet been used in pseudorandom generation with the “Summation Generator” of Rueppel [11]. The original proposal was found insecure because of relatively small parameters which made a cryptanalysis by 2-adic tools feasible. Also a weakness involving correlation properties was found by J.W. Meier and O. Staffelbach [9] when only two LFSR are summed. However with suitable parameters, this generator seems to be one of the better at the moment. Here, we present another way to mix both these linearities which avoids this problem. 2.1

Concatenation of LFSR and FCSR

The Galois architecture of LFSR (or FCSR) corresponds to the division of a polynomial (an integer) by another polynomial Q(X) (or another integer q) (cf. [3]). A slight modification of these architectures leads to the division of a series by a polynomial or a 2-adic number by an integer. For example, if the input of the following circuit is S(X), then the output is S ′ (X) = S(X)/Q(X). . . . , sr+2 , sr+1 ✲ ❡✲ ✻

sr

❡✲ sr−1 ✻

♣ qr ✲ ♣❡ qr−1 ✲ ❡ ✻ ✻

❡✲ ✻ q2 ✲ ♣❡ ✻

s1

❡✲ ✻

s0

✲

♣ q1 ✲ ❡ ✻

Definition 3. We call such a circuit a LFSR (resp. FCSR) divisor-box with divisor Q(X) (resp. q). The number of cells in a box is called the size of the box. The period of the divisor-box is the order of the divisor Q(X) for the LFSR case, and the order of 2 modulo q for the FCSR case. Such a circuit is symbolized by S(x) and by S2

✲

/q

✲

✲

/Q(x)

for the FCSR case.

✲ for the LFSR case,

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

27

The principle of our pseudo-random generator is to use the output of a LFSR box P (X)/Q(X) as an input of a 2-adic divisor box. 2.2

Design of the Pseudorandom Generator

Public key: • an irreducible primitive polynomial Q(X) of degree k, where k is a prime such that 2k − 1 is also a prime. For practical application and examples , we propose k = 89. Private key: • a polynomial P (X) of degree less than k • A negative prime q of size k, i.e. q ≃ 2k , satisfying the two following conditions: 2k − 1 is co-prime to |q| − 1. The order of 2 modulo q is exactly |q| − 1. For example, this condition is satisfied by |q| = 2r + 1 with r a prime congruent to 1 modulo 4. Compute S(X) = P (X)/Q(X) using a LFSR generator. Set S the 2-adic sequence corresponding to S(X). The output is the pseudorandom sequence S ′ = S/q generated by a FCSR divisor. P(x) /Q(x)

LFSR generator 0

S ✲

/q

✲ S′

FCSR divisor

Statistic Quality of the Sequence S. Set T = 2k − 1 and N = 2T − 1. Since T is prime, if Q(X) is an irreducible polynomial of degree k, then it is a primitive polynomial. This implies that, except for the initialization P (X) = 0, the sequence S generated by the LFSR generator P (X)/Q(X) has the following properties: 1. The period of S is exactly T = 2k − 1. 2. For each run of 89 successive bits of S, the 2k −1 possible values are equiprobable. 3. The sequence S contains 2k−1 bits equal to 1 and 2k−1 − 1 bits equal to 0 in one period T . Some Statistical Properties of 2-adic Division Boxes. Consider the general situation where a binary sequence S is fed to a 2-adic division box by a prime q. Let S ′ denote the output sequence, so that S = qS ′ .

28

Fran¸cois Arnault et al.

If the length of the division box is k, then the prime q satisfies 2k ≤ q ≤ 2k+1 and there are π(2k+1 ) − π(2k ) such primes where π(x) = #{p ≤ x|p prime}. In the case k = 89, this gives approximately 283 possible values for q. For each input sequence, there are approximately 283 possible output sequences. Consider ℓ < 83 consecutive bits of the output sequence, when the divisor is fed with ℓ fixed input bits. As, by Dirichlet density theorem, the number of 89-bit primes in each residue class modulo 2ℓ is expected to be approximately constant, the ℓ consecutive output bits are expected to take any of the 2ℓ possible value with approximately equal probability.
T −1 2-adic Complexity of S ′ . Let ST = i=0 si 2i . Then the 2-adic expression of S is S = ST /N . Let d be the greatest common divisor of ST and N . Set p′ = ST /d and q ′ = N/d. The 2-adic reduced form of S is S = p′ /q ′ . From S ′ = S/q, we deduce S ′ = p′ /q ′ q. Proposition 1. The sequence S ′ is periodic of period T ′ = (2k − 1)(|q| − 1) with a heuristic probability p greater than 1 − 2−k . Proof. Under the hypothesis q  |p′ , the 2-adic reduced form of S ′ is S ′ = p′ /q ′ q. Note that the period of S is T . This implies that the order of 2 modulo q ′ is T . The order of 2 modulo q is |q| − 1, which is coprime to T . The order of 2 modulo q ′ q is then T ′ = (2k − 1)(|q|− 1). Since q is greater than 289 , the heuristic probability of q divides p′ is less than 2−k . For k = 89 this gives a period T ′ ≃ 2178 . Lemma 1. The 2-adic complexity of S ′ is Size(q)+Size(q ′) = k +2k −Size(d), where Size(a) = ⌈log2 (|a|)⌉ is the bitlength of a. Proof. This result is the direct consequence of the fact that p′ /q ′ q is the reduced form of S ′ and q ′ q = (2k − 1)q/d. Lemma 2. If p is a prime divisor of N then p ≥ 2k . Proof. Such a p divides N = 2T − 1, so the order of 2 modulo p divides T . As T is prime this order is exactly T . Hence T divides p − 1. This implies p ≥ T + 1. Lemma 3. The number s of prime divisors (counting multiplicities) of N satisfies s ≤ log(N )/ log(T + 1) < T /k.  t 1 Lemma 4. For t ≥ 2, we have the inequality 1 − t ≥ exp(−1 − 1/t). Proof. The function u → ln(1 − u) + (u + u2 ) is increasing and positive in the range [0, 1/2] so that, for t ≥ 2 we have ln(1 − 1/t) ≥ −(1/t + 1/t2). Multiplying by t and taking exponential of both sides gives the result.

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

29

Proposition 2. For x ∈ {0, 1, . . . , N − 1}, the expected value of gcd(x, N ) is upper bounded by σ(N ), the number of divisors of N . Proof. For all d dividing N , the probability ρd that gcd(x, N ) = d is upper bounded by 1/d.
Hence the expected value of gcd(x, N ) satisfies
E(gcd(x, N )) = d|N dρd ≤ d|N 1 = σ(N ).

Corollary 1. The expected value of gcd(x, N ) for x ∈ {0, . . . , N − 1} is less √ than k N + 1. Proof. From the previous lemmas, we√get E(gcd(x, N )) ≤ σ(N ) ≤ 2s < 2T /k = k N + 1. In consequence, for k = 89, the expected 2-adic complexity of S ′ is 289 + 89 − 2 /89 ≃ 288 . 89

Linear Complexity of S ′ . The main principle of this pseudorandom generator is the fact that 2-adic operations and linear operations are not related. This fact is used in most hash functions: such a function is a succession of linear (or affine) operations such as permutations of bits, XOR operations, and multiplication by a number modulo R, where R is generally a power of 2. This operation is simply a truncated 2-adic multiplication. In our work, we use the inverse of a non-truncated 2-adic multiplication. Under this assumption, the attempted linear complexity of S ′ is the attempted linear complexity of a random sequence of length T ′ . Following [12], it is about 22k−2 (≃ 2176 for k = 89). Modeling of the Pseudo-random Generator by a System of Equations. In this paragraph, we try to express the outputs s′r of the generator as functions of the secret key values. After a short times of initializations of the registers, the size and the degree of non-linearity of such functions increase very quickly. In consequence, it
is not possible to use these
∞ relations to break the system. k−1 Set P (x) = i=0 pi X i and 1/q = i=0 bi 2i . We know that the size of q is k, then it is easy to check that the knowledge of q is equivalent to the knowledge of the bi ’s for i = 0, . . . , k − 1: the integer q is the inverse modulo 2k of b =
k−1 i i=0 bi 2 . Moreover, we know that q and b are odd, and then b0 = 1. Since Q(X) is known, the sequence S ′ is completely known from the knowledge of pi and bi for i = 0, . . . , k − 1. For each r from 0 to T ′ − 1, there exists a boolean function Fr such that s′r = Fr (p0 , . . . , pk−1 , b0 , . . . , bk−1 ). Breaking the generator is equivalent to solve the system of equations Fr (p0 , . . . , pk−1 , b0 , . . . , bk−1 ) = s′r for r = 0, . . . , T ′ Note that it is theoretically possible to compute exactly the boolean functions Fr from the knowledge of Q(X). The aim of this paragraph is to determine the degree of non-linearity of these boolean functions and the reason for that it

30

Fran¸cois Arnault et al.

is necessary to eliminate the first values of S ′ . If not, it will be possible to recover some information about a few bits of P (X) and a few bits of b. For a maximum of security, we propose s′i for i < k − 1.
∞to eliminate i Set 1/Q(X) = i=0 ai X . For i greater than 89, the coefficient ai can be expressed linearly from a0 , . . . , a88 . In the sequel, we are interested by the 89 first coefficients of S(X) and S ′
. ∞ Set S(X) = P (X)/Q(X) = i=0 si X i . We obtain the following equations: s0 = a0 p0 = L0 (p0 ) s1 = a1 p0 ⊕ a0 p1 = L1 (p0 , p1 ) s2 = a2 p0 ⊕ a1 p1 ⊕ a0 p2 = L2 (p0 , p1 , p2 ) .. .. . . si = i−1 ℓ=0 ai−ℓ pℓ = Li (p0 , . . . , pi−1 ) for i ≤ k − 1 The boolean functions Li are linear, since the first part of the generator is a LFSR. Note that, since 1/Q(X) is well balanced, the average number of null coefficients in the linear boolean functions Li is equals to the average of coefficient equals to 1. We can notice that the diffusion of the pi ’s becomes maximal for i greater than k − 1. Now, we are interested by the action of the 2-adic division of S by q. For the k first values of S ′ , our divisor box can be replaced by the multiplication by b = q −1 (mod 2k ). In fact the i-th bit of S ′ is obtained from the multiplication of S by b (mod 2i+1 ). First, we will recall some results on the linear complexity of the addition of integers with
a fixed size.
k−1
k i i i Set α = k−1 i=0 αi 2 and β = i=0 βi 2 . Let σ = α + β = i=0 σi 2 . We have: σ0 = α0 ⊕ β0 , carry c0 = α0 β0 σ1 = α1 ⊕ β1 ⊕ cO , carry c1 = α1 β1 ⊕ α0 β0 (α1 ⊕ β1 ) σ2 = α2 ⊕ β2 ⊕ c1 , carry c2 = α2 β2 ⊕ α1 β1 (α2 ⊕ β2 ) ⊕ α0 β0 (α2 ⊕ β2 )(α1 ⊕ β1 ) ...... In our situation, the product S = qS ′ can be considered as some successive additions: S ′ = b0 S + 2b1 S + 22 b2 S + . . . + 2k bk S + . . .. This gives the relations (the degree is the degree of non-linearity of the boolean functions): s′0 = b0 s0 = a0 b0 p0 = F0 (p0 , b0 ), degree: 1 (linear!). s′1 = b0 s1 ⊕ b1 s0 = F1 (p0 , p1 , b0 , b1 ), degree 2. Carry c′1 = b0 s1 b1 s0 = c′1 (p0 , p1 , b0 , b1 ), degree 4. s′2 = b0 s2 ⊕ b1 s1 ⊕ b2 s0 ⊕ c′1 = F2 (p0 , p1 , p2 , b0 , b1 , b2 ), degree 4. The carry c′2 is of degree 5. Etc. . . In fact, it can be checked that, for i > 1, the degree of non-linearity of Fi is 2i if i is even or 2i − 1 if i is odd. The most important fact is that the number of active variables in Fi is not sufficient for i small. It is the reason for that we preconize to use the k − 1 first

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

31

bits for the initialization of the cells. Under this assumption, our problem can be modelized by a system of equations of expected degree at least 2k − 1, and 2k unknowns. For comparison the public-key cryptosystem HFE consists to solve a system of degree 2 with about 80 unknowns (cf. [10]). Cryptanalysis of the Pseudorandom Generator. Attack on the keys. This generator is broken as soon as P (X) or q are recovered. Indeed, if P (X) is known, it is possible to generate S. Computing the quotient S ′ /S on k bits gives q. If q is known, it is easy to recover 89 bits of S from S = qS ′ . The polynomial P (X) is recovered from P (X) = Q(X)S(X). This generator must be resistant to exhaustive attacks on each key. The size of key for P (X) is 2k − 1 (P (X) = 0 is prohibited. . . ). The size of key for q is the number of prime numbers of size k. For k = 89, it is greater then 283 . Moreover, there exist many algorithms to generate such prime number. 2-adic attack. This attack needs the knowledge of 2Λ2 (S ′ ) + 1 bits, that is about 2176 bits for k = 89. FCSR-Linear attack. This attack needs the knowledge of 2ΛL(S ′ ) + 1 bits, that is about 290 bits for k = 89. Boolean functions attack. The modeling of the generator by boolean functions Fk described previously arises to a very large polynomial system with very hight degree. Moreover, the exact computation of only one equation Fi for i ≥ k is a very difficult problem.

3

A New Self-synchronizing Stream Cipher

It is possible to modify the previous generator to produce a self-synchronizing stream cipher (cf. [8]). The principle is very simple: we need • a LFSR divisor-box, whose divisor is a primitive irreducible polynomial Q(X) of degree k, and then of period 2k − 1, • a FCSR divisor-box, whose divisor is a negative prime q such that Size(q) = k and N ′ = ordq (2) = |q| − 1 is co-prime to 2k − 1. Let S be the message to encrypted. The encryption scheme is the following: • Compute S ′ (X) = S(X)/Q(X) by the LFSR divisor-box. • Convert S ′ (X) into the 2-adic integer S2′ . • Compute the output S2′′ = S2′ /q by the FCSR divisor-box. S

✲

/Q(x)

LFSR divisor

✲

/q

FCSR divisor

✲ S′

32

Fran¸cois Arnault et al.

The decryption scheme follows easily from the encryption scheme: • Compute S ′ (2) = qS ′′ (2). • Convert S ′ (2) into the series S ′ (X). • Compute the input S by S(X) = Q(X)S ′ (X). Remark 2. The circuits to compute effectively these converse operations are wellknown. They correspond to the reverse of divisor circuits. The complexity are the same that whose of divisor circuits. If the size of each divisor-box is k, this scheme is self-synchronized after a delay of length just little more than 2k bits. Indeed, suppose we know the cipher stream S ′′ only from the n-th bit s′′n onwards. Multiplying the known part of the stream by q gives the correct bits of S’ from s′n+k + r onwards, where r is the length of a possible propagated carry. A carry may occur after the n + k bits of S ′ as far as the bits of S ′ are all equal to 1. Note that this carry propagation extends to no more than 2 bits with probability 0.75, and no more than 20 bits with probability greater than 0.999 999. We finally can recover a part of the sequence S by multiplication by Q(X). This induces one more delay of k bits for the initializations of the cells of the second multiplicator box. For a practical implementation, we propose k = 89. This implies in particular that every irreducible polynomial Q(X) is primitive. The attempted synchronization delay is about 200 bits. Moreover, for avoiding the problems of the initialization of cells, it is preferable to add a random preamble to S of size 89, or to initialize all the cells randomly. Analysis of the Stream Cipher. • As noticed previously, if we know k consecutive values of the input and output of a LFSR or FCSR divisor-box, it is possible to recover the divisor Q(X) or q of the box. However, when we use a serial composition of FCSR and LFSR divisor-boxes, this attack does not work: such a system cannot be simulated by a simple LFSR or FCSR box. • Every plaintext bit affects the entire following ciphertext. For example, suppose that two plaintexts differ by only one bit: S2 (X) = S1 (X) + X n . After the division by Q(X), this gives S2′ (X) = S1′ (X) + X n /Q(X). Note that X n /Q(X) is an infinite sequence of period 2k − 1. Moreover, setting T (X) = X n /Q(X), then S2′ (2) = S1′ (2) + T (2), since the first addition is without carry, and the second is with carries. • To achieve an attack on this stream cipher is strongly related to achieve an attack on the pseudorandom generator proposed in the previous section. Indeed, the plaintext can be represented by a polynomial P (X). The ciphertext we get is exactly the output of the sequence generated by the LFSR

A New Class of Stream Ciphers Combining LFSR and FCSR Architectures

33

generator P (X)/Q(X) followed by a FCSR divisor-box by q. To recover the plaintext, we need to find part of the structure of the pseudorandom generator.

4

Conclusion

We considered LFSR and FCSR architectures for pseudorandom generators. We proposed a new pseudorandom generator combining both architectures, being very fast and well suited for hardware implantation. The presence of two parts of different algebraic nature makes this generator difficult to synthesize by algebraic methods. We also proposed a self-synchronizing stream cipher derived from our pseudorandom generator, which inherits of its speed and resistance to known attacks. The authors wish to acknowledge Anne Canteaut and the anonymous referees for their suggestions and remarks.

References [1] D. Coppersmith, H Krawczyk, Y. Mansour. The Shrinking Generator, Lecture notes in computer science (773), Advances Cryptology, CRYPTO’93. Springer Verlag 1994, 22-39 [2] M. Goresky, A. Klapper Fibonacci and Galois Representation of Feedback with Carry Shift Registers, preprint, October 27, 2000. 24, 25 [3] A. Klapper, M. Goresky, Feedback Shift Registers, 2-Adic Span, and Combiners With Memory, Journal of Cryptology (10), (1997) 111-147. 22, 23, 26 [4] M. Goresky, A. Klapper Cryptanalysis based on 2-adic Rational Approximation, Lecture notes in computer science (963), Advances in Cryptology, CRYPTO’95, Springer Verlag 1995, 262-274. 23 [5] N. Koblitz p-adic Numbers, p-adic analysis and Zeta-Functions, Springer-Verlag 1997. 24 [6] F. J. Macwilliams, N. J. A. Sloane The theory of Error Correcting Codes, North-Holland 1986. 24 [7] J. L. Massey Shift register synthesis and BCH decoding, IEEE Trans. Inform. Theory, vol IT-15, 122-127, 1969. 24 [8] U. M. Maurer New approaches of the Design of Self-Synchronizing Stream Ciphers, Lecture Notes in Computer Science (547), Advances in Cryptology, EUROCRYPT’91, Springer-Verlag 1991, 458-471. 31 [9] J. W. Meier, O. Staffelbach Correlation properties of combiners with memory in stream ciphers, Journal of Cryptology, vol.5, n.1, 1992, 67-86. 26 [10] J. Patarin Hidden Field Equations (HFE) and Isomorphisms of Polynomials (IP): two new families of asymmetric algorithms, Advances in Cryptology, Eurocrypt 96, Springer LNCS 1070, 33–48 31 [11] R. A. Rueppel, Correlation immunity and the summation generator, Lecture Notes in Computer Science (218), Advances in Cryptology, CRYPTO’85, Springer-Verlag 1985, 260-272. 26 [12] R. A. Rueppel, Linear complexity of random sequences, Lecture Notes in Computer Science (219, Proc. of Eurocrypt’85, 167–188) 29 [13] N. Zierler, Linear recurring Sequences, J. Soc. Indust. Appl. Math., Vol. 7, 1958. 23

Slide Attack on Spectr-H64 Selçuk Kavut and Melek D. Yücel Electrical & Electronics Eng. Dept., Middle East Technical University TÜBİTAK-BİLTEN, Information Technologies and Electronics Research Institute 06531, Ankara, Turkey {kavut,melek-yucel}@metu.edu.tr

Abstract. We compare one round diffusion characteristics of the block cipher Spectr-H64 to those of AES-Rijndael and Safer K-64, in terms of the Avalanche Weight Distribution (AWD) criterion and observe a weakness in the round transformation of Spectr-H64. We exploit this weakness to break one round of Spectr-H64 extracting half of the key bits, and develop a chosen plaintext slide attack against the overall encryption algorithm, which works for 232 elements of the key space (out of 2256). We also observe 2128 weak keys, for which encryption becomes the same function as decryption, and 232 fixed points for each weak key. Keywords: Slide attack, Spectr-H64, Avalanche Weight Distribution (AWD).

1

Introduction

Spectr-H64 is a 12-round Feistel-like cipher, which is designed by N. D. Goots, A. A. Moldovyan and N. A. Moldovyan [1]. It is based on data-dependent permutations and data-dependent transformation of round keys, with 64-bit input block length and 256r r r bit key length as explained in Appendix A. The output P = (PL , PR ) of the rth round -1 -1 r r is found using the 32-bit left and right halves PL and PR of the previous round output as r r-1 r-1 (1) PL = f (PR , PL , Qr), r r-1 (2) PR = PL , where the round keys Q1, …, and Q12 are derived from the original key K∈{0,1}256 (see Table A-1 in Appendix A). The transformation f in (1) has a weak diffusion property such that, if k bits in the r-1 r-1 r-1 r-1 right half PR of the rth round input P = (PL , PR ) are complemented to obtain r-1 r-1 r-1 P = (PL , P R ), then corresponding round outputs differ in the left half exactly by k bits, hence the Hamming weight of the difference vector remains the same, i.e., k =wt (P

r-1

⊕ P

r-1

r-1

r-1

r

r

r

r

)= wt (PR ⊕ P R ) = wt (PL ⊕ P L ) = wt (P ⊕ P ).

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 34-47, 2002.  Springer-Verlag Berlin Heidelberg 2002

(3)

Slide Attack on Spectr-H64

35

In Section 2, we describe the experimental work that leads us to notice the weakness given by (3), and use it to break one round of Spectr-H64. We then propose a slide attack [2, 3] against the overall algorithm in Section 3, which works for 232 weak keys of the form K = (K1, K1, K1, K1, K1, K1, K1, K1) and K1∈{0,1}32. This attack requires 217 chosen plaintexts and 232 comparisons. We describe the slide attack on a modified variant of Spectr-H64, and implement it by using 217 chosen plaintexts and 216 comparisons in a sorted list. Finally, we discuss in Section 4 that for the 2128 keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4), which also include the above mentioned 232 weak keys, encryption is the same function as decryption; thus, double encryption reveals the plaintext. For each key in this set of size 2128, we observe that there are 232 fixed points.

2

Breaking One Round of Spectr-H64

Our idea to break one round of Spectr-H64 is based upon the influential work on differential cryptanalysis [4, 5]. We utilise the weak diffusion property described by (3) to extract 128 key bits after one round of the algorithm, using a single known plaintext and 32 adaptively chosen plaintexts. To demonstrate the weakness given by (3), we compare one round diffusion characteristics of Spectr-H64 [1] to those of AES-Rijndael [6] and Safer K-64 [7]. The latter two algorithms are compared in [8] with respect to their Avalanche Weight Distribution (AWD) curves, which are defined as the Hamming weight histograms of ciphertext difference vectors [9]. Calling an encryption function F, the avalanche vector for an input P is the output difference vector A = F(P) ⊕ F(P ⊕ ei), where ei is a unit vector with a 1 in position i. The AWD curves are defined simply as “the number of occurrences (in the sample space of all inputs) of the Hamming weight wt(A) sketched versus wt(A)”; and they are expected to be binomially distributed in the ideal case [9]. In Fig.1, we sketch Spectr-H64

Number of Occurences of wt(Avalanche vector)

AES

Safer K-64

0

10

20

30

40

50

60

wt(A)

Fig. 1. One round AWD curves of Spectr-H64, Safer K-64 and AES corresponding to the worst case single bit input differences

36

Selçuk Kavut and Melek D. Yücel

one round AWD curves corresponding to a (worst case) single bit plaintext difference for the block ciphers AES-Rijndael, Safer K-64, and Spectr-H64, using 1.000.000 randomly chosen plaintext pairs for AES-Rijndael, and 10.000 such pairs for Safer K-64 and Spectr-H64. (The graphs in the figure are normalized in order to make them comparable. Notice that since there are 2128 elements in the input vector space of Rijndael, as compared to 264 elements of the other two ciphers, AWD curve of Rijndael is more fluctuating than others. This is so, because the experimental set of 10.000 random plaintexts divided by 264 is a much higher fraction than 1.000.000 / 2128. Hence, presented AWD curves of Safer K-64 and Spectr-H64 are relatively more reliable than that of Rijndael.) We observe that although perfect diffusion cannot be obtained in a single round of these ciphers; yet Safer K-64, and Rijndael are quite successful in diffusing single bit changes, whereas Spectr-H64 is not if the complemented bit is in the right half. The reason why a right half difference vector propagates without any weight change in a given round is that, for the input vectors P and P with identical left half parts, all control bits of the data-dependent permutations P32/80 and P-132/80 and the output of the nonlinear function G remain the same under the same key (See Fig. A-1). Hence, the difference between the right half parts of P and P is only permuted and reflected to the first round output. It is possible to prove the weak diffusion property given by (3) starting from the round description equation (A-5) given in Appendix A. The initial transformation does not improve this weakness, since its bit permutations between adjacent pairs cannot mix separate halves of the plaintext with each other. Hence, as far as the propagation of the right half input difference is concerned, the first round of the algorithm can be modelled as a cascade connection of P32/80 and P-132/80 boxes, as shown in Fig.2. The first 5 layers in this figure belong to the permutation P32/80 and the last 5 layers belong to the inverse permutation P-132/80. The XOR boxes between P32/80 and P-132/80 boxes are not included in Fig.2 since they do not have any effect on difference vectors. Another weakness of the round transformation, exploited to extract the key bits after the first round, is the fact that the control vector V1 used in Layer 1 of P32/80 and Layer 10 of P-132/80 boxes is completely known. Initially, V1 is equal to the 16-bit right half of the rotated 32-bit left half of the input vector (see equation (A-2a) and Fig. A-1). In the following, we use these two weaknesses of Spectr-H64 to describe how the control bits of one permutation layer are found using all control bits of the previous permutation layer and propagation of one bit input differences. Calling one round encryption of Spectr-H64, F(P), for a single bit input difference vector ei, F(P ⊕ ei) = F(P) ⊕ ej, for all i ∈ {33, 34, …, 64}, and j ∈ {1, 2, …, 32}. Knowing the output difference bits (ej) caused by the input difference bits (ei), the control vector bits are found completely, which are then used to obtain 32 × 4 key bits K1, K2, K3 and K4 by applying the inverse of the extension transformation. In Fig.2, we sketch the first round propagation of one bit input difference vector e33 (corresponding to the state of all zero control bits at the first and last layers) without considering the initial transformation. Notice that only the right halves of propagating differences are shown in the figure since the left half differences are all zero vectors. All control bits of Layer 1 and Layer 10 are known since the plaintext is known (we

Slide Attack on Spectr-H64

37

Fig. 2. The combination of the transformations P32/80 and P-132/80, illustrating the propagation of one bit input difference (e33) after one round encryption of the algorithm without the initial transformation

38

Selçuk Kavut and Melek D. Yücel

assume vi = vi` = 0 for i = 1, 2, ..., 16). The first control bit v17 of Layer 2 is found using the propagation of input difference e33. If one of the output bits indicated by bold lines in Fig.2 is complemented in response to the input difference e33, then v17 = 0; otherwise v17 = 1. As a second step, the value of v18 is found similarly, considering the propagation of either e37 or e39, which are controlled by v18. Knowing the positions of the output bits in response to each single input bit difference, one can then obtain all control bits of Layer 2. Now since we know all the control bits of Layer 2, we can also obtain the input vectors of Layer 3 and corresponding output vectors of Layer 10; therefore the control bits of Layer 3 are found similarly. In this way all control bits and the key bits K1, K2, K3 and K4 are obtained using a known plaintext-ciphertext pair (P, C) and 32 adaptively chosen plaintext-ciphertext pairs (Pi, Cj) of one round encryption for each value of i (Pi = P ⊕ ei, Cj = C ⊕ ej, i ∈ {33, 34, …, 64}, j ∈ {1, 2, …, 32}). If the initial transformation is included, we observe a similar distribution of output difference bits, as for one round of Spectr-H64 without the initial transformation, in response to a single input bit difference. Therefore, the propagation of one bit input difference can also be exploited similarly to extract the key bits K1, K2, K3 and K4 after one round of Spectr-H64 with the initial transformation.

3

Applying Slide Attack on Spectr-H64

In this section, firstly the slide attack is applied to a modified variant of Spectr-H64, without the initial and final transformations for the 232 weak keys, and then it is shown how the initial and final transformations affect the number of operations necessary to break the algorithm for the same keys. The first step in “sliding” direction can be dated back to a 1978 paper by Grossman and Tuckerman [10]. Afterwards, Biham’s work on related-key cryptanalysis [11], and Knudsen's early work [12] are the milestones in this direction. Slide attacks are, in general, independent of the exact properties of the iterated round function and the number of rounds, which is not the case for the conventional cryptanalytic tools such as differential and linear cryptanalysis for which each additional round requires an exponential effort from the attacker [2, 3]. A typical slide attack exploits the self similarity of a block cipher and views the cipher as a product of identical transformations FQ (P), where Q is the round key (here F might include more than one round of the cipher). The only requirement on F is that it can be broken easily once an input-output pair is obtained. Calling the identical transformation FQ = r F, and the overall encryption function E = F ο F ο … ο F = F , the crucial observation leading to the slide attack [2, 3] is r

r

r

r

P′ =F(P) and C=F (P) implies C′= F (P′)=F (F (P))=F(F (P))=F (C). Hence, a standard slide attack tries to find plaintext-ciphertext pairs (P, C) and (P′, C′) with C′ = F (C). Such pairs are called slid pairs, and once a slid pair is found, an extra relation P′ = F (P) is obtained. In order to find the degree of self similarity in Spectr-H64, we first examine the key schedule given in Table A-1. It is observed that Spectr-H64 has 2128 weak keys

Slide Attack on Spectr-H64

39

of the form K = (K1, K1, K2, K2, K3, K3, K4, K4) for which encryption is the same function as decryption, and thus double encryption reveals the plaintext (see Section 4). However, in this case, the key scheduling does not yield periodic round keys. More specifically, all round keys are different with the exception that Q1 = Q9, Q3 = Q10 and Q4 = Q12, therefore slide attack does not apply. On the other hand, it is observed that if all Ki’s (i ∈ {1, 2, ..., 8}) are equal to each other, the same round keys are produced for each round, and Q1 = Q2 = ... = Q12 = Q (see Table A-1). Spectr-H64 can then be viewed as a product of identical permutations for this key subspace of 232 weak keys in which all Ki’s are equal to each other. Our attack is applicable for only these keys. The overall algorithm consists of the initial transformations, 12 identical round transformations and the final transformation for the mentioned 232 weak keys. Because of the weakness described in Section 3, once we obtain a pair (P, P′) of one round encryption where P′ = F (P), 128 key bits of K1, K2, K3 and K4 can be extracted in a negligible time. Therefore the easy cryptanalysis requirement on F is satisfied. We implement the slide attack on a modified variant of Spectr-H64 without the initial and final transformations, as illustrated in Fig.3 in simplified form, where f denotes the transformation applied to the right half of the round input.

Fig. 3. Illustration of the slide attack on Spectr-H64, applicable for the 232 keys, without initial and final transformations; if C′L = CR, then P′ is the one round encrypted form of P

A chosen plaintext slide attack encrypts two pools of chosen plaintexts P = (PL, PR) and P′ = (P′L, P′R ), where PL = P′R is fixed, and PR and P′L both take 216 random values. Then, checking whether C′L = CR, we expect to find a vector P′ in the second pool which is one round encrypted form of the element P from the first pool with high probability, by the birthday paradox. We identify such a slid pair by using a lookup table (or sorted list) with 216 comparisons [2] in a negligible time. After finding a slid pair, other adaptively chosen 32 plaintext-ciphertext pairs of the first round are easily found with the help of the procedure explained below:

40

1.

2.

Selçuk Kavut and Melek D. Yücel

Encrypt 32 plaintexts Pi = P ⊕ ei, and 32 plaintexts P′j = P′ ⊕ ej corresponding to the slid pair (P, P′); for all i ∈ {33, 34, …, 64}, j ∈ {1, 2, …, 32}, and obtain 32 × 32 ciphertext pairs Ci and C′j . (Notice that the r subscript of the ciphertext simply indicates the corresponding plaintext, F (Pi)= Ci, and it does not imply that Ci = C ⊕ ei .) Check whether C′iL = CjR for each ciphertext pair; if they are equal, corresponding plaintext pair Pi and P′j satisfy the equation F (Pi) = P′j.

Notice that since one bit input differences cause one bit output differences after one round encryption of Spectr-H64, the above procedure works. Now, one can extract the 128 key bits used for the first round, as explained in Section 3. Since our attack works for the 232 weak keys in which all Ki’s (i ∈ {1, 2, ..., 8}) are equal to each other, knowing the extracted key bits is equivalent to knowing all the key bits. The attack is independent of the number of rounds of the cipher, and requires 217 chosen plaintexts and 216 comparisons. Next, we consider the effect of the initial and final transformations on the cryptanalysis of Spectr-H64. One can observe from Fig.A-1 that, if successive bits of the plaintext entering the same P2/1 boxes are chosen the same, the initial transformation output is independent of the control bits. Hence, in the attempt of finding a slid pair, where one assigns the plaintexts P = (PL, PR) and P′ = (P′L, P′R) such that PL = P′R , we can choose PL and P′R in the above mentioned form that the initial transformation cannot affect. For example, if PL and P′R are chosen as all zero vectors (see Fig.4), the effect of the initial transformation is removed; however, the final transformation still remains effective unless QFTL = QFTR.

Fig. 4. Illustration of the effect of the initial and final transformations on the slide attack shown in Fig.3

Slide Attack on Spectr-H64

41

If QFTL = QFTR, the left and right halves of the final transformation inputs are subject to the same permutation; and one can find a match for the vectors C′L and CR, with 216 comparisons. On the other hand, if QFTL ≠ QFTR, we have to guess all possible (2 × 216) input vectors of the final transformation in order to find a match between C′L and CR. The slide attack on Spectr-H64 also requires 217 chosen plaintexts, as for the slide attack on the modified variant of Spectr-H64. However, in this case, since we have 2 × 232 possible vectors C′L and CR due to the different left and right halves of the vector QFT, time complexity increases remarkably from 216 to 232. In addition, there may be some false matches between the vectors C′L and CR while guessing the vectors QFTL and QFTR, which can be checked immediately during the process of extracting the key bits.1 After finding a slid pair, 32 adaptively chosen plaintexts can be found using a similar procedure, which is explained for the attack on the modified variant. The key bits are extracted after breaking one round of Spectr-H64 with the initial transformation, as explained in Section 3.

4

Weak Keys and Fixed Points

The analysis of fixed points in DES weak keys and cycle structure of DES using these keys are explained by Coppersmith [13]. Moore and Simmons published more extensive work later on DES weak keys [14]. We observe that Spectr-H64 also has a set of 2128 weak keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4), for which encryption is the same function as decryption. Since the round keys for decryption become the same as the round keys for encryption (see Table 1), double encryption reveals the plaintext. Table 1. The round keys of Spectr-H64 used for both encryption and decryption, for the keys of the form K = (K1, K1, K2, K2, K3, K3, K4, K4) QIT K1

Q1 K1 K1 K3 K4 K2 K2

Q2 K4 K3 K1 K2 K3 K4

Q3 K3 K4 K1 K2 K3 K4

Q4 K2 K2 K3 K4 K1 K1

Q5 K1 K1 K4 K3 K2 K2

Q6 K3 K4 K2 K1 K4 K3

Q7 K4 K3 K2 K1 K3 K4

Q8 K2 K3 K4 K3 K1 K1

Q9 K1 K1 K3 K4 K2 K2

Q10 K3 K4 K1 K2 K3 K4

Q11 K3 K4 K1 K2 K4 K3

Q12 K2 K2 K3 K4 K1 K1

QFT K1

Notice that, the final transformation is the inverse of the initial transformation, and the ith (i = 1, 2, …, 12) round key (A, B, C, D, E, F) of the decryption process is used to decrypt the (13-i)th round key (E, F, C, D, A, B) of the encryption process. If all round keys of the encryption and decryption are equal as in Table 1, the last six rounds of encryption can decrypt the intermediate cipher result obtained after the first 1

The correctness for the guesses of the left and right halves of the vector QFT can also be checked by a trial encryption if we exploit the restriction on the key bits. In this case, the secret-key can be found directly without the cryptanalysis process explained in Section 3.

42

Selçuk Kavut and Melek D. Yücel

six rounds of encryption, whenever the left and right halves of the intermediate cipher result are equal to each other. Hence, there are 232 fixed points for each weak key, which may cause some problems in using Spectr-H64 to build secure hash functions.

5

Conclusion

In this paper, we first describe an attack on single round of Spectr-H64, which exploits the diffusion weakness of the algorithm described by (3). This one round attack extracts 128 bits of the 256-bit key by using 1 known and 32 chosen plaintexts. Easy cryptanalysis of the first round then leads us to propose a slide attack against the overall algorithm, which uses 217 chosen plaintexts. The described slide attack requires 232 comparisons of 32-bit blocks, which takes much less work than 232 encryption operations needed for a brute force attack in a subset of 232 keys. The same attack is implemented on the modified variant of Spectr-H64 (only excluding initial and final transformations), and unknown key is identified using 217 chosen plaintexts and 216 comparisons. Since the attack is applicable for a small key subspace (one out of 2192), it does not indicate that Spectr-H64 is weak, but it should be interpreted as an independent confirmation of the observation in [2], which states that auto-key ciphers and data-dependent transformations are potentially vulnerable to conventional slide attacks. On the other hand, 2128 weak keys and 232 fixed points for each weak key that we observe, indicate that the key scheduling of the algorithm should be improved. As a final remark, we should mention that the key scheduling of Spectr-H64 yields four round periodicity for 264 weak keys of the form K = (K1, K1, K1, K1, K2, K2, K2, K2), which makes the cipher vulnerable to a similar slide attack [2], where the identical transformation F includes four rounds of the cipher. Although one may suspect that this periodicity makes Spectr-H64 also a candidate for advanced slide attacks [3], we think that this is not possible. Because, a suitable advanced slide attack with four round periodicity would be a combination of “complementation slide” and “sliding with a twist”; however, the complementation slide is not applicable because of data-dependent permutations of the round keys.

References [1]

[2]

[3]

N.D. Goots, A.A. Moldovyan, and N.A. Moldovyan, Fast Encryption Algorithm Spectr-H64. In: V.I. Gorodetski, V.A. Skormin, L.J. Popyack (Eds.), Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security. Lecture Notes in Computer Science, Vol. 2052, pp. 275-286, Springer-Verlag, 2001. Biryukov and D. Wagner, Slide Attacks. In: L.R. Knudsen (Ed.), Fast Software Encryption – FSE’99. Lecture Notes in Computer Science, Vol. 1636, pp. 245259, Springer-Verlag, 1999. Biryukov and D. Wagner, Advanced Slide Attacks. In: B. Preneel (Ed.), Advances in Cryptology – EUROCRYPT’2000. Lecture Notes in Computer Science, Vol. 1807, pp. 589-606, Springer-Verlag, 2000.

Slide Attack on Spectr-H64

[4] [5] [6] [7]

[8]

[9]

[10]

[11] [12]

[13] [14]

43

S. Murphy, The Cryptanalysis of FEAL-4 with 20 Chosen Plaintexts. Journal of Cryptography, Vol.2, No.3, pp.145-154, 1990. Shamir and E. Biham, Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, Vol.4, No.1, pp.3-72, 1991. J. Daemen and V. Rijmen, The Design of Rijndael, AES-The Advanced Encryption Standard. Springer-Verlag, 2002. J.L. Massey, Safer K-64: A Byte Oriented Block-Ciphering Algorithm. In: R.J. Anderson, Fast Software Encryption – FSE’93. Lecture Notes in Computer Science, Vol. 809, pp.1-17, Springer-Verlag, 1994. S. Kavut, and M.D. Yücel, On Some Cryptographic Properties of Rijndael. In: V.I. Gorodetski, V.A. Skormin, L.J. Popyack (Eds.): Information Assurance in Computer Networks: Methods, Models, and Architectures for Network Security. Lecture Notes in Computer Science, Vol. 2052, pp.300-311, Springer-Verlag, 2001. E. Aras and M.D. Yücel, Performance Evaluation of Safer K-64 and S-Boxes of Safer Family. Turkish Journal of Electrical Engineering & Computer Sciences, Vol.9, No.2, pp. 161-175, 2001. E.K. Grossman and B. Tuckerman, Analysis of a Weakened Feistel-like Cipher. Proc. International Conference on Communications, pp.46.3.1-46.3.5, Alger Press, 1978. E. Biham, New Types of Cryptanalytic Attacks Using Related Keys. Journal of Cryptology, Vol.7, pp.229-246, 1994. L.R. Knudsen, Cryptanalysis of LOKI91. In: J. Seberry and Y. Zheng (Eds.): Advances in Cryptology – ASIACRYPT’92. Lecture Notes in Computer Science, Vol. 718, pp.196-208, Springer-Verlag, 1993. D. Coppersmith, The Real Reason for Rivest's Phenomenon, Proc. CRYPTO’85, pp.535-536, Springer-Verlag, 1986. J.H. Moore and G.J. Simmons, Cycle Structure of the DES with Weak and Semi-Weak Keys, Proc. CRYPTO'86, pp.9-32, Springer-Verlag, 1987.

Appendix A: Description of Spectr-H64 The algorithm [1] is designed as a sequence of the initial transformation IT, 12 iterative rounds, and the final transformation FT. The overall encryption structure is shown in Fig.A-1. Round keys Q1, …, and Q12 are derived from the original key K∈{0,1}256, as shown in each column of Table A-1. Notice that in Table A-1, L 1, L 2, …, L 8 ∈ {0,1}32 indicate segments of the original key K=(L1, …, L8) and A, B, C, D, E, F (which are also used in Fig.A-1) correspond to 32-bit segments of each round key Qi ∈ {0,1}192. The initial and final transformations use the 32-bit keys, QIT = L1 and QFT = L 2. In Fig.A-1, qi and qi`, indicate the elements of QIT = (q1, q2, …, q32) and QFT = (q1`, q2`, …, q32`), respectively.

44

Selçuk Kavut and Melek D. Yücel Table A-1. Key scheduling for Spectr-H64 encryption

Round key segment A B C D E F

Q1

Q2

Q3

Q4

Q5

Q6

Q7

Q8

Q9

L1 L2 L6 L7 L3 L4

L8 L6 L1 L4 L5 L7

L5 L7 L2 L3 L6 L8

L4 L3 L5 L8 L2 L1

L1 L2 L7 L6 L4 L3

L6 L8 L3 L1 L7 L5

L7 L5 L4 L2 L6 L8

L4 L3 L8 L5 L1 L2

L2 L1 L6 L7 L4 L3

Fig. A-1. Overall encryption scheme of Spectr-H64

Q1

Q1

0

1

2

L6 L8 L1 L4 L5 L7

L5 L7 L2 L3 L8 L6

L3 L4 L5 L8 L1 L2

Q1

Slide Attack on Spectr-H64

45

The only difference between encryption and decryption of Spectr-H64 results from the key scheduling of the algorithm. If for i ∈ {1, 2,…, 12}, the ith round key of the encryption process is Qi = (A, B, C, D, E, F), then the (13-i)th round key of the decryption process is Q13-i = (E, F, C, D, A, B). Similarly, the final vector QFT used for encryption is equal to the initial vector QIT of the decryption. In each round of Spectr-H64, the following operations are used: • cyclic rotation “>>>k” by fixed amount k, • XOR operation “⊕”, • nonlinear function GCD, • data-dependent permutations P32/80, P-132/80, and • extension operation EAB (or ECD and EEF), where the subscripts A, B,…, F denote 32-bit segments of the 192-bit round key Qi = (A, B, C, D, E, F) used by the boxes G and E. The initial and final transformations also perform data-dependent permutations. The nonlinear function GCD uses the central segments C and D of the round key, and yields a 32-bit output vector Y, for a 32-bit input vector X, as Y = GCD(X) = M0⊕M1⊕(M2⊗C)⊕(M2⊗M5⊗D)⊕(M3⊗M5)⊕(M4⊗ D), where the vectors M0, …, M5 are obtained recursively through X as follows: M0 = (m1(0), m2(0), …, m32(0)) = X, Mj = (m1 , m2(j), …, m32(j)) = (1, m1(j-1), …, m31(j-1)), (j)

(A-1a) (A-1b)

where j = 1, …, 5. The extension operation EAB shown in Fig.A-1 is used to form an 80-bit control vector, which is represented as EAB (U) = (V1, V2, V3, V4, V5) = V, 32

where U ∈ {0,1} , V1, V2, …, V5 ∈ {0,1}16 and V ∈ {0,1}80. The vectors V1, V2,…,V5 are determined according to V1 = UR, V2 = π ((U ⊕ A)R), V3 = π ′ ((U ⊕ B)R), V4 = π ′ ((U ⊕ B)L), V5 = π ((U ⊕ A)L),

(A-2a) (A-2b) (A-2c) (A-2d) (A-2e)

where the subscripts L and R denote left and right half of the vectors respectively and the fixed permutations π and π ′ are defined for Z ∈ {0, 1}32 as

π (Z) = (ZR>>>1 , ZL>>>1), π ′ (Z) = (ZR>>>5 , ZL>>>5).

(A-3) (A-4)

The data-dependent permutation applied on the input X ∈ {0, 1}32 by the P32/80 box (Fig.A-2) produces the output Y ∈ {0, 1}32: Y = P32/80(X,V), where V = (v1, v2, …, v80) is the control vector formed by the extension operation.

46

Selçuk Kavut and Melek D. Yücel

The P32/80 box consists of the 80 P2/1 boxes arranged in 5 layers. Each P2/1 box has one control bit vi ( i ∈ {1, …, 80}), 2-bit input vector and 2-bit output vector. If the control bit vi = 0, then the input vector is directly carried to the output, otherwise the input bits are interchanged. From Fig.A-2 it is seen that the P32/80 box applies four permutations after the first 4 layers. It is important to observe that the initial values of the control bits (v1, v2, …, v16) of the first layer are equal to the right half part of 11bit cyclically rotated form of the left half plaintext (see Fig.A-1 and equation (A-2a)). The operation performed by P-132/80 box is the inverse of the operation applied by the P32/80 box. Therefore, the control bits of the last layer of P-132/80 box are also equal to the right half part of 11-bit cyclically rotated form of the left half plaintext.

Fig. A-2. P32/80 box

We can now describe the round transformation of Spectr-H64, for r = 0, 1, …, 11, as follows: Let r (A-5a) X = EEF(PL >>>11), and r r r r (A-5b) V = GCD(PL ⊕C)⊕P32/80(ECD(PL >>>17), D)⊕P32/80(EAB(PL >>>11), PR ) then, r (A-5c) PL +1 = P-132/80(X,V), and r r (A-5d) PR +1 = PL , r

r

where (PL , PR ) is the intermediate result after the rth round of encryption.

Slide Attack on Spectr-H64

47

The initial (IT) and final (FT) transformations of the algorithm are represented as: Y = IT(X, QIT); 64

Y` = FT(X`, QFT),

where X, X`, Y, Y` ∈ {0,1} , and QIT, QFT ∈ {0,1}32. As shown in Fig.A-1, the initial transformation uses 32 bits of QIT = (q1, q2, …, q32) as the control bits of its 32 P2/1 boxes, which interchange the two input bits with indices 2i-1 and 2i whenever qi = 1. Each even indexed bit at the P2/1 box output is then inverted. The final transformation becomes the inverse of the initial transformation, if QFT = QIT, i.e., each even indexed bit of the input block is first inverted and then each pair of bits with indices 2i-1 and 2i are interchanged whenever the control bit qi` = 1, where QFT = (q1`, q2`, …, q32` ).

On Differential Properties of Pseudo-Hadamard Transform and Related Mappings (Extended Abstract) Helger Lipmaa Laboratory for Theoretical Computer Science Department of Computer Science and Engineering Helsinki University of Technology P.O.Box 5400, FI-02015 Espoo, Finland [email protected]

Abstract. In FSE 2001, Lipmaa and Moriai proposed efficient log-time algorithms for computing some functions that are related to the differential probability of modular addition. They posed it as an open question whether their algorithms can be generalized to more complex functions. In this paper, we will give a fundamentally different proof of their main result by using a more scalable linear-algebraic approach. Our proof technique enables us to easily derive differential probabilities of some other related mappings like the subtraction and the Pseudo-Hadamard Transform. Finally, we show how to apply the derived formulas to analyse partial round mapping of Twofish. Keywords: differential probability, linear functions, Pseudo-Hadamard Transform, Twofish.

1

Introduction

To measure the success of first-order differential cryptanalysis [BS91] against cryptographic primitives like block ciphers, one must be able to efficiently calculate the differential probability of various functions. For example, one might need to bound the maximum differential probability, or the percentage of impossible differentials. Several well-known block ciphers were constructed so as their differential probabilities are easy to compute. This has enabled to bound the relevant maximum differential probabilities and prove the security against the impossible differential cryptanalysis. While this design methodology has been very productive (for example, AES and KASUMI are based on such an approach), practice has shown that ciphers that are specifically constructed to thwart the differential attacks are sometimes “simple enough” to be attackable by other cryptanalytic methods [JK97]. By this reason, the majority of modern block ciphers are still designed in a way that makes it rather difficult to estimate their security against differential A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 48–61, 2002. c Springer-Verlag Berlin Heidelberg 2002


On Differential Properties of Pseudo-Hadamard Transform

49

cryptanalysis. This difficulty is mostly caused by the hardness of computing differential probabilities of corresponding ciphers, not even talking about the maximum differential probabilities or many other differential properties. This situation is may be best demonstrated by the fact that until lately it was still not known how to efficiently compute exact differential probabilities of very simple and widely used mappings like the addition modulo 2n . Only recently Lipmaa and Moriai made a breakthrough in the last respect, by showing in [LM01] how to compute the differential probability of addition modulo 2n , for n > 1. Their algorithms are surprisingly efficient, working in worstcase time Θ(log n) when a RAM model of computation is assumed. By contrast, the best previous algorithms for related problems worked often in time 2Ω(n) . In the same paper, Lipmaa and Moriai suggested the next “bottom-up” cryptanalysis principle: start with exhaustive analysis of the simplest primitives and then gradually work upwards toward the analysis of the whole ciphers. The current paper is a further extension of the methods from [LM01]. We compute differential probabilities of a special class of practically important mappings. All such mappings can be represented as F (x1 , x2 ) = (x1≪κ11 ± x2≪κ12 , x1≪κ21 ± x2≪κ22 ) with κjk ≥ 0. Here, x≪k denotes the left shift of x by k bits (i.e., x≪k = 2k · x mod 2n ), and ± denotes either addition or subtraction in Z2n , where n ≥ 1. We call the class of such mappings Quasi-Hadamard Transforms. We show that for all Quasi-Hadamard Transforms, the formula for differential probability dpF of F can be transformed to a simple matrix equation in the inputs x and the carries c that occur in additions x1≪κj1 ± x2≪κj2 . It is valid to assume that c is a constant in the special case when κ11 = κ21 , κ12 = κ22 and κ11 ≤ κ12 + 1. This gives us a matrix equation in x, with 22n · dpF (∆x → ∆y) being equal to the number of solutions to this matrix equation, which can be found by using standard methods from linear algebra. This results, in particular, in a closed form formula and log-time algorithms for the differential probability of all functions that have the form F (x1 , x2 ) = 2κ1 x1 ± 2κ2 x2 . Our formula for addition is equivalent to the formula from [LM01] but our proof technique is very different and allows to obtain us a more general result after a relatively compact proof. Apart from addition and subtraction, only a few Quasi-Hadamard Transforms are used in real block ciphers. The most important one, the PHT (PseudoHadamard Transform) is employed in SAFER [Mas93] and Twofish [SKW+ 99]. The PHT is defined as PHT(x1 , x2 ) = (2x1 + x2 , x1 + x2 ). Another example is Schnorr’s FFT-hash [Sch92] that employs several functions F of type F (x1 , x2 ) = (4j x1 + x2 , x1 + x2 ). The mappings of both type are invertible. In the current paper, we present a formula for dpPHT . We show that a differential δ = (∆x1 , ∆x2 → ∆y1 , ∆y2 ) is PHT-possible iff corresponding projections of δ are possible under both coordinate mappings of both PHT and PHT−1 . We also describe a log-time algorithm for dpPHT . Therefore, this paper first solves completely the case when F (x1 , x2 ) = x1≪κ11 ± x2≪κ12 for κ1 ≤ κ2 + 1, and second, solves the important case of the Pseudo-Hadamard Transform.

50

Helger Lipmaa

We conclude the current paper with some applications of our results to Twofish [SKW+ 99] that was one of the leading AES candidates. In particular, we present a short proof that certain differentials described by Robshaw and Murphy in [MR02] (that were originally obtained by extensive computer experiments) are optimal under their conditions. Our proof only needs an exhaustive search over ≤ 210 differentials. We present a few new differentials that are optimal under some more general conditions and might result in other applications of the methods from [MR02]. Road-Map. In Section 2, we introduce preliminaries and notation that are necessary for reading the rest of this paper. In Section 3, we present a linear-algebraic framework for computing the differential probability of a large class of interesting mappings. In particular, in Section 3.2 we derive a formula for the differential probability of any mapping of the form F (x1 , x2 ) = x1≪κ11 ± x2≪κ12 . In Section 4, we present a formula for the differential probability of Pseudo-Hadamard Transform. In Section 5, we apply our results to the partial round function of Twofish. We end the paper with conclusions.

2

Preliminaries and Notation

Notation. Throughout this paper, we will denote by n the bit-length of basic variables. We will equivalently consider these variables as bit-strings of length n, members of group (Z2n , +) or members of ring (Zn2 , ·, ⊕). The variables x (the input variable) and y (the output variable) will have a special meaning. For any bit-vector α ∈ Z2n 2 , let α1 (resp., α2 ) denote its least significant (resp., most significant) half. For any bit-vector α ∈ Zm 2 , m ≥ 1, let α = α 0 20 +· · ·+ α m−1 2m−1 be the binary representation of corresponding integer, with α i ∈ {0, 1} being the ith bit of α. That is, we start counting bits from zero. We use the special notation α i to distinguish individual bits of α from n-bit sub-vectors of a 2n-bit vector.We assume that α i = 0 when i ∈ [0, m − 1]. Let wh (α) be the Hamming weight of α, that is, if α ∈ Zm 2 then wh (α) = α 0 + · · · + α m−1 . Hamming weight of an α ∈ Zm can be computed in time 2 Θ(log m) in a RAM model. Let ntz(x) be the number of trailing zeros of x; that is, ntz(x) = k iff 2k | x but 2k+1 ∤ x. For example, ntz(48) = 4 and ntz(0) = n. The function ntz can then be computed in time O(log2 n) as ntz(x) := wh (x − (x ∧ (x − 1)) − 1). Let α·β denote the component-wise multiplication in Zm 2 . Let maj(α, β, γ) := α·β⊕α·γ⊕β·γ be the bitwise majority function, xor(α1 , . . . , αm ) := α1 ⊕· · ·⊕αm and eq(α, β, γ) := (1 ⊕ α ⊕ β) · (1 ⊕ α ⊕ γ) be the bitwise equality function. (The xor function is solely introduced to make some formulas more readable.) Clearly, maj(α, β, γ) i = 1 iff α i + β i + γ i ≥ 2 and eq(α, β, γ) i = 1 iff α i = β i = γ i . Observe that matrix indexes (denoted as Aij ) start with 1, while vector indexes (denoted as α i ) start with 0. Differential cryptanalysis. Let ∂x = x ⊕ x∗ be the difference between two inputs 1n 2n x, x∗ ∈ Z2m1 n to a fixed mapping F : Zm → Zm . For every intermediate 2 2

On Differential Properties of Pseudo-Hadamard Transform

51

node Q in the computation graph of F , let q (or q ∗ ) denote the value in this node when the input was x (or x∗ ). Let ∂q = q ⊕ q ∗ be the corresponding difference with concrete inputs x and x∗ usually understood from the context. In particular, let ∂F (x) = F (x) ⊕ F (x∗ ) be the output difference. With ∆q we will denote the “desired” difference in node Q. That is, this is the difference the cryptanalyst is “aiming for”, but which is not necessarily the actual difference for every choice of x and x∗ with ∂x = ∆x. The cryptanalyst is successful when the probability Prx [∂F = ∆F ] is high. We always assume that ∆x = ∂x since ∂x can be controlled by the adversary in all relevant attack models. The pair (∆x, ∆F ) is usually denoted as (∆x → ∆F ). 1n 2n 1n For any mapping F : Zm → Zm , the differential probability dpF : Zm × 2n 2 2 m2 n F Z2 → [0, 1] of F is defined as dp (δ) := Prx [F (x) ⊕ F (x ⊕ ∆x) = ∆y], F 1n where x is chosen uniformly and randomly from Zm 2n . Equivalently, dp (δ) = m1 n m1 n ♯{x ∈ Z2 : F (x) ⊕ F (x ⊕ ∆x) = ∆y}/♯Z2 . We say that δ is F -possible if dpF (δ) = 0. Linear algebra. Let Matk×ℓ (R) be the group of k×ℓ matrices over a commutative ring R. Let Matk (R) := Matk×ℓ (R) when k = ℓ. We will mostly need n × n and 2n × 2n matrices. In the latter case, let Aij , i, j ∈ {0, 1}, denote the n × n sub-matrix in A that starts from the row i · n + 1 and the column j · n + 1. For any binary matrix (or vector) A, let ¬A denote the bit-inverse of A, that is, ¬Aij = 1 ⊕ Aij where Aij ∈ Z2 . To simplify reading, we will denote matrices with capital letters, while we denote vectors with lower-case letters. Let J be the binary m × m Toeplitz matrix with Jij = 1 iff i = j + 1; m is k usually understood from the context. Clearly, for any k and α ∈ Zm 2 , J · α i = k α i−k . Thus, J · α corresponds to the shifting the bits of α to left k times (when α is seen as a bit-string), or to the modular multiplication 2k · α in the ring Z2n . For any α ∈ Zm 2 , let [[α]] be the unique diagonal matrix, such that [[α]]ii = α i−1 . (Recall that by our convention, the matrix indexes start from 1 but the vector indexes start from 0.) Note that [[α]]·β = α·β, where on the right hand side “·” denotes component-wise multiplication in Zn2 . That is, α · β i = α i · β i .
m Also, J · [[α]] · β = m−1 i=1 α i−1 β i = [[Jα]] · β = (Jα) · β for any α, β ∈ Z2 . Now, let A · α = β be an arbitrary non-homogeneous matrix equation with A ∈ Matm (Z2 ) and α, β ∈ Zm equation has a solution in α ∈ Zm 2 iff 2 . This  rank(A) = rank A β , where A β is a m × (m + 1) matrix. If there is at least one solution, the solution space is a subspace of Zm 2 of dimension m − rank(A). Hence, it has 2m−rank(A) elements. As an example, if A is the identity matrix then A · α = β has a solution iff m = rank(A) = rank A β = m. (I.e., always.) Since 2m−rank(A) = 2m−m = 20 = 1, there is only one solution α ← β. Bit-level operations. Let α≪k := 2k α mod 2n be the left shift of α by k bits. If the variables are seen as bit-vectors of length m then the next operations have natural Boolean analogues: α·β = α∧β (multiplication in Zm 2 corresponds to the Boolean AND), J k α = α≪k (multiplication by J k corresponds to the left shift by k positions) and ¬α corresponds to bit-negation. While we use the algebraic

52

Helger Lipmaa

x1

x2

a)

✲ ≪ κ1 ✲ ≪ κ2

z1

❙ ✇ ± ✲ y1 ❙ ✼ ✓ ✓ z2

x1

x2

b)

✲≪ κ11

z11

✲≪ κ21

z21

✲≪ κ12

z12

✲≪ κ22

z22

❍ ❥± ✲ y ❍ 1 ✁✕ ❆✁ ✁❆ ❆ ✲ y 2 ✯± ✟ ✟

Fig. 1. Computational graph of a function a) F ∈ L1 with three internal nodes and of a function b) F ∈ L2 with 6 internal nodes notation during this paper, keeping these few equivalences in mind should make it fairly simple to transform our formulas to efficient algorithms in any modern computer language. Carry and borrow. For any α, β ∈ Zn2 , let carry(α, β) := α ⊕ β ⊕ (α + β) be the carry and borrow(α, β) := α ⊕ β ⊕ (α − β) be the borrow of α and β. We often denote carry by carry1 and borrow by carry0 . Differential Probability of Addition. Let δ = (∆x1 , ∆x2 → ∆y) and e = eq(J∆x1 , J∆x2 , J∆y). In [LM01], Lipmaa and Moriai showed that, reformulated in our notation, dp+ (δ) = 0 when e · (xor(∆x1 , ∆x2 , ∆y) ⊕ J∆x2 ) = 0, and dp+ (δ) = 2−wh (¬e) , otherwise.

3 3.1

Linear-Algebraic Viewpoint to Differential Probability Differential Probability in Language of Matrix Equations

We proceed with computing the differential probabilities of some mappings of form (x1≪κ11 ± x2≪κ12 , x1≪κ21 ± x2≪κ22 ). We call such functions Quasi-Hadamard Transforms. In this section, we develop a general framework for handling all mappings of form F (x1 , x2 ) = x1≪κ1 + x2≪κ2 . In particular, we show that the differential probability of such a mapping is equal to 2−2n times the number of solutions to a certain matrix equation. (The next section will concentrate on other mappings.) For σ ∈ {0, 1}, let z1 +σ z2 := z1 + (−1)σ z2 , and ∂cσ = ∂cσ (z1 , z2 ) := carryσ (z1 , z2 ) ⊕ carryσ (z1∗ , z2∗ ). Consider the set A := {J k : 0 ≤ k < n} ⊂ T  Matn (Z2 ). Let x = x1 x2 . Let L1 ⊂ Mat1×2 (Z2n ) be such that F ∈ L1 iff for some σ ∈ {0, 1}, F1 ∈ A and F2 ∈ (−1)σ A. Equivalently, F (x) = 2κ1 x1 ± 2κ2 x2 . Such a function F can alternatively be seen as a ±-operation applied to the results of some left shift operations, with z1 = x1≪κ1 , z2 = x2≪κ2 and y = z1 +σ z2 . (See Fig. 1.) With this representation in mind, we will consistently denote ∆zk := xk≪κk ⊕ ≪κ ≪κ (x∗k ) k and ∂y := y ⊕ y ∗ . Since the differential xk −→k zk has probability 1 then ∆zk = ∆xk≪κk and zk∗ = zk ⊕ ∂zk . As usual, we denote x := (x1 , x2 ) and

On Differential Properties of Pseudo-Hadamard Transform

53

∆x := (∆x1 , ∆x2 ). Let F ∈ L1 . By definition, dpF (δ) = Prx [(x1≪κ1 +σ x2≪κ2 ) ⊕ ≪κ ≪κ ((x∗1 ) 1 +σ (x∗2 ) 2 ) = ∆y] = Prx [(z1 +σ z2 ) ⊕ (z1∗ +σ z2∗ ) = ∆y] = Prx [∂y = ∆y]. Let σ ∈ Z2n be the vector of σ-s, that is, σ i = σ, ∀i. The main result of this subsection is the following: Theorem 1. Fix a function F ∈ L1 , and a differential δ = (∆x1 , ∆x2 → ∆y). For fixed z = (z1 , z2 ), let cσ := carryσ (z1 , z2 ). Let ω = ω(δ), a = a(δ, x) ∈ Zn2 , M = M (δ) ∈ Matn×2n (Z2 ) be defined as follows: ω :=J(σ · (∆z1 ⊕ ∆y) ⊕ ∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y))⊕ xor(∆z1 , ∆z2 , ∆y) ,   M := J · [[∆z1 ⊕ ∆y]] · J κ1 J · [[∆z2 ⊕ ∆y]] · J κ2 , a :=ω ⊕ J · (∆z1 ⊕ ∆z2 ) · cσ .

(1)

Then dpF (δ) = Prx [M · x = a]. Equivalently, 22n · dpF (δ) is equal to the number of solutions to the matrix equation M · x = a in ring Z2 . Since a depends on cσ and hence in a nontrivial manner on x, we must first get rid of the variable cσ in a to find the number of solutions to the matrix equation M · x = a. We will deal with this in the next subsection. Rest of the current subsection will give a proof of Theorem 1. First, Lemma 1. Let F ∈ L1 and let x ∈ Z2n 2 be such that F (x) ⊕ F (x ⊕ ∆x) = ∆y. Denote q(α, β, γ) := (∂β ⊕∂γ)·α⊕(∂α⊕∂γ)·β ⊕(∂α⊕∂β)·γ and desired(δ, x) := J · (¬σ · (∆z2 ⊕ ∂cσ ) ⊕ maj(∆z1 , ∆z2 , ∂cσ ) ⊕ q(z1 , z2 , cσ )) ⊕ xor(∆z1 , ∆z2 , ∆y). Then desired(δ, x) = 0 . (2) In general, let D be the event that (2) holds for an uniformly random x. Then dpF (δ) = Pr[D]. Proof. Let c1 = c = carry(z1 , z2 ) and c0 = b = borrow(z1 , z2 ). By definitions of carry and borrow, c i+1 = 1 iff z1 i + z2 i + c i ≥ 2 and b i+1 = 1 iff z1 i < z2 i + b i . That is, c1 = c = J · maj(z1 , z2 , c) and c0 = b = J · (z2 ⊕ b ⊕ maj(z1 , z2 , b)). Thus, cσ = J · (¬σ · (z2 ⊕ cσ ) ⊕ maj(z1 , z2 , cσ )) and ∂cσ = J · (¬σ · (∆z2 ⊕ ∂cσ ) ⊕ maj(z1 , z2 , cσ ) ⊕ maj(z1 ⊕ ∂z2, z2 ⊕ ∂z2 , cσ ⊕ ∂cσ )) = J · (¬σ · (∆z2 ⊕ ∂cσ ) ⊕ maj(∆z1 , ∆z2 , ∂cσ ) ⊕ q(z1 , z2 , cσ )). But F (x) ⊕ F (x ⊕ ∆x) = ∆y iff ∂cσ = xor(∆z1 , ∆z2 , ∆y) and therefore F (x) ⊕ F (x ⊕ ∆x) = ∆y iff desired(δ, x) = 0. Thus, dpF (δ) = Pr[D]. ⊔ ⊓ Our next step is to eliminate the auxiliary variable ∂cσ = cσ ⊕ (c∗ )σ that introduces non-linearity to the equation (2). n−1 Proof (Proof of Thm. 1.). Define r(δ, x) := i=0 (1 − desired(δ, x) i ). By F 2n Lemma 1, dp (δ) = Pr[D], or equivalently, 2 · dpF (δ) = ♯{x : r(δ, x) = 1}. Observe that desired(δ, x) = 0 iff there is a (minimal) ℓ0 , such that n−1 desired(δ, x) ℓ0 = 1. Hence, for any λ(δ, x), r(δ, x) = i=0 (1 − λ(δ, x) i ), given that λ(δ, x) ≡ desired(δ, x) (mod 2ℓ0 +1 ).

54

Helger Lipmaa

Now, r(δ, x) = 1 iff F (x) ⊕ F (x ⊕ ∆x) = ∆y iff ∂cσ = xor(∆z1 , ∆z2 , ∆y). The ′ same holds also for word lengths i−1 n < n with the variables that have been reduced n′ modulo 2 . Thus, when ℓ=0 (1 − desired(δ, x) ℓ ) = 1 then desired(δ, x) ≡ 0 (mod 2i ) and thus J · ∂cσ ≡ J · xor(∆z1 , ∆z2 , ∆y) (mod 2i+1 ). Therefore, we set λ i to be equal to desired(δ, x) i , except that we substitute every occurrence of J · ∂cσ i in desired(δ, x) i with an occurrence of J · xor(∆z1 , ∆z2 , ∆y) i . Since this applies for every i, what we do is that we substitute J · ∂cσ with J · xor(∆z1 , ∆z2 , ∆y) in desired(δ, x). Denote α = (∆z1 ⊕ ∆y) · z1 ⊕ (∆z2 ⊕ ∆y) · z2 ⊕ (∆z1 ⊕ ∆z2 ) · cσ . By the previous discussion, x is δ-possible iff ∂cσ = desired(δ, x) ⊕ xor(∆z1 , ∆z2 , ∆y) = J · (¬σ · (∆z2 ⊕ ∂cσ ) ⊕ maj(∆z1 , ∆z2 , ∂cσ ) ⊕ q(z1 , z2 , cσ )) = J · (σ · (∆z1 ⊕ ∆y) ⊕ 1 ⊕ ∆z1 ⊕ eq(∆z1 , ∆z2 , ∆y) ⊕ α) is equal to xor(∆z1 , ∆z2 , ∆y). Therefore, dpF (δ) = Prx [J · α = ω] = Prx [J · α = ω] = Prx [J · ((∆z1 ⊕ ∆y) · J κ1 x1 ⊕ (∆z2 ⊕ ∆y) · J κ2 x2 ) = a]. The claim follows. ⊔ ⊓ 3.2

Algorithm for dpF for F ∈ L1

In the previous subsection we established that 22n ·dpF is equal to the number of solutions to a certain matrix equation M · x = a. Initially, this matrix equation depended on both ∂cσ and cσ . While we thereafter showed how to eliminate the dependency on ∂cσ , we still have a matrix equation that depends on the carry cσ . However, it is easy to show that this problem is not severe. Let again σ ∈ {0, 1} and let F ∈ L1 , F (x1 , x2 ) = 2κ1 x1 +σ 2κ2 x2 . As in the proof of Thm. 1, we can consider the matrix equation M · x = a as a system of equations in Z2 , starting with bit i = 0. Now, for every i, cσ i is already fixed and known when we look at the row i, since it is a function of the “previous” bits of x1 and x2 . Hence, J · [[∆z1 ⊕ ∆z2 ]] · cσ = J · (∆z1 ⊕ ∆z2 ) · cσ is a constant (although, an a priori unknown) vector and therefore, a is a constant vector. Therefore, we have proven that    0 , rank(M ) =

rank , M a dpF (δ) = (3) − rank(M) , otherwise . 2   Next we will compute the ranks of associated matrices M and M a . (Note that here a = a(δ) does not depend on x anymore.) For this, we must introduce an additional assumption κ1 ≤ κ2 + 1. The reasoning behind this assumption will become obvious from the proof of Thm. 2. Theorem 2. Let Ek ∈ Zn2 be the vector with Ek i = 1 iff i ≥ k. (That is, Ek = ¬(2k −1) when seen as an element of Z2n .) Let us denote ej := J((∆zj ⊕∆y)·Eκj ) and e := e1 ∨ e2 . Let F (x1 , x2 ) = z1 +σ z2 ∈ L1 be such that κ1 ≤ κ2 + 1. Then  0, ¬e · (J(¬σ · (∆z1 ⊕ ∆y) ⊕ ∆z2 ) ⊕ xor(∆z1 , ∆z2 , ∆y)) = 0, F dp (δ) = −wh (e) 2 , otherwise. Equivalently, Algorithm 1 computes dpF (δ) in time O(log n), given a RAM model of computation.

On Differential Properties of Pseudo-Hadamard Transform

55

Algorithm 1 An O(log n)-time algorithm for computing dpF (∆x1 , ∆x2 → ∆y) where F (x1 , x2 ) = 2κ1 x2 +σ 2κ2 x2 . Here we assume that κ1 ≤ κ2 + 1 INPUT: (∆x1 , ∆x2 → ∆y) and F as represented by κj and σ ∈ {0, 1} OUTPUT: dpF (∆x1 , ∆x2 → ∆y) 1. 2. 3. 4. 5.

Let ∆zj ← ∆xj≪κj for j ∈ {1, 2}; Let ej ← ((∆zj ⊕ ∆y) ∧ ¬(2κj − 1))≪1 for j ∈ {1, 2}; Let e ← e1 ∨ e2 ; If ¬e ∧ (((¬σ ∧ (∆z1 ⊕ ∆y)) ⊕ ∆z2 )≪1 ⊕ ∆z1 ⊕ ∆z2 ⊕ ∆y) then return 0 ; Return 2−wh (e) .

(Algorithm 1 works in time O(log n) since the Hamming weight wh can be computed in time O(log n) when working in the RAM model [LM01].) F Proof. Recall that by · x = a]. Therefore, dpF (δ) = 0  Thm.  1, dp F(δ) = Prx−[M rank(M) if rank(M ) = rank M a , and dp (δ) = 2 , otherwise. Next, for any vector v, (J[[v]]J κk )ij = v i−2 when j = i − 1 − κk and i > κk + 1, and (J[[v]]J κk )ij = 0, otherwise. (Recall that the bits v i are counted from i =  0 to i = n − 1.) Therefore, rank(M ) = rank J[[∆z1 ⊕ ∆y]]J κ1 J[[∆z2 ⊕ ∆y]]J κ2 = ♯{i ∈ [1, n] : (J[[∆z1 ⊕ ∆y]]J κ1 )i,i−κ1 −1 = 1 ∨ (J[[∆z2 ⊕ ∆y]]J κ2 )i,i−κ2 −1 = 1} = ♯{i ∈ [0, n − 1] : Eκ1 · J(∆z1 ⊕ ∆y) i = 1 ∨ Eκ2 J(∆z2 ⊕ ∆y) i = 1} = wh (Eκ1 ∨ Eκ2 ) = wh (e). That is, if δ is F -possible, then dpF (δ) = 2−wh (e) . Let us next establish when the equation M ·x = a does not have any solutions.   Since M is an echelon matrix up to the permutation of rows, then rank M a = rank(M ) only if for some i ∈ [0, n − 1], (M1 )i+1,i−κ1 = (M2 )i+1,i−κ2 = 0 but a i = 1. This happens iff for some i ∈ [0, n − 1], e1 i = e2 i = 0 (i.e., e1 ∨ e2 i = 0) but a i = ω ⊕ J(∆z1 ⊕ ∆z2 ) · cσ i = 1. Thus, δ is F -impossible iff ¬(e1 ∨ e2 ) · (ω ⊕ J(∆z1 ⊕ ∆z2 ) · cσ ) = 0. (Recall that ω = J(σ · (∆z1 ⊕ ∆y) ⊕ ∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y)) ⊕ xor(∆z1 , ∆z2 , ∆y).) We are only left to prove that the next two facts hold in the case e1 ∨ e2 i = 0, or equivalently, in the case e1 i = e2 i = 0. First, J(∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y)) i = J · xor(∆z1 , ∆z2 , ∆y) i . Really, if i ≥ κ1 then e1 i = 0 ⇒ ∆z1 i−1 = ∆y i−1 and therefore ∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y) i = xor(∆z1 , ∆z2 , ∆y) i . Otherwise, if i ≥ κ2 then ∆z2 i−1 = ∆y i−1 and thus ∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y) i = ∆y i . (Since κ1 ≤ κ2 + 1 we can ignore this case.) Finally, let i ≤ min(κ1 , κ2 ). Then ∆z1 i−1 = ∆z2 i−1 = 0 and therefore ∆z1 ⊕ 1 ⊕ eq(∆z1 , ∆z2 , ∆y) i = 1 ⊕ eq(0, 0, ∆y) i = xor(∆z1 , ∆z2 , ∆y) i . Second, J(∆z1 ⊕ ∆z2 ) · cσ i = 0. Really, first assume σ = 1. If i ≤ κ1 then J κ1 x1 i−1 = x1 i−κ1 −1 = 0 and hence c1 i = 0, and therefore J(∆z1 ⊕ ∆z2 ) · c1 i = 0. The case i ≤ κ2 is dual. On the other hand, when i > max(κ1 , κ2 ) then J · (∆z1 ⊕ ∆z2 ) · cσ i = (e1 ⊕ e2 ) · cσ i = 0. Let us now consider the case σ = 0. If i ≤ κ2 then c0 i = (1 ⊕ z1 ) · c0 i−1 , which means that c0 ≡ 0 (mod 2κ2 ). Otherwise, if i ≤ κ1 then c0 i = 1 ⇐⇒

56

Helger Lipmaa

z2 ⊕ c0 i−1 = 1, which means that c0 ≡ (2ntz(z2 )+1 − 1) (mod 2κ1 ). (Since κ1 ≤ κ2 + 1 we can ignore this case.) If i ≥ max(κ1 , κ2 ) then J(∆z1 ⊕ ∆z2 )c0 i = 0 due to J(e1 ⊕ e2 ) i = 0. ⊔ ⊓ Corollary 1. Let +(x1 , x2 ) = x1 + x2 be the Z2n -addition mapping and let −(x1 , x2 ) = x1 − x2 be the Z2n -subtraction mapping. Recall that α ∨ β = α ⊕ β ⊕ α · β. First, the differential δ is +-impossible if ¬(J · (∆x1 ⊕ ∆y) ∨ J · (∆x2 ⊕ ∆y)) · (xor(∆x1 , ∆x2 , ∆y) ⊕ J · ∆x2 ) = 0. Otherwise, dp+ (δ) = 2−wh (J·(∆x1 ⊕∆y)∨J·(∆x2 ⊕∆y)) . Second, dp− (δ) = dp+ (δ) for any δ. Proof. First claim is trivial. For the proof of the second claim it is sufficient to observe that in this case, κ1 = κ2 = 0, and that in the third paragraph of the proof of Theorem 2, if e1 i = e2 i = 0 then ω i = J · (∆x1 ⊕ 1 ⊕ eq(∆x1 , ∆x2 , ∆y)) ⊕xor(∆x1 , ∆x2 , ∆y) i = J · ∆x1 ⊕xor(∆x1 , ∆x2 , ∆y) i = J · ∆x2 ⊕ xor(∆x1 , ∆x2 , ∆y) i for i > max(κ1 , κ2 ) = 0. ⊔ ⊓ The formula for dp+ , presented in Corollary 1, is equivalent to the formula from [LM01]. Its complete proof is somewhat longer than the one in [LM01]. However, our proof is based on a more scalable approach, that allows us to find similar formulas for other related mappings like subtraction, without having to write down yet another, somewhat different, proofs. Corollary 2. Let x, ∆x, ∆y ∈ Z2n . Let F = +α be the unary operation that adds the constant α to its single argument, F (x) = x + α. Let δ = (∆x → ∆y). Then, by definition, dp+α (δ) = Prx [(x + α) ⊕ ((x ⊕ ∆x) + α)]. Then δ is +α impossible iff ¬(J ·(∆x1 ⊕ ∆y))·¬(J ·∆y)·(∆x1 ⊕ ∆y) = 0. Otherwise, dp+ (δ) = 2−wh ((J·(∆x1 ⊕∆y)∨J·∆y)) . Proof. Straightforward from Corollary 1.

4 4.1

⊔ ⊓

The Pseudo-Hadamard Transform Generalization to 2 × 2 Matrices

Next, we will look at a slightly more general case. Namely, assume that L2 ⊂ Mat2 (Z2n ) is such that  F11 F12 ∈ L2 F = F21 F22

iff for some σ ∈ {0, 1}, Fj1 ∈ A and Fj2 ∈ (−1)σ A. Then F (x) = (2κ12 x1 +σ 2κ12 x2 , 2κ22 x1 +σ 2κ22 x2 ), for some κjk ≥ 0. Alternatively, such mappings F can be described by using a computation graph with zij = xj≪κij and yi = zi1 ± zi2 . (See Figure 1.) We call the mappings from L2 the QuasiHadamard Transforms. Next, let us state some generalizations of previous results.

On Differential Properties of Pseudo-Hadamard Transform

PHT−1 1 : x1 = y1 ⊟ y2

∆x1

....................................................................... ... .... .... ... 1 ... ... ... ... ... ... ... ... ... ... ... ... .... 1 ... 2 ... ... ... ... ... ... ... ... 2 ... ... ... ... .. ... .........................................................................

q ∆x✲

✻

∆x2

✲ ❄∂y

✲ PHT1 : y1 = Jx1 ⊞ x2

∂y1

∆x

PHT−1 2 : x2 = Jy2 ⊟ y1

57

∂y

✲ PHT2 : y2 = x1 ⊞ x2

∂y2

q

Fig. 2. Propagation of differences during the Pseudo-Hadamard Transform Lemma 2. [Generalization of Thm 1.] Let δ = (∆x → ∆y) with ∆x, ∆y ∈ Z2n 2 . For j ∈ {1, 2}, let ωj := J · (σ · (∆zj1 ⊕ ∆yj ) ⊕ ∆zj1 ⊕ 1 ⊕ eq(∆zj1 , ∆zj2 , ∆yj )) ⊕ xor(∆zj1 , ∆zj2 , ∆yj ). Let  J · [[∆z11 + ∆y1 ]]J κ11 J · [[∆z12 + ∆y1 ]]J κ12 , M = M (δ) := J · [[∆z21 + ∆y2 ]]J κ21 J · [[∆z22 + ∆y2 ]]J κ22  ω1 ⊕ J · (∆z11 ⊕ ∆z12 ) · cσ1 . a = a(δ, x) := ω2 ⊕ J · (∆z21 ⊕ ∆z22 ) · cσ2 Then dpF (δ) = Prx [M · x = a]. Proof. Straightforward corollary of Theorem 1.

⊔ ⊓

Note that Thm. 1 can additionally be generalized to more than 2-dimensional matrices. 4.2

Analysis of PHT

While Lemma 2 is a simple generalization of our previous result for F ∈ L1 , we cannot proceed by using exactly the same methodology as in Thm. 2. The reason is that here we cannot assume that the carries are constant so as to use simple linear algebra to derive the number of solutions to M · x = a. However, it comes out that at least in some special cases the value of dpF will depend on ′ the values of dpF for some functions F ′ in class L1 . If F ∈ L2 is an invertible mapping then det F = (−1)σ 2κ11 2κ22 − (−1)σ 2κ12 2κ22 = 0 and  1 (−1)σ 2κ22 −(−1)σ 2κ12 −1 , F = −2κ21 2κ11 det F or F −1 (y1 , y2 ) = det1 F ((−1)σ 2κ22 y1 −(−1)σ 2κ12 y2 , 2κ11 y2 −2κ21 y1 ). Let ∆x, ∆y ∈ Z22n . Clearly, δ = (∆x → ∆y) is F -possible iff δ −1 = (∆y → ∆x) is F −1 possible. The most important of invertible mapping F ∈ L2 from a cryptographic viewpoint,   21 1 −1 −1 with PHT = , F = PHT = 11 −1 2

58

Helger Lipmaa

is called the Pseudo-Hadamard Transform (PHT, [Mas93]). The PHT is employed in block ciphers like SAFER [Mas93] and Twofish [SKW+ 99] for achieving better diffusion. (See Figure 2.) For j ∈ {0, 1}, let Fj (x) denote the projection of F (x) to the jth coordinate. That is, Fj (x1 , x2 ) = 2κj1 x1 +σ 2κj2 x2 . By definition, dpFj (∆x1 , ∆x2 → ∆y1 ) = Prx [(2κj1 x1 +σ 2κj2 x2 ) ⊕ ((2κj1 x1 ⊕ ∆x1 )+σ (2κj2 x2 ⊕ ∆x2 )) = ∆y1 ]. In particular, PHT1 (x1 , x2 ) = 2x1 + x2 and PHT2 (x1 , x2 ) = x1 + x2 . Theorem 3. Let us denote ekj := J((∆zkj ⊕ ∆yk ) · Eκkj ). Let ej := ej1 ∨ ej2 . (1) δ is PHT-possible iff all next four differential probabilities are positive: −1 dpPHT1 (∆x1 , ∆x2 → ∆y1 ), dpPHT2 (∆x1 , ∆x2 → ∆y2 ), dpPHT1 (∆y1 , ∆y2 → −1 ∆x1 ), dpPHT2 (∆y2 , ∆y1 → ∆x2 ). (2) If δ is PHT-possible, then dpPHT (δ) = dp+ (∆x1 , ∆x2 → ∆y2 ) · 2−wh (e1 ·J(¬(eq(∆x1 ,∆y1 ,∆y2 )))·J(¬(eq(∆x2 ,∆y1 ,J∆y2 )))) . Proof (Sketch.). (1, ⇒) Straightforward: since PHT is invertible then δ = (∆x → ∆y) is PHT-possible iff δ −1 = (∆y → ∆x) is PHT−1 -possible. Rest of the proof is omitted from the extended abstract. ⊔ ⊓ Equivalently, δ is PHT-possible iff J∆x1 ⊕ ∆x2 ⊕ ∆y1 i = 0 and the next four differential probabilities are positive: dp+ (∆x1 , ∆x2 → ∆y1 ), dp+ (∆x1 , ∆x2 → ∆y2 ), dp+ (∆y1 , ∆y2 → ∆x1 ), dp+ (J∆y2 , ∆y1 , ∆x2 ). (Note that all four differential probabilities can be computed by using Algorithm 1.) Moreover, a computationally slightly less expensive formula for dpPHT is dpPHT (δ) = 2−wh (e2 ) · 2−wh (e1 )·J(¬(eq(∆x1 ,∆y1 ,∆y2 )))·J(¬(eq(∆x2 ,∆y1 ,J∆y2 )))) . Based on Theorem 3 one can build a Θ(log n)-time algorithm for computing the value of dpPHT in the RAM model by using the same ideas as in [LM01].

5

Application to Twofish

In their paper [MR02], Murphy and Robshaw proposed an interesting new methodology for attacking Twofish by first finding a good characteristic and then fixing such key-dependent S-boxes that satisfy this characteristic. However, their concrete approach is somewhat heuristic and based on computer experiments. For example, in [MR02, Section 4.1] they choose a differential (0, ∆z2 ), such that the differential probability of (0, ∆z2 → ∆z2 , ∆z2 ) w.r.t. the PHT and averaged sub-key additions (see Fig. 3) would be large. As they established experimentally, choosing ∆z2 = A0E080A0 results in a probability p = 2−14 , where p was determined experimentally averaged over random inputs and random additive round keys. No motivation was given in their paper why this concrete differential was chosen instead of some others. Based on our formula for dpPHT we are able to determine that Theorem 4. Let F be the part of the Twofish’s round that contains S-boxes,  T MDS-s and the PHT. Let the input-to-F difference ∆x = ∆x1 0 be chosen such that only one of the four S-boxes becomes active. Then dpF (0, ∆z2 →

On Differential Properties of Pseudo-Hadamard Transform

59

F

∆x1

x1

∆x2 x2

✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲

S-box 0 S-box 1 S-box 2 S-box 3

S-box 0 S-box 1 S-box 2 S-box 3

✲ ✲ ✲ ✲ ✲ ✲ ✲ ✲

K2r+8 PHT MDS

∂z1

♣ ✲

z1

✻

∆x1

MDS

✲❄

∂z2

✲ ❄∆y ✲1 y1 = 2z1 + z2

∆y1

K2r+9

♣

✲ ❄∆y ✲2 y2 = z1 + z2

∆y2

z2

Fig. 3. Propagation of differences within a partial round of Twofish Table 1. Optimal differences for the partial Twofish round function (∆x1 , ∆x2 ) (00000000, 00000080) (00000000, 00000400) (00000000, 00008000) (00000000, 00008900) (00000000, 00040000) (00000000, 00800000) (00000000, 04000000) (00000000, 80000000) (00000000, 00040004) (00000000, 004e00ed) (00000000, 00696900) (00000000, 04000004) (00000000, 08000008) (00000000, 10000010) (00000000, 20000020) (00000000, 40000040) (00000000, 69000069) (00000000, 80000080) (00000000, 69690000) (00000000, 0017eb43) (00000000, 3a00a6e8) (00000000, 53001d53) (00000000, 25a61f00)

δ = (0, ∆z2 → ∆z2 , ∆z2 ) 1 active S-box (00000000, e0e0a080 → e0e0a080, e0e0a080) (00000000, 04050707 → 04050707, 04050707) (00000000, 80a0e0e0 → 80a0e0e0, 80a0e0e0) (00000000, 89f10101 → 89f10101, 89f10101) (00000000, 07040705 → 07040705, 07040705) (00000000, e080e0a0 → e080e0a0, e080e0a0) (00000000, 05070405 → 05070405, 05070405) (00000000, a0e080a0 → a0e080a0, a0e080a0) Two active S-boxes (00000000, 00030201 → 00030201, 00030201) (00000000, 80004204 → 80004204, 80004204) (00000000, c0400080 → c0400080, c0400080) (00000000, 02000101 → 02000101, 02000101) (00000000, 04000202 → 04000202, 04000202) (00000000, 08000404 → 08000404, 08000404) (00000000, 10000808 → 10000808, 10000808) (00000000, 20001010 → 20001010, 20001010) (00000000, 80004040 → 80004040, 80004040) (00000000, 40002020 → 40002020, 40002020) (00000000, 80c0c000 → 80c0c000, 80c0c000) Three active S-boxes (00000000, 80000041 → 80000041, 80000041) (00000000, 80008000 → 80008000, 80008000) (00000000, 80400000 → 80400000, 80400000) (00000000, 01800000 → 01800000, 01800000)

dpF (δ) 2−13 2−13 2−12 2−13 2−13 2−13 2−13 2−12 2−6 2−6 2−6 2−5 2−6 2−6 2−6 2−6 2−4 2−6 2−6 2−3 2−2 2−2 2−3

∆z2 , ∆z2 ) ≥ 2−13 only in the 8 cases, depicted in Table 1. Therefore, the differential with ∆z2 = A0E080A0 chosen in [MR02] is optimal for F under the given constraints, and there is only one another differential with ∆z2 = 80A0E0E0

60

Helger Lipmaa

that has the same differential probability. Analogously, if two S-boxes are allowed to be active then there are 11 different differentials (0, ∆z2 ), such that dpF (0, ∆z2 → ∆z2 , ∆z2 ) ≥ 2−6 . If three S-boxes are active then there are 4 differentials (0, ∆z2 ), such that dpF (0, ∆z2 → ∆z2 , ∆z2 ) ≥ 2−3 . Proof. One can prove this by doing by exhaustive search over 210 = 1024 (in the one active S-box case), 3 · 217 (in the two active S-boxes case) or 32 · 226 (in three active S-boxes case) differentials. ⊔ ⊓ In all cases, one spends Θ(log n) steps for computing the corresponding differential probability. Thus, our method is still efficient with 3 active S-boxes. One of the conclusions of this lemma is that if two active S-boxes can be tolerated then it is possible to find a differential that is 28 times more probable— this sharp growth might, in some situations, compensate the need for the second active S-box, and therefore potentially lead to some attack against Twofish.

6

Conclusions

We extended the previous results of Lipmaa and Moriai [LM01] by developing a linear-algebraic framework for proving the differential properties for addition (in Z2n ) and related functions w.r.t. the XOR (or addition in Zn2 ). While [LM01] exhaustively analysed the addition itself but gave no guidelines for how to analyse related functions, we were able to compute differential probabilities of different functions like the subtraction and the Pseudo-Hadamard transformation as the special cases of our general approach. Our proof methods might be of independent interest. For example, we showed that the differential probability of 2α x ± 2β y, α ≤ β + 1, is equal to the number of solutions to a certain matrix equation. Due to the lack of space, this extended abstract has been shortened by omitting the complete solution for dpF for any F ∈ L2 and several proofs. Corresponding formulas will appear in the full version. We ended the paper by presenting optimal differentials for the partial Twofish round function. In particular, we were able to prove formally that a certain differential found by Murphy and Robshaw is really optimal under given conditions. We also presented other differentials that are optimal under somewhat general conditions. These results show that the results of the current paper are not only theoretical but might be directly applicable in practical cryptanalysis. Together with [LM01], the current paper presents a positive step forward in helping to construct ciphers that are secure against differential cryptanalysis. While until now, the differential properties of ciphers that include both modular addition and exclusive OR-s have only found experimentally by heuristic methods, our results make it possible to prove rigorously lower bounds on differential attacks of at least some ciphers. As compared to [LM01], our paper stepped significantly closer to the reality, since we were able to prove that some differentials used in an actual attack are optimal. Finally, all results of this paper have been implemented in the C language and verified by using a computer. In particular, it took about 30 seconds for a 1.4 GHz Athlon to produce the numbers in Table 1.

On Differential Properties of Pseudo-Hadamard Transform

61

Acknowledgments and Further Work This work was partially supported by the Finnish Defense Forces Research Institute of Technology. We would like to thank Stefan Lucks, Markku-Juhani Olavi Saarinen and anonymous referees for useful comments. An interesting open question is whether our methods can be applied to a more general class of mappings than L2 . We hope that more applications of our results to the real ciphers will be found in the future. The need for partial exhaustive search in Thm. 4 was caused by the nontrivial preconditions on the inputs. When there are no such preconditions (that is, all 232 values ∆z2 are allowed), we hope that an analytic formula can be derived for optimal differentials, akin to the ones presented in [LM01] for optimal differentials of additions. It might even be true that there is a closed-form formula for optimal differentials when ∆z2 is restricted.

References [BS91]

Eli Biham and Adi Shamir. Differential Cryptanalysis of DES-like Cryptosystems. Journal of Cryptology, 4(1):3–72, 1991. 48 [JK97] Thomas Jakobsen and Lars Knudsen. The Interpolation Attack on Block Ciphers. In Eli Biham, editor, Fast Software Encryption ’97, volume 1267 of Lecture Notes in Computer Science, pages 28–40, Haifa, Israel, January 1997. Springer-Verlag. 48 [LM01] Helger Lipmaa and Shiho Moriai. Efficient Algorithms for Computing Differential Properties of Addition. In Mitsuru Matsui, editor, Fast Software Encryption ’2001, volume 2355 of Lecture Notes in Computer Science, pages 336–350, Yokohama, Japan, 2–4 April 2001. Springer-Verlag, 2002. 49, 52, 55, 56, 58, 60, 61 [Mas93] James L. Massey. SAFER K-64: A Byte-Oriented Block-Ciphering Algorithm. In Ross Anderson, editor, Fast Software Encryption ’93, volume 809 of Lecture Notes in Computer Science, pages 1–17, Cambridge, UK, 9–11 December 1993. Springer-Verlag. 49, 58 [MR02] S. Murphy and M. J. B. Robshaw. Key-dependent S-boxes and Differential Cryptanalysis. Designs, Codes and Cryptography, 27(3):229–255, 2002. 50, 58, 59 [Sch92] Claus-Peter Schnorr. FFT-Hash II, Efficient Cryptographic Hashing. In Rainer A. Rueppel, editor, Advances in Cryptology — EUROCRYPT ’92, volume 658 of Lecture Notes in Computer Science, pages 45–54, Balatonf¨ ured, Hungary, 24–28 May 1992. Springer-Verlag. ISBN 3-540-56413-6. 49 [SKW+ 99] Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall, and Niels Ferguson. The Twofish Encryption Algorithm: A 128-Bit Block Cipher. John Wiley & Sons, April 1999. ISBN: 0471353817. 49, 50, 58

A Variant of NTRU with Non-invertible Polynomials William D. Banks1 and Igor E. Shparlinski2 1

Department of Mathematics, University of Missouri Columbia, MO 65211, USA [email protected] 2 Department of Computing, Macquarie University Sydney, NSW 2109, Australia [email protected]

Abstract. We introduce a generalization of the NTRU cryptosystem and describe its advantages and disadvantages as compared with the original NTRU protocol. This extension helps to avoid the potential problem of finding “enough” invertible polynomials within very thin sets of polynomials, as in the original version of NTRU. This generalization also exhibits certain attractive “pseudorandomness” properties that can be proved rigorously using bounds for exponential sums.

1

A Generalization of NTRU

In this generalization of the original NTRU cryptosystem [5, 6], one selects integer parameters (N, p, q) and four sets Lf , Lg , Lϕ , Lm of polynomials in the ring R = ZZ[X]/(X N − 1) as in the standard version of NTRU. We denote by ⊙ the operation of multiplication in the ring R. The parameters q and p are distinct prime numbers such that gcd(N, q) = 1, and the sets Lf , Lg , Lϕ , Lm are chosen to satisfy the “width condition” p ϕ ⊙ g + f ⊙ m < q for all polynomials f ∈ Lf , g ∈ Lg , ϕ ∈ Lϕ , m ∈ Lm , where for any polynomial F (X) = F0 + F1 X + . . . + FN −1 X N −1 , we define the width of F by F  =

max

0≤ν≤N −1

Fν −

min

0≤ν≤N −1

Fν .

Our extension of the original NTRU scheme can be described as follows. Key Creation. Alice randomly selects polynomials f ∈ Lf , g ∈ Lg and G ∈ R such that G has an inverse modulo q and f has an inverse modulo p. This is easily accomplished since G is allowed to range over all of R, and p will be very small A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 62–70, 2002. c Springer-Verlag Berlin Heidelberg 2002 

A Variant of NTRU with Non-invertible Polynomials

63

in any practical implementation of this scheme. Alice first computes inverses G∗q and fp∗ that satisfy G ⊙ G∗q ≡ 1 (mod q),

f ⊙ fp∗ ≡ 1

(mod p),

(1)

H ≡ G∗q ⊙ f

(mod q).

(2)

then Alice computes the products h ≡ G∗q ⊙ g

(mod q),

Alice publishes the pair of polynomials (h, H) as her public key, retaining (f, g, G) as her private key. The polynomial fp∗ is simply stored for later use, and the polynomial G∗q may be discarded. Encryption. Suppose Bob (the encrypter) wants to send a secret message to Alice (the decrypter). Bob selects a message m from the set of plaintexts Lm . Next, Bob selects a random polynomial ϕ ∈ Lϕ and uses Alice’s public key (h, H) to compute e ≡ p ϕ ⊙ h + H ⊙ m (mod q). Bob then transmits e to Alice. Decryption. Alice has received e from Bob. To decrypt the message, she first computes a ≡ G ⊙ e ≡ p ϕ ⊙ g + f ⊙ m (mod q), choosing the coefficients of a to lie in the interval from −q/2 to q/2. The remainder of our procedure now follows the standard version of NTRU; that is, Alice treats a as a polynomial with integer coefficients and recovers the message by computing m ≡ fp∗ ⊙ a (mod p). One easily verifies that the case G = f corresponds to the classical NTRU cryptosystem (in this case, H = 1, so the public key consists solely of the polynomial h). Moreover, if f (and therefore H) is invertible modulo q, then this generalization is equivalent to the original scheme. Indeed, instead of decrypting e the attacker can try to decrypt
 e ⊙ Hq∗ ≡ p ϕ ⊙ Hq∗ ⊙ h + m (mod q),

where Hq∗ H ≡ 1 (mod q). On the other hand, if f is a zero-divisor in the ring R, then our construction seems to produce a new scheme. The main disadvantage of this scheme versus the classical NTRU scheme is that the public key size and the encryption time are roughly doubled. The advantages are:

◦ This scheme provides more flexibility in the choice of parameters. In particular, it is likely that this generalization is more robust against some of the known attacks on classical NTRU. In particular, for a lattice attack (which is by far the most “dangerous” threat to NTRU), in this setting one must work with more general lattices than in the original scheme.

64

William D. Banks and Igor E. Shparlinski

◦ One can prove some theoretical results about the set of inverses G∗q . In particular, although the issue has never been doubted in practice, it is not clear how to prove rigorously that there exist “enough” invertible polynomials f ∈ Lf in the NTRU scheme. In our scheme, G is selected from the entire ring R, and the density of invertible polynomials has been explicitly evaluated in [11]. One can also prove some rigorous statements concerning the distribution of h and H, and also about the distribution of e (thus showing that the ciphertext e and the plaintext message m are uncorrelated ). ◦ One can select G to have very small degree, which will speed-up the decryption procedure as compared with the original NTRU scheme. ◦ It is possible to select h once and for all as a universal quantity (thus reducing the public key size), or it can be selected to have a certain special form (to speed-up the encryption), although it is not clear whether or not these choices might compromise the security of this scheme; this question should be studied in more detail. With such a modification, G would be computed in terms of f , g, and h, and the public key size be roughly the same as for classical NTRU. In what follows, we present rigorous proofs of some of the theoretical results alluded to above. In particular, we show that for almost all G ∈ R∗ , the set of polynomials {p ϕ ⊙ h}, where h is defined by (1) and (2) and ϕ runs over the set Lϕ (which can be rather arbitrary), is uniformly distributed. This means that for almost all G, the message m (or, equivalently, the product H ⊙ m) is reliably concealed by adding {p ϕ ⊙ h}.

2

Character Sums

Let Rq be the reduction of R modulo q, and let R∗q be the set of invertible polynomials in Rq . We use ⊙ for multiplication in the ring Rq . Recall that the cardinality of R∗q is given by an analogue of the Euler function |R∗q | = q N

r 

(1 − q −nj )

(3)

j=1

where n1 , . . . , nr are the degrees of the r ≥ 1 irreducible divisors of X N − 1. Though we will not need this, a more explicit expression for nj ’s (hence also for |R∗q |) is given in [11]; see also Section 6.5 of [3] and Section 7.5 of [10]. Let X N − 1 = Ψ1 (X) . . . Ψr (X) be the complete factorization of X N − 1 into irreducible polynomials in the ring Rq . Because gcd(N, q) = 1, we see that X N −1 is square-free in Rq , hence all of these factors are pairwise distinct. We recall that IFq [X]/Φ(X) ∼ = IFqm for any irreducible polynomials Φ(X) ∈ IFq [X] with deg Φ = m. For each j = 1, . . . , r, we fix a root αj of Ψj (X), and denote (4) IKj = IFqnj = IFq (αj ) ∼ = IFq [X]/Ψj (X).

A Variant of NTRU with Non-invertible Polynomials

65

where nj = deg Ψj . For each j, let nj −1

Trj (z) =



zq

k

k=0

be the trace of z ∈ IKj to IFq . We denote by A the direct product of fields A = IK1 × . . . × IKr , and we have a natural isomorphism Rq ∼ = IK1 × . . . × IKr = A

(5)

given by the map that sends f ∈ Rq to af = (f (α1 ), . . . , f (αr )) ∈ A. In particular, the relation (3) from immediately from (5). For every vector a = (a1 , . . . , ar ) ∈ A, let χa be the character of Rq given by χa (f ) =

r 

e (Trj (aj f (αj ))) ,

f ∈ Rq ,

j=1

where e(z) = exp(2πiz/q). It is easy to shown that {χa | a ∈ A} is the complete set of additive characters of Rq . In particular, for any polynomial f ∈ Rq , one has   0, if f = 0, χa (f ) = (6) q N , if f = 0. a∈A

Our main results rely on an upper bound for character sums of the form         Wa (L) = a ∈ A. χa (Q ⊙ ϕ) ,    Q∈R∗ q ϕ∈L

To estimate these sums, we need the following identity (see Section 1 of Chapter 5 of [9])   0, if c = 0, e(Trj (xj c)) = (7) q nj , if c = 0, xj ∈IKj

which holds for any c ∈ IKj , j = 1, . . . , r. Lemma 1. Let a = (a1 , . . . , ar ) ∈ A and let J ⊆ {1, . . . , r} be the set of j with aj = 0. Then the bound  Wa (L) ≤ |R∗q |1/2 |L|1/2 q N/2 q nj /2 j ∈J

holds.

66

William D. Banks and Igor E. Shparlinski

Proof. Using the Cauchy inequality and extending the summation over all polynomials Q ∈ Rq , we derive  2      2 ∗  Wa (L) ≤ |Rq | χa (Q ⊙ ϕ)   Q∈Rq ϕ∈L   = |R∗q | χa (Q ⊙ (ϕ1 − ϕ2 )) Q∈Rq ϕ1 ,ϕ2 ∈L

≤ |R∗q |



r  

e (Trj (aj Q(αj ) (ϕ1 (αj ) − ϕ2 (αj )))) .

ϕ1 ,ϕ2 ∈L Q∈Rq j=1

From the isomorphism (5), we see that as Q runs over the set Rq the vector (Q (α1 ) , . . . , Q (αr )) runs through the set IK1 × . . . × IKr . Therefore Wa (L)2 ≤ |R∗q |



r  

e (Trj (aj xj (ϕ1 (αj ) − ϕ2 (αj ))))

ϕ1 ,ϕ2 ∈L j=1 xj ∈IKj

= |R∗q |



q nj

j ∈J



 

e (Trj (aj xj (ϕ1 (αj ) − ϕ2 (αj )))) .

ϕ1 ,ϕ2 ∈L j∈J xj ∈IKj

From (7) we see that the product vanishes if ϕ1 (αj ) = ϕ2 (αj ) for some j ∈ J , and    q nj e (Trj (aj xj (ϕ1 (αj ) − ϕ2 (αj )))) = j∈J

j∈J xj ∈IKj

otherwise. Since {Ψj | j = 1, . . . , r} are irreducible polynomials, the condition ϕ1 (αj ) = ϕ2 (αj ) is equivalent to Ψj (ϕ1 − ϕ2 ). Hence Wa (L)2 ≤ |R∗q |q N M (J ),

where M (J ) is the number of pairs ϕ1 , ϕ2 ∈ L with  Ψj ). ϕ1 ≡ ϕ2 (mod j∈J

For each ϕ1 ∈ L there are at most   qN q −nj = q nj j∈J

j ∈J

such values for ϕ2 . Consequently M (J ) ≤ |L|



q nj ,

j ∈J

and the lemma follows.

⊔ ⊓

A Variant of NTRU with Non-invertible Polynomials

3

67

Uniformity of Distribution

If we assume for simplicity that g ∈ Lg is invertible modulo q, it follows that Q = p G∗q ⊙ g runs through the entire set R∗q together with G. Thus it suffices to study the distribution of {Q ⊙ ϕ | ϕ ∈ L} “on average” for Q ∈ R∗q . We remark that the condition g ∈ R∗q is equivalent to gcd(g, X N − 1) = 1, and we will always need a condition of this type in any case; otherwise, the number of possible values for h becomes too small, and the cryptosystem is then vulnerable to a brute force attack. Given polynomials S ∈ Rq and Q ∈ R∗q , a set L ⊆ Rq , and an integer d, we denote by Nd (S, Q, L) the number of polynomials ϕ ∈ L such that the inequality deg(S − Q ⊙ ϕ) < d holds. Thus, roughly speaking, Nd (S, Q, L) counts how many products Q ⊙ ϕ with ϕ ∈ L are “close” to the given polynomial S. Our main result claims that this number is very close to the expected value for almost all polynomials Q ∈ R∗q . In particular, this means that for almost all polynomials Q ∈ R∗q , the encryptions e (of the same message m) in our modification of NTRU, obtained with randomly chosen polynomials ϕ ∈ Lϕ , are uniformly distributed in R. Theorem 1. For q ≥ 5, the bound   −1/2 1   |L|  Nd (S, Q, L) − N −d  ≤ 3N q |L|1/2  ∗ |Rq | q ∗ Q∈Rq

holds.

Proof. Clearly, Nd (S, Q, L) = q −d Td (S, Q, L), where Td (S, Q, L) is the number of representations Q ⊙ ϕ = S + ψ1 − ψ2 with ϕ ∈ L and polynomials ψ1 , ψ2 ∈ Rq of degree at most d − 1. From the identity (6) we derive   1  Td (S, Q, L) = N χa (Q ⊙ ϕ − S − ψ1 + ψ2 ) q ψ ,ψ ∈Rq ϕ∈L

=

1 2 deg ψ1 ,deg ψ2 ≤d−1

a∈A

 1  χa (−S) χa (Q ⊙ ϕ) N q a∈A

ϕ∈L



χa (ψ2 − ψ1 )

ψ1 ,ψ2 ∈Rq deg ψ1 ,deg ψ2 ≤d−1

 2        1   = N χa (−S) χa (Q ⊙ ϕ)  χa (ψ) .  ψ∈R  q q a∈A ϕ∈L  deg ψ≤d−1 

The term corresponding to a = 0 is equal to q 2d−N |L|. For any nonempty set J ⊆ {1, . . . , r}, let AJ be the subset of A consisting of all a = (a1 , . . . , ar ) such that aj = 0 whenever j ∈ J . Then we obtain 2                 1 |L|    ≤ Td (S, Q, L) − χa (Q ⊙ ϕ)  χa (ψ) .    N −2d N   q q J ⊆{1,...,r} a∈A    ψ∈Rq ϕ∈L J  J = ∅ deg ψ≤d−1 a =0

68

William D. Banks and Igor E. Shparlinski

Applying Lemma 1, it follows that      Td (S, Q, L) − |L|   q N −2d  Q∈R∗ q

≤ |R∗q |1/2 |L|1/2 q −N/2



J ⊆{1,...,r} J = ∅



q nj /2

j ∈J

It is easy to see that  2         χa (ψ)    a∈AJ  ψ∈Rq  deg ψ≤d−1 a =0  2        2d = −q + χa (ψ)   ψ∈R  q a∈AJ   deg ψ≤d−1   χa (ϕ − ψ) = −q 2d + ϕ,ψ∈Rq deg ϕ,deg ψ≤d−1



= −q 2d +

ϕ,ψ∈Rq deg ϕ,deg ψ≤d−1

= −q 2d + U



2          χa (ψ) .    ψ∈Rq a∈AJ   deg ψ≤d−1 a =0

a∈AJ

 

e (Trj (aj (ϕ (αj ) − ψ (αj ))))

a∈AJ j∈J

q nj ,

j∈J

where U is the number of pairs of ϕ, ψ ∈ Rq with deg ϕ, deg ψ ≤ d − 1 and such that ϕ (αj ) = ψ (αj ) for all j ∈ J . Since this condition is equivalent to the polynomial congruence  Ψj (X)), ϕ(X) ≡ ψ(X) (mod j∈J

we derive that U= Hence, in either case

   q 2d q −nj ,

if d ≥

qd ,

0 ≤ −q 2d + U



j∈J

nj ,

j∈J

j∈J





otherwise. q nj ≤ q d



q nj ,

j∈J

and consequently 2          q nj . χa (ψ) ≤ q d    ϕ∈Rq a∈AJ  j∈J  deg ϕ≤d−1 a =0

A Variant of NTRU with Non-invertible Polynomials

69

Therefore, we have   |L|  1   (S, Q, L) − T  d |R∗q | q N −2d  Q∈R∗ q  ≤ |R∗q |−1/2 |L|1/2 q d−N/2

J ⊆{1,...,r} J = ∅



= |R∗q |−1/2 |L|1/2 q d

J ⊆{1,...,r} J = ∅



= |R∗q |−1/2 |L|1/2 q d  < |R∗q |−1/2 |L|1/2 q d

r 

j=1

r 

j=1





q nj /2



q nj

j∈J

j ∈J

q nj /2

j∈J



1 + q nj /2 − 1



1 + q nj /2

r


−1/2 = |L|1/2 q d−N/2 1 + q nj /2 1 − q −nj j=1

r


−1/2 = |L|1/2 q d 1 + q −nj /2 . 1 − q −nj j=1

Since (1 − x2 )−1/2 (1 + x) < 3x for every x in the open interval 0 < x < 1/2, and each term q −nj /2 lies in this interval since q ≥ 5, we have r r r

  
 −1/2 −1/2 −nj −1/2 q−nj /2 −nj /2 1+q < 3q ≤ 3N q . 3 ≤ 1−q

j=1

j=1

j=1

Consequently   −1/2 1   |L|  Td (S, Q, L) − N −2d  < q d 3N q |L|1/2 ,  ∗ |Rq | q ∗ Q∈Rq

and the theorem follows immediately.

4

⊔ ⊓

Remarks

We remark that for the special set Lϕ considered in [5], the bound on M (J ) in Lemma 1 can be improved, which leads to a stronger bound in Theorem 1. We have already mentioned that using polynomials G of small degree can speed up the decryption procedure. It has been shown in [1] that using the method of [7, 8] (see also [4]), one can obtain an analogue of Theorem 1 for polynomials G of the form G = G1 G2 where G1 , G2 are irreducible polynomials of very small degree; see also [2].

70

William D. Banks and Igor E. Shparlinski

The above result is just one out of many other statements of similar nature which can be proved for the generalization of NTRU introduced in this paper. Finally, we remark that an analogue of Theorem 1 can be obtained in any polynomial ring of the form IFq [X]/F (X), where F (X) ∈ IFq [X] is a square-free polynomial.

Acknowledgement We thank Jeffrey Hoffstein, Daniel Lieman and Joe Silverman for attracting our interest in this problem and for many fruitful discussions. Work supported in part by NSF grant DMS-0070628 (W. Banks) and by ARC grant A00000184 (I. Shparlinski).

References [1] W. Banks, A. Harcharras and I. E. Shparlinski, ‘Short Kloosterman sums for polynomials over finite fields’, Canad J. Math., (to appear). 69 [2] W. Banks and I. E. Shparlinski, ‘Distribution of inverses in polynomial rings’, Indag. Math., 12 (2001), 303–315. 69 [3] E. R. Berlekamp, Algebraic coding theory, McGraw-Hill, New York, 1968. 64 [4] J. Friedlander and H. Iwaniec, ‘The Brun–Titchmarsh theorem’, Analytic Number Theory, Lond. Math. Soc. Lecture Note Series 247, 1997, 363–372. 69 [5] J. Hoffstein, J. Pipher and J. H. Silverman, ‘NTRU: A ring based public key cryptosystem’, Lect. Notes in Comp. Sci., Springer-Verlag, Berlin, 1433 (1998), 267–288. 62, 69 [6] J. Hoffstein and J. H. Silverman, ‘Optimizations for NTRU’, Proc. the Conf. on Public Key Cryptography and Computational Number Theory, Warsaw, 2000 , Walter de Gruyter, 2001, 77–88. 62 [7] A. A. Karatsuba, ‘Fractional parts of functions of a special form’, Izv. Ross. Akad. Nauk Ser. Mat. (Transl. as Russian Acad. Sci. Izv. Math.), 55(4) (1995), 61–80 (in Russian). 69 [8] A. A. Karatsuba, ‘Analogues of Kloosterman sums’, Izv. Ross. Akad. Nauk Ser. Mat. (Transl. as Russian Acad. Sci. Izv. Math.), 55(5) (1995), 93–102 (in Russian). 69 [9] R. Lidl and H. Niederreiter, Finite fields, Cambridge University Press, Cambridge, 1997. 65 [10] F. J. MacWilliams and N. J. A. Sloane, The theory of error-correcting codes, North-Holland, Amsterdam, 1977. 64 [11] J. H. Silverman, ‘Invertibility in truncated polynomial rings’, NTRU Cryptosystem Tech. Report 9 , 1998, 1–8. 64

Tree Replacement and Public Key Cryptosystem S.C. Samuel1 , D.G. Thomas2 , P.J. Abisha2 , and K.G. Subramanian2 1

2

Department of Mathematics, Voorhees College Vellore - 632 001, India Department of Mathematics, Madras Christian College, Tambaram Chennai - 600 059, India [email protected]

Abstract. In this paper, a public key cryptosystem based on tree replacement system is proposed. Keywords: public key cryptosystem (PKC), tree replacement system, Church-Rosser tree replacement system, word problem.

1

Introduction

There has been a lot of interest in the construction of safe and effective public key cryptosystems, which ensure secrecy of data. The basic idea of a public key cryptsystem (PKC) is due to Diffe and Hellman [1]. In a PKC, the encryption key is made public but the decryption key with a trapdoor is kept secret. Both encryption and decryption are made ‘easy’ but cryptanalysis, breaking the code without the knowledge of the trapdoor, is made ‘hard’. Several public key cryptosystems based on different principles are known. Knapsack system and RSA system are two well known public key cryptosystems that are widely studied. Recently, some public key cryptosystems have been designed as interesting applications of formal language theory to cryptography [3,6]. One such PKC based on word problem is to use a Churh-Rosser Thue system T , for which the word problem [4,7] is solvable and convert it into a general Thue System S, (for which the word problem is unsolvable), using a morphism g, which is the trapdoor function. Encryption of plaintext is done with S and decryption with T . Trees are one of the data structures used frequently for organizing information. Their applications include sorting and pattern matching. The importance of trees is reflected in the fact that many studies on strings are extended to trees, yielding fruitful results. Messages such as picture messages can be encoded as trees. It is therefore natural to think of construction of PKCs to take care of such messages in the form of trees. Here we consider tree rewriting [2] instead of string rewriting and extend the notions of encryption and decryption to trees. Basically the idea is to consider a Church-Rosser tree rewriting system and convert it into a general tree rewriting system for which the word problem is unsolvable using a morphism. The latter is used in encryption part and the former is used in decryption part. The trapdoor, which is kept secret, helps to convert the specific A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 71–78, 2002. c Springer-Verlag Berlin Heidelberg 2002


72

S.C. Samuel et al.

tree rewriting system to a general tree rewriting system. Hence the encryption and decryption are easy.

2

Preliminaries

We recall the definitions of ranked alphabets, trees, tree composition, tree replacement systems and related results [2,5] in this section. 2.1 Definition A ranked alphabet Σ is a set together with a rank function r : Σ → N , where N denotes the set of nonnegative integers. Every symbol f in Σ of rank r(f ) = n is said to have arity n. Symbols of arity zero are also called constants. 2.2 Definition A tree domain D is a non empty subset of strings over N satisfying the following conditions : 1. for each u in D, every prefix v of u is also in D. 2. For each u in D, for every positive integer i, if ui is in D then, for every j, 1 ≤ j ≤ i, uj is also in D. 2.3 Definition A Σ-tree (for short, a tree) is a function t : D → Σ such that: 1. D is a tree domain. 2. For every u in D, if n = card({i ∈ N |ui ∈ D}), then n = r(t(u)) the arity of the symbol labeling u in t. Given a tree t, its domain is denoted as dom(t). The elements of the domain are called nodes or tree addresses. A node u is a leaf if card({i ∈ N |ui ∈ D}) = 0. The node corresponding to the empty string is the root of the tree and is denoted by ǫ. The null tree is denoted as λ. Given a tree t, two addresses u, v in dom(t) are indepdendent if u is not a prefix of v and v is not a prefix of u (that is, there is no w such that u = vw or v = uw). Otherwise u and v are dependent and if, say v = uw, u is an ancestor of v. 2.4 Definition Given a tree t and a tree address u in dom(t), the subtree of t at u, denoted as t/u, is the tree whose domain is the set dom(t/u) = {v ∈ N ∗ |uv ∈ dom(t)} and such that t/u(v) = t(uv) for every v in dom(t/u). A tree is finite if its domain is finite. The set of finite Σ-trees is denoted as TΣ . 2.5 Definition Let X = {x1 , x2 , ...} be a countable set of variables, and let Xm = {x1 , x2 , ..., xm }. Adjoining the set X to the constants in Σ, we obtain the set of trees TΣ (X) with variables and similarly adjoining Xm , we obtain TΣ (Xm ). The set (TΣ (Xm ))n of n-tuples of trees with variables from Xm is denoted as TΣ (m, n). Hence TΣ (Xm ) and TΣ (m, 1) denote the same set of trees. In particular let the variable set contains a single variable x then TΣ (1, 1) denotes the set of trees over the singleton set X.

Tree Replacement and Public Key Cryptosystem

73

We now introduce two operations composition and tree replacement on trees. 2.6 Definition Given t = (t1 , t2 , ..., tn ) in TΣ (m, n) and s in TΣ (n, 1), their composition is the tree denoted by s ◦ t = s(t1 , t2 , ..., tn ) and defined by the set of pairs {(v, s(v))|v ∈ dom(s), s(v) ∈ Xm }∪ {(uv, ti (v))|u ∈ dom(s), v ∈ dom(ti ), s(u) = xi , 1 ≤ i ≤ n}. Tree composition is extended to tuples as follows : Given t = (t1 , t2 , ..., tn ) in TΣ (m, n) and s = (s1 , s2 , ..., sp ) in TΣ (n, p), then s ◦ t = (s1 (t1 , t2 , ..., tn ), s2 (t1 , t2 , ..., tn ), ..., sp (t1 , t2 , ..., tn )) We can extend this notion for three trees t1 , t2 , t3 in TΣ (n, n) as t1 ◦ t2 ◦ t3 = t1 ◦ (t2 ◦ t3 ) and similarly for n trees t1 , t2 , ..., tn in TΣ (n, n) as t1 ◦ t2 ◦ ... ◦ tn = t1 ◦ t2 ◦ ... ◦ (tn−1 ◦ tn ) For the trees t and s in TΣ (1, 1), their composition is thus defined as s ◦ t = {(v, s(v))|v ∈ dom(s), s(v) = x} ∪ {(uv, t(v))|u ∈ dom(s), v ∈ dom(t), s(u) = x} For convenience s ◦ t is denoted as st. 2.7 Definition Given a tree t1 , an address u in dom(t1 ), and another tree t2 , the tree obtained by replacement of t2 for u in t1 is the tree denoted as t1 [u ← t2 ] defined by the set of pairs {(v, t1 (v))|v ∈ dom(t1 ), u is not a prefix of v}∪ {(uv, t2 (v)|v ∈ dom(t2 )}. 2.8 Definition A substitution is any function h : X → TΣ (X). Since TΣ (X) is the free algebra over the set X, every substitution extends uniquely to a unique ¯ : TΣ (X) → TΣ (X), that is to a function h ¯ such that homomorphism h ¯ h(x) = h(x) for every x in X, ¯ h(f (t1 , t2 , ..., tn )) = f (h(t1 ), ..., h(tn )) if r(f ) ≥ 1, ¯h(a) = h(a) for a constant a. 2.9 Definition A set of rules S over TΣ (X) is a subset of TΣ (X) × TΣ (X). Each pair (s, t) in S is called a rule.

74

S.C. Samuel et al.

2.10 Definition The congruence generated by S is the reflexive transitive closure ↔∗ of the relation ↔ defined as follows: for any two trees t1 and t2 in TΣ (X), t1 ↔ t2 if and only if there is some tree T in TΣ (X), some tree address u both in dom(t1 ) and dom(t2 ), some pair (s, t) such that either (s, t) or (t, s) is a rule in S, some substitution h : V ar(s) ∪ V ar(t) → TΣ (X), and t1 = ¯ ¯ T [u ← h(s)], t2 = T [u ← h(t)] where V ar(t) = {xi ∈ X|∃u ∈ dom(t), t(u) = xi }. 2.11 Definition Two trees t1 and t2 are congruent (modS) if t1 ↔∗ t2 . The class of trees that are congruent to t1 is [t1 ] = {ti |t1 ↔∗ ti }. 2.12 Definition Given a set of rules S over a set of trees TΣ (X) the relation → is defined as t → s if and only if t ↔ s and size(t) > size(s), ∀t, s ∈ TΣ (X) where size(t) denotes the number of nodes in the tree domain of t. →∗ is the reflexive transitive closure of →. (S, →) is called a tree replacement system. 2.13 Definition Given a tree replacement system (S, →), a tree t is irreducible (modS) if there is no tree t′ such that t → t′ . 2.14 Definition A tree replacement system (S, →) is Church-Rosser if, for all t1 , t2 with t1 ↔∗ t2 , there exists t3 such that t1 →∗ t3 and t2 →∗ t3 . 2.15 Word problem The word problem for a tree replacement system (S, →) is that given any two trees s, t in TΣ (X) to decide whether s and t are congruent to each other or not. The word problem is undecidable in general for many tree replacement systems but it is proved in [2] that the word problem for any Church-Rosser tree replacement system is decidable in linear time.

3

Construction of PKC

We now propose a public key cryptosystem based on trees. Consider a Church-Rosser tree replacement system (S, →) over an alphabet Σ. Choose n trees t1 , t2 , ..., tn in TΣ (X) such that no two trees are congruent to each other and each tj is irreducible with respect to S. Let ∆ be a new alphabet of cardinality much greater than that of Σ. Let g : ∆ → Σ ∪ {λ} be a morphism. It can be extended to morphism in which every tree of T∆ (X) is mapped onto a tree of TΣ (X) or to the null tree. ¯ →) over the alphabet 3.1 Encryption Consider a tree replacement system (S, ∗ ¯ ∆ where S ⊆ {(s, t)/g(s) ↔ g(t) with respect to S}. The rules (s, t) in S¯ are selected with the following condition : If a node in t is labelled by a dummy symbol (i.e., a symbol in ∆ which is mapped to λ ∈ Σ by g) then atmost one of its children is labelled by a symbol which is not a dummy symbol. i.e., either all of its children are labelled by dummy symbols or excepting one child, other

Tree Replacement and Public Key Cryptosystem

75

children are labelled by dummy symbols. This requirement enables the correct decryption by merging all the children with the father in g(t) (See Decryption procedure). Choose n trees s1 , s2 , ..., sn ∈ T∆ (X) so that each sj ∈ g −1 ([tj ]), for ¯ s1 , s2 , ..., sn ). some j = 1, 2, ..., n. The public encryption key is (S, The encryption of a plain text is done as follows : Let the plaintext be any word over {1, 2, ..., n}. For example, let p = p1 p2 ...pk where each pj ∈ {1, 2, ..., n}. The tree T corresponding to the plain text p is sp1 sp2 ...spk . Then the encryption of T is done by taking the encryption for each spj and making the composition of the encrypted trees preserving the order of composition in T . Here the encryption of spj is a tree s′pj ∈ [spj ] where spj is a member of g −1 ([tpj ]). This yields the ciphertext of the tree T in the form Q = s′p1 s′p2 ...s′pk . Decryption The secret decryption key is (S, t1 , t2 , ..., tn , g). If Q is a tree in the encrypted form, then g(Q) = t′p1 t′p2 ...t′pk where t′pj ∈ [tpj ]. It should be noted that if λ is the label of a node which is not a leaf, it is replaced by the label of its child, which is not λ, and if λ is the label of a leaf node, then this node is neglected. Since S is Church-Rosser, tpj can be computed from t′pj . Hence the tree tp1 tp2 ...tpk can be recovered yielding the plain text message p1 p2 ...pk . Example: Let Σ = {a, b, c, d, e, f, g} and X = {x} with r(e) = 2, r(a) = r(b) = r(c) = 1, r(d) = r(f ) = r(g) = 0. Consider the Church-Rosser tree replacement system S, with the following three rules : (See Fig. 1) The above trees can be expressed in the form of functions as a(d) ↔ a(a(d)) b(d) ↔ e(f, b(d)) c(d) ↔ e(g, b(d)) Let t1 and t2 be two trees in TΣ (X) such that they are irreducibles (modS) and t1 is not congruent to t2 with respect to S. Two such trees are given in Fig. 2. The above trees can be expressed as t1 = e(a(d), e(x, c(d)) and t2 = e(e(x, c(d)), b(d)). Now we consider the alphabet ∆ = {c1 , c2 , ..., c17 } and define the morphism g as follows : g(c1 ) = f, g(c17 ) = g, g(c4 ) = g(c14 ) = c, g(c7 ) = g(c13 ) = d, g(c3 ) = g(c8 ) = g(c11 ) = a, g(c6 ) = g(c10 ) = g(c15 ) = b g(c5 ) = g(c9 ) = g(c16 ) = λ, g(c2 ) = g(c12 ) = e. Now a general tree replacement system S¯ corresponding to the above ChurchRosser system S is given by c3 (c7 ) ↔ c8 (c8 (c7 )) ↔ c11 (c5 (c3 (c13 ))) ↔ c5 (c3 (c13 )) ↔ c16 (c9 , c8 (c8 (c7 ))) c6 (c13 ) ↔ c2 (c1 , c10 (c7 )) ↔ c12 (c1 , c5 (c6 (c13 )))

76

S.C. Samuel et al.

a a a d d

e

b

b

f

d

d e

c

d

b

g

d

Fig. 1. Rules of S c4 (c7 ) ↔ c12 (c17 , c6 (c13 )) ↔ c5 (c9 , c4 (c7 )) c9 ↔ c5 (c16 , c9 ), c16 ↔ c9 (c5 ) The trees s1 and s2 given below are selected such that g(s1 ) ∈ [t1 ] and g(s2 ) ∈ [t2 ]. s1 = c5 (c12 (c3 (c7 ), c2 (x, c4 (c7 ))), c9 (c16 )) s2 = c5 (c2 (c12 (x, c4 (c7 )), c6 (c13 )), c5 (c16 , c9 )) If the plain text is p = 212, then consider the tree T = s2 s1 s2 . After the application of the tree replacement rules in S¯ several times in s1 , s2 respectively, we get s1 ↔∗ s′1 where s′1 = c5 (c12 (c16 (c9 , c11 (c16 (c9 , c11 (c3 (c7 ))))),

Tree Replacement and Public Key Cryptosystem

tree t 2

tree t 1

e

e

e

a

x

d

e

c

d

b

c

x

d

d

Fig. 2. Irreducible trees which are not congruent c2 (x, c5 (c9 , c12 (c17 , c6 (c13 ))))), c9 (c16 )); ∗

s2 ↔

s′2

77

where s′2 = c5 (c2 (c12 (x, c5 (c9 , c4 (c7 ))), c12 (c1 , c5 (c2 (c1 , c10 (c7 ))))), c5 (c9 (c5 ), c5 (c16 , c5 (c16 , c5 (c9 (c5 ), c9 )))))

and s2 ↔∗ s′′2 where s′′2 = c5 (c2 (c12 (x, c5 (c9 , c12 (c17 , c12 (c1 , c5 (c2 (c1 , c10 (c7 ))))))), c12 (c1 , c5 (c6 (c13 )))), c5 (c16 , c9 )) The composition is done as follows : s′2 s′1 = c5 (c2 (c12 (c5 (c12 (c16 (c9 , c11 (c16 (c9 , c3 (c7 )))), c2 (x, c5 (c9 , c12 (c17 , c16 (c13 ))))), c9 (c16 )), c5 (c9 , c4 (c7 ))), c12 (c1 , c5 (c2 (c1 , c10 (c7 ))))), c5 (c9 (c5 ), c5 (c16 , c5 (c16 , c5 (c9 (c5 ), c9 ))))) and Q = s′2 s′1 s′′2 = c5 (c2 (c12 (c5 (c12 (c16 (c9 , c11 (c16 (c9 , c3 (c7 ))))), c2 (c5 (c2 (c12 (x, c5 (c9 , c12 (c17 , c12 (c1 , c5 (c2 (c1 , c10 (c7 ))))))), c12 (c1 , c5 (c6 (c13 )))), c5 (c16 , c9 )), c5 (c9 , c12 (c17 , c6 (c13 ))))),

78

S.C. Samuel et al.

c9 (c16 )), c5 (c9 , (c4 (c7 ))), c12 (c1 , c5 (c2 (c1 , c10 (c7 ))))), c5 (c9 (c5 ), c5 (c16 , c5 (c16 , c5 (c9 (c5 ), c9 ))))) Applying the morphisms g on Q the above expression becomes g(Q) = λ(e(e(λ(e(λ(λ, a(λ(λ, a(d))))), e(λ(e(e(x, λ(λ, e(g, e(f, λ(e(f, b(d))))))), e(f, λ(b(d)))), λ(λ, λ)), λ(λ, e(g(b(d))))), λ(λ)), λ(λ, c(d))), e(f, λ(e(f, b(d))))), λ(λ(λ), λ(λ, λ(λ, λ(λ(λ), λ))))) Neglecting the null trees, the expression reduces to the form e(e(e(a(a(d))))), e(e(e(x, e(g, e(f, e(f, (b(d))))), e(f, b(d))))), e(g, b(d)))))), c(d), e(f, e(f, b(d)))))) Applying the Church-Rosser congruence relations the above expression reduces to e(e(e(a(d))), e(e(e(x, c(d))))), b(d), c(d), c(d), b(d))))) which is the composition t 2 t1 t2 of trees t1 , t2 and hence the required message 212 is received.

References [1] Diffie, W., and Hellman, M. E., New Directions in Cryptography, IEEE Transactions on Information Theory, Vol. IT - 22, No. 6, (1976), 644-654. [2] Gallier, J. H., and Book, R. V., Reductions in tree replacement systems, Theo. Comp. Sci. 37 (1985), 123-150. [3] Niemi, V., Cryptology: Language Theoretic Aspects, Handbook of Formal Languages, Vol. 2 (Editors : G. Rozenberg and A. Salomaa), Springer Verlag (1997), 507-524. [4] Oleshchuk, V. A., On public key cryptosystems based on Church-Rosser string rewriting systems, Proceedings of Computing and Combinatorics ’95 conference, LNCS 959, Springer-Verlag, (1995), 264-269. [5] Rosen, B. K., Tree-manipulating systems and Church-Rosser theorem, J. ACM 20 (1973), 160-187. [6] Salomaa, A., Computation and Automata, Cambridge University Press, 1985. [7] Siromoney, G., Siromoney, R., Subramanian, K. G., Dare, V. R., and Abisha, P. J., Generalised Parikh vector and public key cryptosystems in “A perspective in Theoretical Computer Science – Commemorative volume for Gift Siromoney”, Ed. R. Narasimhan, World Scientific, (1989), 301-323.

Never Trust Victor: An Alternative Resettable Zero-Knowledge Proof System Olaf M¨ uller and Michael N¨ usken Faculty of Computer Science, Electrical Engineering and Mathematics, University of Paderborn {olafmue,nuesken}@upb.de http://www.olaf-mueller.net/ http://www-math.upb.de/~nuesken/

Abstract. We present a new resettable zero-knowledge proof system for graph 3-colorability with round complexity O(u(n) log2 n), where u : N → R>0 is any unbounded function and n denotes the number of vertices in the graph. Furthermore, we present a new formulation of the definition of resettable zero-knowledge and define and implement a knowledgeable commitment scheme: after the commitment phase the receiver is convinced that the sender knows a valid decommitment. This remains true even if the receiver is resettable, albeit with the drawback of non-constant round complexity. This is achieved by appending a resettable perfect witness-indistinguishable proof of knowledge of a decommitment to the original commit phase. We base all our constructions on a standard intractability assumption: the hardness of one of the many variants of the discrete logarithm problem.

The starting point of our investigation is the constant-round zero-knowledge proof system for graph 3-colorability by Goldreich & Kahan (1996). Canetti, Goldreich, Goldwasser & Micali (2000b) show that it is resettable witness-indistinguishable if the prover obtains its random bits by applying a pseudo-random function to all previous messages. But they did not succeed in proving that it is resettable zero-knowledge. The crux of the problem is this: we cannot rule out the possibility that a malicious verifier does not know decommitments to its own commitments until after a lengthy conversation with the prover. Richardson & Kilian (1999) improve on an idea by Feige, Lapidot & Shamir (1999), the so-called FLS-paradigm, and prepend a preliminary phase to the protocol by Goldreich & Kahan (1996) that allows the simulator to obtain an alternative witness for a slightly weakened N P statement. This way they obtain a concurrent zero-knowledge proof with nε rounds. During the preliminary phase the prover and the verifier exchange commitments to random bit strings. A witness for the weakened N P statement can be obtained by matching a pair of strings, which is often possible for the simulator but no prover can cause this to happen with more than negligible probability. Richardson & Kilian (1999) have this to say about their own protocol:

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 79–92, 2002. c Springer-Verlag Berlin Heidelberg 2002


80

Olaf M¨ uller and Michael N¨ usken

Finally, it is paradoxical that such seemingly meaningless alterations in the protocol can restore zero-knowledge. Intuitively, it seems implausible that the protocol has been made more secure in practice. Canetti et al. (2000b) also use such a preliminary phase to obtain a resettable zero-knowledge proof system. Recent investigations on lower bounds culminated in the proof that “black˜ box concurrent zero-knowledge requires Ω(log n) rounds” by Canetti, Kilian, Petrank & Rosen (2001). Thus the latest improvement by Kilian, Petrank & Richardson (2001), who construct a refined simulator which allows them to reduce the length of the preliminary phase to O(u(n) log2 n) rounds, is nearly optimal concerning the number of rounds. Yet, this protocol still suffers from the lack of intuitive comprehensibility. Barak (2001) discovered “How to Go Beyond the Black-Box Simulation Barrier”. His protocol needs only a constant number of rounds and allows simulation in strict polynomial time. However, it is only computationally sound and bounded-concurrency zero-knowledge. The idea of our protocol is quite simple: We observe that in the resettable witness-indistinguishable protocol by Canetti et al. (2000b), the prover trusts the verifier (Victor!) to know valid decommitments to its edge query commitments. Consequently, in our protocol, after committing to its edge queries the verifier has to prove that it knows valid decommitments for its message by participating in a “resettable” proof of knowledge with negligible knowledge error. The simulator uses a “resettable” knowledge extractor to obtain the queried edges before it has to commit to colorings and may thus commit to locally correct ones. This way the simulator achieves the same kind of faked 3-colorings as the one in Goldreich & Kahan (1996). It is hardly surprising that the simulation techniques from Kilian et al. (2001) can be made to work for our protocol, since the structure with respect to message rounds is very similar. However, the semantics of the messages is completely different, both in the first and the second part of the proofs. Like Kilian et al. (2001) we obtain a resettable zero-knowledge proof system with O(u(n) log2 n) rounds, which is the state of the art for black-box resettable zero-knowledge proof systems without setup assumptions. In contrast to its predecessors our protocol is fully specified and makes no use of the fact that every N P statement has a constant-round resettable witnessindistinguishable proof. Consequently, we can easily count the number of bit operations and transferred bits. So far no explicit reduction of the weakened N P statement back to 3-colorability has been presented, but the size of the formula alone allows us to conclude that the Richardson & Kilian type protocols are more expensive than ours. A disadvantage of our protocol is the fact that it is based on the hardness of the discrete logarithm problem modulo primes rather than the hardness of any function. It can be generalized, for example easily to elliptic curves. Yet, the choice of the discrete logarithm problem is not arbitrary. Our proof of knowledge of a decommitment is not easily generalized to non-homomorphic commitment schemes.

Never Trust Victor

1

81

Resettable Zero-Knowledge

In this section, the definition of resettable zero-knowledge is presented. It is equivalent to the one by Canetti et al. (2000b) but takes a different view and seems a bit simpler. We assume that the reader is familiar with the basics, in particular the definitions of interactive Turing machine (ITM), zero-knowledge and witness-indistinguishability, as presented in Goldreich (2001). 1.1

Case History

The standard notions of security that are represented by the definitions of zeroknowledge and witness-indistinguishability do not take into consideration the possibility that several interactive proof systems might be run concurrently. We cannot rule out the possibility that, e.g. on the Internet, a malicious verifier gains knowledge by interacting with several provers that are not aware of one another. The notion of resettable zero-knowledge was invented by Canetti, Goldreich, Goldwasser & Micali (1999). A resettable zero-knowledge proof system stays zero-knowledge even if the prover can be reset by the verifier. The prover can be viewed as a chip-card with volatile memory, i.e. the power supply can be interrupted by the verifier, forcing the prover to use the same random coins again. Note however, that a black-box proof of knowledge for a language outside BPP cannot be resettable zero-knowledge, because the knowledge extractor is a very successful malicious verifier in that setting. Hence the use of such systems for identification is limited. Also most existing zero-knowledge protocols, being also proofs of knowledge, cannot be resettable zero-knowledge. We emphasize that resettable zero-knowledge implies concurrent zero-knowledge. 1.2

Our Definition of Resettable Zero-Knowledge

In the literature resettable zero-knowledge is defined by giving the malicious verifier V ∗ extra power and specifying a framework for the algorithm it may use. This seems somewhat paradoxical in a context where we allowed arbitrary behaviors for malicious parties and formerly did not have to think about specific strategies. What happens here is that V ∗ no longer needs to use P as a black box but may, though in a very limited way, manipulate P directly, namely by resetting it. Our view of this same situation is somewhat converse: we define a weaker prover ⌊P ⌋ that is a resettable version of P and (P, V ) to be resettable zero-knowledge if (⌊P ⌋ , V ) is zero-knowledge. This new formulation of the standard definition seems quite advantageous to us since it relates resettable zero-knowledge to ordinary (computational) zero-knowledge more directly. Definition 1 (Resettable ITM). Let P be an ITM. We define a new interactive machine ⌊P ⌋: it has numbered infinite sequences of common input, auxiliary input and random tapes. It uses the same algorithm as P , but in addition it reacts to a distinguished message “reset” together with two indices i1 , i2 ∈ N by using

82

Olaf M¨ uller and Michael N¨ usken

the i1 th common and auxiliary input tapes and the i2 th random tape, blanking its work and communication tapes, resetting all heads to their initial positions and setting the identity bit to its initial value. Initially it uses the first input and random tapes each, so that its behavior is identical to the original prover if no “reset” messages are sent. We call ⌊P ⌋ the resettable ITM corresponding to P . Clearly, such a machine can be simulated by a standard ITM. Definition 2. For a language L ⊆ {0, 1}∗ and a polynomial Q we write  
LQ := (x1 , . . . , xm ) ∈ L∗ m ≤ Q max {|xi |} . 1≤i≤m

Now we simply define (P, V ) to be resettable zero-knowledge if and only if (⌊P ⌋ , V ) is zero-knowledge: Definition 3 (Resettable Zero-Knowledge). Let (P, V ) be an argument or interactive proof system for some language L and let ⌊P ⌋ be the resettable ITM corresponding to P . The pair (P, V ) of linked ITMs is said to be resettable zeroknowledge on L, if (⌊P ⌋ , V ) is (computational) zero-knowledge on LQ for every polynomial Q.

2 2.1

Commitment Schemes Based on Exponentiation DLP Assumption

For our protocol we will use an assumption about the hardness of the discrete logarithm problem modulo prime numbers. Essentially we assume that exponentiation modulo suitable primes is a non-uniformly one-way function. We present a simple construction that yields a novel feature for a previously known perfectly hiding commitment scheme: the commitment sender can prove to the commitment receiver that it actually knows a decommitment without revealing any information about the committed value. Another way of looking at this hints at further applications: we obtain a commitment scheme so that it is infeasible for the sender to successfully finish the commitment phase without knowing a decommitment. DLP Assumption 4. There exists a probabilistic polynomial-time algorithm G that on input 1n outputs a prime p of length at most 2n together with the set pf(p − 1) of prime factors of p − 1 containing an (n + 1)-bit prime, and for every probabilistic polynomial-size circuit family (Cn )n∈N the function     (p, pf(p − 1)) ← G(1n ), g a random x n → prob Cn p, pf(p − 1), g, g = x generator of Z× p , x ∈R Zp−1 is negligible. Note that a random prime p can be generated together with the factorization of p − 1 due to Bach (1988).

Never Trust Victor

2.2

83

A Knowledgeable Perfectly Hiding Commitment Scheme

We employ a perfectly hiding bit commitment scheme with trapdoor: knowledge of some trapdoor allows to decommit own commitments to the opposite bit efficiently. The scheme is also described in Canetti et al. (1999). For bits, it can already be found in Boyar, Kurtz & Krentel (1990) and Chaum, Damg˚ ard & van de Graaf (1987), and for strings it can be found in Pedersen (1992), Chaum, van Heijst & Pfitzmann (1992) and Bos, Chaum & Purdy (1988). Commitment Scheme 5 (Perfectly hiding commitment scheme). The security parameter is some integer number n ∈ N. In the first step, the commitment receiver uses G to select randomly a prime q of length at most 2n together with pf(q − 1), an element h of Z× q of prime order of length n + 1, the trapdoor y ∈R Zord(h) and computes Y ← hy in Z× q . We call (q, h, Y ) an n-size instance of the commitment scheme. The receiver sends the commitment instance (q, h, Y ) along with pf(q − 1) to the commitment sender. In the second step, the commitment sender checks the instance (q, h, Y ) using pf(q − 1). After that, the commitment and decommitment phases can be done as follows: (i) To commit to a value b ∈ Zord(h) , randomly select r ∈R Zord(h) and output B := commq,h,Y (b, r) = Y b hr in Z× q . (ii) To decommit output (b, r). Committing to arbitrary long bit strings is done by cutting the strings into pieces with n bits which we interpret as elements of Zord(h) and committing to each one using independent randomness. The commitment receiver may not need the trapdoor. In that case Y may be chosen “directly” as a random element of h without knowing the discrete logarithm of Y ; note that Z× q has a unique subgroup of order ord(h). The basic tool for the construction of our main protocol will be a perfect zero-knowledge proof of knowledge with knowledge error 21 for one possible decommitment of a commitment made using Commitment Scheme 5. We call a commitment scheme with such a proof of knowledge knowledgeable. Dolev, Dwork & Naor (1991) use a similar concept, called ‘bit commit with knowledge’, based on a perfectly binding commitment scheme to build a non-malleable commitment scheme. Yet, it seems impossible to adapt their construction for perfectly hiding commitment schemes. The idea for the protocol is as follows: the prover computes a random commitment to a random value and sends it to the verifier. One option for the verifier is to ask the prover to decommit that commitment. The other option is to ask the prover to decommit the product of the input and the random commitment. It is easy to see that this proof is in fact perfect zero-knowledge and that answers to both questions by the verifier yield a decommitment of the common input.

84

Olaf M¨ uller and Michael N¨ usken

Interactive Protocol 6. PZK POK of a decommitment. Common input to P and V : A Commitment Scheme 5 instance (q,h, ord(h), Y ), i.e. a prime q, a prime-order element h of Z× q , an element Y ∈ h, and a commitment E ∈ Z× . q Auxiliary input to P : A decommitment (e, s) of E, i.e. a value e ∈ Zord(h) and a randomness s ∈ Zord(h) satisfying E = commq,h,Y (e, s). (P1) Select b ∈R Zord(h) , t ∈R Zord(h) , compute B ← commq,h,Y (b, t) and send B to V . (V1) Select a challenge c ∈R {0, 1} and send c to P . (P2) Set (b′ , t′ ) ← (b + ce, t + cs). Send (b′ , t′ ) to V . (V2) Check that BE c = commq,h,Y (b′ , t′ ). 2.3

A Perfectly Binding Commitment Schemes

In fact, we can use any perfectly binding commitment scheme in our protocol. For example, it is easy to come up with a perfectly binding commitment scheme based on DLP Assumption 4: The receiver chooses a prime p and an element g in Z× p of large, even order. To commit to a bit b, the sender chooses a randomness ord(g)

− 1} and computes B := commp,g (b, r) = g r+b 2 in Z× r ∈R {0, . . . , ord(g) p . It 2 is well known that b is a hard-core bit in this situation and thus the scheme is computationally hiding. Note that the same instance (p, g, ord(g)) can be used polynomially many times.

3

A new rZK Proof for Graph 3-Colorability

In this section we present our resettable zero-knowledge proof system. For every  bit of the edge query we will do R = u(n) log22 n proofs where u : N → R>0 is any unbounded function and n denotes the number of vertices in the graph. The encoding of an edge can be done using Θ(log n) bits, so that the size λ of the entire edge query is in Θ(mn log n), where m denotes the number of edges in the graph. We use a hybrid strategy: our proof of knowledge proceeds in R rounds and in each round, we execute Interactive Protocol 6 for groups of n of the λ edge query bits in “lock-step” parallel. However, in the very first message the verifier sends all initial proof of knowledge messages in one go. This ensures that the verifier’s actions during the proof of knowledge are more or less fixed right at the start. This is quite analogous to the aforementioned protocols of Canetti et al. (2000b) and Kilian et al. (2001). It is easy to see that this preliminary action is perfectly witness-indistinguishable and thus yields no information about the verifier’s edge query. The only difficult question that remains is how to simulate this and,   along the same line, why we chose the number R of rounds to be u(n) log22 n . These questions will be answered shortly, but first we write down the protocol in full.

Never Trust Victor

85

Interactive Protocol 7. rZK Proof System for Graph 3-Colorability. Common input to P and V : A 3-colorable graph G = (V, E) with vertex set V , edge set E, n = #V , m = #E, the number R ∈ N of rounds. Auxiliary input to P : A 3-coloring ϕ : V → {1, 2, 3} of G. Random input to P : A random tape w ∈R {0, 1}∞ . Output: P (ϕ), V  (G) ∈ {0, 1}. The prover P uses a polynomial part of the random tape to specify a pseudorandom function fw : {0, 1}∗ → {0, 1}∗ . To simplify notation, we make the following convention: when the prover has to make a random choice, it uses as coin tosses the outcome of fw applied to the common input and all previous messages by the verifier. Furthermore, a failed check leads to an aborting execution of the protocol, i.e. the checking party halts. (P1) Select an n-size instance (p, g, ord(g)) of the perfectly binding commitment scheme together with the set pf(p−1) and an n-size instance(q,h, ord(h), Y ) of Commitment Scheme 5 together with the set pf(q − 1). Send (p, g, ord(g)), pf(p − 1) and (q, h, ord(h), Y ), pf(q − 1) to V. (V1) Check that (p, g, ord(g)) and (q, h, ord(h), Y ) are valid. For j = 1, . . . , mn randomly select an edge {uj , vj } ∈R E. These edges are encoded by λ := 2m ⌈log2 (n)⌉ strings ej consisting of n bits each, j ∈ {1, . . . , λ}. For j = 1, . . . , λ select a randomness sj ∈R Zord(h) and compute the commitment Ej ← commq,h,Y (ej , sj ). Send E := (E1 , . . . , Eλ ) to P . Now follows, in steps (V2)–(P3), the proof of knowledge that V knows decommitments for E1 , . . . , Eλ . (V2) For i = 1, . . . , R do For j = 1, . . . , λ do Select bj,i ∈R Zord(h) , tj,i ∈R Zord(h) , compute Bj,i ← commq,h,Y (bj,i , tj,i ). Send B to P . For i = 1, . . . , R do (P2),(V3),(P3) (P2) (V3)

(P3)

Select a challenge c ∈R {0, 1}λ and send c to V . For j = 1, . . . , λ do Set (b′j , t′j ) ← (bj,i + cj ej , tj,i + cj sj ). Send (b′ , t′ ) to P . For j = 1, . . . , λ do c Check that Bj,i Ej j = commq,h,Y (b′j , t′j ).

We proceed with the parallel standard zero-knowledge proof for graph 3-colorability, yet bound to the edge queries committed to in (V1).

86

Olaf M¨ uller and Michael N¨ usken

(P4) For j = 1, . . . , mn choose πj ∈R S3 , set ψj ← πj ◦ ϕ and for all v ∈ V choose rj,v ∈R {0, . . . , ord(g) − 1}2 , send Ψj,v ← commp,g (ψj (v), rj,v ) to V . 2 (V4) Decommit all edge queries {uj , vj }j=1,...,mn by sending (e, s) to P . (P5) For j = 1, . . . , λ check ej ∈ {0, 1}n , sj ∈ Zord(h) , commq,h,Y (ej , sj ) = Ej . Denote by {uj , vj }j=1,...,mn the edges encoded by e. For j = 1, . . . , mn decommit the colors ψj (uj ) and ψj (vj ) by sending (ψj (uj ), rj,uj ) and (ψj (vj ), rj,vj ) to V . (V5) For j = 1, . . . , mn verify ψj (uj ), ψj (vj ) ∈ {1, 2, 3}, ψj (uj ) = ψj (vj ), rj,uj , rj,vj ∈ {0, . . . , ord(g) − 1}2 , Ψj,uj = commp,g (ψj (uj ), rj,uj ), and Ψj,vj = 2 commp,g (ψj (vj ), rj,vj ). Accept if and only if all checks succeeded. Theorem 8. Under the DLP Assumption 4, Interactive Protocol 7 is a resettable zero-knowledge interactive proof system for graph 3-colorability. It uses Θ(u(n)mn log3 n) transferred bits in the POK and Θ(mn3 ) transferred bits in the remaining steps. Proof. Perfect completeness is obvious, supposing we have already shown perfect completeness of the proof of knowledge Interactive Protocol 6, which is easy. Now let us consider soundness. We need to show that even a malicious prover P ∗ cannot get V to accept a no-instance with more than negligible probability. The only information that V wants hidden from P ∗ is the edge query it commits to in step (V1). The interaction in steps (V2)–(P3) is perfect witnessindistinguishable for the knowledge verifier, i.e. P ∗ learns nothing, even in the information theoretical sense, about the values committed to by V . Without steps (V2)–(P3) the verifier coincides with the verifier in the original protocol of Goldreich & Kahan (1996), which is an interactive proof system and thus sound. In conclusion Interactive Protocol 7 is also sound. What remains to be shown is that the protocol is resettable zero-knowledge. We now move on to describe the simulation. We will assume that an upper bound L for the number of messages that the possibly malicious verifier V ∗ will send is known in advance. This is not usually the case, but we can always start with a small L and double it as often as necessary without producing an unfaithful simulation. This only increases the running time bound by the constant factor 24 + 1. The original idea of Richardson & Kilian (1999) is to do sufficiently many, sufficiently long lookaheads every time we have to choose a proof of knowledge query. A lookahead is a shorter simulation starting at a certain point during the simulation or, recursively, during a longer lookahead. This approach works if the proof of knowledge has O(nε ) rounds for some ε > 0. Because we use a much smaller number of rounds, it would yield a non-polynomial running-time and/or an unfaithful simulation. The root of the problem here is that the lookaheads are too long and thus too much is lost if one of them fails, i.e. gets stuck in the middle because the preliminary phase of an unsolved proof ends there. The new idea by Kilian et al. (2001) involves very short lookaheads of lengths 2 or 4 and very long rewinds of length up to half the entire simulation. This way not much

Never Trust Victor

87

Fig. 1. The simulation schedule. The simulator’s time passes along the zigzag line starting in the upper left corner, whereas the verifier’s time passes from left to right. So the slopes tending to the left correspond to rewinds of V ∗ . The lowest horizontal lines will eventually enter the faked transcript

harm is done if a lookahead is not finished, and when we learn something, there often is a rewind that takes us back far enough to be able to use that knowledge. Moreover, the lookaheads do not start in every round when the simulator needs to choose a query but only in certain rounds, following a fixed pattern. The simulator schedules its lookaheads and rewinds like this: the entire simulation is split into two halves, each of which is simulated twice. We say that we do twin lookaheads for each of the two halves of the simulation, the first of twin lookaheads being called the test run and the second one the real run. It is essential that the simulator does not use the knowledge from a test run in the corresponding real run but only after both are finished. This way test and real run are identically distributed from V ∗ ’s point of view. The four lookaheads involved in the simulation are in turn executed using exactly the same strategy as the simulation itself. When we have reached size 2 simulations, the two rounds are simulated only once, without any rewinds. It is easy to see that the running time of the simulator is L4 nO(1) = nO(1) . Another point worth mentioning is the way we choose our queries: whenever we encounter a situation where we need to choose the ith proof of knowledge message for a proof Π  identified by the message tuple (i1 , i2 ), (p, g, ord(g), q, h, ord(h), Y ), (E, B) , we do a table look-up and check whether this round of Π has occurred before. If this was not the case, we choose a uniformly random query that we will ask in this situation if and when it occurs during the real time line. This is just as if we had randomly chosen all possible queries for the real time line in advance. But what about the other time lines? The best thing to do is the following: we make sure that the queries in the transcripts of twin lookaheads are complementary. From this condition we can easily compute the query in any situation once we have decided on the query for the real time line. This way, whenever the verifier answers a question in a test run and the corresponding real run, we learn the entire edge query. In fact, it suffices if the second answer occurs somewhere in the “future” of the real run. As long as the simulator does not output “fail”, the distribution of prefixes of transcripts generated is computationally indistinguishable from interactions of the honest prover P and V ∗ . The proof system without the initial (2R + 1)round proof of knowledge is computational zero-knowledge and we obtain the same quality simulated messages even though our simulator pretends to be a

88

Olaf M¨ uller and Michael N¨ usken

resettable device. In the proof of knowledge, our messages are uniformly random and independent of all other messages in V ∗ ’s view. Furthermore, we never discard any prover messages we choose for the real transcript. All that remains now is to bound the probability that the simulator ever outputs “fail”, i.e. finishes any proof of knowledge without having learned the edge query. We will show that the probability for this event is negligible. Our proof is an adaptation of the proof in Kilian et al. (2001) that their proof is resettable zero-knowledge. We note two differences: Kilian et al. are satisfied whenever they have obtained one valid answer by the verifier during the preliminary phase and are still in a position to change the previous prover message. Concerning our protocol, the usefulness even of correct verifier messages crucially depends on our challenges, but by using opposite queries in twin lookaheads we have effectively annihilated this disadvantage. The other difference works in our favor: because their simulator needs to commit to highly improbable values in some real runs, these are only computationally indistinguishable from test runs, whereas our real runs and test runs are distributed identically. 3.1

Bounding the Probability of Failure

First, we break down the calculation to the decisive point. Suppose the simulator fails. We are to bound the probability of this event. Recall that a protocol is composed of interleaved proofs Π that are identified by the tuple of the first three messages. Of course, in case of failure there is a proof that breaks the simulator’s neck and the failure occurs on the real time line. Yet, we consider the first proof that forces the simulator to say “fail” even if this happens only in a test. In the actual simulation we then still have a chance, but we show that the probability even for this more probable event is negligible. We will prove the following claim. Claim. The probability that the simulator fails in a proof

it does not Π given R−2 −α fail earlier and Π occurs is bounded by 2 where α = log L+1 . 2

Using this we can bound the probability of failure as follows:  prob (The simulator fails.) ≤ 2−α · 1 · prob (Proof Π occurs.) Π



Now note that Π prob (Proof Π occurs.) is the expected number of occurring 2 proofs which is clearly bounded by the number L2 of message exchanges performed by the simulator. Note that we allow Π to occur anywhere during the simulation and not only on the real time line, thus we cannot bound the latter expected number by L. Since V ∗ is polynomial-time bounded, we have an integer k such that L ≤ nk for almost all n. Then choosing R to be u(n) log22 n yields prob (The simulator fails.) ≤ which is negligible since u is unbounded.

L2 −α 2 ≤ n−Ω(u(n)) , 2

Never Trust Victor

89

For our estimate we look at the entire simulation as a game. A game round is a time interval identifying a pair of twin lookaheads. In Fig. 2 you can easily identify the game rounds, each of them looks like a more or less fuzzy Z. As you can see, a game round consists of four game rounds of half the size unless we are at the bottom of the recursion. At any given point in simulation time, the game rounds touching the current verifier time line form the vertices of the game tree, containment defines the game tree edges. See Fig. 2 for an example; the game tree corresponds to the right most point in the simulation time line. The game tree is always a certain kind of truncated binary tree. We classify game rounds ν according to their significance to a given proof Π: a game round consists of a test lookahead and a real lookahead. Each of the two lookaheads returns a piece of transcript. Note that a certain round of Π may occur several times since V ∗ may repeat some messages after a reset to get to the same point in Π as in an earlier execution. But these repetitions contain no new information. Thus we completely ignore them, and when we say “round j is here and there” we always mean that its first occurrence is “here and there”. We say that a lookahead is good for Π iff for some j ∈ {2, . . . , R − 1} – round j − 2 of Π’s proof of knowledge has happened before, – round j − 1 of Π’s proof of knowledge is in the first half of the returned transcript, – round j of Π’s proof of knowledge is in the second half of the returned transcript, and – round j + 1 of Π’s proof of knowledge is not in the returned transcript. Now we say that the simulator – wins the game round ν for Π iff the test lookahead is good, – gets a pass in the game round ν for Π iff neither the test nor the real lookahead is good, and – loses the game round ν for Π iff the test lookahead is not good but the real lookahead is good.

lose win

pass

Fig. 2. Incomplete simulator time line and corresponding game tree

90

Olaf M¨ uller and Michael N¨ usken

If the simulator wins a single round of a proof Π then, whenever V ∗ finishes the proof, the simulator can calculate V ∗ ’s edge queries and thus produce a locally correct coloring. If the simulator gets a pass then the decision is delayed. Only if the simulator loses all game rounds for a proof Π and the proof is finished then the simulator may fail. The rounds of a given proof are distributed over the simulator time line. Transfer the so-given marks that are on the current time line to the game tree so that some of its leaves are marked. There are now R − 2 such marks and the tree depth is at most log2 L. The following lemma is proven in Kilian et al. (2001). A node in a binary tree is called good iff each of its two sub-trees contains exactly one marked leaf. Tree Lemma 9. In a binary tree of height at most h with exactly r marked r leaves, r ≥ 2, there exist at least ⌈ h+1 ⌉ good nodes.

good lookaThe Tree Lemma 9 guarantees that there are at least α = logR−2 L+1 2 heads on the current time line. Thus there are at least α non-pass game rounds. Before any game round the verifier chooses a strategy to make a lookahead good. Then both lookaheads are “played” with this same strategy. This is because in V ∗ ’s view there is nothing which distinguishes these two lookaheads. Thus if we exchange the two lookaheads we still have the very same chances to win or lose or pass the corresponding round. In fact, whatever strategy V ∗ chooses the simulator’s chance to win is at least as large as its chance to lose. Failure in Π means that all non-pass game rounds are lost. If there are at least α non-pass game rounds the probability of this event is at most 2−α , which we will prove now. To come down to the point of interchanging test and real lookahead, we have to split the failure event a little further. First, note that two lost game rounds cannot overlap. In that case a small lookahead S and a large lookahead L containing S would be good, which is impossible. Clearly, to fail in a proof Π implies to win no game round for Π. A game schedule γ is any set of tree nodes. To a proof Π we associate the game schedule γ(Π) consisting of all non-pass game rounds for Π. So any game round in γ(Π) is either won or lost. In fact, it only remains to bound the probability of winning no game round for Π given additionally the game schedule γ(Π) = γ of Π. This event is now equivalent to losing the game rounds in γ. In case γ contains overlapping game rounds this probability is 0. Otherwise, we can decompose the probability one further step:   The simulator loses all γ(Π) = γ. ∧ The simulator does not fail prob game rounds in γ for Π. before Π terminates. ∧ Proof Π occurs. 

All rounds in γ before ν are lost. ∧ The simulator loses the γ(Π) = γ. ∧ The simulator does not = prob  . fail in another proof before Π termigame round ν for Π. ν∈γ nates. ∧ Proof Π occurs.    =: Cν

Never Trust Victor

91

What does it mean to lose a game round ν? It means that the test lookahead is not good but the real lookahead is good. Once we have shown that each factor is at most 12 we are done. Indeed, by the Tree Lemma 9 γ(Π) consists of at least α rounds and so we obtain a bound of 2−α as stated in the Claim. So consider the probability to win this game round. To win means that the test lookahead is good. Now, we have prob (The simulator wins ν for Π. Cν ) = prob (The test lookahead ν is good for Π. Cν )   The test lookahead ν is good for Π and ≥ prob Cν the real lookahead is not good for Π.   The real lookahead ν is good for Π and Cν = prob the test lookahead is not good for Π. = prob (The simulator loses ν for Π. Cν ) . Since winning and losing exclude each other, the probability to lose ν for Π can be at most 12 . ⊔ ⊓

Acknowledgments We thank the anonymous referees for helpful comments.

References Eric Bach (1988). How to generate factored random numbers. SIAM Journal on Computing 17(2), 179–193. ISSN 0097-5397. Special issue on cryptography. Boaz Barak (2001). How to Go Beyond the Black-Box Simulation Barrier. In Proceedings of the 42nd Annual IEEE Symposium on Foundations of Computer Science, Las Vegas NV. IEEE Computer Society Press. ISBN 0-7695-1390-5. URL http://www.wisdom.weizmann.ac.il/mathusers/boaz/Papers/nonbb.html. Preliminary full version. Jurjen Bos, David Chaum & George Purdy (1988). A Voting Scheme. Presented at the rump session of CYRPTO’88 (does not appear in the proceedings). Joan F. Boyar, Stuart A. Kurtz & Mark W. Krentel (1990). A Discrete Logarithm Implementation of Perfect Zero-Knowledge Blobs. Journal of Cryptology 2(2), 63–76. ISSN 0933-2790. Ran Canetti, Oded Goldreich, Shafi Goldwasser & Silvio Micali (1999). Resettable Zero-Knowledge. Electronic Colloquium on Computational Complexity TR99-042, 1–64. ISSN 1433-8092. ftp://ftp.eccc.uni-trier.de/pub/eccc/reports/1999/TR99-042/Paper.ps. Ran Canetti, Oded Goldreich, Shafi Goldwasser & Silvio Micali (2000a). Resettable Zero-Knowledge. In Proceedings of the Thirty-second Annual ACM Symposium on the Theory of Computing, Portland OR, 235–244. ACM Press. Ran Canetti, Oded Goldreich, Shafi Goldwasser & Silvio Micali (2000b). Resettable Zero-Knowledge. Electronic Colloquium on Computational Complexity TR99-042(Revision 1), 1–60. ISSN 1433-8092. ftp://ftp.eccc.uni-trier.de /pub/eccc/reports/1999/TR99-042/revisn01.ps.

92

Olaf M¨ uller and Michael N¨ usken

Ran Canetti, Joe Kilian, Erez Petrank & Alon Rosen (2001). Black-Box Con˜ current Zero-Knowledge Requires Ω(log n) Rounds. In Proceedings of the Thirtythird Annual ACM Symposium on the Theory of Computing, Hersonissos, Crete, Greece, 570–579. ACM Press, 1515 Broadway, New York, New York 10036. ISBN 1-58113-349-9. David Chaum, Ivan Damg˚ ard & Jeroen van de Graaf (1987). Multiparty Computations Ensuring Privacy of Each Party’s Input and Correctness of the Result. In Advances in Cryptology: Proceedings of CRYPTO ’87, Santa Barbara CA, Carl Pomerance, editor, number 293 in Lecture Notes in Computer Science, 87–119. Springer-Verlag. ISBN 3-540-18796-0. ISSN 0302-9743. D. Chaum, E. van Heijst & B. Pfitzmann (1992). Cryptograhically strong undeniable signatures, unconditionally secure for the signer. In Feigenbaum (1992), 470– 484. http://link.springer.de/link/service/series/0558/tocs/t0576.htm. Danny Dolev, Cynthia Dwork & Moni Naor (1991). Non-Malleable Cryptography. In Proceedings of the Twenty-third Annual ACM Symposium on the Theory of Computing, New Orleans LA, 542–552. ACM Press. http://citeseer.nj.nec.com/dolev91nonmalleable.html. Uriel Feige, Dror Lapidot & Adi Shamir (1999). Multiple noninteractive zero knowledge proofs under general assumptions. SIAM Journal on Computing 29(1), 1–28. ISSN 0097-5397, 1095-7111. http://epubs.siam.org/ sam-bin/dbq/article/23001. J. Feigenbaum (editor) (1992). Advances in Cryptology: Proceedings of CRYPTO ’91, Santa Barbara CA, number 576 in Lecture Notes in Computer Science. Springer-Verlag, Berlin. ISBN 3-540-55188-3. ISSN 0302-9743. http://link.springer.de/link/service/series/0558/tocs/t0576.htm. Oded Goldreich (2001). Foundations of Cryptography. Cambridge University Press, Cambridge. ISBN 0-521-79172-3. Oded Goldreich & Ariel Kahan (1996). How to construct constant-round zeroknowledge proof systems for NP. Journal of Cryptology 9(3), 167–189. Joe Kilian, Erez Petrank & Charles Rackoff (1998). Lower Bounds for Zero Knowledge on the Internet. In Proceedings of the 39th Annual IEEE Symposium on Foundations of Computer Science, Palo Alto CA, 484–492. IEEE Computer Society Press, Palo Alto, CA. Joe Kilian, Erez Petrank & Ransom Richardson (2001). On Concurrent and Resettable Zero-Knowledge Proofs for NP. http://www.cs.technion.ac.il /~erez/czkub-full.ps. Preprint. Torben Pryds Pedersen (1992). Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Feigenbaum (1992), 129–140. http://link.springer.de/link/service/series/0558/bibs/0576/ 05760129.htm. Ransom Richardson & Joe Kilian (1999). On the concurrent composition of zeroknowledge proofs. In Advances in Cryptology: Proceedings of EUROCRYPT 1999, Prague, Czech Republic, Jacques Stern, editor, number 1592 in Lecture Notes in Computer Science, 415–431. ISBN 3-540-65889-0. ISSN 0302-9743. Alon Rosen (2000). A Note on the Round-Complexity of Concurrent ZeroKnowledge. In Advances in Cryptology: Proceedings of CRYPTO ’00, Santa Barbara CA, M. Bellare, editor, number 1880 in Lecture Notes in Computer Science, 451–468. Springer-Verlag. ISSN 0302-9743. http://link.springer.de/link/service/series/0558/bibs/1880/ 18800451.htm.

Asynchronous Unconditionally Secure Computation: An Efficiency Improvement B. Prabhu ⋆ , K. Srinathan

⋆⋆

, and C. Pandu Rangan

Department of Computer Science and Engineering Indian Institute of Technology Madras, Chennai – 600036, India {prabhu,ksrinath}@cs.iitm.ernet.in [email protected]

Abstract. Consider a set of n players who wish to compute the value of a commonly agreed multi-variate function on their local inputs, whilst keeping their local inputs as private as possible even when a non-trivial subset of players collude and behave maliciously. This is the problem of secure multiparty computation. In this work, we present an efficient protocol for asynchronous secure computation tolerating a computationally unbounded Byzantine adversary that corrupts up to t < n4 players.

1

Introduction

Consider a fully connected asynchronous network of n players (processors), P = {P1 , P2 , . . . , Pn }, who do not trust each other. Nevertheless they want to compute some agreed function of their inputs in a secure way. Security here means maintaining correctness of the output while keeping the players’ inputs as private as possible. This task can be easily accomplished if there exists a trusted third party. But assuming the existence of such a trusted third party is unrealistic. The goal of secure multiparty computation (first stated by Yao [10]) is to transform a given protocol involving a trusted third party into a protocol without need for the trusted third party, by simulating the trusted third party among the n players. An important point to note here is that since the communication is asynchronous, even the trusted third party cannot wait for more than n − t of the inputs, if up to t players could be actively faulty. This is so because the trusted third party cannot differentiate between a delayed message and an unsent message and therefore cannot (indefinitely) wait for more than n − t of the inputs to be entered to the computation. Therefore, any real-life protocol can only simulate a trusted third party that approximates the function on some n − t of the inputs, with the rest set to a default value, say zero. The prominent properties of an asynchronous secure protocol that have been considered are (1) Correctness: The corrupted players should not be able to ⋆

⋆⋆

This work was supported by Defence Research and Development Organization, India under project CSE01-02044DRDOHODX Financial support from Infosys Technologies Limited, India is acknowledged.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 93–107, 2002. c Springer-Verlag Berlin Heidelberg 2002


94

B. Prabhu et al.

prevent the honest (uncorrupted) players from obtaining the correct output. In certain settings, unconditionally secure protocols that have a probability of error that is exponentially small is sufficient[3]. (2) Privacy: The corrupted players should not obtain any information about the uncorrupted players’ inputs beyond what they learn from their local inputs and the output of the computation. (3) Independence: The inputs contributed to the protocol by the corrupted players should be independent of the inputs of the uncorrupted ones. (4) Fault Tolerance: The protocol should achieve the desired functionality in spite of worst case (malicious) behavior of a non-trivial subset of the players. The behaviour of the corrupted players is usually modeled via a centralized adversary that is assumed to have complete control over these players. Many different adversary models have been considered and can be classified based on the adversary’s computational power, control over communication, control over corrupted players, adaptivity, and corruption capacity. We discuss the adversary model of this paper in Section 1.1. 1.1

The Model and Setting

Our model consists of a fully connected, asynchronous network of n players. Every pair of players is connected via a secure and reliable channel of communication. The network does not have broadcast capability; broadcast is simulated via a sub-protocol for Byzantine agreement (BA)1 among the players.2 Since the network is asynchronous, each message may have an arbitrary (finite) delay. Up to t of the players may become faulty at any time during the run of the protocol. To model the faulty players’ behavior, we use a computationally unbounded adversary. This adversary may statically3 choose any t players to corrupt. Once a player is picked by the adversary, the player hands over to him all his private data, and gives the adversary the control on all his subsequent moves. To model the network’s asynchrony, we further assume that the adversary can schedule the communication channel, i.e. he can determine the time delays of all the messages (however, he can neither read nor change those messages). We call such an adversary a t-adversary. computation It was shown in [2] that perfect asynchronous secure multi party 
is possible in the above setting if and only if t < n4 . In [3], an ⌈ n3 ⌉ − 1 -resilient protocol is described that securely computes any function f when exponentially small probability of error is allowed. Although theoretically impressive, the complicated exchanges of messages and zero-knowledge proofs in protocols like [2, 3] might render them impractical. Recently, in the synchronous model of communication [6] significantly improved the message complexity of secure synchronous unconditional multiparty computation through a generic framework 1 2

3

For example, the asynchronous Byzantine Agreement protocol of [4] can be used. In an asynchronous environment, the termination property of broadcast could be much weaker than that of BA. However, in this work, since broadcast is used only as a black-box, we do not distinguish broadcast from BA. By a static adversary, we mean that the adversary decides on the set of players that it would corrupt before the protocol begins its execution.

Asynchronous Unconditionally Secure Computation

95

that strictly distinguishes between fault-detection and fault-correction and uses the techniques of player elimination [7] and circuit randomization [1] to efficiently transform a distributed protocol with fault detection into a fully resilient protocol. The problem of adapting these techniques to reduce the communication complexity of secure multiparty computation over an asynchronous network was left open in [6]. In this work, we concentrate on reducing the communication complexity of unconditional asynchronous secure protocols by incorporating the player elimination technique. We delve into the various concerns that arise while adapting the player elimination technique to the asynchronous setting and also propose ways to address these issues. We analyze the communication complexity (which is the bottleneck for such protocols) of our protocols. The protocols make extensive use of a BA primitive and hence their efficiency depends heavily on the communication complexity of the BA sub-protocol used. Therefore, we count the BA message complexity (BAC) and the message complexity (MC) separately.

2

The Protocol Construction

We assume that a finite field F , with | F |> n, is used by all players. Without loss of generality, the arithmetic circuit computing f : F n → F is known to all the players. The circuit consists of linear combination and multiplication gates. The number of multiplication gates in the circuit is denoted by m. We adapt the player elimination framework of [6] to the asynchronous setting. Our top-level solution approach is similar to that of [6] and proceeds in two phases. In the first phase called the preparation phase, the current set of players tshare m random triples (a(i) , b(i) , c(i) ) with c(i) = a(i) b(i) , for each multiplication gate i = 1, . . . , m. The circuit is divided into blocks each with ℓ multiplication gates and the triples in a block are generated in parallel. Verification is done after each step of generation and if a fault is detected a set of players (of size at most three) of which at least one is faulty is identified and eliminated. The actual evaluation of the function takes place in the second phase called the computation phase. We make use of the strategy proposed in [1]: The function (circuit) is evaluated gate by gate making use of the triples generated in the preparation phase for multiplication gates (see Section 2.2). At the end of the computation phase, the players hold a t-sharing of the function output and any party desirous of the output can reconstruct it from these shares. The protocol offers unconditional security with an arbitrarily small probability of error which arises when the adversary is able to modify his shares without being detected (see Section 4). We use the scheme of [8] as the underlying secret sharing scheme. To t-share a secret s among the players in the player set P, the dealer selects a random polynomial f (x) such that f (0) = s and sends f (αi ) as player Pi ’s share for i = 1, . . . , |P| where αi is a public value associated with player Pi . In an asynchronous network with t faulty players, whenever there is a communication of messages by all the players the recipient cannot wait indefinitely for more than n − t messages to arrive. For example, in the triple generation phase, when the players share random values to generate a (and b), each player

96

B. Prabhu et al.

waits for shares of n − t of the random values and then computes his share of a from these values. But it has to be ensured that all the players use shares of the same set of random values. This is achieved by having the honest players agree on a common subset of at least n − t players who have successfully completed their sharing. The sharings of the players in the agreed set are then used in the computation of the shares of a. We make use of the protocol given in [3] to implement the Agreement on a Common Subset primitive (see Table 1). The idea is to execute a BA protocol for each player, to determine whether he will be in the agreed set. That is, n BA protocols are executed simultaneously, and each player enters his inputs to the BAs asynchronously. Let BAi denote the Byzantine Agreement protocol that determines whether player Pi will be in the agreed set. The input of player Pj , 1 ≤ j ≤ n, to the protocol BAi is a binary value based on whether Pj has received a message from player Pi . Notice that if Pj has received a message from Pi , then eventually all the players will know the same. Thus, we can suppose the existence of a predicate Q that assigns a binary value to each player Pi , denoted Q(i), based on whether Pi has communicated his messages. Note that all the honest players will eventually satisfy the predicate. The agreeset output of Table 1 will be the same for all the honest players. The AgreeSet protocol requires n BAs to be performed.

Table 1. Protocol AgreeSet[Q, P, t] for agreement on a common subset Code for player Pi : 1. For every player Pj for whom Pi knows that Q(j) = 1, Pi participates in the j th -Byzantine Agreement protocol BAj with input 1. 2. Upon completing (|P| − t) BA protocols with output 1, Pi enters input 0 to all BA protocols for which he has not entered a value yet. 3. Upon completing all |P| BA protocols let AgreeSeti be the set of all players Pj for whom protocol BAj had output 1. Output AgreeSeti .

Table 2. Protocol for randomizing the shares of a secret Let β be the t′ -shared secret whose shares βi , i = 1, . . . , n′ are to be randomized. ′ 1. Every player Pi chooses n′ random t′ -degree polynomials f˜ ik (x) for k = 1, . . . , n such that ′ ˜ (α ) = 0. P sends the share set {x = f (α )|k = 1, . . . , n } to player P . f˜ i j j ik k ikj ik 2. Every player Pj sends the share vector [yikj = βj + xikj |i = 1, . . . , n′ ] to player Pk for k = 1, . . . , n′ .

Asynchronous Unconditionally Secure Computation

97

Table 3. Share adjustment protocol Let CheckSet be the set of players whose shares have been verified to be in order. Let β be the t′ -shared secret whose shares have to be adjusted and let βi be player Pi ’s share of β. Let {yjik |Pk ∈ CheckSet} be a set of blinded shares that player Pi received in the randomization step. Pi has at least n′ − t′ such sets one each for each Pj ∈ CheckSet. Each player Pi ∈ P \ CheckSet computes his share of β as follows: 1. Pi reconstructs his values of βi from each set of blinded shares he received in Step 2 of the randomization protocol (Table 2). Pi now has a set of values {βij | Pj ∈ CheckSet}. 2. Pi finds a set G of players from CheckSet, such that |G| ≥ 2t′ + 1 and the values of βij reconstructed from all Pj ∈ G are same. This value is taken as the correct value of βi .

2.1

Preparation Phase

In this phase the players jointly generate m t-shared triples (a(i) , b(i) , c(i) ) of the form c(i) = a(i) b(i) such that the adversary gains no information about the triples. The triples are generated in blocks of ℓ = ⌈ m n ⌉ triples. The basic steps that are to be performed in this phase are similar to those of [6] viz. triple generation, fault detection and localization and fault elimination. But unlike the synchronous case, the verification of the sharings used in the generation of (a, b) and c can not be clubbed together in the asynchronous model. This is due to the fact that the adversary may take advantage of the asynchrony of the network and schedule messages in such a way that the set of players (of size at least n − t) who contribute in the generation of c is different from those involved in the generation of (a, b). Hence verification has to be done separately for each set of sharings viz. the sharings in the generation of (a, b), the sharings in the generation of c and the sharings in the increase of degree to t. As already explained, in all of these sharings, the honest players have to execute the “agreement on a common subset” primitive to decide upon a common set of players who have successfully completed their sharings. In the verification step, the polynomials used by all the players in this common set have to be verified for consistency. But the adversary may schedule messages in such a way that some of the faulty players get included in the common subset in the sharing phase. The adversary can then hold back these faulty players from participating in the verification phase thereby leading to a state of infinite wait. To overcome this, the players communicate the data needed for verification (a random linear combination of the polynomials, as explained in the sequel) along with the shares during the sharing phase. The execution of the agree set primitive ensures that only those players who have communicated both the shares and the verification data are part of the common subset. These polynomials can then be verified for consistency in the verification step. Consequent to the above discussion, the generation of each block of triples consists of three steps: In the first step ℓ + n′ t′ -shared pairs (a(i) , b(i) ), where n′ is the cardinality of the current player set and t′ is the current threshold, are robustly generated. The n′ pairs are used to verify the degree of sharing of the remaining ℓ pairs and are destroyed after verification. In the second step ℓ + n′ products c(i) are generated such that c(i) = a(i) b(i) .

98

B. Prabhu et al.

The triples are then verified for consistency. That is, whether the shares of each of the c(i) s lie on a polynomial of degree t′ and whether the sharings are such that c(i) = a(i) b(i) . In the final step, the players increase the degree of sharing of all the triples in the block from t′ to t. This step is needed to ensure that the triples from different blocks have the same degree of sharing; else the circuit evaluation phase may not be executed properly. The degree of the polynomials used in this step are then verified. If a fault is detected in any of the verification steps (see Section 4), the players localize the fault to a set D containing at most three players of which at least one is faulty. The set D is then eliminated and the block repeated. Since at most t blocks can fail, a total of n + t blocks need to be processed in the worst case. Yet another issue that arises due to the asynchrony of the network is that the shares of some of the honest players may go unverified. This can happen if the adversary schedules the shares communicated by these honest players to the verifiers behind those of the faulty players and hence preclude these honest players from being part of the agreed common subset. In such a case, these honest players can not be sure of the veracity of their shares. Hence, if the verification steps were successful, the players left out of verification reconstruct their shares from those of the rest of the players. This is possible since the shares of the players in the common subset have already been verified for consistency and there are enough honest players in the verified set to enable such a reconstruction. But in the presence of t faults, the shares of at least 3t + 1 players are needed for such a reconstruction. Since the verified subset is of cardinality n − t (= 3t + 1) in the worst case, the “left-out” players can get only 2t − 1 verified shares in the worst case. To overcome this, the players need to exchange their shares (after blinding, to ensure privacy) during the sharing phase. This is done using the share randomization protocol given in Table 2. The underlying idea of this protocol can be explained as follows: For a secret value β t′ -shared among the n′ players with βi being player Pi ’s share, Pi gets the set of blinded shares {β1 + x1 , . . . , βi−1 + xi−1 , βi+1 + xi+1 , . . . , βn′ + x′n }, where xi s are shares of a random value x, from the rest of the players such that this set of shares along with βi lie on a polynomial of degree t′ . For n′ random values of x, one chosen by each player, Pi will get n′ such blinded sets of shares. After the application of the agreeset primitive, Pi will have at least n′ − t′ sets of blinded shares with the cardinality of each set being at least n′ − t′ with up to t′ faulty shares being present in each of the sets in the worst case. In this case, with a single set of blinded shares, error correction may not be possible. The n′ − t′ sets of shares are obtained to overcome this. Since there are at least 2t′ + 1 honest players in the agreed set, values reconstructed from at least 2t′ + 1 of the sets of blinded shares will be the same. This value is the correct share of player Pi (share adjustment protocol, Table 3). The randomization process requires 2n3 field elements to be communicated while the reconstruction process does not require any communication. As players get eliminated, the player set and the threshold are modified to reflect the changes. We denote by P the original player set containing n players and by P ′ the current player set containing n′ players. The original threshold

Asynchronous Unconditionally Secure Computation

99

is denoted by t and the current threshold by t′ . Without loss of generality we assume that P ′ = {P1 , . . . , Pn′ }. Throughout the protocol the inequality 3t′ < n − t holds as an invariant. Initially P ′ = P, n′ = n and t′ = t and the invariant is trivially satisfied since t < n4 . By player elimination, n′ will be decreased at most by 3 and t′ by 1. Hence the invariant is preserved. Step-1: Generating ℓ Random Pairs (a, b) In the first step of the preparation phase the players jointly generate t′ -sharings of ℓ pairs (a(k) , b(k) ). The players also get enough information in this step to reconstruct their shares in case they were not verified for consistency. An additional n′ pairs, called blinding pairs, are generated for use in verification. These additional pairs will be discarded at the end of the block. The protocol (Table 4) proceeds as follows: Every player first distributes a random challenge vector of length ℓ over the field F . This random vector will be used to verify the degree of each of the sharings in this step. The players then jointly generate t′ sharings of two random values a and b (one pair for each of the ℓ triples). Every player t′ -shares two random values, one each for a and b, among the players in the current player set P ′ . In addition, each player sends to every other player (who will act as a verifier) the randomized linear combination (corresponding to the verifier) of the polynomials involved in each of the sharings over the ℓ triples. The random linear combination is blinded using the blinding polynomial corresponding to the verifier. The players then randomize each of the sharings using the protocol in Table 2 so that every player has enough information to reconstruct his original share from the rest of the shares. The set of players who have successfully completed all these steps is agreed upon using the agreement on a common subset primitive. The degree of sharings of each of the dealers in the resultant set is verified for consistency using the verification protocol in Table 7. If a fault is detected the localized set D consisting three players of which at least one is faulty is eliminated. Else the players whose shares have not been verified reconstruct their shares from those shares whose consistency have been verified (using the share adjustment protocol in Table 3). The players finally add the corresponding shares received from players in the agreed set to get his shares of a and b, which are the sum of the corresponding initial random values shared by the players. The degree of sharings of a and b should be less than one third the number of actual players. Hence each of the pairs (a, b) is t′ -shared. If at least one of the players has honestly selected random polynomials fi (x) and gi (x), then the adversary gets no information about a and b. Since the degree of each of the sharings is verified after generation, correctness is assured. As the adversary can not get more than t′ of the shares, privacy is guaranteed. The distribution of the random challenge vectors by all the players requires a total of n2 ℓ field elements to be communicated. 2n(ℓ + n) sharings need to be done to generate the ℓ + n pairs (a, b). This requires 2n2 ℓ + 2n3 field elements to communicated. The communication of randomized polynomials incurs O(2n3 ) field elements. The randomization process requires a total of 4n4 ℓ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verifi-

100

B. Prabhu et al.

Table 4. Protocol for generating ℓ random pairs (a, b)

1. Every player Pj ∈ P ′ selects a random vector [rj1 , . . . , rjℓ ] over the field F and sends it to each player Pi ∈ P ′ . 2. The players jointly generate t′ -shared values a and b (in parallel for all the ℓ triples in the block): (a) For each of the ℓ + n′ triples, in parallel, every player Pi ∈ P ′ selects two random degreet′ polynomials fi (x) and gi (x) and sends the shares aij = fi (αj ) and bij = gi (αj ) to (k) player Pj for j = 1, . . . , n′ . Let a˜i = fi (0) and b˜i = gi (0). Let fi (x) and gi (k) (x), k ∈ {1, . . . , ℓ + n′ }, denote the polynomials used by player Pi for the kth pair. Similarly (k)

denote the shares in the kth pair. aij (k) and bij (b) Each player Pi who received a random vector from Pj in Step 1 sends to Pj the linear combinations fi (c) (d)

(e) (f)

(g)

(Σ)

(x) =

ℓ

k=1

rjk fi

(k)

(x) + fi

(l+j)

(x) and gi (Σ) (x) =

ℓ

k=1

rjk gi (k) (x) +

gi (l+j) (x). The players jointly randomize the shares of each of the secrets a˜i , b˜i for i = 1, . . . , n′ (for ℓ triples) using the randomization protocol given in Table 2. The players jointly execute protocol AgreeSet[Q, P ′ , t′ ]. For i = 1, . . . , n′ , player Pi sets the predicate Q(j) = 1 if he has received messages from player Pj in each one of Steps 1,2a,2b and 2c. Let G1 be the resultant AgreeSet. The players jointly verify the degree of each of the random polynomials fi (x) and gi (x) (over ℓ triples) for each Pi ∈ G1 using the protocol in Table 7. If no fault was detected in Step 2e, each player Pj ∈ P ′ \ CheckSet reconstructs his shares (k) of a˜i (k) and b˜i for Pi ∈ G1 and k = 1, . . . , ℓ using the protocol in Table 3. (CheckSet is the AgreeSet returned by the verification protocol.) computes his shares of a and b (for all the ℓ triples) as aj = Every player Pj ∈ P ′   aij and bj = bij . Pi ∈G1

Pi ∈G1

cation step requires 2n3 + 4n2 field elements to be communicated and at most 2n + 1 BAs. Hence the first step of the preparation phase requires a maximum of 4n4 ℓ + 3n2 ℓ + 6n3 + 4n2 field elements to be communicated and at most 3n + 1 calls to the BA protocol. Step2: Generating c such that c = ab In this step the players jointly generate t′ -sharings of ℓ products c(k) such that c(k) = a(k) b(k) using the technique proposed in [5]. The protocol (Table 5) proceeds as follows: Each player computes the product of his shares of a and b. These products define a 2t′ -sharing of c. Each player then t′ -shares his product shares. Similar to the pair generation step, the players exchange random linear combinations of the polynomials used so that they can be verified for consistency. The set of players who have successfully completed these steps is agreed upon using the agreement on a common subset primitive. The degree of sharings of each of the dealers in the resultant set is verified for consistency using the verification protocol in Table 7. If this verification is successful, the second verification step (Table 8) is carried out to determine if the sharings are consistent with the equation c = ab. If a fault is detected in any of the verification steps, the localized set D containing at least one faulty player is eliminated. Else the players whose shares have not been verified reconstruct their shares from those whose consistency has been verified (using

Asynchronous Unconditionally Secure Computation

101

Table 5. Protocol for generating ℓ values c such that c = ab

1. Every player Pj ∈ P ′ selects a random vector [rj1 , . . . , rjℓ ] over the field F and sends it to each player Pi ∈ P ′ . 2. The players jointly generate t′ -shared value c such that c = ab (in parallel for all the ℓ triples in the block): (a) For each of the ℓ + n′ triples, in parallel, every player Pi in P ′ computes his product share c˜i = ai bi . He then shares it among the players in P ′ using a random degree-t′ polynomial hi (x) such that hi (0) = c˜i . That is, Pi sends c˜ij = hi (αj ) to player Pj for j = 1, . . . , n′ . (b) Each player Pi who received a random vector from Pj in Step 1 sends to Pj the linear combinations hi (ℓ+j)

(c) (d)

(e) (f) (g)

(h)

(Σ)

(Σ)

(x) =

ℓ

ℓ

k=1 (k)

rjk hi

(k)

(ℓ+j)

(x) + hi

(l+j)

(Σ)

(x), ai (Σ) =

ℓ

(k)

ℓ

rjk ai k=1 c˜i (ℓ+j) . ′

(k)

+

+ = rjk c˜i , bi = rjk bi + bi and c˜i ai k=1 k=1 The players jointly randomize the shares of each of the secrets c˜i for i = 1, . . . , n (for ℓ triples) using the randomization protocol in Table 2. The players jointly execute protocol AgreeSet[Q, P ′ , t′ ]. For i = 1, . . . , n′ , player Pi sets the predicate Q(j) = 1 if he has received messages from player Pj in each one of Steps 1,2a,2b and 2c. Let G2 be the resultant AgreeSet. The players jointly verify the degree of each of the random polynomials hi (x) (over ℓ triples) for each Pi ∈ G2 using the protocol in Table 7. If no fault was detected in Step 2e, the players jointly verify if correct values of c have been shared (that is, they verify if c = ab) using the protocol in Table 8. If no fault was detected in Steps 2e and 2f, each player Pj ∈ P ′ \ CheckSet reconstructs his shares of c˜i (k) for Pi ∈ G2 and k = 1, . . . , ℓ using the protocol in Table 3. (CheckSet is the AgreeSet returned by the verification protocol.)  Every player Pj ∈ P ′ computes his share of c as cj = wi c˜ij where wi =



Pj ∈ G2 Pj = Pi

αj αj −αi

Pi ∈G2

.

the share adjustment technique described earlier). The players finally compute their t′ -shares of c as weighted sum of the share-shares received from players in the agreed set, where the weights are the Lagarange coefficients computed over the players in the agreed set. The verification steps ensure that each of the triples (a, b, c) are properly t′ -shared such that c = ab (with a small probability of error as explained in Section 4). From the 2t′ -shares of c, t′ -shares can be obtained using Lagrange interpolation and hence our protocol results in a correct sharing of c.4 Since the adversary cannot get more than t′ of the shares, privacy is guaranteed. The distribution of the random challenge vectors by all the players requires a total of n2 ℓ field elements to be communicated. n(ℓ + n) sharings need to be done to generate the ℓ products c. This requires n2 ℓ + n3 field elements to communicated. The communication of randomized polynomials incurs O(n3 ) field elements. The randomization process requires a total of 2n4 ℓ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verification steps together require n3 + 3n2 field elements to be communicated and at most 3n + 2 BAs. Hence the second step of the preparation phase requires 4

Since, in our case, the agreed set is of size at least n′ − t′ which is greater than 3t′ , interpolation is possible.

102

B. Prabhu et al.

a maximum of 2n4 ℓ + 2n2 ℓ + 3n3 + 3n2 field elements to be communicated and at most 4n + 2 calls to the BA protocol. Step-3: Increasing the Degree of Sharings In this step the players jointly increase the degrees of the sharings of each of the triples (a, b, c) from t′ to t. Consequently, this step needs to be evaluated only if t′ < t. The degree increase is done by generating three random t-sharings of 0 and adding one sharing each to the t′ -sharings of a,b and c respectively. Similar to the first two steps, the degree increase protocol (Table 6) distributes enough information so that the players can verify the degree of each of the sharings and then obtain the correct shares of each of these sharings. In the protocol of Table 6, since the polynomials fi (x), gi (x) and hi (x) chosen by each player Pi are verified to be of degree t− 1, xfi (x), xgi (x) and xhi (x) have degree t and each shares the secret 0. Hence the sum of the shares of these polynomials with the t′ -shares of a, b and c produce t-shares of a, b and c. As in the previous steps, privacy is guaranteed since the adversary can not obtain more than t′ shares of any of the sharings. The distribution of the random challenge vectors by all the players requires a total of n2 ℓ field elements to be communicated. 3n(ℓ+n) sharings need to be done in this step. This requires 3n2 ℓ + 3n3 field elements to communicated. The communication of randomized polynomials incurs O(n3 ) field elements. The randomization process requires a total of 6n4 ℓ field elements to be communicated. The single AgreeSet execution calls for n BAs. The verification step requires 3n3 + 6n2 field elements to be communicated and at most 2n + 1 BAs. Hence the final step of the preparation phase requires a maximum of 6n4 ℓ + 4n2 ℓ + 7n3 + 6n2 field elements to be communicated and at most 3n + 1 calls to the BA protocol. Verification Two kinds of verification are performed in the course of our protocol: the first verifies the degree of sharings of the secrets while the second checks if the triple (a, b, c) is shared such that c = ab. In the first verification step, every player verifies the degree of a random linear combination of the polynomials used in the sharing of the triples in that block. This is done by having the players jointly reconstruct the linear combination towards the challenging player Pv using the random challenge vector [rv1 , . . . , rvℓ ] that player Pv distributed in the corresponding generation phase. Pv then verifies the degree of sharing of the resulting polynomial. In order to preserve the privacy of the involved polynomials (and hence the shares) a blinding polynomial is added for each verifier. If a verifier detects a fault, he chooses one of the sharings in which he found a fault. Let Pi be the owner of this sharing. From the linear combination of the polynomials that he received from Pi in the generation step, the verifier identifies one of the shares that is not consistent with the polynomial. Let Pj be the owner of this share. Pv communicates the indices i and j to all the players. In the synchronous setting, players Pi and Pj will communicate their values of the share in question and the suspect list can be narrowed down to two out of the three players Pi , Pj and Pv . In the asynchronous case, since the adversary has the power to arbitrarily schedule messages, the players can not differentiate

Asynchronous Unconditionally Secure Computation

103

Table 6. Protocol for increasing the degree of sharings of a, b and c from t′ to t

1. Every player Pj ∈ P ′ selects a random vector [rj1 , . . . , rjℓ ] over the field F and sends it to each player Pi ∈ P ′ . 2. The players jointly increase the degree of the sharings of a, b and c from t′ to t (in parallel for all the ℓ triples in the block): (a) For each of the ℓ + n′ triples, in parallel, every player Pi ∈ P ′ selects three random

i (x) and sends the shares a i (αj ), degree-(t − 1) polynomials fi (x), gi (x) and h ij = f

b i (αj ) and cij = hi (αj ) to player Pj for j = 1, . . . , n′ . Let ai , bi and ci represent ij = g the respective secrets. (b) Each player Pi who received a random vector from Pj in Step 1 sends to Pj the linear combinations fi gi

(l+j)

(Σ)

(x) and hi

ℓ ℓ (l+j) (k) (Σ) (k) (x), gi (x) = rjk gi (x) + rjk fi (x) + fi k=1 k=1  (l+j) (k) ℓ i (x). (x) = rjk hi (x) + h k=1 randomize the shares of each of the secrets ai , bi and ci for i =

(x) =

(Σ)

(c) The players jointly 1, . . . , n′ (for ℓ triples) using the randomization protocol in Table 2. (d) The players jointly execute protocol AgreeSet[Q, P ′ , t′ ]. For i = 1, . . . , n′ , player Pi sets the predicate Q(j) = 1 if he has received messages from player Pj in each one of Steps 1,2a,2b and 2c. Let G3 be the resultant AgreeSet. (e) The players jointly verify the degree of each of the random polynomials fi (x), gi (x) and hi (x) (over ℓ triples) for each Pi ∈ G3 using the protocol in Table 7. (f) If no fault was detected in Step 2e, each player Pj ∈ P ′ \ CheckSet reconstructs his (k)

(k)

(k)

and ci for Pi ∈ G3 and k = 1, . . . , ℓ using the protocol in Table 3. shares of ai , bi (CheckSet is the AgreeSet returned by the verification protocol.) ′ (g) Every player Pj ∈ P computes his t-shares of a, b and c as aj = aj + αj



Pi ∈G3

a  ij ,

bj = bj + αj



Pi ∈G3

b ij ,

cj = cj + αj



Pi ∈G3

c ij , where

aj , bj and cj are respectively the t′ -shares of a, b and c computed in the first two steps (Tables 4 and 5).

between a faulty player who has not sent his value of the share and a honest player whose communication has been delayed. Hence the suspect list will include all three players Pv , Pi and Pj . After every verifier has reported his result, the players agree on the set of completed verifications. If a fault was reported by any of the successful verifiers, then the localized set D consisting of the verifier Pv , the dealer Pi and the owner of the faulty share Pj is eliminated. This verification step requires at most n3 + 2n2 field elements to be communicated and at most 2n + 1 invocations of the BA protocol. The second verification step checks if the shares of a, b and c conform to the requirement that c = ab. The idea of this step is to verify if the product shares c˜i for i = 1, . . . , n′ lie on a polynomial of degree 2t′ . Each verifier obtains the product share c˜i (Σ) from the share-shares received by him in the first verification step and then checks if they lie on a polynomial of degree 2t′ . If a fault is detected, the verifier compares the product shares c˜i (Σ) with the linear combination of the (Σ) product of the shares of a and b, namely ai (Σ) and bi . He then identifies one of the shares which is not consistent and communicates the index of this share to every other player. After every verifier has reported his result, the players agree on the set of completed verifications. If a fault was reported in any of these verifications, then the localized set D consisting of the verifier Pv and the

104

B. Prabhu et al.

Table 7. Protocol for verifying the degree of sharing of a secret (k)

(k)

Let {ˇ aij |j = 1, . . . , n} be the set of shares (corresponding to the secret a ˇi ) which are to be verified for each Pi ∈ G, where G is the agreed set of dealers, and for k = 1, . . . , ℓ. (k) Let a ˇ i , k = ℓ + 1, . . . , ℓ + n denote the blinding secrets. (k) (k) ˇ Let fi (x) denote the polynomial used to share the secret a ˇ i and let d be its degree. Let [rv1 , . . . , rvℓ ] be the random vector communicated by verifier Pv . 1. Each player Pj computes and sends to each verifier Pv the following corresponding blinded (Σ)

2. 3. 4. 5.

6. 7.

ℓ

(k)

(ℓ+v)

linear combinations for each Pi ∈ G: a ˇij = rvk a ˇij + a ˇ ij . k=1 The verifiers jointly execute protocol AgreeSet[Q, P ′ , t′ ]. Verifier Pv inputs Q(j) = 1 if he has received a message from player Pj in Step 1. The resultant AgreeSet is denoted by CheckSet. (Σ) aij |Pj ∈ CheckSet} lie on a polynomial of Each Pv verifies for each Pi ∈ G if the shares {ˇ degree at most d. If no fault was detected (the polynomial is of required degree), Pv sends CheckMessage v = ′ OK ′ to all the players. Else Pv selects one of the players Pi for whom he has detected a fault. He then finds the smallest index j such that a ˇ ij received from player Pj in Step 1 does not lie on the polynomial (Σ) fˇi (x) received from Pi in the corresponding generation step. Pv sends the pair (i, j) as his check-message, CheckMessagev . The players jointly execute protocol AgreeSet[Q, P ′ , t′ ]. Player Pi inputs Q(v) = 1 if he has received CheckMessagev from verifier Pv in Step 5. The resultant AgreeSet is denoted by H. If CheckMessage v =′ OK ′ for all Pv ∈ H then no fault has been detected. Else the smallest index v for which CheckMessagev =′ OK ′ is chosen. The players then execute a BA protocol to agree on a single pair (i, j) sent to them by Pv . The set of players to be eliminated, D, is set to {Pv , Pi , Pj }.

owner of the faulty share Pi is eliminated. This verification step requires n2 field elements to be communicated and at most n + 1 invocations of the BA protocol. In the verification steps, if there is a fault, every honest player will detect it with probability at least 1 − |F1 | . For at least n′ − 2t′ ≥ n − 3t honest players (in a verifier set of n′ − t′ ), this gives an overall error probability of |F |−(n−3t) . 2.2

Computation Phase

At the end of the preparation phase we will be left with a new set of n′ players P ′ = {P1 , . . . , Pn′ } containing up to t′ faulty players. In the computation phase, the players first verifiably share their inputs among all the players in the new player set. Then the circuit is evaluated as detailed below. At the end of the evaluation, the players in the set P ′ will have t-shares of the value of the function f (x1 , . . . , xn ). Any player can now reconstruct the secret by getting the shares from the players in P ′ . Our focus in this paper is to improve on the complexity of the circuit evaluation phase. For sharing the inputs we directly adopt the asynchronous verifiable input sharing protocol of [2]. This protocol requires O(n3 log(|F |)+n4 log(n)) field elements to be communicated and n BA protocols to be executed. The evaluation of the circuit is done gate-by-gate using the triples generated in the previous phase for evaluating multiplication gates. Due to the linearity of the sharings used, linear gates in the circuit can be evaluated locally

Asynchronous Unconditionally Secure Computation

105

Table 8. Protocol for checking if the triples have been properly shared (is c = ab?)

1. Each verifier Pv computes the product shares c˜i (Σ) from the sub shares {c˜ij (Σ) |Pj ∈ CheckSet} received in the first verification step, for each Pi ∈ G2 (c˜i (Σ) s can be obtained by interpolating the corresponding sub shares). 2. Each Pv verifies if the product shares c˜i (Σ) , Pi ∈ G2 , lie on a polynomial of degree at most 2t′ . 3. If no fault was detected (the shares lie on a polynomial of degree at most 2t′ ), Pv sends CheckMessage v =′ OK ′ to all the players. 4. Else Pv verifies if the shares {ai (Σ) |Pi ∈ G2 } lie on a polynomial of degree t′ . If not Pv applies error-correction and finds the smallest index i such that ai (Σ) must be corrected. Pv sends the index i as his check-message, CheckMessagev . Similar verification is done for the shares (Σ)

|Pi ∈ G2 }. If no fault was detected then Pv verifies for each Pi ∈ G2 if the values c˜i (Σ) {bi computed in Step 1 are consistent with the values c˜i (Σ) received in Step 2b of the protocol in Table 5. This test will fail for at least one Pi . Pv sends this index i as his check-message, CheckMessage v . 5. The players jointly execute protocol AgreeSet[Q, P ′ , t′ ]. Player Pi inputs Q(v) = 1 if he has received CheckMessage v from verifier Pv in Step 5. The resultant AgreeSet is denoted by G. 6. If CheckMessagev =′ OK ′ for all Pv ∈ G then no fault has been detected. Else the smallest index v for which CheckMessagev =′ OK ′ is chosen. The players then execute a BA protocol to agree on a single index i sent to them by Pv . The set of players to be eliminated, D, is set to {Pv , Pi }.

by applying the linear function to the shares of the inputs. Multiplication gates can be evaluated using the technique of [1]. In essence, we do the following: let x and y be the inputs to the multiplication gates. Let dx = x − a and dy = y − b. The players in the new player set P ′ reconstruct the values dx and dy . As a and b are random, this reconstruction does not reveal any information about x and y. The product xy can be rewritten as: xy = dx dy + dx b + dy a + c. This equation is linear in a, b and c and hence can be computed from the shares of a, b and c and the values dx and dy without any communication among the players. Each multiplication gate requires two secret reconstruction steps. For reconstructing a secret, each player in the player set P ′ sends his shares to every other player. Hence this protocol requires 2n2 field elements to be communicated. For output reconstruction, every player Pi ∈ P ′ sends his share of the output to the player reconstructing the output. This step requires n field elements to be communicated.

3

Complexity Analysis

We analyze the complexity of our protocol in this section. The message complexity(MC), expressed as number of field elements, and the number of invocations of the BA protocol(BAC) for each of the sub-protocols is listed in Table 9. The table also specifies the number of times each sub-protocol is invoked in the worst case. The number of players involved is denoted by n. t denotes an upper bound on the number of actively corrupted players. m is the total number of multipli-

106

B. Prabhu et al.

Table 9. Complexity Analysis of the protocol Protocol Step I Step II Step III Give Input Multiply Get Output

MC (field elements) BAC # Calls (max) Preparation Phase 4n4 ℓ + 3n2 ℓ + 6n3 + 4n2 3n + 1 n+t 2n4 ℓ + 2n2 ℓ + 3n3 + 3n2 4n + 2 n+t 6n4 ℓ + 4n2 ℓ + 7n3 + 6n2 3n + 1 n+t Computation Phase (n3 log(|F|) + n4 log(n)) n nI 2n2 — m n — no

cation gates and ℓ = ⌈ m n ⌉ is the number of multiplication gates per block. nI is the total number of inputs to the function to be computed and no is the number of outputs of the function. The cumulative message complexity when m sufficiently exceeds n is O(mn4 + 3 n nI log(|F | + no n) field elements. The corresponding number of invocations of the BA protocol is O(n2 + nI n). Since BA protocols are very communication intensive (Ω(n2 ) bits communicated per bit of broadcast), the number of bits that are to be agreed upon has a governing influence on the overall communication complexity of the resultant protocol. It is known that protocols that are constructed in line of [2] require O(mn4 log n) bits of broadcast, while those in line of [9] require O(mn2 ) bits of broadcast. In this paper, we have shown that allowing a small error probability, it is possible to design protocols that have a broadcast complexity that is dependent on n rather than m (an improvement of O(m) over the existing protocols) while the message complexity remains unaffected.

4

Conclusion

Asynchrony of communication networks is quite realistic and hence asynchronous secure computation protocols will have substantial influence on real-life secure distributed systems. In a synchronous network, it was shown that secure protocols for computing any function could have a broadcast complexity that is independent of m. All known protocols for the problem in the asynchronous setting have impractical complexities and also depend on m that could be potentially large. In this work, we propose the first protocol for unconditional asynchronous secure computation that has a broadcast complexity that depends only on the number of players. However, the resilience of the proposed protocol, viz. t < n4 , is sub-optimal. It would be interesting to extend the ideas and design efficient protocols that have optimal fault-tolerance, viz. t < n3 .

Asynchronous Unconditionally Secure Computation

107

References [1] D. Beaver. Efficient multiparty protocols using circuit randomization. In CRYPTO ’91, vol. 576 of LNCS, pp. 420–432. Springer-Verlag, 1991. 95, 105 [2] M. Ben-Or, R. Canetti, and O. Goldreich. Asynchronous secure computations. In 25th ACM STOC, pp. 52–61, 1993. 94, 104, 106 [3] M. Ben-Or, B. Kelmer, and T. Rabin. Asynchronous secure computation with optimal resilience. In 13th ACM PODC, pp. 183–192, 1994. 94, 96 [4] R. Canetti and T. Rabin. Optimal asynchronous byzantine agreement. In 25th ACM STOC, pp. 42–51, 1993. 94 [5] R. Gennaro, M. O. Rabin, and T. Rabin. Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In 17th ACM PODC, pp. 101–111, 1998. 100 [6] M. Hirt and U. Maurer. Robustness for free in unconditional multi-party computation. In CRYPTO’01, vol. 2139 of LNCS, pp. 101–118. Springer-Verlag, 2001. 94, 95, 97 [7] M. Hirt, U. Maurer, and B. Przydatek. Efficient multi-party computation. In ASIACRYPT 2000, vol. 1976 of LNCS, pp. 143–161. Springer-Verlag, 2000. 95 [8] A. Shamir. How to share a secret. Communications of the ACM, 22:612–613, 1979. 95 [9] K. Srinathan and C. Pandu Rangan. Efficient asynchronous secure multiparty distributed computation. In INDOCRYPT’00, vol. 1977 of LNCS, pp. 117–130. Springer-Verlag, 2000. 106 [10] A .C. Yao. Protocols for secure computations. In 23rd IEEE FOCS, pp. 160–164, 1982. 93

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI) Ravi Mukkamala Old Dominion University, Norfolk VA 23529, USA [email protected]

Abstract. With the ever-increasing growth in E-commerce and other internet applications, the need for secure transactions over the internet is also growing. In particular, more and more applications are demanding security services such as authentication, authorization, accounting, confidentiality, and non-repudiation. Since there is a cost associated with each type of service, the applications are demanding a wide variety of quality-of-service (QoS) provisions so they can pick and choose the services based on the value of their transactions. In this paper, we concentrate on one particular element of the end-to-end internet security: the public-key infrastructure (PKI). In particular, we identify the weaknesses of the current PKI systems in meeting the QoS needs and propose QPKI—a new QoS-based PKI architecture. The architecture includes the concepts of recertification and active certificates. The proposed architecture is shown to be much more flexible and cost-effective than the conventional PKI.

1

Introduction

With the ever-increasing need for secure transactions in a wide variety of E-commerce and other distributed applications, the need for systems that offer a wide variety of quality-of-service (QoS) features is also growing. For example, most secure e-mail applications only guarantee confidentiality, i.e., no one else besides the intended user can decipher and understand the mail contents. An access for a secure resource, on the other hand, may need to offer the AAA (authentication, authorization, accounting) services along with non-repudiation [1,6]. Similarly, a resource server may be satisfied with an unexpired certificate for low-value transactions while demanding a strict policy checking, path validation, and certificate status checks for high-value transactions. Some relying parties may be satisfied with the information from a local CRL while others demand a stricter verification with an RA or an OCSP responder [13]. Since digital certificates are the underlying security mechanism for all these schemes, it is necessary to design a public-key infrastructure that provides a wide variety of services. The traditional PKI architecture, however, is not designed with this flexibility in mind [9,10,11,14]. Accordingly, it provides a system that is one-size fits-all. For example, most applications seem to be using it for the purpose of authentication. A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 108–121, 2002. c Springer-Verlag Berlin Heidelberg 2002


QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

109

But there are several applications that need not only authentication but also authorization and accounting functions. While some effort is under way to fill the gap using attribute certificates [6], it falls short of the real needs [5,14]. For example, there is no way to modify the authorization amount after each use of an authorization certificate [11]. In this paper, we propose QPKI, a QoS-based PKI architecture, to overcome several of the limitations. The architecture employs two concepts: recertification and active certificates. While recertification combines the cost advantages of long-term certificates with the benefits of increased trust with short-term duration certificates [8,10], active certificates allow more flexibility in the use of a certificate. In addition, they help shifting some of the processing burden from a relying party to a certificate owner [4,11]. The paper is organized as follows. In section 2, we briefly summarize the QoS requirements of different stakeholders of PKI. Section 3 discusses the limitations of the current PKI architectures in meeting these QoS needs. In section 4, we describe the proposed QPKI architecture along with the recertification and active certificate concepts. In section 5, we briefly describe the different QoS features of QPKI that are otherwise absent in current PKI systems. Finally, section 6 summarizes the contributions of the paper and discusses future work.

2

Quality-of-Service Requirements of PKI Stakeholders

To motivate the need for the proposed QoS-based PKI architecture, in this section, we briefly summarize the QoS requirements of different stakeholders of PKI: the relying party, the certificate owner, and the certificate issuer. 2.1

QoS Concerns of Relying Parties

A relying party (RP) is mainly concerned about the validity and trustworthiness of a certificate. In addition, it is concerned about the cost of achieving the required trust. In fact, it may demand different degrees of trust depending on the value of a transaction t is servicing. The following five requirements summarize some of RP’s major QoS concerns. RP1: Certificate freshness. Depending on the application or the type of request, a relying party may desire different degrees of freshness for a certificate to avoid the high cost of status checking. For example, for an identity check, it may accept an older certificate. But for an attribute checking such as verifying the worth of an investment portfolio of a user, it may require a certificate issued, say, within the last 24 hours. RP2: Path validation. Depending on the criticality or the value of demanded service, a relying party may place different requirements on the trustworthiness of the CA that issued the user’s certificate. For example, it may insist that the CA be certified directly by one of its own trust-point CAs. Alternately, it

110

Ravi Mukkamala

may insist that a validation path (from the issuer CA to RP’s trust-point CA) be provided. As a default, it could accept the responsibility of discovering and verifying such a path. RP3: Status validation. A simple relying party may not do any certificate validation and, instead, insist on fresh certificates. Alternately, it may use an OCSP responder [13], if it is available. Otherwise, it may have to get a revocation list (CRL) from a directory provider or a distribution point and determine the status. RP4: Time for validation. Since a relying party is mainly interested in completing its own services related to users’ requests (for which certificates were submitted), it is important that the validation task be completed as quickly as possible, incurring as little cost as possible. However, the validation time itself is a function of the desired confidence or trust that the RP demands. RP5: Cost of validation. In addition to time to validate, a relying party may also be interested in limiting the cost of validation. For example, if path validation requires it to send several messages and involves several computations, then the relying party may want to just be satisfied with what the certificate claims to be and do minimal validations. For high value transactions, however, it may want to do a thorough validation. 2.2

QoS Concerns of Certificate Owners

A certificate owner is primarily interested in a simple process to obtain, to revoke, and to use certificates. The owner wants to expend as few resources as possible in using certificates. Following are a few major QoS concerns of a certificate owner. CO1: Acceptability. The primary concern of certificate owners is the acceptability of a certificate at all relying parties of interest. In other words, the concern is whether or not a certificate and its issuer CA is trusted by a relying party to which it is submitted. CO2: Degree of freshness. An owner is also concerned whether or not a certificate is of a freshness required by a relying party. For example, some relying parties may require a certificate issued within 24-hours for it to be used. An employment certificate issued a year ago may not be acceptable to a mortgage company. Instead they may demand a certificate that was issued within the last one week. Whether or not a CA can reissue a certificate, with low overhead, with a new date of issue is of concern to certificate owners. CO3: Revocation. The third concern of an owner is whether or not a certificate can be revoked quickly. For example, owners may be less concerned of some certificates and, hence, tolerate a delay of a week for the revocation information to propagate. On the other hand, for some critical certificates, they may require

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

111

that the revocation information be immediately (e.g., within an hour) propagated to the appropriate validation entities. A CA should be able to provide this type of flexibility in revocation. CO4: Cost. Finally, an owner is concerned about the cost of achieving each of the operations with a certificate: issue, validation, revocation, and reissue. 2.3

QoS Concerns of Certificate Issuers

As discussed above, the certificate owners and relying parties have a variety of requirements. Certificate issuers or Certificate authorities (CA) are concerned about offering these services as efficiently as possible and with as little cost as possible. Following are a few of these concerns. CA1: Real-time certificate issue. Some users demand real-time issue of certificates from a CA. In other words, when a request is made on-line, the certificate should be issued with no further delays, in real-time. However, this may mean that the issuing CA be on-line. This may often contradict other users’ requirement that it be secure and not be accessible to an on-line hacker. CA2: Multiple attributes. Another issue of concern is the attributes stored within a certificate. While some relying parties may just need the public-key and the expiration period of the certificate, others may also need details such as the authorization limit, etc. This implies that a CA should be prepared to issue certificates with a variety of attributes varying in number and type. CA3: Varying validity periods. Some users may require certificates with long-term validity (e.g., a tenured faculty may be issued a long-term certificate) while others may require short-term validity (e.g., an hourly worker is issued a short-term certificate). A CA should be able to provide certificates of different validity periods to different users. CA4: Real-time revocation. Depending on the criticality and the importance of a certificate, some users may demand that a certificate be revoked immediately. Most others may be satisfied with a reasonable revocation period of a few hours or a day. Others may be satisfied with a weeklong delay. But the CA has to deal with all the variety of requirements. While the above QoS concerns are by no means exhaustive, they are sufficient to motivate us to work towards a QoS-based PKI architecture.

3

Limitations of Current PKI Architectures

Before describing the proposed QPKI architecture, we would like to briefly mention why the current architectures are not suitable to meet the needs of its stakeholders.

112

Ravi Mukkamala

In a typical PKI architecture, the certificates themselves are static [1]. They contain certificate data along with the contact points for the CA and optionally for the directory provider. Certainly, there is a concept of different categories of certificates depending on the content of a certificate. A certificate that is issued on-line (and for free) often contains little information since there was no verification of user information. On the other hand, off-line issued certificates contain much more useful data that has been verified by the RA (registration authority). But, in general, the number of fields is limited. While almost all CAs provide certificate revocation lists (CRLs) as a means to publish certificate revocation information, very few provide OCSP services [1,13]. Even the OCSP service is designed to be on-line but not necessarily upto-date [5,9,12]. Thus, in almost all cases, a relying party has to download the CRLs and check the validity of a certificate. Similarly, in most cases a relying party itself needs to verify CA’s trust path. The concept of providing an SCVP (similar to OCSP) is beginning to emerge [7]. Due to the cost of issue of certificates, most certificates are issued for a long time (one or two years). But several applications would like to see short validity periods such as one or two hours or even a day. Unless, the cost of issuing certificates is significantly reduced, short duration certificates are not economically feasible with the current architectures [8]. Revocation of certificates remains a problem for all stakeholders. In almost all cases, a CA needs to be contacted for all services on a certificate. In fact, there is no means to temporarily suspend a certificate [1]. More importantly, today’s PKI architectures place a significant burden on relying parties, providing almost no options. It is RP’s burden to download the CRLs; it is its responsibility to discover a validation path and validate the path. Other deficiencies of the current architectures are also discussed in [9,10,11]. In this paper, our objective is to overcome some of these deficiencies and provide an architecture that has many more QoS options for all stakeholders.

4

Proposed QPKI Architecture

In order to offer the needed QoS for various stakeholders, we propose a PKI architecture that is more flexible. We achieve the needed flexibility by introducing two new concepts: recertification and active certificates. In the following, we will first summarize the two concepts and then show how they are integrated to achieve the QoS objectives. 4.1

Recertification

The concept of recertification aims to combine the benefits of long-life certificates for a certificate issuer (CA) with the benefits of short-lived certificates for revocation [10]. The main idea is to initially issue a certificate for the normal period of duration (e.g., 1 or 2 years) and then require the certificate-holder (or user) to get the certificate recertified/reissued at certain intervals during

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

113

its lifetime. A relying party not only looks for the lifetime of a certificate but also for its recertification status at the time of verification. To reduce the load on the CA, the recertification task may be assigned to a different entity called the recertification authority (RCA). Certainly, RCA should have been delegated this authority by a CA, say by issuing an attribute certificate to this effect. An RCA does not have to be as trusted and secure as a CA. However, it should be certified by the CA so the relying parties can trust its actions. Since both CA and RCA are involved in recertification, the original PKI X.509 format needs a few changes. An example format is shown in Figure 1. Except for the three fields (shown in italics), along with the fields of RCA identity and its public key, the fields are identical to the X.509 format. The italicized fields are introduced due to recertification and are filled by an RCA. CA signs the remaining fields and its digital signature is included in the certificate. Let us look at the italicized fields more closely. The period of validity has two dates: Not before date and Not after date. These are changed by the RCA when a certificate is initially issued as well as during every recertification. (For further details on implementing recertification, see [10].) As in traditional PKI, the user sends its request for a certificate to an RA/CA. After verifying the credentials, a certificate is issued with a longer expiration time (referred to as original validity period in Figure 1). The CA signs the certificate. The certificate is then forwarded to the assigned RCA (also specified in the certificate). The RCA sets the not before and not after dates for validation, digitally signs the entire certificate, and returns it to the user. The short-term validity period depends on the re-certification frequency initially requested. After the initial issue, the user only needs to submit the certificate to the RCA for recertification. In fact, a user needs to recertify a certificate when a it is to be used. In other words, an unused certificate may never need to be recertified. In order to get an intuitive idea about the benefits of recertification toward revocation, consider a CA that revokes 10,000 certificates each week. Suppose the lifetime of each certificate is 1-year or 52-weeks. Let us assume that a certificate is equally likely to be revoked in any week during its lifetime. So the maximum number of certificate identifiers in a CRL is 52*10,000 or 520,000. The average CRL size would be 260,000 certificates. Now, if we assume that a certificate needs to be recertified once in 4 weeks (that is 13 times during its lifetime) the maximum CRL size would only be 4*10,000 or 40,000. The average size would be 20,000 certificates. In other words, we can reduce the average CRL size from 260K to 20K. This is a significant reduction achieved by requiring recertifying a certificate 13 times during its lifetime. In general, “p” periods of recertification would reduce the CRL to 1/p of its original size. The reduction is possible since the CRL published under this scheme contains only those that have been revoked with valid recertification dates. The additional load of recertifying each certificate p times during its lifetime is taken by an RCA with no involvement of the CA.

114

Ravi Mukkamala

Version Serial Number Signature Algorithm Issuer Name Period of Validity ·

Not Before Date

·

Not After Date

Subject Name Subject's Public Key ·

Algorithm

·

Public Key

Extensions: RCA Identity and Public Key Original Validity Period Re-certification Frequency CA Signature

RCA Signature Fig. 1. Certificate format with recertification In summary, CA issues the certificates; RCA manages recertification and the publication of CRLs. The relying parties have the option of looking at not only the expiration time but also the status of recertification of a certificate. 4.2

Active Certificates

Basically, an active certificate (AC) can be thought of as a combination of executable code and data [11]. The certificate, as in a conventional system, is prepared and issued by a CA to a user. The certificates may reside in a user space (e.g., user specified host machine) or alternately reside at a user-designated location (e.g., a selected secure certificate bank). Whenever a certificate is to be used, its code becomes active and starts running like any other process. The characteristics of an active certificate are as follows. • It contains both executable code and data. • The data has two parts: static (i.e., unchangeable) data and dynamic (i.e., modifiable) data. • The dynamic data is modifiable by the code when authorized by the issuing CA.

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

• • • • •

115

It is capable of communicating with a relying party. It can communicate with its issuing CA. It can interact with the certificate-owner. Its code and data are secure. A certificate is capable of self-suspension, resumption, and revocation.

When a user wishes to submit a request to a relying party, the relying party may wish to authenticate the user with a certificate. Then, the user submits the location information of the certificate to the relying party. The relying party can now directly communicate with the certificate and get all the required information to authenticate the user. In this process, a relying party may ask the certificate to first provide a proof of validation. In other words, instead of a relying party going everywhere to validate a user certificate, it is now demanding the certificate to provide the needed proof. It may also specify the degree of freshness of the proof. For example, a relying party may ask the certificate to provide proof of validation that has a freshness of 1-hour or less. It is up to the certificate agent to procure the needed information and submit it to the relying party. Sometimes, the certificate may have cached this information locally and hence provide it immediately. Other times, it may contact CA/RA/directory-servers to get the proof of validation. A user can communicate with its certificate. For example, if a user wishes to suspend a certificate, it could communicate the information to its local certificate. It could then take the appropriate actions. If a user wishes to extend the life of a certificate it could do so by communicating with the certificate itself. In summary, an active certificate is an executable code and data. It has several roles. As a certificate-owner’s proxy (or agent), it presents the necessary information to a relying party. As a CA’s proxy, it can handle certificate owner’s service requests regarding the certificate. It also has the ability to protect itself (code and data) from other’s actions including that of the user. 4.3

QPKI Architecture

We now describe the proposed QoS-based PKI (QPKI) architecture integrating the recertification and active certificate concepts discussed above with the traditional PKI architecture [1,3]. In fact, the architecture includes all features of the traditional PKI (e.g., static certificates, revocation, and CRLs). The additional features offered by recertification and active certificates are optional and may be chosen by a certificate holder at the time of certificate creation. In that sense, it is compatible with the existing PKI systems. (Note: In the below description, when we indicate a set of components such as a set of RCAs as a single module, it is only a logical or functional module. In actual implementation, they are distributed among several autonomous nodes.) As shown in Figure 2, the architecture has six primary modules. 1. The CA/RA module issues certificates after verifying the credentials of a user. The functions of CA and RA are similar to that of any conventional

116

2.

3.

4.

5. 6.

Ravi Mukkamala

PKI system. This module also contains a certificate repository module (CR) that stores all certificates issued by a CA. An interface agent (IA) facilitates communication between other modules and this module. For example, when a relying party wishes to check the status of a certificate directly from the CA/RA, it communicates through the IA. Even requests for certificate creation and revocation are handled through the IA. More than one instance of IA could be created for a module to handle additional traffic to the module. The module with the set of recertification authorities (RCA) is useful for recertification as well as status verification by the relying parties. Generally, each certificate is assigned a specific RCA for recertification. But when fault-tolerance is demanded, alternate RCAs could also be specified within a certificate. The third module is a set of directory servers (DS). Each CA posts its CRL at one or more of the directory servers. This service is also available in a conventional PKI system. The module of certificate banks (CB) supports active certificate when a user is unable to host them on its own machine. An active certificate may be installed either at a user or at one of the certificate banks. The fifth module is a set of relying parties (RP). This is typical of any PKI system. Finally, the sixth module is a set of users (U). They are also referred to as certificate holders or certificate owners. This is also typical of any PKI system.

The interactions between different modules is indicated by numbers I to IX. Among these, the interactions I and IX are important and hence discussed below. I: It represents all communication between the user module and the CA/RA module. In particular, it consists of the following types of communication. • User→CA: This includes user requests for the issue of a new certificate and all related authorization messages. In addition, as an exception, when a user does not get any response from its local active certificate (proxy), it directly communicates with the CA to suspend/revoke/renew/reactivate a certificate. • AC→CA: The active certificate (executing in user space) communicates with the CA on behalf of the user (say to revoke a certificate or to renew a certificate) or to seek the needed validation information to satisfy a relying party. • CA→User: CA installs/reinstalls the user certificate at the user specified host. • CA→AC: CA directly communicates with the certificate proxies in response to their requests. IX: This represents all communication between a user and a relying party. It consists of the following types of communication. This takes place both for static and active certificates.

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

117

• User→RP: User sends its requests for service to the relying parties and supplies all the required information. It also indicates to the RP regarding the certificate proxy to which it should communicate with for authentication/authorization. • RP→AC: A relying party directly communicates with the certificate proxy for any authentication/authorization of the user’s request. • RP→User: Once the authentication/authorization is successful, the relying party can directly communicate with the user to deliver the desired services. • AC→RP: The active certificate proxy interacts with the relying party to provide any needed information for authentication/authorization.

CA

RA

CA

CR

RA

CR

IA

IA

VI

VII

VIII

RCA

CB

DS RCA

CB

DS RCA

I

II

III RP

IV RP

RP

V RP

RP

IX

U

U

U

U

U

U

U

Fig. 2. Proposed QoS-based PKI architecture

II

I

118

Ravi Mukkamala

In addition, as an exception, a relying party may also communicate with CA/RA to confirm the status of a certificate or to report any suspected behavior of an active certificate. As discussed in the next section, the addition of RCA and AC enable QPKI to offer many more types of QoS than otherwise possible. Due to space limitations, we have omitted the discussion on the positive impact of the QPKI architecture on other characteristics of a PKI system such as scalability, availability, responsiveness, and communication costs.

5

QoS Features of the QPKI Architecture

As discussed earlier, the traditional system is too inflexible for most applications. In order to address some of these concerns, we have proposed the QPKI architecture. In this section, we shall show how QPKI overcomes the weaknesses of the traditional PKI. First, let us consider a conventional system that uses CRLs. Here, a relying party has two options: (i) Use the certificate expiration and other checks using data within the certificate itself to validate a certificate. (ii) Use the CRL provided by the CA at the directory service to confirm that a certificate has not been revoked. (Alternately, it could use OCSP-like protocol also [13].) Given that the lifetime of conventional certificates is long, it is almost mandatory for a relying party to obtain the latest CRL and check for the submitted certificate status. This is an expensive process. Now, let us consider the options (or QoS) available due recertification feature in the QPKI. Here, a relying party has four options. • Check the original certification expiration time. This is similar to the above option (i) of the conventional scheme. • Check the short-term expiration time (or the expiration of recertification). Since this is more recent (or current) than the original certificate, most relying parties can rely on this for verification. • Check the CRL of RCA. Since RCA’s CRLs are more frequently updated and are much shorter, this is much cheaper than option (ii) in a conventional scheme. Those relying parties that are not satisfied with the above option can do this additional check. • Check the CRL of CA. This is similar to the default option in a conventional scheme. In addition to these general options, the following possibilities exist. • Degree of freshness based on relying party. A relying party can dictate the degree of freshness of a certificate. In other words, it can insist a certificate to have been renewed in the last 1-hour or in the last 24 hours. The user can go to RCA and get it renewed as per the relying party’s requirements. • Renewal frequency. Depending on the type of applications for which a certificate will be used, a user can request a certain period of renewal frequency for a certificate. Thus, a certificate that is used in highly secure or highvalued transactions can have more frequent renewals or shorter lifetimes.

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

119

• Need-based renewal. More importantly, a user has the option of renewing a certificate only when needed (e.g., just-in-time). For example, suppose a user has been issued a certificate with a lifetime of 24-months and a renewal frequency of 56. Then, the recertification is valid for only 1 week. This does not mandate a user to recertify it 56 times. Instead, as and when the user wishes to use the certificate to be submitted to a relying party for a service, he could send it to RCA, get it renewed, and submit it to the relying party. This greatly reduces the overhead placed on the user for recertification at the same time offering flexibility to a relying party to dictate its own degree of freshness. • Temporary suspension. It is also possible to temporarily suspend a certificate. For example, if a manager is going to be on leave of absence for 4 weeks, his recertification which is say done everyday, could be stopped during this time. This automatically suspends the certificate without involving any other entity. We find this option to be one of the key advantages of the recertification process not offered by conventional certificates. Now, let us consider the flexibility in QoS offered by QPKI when active certificate feature is used. Clearly, one of the advantages due to AC concept is the ability to transfer the certificate validation responsibility from a relying party to the certificate holder. Following are a few QoS options offered by QPKI due to ACs. • Proof of validation. A relying party can require the executing AC to provide a proof of validation. This may include providing the expiration time, validating the path of trust between the relying party’s trust CAs and the certificate issuing CA. The parent process could include some path information (with respect a selected set of popular CAs) into the AC itself, thus making this process more efficient. This option may enable a relying party to handle more service requests and improve its throughput. • Temporary suspension. In conventional PKI, it is not possible to suspend a certificate temporarily. However, QPKI allows this option. For example, a user can simply communicate with its AC and suspend it for a specified time or until he resumes it again. This can be done with very little overhead. • AC and recertification. In cases where a relying party requires certificates with a specified degree of freshness (e.g., issued within 24-hours), the AC could communicate with the associated RCA and get the recertified data. All this can be achieved with no intervention from the user. • Authorization: One of the interesting applications of active certificates is for authorization. In a typical authorization system, a user may be permitted to use certain amount of a resource. For example, a bank may issue a certificate to a customer indicating a line-of-credit for a certain amount. The credit could be used any number of times at any merchant or service provide and after each use the credit should be reduced. This is not possible with a typical PKI unless the merchant contacts the CA each time to get authorization. An active certificate, on the other hand, obviates the need for this extra burden on the relying party and the CA. Since a relying party actually communicates with the certificate process, it is possible for the certificate

120

Ravi Mukkamala

process to take into account the current transaction and thereby reduce the permitted credit limit for future requests. • Custom-made certificates. In a traditional system, certificate formats are generally standard (e.g., X.509 certificates). While there is a provision for extension (or optional) fields, much more coordination is needed among the issuer, the user, and the relying parties to use the optional fields. In the current scheme, two facts make the process simpler: (i) the data portion of the certificate is in XML format where each field is tagged with a label. Thus it is much easier to add user-specific or application specific labels in a certificate. (ii) The executable code part of the certificate makes the customization simpler. Since the executable code can be customized to specific domains or to specific users, the certificates are easily customizable. For example, a university may always want to add the student major into a student’s certificate field. In addition, it may have fields to indicate the URL’s or IP addresses of student-specific services such as the registrar to verify student status. In summary, QPKI clearly extends the QoS options provided by the conventional PKI and, hence, is more suitable to handle the wide variety of today’s secure applications.

6

Conclusion and Future Work

The traditional X.509 PKI architecture suffers from many limitations in terms of the quality-of-service features that it offers to its stakeholders. In order to overcome some of these deficiencies, we have proposed a new PKI architecture. The new architecture incorporates two new concepts: recertification and active certificates. Recertification helps reduce the size of revocation information (e.g., CRL). In addition, it enables a user to provide a degree of freshness of a certificate desired by a relying party. An active certificate, with executable code and data, transfers much of the responsibility of proof of validation from a relying party to the user. In addition, it provides additional features such as temporary suspension and resumption. It also provides a facility wherein a relying party can request for only the data that it requires from a certificate (need-to-know) rather than obtain an entire certificate. We are currently prototyping the proposed architecture using Java, XML, and XKML. We were able to clearly demonstrate the feasibility of the approach. However, a few problems of trust remain to be solved. We are especially looking into ways to improve the trust a relying party may have on the executable code and the data it receives from it. We are experimenting with several technologies to improve this trust. In summary, we have proposed a new QoS-based PKI (QPKI) architecture that offers much more flexibility to all the stakeholders—the certification authority, the relying party, and the certificate owner. Clearly, QPKI is much better suited to the variety of applications in the real world today than PKI. Further work needs to be done to improve the trust in the system.

QPKI: A QoS-Based Architecture for Public-Key Infrastructure (PKI)

121

References [1] Adams, C., Llyod, S., Kent, S.: Understanding Public-Key Infrastructure Concepts: Standards and Deployment Considerations. Macmillan Technical Publishing (1999) [2] Borisov, N., Brewer, E.: Active Certificates: A Framework for Delegation. Proc. Network and Distributed System Security Symposium, (2002) [3] Denker, G., Millen, J., Miyake, Y.: PKI and Revocation Survey. SRI Technical Report, SRI-CSL-2000-01, (2000) [4] DeTreville, J.: Making certificates programmable. Proc. First Annual PKI Research Workshop, Gaithersburg, MD, USA, (2002), 48-55 [5] Kocher, P. C.: On certificate revocation and validation. Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465, (1998), 172-177 [6] Laing, S. G.: Attribute certificates - a new initiative in PKI technology. Technical Report, Baltimore Technologies, http://www.baltimore.com/ library/whitepapers/acswp-hm.html, (2001) [7] Malpani, A., Hoffman, P., Housley, R., Freeman, T.: Simple Certificate Validation Protocol (SCVP). IETF PKIX Working Group Internet Draft, (2000) [8] Micali, S.: NOVOMODO: Scalable certificate validation and simplified PKI management. Proc. First Annual PKI Research Workshop, Gaithersburg, MD, USA, (2002), 9-19 [9] Mukkamala, R., Jajodia, S.: A novel approach to certificate revocation management. Proc. Fifteenth IFIP WG 11.3 Working Conf. Database and Applications Security, Niagara on the Lake, Ontario, Canada, (2001), 223-238 [10] Mukkamala, R., Das, S., Halappanavar, M.: Recertification: A technique to improve services in public-key infrastructure. Proc. Sixteenth IFIP WG 11.3 Working Conf. Database and Applications Security, King’s College, Cambridge, England, (2002), 277-293 [11] Mukkamala, R., Balusani, S.: Active certificates: A new paradigm in digital certificate management. Proc. Workshop on Trusted Computing Paradigms, ICPP 2002, Vancouver, British Columbia, Canada, (2002), 30-37 [12] Myers, M.: Revocation: Options and challenges. Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465, (1998), 165-171 [13] The Online Certificate Status Protocol. http://www.baltimore.com/devzone/pki/ocsp.html [14] Rivest, R. L.: Can we eliminate certificate revocation lists? Proc. Second International Conf. Financial Cryptography (FC’98), Springer-Verlag, Lecture Notes in Computer Science, Vol. 1465, (1998), 178-183

Towards Logically and Physically Secure Public-Key Infrastructures Kapali Viswanathan1 and Ashutosh Saxena2⋆ 1

Information Security Research Centre, Queensland University of Technology GPO Box 2434, Brisbane, Australia, Q 4001 [email protected] 2 IDRBT, Castle Hills, Road No.1,Masab Tank, Hyderabad, (AP), INDIA [email protected]

Abstract. The bootstrapping of security mechanisms to large scale information systems is an important and critical exercise. It is conjectured that the design of bootstrapping procedure is effective, if every such bootstrapping procedure affects (or alters) the behaviour (represented by input data) of all system users (certificate authorities and the users of the public key infrastructure (PKI)). This paper aims to provide public verification for every use of certifying private keys, which are assumed to be stored in multiple physical locations. It provides abstract descriptions of protocols to achieve effective bootstrapping of security mechanisms to large scale PKIs. Keywords: PKI, critical keys, private keys, backup, controlled use.

1

Introduction

Application of cryptography to large-scale systems remains an important area for research. Cryptography provides confidentiality and integrity mechanisms (or services) to transfer the confidentiality or integrity properties of one value to another value. Such mechanisms can be specified using propositions as follows. Confidentiality mechanisms: If the key possesses confidentiality property, then the message may possess the confidentiality property. Integrity mechanisms: If the key possesses integrity and confidentiality properties, then the message possesses the integrity property. Cryptosystems are information systems that use cryptography and suitable key-management infrastructures. KMIs are primarily concerned with storing trees or forests (collections of trees) of keys. KMIs must necessarily assume the confidentiality and integrity properties of some keys, called critical keys, in the trees or forests before the confidentiality and integrity properties of other ⋆

This work was carried out when the author was visiting ISRC, QUT, Australia, on a BOYSCAST fellowship from Ministry of Science and Technology, Government of India. The author acknowledges them.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 122–134, 2002. c Springer-Verlag Berlin Heidelberg 2002


Towards Logically and Physically Secure Public-Key Infrastructures

123

keys can be deduced using suitable cryptographic mechanisms. The confidentiality and integrity properties of the critical keys must be maintained using out-of-band security techniques, which are usually some form of physical security. Cryptography is not, and cannot be, concerned with the protection of these properties of the critical keys. PKIs are a specialised form of KMI. PKIs are interested in the provision of integrity service for a collection of public values, which includes a public key. The critical keys in PKIs are called root keys or root public keys. The integrity properties of the root public keys are an assumption, which cannot be cryptographically verified. Similarly, the confidentiality properties of the root private keys are also an assumption. Depending on the type of the PKI, there may be one or more root public keys. For the sake of clarity and without loss of generality, this paper will assume a PKI with the following structure. Root public key (Level 0): there exists a single root public key which is used for authorising the public keys of certificate issuers; Certificate issuer public keys (Level 1): there exists a set of certificateissuer public keys which are used for authorising the public keys of users; and, User public keys (Level 2): there exists a set of user public keys which are used for in confidentiality and integrity mechanisms. 1.1

Background

Maurer and Schmid [6] present a lucid discussion on bootstrapping cryptographic mechanisms. They study the effects of security bootstrapping on the confidentiality and authenticity properties of various messages securely communicated using the resulting system. Section 4 of their paper has important implications for large-scale secure information systems. In that section, an Axiom (Axiom 1) clearly implies why an out-of-band integrity channel should be employed to communicate the critical keys. In this paper, there exists two such communications (Procedures 1 and 7 in Section 2.4). The model proposed in the next section specifies generic signature and verification algorithms. Therefore, the model can accommodate any general purpose signature systems [7, 9] or specialised signature systems [5, 2]. A concept that is central to model to be proposed is that of a trusted hardware device called a black-box. The model specifies some of the functionalities that are expected of the black-box.

2

A Model for Improved Integrity Verification In PKIs

The verification actions in the traditional PKI are as follows. Verification Action 1: One integrity verification in the form of a signature verification to verify if a certificate was issued by a certificate issuer.

124

Kapali Viswanathan and Ashutosh Saxena

Verification Action 2: Another integrity verification in the form of a certificate path validation, which is a sequence of signature verification operations, to verify if the certificate issuer is authorised to issue certificates. Note that the root certificate issuer authorises itself to authorise other certificate issuers. That is, the certificate for the root public key is a self-signed certificate, which can be verified using the same key1 . The proposed model extends the functionality of traditional PKI by including an additional integrity verification mechanism as follows. Verification Action 3: An integrity verification mechanism verifies if the instance of a black-box, which generated a certificate, was authorised. In other words, the new model requires all users to verify three authorisations before accepting a certificate and the associated public key. The three authorisations are those for: (i) the public key to be used; (ii) the public key of the certificate issuer who issued the authorisation; and, (iii) the instance of the blackbox which was employed by the certificate issuer to generate the authorisation information (certificate). 2.1

Problem Statement

Since the concept of a black-box is central to the problem statement, its description will be presented firstly. Black-box: is a blue-print for the manufacture of a tamper resistant computing device, possibly confirming to FIPS-140, level-3 [8]. Its instances can perform cryptographic operations, such as encryption, decryption, signature generation and signature verification. The instances should have strong quality assurance guarantees. It has the capability to generate secure public-private key pairs and to store the corresponding private key securely. It must provide interfaces for permanently disabling all future configuration actions. It is assumed that the instances of the black-box do not have any cryptographic identity after their manufacture and before their use. Non-secret values, such as serial numbers that the black-box reveals to the outside world, are not considered to be cryptographic identities. The instances of the black-box, after manufacture and before use, are considered to be operational clones. The model, to be proposed in Section 2.4, does not specify, but requires, the following black-box operations. 1. The black-box will re-initialise itself whenever a private key is set to it from the external world. It re-initialises by: 1) deleting any of its previously generated black-box private-public key pair; and, 2) creating a new black-box private-public key pair. It should also have mechanisms to export the newly created black-box public key to the external world. 1

This is the reason why an out-of-band, integrity channel between the root certificate issuer and all the certificate issuers and users of the PKI is essential. In other words, all participants must possess the same value of root public key.

Towards Logically and Physically Secure Public-Key Infrastructures

125

2. The black-box may have an interface to disable all future configuration activities. This allows an initialised black-box to be frozen in time for a specific purpose. Based upon these assumptions for the black-box, the problem statement can be presented as follows. Problem Statement 1 By assuming the above properties of the black box, how can every participant of the system have the capability to distinguish the outputs from two clones of the black-box after their initialisation? The importance and relevance of the problem statements will be appreciated when considering the operational requirements for certificate issuers (certificate authorities) in a large-scale PKI. In such PKIs, it is fundamentally important to protect against the illegal use of certifying private keys. The certificate issuers are usually required, possibly by law, to maintain at least two sets of functionally identical and operational black-boxes — one set for the production systems and the other set for back-up systems. Such a requirement may increase the risk of misuse of the certifying private keys. Certificate issuers may want to restrict the use of the back-up systems in a verifiable fashion. Such a restriction may be useful to prevent the creation of parallel and malicious PKIs, which may be indistinguishable from the original PKI. Additionally, other motivations to pursue the problem statements exists. For example, it may be necessary to notify all users of a PKI whenever a certificate issuer’s black-box clone becomes inoperable, possibly due to hardware malfunction or otherwise. The certificate issuer need not necessarily be trusted to perform such notifications. 2.2

Goals of this Paper

The goal of this paper is expressed by the following equivalent statements. 1. To establish a unique, verifiable relationship between every certificate issued by a certificate issuer, including the root certificate issuer, and the black-box clones that were used to create the certificate. 2. To design a mechanism for uniquely tracing every certificate to the certificate issuer and the black-box clone, which generated the certificate. 2.3

Nomenclature

The paper employs a set-theoretic, state-based specification to specify the proposed model for a PKI. Some notations which may require clarification are explained in this section. Schema N: The current protocol schema is numbered N . X := Y : X is defined to be Y . y = F (x): This statement is true, if and only if y is the output of the function F when the input is x.

126

Kapali Viswanathan and Ashutosh Saxena

y ← f (x): The output of the function f , where x is the input, is assigned to y. y ← ∅: The value of y is initialised to null set. y new ← y old : The value of y after the successful completion of a procedure is y new . The value of y before the completion of and during the execution of every successful procedure is y old . 2.4

Specification of Procedures and Protocols

The model is specified to include ten core procedures. Each procedure has an associated protocol, whose abstract specifications are also included. Procedures 1, 2, 7, and 8 (in Section 2.4) are assumed to be implemented using black-box clones. The following function definitions will be employed in the specification. 1. y = F(x) The one-way function to be employed in the PKI. The tuple of secret values is x and the tuple of public values is y. Without loss of generality, the specification assumes the use of a single type of one-way function. 2. σ = Sigx (m) σ is the signature on m using x as the private key. Let Σ denote the range of the function Sig. It is important to choose a secure signature algorithm. Although the security of digital signature algorithms has not been concretely specified, there exists complexity theoretic specifications for the properties that a “secure” signature algorithm must possess [3]. 3. Very (m, σ) Outputs TRUE if, σ = Sigx(m) and y = F (x), and FALSE otherwise. Let Y be the set of all possible public tuple values (public keys). Y is determined by the choice for one-way function, F . For example, Y may represent the set Z∗n , where n is an RSA modulus [9], if F represents the RSA trapdoor one-way function. Let X be the set of all possible private tuple values (private key) satisfying the following specification. X := {x | ∀y ∈ Y, y = F (x)} The following types of public keys will be employed in the specification. The root certificate-issuer public key, yr ∈ Y A set of certificate issuer public keys, Y ⊇ Yc := {yc1 , yc2 , . . .} A set of user public keys, Y ⊇ Yu := {yu1 , yu2 , . . .} A set of certificate issuer production black-box public keys, Y ⊇ Ypbc {ypbc1 , ypbc2 , . . .} 5. A set of certificate issuer back-up black-box public keys, Y ⊇ Ybbc {ybbc1 , ybbc2 , . . .} 6. A set of root certificate issuer production black-box public keys, Y ⊇ Ypbr {ypbr1 , ypbr2 , . . .} 7. A set of root certificate issuer back-up black-box public keys, Y ⊇ Ybbr {ybbr1 , ybbr2 , . . .}

1. 2. 3. 4.

:= := := :=

Towards Logically and Physically Secure Public-Key Infrastructures

127

In the above types and in the following specifications, the following acronyms are used for convenience. BBR PBR BBC PBC

Back-up Black-box of Root certificate issuer Production Black-box of Root certificate issuer Back-up Black-box of Certificate Issuer Production Black-box of Certificate Issuer

The core procedures and the specification for the associated protocols for the model are as follows. 1. Certificate generation for root public key This phase can be considered to be the bootstrap operation for the entire PKI. In this phase, every public key, such as the root public key and the public keys of all the black-box clones, certifies all the other public keys and itself. The specification2 for these operations can be stated as follows. Schema 1 yr ∈ Y, xr ∈ X : yr = F(xr ) Ypbr , Ybbr ⊆ Y αr ← Sigxr (yr , Ypbr , Ybbr ) Br := {βri | ((∃xi ∈ X, (yi ∈ Ypbr ∨ yi ∈ Ybbr ) | yi = F(xi ))) ∧ βri ← Sigxi (yr , Ypbr , Ybbr )}

The semantics for these equations can be stated as follows. The signature αr binds the root public key, yr , with the set of production black-box public keys, ypbri ∈ Ypbr , and the set of back-up black-box public keys, ybbri ∈ Ybbr . Each βri ∈ Br is meant to suggest that the ith black-box (which is either a production black-box or a back-up black-box) has been initialised with the root private key, xr , and: (a) has generated a black-box public-key pair, (xi , yi ); and, (b) is aware of the value yr and of the sets Ypbr and Ybbr . A black box that can achieve this goal could have the following interfaces: (a) SetCertifyingKey. The input would be a public key pair, which will be used for generating certificates. The output would be a randomly generate public key pair, which will be used to witness every such certificate generation. Every time this interface is used, the black box can overwrite the previously generated outputs. 2

Note that in this specification and in all subsequent specifications, the sequence of logical operations for the protocol is not specified. All specified logical operations must evaluate to TRUE before the schema can be TRUE. The specification language does not correspond to any programming language, rather it is a mathematical language.

128

Kapali Viswanathan and Ashutosh Saxena

(b) WitnessBlackBoxClones. The input would be a set of public keys, which is expected to be the public keys of other black box clones. The output would be a set of signature tuples. This interface could enforce the rule that it can be invoked exactly once after the SetCertifyingKey interface was invoked. The bootstrap information, (yr , Ypbr , Ybbr , αr , Br ), is published in an outof-band integrity channel that can be read by every participant, including the certificate issuers and the users, of the PKI. This information can be considered to be the only static information for the PKI. Note that the specification suggests that Br is a set of signature tuples and not a single value. This does not constrain the possibility of using multisignature systems [1, 4] to reduce the size of the information contained in Br . This is because the specification does not constrain the possible relationships between various instances of signature generation functions that could be used to implement Sigxi (). Such a design for the signature algorithm is an open problem. System Initialisation: After the bootstrap information is created by the root certificate authority, the following system initialisations can be performed. Ybbr ⊇ Wbbr ← ∅ Ybbc ⊇ Wbbc ← ∅ Σ × Σ ⊇ ∆r ← ∅ Σ × Σ ⊇ ∆c ← ∅ Σ × Σ ⊇ Σc ← ∅ Σ × Σ ⊇ Σu ← ∅ The sets Wbbr and Wbbc contain back-up black-box public keys that have become production public keys. The sets ∆r and ∆c contain authorisation information (tuples of signatures) for the elements in Wbbr and Wbbc , respectively. The sets Σc and Σu contain certificates (tuples of signatures) for the certificate issuers and the users, respectively. All these sets must be publicly available to all participants of the PKI in an appropriate fashion. 2. Certificate generation for the certificate issuer public key In this phase the root certifies certificate-issuer public keys and the associated blackbox clones. The root is required to physically examine the black-box clones to be used by the certificate-issuer. The root must make sure that the sets of black-box public-keys, Ypbc and Ybbc , were in fact generated by the blackboxes. It is difficult to specify such operations formally [6]. The specification for these operations can be stated as follows.

Towards Logically and Physically Secure Public-Key Infrastructures

129

Schema 2 yr ∈ Y, xr ∈ X : yr = F(xr ) ypbr ∈ Ypbr ∪ Wbbr , xpbr ∈ X : ypbr = F(xpbr ) yc ∈ Y Ypbc , Ybbc ⊆ Y αc ← Sigxr (yc , Ypbc , Ybbc , ypbr ) βc ← Sigxpbr (αc ) Σcnew Ycnew

← Σcold ∪ {(αc , βc )} ← Ycold ∪ {yc }

3. Certificate generation for user public key In this phase the certificate issuer certifies user public keys. The specification for these operations can be stated as follows. Schema 3 yc ∈ Yc , ∃xc ∈ X : yc = F(xc ) ypbc ∈ Ypbc ∪ Wbbc , ∃xpbc ∈ X : ypbc = F(xpbc ) yu ∈ Y αu ← Sigxc (yu , ypbc ) βu ← Sigxpbc (αu ) Σunew Yunew

← Σuold ∪ {(αu , βu )} ← Yuold ∪ {yu }

4. Verification of certificate for root public key During this phase, every participant, including the certificate issuers and the users, of the PKI may be expected to retrieve the bootstrap information from the out-of-band integrity channel, which are published during Procedure 1. The bootstrap information is verified using the following protocol specification. Schema 4 yr ∈ Y Ypbr , Ybbr ⊆ Y ∃αr ∈ Σ ∃Br ⊆ Σ TRUE = V eryr (yr , Ypbr , Ybbr , αr ) (∀βri ∈ Br , (∃yi ∈ Ypbr ∨ ∃yi ∈ Ybbr ) : TRUE = V eryi (yr , Ypbr , Ybbr , βri )) ∧ (|Br | = |Ypbr | + |Ybbr |)

130

Kapali Viswanathan and Ashutosh Saxena

The participants verify the signature on the root public key, yr , and all blackbox public keys using yr . Additionally, the participants verify the signatures by all the black-box public keys, yi , on the root public key and all black-box public keys. It is also expected that the participants verify that the number of signature tuples in Br is equal to the number of black-box public keys. This procedure may be executed once by every user before securely storing the bootstrap information locally. If such is not the case then the bootstrap information must be retrieved from the out-of-band integrity channel and verified during every path-validation activity (i.e. during Procedures 5 and 6). 5. Verification of certificate issuer public keys This procedure is employed to verify the certificate (αc , βc ) of a particular certificate issuer possessing the public key, yc . Schema 5 yc ∈ Y c (∃yr ∈ Y : Schema 4 = TRUE) (∃ypbr ∈ Ypbr : Schema 4 = TRUE) ∨ (∃ypbr ∈ Wbbr : Schema 9 = TRUE) Ypbc , Ybbc ⊆ Y ∃(αc , βc ) ∈ Σc TRUE = V eryr (yc , Ypbc , Ybbc , ypbr , αc ) TRUE = V erypbr (αc , βc )

The above protocol is meant to suggest the following, if it is executed successfully. The root certificate issuer, through the use of the root public key, yr , and one of the root production black-boxes, ypbr , has certified the particular certificate issuer’s public key to be yc , which is to be employed using the black-boxes represented by the public keys in the sets Ypbc and Ybbc . 6. Verification of certificate for user public key This procedure is employed to verify the user certificates. The specification for the protocol to be followed for such a verification is as follows. Schema 6 yu ∈ Y u ∃yc ∈ Yc : Schema 5 = TRUE (∃ypbc ∈ Ypbc : Schema 5 = TRUE) ∨ (∃ypbc ∈ Wbbc : Schema 10 = TRUE) ∃(αu , βu ) ∈ Σu TRUE = V eryc (yu , ypbc , αu ) TRUE = V erypbc (αu , βu )

Towards Logically and Physically Secure Public-Key Infrastructures

131

The above protocol verifies the validity of the user’s certificate corresponding to the public key, yu . It verifies if some certificate issuer public key, yc , using some certificate-issuer production black-box public key, ypbc , issued the certificate. Additionally, it verifies if yc and ypbc are certified for use by the root public key, yr , and a root black-box public key, ypbr . 7. Induction of elements from BBR to PBR This procedure is employed to notify all the participants in the system that a root back-up black-box is to become a root production black-box. The specification for the protocol to be employed for this procedure is as follows. Schema 7 yr ∈ Y, xr ∈ X : yr = F(xr ) ybbr ∈ Ybbr , xbbr ∈ X : ybbr = F(xbbr ) old δr = Sigxr (yr , ybbr , Wbbr ∪ {ybbr })

ǫr = Sigxbbr (δr ) new old Wbbr ← Wbbr ∪ {ybbr }

← ∆old ∪ {(δr , ǫr )} ∆new r r

The above specification may suggest that a black-box, ybbr , announces itself to be a production black-box, Wbbr , by producing the self-signed tuples, (σr , ǫr ). It is important that the updated PKI information, (Wbbr , ∆r ), are published securely in an out-of-band integrity channel, which can be publicly read by all the participants of the system. It is important that these information are not transmitted electronically. The root certificate issuer must notify all the participants of the PKI of every execution of this protocol. For an efficient system operation, this procedure may be performed as seldom as possible. 8. Induction of elements from BBC to PBC This procedure is employed by the root certificate issuer to certify that a particular certificate issuer, yc , intends to make a particular back-up black-box, ybbc , as its production blackbox. Schema 8 yr ∈ Y, xr ∈ X : yr = F(xr ) ypbr ∈ Ypbr ∪ Wbbr , xpbr ∈ X : ypbr = F(xpbr ) yc ∈ Y c ybbc ∈ Ybbc old δc = Sigxr (yc , ybbc , Wbbc ∪ {ybbc }, ypbr )

ǫc = Sigxpbr (δc ) new Wbbc new ∆c

old ← Wbbc ∪ {ybbc }

← ∆old ∪ {(δc , ǫc )} c

132

Kapali Viswanathan and Ashutosh Saxena

The specification for the protocol requires the root certificate issuer to sign the induction information (Wbbc , ∆c ), and electronically publish the resulting signature tuples,(δc , ǫc ). 9. Verification of the Induction of elements from BBR to PBR All participants in the PKI are expected to respond to the notification from the root certificate issuer during Procedure 7. They are expected to retrieve the update PKI information, (Wbbr , ∆r ), from the out-of-band integrity channel. The following protocol specification should be used to verify the authenticity of the data. Note that the specification uses data, such as yr and Ybbr , from the bootstrap information. Schema 9 ybbr ∈ Wbbr ybbr ∈ Ybbr : Schema 4 = TRUE ∃yr ∈ Y : Schema 4 = TRUE ∃(δr , ǫr ) ∈ ∆r TRUE = V eryr (yr , ybbr , Wbbr , δr ) TRUE = V erybbr (δr , ǫr )

After the successful execution of the above protocol specification, the participants may update their local copies of the bootstrap information, which is assumed to be securely stored in their local cache. 10. Verification of the Induction of elements from BBC to PBC This procedures must be performed prior to Procedures 5 and 6. The specification of the protocol for this phase is as follows. Schema 10 ybbc ∈ Wbbc ybbc ∈ Ybbc : Schema 5 = TRUE ∃yr ∈ Y : Schema 4 = TRUE (∃ypbr ∈ Ypbr : Schema 4 = TRUE) ∨ (∃ypbr ∈ Wbbr : Schema 9 = TRUE) ∃yc ∈ Yc : Schema 5 = TRUE ∃(δc , ǫc ) ∈ ∆c TRUE = V eryr (yc , ybbc , Wbbc , ypbr , δc ) TRUE = V erypbr (δc , ǫc )

The specification is meant to suggest that the root public key, yr , and a root black-box, ypbr , have authorised the induction of a certificate issuer, yc , back-up black-box, ybbc , as a production black-box.

Towards Logically and Physically Secure Public-Key Infrastructures

3

133

Security Analysis

The goals stated in Section 2.2 are achieved by the above model. This section provides a sketch for this claim. Goal 1: The procedures for certification activities, namely Procedures 1, 2, 3, 7 and 8, are designed to achieve this goal. 1. Procedure 1 cryptographically binds the root public key with the root black-box public keys by using the bootstrap information and the outof-band integrity channel. 2. Procedure 2 cryptographically binds the certificate-issuer public key with the corresponding black-box public keys by requiring the root signatures on these values that a root black-box generated. 3. Procedure 3 cryptographically binds the user public key with a certificate-issuer public key and a corresponding issuer black-box public key. 4. Procedures 7 and 8 allow the induction of back-up black-boxes into production at Level 0 and Level 1 of the PKI (refer to Section 1). Goal 2: The procedures for verification activities, namely Procedures 4, 5, 6, 9 and 10, are designed to achieve this goal. 1. Procedure 4 traces the binding between the root public key and all the root black-boxes public keys. 2. Procedure 5 traces the binding between the certificate-issuer public key and all the certificate issuer black-box public keys by tracing all these information to the root public key and a corresponding root production black-box public key. Procedure 5 employs the information generated by Procedures 4 and 9. 3. Procedure 6 traces the binding between the user public key, the certificate-issuer public key, and a corresponding certificate-issuer production black-box public key. It additionally performs the tracing operation specified for Procedure 5. Procedure 6 employs the information generated by Procedures 4, 7, and 9. 4. Procedures 9 and 10 trace the induction information that signalled the move of a black-box from the back-up pool to the production pool. This was achieved by verifying either the information from the out-of-band integrity channel, in the case of Procedure 9, or the certification information generated by Procedure 10. Procedure 10 employs the information generated by Procedures 4 and 9. Thus, the dependency between various verification procedures allow any participant to uniquely trace all the certificates in the set of verifiable certification links.

4

Conclusion

This paper presented a novel approach to bind cryptographically the certificates generated by every certificate issuer, including the root, to the black-box, which was used to generate that certificate. Such an approach allows any neutral

134

Kapali Viswanathan and Ashutosh Saxena

monitor to trace cryptographically all the certificates originating from an issuer organisation to the black-box which the organisation must have used to generate that certificate. Such a mechanism has the capability to uniquely pin-down the geographical location where the certificate was generated, by constraining the location of the black-box. This facilitates improved transparency of operations in the PKI. The most important aspect of the approach is that it, for the first time, provides a cryptographic mechanism to gather evidence information in the case of misuse of certain certifying keys. Such a mechanism will be a very useful tool for the policy and legislative wings of PKI management activities. Although the proposed scheme is cryptographically functionally rich, its operations can be greatly optimised by designing suitable signature and verification algorithms. The use of multi-signature schemes [1, 4] may provide valuable research data in this regard. We hope that the research community will verify the completeness and consistency of our formal specification using formal verification techniques.

Acknowledgements We thank the anonymous referees for their valuable feedback.

References [1] Colin Boyd. Digital multisignatures. In Henry J. Beker and F. C. Piper, editors, Cryptography and Coding - 1986, Oxford Science Publications, pages 241–246. Clarendon Press, Oxford, 1989. 128, 134 [2] David Chaum. Designated confirmer signatures. In Alfredo De Santis, editor, Advances in Cryptology – EUROCRYPT’94, volume 950 of LNCS, pages 86–91. Springer-Verlag, 1994. 123 [3] S. Goldwasser, S.Micali, and R.Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM journal of computing, 17(2):281–308, April 1998. 126 [4] Patrick Horster, Markus Michels, and Holger Petersen. Meta-multisignature schemes based on the discrete logarithm problem. Technical Report TR-94-12-F, Department of Computer Science, University of Technology Chemnitz-Zwickau, September 1994. 128, 134 [5] Masahiro Mambo, Keisuke Usuda, and Eiji Okamoto. Proxy signatures: Delegation of the power to sign messages. In IEICE Trans. Fundamentals, volume E79-A, September 1996. 123 [6] Ueli M. Maurer and Pierre E. Schmid. A calculus for security bootstrapping in distributed systems. Journal of Computer Security, 4(1):55–80, 1996. 123, 128 [7] National Institute of Standards and Technology, Federal Information Process. Standard FIPS Pub 186: Digital Signature Standard (DSS), 1991. 123 [8] NIST, National Institute of Standards and Technology, Gov. of the USA. Security Requirements for Cryptgraphic Modules, FIPS 140-1, January 1994. 124 [9] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120–126, 1978. 123, 126

Cryptanalysis of Optimal Differential Energy Watermarking (DEW) and a Modified Robust Scheme Tanmoy Kanti Das1 and Subhamoy Maitra2 1

Computer Vision and Pattern Recognition Unit, Indian Statistical Institute 203, B T Road, Calcutta 700 108, INDIA das [email protected] 2 Applied Statistics Unit, Indian Statistical Institute 203, B T Road, Calcutta 700 108, INDIA [email protected]

Abstract. In this paper we provide a cryptanalysis of the well known “Optimal Differential Energy Watermarking (DEW)” scheme. The DEW scheme divides the image into some disjoint regions (each region containing two subregions). The watermark is basically a secret binary string where each individual bit information is inserted in one of the regions by modifying the high frequency DCT (Discrete Cosine Transform) coefficients. This modification creates required energy difference between two subregions. We here modify the high frequency components so that this energy difference vanishes and in turn extraction of watermark signal becomes impossible, making the cryptanalysis successful. Moreover, we modify the DEW scheme by inserting the bit information in low frequency components instead of high frequency components and propose an oblivious robust watermarking strategy which can trace the buyer too. Keywords: Cryptanalysis, Digital Watermarking, Discrete Cosine Transform, Subset Sum.

1

Introduction

Over the last decade watermarking technologies have been developed to a large extent for protecting copyright of digital media. A lot of watermarking strategies have been proposed in this period. In the mean time, number of benchmark attacks have been proposed, which the robust watermarking strategies should pass. However, no attempt has been made to analyze each of the popular schemes individually and presenting customized attacks to highlight the weakness of each individual scheme. As it is generally done in cryptology, we here concentrate on a specific scheme, known as “Optimal Differential Energy Watermarking (DEW)” [7] and present a successful cryptanalysis. Further we provide necessary corrections to make the scheme robust. Let us now provide a brief description on images and the watermarking strategies in general. An image I can be interpreted as a two dimensional matrix. If A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 135–148, 2002. c Springer-Verlag Berlin Heidelberg 2002


136

Tanmoy Kanti Das and Subhamoy Maitra

it is a gray scale image, then the integer values stored in each location of the matrix presents the intensity, which is generally in the range of 0 to 255. Higher resolutions may also be achieved by increasing this range. Coloured images can generally be seen as an assorted set of three such matrices, which correspond to the intensity values of red, green and blue channels. These are called the representations in spatial domain. Different transform domain representations are also available, which are Fast Fourier Transform (FFT), Discrete Cosine Transform (DCT) [3], Wavelet Transform etc [8]. These can also be seen as matrices containing either real or complex values. Thus, the best way to interpret an image is as a matrix of values. Note that, if we change the values of this matrix in some range, visually the image quality may not degrade. Given an image I, let us define the neighbourhood of I, N (I), which contains all the images which are visually indistinguishable from I. Even if the image is not in spatial domain, while interpreting the neighbourhood of the image, we must consider the image in the spatial domain (that is we need inverse transform to the spatial domain from the transformed domain) for visual indistinguishability. There are also some measures, e.g., Peak Signal to Noise Ratio (PSNR) [6, Page 112], which can be used as measure of visual indistinguishability. The concept of invisible digital watermarking works as follows. Given an image I, a signal si is added to I, which produces a watermarked image I (i) = I + s(i) ∈ N (I). The addition means some kind of element wise addition in the matrix. This image I (i) is given to the i-th buyer. Now the watermark retrieval algorithm works in two ways. 1. In the non-oblivious schemes (e.g., the CKLS scheme [1]), the original image is used in the retrieval process. The available image (may be attacked using image processing or cryptanalytic techniques) I # is compared to the original image I and a signal s# = I # − I is recovered. Finally from s# , the buyer i is suspected if s(i) possesses some significant correlation with s# . 2. In the oblivious schemes (e.g., the DEW scheme [7]), the original image is not used in the retrieval process but some other information related to the image, generally known as image key, are available. From the available image (may be attacked using image processing or cryptanalytic techniques) I # and the image key, a signal s# is recovered. From s# , the buyer i is suspected if s(i) possesses some significant correlation with s# . The robustness of the watermarking strategy depends on how well the proper buyer is identified (who has intentionally attacked the watermarked image) and how infrequently an honest buyer is wrongly implicated. By cryptanalysis of a digital watermarking scheme we mean the following. Let I (i) be a watermarked copy of I. One has to mount an attack to construct I # from I (i) such that there is no significant correlation between s# and s(i) . Thus, the buyer i will not be identified. Moreover, I (i) , I # need to be visually indistinguishable. To the attacker, only I (i) is available, but I, s(i) are not known. Thus there is no facility for the attacker to directly test that the

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

137

watermarking signal has been removed. However, the attacker need to be convinced indirectly that the watermark is erased, i.e., the correlation between s(i) and s# has been removed. It is already known that existing correlation based watermarking techniques are susceptible to collusion attacks under a generalized framework [2]. This requires a sufficient number of watermarked
copies. In particular, if the effective document length is n, then at most O( n/ ln n) copies are required to defeat the watermarking scheme. Note that for an image of size 256 × 256 or 512 × 512, for a successful collusion attack, a large number of watermarked images may be required depending on the size of the key information. This may not be practical. On the other hand, we here concentrate on cryptanalytic attack based on a single watermarked copy. Before going for further details, let us highlight why such a cryptanalytic attack is important. 1. The watermarking strategies should survive some standard image transformations. These are cropping, rotation, resizing, JPEG compression [13], wavelet compression [8] etc. Note that most of the current schemes can easily survive these transformations. The existing methods can also survive the attacks related to insertion of random noise in the image, some filtering attacks [5, 6] or nonlinear geometric attacks such as Stirmark [10, 11]. It is clear that once an attack, based on some image processing technique, is proposed then it is expected that there will be some (inverse) image processing methodology to resist such kinds of attack. Thus single copy attacks, based on image processing techniques, should not survive in a long run. 2. The existing watermarking models have never been analyzed using cryptanalytic techniques as it is done in case of any standard cryptographic schemes. We here look into the watermarking scheme as a cryptographic model and provide a very strong attack which can even be considered as a cipher text only attack (for different kinds of cryptanalytic attacks, see [9]). Here we mount the attack on the DEW scheme [7] and provide successful results by removing the watermark. It is important to analyze each of the well known watermarking schemes in detail and it seems that the existing schemes are not robust with respect to customized cryptanalytic attacks on each of the schemes. 3. Further, the cryptanalytic attack motivates us to remove the weakness of the scheme and we propose a modification of the DEW scheme which resists such cryptanalysis. The DEW scheme itself is an oblivious scheme and what we propose after the modification is also an oblivious one. However, it is important to note that in the DEW scheme, the watermark was image specific and it was same for all the buyers. That means the identification of the watermark can only prove the copyright, but it can not trace the buyer who has violated the copyright agreement. In our scheme we present buyer specific watermark, so that it is possible to identify the malicious buyer. In [12, Page 122], a statistical removal attack has been pointed out. The attack was based on a large number of rewatermarks on the watermarked image

138

Tanmoy Kanti Das and Subhamoy Maitra

and then trying to remove each of the rewatermarks using some image transformations. First of all, putting a lot of rewatermarks degrades the visual quality of the image. In the DEW scheme [7], with the standard experimental parameters, we have checked that putting consecutive watermarks degrades the quality of the image. Moreover, the exact image transformations that are required to remove the rewatermarks have not been discussed in [12]. In this paper we present a concrete watermark removal strategy on a specific scheme. We describe the DEW scheme in Subsection 1.1. In Section 2 we present the attack. We first present the basic attack in Subsection 2.1 and then modify its limitation to mount a stronger attack which is described in Subsection 2.2. Next we modify the DEW scheme in Section 3 to present a robust watermarking strategy. 1.1

DEW Scheme

Optimal Differential Energy Watermarking (DEW) scheme [7] introduces the watermark in the DCT (Discrete Cosine Transform) domain. The scheme works on JPEG compressed image, and hence it is natural to interpret the image as a set of small blocks having size 8 × 8. In the DEW scheme, each block is interpreted as a collection of 64 re/pre quantized DCT coefficients. The set is then divided into different groups, each containing n blocks. Each such group is termed as “lc-region”. Now considering a particular lc-region, it can be divided into two “lc-subregions” A, B. The first (respectively last) n2 blocks of lc-region constitute the lc-subregion A (respectively B). Let us now describe how to calculate the high frequency energy EA or EB corresponding to the lc-subregions A or B. We normally calculate energy over the subset S(c) of the 64 values of DCT coefficients (indexed in the zigzag manner) of a particular 8 × 8 block b. This subset is determined by the cutoff index c and given by S(c) = { i ∈ {0, 1, . . . , 63} | i > c}. Now the energy EA , EB can be expressed as  n2 −1  EA (c, n, Qjpeg ) = b=0 ([θi,b ]Qjpeg )2 , n−1 i∈S(c) EB (c, n, Qjpeg ) = b= n i∈S(c) ([θi,b ]Qjpeg )2 , where [θi,b ]Qjpeg is the value 2 of DCT coefficient of block b in lc-subregion either A or B, corresponding to frequency i which is quantized using standard JPEG quantization procedure, setting the quality as Qjpeg . When the parameter values c, n, Qjpeg are obvious, then EA (c, n, Qjpeg ) is represented by EA only. The value of energy difference D is given by D(c, n, Qjpeg ) = EA − EB . The watermark information is represented by an l length string of bits known as the label bit string L. The embedding of a label bit Lj (j = 0, 1, . . . , l − 1) is executed as follows. We concentrate on the j th lc-region. If Lj = 0, then all the DCT coefficient value after cutoff index c is set to zero for the blocks in lc-subregion B, i.e., EB

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

139

becomes 0. So the value of energy difference D becomes D(c, n, Qjpeg ) = EA − EB = EA . If Lj = 1, then all the DCT coefficient value after cutoff index c is set to zero for the blocks in lc-subregion A, i.e., EA becomes 0. So the value of energy difference D becomes D(c, n, Qjpeg ) = EA − EB = −EB . Thus each label bit is related to one lc-region consisting of n distinct 8 × 8 DCT blocks. A bit is encoded by introducing energy difference D between first n n 2 DCT blocks (known as lc-subregion A) and next 2 DCT blocks (known as lc-subregion B) in an lc-region. Energy difference is created by removing high frequency coefficient in either of the lc-subregion B or A depending on whether to embed 0 or 1. Now the value of D directly influence the perceptual quality of watermarked image. Larger the value of D smaller the value of c, so more and more high frequency DCT coefficients get removed. As a result image quality degrades. So, cutoff index c must be greater than certain minimum cutoff index cmin . At this point let us describe the cutoff index c in terms of D. The cutoff index c is the largest index of the DCT coefficients for which both EA and EB are greater than the required energy difference Dreq . Let us describe the DEW watermark insertion scheme in algorithmic form. Algorithm 1 1. Randomly arrange the 8 × 8 DCT blocks of the JPEG image using a pseudo random generator with an initial random seed S and group them in different lc-regions. 2. FOR j = 0 to l − 1 DO (a) Select j th lc-region consisting of n blocks. (b) FOR cctr = cmin + 1 to 63 DO i. calculate EA (cctr ). ii. calculate EB (cctr ). (c) c = max(cT ) where cT = {cctr ∈ {cmin + 1, 63} | EA (cctr ) > Dreq , EB (cctr ) > Dreq }. (d) IF (Lj = 0) discard coefficients after c in all blocks of lc-subregion B. (e) IF (Lj = 1) discard coefficients after c in all blocks of lc-subregion A. 3. Arrange back the DCT blocks to it’s original position. Thus the seed of the pseudorandom generator S and the bit string L are the secret parameters. To extract a bit from a lc-region one have to find the value of c used in time of embedding. To do this we calculate EA (cctr ) for all possible values of cutoff index cctr such that EA < D′ (the value of D′ can be taken as equal to D) for blocks in lc-subregion A. Now among all the candidate cutoff indices, we take the minimum one as the cutoff index cA for lc-subregion A. Similarly we calculate cB . Now actual cutoff index c = max(cA , cB ). If (cA < cB ) then label bit is 1 else if (cA > cB ) label bit is 0. If (cA = cB ) then we recalculate EA (c), EB (c). If EA (c) < EB (c) then the label bit is 1 else label bit is 0. Extraction procedure is described in detail below.

140

Tanmoy Kanti Das and Subhamoy Maitra

Algorithm 2 1. Arrange the 8 × 8 DCT blocks of the JPEG image as done in watermark insertion stage and use the same grouping of lc-regions available using the same pseudorandom generator and the same seed S in the Algorithm 1. 2. FOR j = 0 to l − 1 DO (a) Select j th lc-region consisting of n blocks (b) FOR cctr = cmin + 1 to 63 DO i. calculate EA (cctr ). ii. calculate EB (cctr ). (c) cA = min(cT ) where cT = {cctr ∈ {cmin + 1, 63}|(EA (ctr) < D′ )} (d) cB = min(cT ) where cT = {cctr ∈ {cmin + 1, 63}|(EB (ctr) < D′ )} (e) Lj = 0 (f ) IF (cA < cB ) Lj = 1 (g) IF ((cA = cB ) & (EA (cA ) < EB (cB ))) Lj = 1;

2

Attacks On DEW Scheme

Though the DEW scheme performs satisfactorily against known attacks as experimented in [7], it fails against the cryptanalytic attacks specially designed for it. In this section we will describe two strategies to defeat the DEW scheme. The second one is refined version of the first one. 2.1

Basic Attack

As in the DEW scheme we also use re/pre quantized DCT coefficients which are available from each of the 8 × 8 blocks of watermarked image. For a particular block it is expected that some of the high frequency DCT coefficients are absent due to two reasons. One is for the JPEG compression itself and another is for the watermark embedding by DEW algorithm. From the nature of the DEW scheme, it should be noted that if it is possible to compensate the removed coefficients then the DEW scheme will fail. Thus our aim is to compensate the removed coefficients (either for JPEG compression or for DEW algorithm) in each of the blocks. The basic algorithm is as follows. Algorithm 3 1. FOR each of the 8 × 8 block DO (a) Read re/pre quantized zigzag scanned DCT coefficients θj (j = 0, . . . , 63). (b) Sort θj (j = 1, . . . , 63) to get θj′ (j = 1, . . . , 63) (not considering the DC value) and index vector V such that θj = θV′ j . (c) Fit a polynomial P of degree d over θ′ with the following points. i. Take the points (j, θj′ ) for which θj′ = 0. ii. Let s be the largest and t be the smallest values such that θs′ = θt′ = 0. ′ Let k = ⌊ s+t 2 ⌋. Take the point (k, θk ). ′ ′ (d) IF θj = 0 THEN θj = P (j) (j = 1, . . . , 63)

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

141

Table 1. Bit error after cryptanalysis Image WPS QJ P EG = 100% QJ P EG = 75% QJ P EG = 50% QJ P EG = 25% Lena WPS 1 50.7% 42.1% 42.3% 44% Lena WPS 2 47.1% 38.2% 27.1% 16.8%

(e) θj = θV′ j (j = 1, . . . , 63). (f ) Write back θ as the DCT values of the block. 2. Write back the image at 100% JPEG quality. We are actually extrapolating the eliminated values using the polynomial fitting. These values, which are extrapolated, may be very small in some cases, thus they may get eliminated due to quantization while saving as the JPEG image. This is the reason we save the attacked image at 100% quality. Experimental Results We now present the experimental results using similar setup that of [7] using the 512 × 512 Lena image. First we take the watermarking parameters D = 40, cmin = 3, QJP EG = 75%, and n = 16. We call this Watermarking Parameter Set 1 (WPS 1). Next we use the watermarking parameter set D = 500, cmin = 3, QJP EG = 25%, n = 64, which we call WPS 2. Here the label bit pattern L is of size l = 256. The results of the cryptanalysis is given in the Table 2.1. The degree d of polynomial P used to be 3 in cryptanalysis. Note that the bit error is almost close to 50% when after cryptanalysis the image is saved at JPEG quality 100%. Thus the attack works successfully. Though in the cryptanalysis we suggest saving the image at 100%, the watermark detector may again like to save the attacked image at some JPEG quality which is used while embedding the watermark. To elaborate the experiment, we change the last step of cryptanalysis and save the attacked images at JPEG quality factors 100%, 75%, 50% and 25%. We find that at lower quality factor, for WPS 2, the bit error is much less than 50%, which means the attack is not successful. This can be explained from the fact that due to quantization at lower JPEG quality, the coefficients extrapolated by polynomial fitting during cryptanalysis, get removed. Thus extraction procedure performs better. From experimental results it is clear the proposed technique needs modification. We are going to present a modified version next. 2.2

Improved Cryptanalysis

Now we modify the previous strategy. So we have to show that after the cryptanalysis, even if the image is saved at any JPEG quality, the bit error should be close to 50%. Thus our motivation is to create such a situation, so that for any lc-region, the energy difference between EA and EB is minimized (very close to zero). Hence from the attacked image, extraction of label bit (the watermarking signal) is not possible. Towards this, we will select a global cut-off frequency fc

142

Tanmoy Kanti Das and Subhamoy Maitra

for the complete image. In the DCT domain of any 8 × 8 block of the image, we will remove all the frequency components which are greater than fc . Moreover, if some frequency components, having frequency ≤ fc are already zero (either due to JPEG compression or due to the watermark), we will try to extrapolate those values. Thus the DEW algorithm is attacked at two levels. At first level we remove some frequency components and at the second level we add some. We intentionally remove some high frequency coefficients, so that the blocks, which are unaffected by DEW algorithm, get affected in a similar fashion as the blocks which are affected by the algorithm itself. Note that, if removing some of the high frequency coefficients from one set of blocks by DEW algorithm does not degrade the image quality, then it is expected that removing high frequency coefficients from other set of blocks will not degrade the image too. Importantly, it will reduce the energy difference created by DEW algorithm and hence the watermark signal can not be extracted. The detailed algorithm is as follows. Algorithm 4 1. Set the value of fc . 2. FOR each of the block of the image DO (a) Read the zigzag scanned DCT coefficients in θj (j = 0, . . . , 63). (b) Set θj = 0 for j > fc . (c) IF θfc = 0 i. Find f ′ such that θk = 0 for all k, f ′ < k ≤ fc . ii. Sort θj , j = 1 . . . f ′ to get θj′ , j = 1 . . . f ′ and maintain an index vector V such that θj = θV′ j . iii. Fit a polynomial P of degree d using the data points (k, θk′ ) for k = 1, . . . , f ′ and (fc , θfc ). iv. θj′ = P (j) for j = f ′ + 1, . . . , fc . v. θj = θV′ j for j = f ′ + 1, . . . , fc . (d) Write back θ. It is to be noted that selection of fc is very important, as setting the value very small will degrade the image quality. On the other hand, if we set the value very high that may reduce the strength of the attack. As a hypothetical case, consider the situation when all the watermarking information are known for the watermark embedding process. Then for each lc-region, some cut-off c is selected in step 2c of Algorithm 1. It is the best to take fc = c for that lc-region. In that case, the energy difference created in that lc-region will be vanished. Since, the organization of the lc-regions are secret parameter, it is not possible to know the groups and hence, it is not possible to get c as in step 2c of Algorithm 1. Thus we have to estimate that and we estimate that globally for the complete image as follows. We select a random arrangement lc-regions and for each of the lc-region j, we calculate c and call it cj . Then we take the average of those cj ’s and set fc slightly less than that average.

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

143

Experimental Results Here also we use same experimental setup as in Subsection 2.1. The results are presented below. The watermarking parameter sets are also same as those in Subsection 2.1, which were identified by WPS 1 and WPS 2. Note that all the images are of size 512 × 512. The values of fc are presented in the Table 2.2. The degree d of polynomial P used to be 3 in cryptanalysis. The result in the table shows that in all the cases the bit error rate is close to 50%. Thus, the attack is successful. We present the images in Figure 1. Note that the attacked images are visually indistinguishable from the original or watermarked images.

Fig. 1. Attack on DEW scheme. Top-left : original image. Top-right : watermarked image at 75% JPEG quality. Bottom-left : Attacked image saved at 75% JPEG quality. Bottom-right : Attacked image saved at 25% JPEG quality

144

Tanmoy Kanti Das and Subhamoy Maitra

Table 2. Bit error after modified cryptanalysis Image Lena Baboon Pentagon Lena Baboon Pentagon

3

WPS WPS WPS WPS WPS WPS WPS

1 1 1 2 2 2

fc QJ P EG QJ P EG QJ P EG QJ P EG fc = 100% = 75% = 50% = 25% 23 51% 46% 49% 47% 23 57% 50% 52% 51% 50 55% 48% 48% 48% 21 50% 47% 46% 49% 19 54% 47% 51% 53% 35 48% 48% 48% 47%

Modified DEW Scheme

The vulnerability of DEW scheme comes from the fact that it effectively introduces the watermark at high frequency DCT coefficients. So they can be completely removed without loss of fidelity. On the other hand, if one can introduce the watermark at low frequency region then it is not possible to remove the coefficients and hence it will be very hard to erase or tamper with the watermark. Introduction of watermark at low frequency involves some other issues. For instance how to create energy difference within a lc-region using the low frequency components, because one can not remove the low frequency components without visual degradation of host image. If one decides to reduce the energy of low frequency components by a small percentage rather than removing them to create the energy difference, then that may not fetch the intended result. Consider a scenario where low frequency energy of lc-subregion A is much greater than low frequency energy of lc-subregion B, but one needs to enforce an energy difference in such way that low frequency energy of lc-subregion B has to be greater than that of A. One can not achieve that with small percentage change of low frequency components. So what we need is a proper reorganization of blocks within a lc-region in such manner that energy of lc-subregion A and that of B are close. In such a situation, required energy difference can be enforced with small percentage change of individual low frequency DCT coefficients. Let us now formalize the scheme. 3.1

Watermark Embedding

We are presenting two major modifications of the DEW scheme here. One, energy difference is created by changes in low frequency DCT coefficients. Another is random permutation of blocks such that in any lc-region low frequency energy of lc-subregion A and that of B differ by less than some small quantity δ. Energy of a block b is the sum of absolute values of q many low frequency DCT coefficients

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

145

excluding the DC coefficient. Thus the energy of lc-subregion A, B is given by n 2 −1

EA (q, n) =

q  b=0 j=1

|θj,b |, EB (q, n) =

n−1 

q 

|θj,b |

j=1 b= n 2

respectively. We are not at all interested about the JPEG quality, since the low frequency components are not seriously disturbed by the JPEG compression. We consider the organization of lc-subregions A, B in such a manner such that |EA − EB | < δ, i.e., EA ≈ EB . If we incorporate a bit 0 (respectively ′ 1) in that region, then we want that EA (EA after the modification) becomes ′ substantially greater (respectively smaller) than EB (EB after the modification). Let α be the fractional change required to enforce the required energy difference, ′ ′ EA −EB i.e., after the modification we need | EA +EB | ≥ α. The exact scheme is presented below. Note that the l length binary pattern L is different for each buyer and hence at the extraction phase, from the recovered bit pattern it is possible to identify the copyright infringer. Algorithm 5 1. Randomly arrange the 8 × 8 DCT blocks of the JPEG image using some pseudo random generator and group them in various lc-regions. Each lcregion should be divided in two lc-subregions such that EA ≈ EB . Store this group information which we call the image key K. 2. FOR j = 0 to l − 1 DO (a) Select the j th lc-region consisting of n blocks. (b) Let 2α = α1 + α2 (c) IF (Lj = 0) THEN i. θj,b = θj,b ∗ (1 + α1 ) for b = 1, . . . , n2 − 1, and j = 1, . . . , q. ii. θj,b = θj,b ∗ (1 − α2 ) for b = n2 , . . . , n − 1, and j = 1, . . . , q. (d) ELSE IF(Lj = 1) THEN i. θj,b = θj,b ∗ (1 − α1 ) for b = 1, . . . , n2 − 1, and j = 1, . . . , q. ii. θj,b = θj,b ∗ (1 + α2 ) for b = n2 , . . . , n − 1, and j = 1, . . . , q. 3. Arrange back the DCT blocks to their original positions and write the image. Note that the most important part of this algorithm is as described in the step 1 of Algorithm 5. We first need to group different blocks to get different lcregions. However, just getting the lc-regions does not suffice. In fact, we further need to divide each lc-region into two lc-subregions A, B such that |EA −EB | < δ, i.e., EA ≈ EB . Getting such a grouping by itself is an NP-complete problem (basically subset sum problem) and hard to find. Thus there are two issues. 1. Given a lc-region, to get two lc-subregions A, B such that EA and EB differ by a very small amount. 2. Moreover, if such lc-subregions are not found, then we need to randomly rearrange the 8 × 8 DCT blocks of the JPEG image once again to group them in lc-regions of a different configuration.

146

Tanmoy Kanti Das and Subhamoy Maitra

However, in the experiments, we always succeeded in getting the lc-subregions with required closeness. qThis is expected for the image data since the energy of the individual blocks j=1 |θj,b | are in some specific range. Moreover, in one lcregion there are collection of blocks, where the energies of the blocks in each collection are very close to each other. The easy availability of such groupings make the watermark embedding procedure very fast even if the underlying problem is hard. Another extremely important advantage of plentiness of such grouping is that the image key space becomes very large. In step 1 of Algorithm 5, we store the group information and use that as image key K. Thus, the observation that almost any rearrangement of lc-regions provide lc-subregions with required closeness of EA , EB values, makes the choice of key K from an exponential space and keeps the system secure. 3.2

Watermark Extraction

Extraction of watermark does not require the original image. It is only dependent on the image key K. Once image key is known then one can reorganize the blocks of the watermarked image in the manner that was used at the time of watermark embedding. Now one can calculate EA , EB and if EA > EB then label bit = 0 else it is 1. Note that the binary patterns for each buyer can be selected from error correcting codes so that the malicious buyer can be identified even if there are some bit errors in the extraction process. 3.3

Experimental Results

We present a summarized result to highlight the robustness of our scheme. See Figure 2, where the images show that original and watermarked copies are visually indistinguishable. The watermarking parameters used in the experiments are as follows : α = .05, α1 = 0, α2 = 2α = 0.1, q = 5, n = 64, l = 64. In [7], re-encoding attack has been mentioned. Re-encoding attack basically means saving the image in different JPEG quality. It has been found [7] that the DEW scheme does not survive if the image is saved at very low JPEG quality. This is due to the fact that the watermark information in the DEW scheme has been incorporated using the high frequency DCT coefficients which can be easily disturbed at low quality JPEG compression. However, in our modified scheme, we propose incorporating the watermark signal in the low frequency components, which are least disturbed by JPEG compression. We have taken three images, Lena, Baboon and Pentagon, each of size 512 × 512 pixels. We incorporated 64 bit watermark (each lc-region contains 64 blocks of size 8 × 8) and saved the watermarked image at JPEG quality 100%. Then to simulate the re-encoding attack, we have saved the image at JPEG quality 90% to 10% at an interval of 10% and then extracted the watermark from the low JPEG quality images. We found no bit error at as low as 20% JPEG quality. At 10% we found a single bit error out of the 64 bits, which is < 2%. Thus our scheme is robust in this aspect. Refer to Figure 2 for the re-encoding attacked image saved at 10% JPEG quality.

Cryptanalysis of Optimal Differential Energy Watermarking (DEW)

147

Fig. 2. Modified DEW scheme. Top-left : original image. Top-right : watermarked image. Bottom-left : watermarked image saved at 10% JPEG quality. Bottom-right : stirmark 3 attack on the watermarked image Even with that low quality image, our scheme can extract the watermark and identify the malicious buyer. We checked the standard image processing attacks like filtering, cropping, addition of noise etc. The scheme survives all such attacks. However, we have checked that in case of rotation or when the pixel positions change, it may not be possible to extract the watermark. This is natural since the scheme is oblivious. However, if we consider that the original image is available during the extraction process (i.e., the scheme becomes non-oblivious), then we can use the original image to properly rotate back the attacked watermarked image. In that case one can successfully recover the watermark. In case of Stirmark attacks [10, 11], if the original image is available, then we can use the block based strategy [4]

148

Tanmoy Kanti Das and Subhamoy Maitra

to recover the watermark properly. In Figure 2, the image after the Stirmark 3 attack has been presented. We could successfully recover the watermark using block based strategy when the original image is available. It is a challenging question to successfully extract the watermark in the oblivious scheme, i.e., when the original image is not available.

References [1] I. J. Cox, J. Kilian, T. Leighton and T. Shamoon. Secure Spread Spectrum Watermarking for Multimedia. IEEE Transactions on Image Processing, 6(12):1673–1687, 1997. 136 [2] F. Ergun, J. Kilian and R. Kumar. A note on the limits of collusion-resistant watermarks. In Eurocrypt 1999, no 1592 in LNCS, pages 140–149, Springer Verlag, 1999. 137 [3] R. C. Gonzalez and P. Wintz. Digital Image Processing. Addison-Wesley Publishing (MA, USA), 1988. 136 [4] F. Hartung, J. K. Su and B. Girod. Spread Spectrum Watermarking : Malicious Attacks and Counterattacks. Proceedings of SPIE, Volume 3657 : Security and Watermarking of Multimedia Contents, January 1999. 147 [5] N. F. Johnson, Z. Duric and S. Jajodia. Information Hiding: Steganography and Watermarking – Attacks and Countermeasures. Kluwer Academic Publishers, USA, 2000. 137 [6] S. Katzenbeisser, F. A. P. Petitcolas (edited). Information Hiding Techniques for Steganography and Digital Watermarking. Artech House, USA, 2000. 136, 137 [7] G. C. Langelaar and R. L. Lagendijk. Optimal Differential Energy Watermarking of DCT Encoded Images and Video. IEEE Transactions on Image Processing, 10(1):148–158, 2001. 135, 136, 137, 138, 140, 141, 146 [8] S. G. Mallet. A theory of multi resolution signal decomposition : the Wavelet representation. IEEE Transactions on PAMI, 11:674–693, 1989. 136, 137 [9] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1997. 137 [10] F. A. P. Petitcolas, R. J. Anderson, M. G. Kuhn and D. Aucsmith. Attacks on Copyright Marking Systems. In 2nd Workshop on Information Hiding, pages 218–238 in volume 1525 of Lecture Notes in Computer Science. Springer Verlag, 1998. 137, 147 [11] F. A. P. Petitcolas and R. J. Anderson. Evaluation of Copyright Marking Systems. In IEEE Multimedia Systems, Florence, Italy, June 1999. 137, 147 [12] J. O. Ruanaidh, H. Petersen, A. Herrigel, S. Pereira and T. Pun. Cryptographic copyright protection for digital images based on watermarking techniques. Theoretical Computer Science 226:117–142, 1999. 137, 138 [13] G. K. Wallace. The JPEG still picture compression standard. Communication of the ACM, April 1991. 137

A 2-Secure Code with Efficient Tracing Algorithm Vu Dong Tˆ o, Reihaneh Safavi-Naini, and Yejing Wang School of Information Technology and Computer Science University of Wollongong, Wollongong 2522, Australia {dong,rei,yejing}@uow.edu.au

Abstract. Collusion secure fingerprinting is used to protect against illegal redistribution of digital documents. Fingerprints are embedded in documents to identify different copies. A group of colluders having access to multiple copies with different fingerprints may construct a pirate object with a fingerprint that cannot be traced. We consider c-secure codes with ε error that allow one of the c possible colluders to be traced and the chance of incorrect tracing to be at most ε. We consider a two layer construction consisting of an inner code and an outer structure and give new constructions for each. Important properties of our new inner code is that innocent users will never be accused and the code can be constructed for any number of codewords. This is particularly important as the number of codewords is the alphabet size of the outer structure. We will show that for the outer structure a c-traceability code, or a perfect hash family can be used and obtain the parameters of the combined code in terms of the parameters of the inner code and those of the outer structure. We apply these constructions to our new inner code and give parameters of the resulting c-secure codes. Keywords: fingerprinting codes, frameproof codes, secure codes, secure frameproof codes, traceability codes.

1

Introduction

Fingerprinting is used to distinguish different copies of the same document or software. A fingerprint is a q-ary mark sequence that is embedded in the object in an imperceptible and robust (hard to remove) way. Collusion secure fingerprinting [3] aims at tracing pirate objects constructed by a collusion of users who have access to multiple copies of the same object, each with a different fingerprint. To construct a pirate object, colluders compare their objects to find the places where their marks are different, and construct a pirate object by using one of their marks in each detected position. Totally c-secure codes allow one of the colluders to be traced if the size of the collusion is at most c. Boneh et al showed that totally c-secure codes do not exist for c ≥ 2 and introduced c-secure codes with ε-error in which a member of collusion will be found with probability of at A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 149–163, 2002. c Springer-Verlag Berlin Heidelberg 2002


150

Vu Dong Tˆ o et al.

least 1 − ε. The ε-error refers to the error of the tracing algorithm. The error could be due to the failure of the algorithm to trace some of the pirate objects, or to output an innocent user in some cases. The latter case is undesirable for realistic scenarios and must be avoided. Important parameters of c-secure codes are the length and the number of codewords. Good codes have shorter length and higher number of codewords. The main construction of c-secure codes is due to Boneh et al. [3, 4] and consists of an outer code which is an error-correcting code, and an inner code. Other constructions retain this structure but give different construction for the inner code. In this paper we present a number of new results on 2-secure codes. The main construction that we consider is a two level construction that consists of an inner code and an outer structure. The outer structure can be an error-correcting code, or a perfect hash family. The set of codewords of the inner code form the alphabet set of the outer code and so we require inner codes to be constructible for a wide range of alphabet sizes. In particular to compare two inner codes we will fix the size of the alphabet. Firstly, we construct a new 2-secure inner code of length n2 with n codewords and give an upper bound on ε which shows that the probability of error decreases exponentially with n. We give an efficient tracing algorithm for this code and show that the tracing algorithm never accuses an innocent user. That is either tracing algorithm fails and does not output, or else it outputs a colluder. An interesting property of the code is that for the same error probability it has shorter length when compared with the inner code in [3, 4], or [9] with the same number of codewords. Although the inner code in [3, 4] is only for c-secure codes with c ≥ 3 but since a c-secure code is also a c′ -secure for c′ < c we will compare our code with an instance of the code with the same number of codewords. Then we consider possible outer structures. First, we show that using a 2-TA code as the outer structure combined with a 2-secure code with ε error results in a 2-secure code with ε′ error and give the value of ε′ . 2-TA codes can be obtained from error-correcting codes whose minimum distance satisfy a lower bound. We will show that equi-distance codes with odd minimum distance are 2-TA codes and can always be used for the outer code. Next we show that perfect hash families (PHF) can be used as the outer structure to construct a c-secure code with more codewords from a smaller csecure code. We will obtain probability of failure of tracing as a function of ε and s, the number of functions in the perfect hash family. The tracing algorithm in the case of error-correcting codes consists of two stages: first using the decoding algorithm of the outer code followed by the tracing algorithm of the inner code. In the case of PHF as outer code, tracing consist of finding a function in the family that satisfies certain property followed by the tracing of the inner code. Efficiency of the former stage of tracing depends on the structure of PHF.

A 2-Secure Code with Efficient Tracing Algorithm

151

We will use both outer structures with our proposed inner code and obtain the parameters of the resulting codes. The final code in all cases will have the property that only colluders will be captured. 1.1

Related Works

Secure fingerprinting codes have been defined with a range of security properties. Frameproof codes Frameproof codes are introduced in [3], and constructed in [3, 4, 12, 13]. A cframeproof code provides a property that any up to c colluders cannot create the fingerprint of an innocent user. Constructions of frameproof codes are given by [3, 12, 10]. Secure frameproof codes A weak notion of secure codes is secure frameproof codes. A c-secure frameproof code is defined and constructed by Stinson et al in [11] requires that two disjoint collusions not be able to create the same pirate word. c-Secure frameproof code do not provide tracing algorithm and only require the structure of the code to support unambiguous tracing. Traceability codes Traceability codes are introduced by Staddon et al in [10]. A c-TA code provide frameproofness and traceability property. That is a group of up to c colluders cannot frame another user and any pirate word that they construct is closet to the codeword of one of the colluders and so a colluder can always be found by finding the codeword with minimum Hamming distance to the pirate word. c-TA codes can be constructed from error-correcting codes. For these codes tracing algorithm is the same as decoding algorithm of the error-correcting code. This is particularly useful for codes that have efficient decoding algorithm. Traitor tracing schemes Traitor tracing schemes are introduced in the context of broadcast encryption systems [6] and data fingerprinting [3]. In a broadcast encryption system, the sender broadcasts an encrypted message through a broadcast channel such that only members of an authorised group of receivers can decrypt the message. To do so, each receiver has a decoder with a unique key set. A group of colluders may use their key information to construct a pirate decoder that can decrypt the broadcast. Traitor tracing schemes allow one of the colluders to be identified when a pirate decoder is found. Known constructions of traitor tracing systems use combinatorial designs [12, 13], and error-correcting codes [12]. Tracing traitors in public key encryption systems are proposed in [2]. It is shown [7] that tracing is impossible when the number of traitors exceeds a certain number. The rest of the paper is organised as follows. In Section 2 we recall the definitions and review the known results that will be used throughout the paper. In Section 3 we define a new inner code, provide an efficient tracing algorithm and show the properties of the code. We construct 2-secure codes by combining our new inner code with error-correcting codes in Section 4, and with perfect hash families in Section 5. Finally, we compare our constructions with existing ones and conclude the paper in Section 6.

152

2

Vu Dong Tˆ o et al.

Preliminaries

Let Γ be a q-ary code of length ℓ and size n. We have Γ ⊆ Qℓ , where Q is a set of alphabets, |Q| = q, and |Γ | = n. An element of Γ , called a codeword, can be written as w = (w1 , w2 , . . . , wℓ ), where wi ∈ Q. Elements of Qℓ in general are called words. Let C = {w(1) , w(2) , . . . , w(c) } ⊆ Γ . A position i is called an undetectable (1) (2) (c) position for C if wi = wi = . . . = wi ; otherwise, it is called a detectable position. We denote the set of all undetectable and detectable positions for C as U (C) and D(C). Define the descendant set of C as (1)

(2)

(c)

Desc(C) = {w ∈ Qℓ : wi ∈ {wi , wi , . . . , wi }, ∀i}. Desc(C) is the set of all words that can be constructed by the coalition C. An element w of Desc(C) is called a descendant of C and elements of C are called parents of w. We use the following Marking Assumption and Embedding Assumption which were first introduced in [3]. Marking Assumption: A collusion is only capable of modifying detectable positions. Embedding Assumption: A user has no knowledge of which mark in the object encodes which bit in the code. Colluders can modify the symbols at detectable positions and can replace them with any symbol in the alphabet or replace it with an unrecognizable symbol, denoted by ‘?’, that is not in the alphabet Q. We call Q′ = Q ∪ {?} as the extended alphabet. And we define the feasible set F (C) of C as ℓ

(j)

F (C) = {w ∈ Q′ : wi = wi

∀i ∈ U (C), w(j) ∈ C}

If Γ is a binary code then Desc(C) contains precisely all the elements of F (C) that do not contain marks ‘?’. If an element of F (C) contains ‘?’ in some positions, if we substitute these marks ‘?’ by any symbol of Q, then the resulting word must belong to Desc(C). This is only true if the code Γ is binary. Lemma 1. Let Γ be a binary code, and C ⊆ Γ . For an element of F (C), substituting all the marks ‘?’ by 0 or 1 arbitrarily will result in an element of Desc(C). Frameproof codes introduced in [3], ensure that subset of colluders of size at most c cannot produce the codeword of another user not in their group. Definition 1. ([10]) A code Γ is called a c-frameproof code (c-FPC) if Desc(C) ∩ Γ = C for every subset C ⊆ Γ of size at most c. A code Γ is called a secure frameproof code if two disjoint coalitions cannot produce the same descendant word.

A 2-Secure Code with Efficient Tracing Algorithm

153

Definition 2. ([10]) A code Γ is called a c-secure frameproof code (c-SFPC) if Desc(C1 ) ∩ Desc(C2 ) = ∅ for any two disjoint subsets C1 , C2 ⊆ Γ of sizes at most c. Obviously, a c-SFPC is a c-frameproof code. Definition 3. A code Γ is called totally c-secure if there exists a tracing algoℓ rithm A : Q′ → Γ such that A(x) ∈ C for every C ⊆ Γ of size at most c and x ∈ F (C). It was proved in [3, 4] that totally c-secure codes do not exist when c ≥ 2 and n ≥ 3. A weakened form of totally secure codes is to allow the tracing to fail with a small chance. Definition 4. ([3]) Let ε > 0. A code Γ is called c-secure with ε-error if there exists a tracing algorithm A satisfying condition: if C ⊆ Γ , |C| ≤ c, creates a word x ∈ F (C), then P r[A(x) ∈ C] > 1 − ε. (1) Boneh et al [3, 4] gave a construction for c-secure codes which combines an inner c-secure code with an error-correcting code. The number of codewords of the inner code is much smaller than its length but in combination with the outer code results in a c-secure code whose length is logarithmic in the number of codewords. This is only an existence result and no explicit construction for the outer code with the required parameters has been given. A drawback of the inner code in Boneh et al’s construction is that an innocent user may be accused and this will hold for the final construction as well. The chance of error can be made arbitrarily small but increasing the code length. Other constructions [5, 9] of c-secure codes use the same structure but employ different inner codes. In [5] a family of 2-secure codes was proposed that uses the dual of the Hamming code as the inner code. The number of codewords of this inner code is nearly the same as its length and so the final code will have higher rate (ratio of the logarithm of the number of codewords to the length) compared to the construction in [3, 4]. Another advantage of this code is that the tracing algorithm uses the decoding algorithm of the dual of the Hamming code, and never outputs an innocent user. The number of codewords is 2n and since the number of codewords of the inner code is the same as the alphabet size of the outer code, the higher rate is when the outer code is over GF (2n ). In [9] a construction of a 3-secure codes using a class of inner codes called scattering codes, and an outer code which is a dual of the Hamming code is given. The tracing algorithm may output an innocent user and the code is shown to outperforms the code in [3, 4] for some parameters. This construction results in false accusation. In all above constructions an ‘inner code’ is combined with an outer code which is an error-correcting code (dual Hamming code in that last construction). The inner code in the first construction is a 2-secure code with n codewords and length (n − 1)d, and in the last one, is a scattering code with 2n codewords and

154

Vu Dong Tˆ o et al.

length (2n + 1)d and is the same as the first construction with an added first column. In Boneh et al construction, d = 2n2 log(2n/ε). That is for n codewords, the length of the inner code is ≈ n3 (log(2n/ε)) and the code is n-secure. In [4], with error ε, the inner code has n codeword and length O(n3 log n/ε), the tracing algorithm may output innocent users. In [5], using dual binary Hamming code, a code of size n length n and error 2n/2n is constructed. However, the code size must of the form n = 2i − 1. In [9], a 3-secure code is introduced with code size of the same form 2i − 1. The length of this code is (n − 1)(2t + 1)d. In the next section, we will construct a new 2-secure inner code with an arbitrary size n. Our tracing algorithm either fails or outputs a real colluder.

3

A New Inner Code

In this section we construct a binary code γ and prove that the code is a 2SFPC. We give an efficient tracing algorithm and show that the code is a 2secure code and calculate the error probability in tracing. We show that if the pirate word contains at least one mark ‘?’ then the tracing algorithm correctly outputs a colluder. 2 The codewords are elements of the set {0, 1}n and can be represented by n × n binary matrices. To construct the code, we choose n base-points b1 , b2 , . . . , bn , each point being a position of the n × n matrix such that there is exactly one base-point on each row and on each column. That is, if we assume the basepoint bi is on the row ri and column ci , then (r1 , r2 , . . . , rn ) and (c1 , c2 , . . . , cn ) are permutations of (1, 2, . . . , n). For a square matrix M of order n, we denote by M (r, c) the entry in the rth row and the cth column. Now n codewords M1 , M2 , . . . , Mn are constructed as follows. For each i, 1 ≤ i ≤ n, Mi is an n × n binary matrix whose (r, c) entry is given by   1, if r = ri and c = ci Mi (r, c) = 1, if r = ri and c = ci  0, otherwise For two base-points bi1 , bi2 , define

Rec(i1 , i2 ) = {(r, c) : r ∈ {ri1 , ri2 }, c ∈ {ci1 , ci2 }} Rec(i1 , i2 ) is the set of four vertices of the rectangle formed by the two basepoints bi1 , bi2 . We call the pair of vertices (ri1 , ci2 ) and (ri2 , ci1 ) opposite basepoints and denote by Opp(i1 , i2 ) = {(ri1 , ci2 ), (ri2 , ci1 )}. For any two codewords Mi1 and Mi2 , it is easy to see that the set of undetectable positions consists of four vertices of Rec(i1 , i2 ) together with all the positions that are not on rows ri1 , ri2 and not on columns ci1 , ci2 . The detectable positions are the positions on the rows ri1 , ri2 and columns ci1 , ci2 , except for the four positions of Rec(i1 , i2 ). The number of detectable positions is 4n − 8. D(C) = {(r, c) : r ∈ {ri1 , ri2 } or c ∈ {ci1 , ci2 }} \ Rec(i1 , i2 ) U (C) = {(r, c) : r = ri1 , ri2 , c = ci1 , ci2 } ∪ Rec(i1 , i2 )

A 2-Secure Code with Efficient Tracing Algorithm

155

2

Theorem 1. For a matrix M ∈ {0, 1, ?}n , M is a member of F (Mi1 , Mi2 ) if and only if 1. M has the values 0 on the two base-points bi1 and bi2 M (ri1 , ci1 ) = M (ri2 , ci2 ) = 0 2. M has the values 1 on the two opposite base-points Opp(i1 , i2 ) M (ri1 , ci2 ) = M (ri2 , ci1 ) = 1 3. M has the values 0 on all the positions that are not on the row ri1 , ri2 , and not on the column ci1 , ci2 M (r, c) = 0 for all r = ri1 , ri2 , c = ci1 , ci2 Theorem 2. For any n ≥ 4, γ is a 2-secure frameproof code. Proof. Let Mi1 , Mi2 , Mi3 and Mi4 be four different codewords. ¿From Theorem 1, for any descendant M of {Mi1 , Mi2 } and M ′ of {Mi3 , Mi4 }, M (ri1 , ci2 ) = M (ri2 , ci1 ) = 1 and M ′ (ri1 , ci2 ) = M ′ (ri2 , ci1 ) = 0. This implies M = M ′ . Definition 5. Let M be a binary matrix of size n. The set ColluderP air(M ) is defined as follows 1. a member of ColluderP air(M ) is a subset of {M1 , M2 , . . . , Mn } with two element 2. {Mi1 , Mi2 } ∈ ColluderP air(M ) if and only if (T1) M (ri1 , ci1 ) = M (ri2 , ci2 ) = 0, (T2) M (ri1 , ci2 ) = M (ri2 , ci1 ) = 1, and (T3) M (r, c) = 0, for all r = ri1 , ri2 , c = ci1 , ci2 . ColluderP air(M ) is the set of all pairs of colluders that could have generated M ColluderP air(M ) = {{Mi1 , Mi2 } : M ∈ Desc(Mi1 , Mi2 )} 3.1

Properties of ColluderP air(M )

In this section, we will look at the properties of the set ColluderP air(M ) which help us to derive tracing algorithm. We need the following lemma. Lemma 2. Suppose {S1 , S2 , . . . , Sk } is a collection of sets such that 1. Each set contains exactly two elements, 2. Any two sets have non-empty intersection, and 3. Union of all these sets contains more than three elements | ∪ki=1 Si | > 3 then ∩ki=1 Si = ∅

156

Vu Dong Tˆ o et al.

Proof. Assume S1 = {x1 , x2 }, S2 = {x1 , x3 }, x4 ∈ S3 . Since S3 has non-empty intersections with both S1 and S2 , we must have S3 = {x1 , x4 }. For any other set Sj , 4 ≤ j ≤ k, since Sj has non-empty intersections with all three sets S1 , S2 and S3 , Sj must contains x1 . Therefore, Lemma 3. Let M be given. If S1 , S2 ∈ ColludeP air(M ), then S1 ∩ S2 = ∅. Proof. Follows from Theorem 2. For any three base-points bi1 , bi2 and bi3 , let SM [i1 , i2 , i3 ] be the binary matrix whose entries are all zeros except for the six opposite base-points Opp(i1 , i2 ), Opp(i2 , i3 ) and Opp(i3 , i1 ). ¿From now on, these matrices SM [i1 , i2 , i3 ] are called special matrices. It is easy to check that the special matrix SM [i1 , i2 , i3 ] belong to all three descendant sets Desc(Mi1 , Mi2 ), Desc(Mi2 , Mi3 ) and Desc(Mi3 , Mi1 ). Special matrices are characterised by the following Lemma. Lemma 4. ColluderP air(M ) = {{Mi1 , Mi2 }, {Mi2 , Mi3 }, {Mi3 , Mi1 }} if and only if M = SM [i1 , i2 , i3 ]. Proof. Firstly, if {Mi1 , Mi2 }, {Mi2 , Mi3 }, {Mi3 , Mi1 } ∈ ColluderP air(M ) then it follows from Definition 5 that the matrix M has all entries equal to zero except for the six opposite base-points Opp(i1 , i2 ), Opp(i2 , i3 ) and Opp(i3 , i1 ). That means M = SM [i1 , i2 , i3 ]. Conversely, if M = SM [i1 , i2 , i3 ] is a special matrix, then the only pairs that satisfy the three conditions (T1), (T2), (T3) are {i1 , i2 }, {i2 , i3 } and {i3 , i1 }. Theorem 3. For any binary matrix M , if M is not a special matrix then  {S : S ∈ ColluderP air(M )} =  ∅

And if M = SM [i1 , i2 , i3 ] then

ColluderP air(M ) = {{Mi1 , Mi2 }, {Mi2 , Mi3 }, {Mi3 , Mi1 }}  Proof. Let Collude(M ) = {S : S ∈ ColluderP air(M )} where M is a nonspecial matrix. Since each member of ColluderP air(M ) is a set that contains two elements and any two members of ColluderP air(M ) have non-empty intersection (Lemma 3), if |Colluder(M )| > 3 it follows from Lemma 2 that intersection of all members of ColluderP air(M ) is not empty. If |Colluder(M )| = 3 then ColluderP air(M ) is either equal to {{i1 , i2 }, {i2 , i3 }} or {{i1, i2 }, {i2 , i3 }, {i3, i1 }}. The latter cannot happen by Lemma 4 because M is not a special matrix. If |Colluder(M  )| = 2, then ColluderP air(M ) has only one member. In all cases, we have {S : S ∈ ColluderP air(M )} =  ∅. Since the pair of the actual colluders is included in the set ColluderP air(M ), if M is not a special matrix then from the above theorem the intersection of all members of ColluderP air(M ) is not empty. This intersection is a subset of the colluders.

A 2-Secure Code with Efficient Tracing Algorithm

3.2

157

Tracing Algorithm

Given a matrix M formed by two colluders. ¿From Theorem 3, we have the following trivial tracing algorithm. We consider two cases: Case 1: M does not have a mark ‘?’ If M is a special matrix, M = SM [i1 , i2 , i3 ], then the two colluders are among i1 , i2 , i3 ; in this case, the algorithm fails to identify them. If M is not a special matrix, then we form the set ColludeP air(M ) that contains all the pairs {i1 , i2 } that satisfy   (T1), (T2), (T3) in Definition 5. A trivial method is to check all n2 pairs {i1 , i2 }. In section 3.3, we use the properties of the set ColludeP air(M ) to give a faster algorithm to search for such pairs. Theorem 3 ensures that the intersection of members of the set ColludeP air(M ) is not empty. This intersection is the colluders. Output this intersection. Case 2: M contains marks ‘?’ In this case, we always can find a colluder. Firstly, we substitute all the marks ‘?’ by an arbitrary values 0 or 1 so that the resulting matrix M ′ is not a special matrix. One way to make this substitution easy is by observing that all special matrices have weight equal to 6. Therefore, when we substitute the marks ‘?’ by 0 or 1, we need only to ensure that M ′ has weight not equal to 6 to guarantee that it is not a special matrix. Since γ is a binary code, from Lemma 1, the binary matrix M ′ is a descendant matrix formed by the two colluders. As in case 1, form the set ColludeP air(M ′ ), and the colluder is in the intersection of all members of ColludeP air(M ′ ). Tracing error: The only case when the tracing algorithm fails is when M is a special matrix. Suppose that the two users 1 and 2 collude and they know that the tracing algorithm is deterministic if the pirate matrix contains at least a mark ‘?’. The number of special matrices that they can form is n − 2. These matrices are SM [1, 2, 3], SM [1, 2, 4], . . . , SM [1, 2, n]. Since there are 4n − 8 detectable positions for {M1 , M2 }. ¿From Embedding Assumption, the best strategy that they have is replacing detectable positions with random marks correspond to 0 or 1. The total number of the matrices that they can form in this way is 24n−8 . It follows that the tracing error is not larger than 2n−2 4n−8 . However, if the colluders have no knowledge about the tracing algorithm then the tracing error is 3n−2 4n−8 . 3.3

Faster Tracing

The main step in tracing algorithm is to determine the set ColluderP   air(M ) for a non-special matrix M . The trivial solution requires at most n2 steps. In this section, we present a faster tracing algorithm that use the weight of the matrices. The weight of a matrix is the number of ones in the matrix. Theorem 4. Let M ∈ Desc(Mi1 , Mi2 ). If weight(M ) > 6, then 1. there exist at least three 1’s on some row or some column;

158

Vu Dong Tˆ o et al.

2. if a row or a column consists of at least three 1’s then this row or column must contain one of the base-points bi1 , bi2 . Proof. The only places that we can find entries 1 in M are rows ri1 , ri2 or columns ci1 , ci2 . We know that at the two opposite base-points (ri1 , ci2 ), (ri2 , ci1 ), we have two 1’s. Therefore, if there are at most two 1’s on each row and column of M then we have at most four other 1’s in these rows ri1 , ri2 and columns ci1 , ci2 . It follows that the weight of M cannot exceed 6. Now suppose that there are at least three 1’s in the same column. This column must be either column ci1 or ci2 as in the other columns there are at most two 1’s. Similarly, if there are at least three 1’s in the same row, this row must be either row ri1 or ri2 . This proves the second part of the theorem. From the above theorem, we can see that if weight(M ) > 6, we only need to identify a row or a column with three 1’s. Since there is exactly one base-point in each row or column, the colluder’s base-point will be identified. If weight(M ) ≤ 6, then to determine the set  ColluderP air(M ), using condition (T2), we only need to check for at most 62 = 15 pairs. Theorem 5. The tracing algorithm either outputs a correct colluder or fails with probability 2n−2 4n−8 . If the pirate matrix contains at least one mark ‘?’ then the algorithm correctly outputs a colluder. 3.4

Reducing the Code Length

Since all codewords have the value 0 at base-points, we can remove n positions corresponding to the n base-points. Moreover, if we choose the n base-point to be bi = (i, i) then every codeword is a symmetric matrix. Therefore, we only need to record the lower part of the matrix and so the code has length n(n − 1)/2.

4

Construction from Traceability Codes

In this section we combine the code γ = {M1 , M2 , . . . , Mn } constructed in the above section with 2-traceability codes to have 2-secure codes with shorter length. c-Traceability codes are defined as follows. Definition 6. ([10]) Let Γ be an n-ary code of length L, C = {u1 , · · · , ub } ⊆ Γ , where ui = (ai1 , ai2 , · · · , aiL ). Γ is called c-traceability code, or c-TA code for short, if the following condition is satisfied: for any C ⊆ Γ, |C| ≤ c, and any (x1 , · · · , xL ) ∈ desc(C), there is a ui ∈ C such that |{j : xj = aij }| > |{j : xj = aj }| for any (a1 , · · · , aL ) ∈ Γ \ C. c-TA codes can tolerate some erased positions (positions with ‘?’). The bound on the maximum number of erasures tolerated by a c-TA code was given in [8]. Let Γ be an n-ary code and C = {u1 , · · · , ub } ⊆ Γ, b ≤ c. Define a set F (C; e) = {(x1 , · · · , xL ) ∈ F (C) : |{j : xj =?}| ≤ e}.

A 2-Secure Code with Efficient Tracing Algorithm

159

Theorem 6. Let Γ be an (L, N, D)q -ECC, and c be an integer. 1. ([10])) If D > (1 −

1 )L c2

(2)

then Γ is a c-TA code. 2. ([8]) If

1 e )L + 2 c2 c then Γ is c-TA code tolerating e erasures. D > (1 −

(3)

Let Γ be an n-ary code of length L and size N over an alphabet {a1 , a2 , . . . , an }. Define a binary code ∆(Γ, γ) in which each codeword has length ℓL, and obtained in the following way U = Mi1 Mi2  . . . MiL , where ai1 ai2 . . . aiL ∈ Γ . Theorem 7. Suppose γ is an (ℓ, n) c-secure code with ε-error, and Γ is an (L, N, D)n c-TA code satisfying (3). Then ∆(Γ, γ) is a c-secure code with error at most (εL)e+1 . Proof. Denote by AO , AI the tracing algorithm for the outer code and the inner code. Define a tracing algorithm for code ∆(Γ, γ) as follows. Suppose a pirate word X = X1 X2  · · · XL is given. Step 1: Apply AI to each Xj , j = 1, 2, · · · , L. Suppose the output is Mij . Step 2: Apply AO to ai1 ai2 . . . aiL . The output U of AO is treated as a traitor. For this tracing, an error happens only if |{j : AI (Xj ) = ∅}| > e. While for AI the  L  e+1 ε < tracing error is ε, so the tracing error for the code ∆(Γ, γ) is at most e+1 e+1 (εL) . The following is an examples of the resulting 2-secure codes. Theorem 8. Let n be a prime power, e, k be positive integers such that k ≤   1 4n−8 e+1 , 4 (n − e − 1). There exists a 2-secure code with error (n − 2)(n − 1)/2 the length of the code is n2 (n − 1) and the number of codewords is nk . Proof. Let Γ be a Reed-Solomon code of length L = n − 1 and dimension k over GF (n). Then from Theorem 7 ∆(Γ, γ) is a 2-secure code with error at most  e+1 (n − 2)(n − 1)/24n−8 . The following is a family of 2-TA codes. A code Γ is called an equidistance code if the Hamming distances between any two codewords are all the same. Theorem 9. Equidistant code with odd distance is 2-TA code. Proof. Let X ∈ desc(U1 , U2 ), then d(X, U1 ) + d(X, U2 ) = d(U1 , U2 ) = d. Since d is odd, it follows that d(X, U1 ) ≤ (d − 1)/2 or d(X, U2 ) ≤ (d − 1)/2.

160

5

Vu Dong Tˆ o et al.

Construction from Perfect Hash Families

In this section we construct 2-secure codes with more codewords by combining a 2-secure code with a perfect hash family. Using this construction with the inner code given in Section 3 and a perfect hash family given in [1, 11] give a code k with 72 codewords and length 16 × 7k . Definition 7. Let N, n, t be integers, X and Y be sets of size N and n, respectively, F be a family of s functions f : X → Y . F is call a perfect hash family, denoted by PHF(s; N, n, t), if for any subset Z ⊆ X of size t, there exists an f ∈ F such that f |Z is one-to-one. Let γ be an (ℓ, n) code, F = {f1 , f2 , · · · , fs : fi : X → Y } be a PHF(s; N, n, t). Define a code Ω(γ, F) consisting of N codewords of length sℓ. Each codeword in Ω(γ, F ) is labelled by an element x ∈ X, and is defined by uf1 (x)  uf2 (x)  · · ·  ufs (x) here  means concatenation, and ufj (x) ∈ Γ for all j. 2 We consider a code Ω(γ, F ), where γ = {M1 , M2 , · · · , Mn } ⊆ {0, 1}n is the code constructed in Section 3, F = {f1 , f2 , · · · , fs : fi : X → Y } is a PHF(s; N, n, 4). Suppose C = {U1 , U2 } ⊆ Ω(γ, F ) is a collusion Ui = Mf1 (xi ) Mf2 (xi )  · · · Mfs (xi ) , i = 1, 2 Then the feasible set of C is given by, F (C) = {X1 X2  · · · Xs : Xj ∈ F (Mfj (x1 ) , Mfj (x2 ) ), 1 ≤ j ≤ s} 2

Every X ∈ {0, 1}sn is naturally represented by X = X1 X2  · · · Xs with Xj ∈ 2 2 {0, 1}n for each j. For a given X ∈ {0, 1}sn , define ColluderP air(X) = {S ⊆ Ω(γ, F ) : |S| = 2, X ∈ F (S)} 2

Lemma 5. Let X ∈ {0, 1}sn be given. If S1 , S2 ∈ ColluderP air(X), then S1 ∩ S2 = ∅. Proof. Assume Ui = Mf1 (xi ) Mf2 (xi )  · · · Mfs (xi ) and S1 = {U1 , U2 }, S2 = {U3 , U4 } are disjoint. Since F is a PHF(s; N, n, 4), there exists an fj ∈ F such that fj (x1 ), fj (x2 ), fj (x3 ), fj (x4 ) are distinct and so the two sets {Mfj (x1 ) , Mfj (x2 ) } and {Mfj (x3 ) , Mfj (x4 ) } are disjoint. It follows that the two descendant sets of S1 and S2 are disjoint. Lemma 6. Let X be given. Then either ∩{S : S ∈ ColluderP air(X)} =  ∅ or there exists distinct U1 , U2 , U3 such that ColluderP air(X) = {{U1 , U2 }, {U2 , U3 }, {U3 , U1 }} Proof. Similar to the proof of Theorem 3.

A 2-Secure Code with Efficient Tracing Algorithm

161

Lemma 7. If ColluderP air(X) = {{U1 , U2 }, {U2 , U3 }, {U3 , U1 }} 2 where X = X1 X2  · · · Xs ∈ {0, 1}sn and Ui = Mf1 (xi ) Mf2 (xi )  · · · Mfs (xi ) , then for each j = 1, 2, . . . , s, either Xj is a special matrix or a codeword matrix. Proof. We have Xj ∈ Desc(Mfj (x1 ) , Mfj (x2 ) ), Xj ∈ Desc(Mfj (x2 ) , Mfj (x3 ) ) and Xj ∈ Desc(Mfj (x3 ) , Mfj (x1 ) ) for each j = 1, . . . , s. If Mfj (x1 ) , Mfj (x2 ) and Mfj (x2 ) are three different codeword matrices then from Lemma 4, Xj must be a special matrix. If Mfj (x1 ) , Mfj (x2 ) and Mfj (x2 ) are not distinct codewords, say Mfj (x1 ) = Mfj (x2 ) , then it follows from Xj ∈ Desc(Mfj (x1 ) , Mfj (x2 ) ) that Xj = Mfj (x1 ) = Mfj (x2 ) . In this case, Xj is a codeword matrix. s Lemma 8. The tracing error is ε = ( 22n−2 4n−8 ) .

Proof. For each j = 1, . . . , s, the number of special matrix that two colluders can produce is n − 2. Therefore, there are 2n − 2 possibilities that Xj is a special matrix or a codeword matrix. The probabilities of producing such a Xj is 22n−2 4n−8 . It follows that the probability to have ColluderP air(X) = s {{U1 , U2 }, {U2 , U3 }, {U3 , U1 }} is ( 22n−2 4n−8 ) . In the following we show the existence of the perfect hash family. k

Theorem 10. ([1, 11]) There exists a PHF(7k+1 ; 72 , 4, 4) for all k ≥ 0. Theorem 11. Let k be an integer. There exists a 2-secure code with error ε =  3 7k+1 k of length L = 16 × 7k+1 and consisting of N = 72 codewords. 27 k

Proof. Use Fk = P HF (7k+1 ; 72 , 4, 4) and the inner code γ with n = 4, Ω(γ, Fk ) 7k+1  3 7k+1  = 27 . is the 2-secure code with error 22×4−2 4×4−8

6

Comparison and Concluding Remarks

We considered 2-secure fingerprinting codes and presented a number of new constructions. A c-Secures code provides a tracing algorithm and an estimate of the highest probability of incorrect tracing. Our main construction, similar to all other known ones, have two layers. A 2-secure code is used as the inner code and then an outer structure is used to increase the number of codewords. All previous inner codes have shortcomings. Our proposed inner codes, improves on all the known codes by having a number of desirable properties simultaneously. Most importantly, it ensures that no other innocent users will be accused. The only other inner code that satisfy this property can exist for very limited range of number of codewords. Noting that this number is the alphabet size of the outer structure means that a much wider range of outer structures can be used and so better c-secure codes can be obtained. We show two general form of outer structures, one based on 2-TA codes and the second on perfect hash families and in both cases obtained the probability of incorrect tracing in terms of the parameters of the inner code and the outer structures.

162

Vu Dong Tˆ o et al.

Acknowledgement The authors would like to thank anonymous referees for useful comments which make an improvement of Theorem 5 from the previous version and for a suggestion which is included in Section 3.4.

References [1] M. Atici, S. S. Magliveras, D. R. Stinson, and W. D. Wei. Some recursive constructions for perfect hash families. Journal of Combinatorial Designs, 4:353– 363, 1996. 160, 161 [2] D. Boneh and M. Franklin. An efficient public key traitor tracing scheme. In Advances in Cryptology - CRYPTO’99, Lecture Notes in Computer Science, volume 1666, pages 338–353. Springer-Verlag, Berlin, Heidelberg, New York, 1999. 151 [3] D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. In Advances in Cryptology - CRYPTO’95, Lecture Notes in Computer Science, volume 963, pages 453–465. Springer-Verlag, Berlin, Heidelberg, New York, 1995. 149, 150, 151, 152, 153 [4] D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, Vol. 44, No. 5:1897–1905, 1998. 150, 151, 153, 154 [5] J. Domingo-Ferrer and J. Herrera-Joancomarti. Short collusion-secure fingerprints based on dual binary hamming codes. Electronics Letters, Vol. 36, No. 20:1697–1699, 2000. 153, 154 [6] A. Fiat and M. Naor. Broadcast encryption. In Advances in Cryptology – CRYPTO’93, Lecture Notes in Computer Science, volume 773, pages 480–491. Springer-Verlag, Berlin, Heidelberg, New York, 1994. 151 [7] A. Kiayias and M. Yung. Self protecting pirates and black-box traitor tracing. In Advances in Cryptology - CRYPTO’01, Lecture Notes in Computer Science, volume 2139, pages 63–79. Springer-Verlag, Berlin, Heidelberg, New York, 2001. 151 [8] R. Safavi-Naini and Y. Wang. Collusion secure q-ary fingerprinting for perceptual content. In Security and Privacy in Digital Rights Management (SPDRM 2001), Lecture Notes in Computer Science, volume 2320, pages 57–75. Springer-Verlag, Berlin, Heidelberg, New York, 2002. 158, 159 [9] F. Sebe and J. Domingo-Ferrer. Short 3-secure fingerprinting codes for copyright protection. In Proceedings of ACISP’02, Lecture Notes in Computer Science, volume 2384, pages 316–327. Springer-Verlag, Berlin, Heidelberg, New York, 2002. 150, 153, 154 [10] J. N. Staddon, D. R. Stinson, and R. Wei. Combinatorial properties of frameproof and traceability codes. IEEE transactions on information theory, Vol. 47, No. 3:1042–1049, 2001. 151, 152, 153, 158, 159 [11] D. Stinson, T. Trung, and R. Wei. Secure frameproof codes, key distribution patterns, group testing algorithms and related structures. Journal of Statistical Planning and Inference, 86(2):595–617, 2000. 151, 160, 161 [12] D. Stinson and R. Wei. Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM Journal on Discrete Mathematics, 11:41–53, 1998. 151

A 2-Secure Code with Efficient Tracing Algorithm

163

[13] D. R. Stinson and R. Wei. Key preassigned traceability schemes for broadcast encryption. In Proceedings of SAC’98, Lecture Notes in Computer Science, volume 1556, pages 144–156. Springer-Verlag, Berlin, Heidelberg, New York, 1999. 151

Reed Solomon Codes for Digital Fingerprinting Ravi Sankar Veerubhotla, Ashutosh Saxena, and Ved Prakash Gulati Institute for Development and Research in Banking Technology Castle Hills, Masab Tank, Hyderabad 500057, AP, INDIA {vrsankar,asaxena,vpgulati}@idrbt.ac.in

Abstract. Reed Solomon codes are being widely used for errorcorrecting methods and in construction of fault tolerant systems such as RAID. Recent studies [2], [7], [8] revealed that these codes have a potential application in cryptography. The hardness in decoding Reed Solomon codes can be exposed to construct new cryptographic applications. It is in this scenario that we talk about the suitability of Reed Solomon codes for Digital Fingerprinting in particular and cryptography in general. We derive results for bounds on Fingerprint length, design tracing method for Boneh’s broadcast encryption system [2]; and discuss collusion attacks on fingerprint. Pirate strategies and performance issues are also presented.

1

Introduction

Fingerprinting digital data is a possible solution to the problem of copyright violations. By Digital Fingerprinting we refer to the act of embedding a unique identifier in a digital object, in such a way that it will be difficult for others to find, remove or destroy the identifier. Thus every user's copy is made unique, while still being close to the original. This ensures that an illegal copy stands out. Distribution of different copies to valid users will facilitate identifying the illegal users. The problem of Fingerprinting can be divided into two sub-problems, which can be addressed individually: the problem of Embedding and the problem of Coding. The Embedding problem states how to make the alterations by which we encode single digits into the object. The Coding problem describes how to choose the fingerprints in their abstract representation (as vectors of digits) such that the fingerprinting system becomes robust against different types of attacks. The embedding problem involves elements from steganography and watermarking [1], [6] while the coding part incorporates the Tracing methods, bounds on fingerprint length, choice of codes etc. Thus Fingerprinting contains various elements from the areas like steganography, watermarking, coding theory, traitor tracing etc. Here is a brief description of these elements: Steganography is about embedding a secret message in a cover message so that it is not visible and cannot be discovered. This is a means by which two or more parties may communicate using "invisible" or "subliminal" communication. The embedding A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 163-175, 2002.  Springer-Verlag Berlin Heidelberg 2002

164

Ravi Sankar Veerubhotla et al.

can be parameterized by a key that is used when retrieving the secret message. The secret message may be encrypted for added security. Watermarking is much similar to steganography, the only difference being that the scheme should be robust against active attackers, even if the attackers know that, an object not only contains a watermark, but also the algorithmic principle of the method. In Traitor tracing, a distributor broadcasts encrypted data that should be available only to a certain set of users. Each user has a unique decryption key that can be used to decrypt the broadcast data. It is possible that some users collude and create a new key, different from any of theirs, and still able to decrypt the broadcast data. In a traitor tracing scheme [2], [4], if the number of users colluding is less than some given threshold, it is possible, with low probability of error, to trace at least one of the creators of the pirate key.

2

Background

In this section we present some definitions and the terms related to Fingerprinting. -

-

-

-

-

2.1

An object is a collection of digital data. Digitally stored texts, images or audio files are examples of such objects. An object is close to another object if they are so similar that they serve the same purpose for normal use. An original is an object that somebody, who has the legal right to do so, wants to distribute. There is exactly one original in the fingerprinting system. A copy is an object close to the original. A copy in this meaning is not an exact digital copy (digit by digit). Instead, it is an object, which is very similar to the original for all practical purposes. The distributor is the sole entity that has the original, and the right to distribute it. For example, if the original is a book the distributor can be the publisher of that book, that is, the person/company that has the right to distribute the book. The distributor is the only one who is allowed to distribute the copies. Illegal distribution is the distribution of copies by somebody other than the distributor. Distributor considers all other forms of distribution as illegal and unwanted. Pirates are users performing illegal distribution. If the number of pirates is more than one, it is called collusion. Marking Assumption defined in [3] states that the colluding pirates can detect a specific mark if, and only if, it differs between their copies. They cannot change an undetected mark without destroying the fingerprinted object. Goals of Fingerprinting

If an illegal copy is discovered, there can be three different goals: -

To be able to identify the pirate or, in the case of several pirates working together, as many of the pirates as possible. To be able to test whether a certain, proposed user, or group of users, is guilty of having created the illegal copy.

Reed Solomon Codes for Digital Fingerprinting -

165

To be able to achieve a trade off between false alarm error and false dismissal error.

The false alarm error corresponds to accusing a user who is innocent and the false dismissal error corresponds to failing to accuse a user who is guilty. It is desirable to keep the probability of both of these errors to the minimum. Unfortunately they are conflicting goals, so a trade-off has to be made. As a special case when exactly one user is accused after every tracing, the two kinds of error coincide. A false alarm is always a false dismissal and vice versa and thus we get only one kind of error. 2.2

A Model for Fingerprinting

Using the definitions presented earlier we described the working of fingerprinting system [9] as follows: -

-

-

2.3

A public fingerprinting code Ψ is chosen by the distributor for usage in the fingerprinting system. Ψ is of length n and publicly known. The original digital object that is to be fingerprinted is prepared by locating marks in it, and making alterations in such a way that the object as a whole is slightly degraded or not at all. This is done in such a way that the marking assumption holds. A code Γ is chosen randomly, with equal probability, among all codes equivalent to Ψ . The numbering of the codewords is chosen such that Ψ = ψ α1 ,ψ α 2 ,...ψ α M , Γ = γ 1 , γ 2 ,..γ M and γ i is the coordinate-permuted and translated ψ i for all i . The objects that are to be distributed are fingerprinted by embedding the codewords of Γ into them. The fingerprinted objects are distributed to the users so that user i gets the object fingerprinted with codeword γ i . Attacks on Fingerprint

A pirate may try different types of attacks to remove the fingerprint, in order to distribute illegal copies anonymously. Assuming that the pirate has access to a single document copy, that has been marked for him, he may either try to restore the original document by identifying and removing the fingerprint, or try to corrupt the fingerprint by distorting the document. Majority Choice strategy attack requires that the number of pirates is odd and greater than two. Here in every detectable mark the pirates choose to output to the illegal copy the alternative that occurs the greatest number of times in the pirates’ objects. Minority Choice attack is carried out by inverting the result of the majority choice. The difference compared to majority choice is that the illegal fingerprint on an average will be as distant as possible to the fingerprints of the pirates. Binary Addition takes every detectable mark the pirates choose to output to the illegal copy the alternative that occurs an odd number of times in the pirate’s objects. This does not differ significantly from the “normal” binary addition. In Random Pirate Choice the pirates choose randomly every detectable mark, with equal probability among the possible

166

Ravi Sankar Veerubhotla et al.

alternatives, and decides what to output to the illegal copy. A stronger attack results if several pirates collude [4] and compare their independently marked copies. Then they can detect and locate the differences, and combine their copies into a new copy, the fingerprint of which differs from all the pirates. A good fingerprinting scheme should be resistant against all reasonable attacks, while keeping the marking distortion negligible. Fingerprinting should be robust against attacks and if several users collude and create a new object (corresponding to a new key in the traitor tracing scenario), it should be possible to find at least some of the users who colluded. 2.4

Properties of Reed Solomon Codes

Reed Solomon codes are codes over the alphabet F = GF (q) (the Galos field of order q ). Let n, k and q integers such that a finite field of size q exists. The code may be obtained by letting a message m = m0 ...mk −1 denote the coefficients of a degree k −1

k −1

polynomial

f ( x) = ∑ m j x j

and

letting

the

encoding

of

m be

j =0

C (m) = c1 ..cn where ci = f ( xi ) where x1 ,...xn are n distinct elements of F . A Reed Solomon code is specified as RS ( n, k ) with s -bit symbols. This means that the encoder takes k data symbols of s bits each and adds parity symbols to make an n symbol codeword. There are n − k parity symbols of s bits each. A Reed Solomon decoder can correct up to t symbols that contain errors in a codeword, where 2t = n − k . If we want to send a k -digit plaintext message, Reed Solomon code will send n = k + 2 s digits, and guarantee that the correct message can be reconstructed at the other end if there are fewer than s corrupted digits. And for a linear [n, k , d ] code over GF (q) the singleton bound becomes

d ≤ n − k + 1 . A code is called Maximum Distance Separable if it attains the singleton bound with equality. Every Reed-Solomon code is Maximum Distance Separable (MDS).

3

Our Contribution

In our work we present the applicability of Reed Solomon codes for Digital Fingerprinting in particular and cryptography in general. We derive results for bounds on Fingerprint length and design a tracing method for a broadcast encryption system. We also discuss collusion attacks on fingerprint, pirate strategies and performance issues. The tracing method used in encryption scheme can be used as part of Fingerprinting applications to detect a pirate who use any linear combination of codewords.

Reed Solomon Codes for Digital Fingerprinting

3.1

167

Bounds for Collusions

Assume that given an illegal fingerprint z we want to find any collusion of at most c pirates among the total number of M users. For this to be possible there must be at least as many fingerprints as possible collusions of size at most c . The bound we would like to derive is based on the idea that different collusions must be able to generate different fingerprints in order to be distinguishable. This does not reveal about the performance of the tracing method, but it does constitute a lower bound on the size of the fingerprint space necessary for it. The bound requires exactly one unique fingerprint for each collusion, while in fact most collusions have a considerable freedom in their choice of fingerprints (i.e., their feasible sets are large). Consequently, the actual fingerprint length required is expected to be much greater than this lower bound. In binary fingerprinting schemes if the total number of users is M , the number of possible users of size almost c is

M  c M   = ∑   − 1 = V ( M , c) − 1 i =1  i  i =1  i  c

∑

where, V ( M , c) is the volume of a sphere of radius c in an M -dimensional Hamming space. This means that there have to be log(V ( M , c) − 1)  bits in the fingerprint for it to be possible to uniquely accuse each of the possible user sets. Let F be an alphabet of size q . Note that a sphere of radius t in F n is a set of words in F n at Hamming distance t or less, from a given word in

F n . The number of

t  n i words, or the volume, of such a sphere is given by Vq ( n, t ) = ∑   ( q − 1) . For the i i =0   asymptotic versions of the sphere packing bound and the Gilbert-Varshamov bound, we will need estimates for the value t  n i Vq ( n, t ) = ∑   ( q − 1) i i =0  

We know that the binary entropy function H 2 ( x ) given by

H 2 ( x ) = − x log 2 x − (1 − x) log 2 (1 − x) . Making use of the q -ary entropy function H q : [ 0,1] → [ 0,1] , which is defined as

H q ( x ) = − x log q x − (1 − x ) log q (1 − x ) + x log q ( q − 1) , where H q ( 0 ) = H q (1) = 0 , one can verify that the function x a H q ( x ) is strictly

concave, nonnegative, and attains a maximum value 1 at x = 1 − ( 1 q ) .

168

Ravi Sankar Veerubhotla et al.

Lemma 1. For

[n, t ] code over GF (q) if 0 ≤

t

n

Vq ( n, t ) ≤ q

≤ 1 − ( 1 q ) , then nH q ( t n )

Proof. Please see Appendix. Lemma 2. For [n, t ] code over GF (q ) , for 0 ≤ t ≤ n ,

n 1 t nH t .q q ( n ) . Vq ( n, t ) ≥   ( q − 1) ≥ n +1 t Proof. Please see Appendix. 3.2

The Length of Fingerprints

The number of different user sets that we have to point out is one less than the volume of an M -dimensional sphere with radius c . Thus we can say that to be able to identify any user set of at most size c , the length l of the fingerprints has to fulfill the following inequality:

 Vq ( M , c )  l ≥ log q (Vq ( M , c) − 1) > log q   q   = log q (Vq ( M , c) ) − log q q

 1 M .H ( c )  = log q  .q q M  − 1  M +1   1   c = log q   + M .H q   M +1 M  c = − log ( M + 1) − c log  M

  −1 

c    − ( M − c) log 1 − M  

  + c log ( q − 1) − 1 

This result shows that the choice of fingerprint length for all fingerprint applications must be higher than a certain value, inorder to identify any user set of at most size c . The choice of code length chosen for fingerprint should satisfy the above condition, for it should be possible to identify the collusion set. 3.3

Content Distribution Scheme

We first briefly present the elliptic analog Broadcast encryption technique proposed by Boneh [2] for content distribution where there is one public key and k corresponding private keys followed by our tracing method. The security of the

Reed Solomon Codes for Digital Fingerprinting

169

encryption scheme is based on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (EC-DLP). Our tracing scheme presented later defends against collusion of any number of parties. For tracing, we make use of a certain linear space k

tracing code Γ (Reed Solomon Code), which is collection of k codewords in F , F being a finite field. The construction of the set Γ and its properties are described later. I The Encryption Scheme

Let E be the elliptic curve and G the base point on it. The arithmetic in the following algorithm, which involves additions, subtractions and multiplications, is carried out on the Elliptic Curve E . Key Generation: Perform the following steps Step 1: Let G be the base point of order p on E . Step 2: For i

= 1,2,..., k choose an integer ri ∈ Ζ p and compute points

hi = ri G . k

Step 3: Compute

Y = ∑ (α i hi ) for random α1 , α 2 ,..., α k ∈ Ζ p . i =1

Step 4: The public key is

Y , h1 ,..., hk .

θ i γ (i ) is a representation of Y i th key, θ i , is derived from the i th code

Step 5: A private key is an element θ i ∈ Ζ p such that

with respect to base word

γ

(i )

h1 ,..., hk . The

= (γ 1 ,..., γ k ) ∈ Γ by k

k

j =1

j =1

θ i = (∑ rjα j ) /(∑ rjγ j )(mod p) We frequently refer to the private key as being the representation ever, it may be noted that however that that only

θi

d i = θ i γ (i ) . How-

needs to be kept secret since the

Γ is public. One can verify that d i is indeed a representation of Y with respect to base h1 ,..., hk . Encryption: To encrypt a message m in F2 n first embed the message m onto the

code

elliptic curve

E . Let PM be the message point. Next pick a random element

a ∈ Z p . Then compute:

S = PM + (aY ) and H i = ahi for i = 1,..., k .

170

Ravi Sankar Veerubhotla et al.

Set the ciphertext

C to be C = S , H1 ,..., H k

Decryption: To decrypt a ciphertext

C = S , H1 ,..., H k using the i th user’s private k

key,

θ i , compute PM = S − (θ iU )

where U = ∑ (γ j H j ) . The original message is j =1

recovered as

M = ( x coordinate of PM ). Here γ (i ) = (γ 1 ,..., γ k ) ∈ Γ is the

codeword from which

i th user’s private key θ i is derived. Observe that any private

key θ i correctly decrypts the given ciphertext. II Tracing Scheme

In this section, we show how to get complete information about traitors involved in constructing a pirate decoder. Boneh showed that the efficient way of constructing pirate decryption box is only through convex combinations of existing private keys. The following tracing algorithm is simple, deterministic and traces all the traitors involved in creating a pirate decoder. Linear space tracing: Suppose that the pirate gets hold of m(≤ k ) decryption keys used to create a pirate box D . The decryption scheme is said to be m resistant if there is a tracing algorithm that can determine at least one of the di ’s in the pirate’s possession. The pirate decoder contains at least one representation of Y to correctly decrypt the encrypted content. Further, by examining the decoder, it is possible to obtain one of these representations,

d . Suppose that a pirate key d is constructed by

m keys d 1 ,..., d m . Since d found in the pirate decoder is a convex combination of d i ' s , it must lie in the linear span of d 1 ,..., d m . The construction of tracing algod , it outputs all d i ' s with corresponding weights. The Set Γ : We describe the set Γ containing k codewords over Ζ kp . Since p is large, we can assume p > 2k . We construct Γ with k code words by choosing a matrix B of order k × k as follows. rithm is such that given input

 1   1  12 B =  3  1   M  1k −1 

1

1

K

1

2

3

K

k

22

32

K

k2

3

3

K

k3

2

3

M

M

M

M

2 k −1

3 k −1

K

k k −1

         

Define Γ as the set of rows of matrix B such that Γ contains k codewords each of length k . We show that all the rows of B are linearly independent. If rows of B are Linearly Independent, so do the vectors of Γ . The private keys are constructed using the above set Γ ⊆ Ζ kp containing k codewords. Each of the k users is given a

Reed Solomon Codes for Digital Fingerprinting

private key di ∈ Ζ kp , which is multiple of a codeword in

171

Γ . Let d be the point in the

m codewords γ (1) ,..., γ ( m ) ∈ Γ . Then at least one γ in γ (1) ,..., γ ( m ) must be a member of the coalition that created d . This γ identifies one of the private keys that must have participated in the construction of the d . In fact,

linear span of some

our tracing algorithm will output every

γ (i )

(hence all the traitors) which contributed

d with the corresponding weights in the linear combination. Tracing algorithm: Let d ∈ Ζ kp be the vector formed by taking a linear combina-

to pirate decoder tion of

m (m ≤ k ) vectors from Γ . (Convex combination in d i means a linear

Γ ). We show that given d , one can efficiently determine the unique set vectors in Γ used to construct d . We know that there exists a vector ϖ ∈ Ζ kp of hamming weight (non-zero elements) exactly m such that combination of the vectors in

ϖ BT = d

since the vector

also know that

d = θ .γ

ear combination of

γ

(i )

(θ )

d is linear combination of these rows of matrix B . We

for some

’s so is

γ (θ ) . Since γ (θ )

d . We show how to recover these γ (i ) ’s with their

corresponding weights for which we solve the system ϖ To show

BT = d .

B is linearly independent Consider the matrix

The matrix

is uniquely expressed as lin-

A

  =     

1

x1

x1

2

K

x1

t −1

1

x2

x2

2

K

x2

t −1

1

x3

x3

2

K

x3

t −1

2

K

M

M

M

1

xt

xt

M

M xt

t −1

       

A is in Vandermonde form. One can observe that the matrix A is lineT

arly independent. We see that B is in “Vander Monde” form and we know det B = det BT (≠ 0) . Hence B is linearly independent. As

B is linearly independent matrix, we observe that R [ B T ] = R [ B T : d ]

R [ B T ] denotes the rank of the matrix B T (since d is spanned by rows of B ). T Thus we get k equations in k unknowns. Hence, the system ϖ B = d has a unique solution vector, which is simply ϖ . The i th element of ϖ gives the contribu(i ) tion of the i th user in terms of γ . If the element is zero the corresponding user has no contribution towards the pirate representation d . The tracing is possible since where

γ (i ) ’s are linearly independent.

172

Ravi Sankar Veerubhotla et al.

3.4

Pirate Strategies in Fingerprinting

By “strategy” we mean anything that the pirates choose to create their illegal Fingerprint with, under the restrictions imposed earlier in this paper. In practice this means that they can in each detected mark choose the alternative from among the q alphabets or something else not in the alphabet set, corresponding to an erasure, which we will denote with the symbol e . Given the codewords of the pirate group, a strategy is a mapping from the set of c -tuples of embedded codewords to the set of all possible fingerprints, possibly with erasures

e , f : Γc → ( GF (q) ∪ e )n . Without knowledge of

which codewords the pirates have, the exact result of the pirate’s strategy will in general be unknown to them. To the pirate collusion, a strategy is a random mapping from the set Λ of distinguishable sets of tuple equivalent c -tuples of public codewords to a subset of all possible fingerprints, possibly with erasures, n

f : Λ → S ⊆ ( GF (q ) ∪ e ) where S is the set of words that can be created by some pirate group. A Reed Solomon code can correct

t errors and r erasures, when d min ≥ 2t + r + 1 .

For each code there are cases when this inequality holds with equality. d min tells us that the number of detectable marks in a group of two pirates in a RS code is at least d min . For the situation where the detectable marks can be put in an unreadable state, i.e. be erased, we can state the following lemma. Lemma 3. If colluding pirates create an illegal copy by making erasures in every detectable mark, it may be impossible to trace any of them by decoding the illegal word to the closest codeword.

Proof. Please see Appendix. For a fingerprinting scheme the testing method should counter the simple pirate strategies like binary addition, majority choice, random pirate choice on fingerprints. For tracing to be successful with high probability the fingerprinting method should control the pirate strategy. One such thing that puts limitation on pirate strategy is marking assumption. As per marking assumption there cannot be combining function which is c th order correlation immune. Similarly in Boneh’s encryption scheme the tracing method is successful because the pirate codeword (or privatekey) creation is limited to a convex combination (a sort of linear combination) of existing codewords. 3.5

Performance Measure

As per Marking Assumption users working together are assumed to be unable to make any changes in the objects, other than in places where their objects differ. They can construct a new object embedded with a word from the feasible set of their codewords. If the code is c -IPP and if there are at most c users working together, then with any such newly constructed object z , it is possible to trace to at least one of the users taking part in constructing it (since there is at least one codeword that is a member of all P such that z ∈ FS ( P) where FS ( P) is the feasible set of pirates P under Marking Assumption). c -IPP codes [5], [10], [11] would thus solve the fingerprinting

Reed Solomon Codes for Digital Fingerprinting

173

problem in this setting. However, to construct c -IPP codes with the alphabet size, q , it must be strictly greater than the maximum number of pirates, c. The performance of a fingerprinting scheme depends on tracing algorithm as well as the choice of code. The error correcting capabilities of Reed Solomon codes are already discussed earlier, which can handle modifications and erasures to the embedded fingerprints. The decoding techniques like Berlicamp’s algorithm, which can tolerate erasures and errors, are already used in Boneh’s scheme for tracing purpose.

4

Conclusion

We considered coding methods for fingerprinting digital information, with the aim to discourage users from copyright violation. Reed Solomon codes used to provide certain forms of traceability have been presented for fingerprinting applications that can protect intellectual property rights. Results for Reed Solomon codes related to fingerprinting are derived. A scheme for fingerprinting can make use of these codes with any known embedding methods along with the encryption scheme i.e. the fingerprinted object is encrypted first before broadcast. Different types of attacks are discussed, including attacks from colluding pirates. The tracing presented by us also works for a Digital Fingerprinting scheme when pirates use linear combinations of codewords.

Acknowledgement The first author would like to acknowledge the discussions with his colleague Sanjay Rawat.

References [1] [2] [3] [4] [5]

[6]

R. Anderson, F. A. P. Petitcolas: On The Limits of Steganography IEEE Journal of Selected Areas in Communications, 16(4), 474-481, 1998 D. Boneh, M. Franklin: An Efficient Public Key Traitor Tracing Scheme, Proceedings of Crypto '99, Springer-Verlag, pp. 338-353, 1999 Boneh, J. Shaw: Collusion-Secure Fingerprinting for Digital Data, IEEE Trans. Inform. Theory, vol IT-44, pp. 1897-1905, 1998 Chor, A. Fiat, M. Naor: Tracing Traitors, Proceedings of Crypto '94, SpringerVerlag, pp. 257-270, 1994 H. D. L. Hollman, J. H. van Lint, J. P. Linnartz , L. M. G. M. Tolhui-zen: On Codes with the Identifiable Parent Property, Journal of Combinatorial Theory, pp. 121-133, Series 82, 1998 S. Katzenbeisser, F. A. P. Petitcolas (ed.) : Information Hiding Techniques for Steganography and Digital Watermarking, Artech House, 2000

174

Ravi Sankar Veerubhotla et al.

[7]

Kiayias, M. Yung: Cryptographic Hardness based on the Decoding of ReedSolomon Codes with Applications ECCC Technical Report TR02-017, 2002 Kiayias, M. Yung: Cryptographic Hardness based on the Decoding of Reed-Solomon Codes, Proceedings of ICALP 2002, Springer-Verlag, pp 232243 Löfvenberg, T. Lindkvist: A General Description of Pirate Strategies in a Binary Fingerprinting System, 2000, http://www.it.isy.liu.se/publikationer/LiTH-ISY-R-2259.pdf P. Sarkar, D. R. Stinson: Frameproof and IPP Codes, Indocrypt'01, SpringerVerlag, pp.117-126, 2001 R. Stinson, R. Wei: Combinatorial properties and constructions of traceability schemes and frameproof codes, SIAM Journal of Discrete Mathematics 11, pp. 41-53, 1998

[8]

[9]

[10] [11]

Appendix Lemma 1. For

[n, t ] code over GF (q) if 0 ≤

t

Vq ( n, t ) ≤ q Proof. Let

≤ 1 − ( 1 q ) , then

n

nH q ( t n )

τ = t n . Then,

From the definition of entropy function H q ( x ) we get q Thus

q

− nH q (τ )

.Vq ( n, t ) = τ t (1 − τ )

t

≤ τ (1 − τ )

n −t

( q − 1)

−t

n −t

− nH q (τ )

= τ t (1 − τ )

t

 n

i=0

 

( q − 1) .∑   ( q − 1) i −t

for τ ≤ 1 − (1 q )  n n −i = ∑  τ i (1 − τ ) i =0  i  n

n

= (τ + (1 − τ ) ) = 1 , Hence, we have the result

i

 n i  (1 − τ )( q − 1)  .∑   ( q − 1)   τ i =0  i    t

Vq ( n, t ) ≤ q

nH q (τ )

.

Lemma 2. For [n, t ] code over GF (q) , for 0 ≤ t ≤ n ,

 n 1 t nH ( t n ) Vq ( n, t ) ≥   ( q − 1) ≥ .q q . t + n 1  

n −t

t −i

.

Reed Solomon Codes for Digital Fingerprinting

175

 n n −i N i =  τ i (1 − τ ) . i We first show that N i is maximal when i = t. Since Proof. Let τ = t n and let

 n  i +1 n − i −1  τ (1 − τ ) N i + 1  i + 1 n−i τ = = . . Ni i + 1 1 −τ  n i n −i  τ (1 − τ ) i So, ( N i + 1) N i < 1 if and only if i ≥ t . It follows that n

( n + 1) .Nt ≥ ∑ N i = (τ + (1 − τ ) )

n

=1

i =0

and, so,

Hence,

Nt ≥

1 . On the other hand, n +1  n  n n −t t − nH ( t n ) N t =  τ t (1 − τ ) =   ( q − 1) .q q . t t

 n 1 t nH ( t n ) nH ( t n ) .q q Vq ( n, t ) ≥   ( q − 1) = Nt .q q ≥ t 1 n +  

Lemma 3. If colluding pirates create an illegal copy by making erasures in every detectable mark, it may be impossible to trace any of them by decoding the illegal word to the closes codeword. Proof. Consider exactly two pirates. For certain to be able to correct find one of the pirates, the number of erasures, e must not be greater than d min − 1 , if we are to be sure to be able to do a correct decoding. The minimum Hamming distance between two codewords is d min , which means that the number of detectable marks for the pi-

rates is at least d min . And e = d min ≥ d min − 1 , so it may be impossible to decode this correctly. This is true when the coalation size c = 2 , for any alphabet size q , and adding more pirates will not alter any of the detectable marks undetectable. So this holds for any number of pirates c ≥ 2 .

A Note on the Malleability of the El Gamal Cryptosystem Douglas Wikstr¨om Swedish Institute of Computer Science (SICS) [email protected]

Abstract. The homomorphic property of the El Gamal cryptosystem is useful in the construction of efficient protocols. It is believed that only a small class of transformations of cryptotexts are feasible to compute. In the program of showing that these are the only computable transformations we rule out a large set of natural transformations.

1

Introduction

Several efficient cryptographic protocols are based on the El Gamal cryptosystem. The reasons for this are mainly the algebraic simplicity of the idea, and the homomorphic property it possesses. The latter property makes the El Gamal system malleable, i.e. given c = E(m) it is feasible to compute c′ = E(f (m)), for some nontrivial function f . It is commonly conjectured that the El Gamal cryptosystem is malleable only for a small class of simple functions, and this is sometimes used implicitly in arguments about the security of protocols. Thus it is an important problem to characterize the malleability of the El Gamal cryptosystem. We take a first step in this direction. We formalize the problem, and discuss why restrictions of the problem are necessary. Then we show that the only transformations that can be computed perfectly are those of a well known particularly simple type. Further on we give two examples that show that possible future results are not as strong as we may think. Finally we rule out a large set of natural transformations from being computable. 1.1

The El Gamal Cryptosystem

First we review the El Gamal cryptosystem and introduce some notation. All computations of the El Gamal cryptosystem [2] take place in a group G, such as a subgroup of Z∗p or an elliptic curve group. We assume that |G| = q is prime, and that there is a system wide generator g of G. Keys are generated by choosing x ∈ Zq uniformly and computing y = g x , where the private key is x and the public key is y. Encryption is defined by Ey (m, r) = (g r , y r m) for a message m ∈ G and a random exponent r ∈ Zq chosen uniformly. Decryption is defined by Dx (u, v) = vu−x . A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 176–184, 2002. c Springer-Verlag Berlin Heidelberg 2002 

A Note on the Malleability of the El Gamal Cryptosystem

177

Above we described the system generically for any group of prime order, but to define security we need to consider families of groups. Let q1 , q2 , . . . be an increasing sequence of prime numbers, where ⌈log2 qn ⌉ = n, and let q = {qn }. We denote the family {Zqn } by Zq . Let G = {Gn } be a family of groups such that |Gn | = qn . We use Zq and G generically to denote Zqn and Gn when no reference to n is made. We take n to be the security parameter. Finally we assume that the Decision Diffie-Hellman assumption (DDH) [1, 4] holds in G = {Gn }. Let g be a generator in G, and let a, b and c be uniformly and independently distributed in Zq . Then DDH states that (g a , g b , g ab ) and (g a , g b , g c ) are indistinguishable. Tsiounis and Yung [4] formally proves that this implies that the El Gamal cryptosystem is semantically secure over G. 1.2

Notation

Throughout we denote by PC the set of polynomial size circuit families. We abbreviate uniformly and independently distributed by u.i.d. . To simplify notation we avoid using the security parameter n. For example, if we consider a family of functions φ = {φn }, we use φ generically for φn and each appropriate n. 1.3

The Problem

For any message m ∈ G there exists a unique element me ∈ Zq such that m = g me . Thus any El Gamal encryption (g r , y r m) can be written (g r , y r g me ). The latter notation, is sometimes more natural and we use both conventions. There is a small and well know class of transformations of cryptotexts, used in many protocols, that we summarize in an observation. Observation 1. Set φ(r) = b1 r + b0 and ψ(me ) = b1 me + h0 . Then the map: (g r , y r g me ) → (g φ(r) , y φ(r) g ψ(me ) ) is feasible to compute. Some authors use the term homomorphic cryptosystem, since these transformations can be formulated as group homomorphisms. It is natural to ask what other transformations can or can not be computed “under encryption”. For simplicity we use the non-uniform computational model, i.e. feasible transformations are transformations that can be computed by a deterministic non-uniform circuit family. We restrict our attention to deterministic transformations, since given a probabilistic algorithm that computes a transformation there is a deterministic circuit family that performs at least as well. Given y = g x , each pair (u, v) ∈ G × G can be uniquely represented on the form (u, v) = (g r , y r g me ). This implies that for each function f : G×G → G×G, and y ∈ G, there are unique functions φy , ψy : Zq × Zq → Zq , such that: f (u, v) = f (g r , y r g me ) = (g φy (r,me ) , y φy (r,me ) g ψy (r,me ) ) .

178

Douglas Wikstr¨ om

Most general functions f are not what we intuitively would consider “transformations computed under encryption”, and it seems difficult to prove anything useful if we consider any function f a transformation of cryptotexts. Our approach is therefore to require that a transformation is given by a fixed pair (φ, ψ) of deterministic functions φ, ψ : Zq × Zq → Zq and parametrized by y, i.e. we define a map (y, φ, ψ) : G × G → G × G for each y by the following: (y, φ, ψ) : (g r , y r g me ) → (g φ(r,me ) , y φ(r,me ) g ψ(r,me ) ) . Such transformations act uniformly for all y, i.e. given (ui , vi ) = (g r , yir g me ) for φ(r,me ) ψ(r,me ) i = 1, 2 we have (yi , φ, ψ)(ui , vi ) = (g φ(r,me ) , yi g ). Our method can not be applied to general uniform transformations, and we are forced to further restrict the problem. We require that φ depends only on r, and that ψ depends only on me . Thus we study the special problem posed as follows: Problem 1. Given φ, ψ : Zq → Zq , let (y, φ, ψ)(g r , y r g me ) = (g φ(r) , y φ(r) g ψ(me ) ). For which φ and ψ is the transformation (y, φ, ψ) feasible to compute?

2

Our Results

We exhibit two propositions. The first shows that only transformations of the type described in Observation 1 can be computed perfectly. Then we give two examples that show that strong results can not be hoped for. Finally we give the main proposition, which may have some practical significance. It identifies a set of functions ψ such that the map (y, φ, ψ) is hard to compute for every φ. 2.1

Some Preparation

The hypothesis of the propositions differ only slightly depending on which case is considered. To avoid duplication of the hypothesis, and for increased clarity we give it here. Hypothesis 1. 1. Let G = {Gn } be a family of groups such that |Gn | = qn , where qn is a prime number such that ⌈log2 qn ⌉ = n, and assume that DDH holds in G. Let g = {gn } be a generator of G. 2. Let X = {Xn } be a family of random variables, where Xn is u.i.d. in Zqn , and let Y = {Yn }, where Yn = g Xn . 3. Let R = {Rn } be a family of random variables, where Rn is u.i.d. in Zqn . 4. Let M = {Mn } be a family of random variables on Gn , and define the induced family (U, V ) = {(Un , Vn )} of random variables by setting (Un , Vn ) = EYn (Mn , Rn ).

A Note on the Malleability of the El Gamal Cryptosystem

179

5. Let φ = {φn } and ψ = {ψn } be families of functions over Zq , i.e. φn , ψn : Zqn → Zqn . Define for each family y = {yn } ∈ G a family of maps (y, φ, ψ) = {(yn , φn , ψn )}, where: (yn , φn , ψn ) : Gn × Gn → Gn × Gn (yn , φn , ψn ) : (gnr , ynr gnme ) → (gnφn (r) , ynφn (r) gnψn (me ) ) . Definitions of M , φ, and ψ are given separately in each proposition. The following definition, first given by Goldwasser and Micali [3] define what should be considered randomly guessing the output of a knowledge function. Definition 1. Let M = {Mn } be a family of random variables, where the outcomes of Mn are in Gn , and let f = {fn } be a family of functions fn : Gn → Gn . We define: pn (f, M ) = max Pr[Mn ∈ fn−1 (v)] . v∈Gn

The probability pn (f, M ) is the maximum probability of any algorithm to guess fn (Mn ) using no information on the outcome of Mn except its distribution. Since El Gamal is semantically secure [3, 4] we have under the assumptions in the hypothesis and with arbitrary f = {fn }, that ∀A ∈ PC, ∀c, ∃n0 such that for n > n0 it holds that: Pr[A(Y, (U, V )) = f (M )] < pn (f, M ) + 2.2

1 . nc

The Perfect Case

The following proposition says that if we require a circuit family to succeed with probability 1 in computing the map (y, φ, ψ) the only possible maps are those where ψ is linear. Proposition 1. Let G, X, Y , M , (U, V ), φ and ψ be as in Hypothesis 1, let M be arbitrarily distributed in G, and assume that ψn (x) is non-linear for infinitely many n. Then ∀A ∈ PC, ∃n0 such that ∀n > n0 : Pr[A(Y, (U, V )) = (Y, φ, ψ)(U, V )] < 1 . Proof. The proof is by contradiction. Assume that A, φ, and ψ as above show the proposition false for indices n in some infinite index set N . Then ψ1 (x) = ψ(1 + x) − ψ(x) is not constant. Let g m0 and g m1 be two messages such that ψ1 (m0 ) = ψ1 (m1 ). Let A′ be the circuit family that given a public key y and an encryption (u, v) of the message g mb computes (u0 , v0 ) = A(y, (u, v)) and (u0 , v1 ) = A(y, (u, vg)), and returns b when v1 /v0 = g ψ1 (mb ) . Clearly A′ breaks the polynomial indistinguishability, and thus the semantic security of the El Gamal cryptosystem. ⊔ ⊓

180

2.3

Douglas Wikstr¨ om

Two Examples of Possible Approximations

In general we expect that the difficulty of computing a map (y, φ, ψ) depends on both φ and ψ. On the other hand, in applications we are more interested in how an adversary can transform the cleartext hidden inside a cryptotext. In most situations we expect the adversary to rerandomize its output, but as explained in Section 1.3 such an adversary implies the existence of a deterministic adversary. Thus, given a fixed ψ, a reasonable goal is to bound the probability for any adversary to compute (y, φ, ψ) for any choice of φ. We now present two examples that show that we should not hope for general strong results. Both examples assume that G, X, Y , M , (U, V ), φ and ψ are as in Hypothesis 1, and that M is u.i.d. . Example 1. Let ψ be arbitrary but fixed and let w maximize Pr[M ∈ ψ −1 (w)]. Let A be the circuit family that computes r′ = h(u), where h : G → Zq , and ′ ′ then outputs (g r , y r g w ). Clearly Pr[A(Y, (U, V )) = (Y, φ, ψ)(U, V )] = pn (ψ, M ), where φ(r) = h(g r ). The example shows that for every ψ there is a non-trivial φ such that the map (y, φ, ψ) can be computed with probability at least pn (ψ, M ). Thus the best general result under Hypothesis 1 we could hope for at this point is to show that ∀A ∈ PC, ∀c > 0, ∃n0 > 0, such that for n > n0 : Pr[A(Y, (U, V )) = (Y, φ, ψ)(U, V )] < pn (ψ, M ) +

1 , nc

but no such result exists as the next example shows. Example 2. Let c > 0 be fixed and define Bn = {x ∈ Zqn : 0 ≤ x ≤ nqnc }, B = {Bn }. Define ψn (x) = x + 1 if x ∈ Bn , and ψn (x) = x2 otherwise, and set φ = id. Let A be the circuit family that assumes that the input (u, v) = (g r , y r g me ) satisfies me ∈ B, and simply outputs (u, vg). We have |ψ −1 (x)| ≤ 3 for all x ∈ Zq , which implies pn (ψ, M ) ≤ q3n , but still A computes (y, φ, ψ) with probability 1/nc for a fixed c. Thus the example shows that we can sometimes compute a transformation with much greater probability than pn (ψ, M ), i.e. the probability of guessing ψ(me ). Intuitively the problem seems to be that our ability to compute transformations from the class described in Observation 1 changes what should be considered guessing. 2.4

A Class of Hard ψ

We now exhibit a class of ψ that are hard in the sense that the map (y, φ, ψ) is hard to compute for all φ. The idea of Proposition 2 below is that given input (y, (u, v)) and an oracle A for computing a transformation (y, φ, ψ) we can ask A several different but related questions. If A answers our questions correctly we are able to compute some derived knowledge function f of the cleartext.

A Note on the Malleability of the El Gamal Cryptosystem

181

Let ψ = {ψn } be a family of functions, ψn : Zqn → Zqn , and let s ∈ Zq . Denote by ψs the function given by ψs (x) = ψ(x + s) − ψ(x). We prove below that a ψ that satisfies the following definition has the desired property. Definition 2. Let ψ = {ψn } be a family of functions, ψn : Zqn → Zqn , let M = g Me , where Me is a random variable in Zq , and let S be u.i.d. in Zq . If ∀c > 0, ∃n0 > 0 such that ∀n > n0 we have: Pr[pn (ψS , M )
1− c , nc n

then we say that ψ is strongly non-linear with respect to M . The following definition may seem more natural to some readers. Definition 3. Let ψ = {ψn } be a family of functions, ψn : Zqn → Zqn , let Me and S be random variables in Zq , where S is u.i.d. . If ∀a ∈ Zq , ∀c > 0, ∃n0 such that ∀n > n0 we have: Pr[ψ(Me + S) − ψ(Me ) = ψ(S) + a]
0, ∃n0 such that ∀n > n0 : Pr[ψ(Me + S) − ψ(Me ) = ψ(S) + a]
= Pr[S = s] Pr[ψ(Me + s) − ψ(Me ) = ψ(s) + a] s∈Zq

≤




Pr[S = s]J(s) = E[J(S)]

s∈Zq

1 1 1 1 ]E[J(S)|J(S) < c ] + Pr[J(S) ≥ c ]E[J(S)|J(S) ≥ c ] nc n n n 1 2 1 < 1· c + c ·1 = c . n n n

= Pr[J(S)
0, ∃n0 > 0, such that for n > n0 : Pr[A(Y, (U, V )) = (Y, φ, ψ)(U, V )]
0, φ, and ψ, as above shows the proposition false for indices n in some infinite index set N . Define a function fs for each s ∈ Zq by fs (g me ) = g ψs (me ) . We describe a probabilistic circuit family A′ that uses A to compute the knowledge function fs with notable probability. This breaks the semantic security of the El Gamal cryptosystem, if pn (fs , M ) is negligible. Given input (y, (u, v)), where (u, v) = (g r , y r m) ∈ G × G, A′ does the following: 1. It randomly chooses s ∈ Zq . 2. It uses A to compute (u0 , v0 ) = A(y, (u, v)) and (u1 , v1 ) = A(y, (u, vg s )) 3. It returns vv10 . Let S = {Sn } be a u.i.d. random variable over Zq , and let H0 denote the event that A(Y, (U, V )) = (Y, φ, ψ)(U, V ), and H1 denote the event that A(Y, (U, V g S )) = (Y, φ, ψ)(U, V g S ). If the events H0 and H1 take place we have vv10 = fS (M ) by definition of the algorithm. We see that ((U, V )|R = r) and ((U, V g S )|R = r) are independent variables. Since R is u.i.d. we have:
Pr[H0 ∧ H1 ] = Pr[R = r] Pr[H0 ∧ H1 |R = r] r∈Zq

=




Pr[R = r] Pr[H0 |R = r]2

r∈Zq



≥




r∈Zq

2

Pr[R = r] Pr[H0 |R = r]

= Pr[H0 ]2 ≥

1 n2c

where the inequality is implied by the convexity of the function h(x) = x2 and Jensen’s Inequality. We are only interested in outcomes s of S such that pn (ψs , M ) = pn (fs , M ) is negligible (in particular s = 0). Let W denote the event that S has this property. By assumption the probability of W is negligable and we have: Pr[W ∧ A′ (Y, (U, V )) = fS (M )] ≥

1 . 2n2c

A Note on the Malleability of the El Gamal Cryptosystem

183

The inequality implies that there exists for each n ∈ N an outcome sn of Sn such that the inequality still holds. Let A′′ = {A′′n } be the circuit family that is identical to A′ except that A′′n uses this fixed sn instead of choosing it randomly. We set s = {sn } and fs = {fsn }, and conclude that A′′ has the property: Pr[A′′ (Y, (U, V )) = fs (M )] ≥

1 , 2n2c

for n ∈ N . Semantic security of the El Gamal cryptosystem implies that ∀c′ > 0, ∃n0 such that for n > n0 holds: Pr[A′′ (Y, (U, V )) = fs (M )] < pn (fs , M ) +

1 . nc ′

Since fs was constructed such that pn (fs , M ) is negligible we have reached a contradiction. ⊔ ⊓ The proposition can be slightly generalized by considering distributions of the messages that are only almost uniform on its support when the support is sufficiently large. To keep this note simple we omit this analysis. We proceed by defining a special subclass of the strongly non-linear functions that is particularly simple, and may be important in applications. Definition 4. Let ψ = {ψn } be a family of functions, ψn : Zqn → Zqn . We say that ψ has low degree if ∀c > 0, ∃n0 such that for n > n0 it holds that: deg ψn 1 < c . qn n A simple example of a family ψ = {ψn } that satisfies the above definition is where ψn (x) = p(x) for some fixed polynomial p(x) for all n. We have the following corollary almost immediately from the proposition. Corollary 1. Let G, X, Y , M , (U, V ), φ and ψ be as in Hypothesis 1, let M be u.i.d. in G, and assume that ψ has low degree and that deg ψn ≤ 1 for at most finitely many n. Then ∀A ∈ PC, ∀c > 0, ∃n0 > 0, such that for n > n0 : Pr[A(Y, (U, V )) = (Y, φ, ψ)(U, V )]
0 and deg ψs = deg ψ − 1. This implies that when s = 0 we −1 max |ψs−1 (v)| ψ have pn (ψs , M ) = ≤ max |ψqn (v)| ≤ deg qn qn , which is negligible since ψ has low degree. ⊔ ⊓

184

3

Douglas Wikstr¨ om

Conclusion

It seems impossible to prove anything useful about general malleability of the El Gamal cryptosystem as discussed in Section 1.3. Instead we have formalized what we consider a reasonably restricted problem. Under these restrictions we have exhibited a class of transformations that are not feasible to compute, when the message distribution is uniform. This may be of practical value when arguing about the security of certain protocols based on El Gamal. We have also given examples that indicate that the best possible results are not as strong as one may think. It is an open problem to characterize further classes of transformations. A natural generalization is to consider lists of cryptotexts and consider the difficulty of computing transformations on such lists. This and other generalizations are relevant for mix-nets, and mix-net based voting schemes, where robustness is based on repetition and the impossibility of general transformations. Another interesting line of research is to investigate the malleability properties of El Gamal in concrete groups, e.g. the multiplicative group of integers modulo a prime, or an elliptic curve group.

4

Acknowledgement

We had discussions with Gunnar Sj¨odin and Torsten Ekedahl. Johan H˚ astad gave advice on how to simplify this note.

References [1] Dan Boneh, The Decision Diffie-Hellman Problem, Proceedings of the Third Algorithmic Number Theory Symposium, Lecture Notes in Computer Science 1423, pp. 48–63, Springer-Verlag, 1998. 177 [2] Taher El Gamal, A Public Key Cryptosystem and a Signiture Scheme Based on Discrete Logarithms, IEEE Transactions on Information Theory 31, pp. 469-472, 1985. 176 [3] Shafi Goldwasser, Silvio Micali, Probabilistic Encryption, Journal of Computer Science 28, pp. 270-299, 1984. 179 [4] Yiannis Tsiounis, Moti Yung, On the Security of El Gamal based Encryption, International workshop on Public Key Cryptography, Lecture Notes in Computer Science 1431, pp. 117–134, Springer-Verlag, 1998. 177, 179

Authentication of Concast Communication Mohamed Al-Ibrahim1 , Hossein Ghodosi2 , and Josef Pieprzyk3 1

Center for Computer Security Research, University of Wollongong Wollongong, NSW 2522, Australia [email protected] 2 School of Information Technology, James Cook University Townsville, Qld 4811, Australia [email protected] 3 Department of Computing, Macquarie University Sydney, NSW 2109, Australia [email protected]

Abstract. In this paper we tackle the problem of finding an efficient signature verification scheme when the number of signatures is significantly large and the verifier is relatively weak. In particular, we tackle the problem of message authentication in many-to-one communication networks known as concast communication. The paper presents three signature screening algorithms for a variant of ElGamal-type digital signatures. The cost for these schemes is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature, where n is the number of signatures. The paper also presents a solution to the open problem of finding a fast screening signature for non-RSA digital signature schemes.

1

Introduction

One of the greatest outcomes of the invention of public-key cryptography [10] is the digital signature. It creates a sort of digital encapsulation for the document such that any interference with either its contents or the signature has a very high probability of being detected. Because of this characteristic, the digital signature plays an important role in authentication systems. Authentication systems, however, are subject to a variety of attacks, and therefore the verification of digital signatures is a common practice. A verification of digital signature needs to apply a particular (in general, a publicly-known) algorithm. So, a digital signature scheme is a collection of two algorithms, and it must have the following properties: 1. The signing algorithm SigK : K × M → Σ assigns a signature σ = SigK (M ), where M ∈ M is a message, K ∈ K is the secret key of the signer and Σ is the set of all possible values of the signatures. 2. The signing algorithm executes in polynomial time when the secret key K is known. For an opponent, who does not know the secret key, it should A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 185–198, 2002. c Springer-Verlag Berlin Heidelberg 2002


186

Mohamed Al-Ibrahim et al.

be computationally intractable to forge a signature, that is, to find a valid signature for a given message. 3. The verification algorithm Vk : k × M × Σ → {yes, no} takes public information k ∈ K of the signer, a message M ∈ M and a given signature σ ∈ Σ of the message M . It returns “yes” if σ is the signature of the message M ; otherwise it returns “no”. 4. The verification algorithm, in general, is a publicly known (polynomial time) algorithm. So, anyone can use it to check whether a message M matches the signature σ or not. Several digital signature schemes, for different purposes, have been introduced in the literature of public-key cryptography. In original digital signature schemes (e.g., [16, 11]), both parties of the system (the signer and the verifier) are individuals. The invention of society and group oriented cryptography [7] led to the generation and/or verification of digital signatures by a group of participants rather than individuals (see, for example, [4, 8, 14, 19]). In almost all of these digital signature schemes, the generation/verification of a signature requires the performance of some exponentiation. Since exponentiation is a costly operation, the design of efficient digital signature schemes (from both the generation and verification points of view) was the subject of investigation by several researchers (see, for example, [13, 18, 9, 6]). The efficiency of the system is of paramount importance when the number of verifications is considerably large (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of the coins). 1.1

Relevant Work

In our schemes, verification of a digital signature implies modular exponentiation. Thus, previous works on improving the performance of modular exponentiation [5, 17] and batch verification of modular exponentiation [12, 3] are highly relevant to this work. The latest work on batch verification of modular exponentiation is by Bellare et al [3]. In their work, a batch instance consists of a sequence (x1 , y1 ), . . . , (xn , yn ), and the query is whether or not yi = g xi for all i = 1, . . . n (where g is a primitive element in a group). Their proposed algorithms solve this problem with an error probability of 2−ℓ for a predetermined parameter ℓ. They have also considered batch verification for the RSA signatures, where the verification relation is modular exponentiation with a common exponent. That is, given a sequence of pairs (Mi , σi ), one would like to verify the ith signature by checking that σie = H(Mi ) mod N , where H(.) is a hash function and e, N are the RSA public key and modulus respectively. In their solution to this particular case –also called screening algorithm– the batch instance (Mi , σi ), i = 1, 2, . . . , n, passes the test if
n e n   H(Mi ) (mod N ). = σi i=1

i=1

Authentication of Concast Communication

187

It is obvious that the batch instance (M, xα), (M, x/α) is incorrect, but passes their verification test. However, they have shown that this is not really a problem from a screening perspective, since one wants to make sure that M has been sighted by the legitimate signer, even though the signature is not correct. They have proved that if RSA is one-way, then an adversary cannot produce such a batch instance that was never signed by the signer but still passes their test. Note that, in their work [3], fast screening algorithms for other signature schemes and several other issues have been left as open problems. 1.2

Concast Scenario

Multicast is a one-to-many communication mode that has greatly interested the research community in the past few years as a tool for delivering messages to a group of recipients in an efficient way. The main benefit behind deploying multicast is that it minimizes the bandwidth utilization in the already congested network [9, 1]. Multicast communication is usually not a one-way direction communication. A group of recipients, in reliable multicast applications for example, may contact the sender as a feedback acknowledgment. A wide range of many-to-one applications also includes shared-whiteboard, collaborative applications, and report-in style applications. This sort of many-to-one communication is known as concast communication. The well known implosion problem in broadcast communication is addressed here. The problem occurs when a receiver is overwhelmed with messages from different senders and has to process them efficiently. The problem of implosion could be worse if security validation was required to authenticate a group of messages. In this case, an efficient authentication scheme is required to alleviate the burden on the receiver. Therefore, concast communication can be considered from the security perspective as many-signers/one-verifier problem. In this paper, we present different schemes that solve this problem. Our first scheme works with the help of a trusted combiner. The second scheme works with no help from a trusted party, but requires interaction between signatories. The third scheme, however, minimizes the interaction between parties in the system.

2

The Model

Given a sequence of signatures (M1 , σ1 ), . . . , (Mn , σn ), a recipient –with relatively small computing resources accessible to him– wishes to verify these signatures. The naive method is to verify each signature individually and to accept the whole set if all signatures pass the verification algorithm. Obviously, this is a very time consuming task and is not applicable for a recipient with small computing power. An alternative method could be to use the batch verification strategy, in which a randomly selected subset of signatures is verified, and, if that subset passes the verification, then we accept (with some probability) that

188

Mohamed Al-Ibrahim et al.

the whole sequence will pass the verification algorithm. However, this technique might only be acceptable if there is a strong and trusted entity between the receiver and the senders. A desirable solution could be if the verifier can perform a signature screening and accept the whole set of signatures if they pass the test. In other words, screening is the task of determining whether the signer has at some point authenticated the text Mi , rather than the task of checking that the particular string σi provided is a valid signature of Mi . Note that the screening technique of [3] does not seem to be applicable for RSA based signatures in a concast environment. In this paper, we present a signature screening for a variant of ElGamal [11] type digital signatures.

3

Components of the System

This section considers the basic tools which we will use for the implementation of our schemes. 3.1

Communication Channel

Each signer and the verifier is connected to a common broadcast medium with the property that messages sent to the channel instantly reach every party connected to it. We assume that the broadcast channel is public, that is, everybody can listen to all information communicated via the channel, but cannot modify it. These assumptions for this model of communication channel may seem somewhat severe (i.e., does not fit the Internet or cellular network). However, the purpose of these assumptions is to focus on the proposed protocol at a high level. It is worth noting that these assumptions can be substituted with standard cryptographic techniques for achieving privacy and authenticity. 3.2

Signature Scheme

We employ a variant of ElGamal-type digital signature, which is a slightly modified version of a signature that has been used in [15]. Let p, q be large primes such that q|(p − 1), and let g ∈ Zp = GF (p) be an element of order q. Let H(.) be an appropriate hash function that hashes messages of arbitrary length into an element of Zp . Also let xi ∈ Zq be the secret key and yi = g xi (mod p) be the public key associated with user ui . The values p, q, g, yi , and the hash function H(.), are the common parameters in the network. Signature Generation: In order to sign a message m = H(M ) ∈ Zp , the signer chooses a random k and computes r = mg −k ′

s = k − r xi where r′ = r

(mod q).

(mod p) (mod q)

(1) (2)

Authentication of Concast Communication

189

Verification: The verifier accepts the signature (M, s, r) if the following equation holds true: ′

H(M ) = g s yir r 3.3

(mod p)

An Approach to Digital Multisignature

In society and group oriented cryptography it is required that a cryptographic transformation be performed by a group of participants rather than an individual. Let U = {u1 , . . . , un } be the set of all users and assume that the group policy requires that a group signature must be mutually generated by all group members. This is known as a multisignature scheme. The group signature on message m = H(M ) ∈ Zq can be generated using the following protocol: Signature Generation: 1. Each ui chooses a random ki ∈ Zp and computes ri = mg −ki (mod p). 2. After n all participants broadcast their ri , every signatory calculates r = (mod p). i=1 ri 3. Each ui (i = 1, . . . , n) generates his signature as si = ki − r′ xi (mod q), where r′ ≡ r (mod q). 4. Each ui (i = 1, . . . , n) sends his partial signature (si , ri ) of message m to the combiner (through the public channel). 5. Once all partial group signatures are received, the group signature of message m can be generated as (s, r), where s=

n 

si

(mod q).

i=1

Verification: The verification of the group signature is similar to the verification of  an indin vidual signature. Note that, the secret key of thegroup is, in fact, x = i=1 xi n (mod q), and the public key of the group is y = i=1 yi (mod p). The verifier accepts the signature (M, r, s) if the following equation holds true: ′

mn = g s y r r

(mod p)

Note that the concast scenario is different from the multisignature scheme in at least the following ways: – In a concast environment the set of users (signatories) is not fixed. – In a concast environment each user may sign a different message.

4

Scheme 1

This scheme utilizes a particular hash function, known as a sibling hash function [20, 2]. The sibling hash function has the property that given a set of initial

190

Mohamed Al-Ibrahim et al.

strings colliding with one another, it is computationally infeasible to find another string that would collide with the initial strings. The performance of this scheme also requires the employment of a trusted Concast Manager (CM) who designs the sibling hash. Signature Generation: Let a set of n participants wish to sign their own messages. Each participant (using the public channel) sends his message to the CM, who is responsible for designing the sibling hash. After receiving all messages, CM generates the hash value of all messages and transmits it (through the public channel) to all signatories. Note that, although the messages were different, their hash values are the same, and thus, from the signature algorithm’s point of view, a single message needs to be signed. That is, the problem of signing different messages has now been converted to the problem of signing a single message by a set of n participants. This is the multisignature scheme, and the protocol in Section 3.3 can be applied. 4.1

Security Issues

The security analysis of a multisignature system comprises the following: (i) The set of partial signatures and the group signature must not give away any information about the secret keys of the users or the secret key of the group. It is not difficult to see that this requirement is satisfied in the proposed multisignature scheme. (ii) An opponent might try to impersonate user ui and participate in the signing protocol. Since the secret key of each user has chosen randomly and independently from the secret keys of other users, a successful attack implies that the underlying digital signature is not unforgeable. (iii) A pair (s, r) will be accepted as the group signature on message, m, if it passes the signature verification test. Note that, if all partial signatures are genuine then the combined signature is a genuine signature, but the other way around is not necessarily correct. For example, in the proposed multisignature scheme every set of random values {(r1 , s1 ), . . . , (rn , sn )} that satisfy n r = Πi=1 ri

(mod p)

and

n s = Σi=1 si

(mod q)

will generate a correct group signature. However, knowing that a group signature cannot be generated by any unauthorized set of users, generation of faulty partial signatures –that combine to a correct group signature– is only possible by the set of legitimate users. The main drawback of this scheme is that it does not work without the help of a trusted CM. Considering the fact that agreement on who is trusted is not

Authentication of Concast Communication

191

easily reached, cryptographic systems that rely on the use of a trusted party are not very desirable. Remark: In multisignature schemes, if the generated group signature cannot pass the verification test, then the combiner performs partial signature verification, in order to find the malicious user. The commonly used algorithm requires the verification of all partial signatures, that is, in O(n) running time. This is a very time consuming task. In this paper, after providing necessary background information, we will present an algorithm that detects a faulty partial signature in O(log n) running time (see Section 7).

5

Scheme 2

In this scheme we omit the trusted CM. Let users u1 , . . . , un wish to sign the messages m1 , . . . , mn respectively, where mi = H(Mi ). We suggest the following protocol, which works in almost the same manner as multisignature schemes, although the messages are different. Signature Generation 1. Each ui chooses a random ki ∈ Zp and computes ri = mi g −ki (mod p). 2. After n all participants broadcast their ri , every signatory calculates r = (mod p). i=1 ri 3. Each ui (i = 1, . . . , n) generates his signature as si = ki − r′ xi (mod q), where r′ ≡ r (mod q). 4. Each ui (i = 1, . . . , n) sends his signature (Mi , si , ri ) through the public channel. Verification: 1. After receiving n signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ), the verifier computes n n   s= H(Mi ) mod p si (mod q), and m = i=1

i=1

2. The verification of the combined signature (m, s, r) is the same as in the underlying signature scheme, that is, the signatures are accepted if ′

m = gsyr r 5.1

(mod p)

Performance Issues

Given n signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ) the scheme requires n applications of hash functions (to generate H(Mi ), i = 1, . . . , n), n modular multiplications (to compute m), n modular multiplications (to compute r), and n modular additions (to generate s) in order to construct the combined signature (m, s, r). After having the signature (m, s, r), the verifier needs to verify a single signature

192

Mohamed Al-Ibrahim et al.

as in the underlying digital signature scheme. That is, from an efficiency point of view, the cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions plus the verification of one digital signature. However, from a practical point of view, the scheme still needs some interaction between the signatories. Although this is a common practice in almost all society-oriented cryptographic systems, it may not be very reasonable in a concast environment, since the signatories do not form the body of an organization. In the next scheme, we will present a protocol that works with no interaction between the signatories.

6

Scheme 3

In this section, we present a modified version of our algorithm from Scheme 2, which requires no interaction between the signatories. In this algorithm, instead of broadcasting ri = mi g −ki by each user ui and then computing r, in the beginning of each time period, a random value R is broadcast to the network. (This value, R, plays the role of r in the previous algorithm.) The time period is chosen such that no signatory generates more than one signature in a time period. That is, all signatures generated in time period tj use a common parameter Rj which is broadcast by the verifier. Signature Generation: 1. In the beginning of time period tj , the verifier broadcasts a random value Rj ∈R Zp . 2. Each ui chooses a random ki and computes ri = mi g −ki (mod p). 3. Each ui generates his signature as si = ki − Rj′ xi (mod q), where Rj′ ≡ Rj mod q. 4. ui sends his signature (Mi , si , ri ) through the public channel. Verification: 1. After receiving n signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ) in time period j, the verifier n ri )−1 mod p, – calculates rn+1 = Rj × (Πi=1 – chooses a random kn+1 and calculates sn+1 = kn+1 − Rj′ xn+1 (mod q), where xn+1 is the secret key of the verifier. That is, the verifier signs a message mn+1 = H(Mn+1 ) such that rn+ 1 = mn+1 g −kn+1 (mod p). Note that knowing rn+1 and kn+1 it is easy to calculate mn+1 , although the verifier does not know (and does not need to know) the relevant message Mn+1 (since the underlying hash function is one-way). 2. The verifier computes m=

n+1  i=1

mi mod p

and

s=

n+1  i=1

si

(mod q)

Authentication of Concast Communication

193

3. The combined signature (m, s, r) is accepted if ′

m = g s y Rj Rj

(mod p)

Remark: The purpose of signing a dummy message by the verifier is to transform the verification of the signatures received into the general verification formula used in the proposed multisignature scheme. Note that, this type of signature generation is not a security problem, since the message cannot be chosen by the forgery signer. In fact, if M is chosen first then the pair (s, r) must be cal′ culated such that g s y r r is equal to a predetermined value. Knowing the public values of g and y and choosing one of the parameters r (or s), achieving a correct result requires solving a discrete logarithm problem for the other parameter. Considering the fact that r′ = r mod q, one cannot select r′ and s randomly and ′ then solve the equation r = H(M ) × (g s y r )−1 for calculating r. 6.1

Performance Issues

The cost of our scheme is n applications of hash functions, 2n modular multiplications, and n modular additions, plus the verification of one digital signature. The main advantage of this scheme is that there is no need for any interaction among the users. Indeed, the major shortcoming of all interactive systems is that the system must be highly synchronized. That is, for example, in signature generation applications one cannot generate his signature before all participants have broadcast their computed value (ri , in our protocols).

7

Security

The main issue in security consideration of a digital signature is to determine whether an adversary, without knowing the secret key, is able to generate a signature of a message which has never been signed by the legitimate signer but passes the verification test. This is a general question, and the answer is given in the security analysis of the underlying digital signature. (Obviously, a digital signature that allows forgery will be considered completely useless.) In our signature screening algorithms, however, one would like to check whether it is possible to have a sequence of signatures that passes the test but contains fake signatures. We begin our security analysis in regard to this type of attack by the following theorem. Theorem 1. Given a set, S, consisting of n digital signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ) that pass our screening test, it is impossible to find two subsets A and B such that A ∩ B = ∅, S = A ∪ B, and signatures in A (or B) pass the test but signatures in B (or A) fail the test. Proof. Without loss of generality, let A = (M1 , s1 , r1 ), . . . , (Mℓ , sℓ , rℓ ) and B = (Mℓ+1 , sℓ+1 , rℓ+1 ), . . . , (Mn , sn , rn ), for an integer 0 ≤ ℓ ≤ n. Define mA =

ℓ 

i=1

m i , sA =

ℓ  i=1

si , kA =

ℓ  i=1

ki , yA =

ℓ 

i=1

yi , and rA =

ℓ 

i=1

ri

194

Mohamed Al-Ibrahim et al.

Similarly, mB , sB , kB , yB , and rB can be defined. Note that, we have m = mA × mB , s = sA + sB , k = kA + kB , y = yA × yB , and r = rA × rB . Let the sequence of signatures in the set A pass our screening test. The sequence of signatures in A forms a combined signature (mA , sA , rA ) such that sA =

ℓ 

si = kA − r′

ℓ 

xi

(mod q)

i=1

i=1

and thus the verification implies that the following equation must be true ′

r mA = g sA yA rA

(mod p).

(3)

On the other hand, the set of all signatures in the set S also passes the test, that is, ′ m = g s y r r (mod p) which can be written as ′

′

r r × yB × rA × rB mA × mB = g sA × g sB × yA

(mod p).

(4)

Now, dividing both sides of equation (4) by equation (3) gives ′

r mB = g sB yB rB

(mod p)

which indicates that the sequence of signatures in the set B also passes the test. An immediate consequence of Theorem 1 is that: Theorem 2. If a set, S = {(M1 , s1 , r1 ), . . . , (Mn , sn , rn )} that passes our screening test consists of some fake signatures, then the set of all fake signatures must also pass the screening test. Proof. Split the sequence of signatures in S into two sets A and B, such that A consists of all genuine signatures but B consists of all fake signatures. Using Theorem 1, since A passes the test, B must also pass the test. Corollary 1. Given a set S, consisting of n digital signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ) that passes our screening test, it is impossible that S contains only one fake signature. That is, either there exists no fake signature in S or there is more than one fake signature in S. Note that, knowing a signature (M, s, r), it is easy to form a set of fake signatures that passes the screening test. For example, in order to form  a set of ℓ fake signatures, one can form a set of ℓ pairs (si , ri ) such that s = ℓi=1 si ℓ and r = i=1 ri . Clearly, this set of ℓ fake signatures (M, s1 , r1 ), . . . , (M, sℓ , rℓ ) passes our screening test. This is similar to the problem identified in [3]. We observe that it is not difficult to overcome this problem. In particular, it is easy

Authentication of Concast Communication

195

to deal with this problem in the RSA type signatures of [3] (the RSA signature is deterministic and thus a message cannot have different signatures). That is, a sequence with such instances will be easily detected as faulty sequences. However, we observe another way to create a faulty sequence of signatures that passes the screening test. The method is applicable to both our schemes and the scheme introduced in [3]. Let (M1 , σ1 , ), . . . , (Mn , σn ) be a sequence of n genuine signatures. Obviously, this set passes the screening test. On the other hand, the set (M1 , σπ(1) ), . . . , (Mn , σπ(n) ), where π(.) is a random permutation over {1, 2, . . . , n}, also passes the screening test. That is, no matter how secure are the underlying digital signatures, it is always possible to produce a sequence of faulty signatures (in the above manner) that passes the signature screening test. However, as mentioned in [3], this is not a security problem since these attacks do not succeed without knowing the signatures of the messages, that is, the messages must be signed by legitimate signers. A serious threat to the scheme could be if an adversary can select messages of his own choice and then generate a (set of) signature(s) that pass(es) our screening test. The following theorem indicates the security assurance of our screening technique. Theorem 3. Let a set, S, consist of n digital signatures (Mi , si , ri ), i = 1, . . . , n that passes our screening test. If the underlying digital signature is secure then S does not contain a message that has never been signed by a legitimate signer. Proof. Let A ⊆ S and A consist of all messages that have never been signed by legitimate signers. Obviously, the set of all signatures in A passes the verification test and thus a set of unauthorized users can sign a message in a multisignature manner, which is not the case. In multisignature schemes, if a set of unauthorized users tries to forge a signature, or when a malicious user tries to prevent the process of signature generation, the generated group signature is not genuine and fails to pass the verification test. The following theorem presents an efficient algorithm to detect such a faulty signature (malicious user). Theorem 4. Let a set, S, consist of n digital signatures (Mi , si , ri ), i = 1, . . . , n and let S fail to pass our screening test. There exists an O(log n) running time algorithm that detects a faulty signature (a malicious user). Proof. The following algorithm, which is an instance of the binary search algorithm, works properly based on our results so far. 1. Split the set S into two subsets (with almost equal sizes) and submit one of them to the verification algorithm. If the set of signatures in this subset passes the verification test, then the other subset cannot do so (i.e. the faulty signature is in the other subset), otherwise this set contains the faulty signature. 2. Repeat step 1 on the subset that cannot pass the verification test as long as the cardinality of the set is larger than one.

196

8

Mohamed Al-Ibrahim et al.

Fast Screening for a Non-RSA Signature Scheme

In [3], finding fast screening algorithms for signature schemes other than RSA has been left as an open problem. That is, instead of n signatories, a signer generates a large number of signatures and a receiver wishes to verify all these signatures (e.g., when a bank issues a large number of electronic coins and the customer wishes to verify the correctness of coins). We observe that this problem can be solved as a special case in our proposed schemes. In ElGamal-type signatures, however, the signer must use a fresh random number for every signature; otherwise, it compromises the secrecy of the secret key of the signer. Hence, performance of the proposed schemes, which use a common random number in the generation of n different messages in a concast environment, is not acceptable in this case. In order to avoid this problem, the signer needs to follow the original signature scheme (see Section 3.2). Signature Generation: Let x and y = g x be the secret and public keys of the signer respectively. Also, let mi (i = 1, . . . , n) be the hash values (or any other encoding) of messages M1 , . . . , Mn . In order to sign mi , the signer performs the following steps: 1. generates a random ki and computes ri = mi g ki (mod p). 2. generates a signature on message mi as si = ki − ri′ x (mod q), where ri′ = ri mod q. 3. sends all signatures (Mi , si , ri ) to the receiver. Verification: 1. After receiving n signatures (M1 , s1 , r1 ), . . . , (Mn , sn , rn ), the verifier calculates r=

n 

ri

i=1

(mod p),

m=

n 

mi

(mod p),

and s =

n 

si

(mod q)

i=1

i=1

2. The verification of the combined signature (m, s, r) is the same as in the underlying signature scheme, that is, the signatures are accepted if ′

m = gsyr r

(mod p)

References [1] M. Al-Ibrahim and J. Pieprzyk, “Authenticating Multicast Streams in Lossy Channels Using Threshold Techniques,” in Networking – ICN 2001, First International Conference, Colmar, France, Lecture Notes in Computer Science, vol. 2094, P. Lorenz (ed), pp. 239–249, July 2001. 187 [2] M. Al-Ibrahim and J. Pieprzyk, “Authentication of Transit Flows and K-Siblings One Time Signature” in Advanced Communications and Multimedia Security, B. Jerman-Blazic and T. Klobucar, (ed.), pp. 41–55, Kluwer Academic Publisher, CMS’02, Portoroz - Slovenia, September 2002. 189

Authentication of Concast Communication

197

[3] M. Bellare, J. Garay, and T. Rabin, “Fast Batch Verification for Modular Exponentiation and Digital Signatures,” in Advances in Cryptology - Proceedings of EUROCRYPT ’98 (K. Nyberg, ed.), vol. 1403 of Lecture Notes in Computer Science, Springer-Verlag, 1998. 186, 187, 188, 194, 195, 196 [4] C. Boyd, “Digital Multisignatures,” in Cryptography and Coding (H. Beker and F. Piper, eds.), pp. 241–246, Clarendon Press, 1989. 186 [5] E. Brickell, D. Gordon, K. McCurley, and D. Wilson, “Fast Exponentiation with Precomputation,” in Advances in Cryptology - Proceedings of EUROCRYPT ’92 (R. Rueppel, ed.), vol. 658 of Lecture Notes in Computer Science, SpringerVerlag, 1993. 186 [6] R. Cramer and I. Damg˚ ard, “New Generation of Secure and Practical RSABased Signatures,” in Advances in Cryptology - Proceedings of CRYPTO ’96 (N. Koblitz, ed.), vol. 1109 of Lecture Notes in Computer Science, pp. 173–185, Springer-Verlag, 1996. 186 [7] Y. Desmedt, “Society and group oriented cryptography: a new concept,” in Advances in Cryptology - Proceedings of CRYPTO ’87 (C. Pomerance, ed.), vol. 293 of Lecture Notes in Computer Science, pp. 120–127, Springer-Verlag, 1988. 186 [8] Y. Desmedt and Y. Frankel, “Shared generation of authenticators and signatures,” in Advances in Cryptology - Proceedings of CRYPTO ’91 (J. Feigenbaum, ed.), vol. 576 of Lecture Notes in Computer Science, pp. 457–469, SpringerVerlag, 1992. 186 [9] Y. Desmedt, Y. Frankel, and M. Yung, “Multi-receiver/Multi-sender network security: Efficient authenticated multicast/feedback,” IEEE Infocom ’92, pp. 2045– 2054, 1992. 186, 187 [10] W. Diffie and M. Hellman, “New Directions in Cryptography,” IEEE Trans. on Inform. Theory, vol. IT-22, pp. 644–654, Nov. 1976. 185 [11] T. ElGamal, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms,” IEEE Trans. on Inform. Theory, vol. IT-31, pp. 469–472, July 1985. 186, 188 [12] A. Fiat, “Batch RSA,” Journal of Cryptology, vol. 10, no. 2, pp. 75–88, 1997. 186 [13] A. Fiat and A. Shamir, “How To Prove Yourself: Practical Solutions to Identification and Signature Problems,” in Advances in Cryptology - Proceedings of CRYPTO ’86 (A. Odlyzko, ed.), vol. 263 of Lecture Notes in Computer Science, pp. 186–194, Springer-Verlag, 1987. 186 [14] L. Harn, “Group-oriented (t, n) threshold digital signature scheme and digital multisignature,” IEE Proc.-Comput. Digit. Tech., vol. 141, pp. 307–313, Sept. 1994. 186 [15] K. Nyberg and R. Rueppel, “Message Recovery for Signature Schemes Based on the Discrete Logarithm Problem,” Designs, Codes and Cryptography, vol. 7, pp. 61–81, 1996. Also, Advances in Cryptology - Proceedings of EUROCRYPT ’94 Vol. 950 LNCS, pp. 182-193. 188 [16] R. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Communications of the ACM, vol. 21, pp. 120–126, Feb. 1978. 186 [17] P. D. Rooij, “Efficient Exponentiation using Precomputation and Vector Addition Chains,” in Advances in Cryptology - Proceedings of EUROCRYPT ’94 (A. Santis, ed.), vol. 950 of Lecture Notes in Computer Science, Springer-Verlag, 1994. 186 [18] C. Schnorr, “Efficient Signature Generation by Smart Cards,” Journal of Cryptology, vol. 4, no. 3, pp. 161–174, 1991. 186

198

Mohamed Al-Ibrahim et al.

[19] M. De Soete, J.-J. Quisquater, and K. Vedder, “A signature with shared verification scheme,” in Advances in Cryptology - Proceedings of CRYPTO ’89 (J. Brassard, ed.), vol. 435 of Lecture Notes in Computer Science, pp. 253–262, SpringerVerlag, 1990. 186 [20] Y. Zheng, T. Hardjono, and J. Pieprzyk, “The Sibling Intractable Function Family (SIFF): Notion, Construction and Applications,” IEICE Trans. Fundamentals, vol. E76-A, pp. 4–13, Jan. 1993. 189

Self-certified Signatures Byoungcheon Lee1 and Kwangjo Kim2 1 Joongbu University San 2-25, Majon-Ri, Chuboo-Meon, Kumsan-Gun, Chungnam, 312-702, Korea [email protected] 2 International Research center for Information Security (IRIS) Information and Communications University (ICU) 58-4, Hwaam-dong, Yusong-gu, Daejeon, 305-732, Korea [email protected]

Abstract. A digital signature provides the authenticity of a signed message with respect to a public key and a certificate provides the authorization of a signer for a public key. Digital signature and certificate are generated independently by different parties, but they are verified by the same verifier who wants to verify the signature. In the point of a verifier, verifying two independent digital signatures (a digital signature and the corresponding certificate) is a burden. In this paper we propose a new digital signature scheme called selfcertified signature. In this scheme a signer computes a temporary signing key with his long-term signing key and its certification information together, and generates a signature on a message and certification information using the temporary signing key in a highly combined and unforgeable manner. Then, a verifier verifies both signer’s signature on the message and related certification information together. This approach is very advantageous in efficiency. We extend the proposed self-certified signature scheme to multi-certification signature in which multiple certification information are verified. We apply it to public key infrastructure (PKI) and privilege management infrastructure (PMI) environments. Keywords: digital signature, self-certified signature, self-certified key, multi-certification signature, public key infrastructure, privilege management infrastructure

1 1.1

Introduction Digital Signature and Certification

A digital signature is computed by a signer from a message and his signing key. When the signature is verified to be valid with the corresponding public key, it provides the authenticity of the signed message with respect to the public key. But the signature is only linked to the public key and does not provide the authorization of the signer by itself. To provide the authorization of the signer for the public key, a certificate is used, which is signed by a trusted third party. In X.509 [PKI], a certification authority (CA) can provide the signer with A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 199–214, 2002. c Springer-Verlag Berlin Heidelberg 2002


200

Byoungcheon Lee and Kwangjo Kim

a certificate which is a digital signature of CA on the public key and relevant certification information such as serial number, identity of the signer, identity of CA, period of validity, extensions, etc. In other words a certificate provides an unforgeable and trusted link between a public key and a specific signer. Whenever a verifier wants to use the public key to verify a signature, he first has to check the validity of the certificate using CA’s public key. Public key infrastructure (PKI) [PKI] is a hierarchical framework to issue and manage certificates. It is also said that PKI is a trust management infrastructure. It is a key infrastructure for the digital signature technology to be adapted in real world. Recently, many countries over the world enact the digital signature act which provides legal support to the validity of digital signature. Nowadays, PKI industry is booming and digital signature technology is being adapted quickly in our real life. Digital signature and certificate are generated independently by different parties, but they are verified by the same verifier who wants to verify the signature. In the point of a verifier, verifying two independent digital signatures (a digital signature on a message and the corresponding certificate) is a burden. Moreover the verifier has to locate and keep the corresponding certificate by himself. Therefore more elegant and efficient approach for the verification of digital signature and certificate is required. To solve this problem, we propose a new digital signature scheme called selfcertified signature (SCS). In this scheme a signer computes a temporary signing key with his long-term signing key and certification information together, and generates a signature on a message and certification information using the temporary signing key in a highly combined and unforgeable manner. Then, a verifier verifies both signer’s signature on the message and related certification information together. This approach has many advantages in efficiency (computation and communication) and in real world usage. Moreover, in PKI and PMI environment many additional certification information need to be checked together, such as certificate revocation list (CRL), certification path from the root CA to the signer, attribute certificates, etc. We extend the SCS scheme to multi-certification signature (MCS) in which multiple certification information are verified, and apply it to PKI and PMI environment. 1.2

Related Concepts

The concept of SCS has some similarity with identity-based cryptosystem, selfcertified key (SCK), and proxy signature scheme. These concepts commonly deal with the issue how to certify public keys. The most familiar approach to certify a public key is using explicit certificate such as X.509, but these concepts show other possibilities to manage certification. In identity-based scheme, first introduced by Shamir [Sha84], the public key is nothing but the identity of the signer and the related secret key is computed from some trapdoor originated by CA. This scheme is very attractive because it needs no certificate and no verification of certificate, hence reduces the amount

Self-certified Signatures

201

of storage and computation, but it’s disadvantage is that the secret key is known to CA. The concept of self-certified key (SCK), introduced in [Gir91], is a sophisticated combination of certificate-based and identity-based models. Using an RSA cryptosystem a user chooses his secret key, computes his public key, and gives it to the authority. Then the authority computes a certification parameter for the user which satisfies a computationally unforgeable relationship with the public key and the identity. A verifier can compute the public key from the identity and the certification parameter. [PH97] extended [Gir91] to DLP-based cryptosystem in which self-certified key is issued securely using weak blind Schnorr signature protocol. A problem of SCK schemes is that it provides only implicit authentication, i.e., the validity of a SCK is determined only after a successful communication. [LK00] improved [PH97] such that explicit authentication of SCK is provided by using the concept of self-certificate. In the point of cryptographic primitives, SCS is similar to proxy signature schemes [MUO96, PH97, KPW97, LKK01a, LKK01b]. Proxy signature is a signature scheme in which an original signer delegates her signing capability to a proxy signer, and then the proxy signer creates a signature on behalf of the original signer. From a proxy signature a verifier can check both original signer’s delegation and proxy signer’s digital signature. The basic methodology used in proxy signature scheme is that the original signer creates a signature on delegation information (ID of the designated proxy signer, period of validity, specification on message space, or any warrant information) and gives it secretly to the proxy signer, and then the proxy signer uses it to generate a proxy key pair. From a proxy signature computed by using the proxy signing key, any verifier can check original signer’s delegation, because the proxy key pair is generated from original signer’s signature on delegation information. In SCS scheme certification information is used in a similar way as the delegation information in proxy signature scheme. More recently, proxy certificate profile was proposed in [PC]. Proxy certificate can be used for entity A to give the delegation information to entity B in the form of certificate. Then B can authenticate with others as if it were A. These concepts commonly specify how to make key pair. SCK scheme is a key issuing protocol with no specification on signing and verification, but SCS scheme contains signing and verification algorithms together with key generation algorithm. Proxy signature schemes [PH97, KPW97, LKK01a] specify signing and verification algorithms, but they are signatures only on message. As will be shown in later Section, there are possibilities of forgery if a proxy signature is a signature only on message. Proxy signature schemes in [LKK01b] are signatures on message and delegation information together, but detailed analysis was not given. On the other hand, a SCS is a signature both on message and certification information together such that a verifier can verify both the digital signature on message and certification information in an efficient way. Since a SCS contains certification information in a digital signature, it provides more concrete nonrepudiation evidence than a normal digital signature.

202

1.3

Byoungcheon Lee and Kwangjo Kim

Our Contributions

To provide the authenticity of a digital signature and the authorization of a public key together in an efficient way, we introduce a new digital signature scheme called self-certified signature. In this approach the signer generates a temporary signing key using his long-term signing key and CA’s certification information together and signs a message and certification information using this temporary signing key. In the verification stage both the signature on the message and certification information are checked together. We extend the proposed SCS scheme to multi-certification signature (MCS) in which multiple certification information are verified. We apply MCS scheme to public key infrastructure (PKI) and privilege management infrastructure (PMI) environments in which many additional certification information, such as certificate revocation list (CRL), path validation from the root CA to the signer, attribute certificate (AC), etc, have to be verified. A signer can collect all the certification information required to verify the authorization for his public key and compute a MCS. Then it provides more concrete non-repudiation evidence than a normal digital signature. In the point of a verifier, he doesn’t need to locate all the required certification information by himself. The paper is organized as follows: In Section 2 we define SCS scheme and show a general implementation of SCS based on DLP. We also show a distinguished implementation of SCS and discuss its security. In Section 3 we extend the proposed SCS scheme to MCS and apply it to PKI and PMI environments in which many additional certification information have to be verified. We compare the efficiency of MCS scheme with a general multiple signature approach. Finally, we conclude in Section 4.

2

Self-certified Signature

Assume that a signer S has a long-term key pair (x0 , y0 ) where x0 is a secret signing key and y0 is the corresponding public key. The public key y0 is certified by a certification authority CA with a certificate Certs . CA issues Certs as a certificate for the public key y0 and the signer S by signing a certification information CIs prepared by himself. According to X.509, CIs can include information such as serial number, signer’s identity, issuer’s identity, public key y0 , period of validity, extensions, etc. To sign a message using SCS scheme, the signer S computes a temporary key pair (x, y) using his long-term key pair (x0 , y0 ) and the certificate Certs . The basic idea of the proposed SCS scheme is as follows. 1. A signer S computes a temporary signing key x for SCS using his long-term signing key x0 and certificate Certs such that it can be computed only by himself. 2. S signs a message and related certification information using the temporary signing key x to generate a self-certified signature σ.

Self-certified Signatures

203

3. A verifier V computes the temporary public key y from signer’s long-term public key y0 and certification information, and verifies the self-certified signature σ using y. The resulting SCS is a combination of general signature scheme and certification scheme, therefore it should satisfy the non-repudiation requirement of general signature scheme and certification requirement of certification scheme. In this paper we use the following notation. – – – – – – – – – – – – – – 2.1

S: a signer V: a verifier CA: a certification authority (x0 , y0 ): signer’s long-term key pair (secret signing key, public key) (x, y): signer’s temporary key pair for SCS CIs : certification information, prepared by CA, for the public key y0 and the signer S Certs : a certificate, issued by CA, for the public key y0 and the signer S Sx (m): a signing algorithm on message m using a signing key x Vy (s, m): a verification algorithm of a signature s using a public key y Sx (m1 , m2 ): a two-message signing algorithm on messages m1 and m2 using a signing key x Vy (s, m1 , m2 ): a two-message verification algorithm of a signature s on messages m1 and m2 using a public key y h(), h1 (), h2 (): collision resistant hash functions m: a message σ: a self-certified signature Definition of SCS

First, we need to consider how to sign two messages together. Definition 1 (Two-message signature). Let m1 and m2 be two messages that a signer S wants to sign together. Let Sx (m) be a signing algorithm which is a signature on message m using a signing key x. Then two-message signature is a signature on two messages m1 and m2 together and we denote it as Sx (m1 , m2 ), where m1 and m2 are called the first and second message. The most general approach of two-message signature is to prepare a new message by concatenating two messages as m = (m1 ||m2 ) and then sign m using a general signature scheme. But there can be numerous modifications. We will show an example in later Section. Now we define self-certified signature. Definition 2 (Self-certified signature). Let (x0 , y0 ) be a signer’s long-term key pair where x0 and y0 are a secret signing key and the corresponding public key, respectively. Let Certs be a certificate for the public key y0 issued by CA. Self-certified signature scheme consists of the following three algorithms.

204

Byoungcheon Lee and Kwangjo Kim

1. Key generation algorithm takes the long-term key pair (x0 , y0 ) and certificate Certs and outputs a temporary key pair (x, y) x = f (x0 , Certs ), y = g(y0 , Certs ) where f, g are public algorithms. 2. Signing algorithm is a probabilistic algorithm which takes a message m, a certificate Certs , and the temporary signing key x as input and outputs a self-certified signature σ = Sx (m, Certs ) using the two-message signature scheme where the first message is m and the second message is Certs . 3. Verification algorithm takes a self-certified signature σ, a message m, a certificate Certs , a long-term public key y0 as input and outputs a binary value 0 (invalid) or 1 (valid). It is a three-step algorithm. – It computes the temporary public key y = g(y0 , Certs ). ?

– It verifies the self-certified signature using y, Vy (σ, m, Certs ) = 1. – It checks whether y0 is stated in Certs correctly (This is just a document test, not a signature verification). If all the verifications hold, it represents that the signature of the signer on message m is valid and certification by CA is also confirmed. If the document test of Certs is not valid, the self-certified signature is considered to be invalid, although the signature verification was passed. Self-certified signature scheme should satisfy the following security requirements. 1. Non-repudiation: The self-certified signature should be generated only by the signer S who knows the long-term signing key x0 . Therefore the signer should not be able to repudiate his signature creation later. 2. Certification: From the self-certified signature a verifier should be convinced that the signer S is authorized to use the public key y0 by the trusted authority CA. 2.2

Attack Models against SCS

The most powerful attack model on digital signature scheme is the adaptively chosen message attack [PS00] in which an adversary is allowed to access the signing oracle as many times as she wants and get valid signatures for messages of her choice. In SCS scheme the attacker is more advantageous since she has additional knowledge of certification information. There is also possibility for the signer to misuse the temporary signing key. We consider the following additional attack scenarios. 1. Forgery using partial information (by third party): In SCS scheme partial information of the temporary signing key x is known to third parties, i.e., the certification information Certs is published (but the long-term signing key x0 is kept secret). Moreover the algebraic relationship between x

Self-certified Signatures

205

and x0 is publicly known. The long-term signing key x0 can be used to generate normal signatures, while the temporary signing key x is used to generate SCS. If the SCS scheme is not secure, an active attacker can try to change the certification information, induce a valid normal signature from a valid SCS, or induce a valid SCS from a valid normal signature. For the SCS scheme to be secure, this partial information should be of no help for any malicious third party to forge a valid signature. 2. Key generation stage attack (by signer): In SCS scheme the signer computes the temporary signing key x by himself. A malicious signer can try to use it for another malicious purpose. For example, he can get a certificate for (x, y) from another CA without exposing the previous certification information and use it for malicious purpose. He can show the previous certification information later when it is necessary. For the SCS scheme to be secure, this kind of malicious usage of the temporary key pair should be prevented and detected easily. These attacks can work in proxy signature schemes [PH97, KPW97, LKK01a] also if it is a signature only on message. 2.3

General Implementation of SCS Based on DLP

The SCS scheme can be implemented easily using the DLP-based cryptosystem if system parameters are shared among signer’s key pair and CA’s key pair. We consider the Schnorr signature scheme as an underlying signature scheme. Firstly, we review Schnorr signature scheme briefly. Let p and q be large primes with q|p − 1. Let g be a generator of a multiplicative subgroup of Zp∗ with order q. h() denotes a collision resistant cryptographic hash function. Assume that a signer has a secret signing key x and the corresponding public key y = g x mod p. To sign a message m, the signer chooses a random number k ∈R Zq∗ and computes r = g k , s = x · h(m, r) + k. Then the tuple (r, s) becomes a valid signature on message m. The validity of signature is verified ? by g s = y h(m,r) r. Note that the signing process requires one offline modular exponentiation and the verification of signature requires two online modular exponentiations. This signature scheme has been proven to be secure under the random oracle model [PS96, PS00]. They have shown that existential forgery under the adaptively chosen message attack is equivalent to the solution of discrete logarithm problem. We assume that a signer S has a long-term key pair (x0 , y0 ) where y0 = g x0 mod p. He also has a certificate Certs on the public key y0 issued by CA. We also assume that the same system parameters p and q are shared among signer’s key pair and CA’s key pair. Let (xCA , yCA ) be CA’s key pair where yCA = g xCA . The certificate Certs = (rc , sc ) on public key y0 is CA’s Schnorr signature on some certification information CIs prepared by CA, which includes serial number, long-term public key y0 , signer’s identity, issuer’s identity, period of validity, extensions, etc. To issue Certs CA chooses kc ∈R Zq∗ and computes Certs = (rc , sc ) = (g kc , xCA · h(CIs , rc ) + kc ).

206

Byoungcheon Lee and Kwangjo Kim ?

h(CI ,r )

It’s validity is verified by g sc = yCA s c rc . CA has issued Certs = (rc , sc ) to S as a certificate for the public key y0 . Now the self-certified signature scheme on a message m and a certificate Certs is given by the following three algorithms. General Implementation of SCS: 1. Key generation: A signer S computes a temporary key pair (x, y) by using the long-term key pair (x0 , y0 ) and the certificate Certs as h(CIs ,rc )

x = x0 + sc , y = y0 yCA

rc .

2. Signing: Using the temporary signing key x, S computes a self-certified signature σ = (r, s) on message m and certificate Certs as follows. – Prepare a concatenated message m||CIs ||rc . – Chooses a random number k ∈R Zq∗ and computes a signature as r = g k , s = x · h(m||CIs ||rc , r) + k. – Gives {(r, s), CIs , rc } as a SCS on message m. 3. Verification: A verifier V checks the validity of {(r, s), CIs , rc } as follows. h(CI ,r ) – Computes a temporary public key y = y0 yCA s c rc . ?

– Verifies the signature (r, s) using y by g s = y h(m||CIs||rc ,r) r. – Checks whether y0 is stated in CIs correctly (This is just a document test, not a signature verification). If the verification holds, it means that the signature of the signer on message m is valid and certification by CA is also confirmed. If the document test of Certs is not valid, the self-certified signature is considered to be invalid, although the signature verification was passed. Therefore the signer should construct a valid temporary key pair using correct certification information. Because the underlying Schnorr signature scheme is secure, the proposed SCS scheme satisfies the security requirements listed above. 1. Non-repudiation: Since the Schnorr signature scheme is a secure signature scheme, any other party who does not know the temporary signing key x cannot forge a valid Schnorr signature on two messages m and Certs . Therefore the signer cannot repudiate his signature creation later. 2. Certification: Since the Schnorr signature (r, s) is verified by using the temh(CI ,r ) porary public key y = y0 yCA s c rc , a verifier is convinced that the signer was authorized to use the public key y0 by CA. Note that {(r, s), CIs , rc } is a signature on a combined message m||CIs ||rc (instead of just m) with a temporary signing key x = x0 + sc . This prevents additional attacks proposed above.

Self-certified Signatures

207

1. Forgery using partial information (by third party): Third party cannot manipulate a valid SCS to generate a new valid SCS (modifying certification information) or a normal signature (deleting certification information), although he knows additional information sc . 2. Key generation stage attack (by signer): A malicious signer cannot try to hide the certification information on purpose and expose it later. He can get a new certificate for x = x0 + sc from other CA and use it as a new certified key. But when he exposes the hidden certification, it is not accepted since certification information should be included explicitly in message. Since a SCS includes both a signature on message and certification, it provides more concrete non-repudiation evidence than a normal signature. For example, assume that a normal signature is verified to be valid, but the corresponding certificate is turned out to be invalid, then the signature is not qualified. But a valid SCS is qualified by itself. A complete non-repudiation evidence is provided in SCS scheme if the signer had computed it correctly, while only partial non-repudiation evidence is provided in normal signature schemes. In the point of communication, a verifier does not need to locate and keep the certification information by himself because it is already included in a SCS. In the point of computation, SCS is more efficient than the general approach of independent signature verification. Detailed efficiency analysis will be given in Section 3. 2.4

Comparison with Self-certified Key

The proposed SCS scheme can be compared with the self-certified key (SCK) scheme as follows. First, SCK scheme is a key issuing protocol and it does not specify how to sign a message using the self-certified key. On the other hand, SCS scheme does not specify how to certify a public key, but specifies how to sign a message and verify a signature using a long-term key pair and the corresponding certificate together. Therefore in SCS scheme already wide-spread PKI environment can be used without any change. SCS can be considered as signer’s additional service to provide more concrete non-repudiation evidence and more efficient verification of signature. As will be shown later, efficiency is provided mainly in verification stage, not in signing stage. Second, SCK scheme provides only implicit authentication. Since any kind of certificate is not used explicitly, the authenticity of a public key is guaranteed only when it is used successfully in application. On the other hand, SCS scheme provides explicit authentication since certificate in PKI environment is used. Only difference is that the certificate is used in highly combined manner with the signature in the signing and verification algorithms. 2.5

Distinguished Implementation of SCS

If the same digital signature scheme (for example, Schnorr signature) is used both as a normal signature scheme and a SCS scheme, then some argument

208

Byoungcheon Lee and Kwangjo Kim

can happen. The SCS (r, s) generated above can also be considered as a normal signature on message m||CIs ||rc using a new signing key x. Anyone can launch the following attacks using the public information sc . – If the signer signs a message something like m||CIs ||rc using his long-term signing key x0 , anyone can compute a valid SCS by adding the certification component. – If the signer generates a SCS on m||CIs ||rc as above, anyone can compute a normal signature on m||CIs ||rc by deleting the certification component. The resulting forgery can be considered not so risky in real world, but the signer should be careful not to sign any maliciously formed message. Although the SCS scheme is secure in cryptographic sense, this kind of argument needs to be removed. Therefore normal signature scheme and SCS scheme need to be implemented in distinguished ways. The first natural approach in designing SCS scheme is to use the message and certification information in distinguished way in the signing algorithm. First, we introduce a distinguished two-message signature scheme in which two messages are used in different hash functions. It is a slight modification of Schnorr signature scheme. Distinguished two-message signature scheme: Let m1 and m2 be two messages to be signed. Let (x, y) be signer’s key pair. 1. Signing algorithm: A signer chooses a random number k ∈R Zq∗ and computes a signature as r = g k , s = x · h1 (m1 , r) + k · h2 (m2 , r) where h1 () and h2 () are cryptographic hash functions. Note that the first and the second messages are used in h1 () and h2 (), respectively. 2. Verification algorithm: A verifier verifies the signature (r, s) as ?

g s = y h1 (m1 ,r) rh2 (m2 ,r) . We consider the security of the distinguished two-message signature scheme. It can be proven that the distinguished two-message signature scheme is secure under an adaptively chosen-message attack. Theorem 1. Consider an adaptively chosen message attack in the random oracle model against the distinguished two-message signature scheme. Probabilities are taken over random tapes, random oracles and public keys. If an existential forgery of this scheme has non-negligible probability of success, then the discrete logarithm problem can be solved in polynomial time. Proof. The signer can be simulated by a simulator (who does not know the secret key) with an indistinguishable distribution. We denote the signature scheme as r = g k , s = x · e1 + k · e2

Self-certified Signatures

209

where e1 = h1 (m1 , r) and e2 = h2 (m2 , r). A simulator who does not know secret key x can choose s, e1 , e2 ∈R Zq and compute r = g s/e2 y −e1 /e2 . Then, (r, s) computed by the simulator is indistinguishable from signer’s signature. Then the attacker and the simulator can collude in order to break the signature scheme, and we can solve the discrete logarithm. Assume that an existential forgery of this scheme has non-negligible probability of success. Using the Forking lemma [PS96, PS00], we get two valid signatures (r, s, e1 , e2 ) and (r, s′ , e′1 , e′2 ) ′ ′ ′ such that g s = y e1 re2 and g s = y e1 re2 . Then, from ′

′

′

′

g s/e2 y −e1 /e2 = g s /e2 y −e1 /e2 the signing key x can be computed as x = (s/e2 − s′ /e′2 )/(e1 /e2 − e′1 /e′2 ). ⊔ ⊓ Now, we implement a SCS scheme using the distinguished two-message signature scheme and call it a distinguished implementation. In this scheme the first message is the message to be signed and the second message is certification information for the public key. In this implementation the key generation algorithm is the same, but signing and verification algorithms are modified as follows. Distinguished Implementation of SCS: 1. Key generation: same as the general implementation of SCS. 2. Signing: Chooses a random number k ∈R Zq∗ and computes a signature as r = g k , s = x · h1 (m, r) + k · h2 (CIs ||rc , r). 3. Verification: Verifies the signature (r, s) using y by ?

g s = y h1 (m,r) rh2 (CIs ||rc ,r) . Note that message m is used in the first hash function and certification information CIs ||rc is used in the second hash function. Compared with the general implementation, this modification requires one more online exponentiation in verification. Since the distinguished two-message signature scheme is a secure signature scheme, distinguished implementation of SCS also satisfies non-repudiation and certification requirements.

3 3.1

Multi-certification Signature and PKI PKI and PMI Environments

A digital signature provides the authenticity of a signed message with respect to a public key and a certificate issued by a trusted authority provides the

210

Byoungcheon Lee and Kwangjo Kim

authorization of a signer for a public key. Whenever a verifier wants to use the public key to verify a signature, he first has to check the validity of the certificate using CA’s public key. The next question is whether the verifier trusts signer’s CA or not, or how to manage the trust relationship between a signer and a verifier. Public key infrastructure (PKI) [PKI] is a hierarchical framework to issue and manage certificates. It is also said that PKI is a trust management infrastructure. As the trust relationship between a signer and a verifier becomes complex in PKI environment, the verifier should check not only the certificate of the signer, but also various extra certification information related with the certificate. – He has to check CRL [CRL] to check whether the signer’s certificate was revoked or not. – He has to check certification path from signer’s CA to the root CA who is trusted by himself (Check certificates and CRLs of CAs located in the middle of the certification path). Recently, attribute certificate (AC) and PMI [PMI] are becoming an issue. Since the the public key certificate (PKC) provide authentication only for the key pair and is used for relatively long period of time, it is not suitable to authenticate short-term attributes of signer (such as access control, role, authorization, etc.) which are used for short period of time. For these applications attribute authority (AA) issues AC to a signer to certify signer’s specific attribute. PMI is an infrastructure to manage ACs while PKI is an infrastructure to manage PKCs. AC does not use an independent key pair, but has a link to a PKC, therefore same key pair is shared among PKC and AC. When a signer signs a message with the key pair and asserts both certifications of PKC and AC, a verifier has to verify both certifications. – He has to verify certifications related with AC, if it is asserted by the signer. Therefore, in the point of a verifier the verification process of a digital signature is a burden and he should be very careful to check every required certifications. The proposed SCS scheme can be extended to multi-certification situation easily in which multiple certification information should be verified. In this Section we introduce multi-certification signature (MCS) and apply it to PKI and PMI environments. 3.2

Multi-certification Signature

Multi-certification signature (MCS) scheme is a generalization of the self-certified signature scheme in which multiple certification information are verified together. Definition 3 (Multi-certification Signatures). Multi-certification signature is a self-certified signature in which multiple certification information are used.

Self-certified Signatures

211

Let (x0 , y0 ) be signer’s long-term key pair. Let (c1 , . . . , cn ) be n certification information related with y0 , which can be PKCs, CRLs, ACs, etc. Multi-certification signature scheme consists of the following three algorithms. 1. Key generation algorithm takes the long-term key pair (x0 , y0 ) and n certification information (c1 , . . . , cn ) and outputs a temporary key pair (x, y) x = f (x0 , c1 , . . . , cn ), y = g(y0 , c1 , . . . , cn ) where f, g are public algorithms. 2. Signing algorithm is a probabilistic algorithm which takes a message m, n certification information (c1 , . . . , cn ), and the temporary signing key x as input and outputs a multi-certification signature σ = Sx (m, c1 , . . . , cn ) using the two-message signature scheme where the first message is m and the second message is (c1 , . . . , cn ). 3. Verification algorithm takes a multi-certification signature σ, a message m, n certification information (c1 , . . . , cn ), the long-term public key y0 as input and outputs a binary value 0 (invalid) or 1 (valid). It is a three-step algorithm. – It computes the temporary public key y = g(y0 , c1 , . . . , cn ), ?

– It verifies the multi-certification signature using y, Vy (σ, m, c1 , . . . , cn ) = 1. – It checks whether (c1 , . . . , cn ) are valid (This is just a document test, not a signature verification). Now consider a general implementation of MCS based on DLP cryptosystem. We assume that a signer S has a certified key pair (x0 , y0 ) where y0 = g x0 and n certification information (c1 , c2 , . . . , cn ) related with it. ci can be PKCs, CRLs, ACs, etc, which are all represented by digital signatures. Here we assume that the same system parameters p and q are shared among signer’s key pair and n certification information. The certification information ci are digital signatures on some certification messages CIi related with the key pair (x0 , y0 ) in any form and are provided by authorities Ai . Let (xi , yi ) be Ai ’s key pair where yi = g xi . Then ci is a Schnorr signature of the authority Ai on certification message CIi . To generate ci , Ai chooses ki ∈R Zq∗ and computes ci = (ri , si ) = (g ki , xi · h(CIi , ri ) + ki ). ?

h(CI ,r )

i i It’s validity can be verified by g si = yi ri . Ai has issued (ri , si ) as a certification information. The MCS scheme is given by the following three algorithms.

212

Byoungcheon Lee and Kwangjo Kim

General Implementation of MCS: 1. Key generation: A signer S computes a temporary signing key pair (x, y) by using the long-term key pair (x0 , y0 ) and n certification information (c1 , . . . , cn ) as x = x0 + s1 + s2 + · · · + sn , h(CI1 ,r1 )

y = y0 y1

r1 · · · ynh(CIn ,rn ) rn .

2. Signing: Using the temporary signing key x the signer S computes a multicertification signature σ = (r, s) on message m and certification information (CI1 , r1 , . . . , CIn , rn ) as follows. – Prepare a concatenated message m||CI1 ||r1 || · · · ||CIn ||rn . – Chooses a random number k ∈R Zq∗ and computes a signature as r = g k , s = x · h(m||CI1 ||r1 || · · · ||CIn ||rn , r) + k. – Gives {(r, s), CI1 ||r1 || · · · ||CIn ||rn } as a MCS on message m. 3. Verification: A verifier V checks the validity of {(r, s), CI1 ||r1 || · · · ||CIn ||rn } as follows. h(CI ,r ) h(CI ,r ) – Computes a temporary public key y = y0 y1 1 1 r1 · · · yn n n rn . ?

– Verifies the signature (r, s) using y by g s = y h(m||CI1 ||r1 ||···||CIn ||rn ,r) r. – Checks the certification information stated in (CI1 , . . . , CIn ) (This is just a document test, not a signature verification). If the verification holds, it means that the signature of the signer is valid and n certification information are also confirmed. We can consider the distinguished implementation of MCS in the same way. 3.3

Efficiency

To compare the efficiency of the proposed MCS scheme, we consider a general approach that the signer just generates a signature on message m with his signing key x0 , and then the verifier has to verify n + 1 signatures (a signature of the signer and n certification information) independently. We show the comparison result in Table 1. In the point of computation the general approach requires 1 signature generation (1 offline exponentiation) and n + 1 signature verifications (2(n + 1) online exponentiations), while the general implementation of MCS scheme requires 1 signature generation (1 offline exponentiation) and 1 signature verification together with n exponentiations (n + 2 online exponentiations). In distinguished implementation of MCS scheme n + 3 online exponentiations are required in verification. On average the proposed MCS schemes are about 50% more efficient than the general approach. Note that computational efficiency is provided mainly in verification stage, not in signing stage. If we consider a special case that n certification information are somewhat fixed and the verifier can verify them all in advance, then the verifier in MCS

Self-certified Signatures

213

Table 1. Comparison of the efficiency of MCS schemes in computation and communication Process

General approach

No. of Exp. in signing No. of Exp. in verification Signature size

1 (offline) 2(n + 1) (online) (n + 1)(|p| + |q|)

General implementation of MCS 1 (offline) n + 2 (online) (n + 1)|p| + |q|

Distinguished implementation of MCS 1 (offline) n + 3 (online) (n + 1)|p| + |q|

scheme also can compute the temporary public key y in advance and can use it repeatedly. Then the amount of computation in MCS scheme and in general approach are the same. In signature size general approach uses n + 1 independent signatures ((n + 1)(|p| + |q|)) while the proposed MCS schemes require a single signature and (r1 , . . . , rn ) ((n + 1)|p| + |q|). (Note that if the signer sends certificates themselves as certification information to the verifier, communication size will not be changed.) Therefore MCS scheme is more efficient than the general approach in computation and communication. We can consider another efficiency point. In MCS scheme a signer collects all the relevant certification information and provides a verifier with a highly combined digital signature with which both the digital signature on message and all certification information are verified together. If the signature cannot pass the verification process because of wrong certification information, it will not be considered as a valid signature. Therefore, a signer has to provide all the correct certification information and a verifier does not need to locate and keep them by himself. MCS can be considered as signer’s additional service to provide more concrete non-repudiation evidence and more efficient verification of signature.

4

Conclusion

In this paper we have considered the real situation of using digital signatures in PKI and PMI environments and derived the necessity of new digital signature schemes called self-certified signature and multi-certification signature. First, we have shown the necessity of signing a message with a long-term signing key and certification information related with the public key together, and proposed the self-certified signature scheme. Then we have considered the PKI and PMI environments and extended SCS to multi-certification signature scheme in which multiple certification information have to be verified together. The proposed schemes turned out to be very efficient in real usage. In this paper we have implemented SCS and MCS schemes in DLP-based cryptosystems. However, RSA signature schemes are also widely used in practice.

214

Byoungcheon Lee and Kwangjo Kim

Therefore designing RSA-based SCS scheme is an attractive further work. It is also required to provide more concrete security notions and proofs on SCS schemes.

Acknowledgements We would like to thank anonymous reviewers for their valuable comments, which help to make this paper more readable one.

References [CRL]

[Gir91] [KPW97]

[MUO96]

[LK00]

[LKK01a] [LKK01b]

[PC] [PH97]

[PKI] [PMI] [PS96] [PS00]

[Sha84]

RFC 2459, Internet X.509 Public Key Infrastructure Certificate and CRL Profile, IETF, 1999, http://www.ietf.org/html.charters/pkix-charter.html 210 M. Girault, “Self-certified public keys”, Advances in Cryptology: Eurocrypt’91, LNCS 547, Springer-Verlag, 1991, pages 490–497. 201 S. Kim, S. Park, and D. Won, “Proxy signatures, revisited”, In Proc. of ICICS’97, International Conference on Information and Communications Security, Springer, Lecture Notes in Computer Science, LNCS 1334, pages 223–232, 1997. 201, 205 M. Mambo, K. Usuda, and E. Okamoto, “Proxy signatures: Delegation of the power to sign messages”, In IEICE Trans. Fundamentals, Vol. E79-A, No. 9, Sep., pages 1338–1353, 1996. 201 B. Lee and K. Kim, “Self-Certificate: PKI using Self-Certified Key”, Proc. of Conference on Information Security and Cryptology 2000, Vol. 10, No. 1, pages 65–73, 2000. 201 B. Lee, H. Kim and K. Kim, “Strong Proxy Signature and its Applications”, Proc. of SCIS2001, pages 603–608, 2001. 201, 205 B. Lee, H. Kim and K. Kim, “Secure Mobile Agent using Strong Non-designated Proxy Signature”, Proc. of ACISP2001, LNCS Vol.2119, Springer-Verlag, pages 474–486, 2001. 201 S. Tuecke, et. al., “Internet X.509 Public Key Infrastructure Proxy Certificate Profile”, IETF, 2002. 201 H. Petersen and P. Horster, “Self-certified keys – Concepts and Applications”, In Proc. Communications and Multimedia Security’97, pages 102– 116, Chapman & Hall, 1997. 201, 205 Public-Key Infrastructure (X.509) (pkix), http://www.ietf.org/html.charters/pkix-charter.html 199, 200, 210 Request for Comments, An Internet Attribute Certificate Profile for Authorization (RFC 3281), IETF, 2002. 210 D. Pointcheval and J. Stern, “Security Proofs for Signatures”, Advances in Cryptology: Eurocrypt’96, pages 387–398, Springer, 1996. 205, 209 D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures”, Journal of Cryptology, Vol. 13, No. 3, pages 361–396, Springer-Verlag, 2000. 204, 205, 209 A. Shamir, “Identity-based cryptosystems and signature schemes”, Advances in Cryptology: Crypto’84, LNCS 196, Springer-Verlag, pages 47–53, 1985. 200

Identity Based Authenticated Group Key Agreement Protocol K.C. Reddy1 and Divya Nalla2 1

AILab, Dept of Computer/Info. Sciences, University of Hyderabad Gachibowli, Hyderabad, 500046, India [email protected] 2 Center

for Distributed Learning (APSCHE) IIITcampus, Gachibowli, Hyderabad, 500046, India

[email protected]

Abstract. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI. Keywords: Key Agreement, group Key Agreement, elliptic curves, Weil pairing, cryptography, Identity based, ID-based, Diffie-Hellman, Key Agreement Protocols, key trees, one-way function trees.

1

Introduction

Asymmetric Key Agreement Protocols are multi-party protocols in which entities exchange public information allowing them to create a common secret key with that information. This secret key is known only to those parties which are involved in the key generation and which cannot be determined by any external entity. An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. Many of these newly distributed and other inherently collaborative applications need secure communication. However, security mechanisms for collaborative, Dynamic Peer Groups (DPGs) tend to be both expensive and unexpectedly complex. A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 215-233, 2002.  Springer-Verlag Berlin Heidelberg 2002

216

K.C. Reddy and Divya Nalla

A huge number of two party key agreement protocols have been proposed [2]. The situation where three or more parties share a secret is often called Conference Keying [9]. Boneh and Franklin [7] and Cocks [5] have proposed two Identity based (IDbased) encryption systems which allow the replacement of a Public Key Infrastructure (PKI) with a system where the public key of an entity is given by its identity, and a Key Generation Center (KGC) helps in generating the private key. Cocks' system is based on the Quadratic Residue theorem whereas Boneh and Franklin's system is based on the Weil Pairing. A two pass Identity based (ID-based) Authenticated key agreement protocol based on Weil pairing has been proposed in [13]. Joux [1] proposed a tripartite generalisation of the Diffie-Hellman protocol using the Weil and Tate pairings. Joux's protocol for tripartite Key Agreement has been modified in [15] to provide authentication by including certificates. Tripartite ID-based authenticated key agreement protocols are proposed in [8]. One-Way function trees (OFTs) can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying was first proposed by Sherman in [6], though the idea of using OFTs is not a new one. Merkle [10] proposed an authentication method based on such trees. Fiat and Naor [12] used a one-way function in a top-down fashion in their group keying method for the purpose of reducing the storage requirements of information theoretic group key management. Any two party key agreement protocol satisfying some specific properties [6] can be extended to an n-party key agreement protocol using one-way function trees. Treebased Group Diffie-Hellman (TGDH) [17] is one such protocol which extends the Diffie-Hellman protocol to a group key agreement protocol using one-way function trees. Appendix D provides a comparison [16] of TGDH with other contributory group key agreement protocols STR [16], BD [9], and GDH.3 [11] resulting in a conclusion that TGDH protocol works best in both LAN and WAN settings compared to these protocols i.e., more communication efficient. Hence, using the approach of TGDH for group membership operations is more advantageous. This paper extends the Identity based two-party authenticated key agreement protocol to an authenticated group key agreement protocol, using the one-way function trees to generate the first ID-based group key agreement protocol. The extension is not as obvious as it seems to be. In TGDH protocol, the key generated at one level is directly used to generate the key for the next level since it only needs to do modular exponentiation of the key with the blinded key of the sibling node. But in the new protocol, the key generated by the ID-based authenticated key agreement protocol has to be transformed into some value, that can be used to calculate the key at the next level. Hence, a new function called the transformation function is defined to do this operation. Single or multiple join and leave operations are common in group communication. Coping with group partitions (multiple member leave) and merges (multiple member join) is considered to be a crucial component of group key agreement. Hence these issues are also dealt in the new protocol. The main advantage of this protocol over TGDH is that this protocol is ID-based. Authentication is implicit in this ID-based protocol, and hence this protocol can be named Identity-based Authenticated Group Key Agreement protocol (ID-AGKA).

Identity Based Authenticated Group Key Agreement Protocol

217

The protocol has the novel property that the key generation center is able to recover the agreed session keys from the message flows and its secret key s. And hence, this allows for an efficient ID-based escrow facility. This would enable law enforcement agencies to decrypt messages encrypted with the group keys, after having obtained the necessary warrants. If this property is not desired, or, if a single KGC is not desirable, multiple KGCs can be used where each one of them generates a part of the private key. These parts are then combined by the user to obtain his/her private key. The paper is organised as follows. The next section gives insight into Identity based public-key cryptosystems. Section 3 describes the One-way function trees and the tree based group Diffie-Hellman protocol. The Weil pairing is defined in section 4. The new ID-based group key agreement protocol is discussed in section 5. Section 6 discusses the security properties of the new protocol, and section 7 concludes the paper. Appendix A lists out the advantages of an ID-based system, Appendix B describes the two-party ID-based authenticated key agreement protocol. The desirable group key agreement protocol properties are listed in Appendix C. Appendix D provides the comparison of TGDH with other contributory key agreement protocols.

2

Identity-Based Public Key Cryptosystem

Problems with the traditional Public Key Crypto systems (PKCs) are the high cost of the infrastructure needed to manage and authenticate public keys, and the difficulty in managing multiple communities. Whilst ID-based PKC will not replace the conventional Public Key Infrastructures (PKIs), it offers easier alternative solutions to some of these problems. In ID-based PKC, everyone's public keys are predetermined by information that uniquely identifies them, such as their email address. This concept was first proposed by Shamir [4]. Shamir's original motivation for ID-based encryption was to simplify certificate management in e-mail systems. When Alice sends mail to Bob at [email protected] she simply encrypts her message using the public key string [email protected]. There is no need for Alice to obtain Bob's Public Key Certificate. When Bob receives the encrypted mail he contacts the KGC. He authenticates himself to the KGC and obtains his private key from the KGC. Bob can then read his e-mail. Unlike the existing secure e-mail infrastructure, Alice can send encrypted mail to Bob even if Bob has not yet setup his Public Key Certificate. It should be noted that key escrow is inherent in ID-based systems since the KGC knows Bob's private key. For various reasons, this makes implementation of the technology much easier, and delivers some added information security benefits. ID-based PKC remained a theoretical concept until [5] and [7] were proposed. An ID-based system requires a trusted KGC. The KGC generates the private keys of the entities in the group using the public key, which in turn is based on the identity of the entity. Since a single authority for key generation may present an obvious point of compromise or system failure, and it can masquerade as any given entity, it is split into two or more cooperating parties. The authorities perform a one-time set-up in order to share the system secrets in a secure manner. The user proves itself to each

218

K.C. Reddy and Divya Nalla

authority. Each authority then returns its part of the private key. The user combines these parts to obtain his private key. This provides more security as the private key remains split until use. We can also have n-authorities in the system wherein no n-1 of them can generate a key or compromise the system. With traditional PKI, sending the message implies that the recipient can read it since the private key must exist. This is not true in ID-based PKC. In ID-based PKC, the system (rather than the user / sender) determines whether the recipient is able to read a particular message. Another advantage is that, since the associated private key doesn't necessarily exist, these conditions need not be pre-arranged and can be ephemeral down to a single transaction. ID-based PKI has simple procedure of managing public key list, it has advantages such as automatic key escrow/recovery [7]. Also when the whole ID-based scheme is used by one user, it can be applied for delegation of duties [7] on encryption and proxy signatures in signature. Sometimes key escrow may not be desirable. Also, the key generation center is required to be a trusted authority, and there is computational overhead using pairings (for ID-based encryption and key agreement). Despite these debating issues, the IDbased scheme has many useful applications such as email system, Intranet PKI, and mobile PKI ID-based two party key agreement protocol has been proposed by Smart [13]. This paper extends this protocol to an n-party protocol.

3

One-Way Function Trees

This section discusses the One-way function trees (OFTs), and the OFT algorithm for key establishment in dynamic groups [6]. Diffie-Hellman(DH) protocol is extended to a group key agreement protocol using OFTs [17]. From this section, it can be concluded that, any two-party key agreement protocol can be extended to an n-party key agreement protocol. 3.1

Notations N Mi h

T BKi* p, q

– number of group members – i-th group member; i ∈ { 1, 2,…… N} – height of the tree – v-th node at level l in a tree – A subtree rooted at node – set of Mi s blinded keys – prime integers

G

– unique subgroup of

A A

Z *p of order q

→ B : m - A sends message m to B → * : m - A broadcasts message m

The root is located at level 0 and the lowest leaves are at level h. Each node is associated with the key k and the blinded key BK (explained later)

Identity Based Authenticated Group Key Agreement Protocol

3.2

219

One-Way Function Tree (OFT) Algorithm for Key Establishment

One-Way function trees can be used to compute a tree of keys. The keys are computed up the tree, from the leaves to the root. The bottom-up use of OFTs for group keying, was first proposed by Sherman in [6]. In an OFT, the group manager maintains a binary tree, each node x of which is associated with two cryptographic keys, a node key kx and a blinded key kx' = g (kx). The blinded node key is computed from the node key using a one-way function g; it is blinded in the sense that computing kx from kx’ is a computationally Hard problem. Interior nodes of the tree has exactly two leaves. Every leaf of the tree is associated with a group member. The group manager assigns a randomly chosen key to each member, securely communicates this key to the member (using an external secure channel), and sets the node key of the member's leaf to the member's key. The interior node keys are defined by the rule kx = f(g(kleft(x)), g(kright(x))) ……………..(Rule1) where left(x) and right(x) denote the left and right children of the node x. The function g is a one-way function and the function f is a mixing function. Property 1: The function g is one-way, given g(x), it is computationally infeasible to find x with any non-negligible probability. Property 2: Given a sequence x0 , x1 , ……. , xl-1 , it is computationally infeasible to find kl with any non-negligible probability, where ki+1 = f(xi, g(ki)), and k0 is chosen at random, for any l less than some value lmax. Property 1 makes it impossible to find a node key kx given the blinded key kx' = g (kx). Property 2 makes it impossible for a member who has left the group, whose distance to the root is less than lmax , to find any node key. When a new member is added to the group, or an existing member of the group leaves, the key values of some of the members change, to change the group key. The security of the system depends on the fact that each member's knowledge about the current state of the key tree is limited by the following invariant: System invariant: Each member knows the unblinded node keys on the path from its node to the root, and the blinded node keys that are siblings to its nodes on the path to the root, and no other blinded or unblinded keys. Definition: The OFT method is secure if it is computationally infeasible for an adversary to compute any unblinded node key with non-negligible probability [6]. Thus, from the above properties, and the rule for defining the interior node keys, the group key computed using OFTs satisfies the group key secrecy property, and provides complete forward and backward secrecy (defined in Appendix C). The algorithm provides complete forward and backward secrecy: newly admitted members cannot read previous messages, and members deleted from the group cannot read future messages. Any key agreement protocol in which the key is computed using the rule (Rule 1 defined above, where f and g satisfy the above properties) can use the OFT method to support group key agreement.

220

K.C. Reddy and Divya Nalla

In the OFT method, the functions f and g can be any functions which satisfy the above properties. These functions are replaced by the DH protocol (where we use modular exponentiation function for both f and g), and the TGDH protocols are generated. This is discussed in the next subsection. Similarly, these functions can be replaced by the ID-based two-party key agreement protocol to obtain an ID-based group key agreement protocol. But this cannot be done directly. Some functions are required in between key computations for different levels. These functions are defined and the ID-based twoparty key agreement protocol is extended to ID-AGKA in section 5. 3.3

Tree-Based Group Diffie-Hellman Protocol (TGDH)

Key trees have been suggested in the past for centralised group key distribution systems. TDGH [17] protocols make use of key trees in fully distributed contributory key agreement. Key trees are used in fully distributed contributory key agreement. The concept of a key manager does not exist here. Hence, the members select random secret values for themselves. The root is located at level 0 and the lowest levels are at level h. Binary trees are used here and hence every node is either a leaf or a parent of two nodes. The nodes are denoted by where 0 ≤ v ≤ 2l − 1 since each level l hosts at most 2l nodes. Each node is associated with the key k and the blinded key (Bkey) BK = f (k) where the function f(k) = αk mod p. Assuming a leaf node hosts the member Mi , the node has Mi's session random key K. Furthermore, the member Mi at node knows every key along the path from to , referred to as the key-path and denoted KEYi*. Every key k is computed recursively as follows:

k< l , v > = ( BK ) = ( BK ) =α

k

k

k k

mod p mod p

mod p

= f ( k , k )

Co-path COi* is the set of siblings of each node in the key-path of member Mi. Consequently, every member Mi at leaf node can derive the group secret k from all Bkeys on the co-path COi* and its session random k.. A group key can be computed from any member's secret share (i.e., any leaf value) and all Bkeys on the co-path to the root. For a point-to-point session, the costs of session establishment and key distribution are incurred just once, at the beginning of the session. A group session, on the other hand, may persist for a relatively long time with members joining and leaving the session. After a join, the new member should not come to know the old group keys, and after a leave, the member should not be able to compute future group keys. Large groups whose members join and leave frequently pose a problem since the keys have to be computed frequently. Hence, there is the need for concentration on issues of frequent changes, and the associated scalability problem for large groups. In TGDH, in case of an additive change (join or merge), all group members identify a unique sponsor. This sponsor is responsible for updating its secret key

Identity Based Authenticated Group Key Agreement Protocol

221

share, computing affected [key, Bkey] pairs and broadcasting all Bkeys of the new tree to the rest of the group. The common criteria for sponsor selection is determined by the tree maintenance criteria [17]. ID-AGKA protocol proposed in this paper follows the same approach as the TGDH protocols in dealing with these issues. A complete Group Key Agreement solution should support adjustments to the group key for any membership change in the group. There can be four types of membership changes: Join, Leave, Merge (multiple join or addition of groups), Partition (multiple leaves or splitting a group into smaller groups). TGDH protocol suite addresses these four types of membership changes.

4

The Weil Pairing

The modified Weil pairing which forms the basis for the ID-based Key Agreement protocols is defined here. Definition: Let G be a subgroup of the group of points on the Elliptic curve E over the finite field Fq . Let the order of G be denoted by l and define k to be the smallest integer such that l / qk –1 (this implies that there exists a unique subgroup of Fq* of k

order l). In practical implementations we will require k to be small and so we will usually take E to be a super singular curve over Fq The modified Weil pairing [13] is a map eˆ : G × G → Fq* which satisfies the k

following properties: 1.

Bilinear eˆ( P1 + P2 , Q ) = eˆ( P1 , Q ).eˆ( P2 , Q ) eˆ( P, Q1 + Q2 ) = eˆ( P, Q1 ).eˆ( P, Q2 )

2. 3.

i.e., eˆ( aP, bQ ) = eˆ( P, Q ) ab where a, b ∈ Z q* Non-Degenerate There exists a P∈G such that eˆ( P, P ) ≠ 1 Computable: One can compute eˆ( P, Q ) in polynomial time.

The non-degeneracy defined here does not hold for the standard Weil Pairing e( P, Q ) . A more comprehensive description is provided in [6].

5

ID-Based Authenticated Group Key Agreement (ID-AGKA)

This section discusses the protocol for Authenticated Group Key Agreement. Knowing the advantages of an ID-based system, it would be advantageous to have ID-based key agreement protocols. Smart [13] proposed an ID-based two party

222

K.C. Reddy and Divya Nalla

authenticated key agreement protocol. ID-based tripartite key agreement protocols are proposed in [8]. Extending the same to a group of n parties would be desirable. Also, authentication is implicit in ID-based protocols, whereas it has to be explicitly dealt with in other key agreement protocols. As seen in section 3.2, the ID-based Authenticated Key Agreement protocol [13] can be extended to an n-party ID-based Authenticated Group Key Agreement protocol (ID-AGKA). Key trees are used in fully distributed contributory key agreement. Binary trees are used in this case. The leaves in the tree represent the members of the group, and every other node is a parent of two child nodes. The key associated with this node represents the common key for its two child nodes. The same rule applies to all the non-leaf nodes in the tree. Thus the key associated with the root node becomes the group key, or the common key for all the members in the group. 5.1

Assumptions

Suppose G is a subgroup of an Elliptic curve for which the modified Weil Pairing eˆ maps into the finite field Fq . The following properties are assumed. k

• • • •

•

k

q is large enough to make solving discrete logarithms in a finite field infeasible Elliptic curve contains a large prime subgroup of order l such that solving discrete logarithms in the subgroup of order l is also infeasible. Let V: Fq

* k

→ {0, 1}* is the key derivation function [13]. Such functions can

be readily found in a number of documents. A function H: {0, 1}* → G is also assumed. It denotes a cryptographic hash function. It is generally used to compute the public keys of the members using their identities (which are binary strings). Another hash function H' : {0, 1}* → {0, 1}* is defined. Another important function is defined, which is required to extend the twoparty ID-based protocol to a group key agreement protocol is a transformation function ft defined as f t : Fq* → Z q* . This function is applied over the keys k

associated with the intermediate nodes, to obtain a value, which can be used as the ephemeral private key for the next higher level.

5.2

System Settings

The Key Generation Center chooses a secret key s ∈ {1,….. l-1}. The KGC produces a random P∈G and computes PKGC =[s]P. Then the KGC publishes (P, PKGC): - When a user with identity ID wishes to obtain a public/private key pair, the public key is given by

QID = H (ID)

Identity Based Authenticated Group Key Agreement Protocol -

223

And the KGC computes the private key SID = [s] QID

The (public, private) key pair of the user is given by (QID ,SID) This calculation can be performed using multiple key generation centers, each generating a part of the private key. These are combined by the user to obtain his/her private key. 5.3

Protocol

Figure 1 shows an example of a key tree. Computation of the group key for this tree is as follows. First, A and B compute the common key associated with node by using the IDbased authenticated key agreement protocol by Smart [13]. The two party authenticated ID-based key agreement protocol is described in Appendix B.

A and B choose random values,

*

a , b ∈ Z q , and exchange the values

TA = T< 2,0 > = [ a ]P and TB = T< 2 ,1> = [ b ] P respectively. These two values are called the ephemeral (temporary) public values of A and B whereas, a, and b are their ephemeral private keys.

Fig. 1.

The key computed by A is a

k AB = k = eˆ ([ a ]QB , PKGC ).eˆ( S A , TB ) = eˆ(QB ,[ s ]P ) .eˆ([ s ]QA ,[b ]P ) as

= eˆ(QB , P ) .eˆ(QA , P )

bs

s

= eˆ(QB , TA ) .eˆ(QA , TB )

s

= eˆ([ s ]QB ,[a ]P ).eˆ([b]QA ,[ s ]P ) = eˆ([b]QA , PKGC ).eˆ( S B , TA ) = k BA Thus, A can compute the key associated with its parent node if it knows the identity of B: QB and the ephemeral public key of B: TB . The pair (Q , T ) is called the blinded key or Bkey of B. Similarly, C and D also compute the key associated with the node . These computations are shown in table 1. B

B

224

K.C. Reddy and Divya Nalla Table 1.

A

B

C

D

The public key QA is sent The public key QB is sent The public key QC is sent The public key QA is sent to the KGC to get the to the KGC to get the to the KGC to get the to the KGC to get the private key private key private key private key

S B = [ s ]QB

S A = [ s ]QA

SC = [ s ]QC

S D = [ s ]QD

selects a random value selects a random value selects a random value selects a random value

a ∈ Z q*

b ∈ Z q*

Compute

TA = [a ]P

compute

c ∈ Z q* TB = [b]P

d ∈ Z q*

compute

TC = [c ]P

compute

TD = [ d ]P

Exchange TA and TB

TA = [a ]P

TC = [c ]P TB = [b]P

TD = [ d ]P

eˆ ([ a ]Q B , PKGC ).eˆ ( S A , TB )

eˆ ([ b ]Q A , PKGC ).eˆ ( S B , TA )

eˆ ([ c ]QD , PKGC ). eˆ ( S C , TD )

eˆ ([ d ]QC , PKGC ).eˆ ( S D , TC )

= k AB

= k BA

= k CD

= k DC

The value kAB or kCD is never used directly as a cryptographic key for the purpose of encryption. Instead, such special-purpose sub-keys are derived from the group secret, eg. by setting Key=V(k). The secret key associated with the node , Key = V ( k ) . Thus, the secret key at each node would be a binary string. A function f t : Fq* → Z q* is applied k

over the value k to obtain k ' ∈ Z q* . A, B and C, D compute k ' and k ' respectively. These two values act as the ephemeral private values at this level. These values are used to compute the keys at the next higher level. At this level, each node requires a public and a private key pair. The public key is obtained by adding the public values of its two children, and taking the hash of that value. The public value is then sent to the KGC to obtain its private counterpart. Table 2.

AB

CD

The public key QAB= QBA=H' (QA+QB )is sent to the KGC to get the private key

The public key QCD=QDC= H' (QC+QD )is sent to the KGC to get the private key

S AB = [ s ]QAB

SCD = [ s ]QCD

Compute kAB’ = ft (kAB)

Compute kCD’ = ft (kCD)

Compute

'

TAB = [ k AB ]P

Compute

'

TCD = [ kCD ]P

Exchange TAB and TCD '

TAB = [ k AB ]P '

TCD = [ k CD ]P '

eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD )

'

eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB )

Identity Based Authenticated Group Key Agreement Protocol

The

node

will

have

a

public

value

225

Q = H ′(Q< 2 ,0 > + Q< 2 ,1> ) or

QAB = H ′(QA + QB ) . The KGC computes the private key SAB or S = [ s ]Q from

Q. At node , A does these computations and computes the key at using the identity at the node , Q or QCD, and the ephemeral public key at , T or TCD (as shown in table 2). The pair (Q , T ) is the Bkey of . A and B compute '

k ABCD = eˆ([ k AB ]QCD , PKGC ).eˆ( S AB , TCD ) '

= eˆ([ kCD ]QAB , PKGC ).eˆ( SCD , TAB ) = k CDAB which is computed by C and D.

A can compute the group key, i.e., the key at the root node, if it knows every key along the path from to , referred to as the key-path in section 3, and every Bkey along its Co-path (set of all siblings of all the nodes on the key path) {, }. Similarly, each member in the group can compute the group key if it knows all the blinded keys along its Co-path. For any node in the key tree, the key is given by V(k) where k< l , v > = eˆ([ k ']Q , PKGC ).eˆ( S , T< l +1,2 v +1> ) = eˆ(Q , P )

s . k '

.eˆ(Q , P )

s . k '

= eˆ(Q , Tk ' ) s .eˆ(Q , Tk ' ) s = eˆ([ k ']Q , PKGC ).eˆ( S , T ) and k< x , y > ' = f t ( k< x , y > ) . Assuming an n-party group {M1, M2, …….Mn }, every member Mi at leaf node can derive the group secret k from all the secret keys on the key path, and all the Bkeys on its Co-path. Thus, every key computation involves two Elliptic curve scalar multiplications and two Weil pairings. It can be noted that, instead of including the identity of the node QID in the Bkey, if the KGC knows the key tree structure, it can compute the identities associated with all the nodes in the key tree and send the required secret keys to the corresponding nodes when requested. This would reduce some of the redundant computations. In figure 1, to compute the key associated with the node , the identity QAB = H' (QA + QB) is required. This value is computed by A and B separately, to compute kAB and kBA respectively. This computation can be done only once by the KGC instead of being computed twice by both the members. This computation of the Identities associated with the nodes becomes more redundant at higher levels in the key tree i.e., the same value may have to be computed by more members. Hence computation of the identities associated with the non-leaf nodes by the KGC would be a desirable property. Single or multiple Join or leave operations are common in a group communication. These situations have to be taken care of in a group key agreement solution. The basic idea here is that after any group membership event, every member unambiguously

226

K.C. Reddy and Divya Nalla

adds or removes some nodes related with the event, and validates all the keys and blinded keys related with the affected nodes. A special group member (the sponsor) then, computes the keys and blinded keys and broadcasts the new key tree to the group. The sponsor and the insertion location (in the case of an additive event) are decided by the tree management policy [17]. 5.4

Adding or Deleting a Member in the Key Tree

Firstly, whenever a user Mn+1 wants to join the existing group {M1, M2, …….Mn}, it broadcasts a join request (containing its Bkey) to all the group members. Every member then updates the key tree by adding the new member node and the intermediate node (new member is added at the rightmost shallowest node to maintain the tree height).

Fig. 2. Join operation

Fig. 3. Leave operation

When a new member joins the group, an existing leaf node x is split, the member associated with x is now associated with left(x) and the new member is associated with the right(x). The new member would be having a new long term public/private key pair (private key obtained from the KGC using his ID as public key) and a new ephemeral public/private key pair. The old member should change his ephemeral public key (by choosing a new ephemeral private key), since its former sibling knows its old blinded key, and could use this information in collusion with another member

Identity Based Authenticated Group Key Agreement Protocol

227

in the group to find an unblinded key that is not on his path to the root. This member is called the sponsor. The sponsor, after updating the tree, computes the group key since it knows all the necessary blinded keys. After computing the group key, the sponsor broadcasts the new tree, which contains the blinded keys which have been changed after the join. The whole tree information has to be sent to the new member. When the member associated with the node y is removed from the group, the member assigned to the sibling of y is reassigned to the parent p of y and given a new leaf key value (ephemeral key). If the sibling s of y is the root of a subtree, then p becomes s, moving the subtree closer to the root, and one of the leaves of this subtree is given a new ephemeral key (so that the deleted member no longer knows the blinded key associated with the root of the subtree). The sponsor in this case is the rightmost leaf node of the subtree rooted at the leaving member's sibling node. The sponsor picks up a new secret share, computes all keys on its key path up to the root, and broadcasts the new set of blinded keys to the group which allows all members to recompute the new group key. 5.5

Merge and Partition

Suppose there are two merging groups. In the first round, each sponsor (the rightmost member of each group) broadcasts its tree (with all Bkeys) to the other group after updating the secret share of the sponsor and relevant information (key, Bkey) pairs up to the root node. Upon receiving these messages, all members can uniquely and independently determine how to merge the trees by tree management policy [17]. The merge position is the rightmost shallowest node, which does not increase the tree height. If the two trees have the same height, we join one tree to the root node of the other tree. The rightmost member of the subtree rooted at the merge point becomes the sponsor of the key update operation. The sponsor, then, takes on the role of computing the keys, and the blinded keys and broadcast the entire tree with the blinded keys to all the other members. All the members now have the complete set of blinded keys, which allows them to compute all the keys on their key path. A partition in the key tree would be as follows. In the first round, each member updates its view of the key tree by deleting all leaf nodes associated with partitioned members and (recursively) their parent nodes. All leaving nodes are sorted by depth order. Starting at the deepest level, each pair of leaving siblings is collapsed into its parent, which is then marked as leaving. This node is then re-inserted into the leaving nodes list. The above is repeated until all leaving nodes are processed, i.e., there are no more leaving nodes that can be collapsed. The resulting tree has a number of leaving (leaf) nodes but every such node has a remaining sibling node. Each of these sibling nodes becomes a sponsor. Each sponsor now computes the keys and Bkeys on the key-path as far up the tree as possible. Then, each sponsor broadcasts the set of new Bkeys. Upon receiving the new broadcast, each member checks whether the message contains new Bkeys. This procedure iterates until all members obtain the group key. To prevent reuse of the old group keys, one of the remaining members (the shallowest rightmost sponsor) changes its key share. In the first protocol round, the shallowest rightmost sponsor changes its share.

228

K.C. Reddy and Divya Nalla

6

Security Analysis

This section analyses the security properties and communication and computation costs for join, leave, merge, and partition protocols of ID-AGKA, comparing with the TGDH protocol. In case of a join or a merge operation, the sponsor selects a new key, so that its former siblings who know its blinded key could not use this information in collision with another members in the group to find the group key. Similarly, even in a leave or a partition operation, the sponsor selects a new ephemeral key before broadcasting the changed Bkeys to the other group members. Thus, the protocol maintains both forward secrecy and backward secrecy. Implicit key authentication is provided in the protocol as it is ID-based. The protocol is contributory since each party equally contributes to the group key. The message flows are similar for all the group membership operations (join, leave, merge, and partition) in both TGDH and ID-AGKA protocols, as both the protocols use the same approach. Communication wise, ID-AGKA incurs more cost in the sense that every time a secret key is required for a node, the identity (ID) associated with that node is sent to the KGC, and the KGC sends back the secret key for that ID. This cost can be reduced by giving the key tree information to the KGC, and, as described earlier in section 5.3, the KGC would compute the identities for the intermediate nodes and send all the secret keys related to a single member at once. This would increase the responsibility and the computations at the KGC. The computation cost would definitely be different in both the protocols since the base protocol used is different for both the protocols. Weil pairings, and scalar multiplications over elliptic curves are the basic computations in ID-AGKA whereas TGDH uses modular exponentiations. In ID-AGKA protocol, every key computation involves two elliptic curve scalar multiplications, and two Weil pairings. Computation of blinded keys involves one elliptic curve multiplication. Whereas in TGDH, computation of the blinded key costs one modular exponentiation, and computation of the key also costs one exponentiation. Since evaluating a Weil pairing is a costly operation, this protocol would be an expensive one. Computation cost would not be a constraint in the present world as the computational costs are decreasing day by day. In ID-AGKA, the cost increases, but with an improved security since Elliptic curves provide high security with smaller key lengths [3]. ID-based systems require a trusted KGC. One major attribute of the ID-AGKA protocol is that it is an ID-based system, and does not require computation of signatures, or verifications. ID-based systems simplify key management procedures in certificate-based PKI. However, TGDH requires a deployed PKI so as to authenticate the long- term public keys. In a traditional PKI deployed system, any member wishing to join a group is required to obtain a certificate from the certifying authority, whereas in an ID-based system, this is not required. New users can join the group at any time, and get a private key at that point of time from the KGC. Thus, ID-based systems allow more dynamism. This is another advantage of ID-AGKA. Having studied the advantages of the ID-AGKA protocol, even though the cost increases when compared to TGDH, it would be more desirable to incorporate ID-

Identity Based Authenticated Group Key Agreement Protocol

229

AGKA protocol for improved security. And also, the initial cost of deploying a PKI is null in ID-AGKA protocol.

7

Conclusions and Future Work

A key establishment protocol using one-way function trees is proposed in [6]. It is shown in section 3 that any key agreement function satisfying some given properties can be extended to a group key agreement protocol using one-way function trees. The tree-based group Diffie-Hellman protocol is explained and the four membership change operations (join, leave, merge and partition) are studied for this protocol. The first ID-based group key agreement protocol is proposed based on the twoparty ID-based authenticated key agreement protocol [13] and the one-way function trees. A new transformation function is defined, which is required in generating keys at any level, from a lower level key in the key tree. The protocol has been analysed for performance and it is found that the base computation and communication costs are slightly more than TGDH, but at the same time with an advantage of increased security and saving the cost of deploying a PKI. Key authentication is also provided implicitly in the protocol as it is ID-based which is not the case with TGDH. Also, ID-AGKA protocol is seen to be more dynamic as it is ID-based and not certificate based. The protocol has to be implemented and tested against various other existing group key agreement protocols.

References [1]

[2] [3] [4] [5] [6] [7]

Joux.: A one round protocol for tripartite Diffie-Hellman. In W. Bosma, editor, Proceedings of Algorithmic Number Theory Symposium. ANTS IV, volume 1838 of Lecture notes in Computer Science , pages 385-394, Springer-Verlag, 2000. Menezes, P.C. Van Oorschot, and S. Vanstone.: Handbook of Applied Cryptography. CRC Press, Boca Raton, 1997. Menezes.: Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, 2001. Shamir.: Identity based cryptosystems and signature schemes. Advances in Cryptology – Proceedings of Crypto'84. Cocks.: An Identity based encryption scheme based on quadratic residues. Cryptography and Coding, 2001. D.A. McGrew and A.T. Sherman.: Key establishment in large dynamic groups using one-way function trees. Manuscript, 1998. Boneh and M. Franklin.: Identity-based encryption from the Weil Pairing. In Advances in Cryptology – CRYPTO 2001, Springer-Verlag LNCS 2139, 213229, 2001.

230

K.C. Reddy and Divya Nalla

[8]

Divya Nalla, K.C. Reddy.: ID-based tripartite Key Agreement protocol from pairings, Submitted . M. Burmester and Y. Desmedt.: A secure and efficient conference Key distribution system. In A. De Santis, editor, Advances in Cryptology EUROCRYPT '94, Workshop on the theory and Application of Cryptographic Techniques, volume 950 of Lecture notes in Computer Science, pages 275286, Springer-Verlag, 1995. Merkle, Ralph.C. Secrecy.: Authentication and public-key cryptosystems, Technical Report No. 1979-1, information systems laboratory, Stanford University (Palo Alto, CA, 1979). M. Steiner, G. Tsudik, and M. Waidner.: Key agreement in Dynamic Peer Groups, IEEE Transactions on Parallel and Distributed Systems, August 2000. Fiat, Amor, and Moni Naor: Broadcast encryption, in Advances in Cryptology: Proceedings of Crypto 93, D.R.Stinson, ed., LNCS 773, Springer-Verlag (1993), 481-491. N.P. Smart.: An Identity based authenticated Key Agreement protocol based on the Weil Pairing. Cryptology ePrint Archive, Report 2001/111, 2001. http://eprint.iacr.org/. R. Sakai, K. Ohgishi, and M. Kasahara: Cryptosystems based on pairings. In SCIS 2000, 2000. Sattam S. Al-Riyami, Kenneth G. Paterson: Authenticated Three Party Key Agreement Protocols from Pairings, Information security group, Royal Holloway, University of London, March 2002. Y. Kim, A. Perrig, and G. Tsudik: Communication-efficient group key agreement. In Information systems Security, Proceedings of the 17th International Information Security Conference IFIP SEC'01, 2001. Y. Kim, A. Perrig, and G. Tsudik.: Simple and fault tolerant key agreement for dynamic collaborative groups, in Proceedings of 7th ACM Conference on Computer and Communications Security, pp. 235-244, ACM Press, November 2000.

[9]

[10]

[11] [12]

[13]

[14] [15]

[16]

[17]

Appendix A A. Applications of ID-Based Encryption

The original motivation for ID-based encryption is to simplify certificate management in e-mail systems i.e., to help the deployment of PKI. Several other applications are shown below. A.1 Revocation of Public Keys

Public Key Certificates contain a preset expiration date. In an ID-based system key expiration can be done having Alice encrypt e-mail sent to Bob using the public Key: "[email protected] || current-year". In doing so Bob can use his private Key during the current year only. Note that unlike the existing traditional PKI, Alice does not need to obtain a new certificate from Bob every time Bob refreshes his certificate.

Identity Based Authenticated Group Key Agreement Protocol

231

The public Key can be made [email protected] || current-date so that the private Key needs to be refreshed every day. Key revocation would be simpler in this scenario. A.2 Delegation of Decryption Capabilities

Another application for ID-based systems is delegation of decryption capabilities. Two examples can be considered. In both these applications the user Bob plays the role of a KGC. Bob generates his own ID-based system parameters (his public Key) and his own master Key. Bob obtains certificate from a CA for his public Key. When Alice wishes to send mail to Bob, she first obtains Bob's public Key from Bob's Public Key Certificate. Note that Bob is the only one who knows his master Key and hence there is no Key escrow with this setup. Delegation to a laptop: Suppose Alice encrypts mail to Bob using the current date as the ID-based encryption parameter. Suppose Bob goes on trip for 3 days. Normally, Bob would put the private key on his laptop and if the laptop is stolen his private Key is compromised. But in ID-based system, Bob could simply install three private Keys corresponding to the three days on his laptop. If the laptop is stolen, only those three Keys are compromised. Delegation of duties: Suppose Alice encrypts mail to Bob using the subject line as the ID-based encryption Key. Bob can decrypt the mail using his master Key. Now, suppose Bob has several assistants each responsible for a different task. Bob gives one private key to each of his assistants depending on their responsibility. Each assistant could then decrypt only those messages whose subject line falls within its responsibilities, but it cannot decrypt messages intended for other assistants. Note that here Alice obtains a single public Key to send mail with any subject line of her choice.

Appendix B B. ID-Based Two Party Authenticated Key Agreement Protocol B.1 Protocol

Suppose two users A and B wish to agree on a Key. We denote the private keys of these users by S A = [ s ]QA and S B = [ s ]QB respectively, which have been obtained from the Key Generation Center (KGC) by sending their identities QA and QB. Each user generates an ephemeral private key, say a and b. The data flows of the protocol are as follows. A → B : TA = [ a ]P ; B → A : TB = [b ] P User A then computes k A = eˆ([ a ]QB , PKGC ).eˆ( S A , TB ) and user B computes k B = eˆ([b]QA , PKGC ).eˆ( S B , TA ) k A = k B = k AB = eˆ([ a ]QB + [b ]QA ,[ s ]P )

232

K.C. Reddy and Divya Nalla

Hence the shared secret depends on the identities QA, QB of the two parties, the secret Key s of the Key generation center and the two ephemeral Keys a, b. The KGC can thus compute the key kAB from the message flows and the secret key s, and hence the ID-based escrow facility is possible. The protocol requires each party to compute two elliptic curve multiplications and two Weil pairings and provides the following security properties: • •

Known Key security Forward secrecy: Note, however that compromise of the Key generation centre’s long term secret s will allow anyone to compute the Key via s s eˆ(QB , TA ) .eˆ(QA , TB )

To get rid of the "escrow" property of Smart's protocol, the non-interactive key agreement protocol [14] can be used, where the protocol messages are: A → B : [ a ]P ; B → A : [b] P s

And the common key computed is = hash ( abP, eˆ(QA , QB ) ) . The value of s eˆ(QA , QB ) can be pre-computed before the protocol begins. Using this protocol instead of Smart's key agreement protocol reduces the number of computations. But this protocol is vulnerable to man-in-the-middle attack. Hence we prefer using Smart’s protocol in defining our n-party protocol.

Appendix C C. Group Key Agreement Protocol Properties:

A group Key Agreement protocol is required to have the following properties assuming that a group key is changing. Group Key secrecy, Forward secrecy, Backward secrecy, Key Independence, Key Freshness, Contributory, Implicit Key Authentication, Key Integrity Some more desirable properties of a Key Agreement Protocol are: low communication overhead, minimal number of passes and rounds, and role symmetric (messages transmitted and computations performed by all the entities have the same structure). Two important computational attributes also have to be considered for the Key Agreement Protocol: computation overhead and the ability to perform Precomputation. It may be desirable that some computations may be done offline (i.e., pre-computed or computed during the protocol run).

Identity Based Authenticated Group Key Agreement Protocol

233

Appendix D D. Performance Analysis

The following table summarises the communication and computation costs [16] of the four protocols STR [15], BD [8], and GDH.3 [10].

GDH

TGDH

STR

BD

Join Leave Merge Partition Join Leave Merge Partition Join Leave Merge Partition Join Leave Merge Partition

Communication Rounds Messages 4 n+3 1 1 m+3 n+2m+1 1 1 2 3 1 1 log2k +1 2k min 2h (log2p,h) 2 3 1 1 2 k+1 1 1 2 2n+2 2 2n-2 2 2n+2m 2 2n-2p

n - number of members in the group k – number of merging groups

Exponentiations n+3 n-1 n+2m+1 n-p 3h/2 3h/2 3h/2 3h

Computation Signatures 4 1 m+3 1 2 1 log2k +1 min(log2p,h)

Verifications n+3 1 n+2m+1 1 3 1 log2k min(log2p,h)

4 3n/2 + 2 3m+1 3n/2 + 2 3 3 3 3

2 1 2 1 2 2 2 2

3 1 3 1 n+3 n+1 n+m+2 n-p+2

h – height of the key tree p – number of members partitioned from a group of n members.

Construction of Cryptographically Important Boolean Functions⋆ Soumen Maity1 and Thomas Johansson2 1

Theoretical Statistics and Mathematics Unit Indian Statistical Institute, 203 B. T. Road, Calcutta-700108, INDIA [email protected] 2 Department of Information Technology, Lund University P.O. Box 118, S-221 00 Lund, SWEDEN [email protected]

Abstract. Boolean functions are used as nonlinear combining functions in certain stream ciphers. A Boolean function is said to be correlation immune if its output leaks no information about its input values. Balanced correlation immune functions are called resilient functions. Finding methods for easy construction of resilient functions with additional properties is an active research area. Maitra and Pasalic [3] have constructed 8-variable 1-resilient Boolean functions with nonlinearity 116. Their technique interlinks mathematical results with classical computer search. In this paper we describe a new technique to construct 8-variable 1-resilient Boolean functions with the same nonlinearity. Using a similar technique, we directly construct 10-variable (resp. 12-variable), 1-resilient functions with nonlinearity 488 (resp. 1996). Finally, we describe some results on the construction of n-variable t-resilient functions with maximum nonlinearity. Keywords: Boolean function; Balancedness; Nonlinearity; Perfectly nonlinear function; Bent function; Algebraic degree; Correlation immunity; Resiliency; Stream cipher; Combinatorial problems

1

Introduction

Boolean functions have many applications in computer security practices including the construction of keystream generators based on a set of shift registers. Such a function should possess certain desirable properties to withstand known cryptanalytic attacks. Four such important properties are balancedness, correlation immunity, algebraic degree and nonlinearity. The maximum possible nonlinn earity for n-variable functions is known only for even n and equals 2n−1 − 2 2 −1 . Functions achieving this nonlinearity are called bent and were introduced by Rothaus [6]. Correlation immune functions were introduced by Siegenthaler [8], to withstand a class of “divide and conquer” attacks on certain models of stream ciphers. He also investigated the properties of Boolean functions with ⋆

This research was supported by ReX program of Stichting Nlnet, Netherlands.

A. Menezes, P. Sarkar (Eds.): INDOCRYPT 2002, LNCS 2551, pp. 234–245, 2002. c Springer-Verlag Berlin Heidelberg 2002 

Construction of Cryptographically Important Boolean Functions

235

correlation immunity. Recently, a nontrivial upper bound on the nonlinearity of resilient functions was obtained by Sarkar and Maitra [7]. They proved that the nonlinearity of n-variable (n even) t-resilient function is less then or equal n to 2n−1 −2 2 −1 −2t+1 (resp. 2n−1 −2t+1 ) if t+1 ≤ n2 −1 (resp. t+1 > n2 −1). A similar kind of result has been presented independently by Tarannikov [9] and Zheng and Zhang [11]. Construction of resilient Boolean functions achieving the upper bound on nonlinearity is an important research area. Maitra and Pasalic [3] have constructed 8-variable 1-resilient Boolean functions with nonlinearity 116. In this paper, we describe a new technique to construct other 8-variable 1-resilient Boolean functions with nonlinearity 116. We start with an 8-variable bent function f and suitably change some bits in the output column of the truth table of f to get our 8-variable 1-resilient function with nonlinearity 116. Furthermore, using a similar technique, we directly construct 10-variable (resp. 12-variable), 1-resilient functions with nonlinearity 488 (resp. 1996). Finally we provide some results on the construction of n-variable t-resilient functions with maximum nonlinearity.

2

Preliminaries

Let n be any positive integer. An n-variable Boolean function is a map f : {0, 1}n→{0, 1}. These functions play a major role in stream cipher cryptosystems. Boolean functions are used in many different binary keystream generators based on LFSRs. Their purpose in the keystream generators is often to destroy the linearity introduced by the LFSRs. An n-variable Boolean function f (x1 , x2 , . . . , xn ) can be represented as multivariate polynomial over GF (2). That is, f (x1 , x2 , . . . , xn ) can be written as a0 +

n
i=1

ai xi +




aij xi xj + . . . + a12...n x1 x2 . . . xn ,

1≤i