A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes

A Generic Algebraic Model for the Analysis ofCryptographic-Key Assignment Schemes

Sabri and Khedri (FPS 2012)

Dhruv Gairola

Algebraic Methods in CS, Ridha Khedri

[email protected] ; dhruvgairola.blogspot.ca

March 31, 2014

Dhruv Gairola (McMaster Univ.) Sabri and Khedri (FPS 2012) March 31, 2014 1 / 25

Overview

1 Problem and Motivation

2 Brief Mathematical Background

3 Proposed structures

4 Akl-Taylor Technique

5 Generalizing Akl-Taylor

6 Chinese Remainder Technique

7 Verification of security properties

8 Conclusion


Problem and Motivation

Problem : Many key assignment schemes. How to evaluate them?

Crampton et. Al. advocate the adoption of generic key assignmentmodel.

Proposed Solution : Algebraic model to analyse these schemes.

Benefit : asserting correctness in preserving confidentiality of info;better understanding of key assignment.


Brief Mathematical Background

Semigroup : (S , ·) where · is an associative binary operator.

Semiring : (S ,+, ·)(S ,+) is a commutative semigroup with identity 0s

(S , ·) is a semigroup with identity 1s

· distributes over + on the left and right0s is absorbing in (S , ·) i.e., (∀x |x ∈ S : 0s · x = x · 0s = 0s)


Brief Mathematical Background (2)

Poset : (C ,≺) where ≺ is a partial order relation (reflexive, transitive,antisymmetric).

Antisymmetry : x ≺ y ∧ y ≺ x =⇒ x = y

Quasi-ordered set : ≺ is only reflexive and transitive.


Proposed key structure

Key structure : K = (K ,+k , ∗k , 0k , 1k)

Interpretation : +k and ∗k can be seen operators which combiningkeys.

Can represent Cesar cipher, Vigenere cipher, Boyd’s RSA cipher usingthe structure.


Proposed scheme structure

Key assignment scheme : S = (K, C,≺, a)

K is key structure(C ,≺) is poseta ⊆ K → C is an onto function (assignment function)C is the set of security classes

k1 ≺d k2 : info revealed by k1 can also be revealed by k2.


Proposed scheme structure (2)

Given ≺d (key derivation relation) S is said to be :

Cluster secure : low class keys cannot reveal info of higher classesClass secure : cluster secure and (C,≺) is a chainUser secure : scheme contains independent keys s.t. no key can revealinfo that can be revealed from other keys

We have our structure. What about theories? (Axioms are obvious)


Proposed scheme structure (3)

Theories (v is a quasi-order relation):1 k1 ≤k k2 =⇒ k1 v k22 k1 ∗k k2 v k23 k1 v k2 =⇒ k1 +k k3 v k2 +k k34 k1 v k2 =⇒ k1 ∗k k3 v k2 ∗k k35 k v 1k

Now we have structure and theories. We can analyze specific keyassignment schemes and construct models.


Akl-Taylor Technique

Each user assigned a key, ki where ki = κti (mod m).

κ is a private numberm is a product of 2 large primesti is a product of n primes

Key idea : one key can be derived from another.


Akl-Taylor Technique (2)

Simple math : ki = κti (mod m)

(Hint- j:=i) kj = κtj (mod m)(Hint- LHS) κtj (mod m) = (κti )tj/ti (mod m)

(Hint- LHS) (κti )tj/ti (mod m) = ktj/tii

Therefore kj = ktj/tii

Conclusion (key derivation) : kj can be derived from ki iff tj isdivisible by ti


Akl-Taylor Example

Example : ki = κti (mod m), let m = 11× 17 = 187, κ = 13

User i : ki = 135×7(mod 187) = 21User j : kj = 133×5×7(mod 187) = 98

ktj/tii = kj

213(mod 187) = 98


Generalizing Akl-Taylor

The sever that distributes keys determines κ and keeps it private.

Once κ and m are fixed, ti determines ki . This is given by log kilog κ = ti .

We can view ti as the key.

Can we generalize ti? Yes!

ti = {2× 3× 7} can be represented as {{2× 3× 7}} ∈ P(P(Np)) fora fixed κ and m.


Generalizing Akl-Taylor (2)

P = {p1 × ...× pn|∃(p1...pn|pi ∈ Np : ∀(pi , pj |pi , pj ∈ Np : i 6= j =⇒pi 6= pj))}P = {p1 × ...× pn|set of product of different primes)

ti = {2× 3× 7} ∈ P

From example in prev slide, generalized tigen ∈ P(P(Np))


Generalizing Akl-Taylor (3)

Function rep :

rep : P → P(P(Np))rep(p1 × ...× pn) = {{p1 × ...× pn}}

Each user is given a set of keys e.g., {{2× 3× 7}, {2× 11× 17}}.


Model for the key structure

F = (P(P(Np)),+k , ∗k , 0, 1). We have a model for key structure K!

∗k : P(P(Np))× P(P(Np))→ P(P(Np))A ∗k B = {a ∪ b : a ∈ A, b ∈ B}+k : P(P(Np))× P(P(Np))→ P(P(Np))A +k B = A ∪ B


Model for the scheme structure

Generalized Akl-Taylor : S ′ = (F, C,≺, a). Model for S.

In Akl-Taylor (C,≺) is a tree but in generalized Akl-Taylor, (C,≺) canbe a forest.


Generalized Akl-Taylor Usefulness

Useful if we need more than one key per user (e.g., user involved inmore than 1 key assignment scheme).

In Akl-Taylor, “one key can be derived from another” i.e., can weshow κti ≺d κ

tj ?

Use the relators ≺d and v which are present in our scheme S ′.We can use the 5 theories defined in slide 9 to obtain interestingproperties in our Generalized scheme.


Chinese Remainder Theorem

Given r , s ∈ Z+ and a, b are coprime, there ∃N ∈ Z s.t.N ≡ a(mod r) and N ≡ b(mod s).

We can find N using basic algebra.


Chinese Remainder Technique

Uses ideas from the solution procedure for chinese remainder theorem.

Key structure same as Akl-Taylor. Even ∗k ,+k are defined the same.

However, we have k1 ≺d k2 ⇔ k2 v k1 (dual), unlike for Akl-Taylorwhere ≺d and v are the same.


Verification of security properties

Properties can be verified :

Ability of user to get info intended for higher class.Ability of using several keys to reveal info that can be revealed by usinganother key.Can use Prover9 to verify each property.


Verification Example

Six classes get assigned keys :

Part-time nurses : key(cpn) = k1 ∗k k2 ∗k k4Overnight nurses : key(cnn) = k1 ∗k k3 ∗k k4Full-time nurses : key(cfn) = k1 ∗k k4Part-time doctors : key(cpd) = k2 ∗k k4Overnight doctors : key(cnd) = k3 ∗k k4Full-time doctors : key(cfd) = k4

Property : any doctor can get info of any nurse in the same class.(key(cpn) ≺d key(cpd)) ∧ (key(cnn) ≺d key(cnd)) ∧ (key(cfn) ≺d

key(cfd))(k1∗k k2∗k k4 ≺d k2∗k k4)∧(k1∗k k3∗k k4 ≺d k3∗k k4)∧(k1∗k k4 ≺d k4)

Prover9 can verify such properties (automated).


Conclusion

Analyse key assignment schemes using algebraic structures.

Generalize existing key assignment schemes using model.

Automate verification of security properties.

Future work : examine other key assignment schemes to assessstrengths and weaknesses.


References

“A Generic Algebraic Model for the Analysis of Cryptographic-KeyAssignment Schemes”, Sabri, Khedri, FPS (2012) pp. 62-77

“Algebraic Framework for the Specification and Analysis ofCryptographic-Key Distribution”, Sabri, Khedri, FundamentaInformaticae 112 (2011) pp. 305335

http://conferences.telecom-bretagne.eu/fps2012/program/slides/24.pdf

http://mathworld.wolfram.com/ChineseRemainderTheorem.html


Thank you.


A Generic Algebraic Model for the Analysis of Cryptographic Key Assignment Schemes

Technology

khedri fps

ti dhruv gairola mcmaster

key structure key structure

b dhruv gairola mcmaster

obvious dhruv gairola

key structure c

key assignment schemes

key structure f