Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings


Lecture Notes in Computer Science
Edited by G. Goos and J. Hartmanis

330

Christoph G. Günther (Ed.)

Advances in Cryptology - EUROCRYPT '88
Workshop on the Theory and Application of Cryptographic Techniques
Davos, Switzerland, May 25-27, 1988
Proceedings

Springer-Verlag
Berlin Heidelberg New York London Paris Tokyo


Editorial Board
D. Barstow, W. Brauer, P. Brinch Hansen, D. Gries, D. Luckham, C. Moler, A. Pnueli, G. Seegmüller, J. Stoer, N. Wirth

Editor

Christoph G. Günther
Asea Brown Boveri, Corporate Research
CH-5405 Baden, Switzerland

CR Subject Classification (1987): D.4.6, E.3, H.2.0

ISBN 3-540-50251-3 Springer-Verlag Berlin Heidelberg New York
ISBN 0-387-50251-3 Springer-Verlag New York Berlin Heidelberg

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or parts thereof is only permitted under the provisions of the German Copyright Law of September 9, 1965, in its version of June 24, 1985, and a copyright fee must always be paid. Violations fall under the prosecution act of the German Copyright Law.

© Springer-Verlag Berlin Heidelberg 1988
Printed in Germany

Printing and binding: Druckhaus Beltz, Hemsbach/Bergstr.
2145/3140-543210


PREFACE

The International Association for Cryptologic Research (IACR) organizes two international conferences every year, one in Europe and one in the United States. EUROCRYPT '88, held in the beautiful environment of the Swiss mountains in Davos, was the sixth European conference. The number of contributions and of participants at the meeting has increased substantially, which is an indication of the high interest in cryptography and system security in general.

The interest has not only increased but has also further moved towards authentication, signatures and other protocols. This is easy to understand in view of the urgent needs for such protocols, in particular in connection with open information systems, and in view of the exciting problems in this area. The equally fascinating classical field of secrecy, i.e. the theory, design and analysis of stream or block ciphers and of public key cryptosystems, was however also well represented and several significant results were communicated.

The present proceedings contain all contributions which were accepted for presentation. The chapters correspond to the sessions at the conference.

I am grateful to all authors of these contributions for the careful preparation and prompt submission of their papers. On behalf of the General Chairman, it is a pleasure to thank the authors and the members of the Program Committee for having made the conference such an interesting and stimulating meeting. We are indebted to the sponsors for their generous donations and to the members of the Organization Committee, who have so perfectly organized the meeting.

Baden, June 1988
C.G.G.


EUROCRYPT '88

was sponsored by the

International Association for Cryptologic Research (IACR)

General Chairman: James L. Massey, Swiss Federal Institute of Technology, Zurich, Switzerland

Program Chairman: Ingemar Ingemarsson, Linköping University, Sweden

Organizing Committee:

José Clarinval, Zurich
Christoph G. Günther, Baden
Kirk H. Kirchhofer, Zug
Ueli Maurer, Zurich
Rainer A. Rueppel, Zug
Paul Schoebi, Regensdorf
Thomas Siegenthaler, Zurich
Othmar Staffelbach, Regensdorf

Program Committee:

Rolf Blom, Stockholm
Lennart Brynielsson, Stockholm
Ivan Damgård, Aarhus
Viveke Fåk, Linköping
Tor Helleseth, Bergen
Rolf Johannesson, Lund

The conference was generously supported by

Union Bank of Switzerland, Zurich
Springer-Verlag, Heidelberg and New York
Amstein Walthert Kleiner AG, Zurich, Switzerland
Asea Brown Boveri AG, Zurich, Switzerland
Ascom-Radiocom AG, Solothurn, Switzerland
Crypto AG, Zug, Switzerland
Gretag Ltd., Regensdorf, Switzerland


CONTENTS

SECTION I: KEY DISTRIBUTION

Key Agreements Based on Function Composition ..... 3
Rainer A. Rueppel

Security of Improved Identity-Based Conference Key Distribution Systems ..... 11
Kenji Koyama, Kazuo Ohta

SECTION II: AUTHENTICATION

Subliminal-Free Authentication and Signature ..... 23
Yvo G. Desmedt

Zero-Knowledge Proofs of Identity and Veracity of Transaction Receipts ..... 35
Gustavus J. Simmons, George B. Purdy

Authentication Codes with Multiple Arbiters ..... 51
Ernest F. Brickell, Doug R. Stinson

Some Constructions for Authentication-Secrecy Codes ..... 57
Marijke De Soete

Efficient Zero-Knowledge Identification Scheme for Smart Cards ..... 77
Thomas Beth


SECTION III: SIGNATURES

A Smart Card Implementation of the Fiat-Shamir Identification Scheme ..... 87
Hans-Joachim Knobloch

Manipulations and Errors, Detection and Localization ..... 97
Ph. Godlewski, P. Camion

Privacy Protected Payments - Realization of a Protocol that Guarantees Payer Anonymity ..... 107
Svein J. Knapskog

A Practical Zero-Knowledge Protocol Fitted to Security Microprocessor Minimizing Both Transmission and Memory ..... 123
Louis C. Guillou, Jean-Jacques Quisquater

A Generalized Birthday Attack ..... 129
Marc Girault, Robert Cohen, Mireille Campana

SECTION IV: PROTOCOLS

An Interactive Data Exchange Protocol Based on Discrete Exponentiation ..... 159
G. B. Agnew, R. C. Mullin, S. A. Vanstone

Anonymous and Verifiable Registration in Databases ..... 167
Jørgen Brandt, Ivan Bjerre Damgård, Peter Landrock

Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA ..... 177
David Chaum

Passports and Visas Versus ID's ..... 183
George I. Davida, Yvo G. Desmedt


SECTION V: COMPLEXITY AND NUMBER THEORY

The Probabilistic Theory of Linear Complexity ..... 191
Harald Niederreiter

A Probabilistic Primality Test Based on the Properties of Certain Generalized Lucas Numbers ..... 211
Adina Di Porto, Piero Filipponi

On the Construction of Random Number Generators and Random Function Generators ..... 225
C. P. Schnorr

SECTION VI: NUMERICAL METHODS

Factorization of Large Integers on a Massively Parallel Computer ..... 235
James A. Davis, Diane B. Holdridge

A Fast Modular Arithmetic Algorithm Using a Residue Table ..... 245
Shin-ichi Kawamura, Kyoko Hirano

Fast Exponentiation in GF(2^n) ..... 251
G. B. Agnew, R. C. Mullin, S. A. Vanstone

Fast RSA-Hardware: Dream or Reality? ..... 257
Frank Hoornaert, Marc Decroos, Joos Vandewalle, René Govaerts


SECTION VII: CRYPTANALYSIS

Properties of the Euler Totient Function Modulo 24 and Some of its Cryptographic Implications ..... 267
Raouf N. Gorgui-Naguib, Satnam S. Dlay

An Observation on the Security of McEliece's Public-Key Cryptosystem ..... 275
P. J. Lee, E. F. Brickell

How to Break Okamoto's Cryptosystem by Reducing Lattice Bases ..... 281
Brigitte Vallée, Marc Girault, Philippe Toffin

Cryptanalysis of F.E.A.L. ..... 293
Bert Den Boer

Fast Correlation Attacks on Stream Ciphers ..... 301
Willi Meier, Othmar Staffelbach

SECTION VIII: RUNNING-KEY CIPHERS

A New Class of Nonlinear Functions for Running-Key Generators ..... 317
Shu Tezuka

Windmill Generators: A Generalization and an Observation of How Many There Are ..... 325
B. J. M. Smeets, W. G. Chambers

Lock-in Effect in Cascades of Clock-Controlled Shift-Registers ..... 331
William G. Chambers, Dieter Gollmann

Proof of Massey's Conjectured Algorithm ..... 345
Cunsheng Ding

Linear Recurring m-Arrays ..... 351
Dongdai Lin, Mulan Liu


SECTION IX: CIPHER THEORY AND THRESHOLD

Substantial Number of Cryptographic Keys and its Application to Encryption Designs ..... 361
Eiji Okamoto

A Measure of Semiequivocation ..... 375
Andrea Sgarro

Some New Classes of Geometric Threshold Schemes ..... 389
Marijke De Soete, Klaus Vedder

SECTION X: NEW CIPHERS

A Universal Algorithm for Homophonic Coding ..... 405
Christoph G. Günther

A New Probabilistic Encryption Scheme ..... 415
He Jingmin, Lu Kaicheng

Public Quadratic Polynomial-Tuples for Efficient Signature-Verification and Message-Encryption ..... 419
Tsutomu Matsumoto, Hideki Imai

Some Applications of Multiple Key Ciphers ..... 455
Colin Boyd

Author Index ..... 469

Keyword Index ..... 471


KEY AGREEMENTS BASED ON FUNCTION COMPOSITION

Rainer A. Rueppel

Crypto AG
6312 Steinhausen, Switzerland

Abstract:

Two protocols are presented that accomplish the same goal as the original Diffie-Hellman protocol, namely, to establish a common secret key using only public messages. They are based on n-fold composition of some suitable elementary function. The first protocol is shown to fail always when the elementary function is chosen to be linear. This does not preclude its use for a suitable nonlinear elementary function. The second protocol is shown to be equivalent to the Diffie-Hellman protocol when the elementary function is chosen to be linear. Some examples are given to illustrate the use of both protocols. It is still an open problem whether the presented approach allows for an improvement in terms of speed and/or security over the original DH-protocol.

Suppose we are given an autonomous finite-state machine with next-state function $F$. After one time step an initial state $s_0$ will be transferred to $s_1 = F(s_0)$. After $n$ time steps we have

$$s_n = F(F(\ldots F(s_0)\ldots)) = F^n(s_0),$$

where $F^n$ stands for the $n$-fold application of $F$ to its argument. (Although we do not need the finite-state machine context to derive some results, we use it to illustrate the approach.) Now define two functions $g$ and $h$,

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 3-10, 1988. © Springer-Verlag Berlin Heidelberg 1988


$$g:\ y = F^m(x), \qquad h:\ y = F^n(x).$$

These two functions $g$ and $h$ will commute, i.e.,

$$h(g(x)) = F^n(F^m(x)) = F^{m+n}(x) = g(h(x)).$$

This commutativity is also the basic requirement in the DH-protocol. Hence, using the number of steps an FSM has taken from a specific starting point as the individual user's secret, we can implement a key agreement as follows:

Key Agreement Protocol 1:

A and B have agreed on a common FSM with next-state function $F$ and a common starting state $s_0$.

(1) A randomly chooses a secret number $n_1$ and steps its FSM, loaded with $s_0$, $n_1$ times to obtain

$$s^{(1)} = s_{n_1} = F^{n_1}(s_0).$$

A sends $s^{(1)}$ to B.

B randomly chooses a secret number $n_2$ and steps its FSM, loaded with $s_0$, $n_2$ times to obtain

$$s^{(2)} = s_{n_2} = F^{n_2}(s_0).$$

B sends $s^{(2)}$ to A.

(2) A loads the received state $s^{(2)}$ into its FSM and steps it $n_1$ times to obtain

$$s^{(12)} = F^{n_1}(s^{(2)}) = F^{n_1+n_2}(s_0).$$

B loads the received state $s^{(1)}$ into its FSM and steps it $n_2$ times to obtain

$$s^{(21)} = F^{n_2}(s^{(1)}) = F^{n_1+n_2}(s_0).$$


(3) Since every state has a unique successor, the resulting states $s^{(12)}$ and $s^{(21)}$ must be identical and could serve as a common secret between A and B.

So far we did not impose any restriction on $F$. But, of course, in order not to render the above protocol useless, the next-state function $F$ must possess the following properties:

(1) to compute $s_n = F^n(s_0)$ must be "easy";

(2) to infer $n$ from $s_0$ and $s_n$ must be "hard";

(3) to compute $s^{(12)}$ from $s_0$, $s^{(1)}$, and $s^{(2)}$ must be "hard".

Example 1: Suppose we use a linear next-state function $F(x) = ax \pmod p$ and a nonzero initial state $s_0$. Then computing the $n$th state directly is easy (using square and multiply),

$$s_n = F^n(s_0) = a^n s_0 \pmod p.$$

Inferring $n$ from $s_0$ and $s_n$ corresponds to taking the discrete log (mod $p$). But computing $s^{(12)}$ from $s_0$, $s^{(1)}$, and $s^{(2)}$ can be done at almost no cost,

$$s^{(12)} = a^{n_1+n_2} s_0 = \frac{s^{(1)}\, s^{(2)}}{s_0} \pmod p.$$

In fact, the combination of the above protocol with any linear FSM is insecure. Let $A$ be the state transition matrix, i.e.

$$s_{t+1} = A\, s_t.$$

Now the following attack will recover $s^{(12)}$ efficiently.

(1) Compute $A^{n_1}$ from $s_0$, $s^{(1)}$ and $A$. Determine $A^{n_2}$ the same way.

(2) Form the product

$$A^{n_1} A^{n_2} s_0 = A^{n_1} s^{(2)},$$

which gives away $s^{(12)}$.
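As an added illustration of Example 1 (this code is not part of Rueppel's paper), the following Python runs Protocol 1 with a linear next-state function $s_{t+1} = A s_t$ over GF($p$) and then plays the eavesdropper. The paper does not spell out how $A^{n_1}$ is obtained from $s_0$, $s^{(1)}$ and $A$; the route taken here is the Cayley-Hamilton reduction the paper itself uses later for Protocol 2: $A^{n_1} = r(A)$ for some polynomial $r$ of degree below the dimension, the coefficients of $r$ fall out of one linear system over the public Krylov vectors $A^i s_0$, and $r(A)\,s^{(2)} = s^{(12)}$. The prime, the matrix and the secrets $n_1$, $n_2$ are constructed toy values; `scalar_attack` is the one-dimensional case $F(x) = ax$, where the shortcut is just $s^{(1)} s^{(2)} / s_0$.

```python
# Added example (not code from Rueppel's paper): Key Agreement Protocol 1
# with a linear next-state function s_{t+1} = A s_t over GF(p), and the
# attack of Example 1 that recovers the shared state s^(12) from the public
# values s_0, s^(1), s^(2) and A alone.  A^{n1} is obtained as r(A) for a
# polynomial r of degree < k (Cayley-Hamilton); r(A) s^(2) = s^(12).
# The prime, matrix and secrets are constructed toy values.

P = 1_000_003  # prime modulus (constructed)


def mat_vec(A, v, p=P):
    """A v over GF(p)."""
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def step(A, s, n, p=P):
    """F^n(s) for F(s) = A s, by naive stepping (square-and-multiply on A
    would be used for large n; the attack below does not need n at all)."""
    for _ in range(n):
        s = mat_vec(A, s, p)
    return s


def protocol1_states(A, s0, n1, n2, p=P):
    """Run Protocol 1: returns (s^(1), s^(2), s^(12), s^(21))."""
    s1 = step(A, s0, n1, p)   # A -> B
    s2 = step(A, s0, n2, p)   # B -> A
    s12 = step(A, s2, n1, p)  # A's secret
    s21 = step(A, s1, n2, p)  # B's secret
    return s1, s2, s12, s21


def solve_mod_p(M, b, p=P):
    """Return some c with M c = b over GF(p) (the system is assumed
    consistent); free variables are set to 0, so rank deficiency is fine."""
    rows, cols = len(M), len(M[0])
    aug = [row[:] + [bi] for row, bi in zip(M, b)]
    pivots, r = [], 0
    for col in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][col] % p), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivots.append((r, col))
        r += 1
        if r == rows:
            break
    c = [0] * cols
    for row, col in pivots:
        c[col] = aug[row][cols]
    return c


def krylov_attack(A, s0, s1, s2, p=P):
    """Eavesdropper's computation of s^(12) from s_0, s^(1), s^(2) and A.

    s^(1) = A^{n1} s_0 = r(A) s_0 = sum_i c_i A^i s_0 for a polynomial r of
    degree < k (Cayley-Hamilton).  The vectors A^i s_0 are computable from
    public data, so the c_i come out of one linear system.  Any such r has
    r(A) s^(2) = r(A) A^{n2} s_0 = A^{n2} r(A) s_0 = A^{n2} s^(1) = s^(12)."""
    k = len(s0)
    krylov0, krylov2 = [s0], [s2]
    for _ in range(k - 1):
        krylov0.append(mat_vec(A, krylov0[-1], p))
        krylov2.append(mat_vec(A, krylov2[-1], p))
    M = [[krylov0[i][row] for i in range(k)] for row in range(k)]  # columns A^i s_0
    c = solve_mod_p(M, s1, p)
    return [sum(ci * v[row] for ci, v in zip(c, krylov2)) % p for row in range(k)]


def scalar_attack(s0, s1, s2, p=P):
    """The 1x1 case F(x) = a x mod p of Example 1: s^(12) = s^(1) s^(2) / s_0."""
    return s1 * s2 * pow(s0, -1, p) % p


if __name__ == "__main__":
    A = [[3, 1, 4], [1, 5, 9], [2, 6, 5]]   # constructed transition matrix
    s0 = [1, 2, 3]
    s1, s2, s12, s21 = protocol1_states(A, s0, 12345, 6789)
    print("agreed:", s12 == s21, "attacker:", krylov_attack(A, s0, s1, s2) == s12)
```

Nothing in `krylov_attack` depends on $n_1$ or $n_2$, and the solver tolerates a rank-deficient Krylov matrix: any $r$ with $r(A)s_0 = s^{(1)}$ works because $r(A)$ commutes with $A^{n_2}$. The naive stepping in `step` is only for the demonstration; the attack's cost is polynomial in the dimension, not in $n$.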

Example 2: Suppose we use $F(x) = x^e \pmod p$ as the next-state function. Then the public messages $s^{(1)}$ and $s^{(2)}$ to be transmitted are

$$s^{(1)} = F^{n_1}(s_0) = s_0^{\,e^{n_1}} \pmod p, \qquad s^{(2)} = F^{n_2}(s_0) = s_0^{\,e^{n_2}} \pmod p.$$

A computes

$$s^{(12)} = F^{n_1}(s^{(2)}) = s_0^{\,e^{n_1+n_2}} \pmod p,$$

which is identical to the outcome of B's computation and may serve as the common secret.

If an attacker is able to efficiently compute discrete logs mod $p$, he can also efficiently compute $s^{(12)}$,

$$s^{(12)} = \bigl(s^{(2)}\bigr)^{\log_{s_0} s^{(1)}} \pmod p.$$

Note that at this point the attacker has not yet succeeded in deriving the individual secrets $n_1$ and $n_2$ of parties A and B. To obtain, say, $n_1$, he will have to take discrete logs mod $p-1$, whose factorization may be difficult to find.

Example 3: (due to C. Thome and R. Schwarzenberger) Suppose we use a nonlinear feedback shift register with next-state function

The $n$th state of this NLFSR will be

where $F_n$ denotes the $n$th Fibonacci number. Consequently, the $n$th state is efficiently computable. On the other hand, to break this system cannot be harder than to take discrete logs mod $p$, since then we may express $a$, $b$, and the $n$th state relative to some generator $g$,

$$a = g^{e_1} \pmod p, \qquad b = g^{e_2} \pmod p,$$

which, after two more discrete log operations mod $p$, results in a system of linear congruences which can efficiently be solved.

In a slightly more general approach, we may want to allow that the next-state function of the FSM is changed during the execution of the protocol. Let the two functions $g$ and $h$ be defined as above; then it also holds that

$$g^n(x) = F^{mn}(x) = h^m(x).$$

Therefore, the above protocol could be modified as follows:

Key Agreement Protocol 2:

A and B have agreed on a common FSM with next-state function $F$ and a common starting state $s_0$.

(1) A randomly chooses a secret number $n_1$ and computes the description of the function

$$g_1 = F^{n_1}.$$

A sends the function description of $g_1$ to B.

B acts correspondingly on its secret $n_2$.


(2) A loads the received function description of $g_2$ as next-state function into its FSM and steps it $n_1$ times, started at $s_0$, to obtain

$$s_{12} = g_2^{\,n_1}(s_0) = F^{n_1 n_2}(s_0).$$

B acts correspondingly on the received function description of $g_1$ in order to obtain $s_{21}$.

(3) The resulting states $s_{12}$ and $s_{21}$ are identical and could serve as a common secret between A and B.

Here the conditions on the next-state function $F$ are slightly different (as compared to Protocol 1):

(1) to compute $g = F^n$ from $F$ and $n$ must be "easy";

(2) to infer $n$ from $g$ and $F$ must be "hard";

(3) to compute $s^{(n_1 n_2)}$ from $s_0$, $F$, $g_1$, and $g_2$ must be "hard".

Example 4: Let the next-state function be $F(x) = ax \pmod p$, and suppose $s_0 = 1$. Then

$$g_1(x) = F^{n_1}(x) = a^{n_1} x = a_1 x \pmod p,$$
$$g_2(x) = F^{n_2}(x) = a^{n_2} x = a_2 x \pmod p.$$

A sends the function description of $g_1$, consisting of the coefficient $a_1$, to B. B loads $s_0 = 1$ and $g_1$ as the next-state function into its FSM, and steps it $n_2$ times to arrive at

$$s_{21} = (a^{n_1})^{n_2} = a^{n_1 n_2} \pmod p.$$

A acts accordingly on the received $g_2$. (Note that this is the reformulation of the original Diffie-Hellman protocol [1].)

In general, let $A$ be a linear operator on a finite-dimensional vector space over a field $\mathbb{F}$. Let $g(x)$ be the minimal polynomial of $A$, that is, the polynomial of least positive degree $k$ such that $g(A) = 0$. The Cayley-Hamilton theorem states that $g(x)$ must divide the characteristic polynomial of $A$, and thus that the degree of $g(x)$ is smaller than or equal to the dimension of the vector space $A$ operates on. Applying Euclid we may write

$$x^n = q(x)\,g(x) + r(x),$$

where the degree of $r(x)$ is smaller than $k$. Consequently,

$$A^n = r(A),$$

since $g(A) = 0$. Thus, any linear map $A$ used in the second protocol leads to the following problem: given two polynomials $r(x)$ and $g(x)$ over $\mathbb{F}$, find the least positive exponent $n$ such that

$$x^n \equiv r(x) \pmod{g(x)}.$$

If $g(x)$ is irreducible, this is the discrete log problem in an extension field. Thus, when used with a linear elementary function $F$, the second protocol is equivalent to the original Diffie-Hellman protocol.
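The reduction above, worked through in code as an added example that is not from the paper: with $F$ linear, the description of $F^n$ is the residue $r(x) = x^n \bmod g(x)$, composing descriptions is multiplication in GF($p$)[$x$]/($g$), and recovering $n$ from $r$ is a discrete logarithm of $x$ in that field. The parameters $p = 5$ and $g(x) = x^3 + x + 1$ (no roots mod 5, hence irreducible, so the quotient is GF(125)) and the secrets $n_1$, $n_2$ are constructed; the brute-force logarithm stands in for a real algorithm.

```python
# Added example (not code from Rueppel's paper): Protocol 2 with a linear
# next-state function, expressed through the polynomial r(x) = x^n mod g(x)
# that describes A^n = r(A).  Elements of GF(p)[x]/(g(x)) are coefficient
# lists, lowest degree first.  p, g and the secrets are constructed toys.

P = 5
G = [1, 1, 0, 1]          # g(x) = 1 + x + x^3, monic, irreducible over GF(5)


def poly_x(g):
    """The element x of GF(p)[x]/(g), i.e. the linear map F itself."""
    return [0, 1] + [0] * (len(g) - 3)


def poly_mulmod(a, b, g=G, p=P):
    """a(x) b(x) mod g(x) over GF(p)."""
    k = len(g) - 1
    prod = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] = (prod[i + j] + ai * bj) % p
    # replace x^d (d >= k) using x^k = -(g_0 + g_1 x + ... + g_{k-1} x^{k-1})
    for d in range(len(prod) - 1, k - 1, -1):
        c = prod[d]
        if c:
            prod[d] = 0
            for t in range(k):
                prod[d - k + t] = (prod[d - k + t] - c * g[t]) % p
    return (prod + [0] * k)[:k]


def poly_pow(a, n, g=G, p=P):
    """a(x)^n mod g(x): the 'function description' F^n = r(A), r = x^n mod g."""
    result = [1] + [0] * (len(g) - 2)
    base = (a + [0] * len(g))[:len(g) - 1]
    while n:
        if n & 1:
            result = poly_mulmod(result, base, g, p)
        base = poly_mulmod(base, base, g, p)
        n >>= 1
    return result


def fsm_step(state, n, g=G, p=P):
    """Step s_{t+1} = A s_t n times, A the companion matrix of g.  From
    s_0 = (1, 0, ..., 0) the state after n steps is the coefficient vector
    of x^n mod g, so states and function descriptions are the same objects."""
    k = len(g) - 1
    for _ in range(n):
        top = state[k - 1]
        state = [0] + state[:k - 1]                                  # multiply by x
        state = [(s - top * g[t]) % p for t, s in enumerate(state)]  # reduce x^k
    return state


def protocol2(n1, n2, g=G, p=P):
    """Protocol 2: A publishes r1 = x^{n1} mod g, B publishes r2 = x^{n2} mod g.
    A steps s_0 with r2 n1 times (r2^{n1}), B with r1 n2 times (r1^{n2});
    both obtain x^{n1 n2} mod g.  Returns (r1, r2, s12, s21)."""
    x = poly_x(g)
    r1 = poly_pow(x, n1, g, p)
    r2 = poly_pow(x, n2, g, p)
    s12 = poly_pow(r2, n1, g, p)
    s21 = poly_pow(r1, n2, g, p)
    return r1, r2, s12, s21


def dlog_x(target, g=G, p=P, limit=100_000):
    """Least n >= 1 with x^n = target mod g: the discrete log in GF(p^k) that
    recovering a secret n from a published description amounts to.  Brute
    force, feasible only for toy parameters."""
    x = poly_x(g)
    cur = [1] + [0] * (len(g) - 2)
    for n in range(1, limit):
        cur = poly_mulmod(cur, x, g, p)
        if cur == target:
            return n
    return None


if __name__ == "__main__":
    r1, r2, s12, s21 = protocol2(7, 11)
    print("descriptions:", r1, r2, "shared:", s12, s12 == s21)
    print("eavesdropper's log of r1:", dlog_x(r1))
```

With $s_0 = (1,0,\ldots,0)$ and $A$ the companion matrix of $g$, the state after $n$ steps is the coefficient vector of $x^n \bmod g$, which is why `fsm_step` and `poly_pow` agree; the eavesdropper who wants $n_1$ from the published $r_1$ has to solve exactly the extension-field logarithm that `dlog_x` brute-forces.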

Example 5: Let the next-state function be $F(x) = x^e \pmod p$, with $1 < s_0 < p-1$. Then

$$g_1(x) = x^{e^{n_1}} = x^{e_1} \pmod p, \qquad g_2(x) = x^{e^{n_2}} = x^{e_2} \pmod p.$$

A sends the function description of $g_1$, consisting of the exponent $e_1$, to B. B computes, based on $g_1$ as next-state function,

$$s_{21} = g_1^{\,n_2}(s_0) = s_0^{\,e_1^{\,n_2}} = s_0^{\,e^{n_1 n_2}} \pmod p.$$

A acts accordingly on the received $g_2$.

Note that the security of this system rests on the difficulty of taking logarithms modulo $p-1$, whose factorization may be difficult to find.
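Examples 2 and 5 side by side, as an added example that is not part of the paper: with $F(x) = x^e \bmod p$, Protocol 1 publishes the states $s_0^{e^{n_i}}$ while Protocol 2 publishes the exponents $e^{n_i} \bmod (p-1)$. The code runs both agreements and the two eavesdropper computations the text describes: a logarithm modulo $p$ recovers the Protocol 1 secret without revealing $n_1$, whereas Protocol 2 forces the attacker to a logarithm modulo $p-1$. $p = 10007$, $e = 3$, $s_0$ and the secrets are constructed toy values, and the brute-force `dlog` stands in for an efficient algorithm.

```python
# Added example (not code from Rueppel's paper): the elementary function
# F(x) = x^e mod p in Protocol 1 (Example 2) and in Protocol 2 (Example 5).
# F^n(s) = s^(e^n) mod p, and the exponent only matters modulo ord(s), which
# divides p - 1, so F^n costs two modular exponentiations.  p = 10007, e = 3
# (coprime to p - 1 = 2 * 5003), s_0 and the secrets n1, n2 are constructed
# toy values; the brute-force logarithms stand in for a real DL algorithm.

P = 10_007
E = 3


def f_power(s, n, e=E, p=P):
    """F^n(s) = s^(e^n) mod p."""
    return pow(s, pow(e, n, p - 1), p)


def protocol1(s0, n1, n2, e=E, p=P):
    """Example 2: the *states* s^(1), s^(2) are exchanged.
    Returns (s1, s2, s12, s21); s12 == s21 = s0^(e^(n1+n2))."""
    s1 = f_power(s0, n1, e, p)     # A -> B
    s2 = f_power(s0, n2, e, p)     # B -> A
    return s1, s2, f_power(s2, n1, e, p), f_power(s1, n2, e, p)


def dlog(base, target, m):
    """Brute force: least x >= 0 with base^x = target (mod m)."""
    cur = 1
    for x in range(m):
        if cur == target:
            return x
        cur = cur * base % m
    raise ValueError("target not in the subgroup generated by base")


def attack_protocol1(s0, s1, s2, p=P):
    """Eavesdropper with a DL oracle mod p: log_{s0} s1 = e^{n1} (mod ord s0),
    so s2^(log_{s0} s1) = s0^(e^{n2} e^{n1}) = s^(12).  n1 itself stays hidden;
    extracting it from e^{n1} is a further logarithm modulo p - 1."""
    return pow(s2, dlog(s0, s1, p), p)


def protocol2(s0, n1, n2, e=E, p=P):
    """Example 5: the *function descriptions* g_i(x) = x^(e^{n_i}) are
    exchanged, i.e. the exponents e_i = e^{n_i} mod (p - 1).
    Returns (e1, e2, s12, s21); s12 == s21 = s0^(e^(n1 n2))."""
    e1 = pow(e, n1, p - 1)         # A -> B
    e2 = pow(e, n2, p - 1)         # B -> A
    s12 = pow(s0, pow(e2, n1, p - 1), p)   # A steps s0 with g2, n1 times
    s21 = pow(s0, pow(e1, n2, p - 1), p)   # B steps s0 with g1, n2 times
    return e1, e2, s12, s21


def attack_protocol2(s0, e1, e2, e=E, p=P):
    """Here the eavesdropper must solve e^n = e1 (mod p - 1), a logarithm
    modulo p - 1 (brute force below), and can then replay A's step."""
    n = dlog(e, e1, p - 1)
    return pow(s0, pow(e2, n, p - 1), p)


if __name__ == "__main__":
    s1, s2, s12, s21 = protocol1(5, 123, 456)
    print("protocol 1 agreed:", s12 == s21, "attacker:", attack_protocol1(5, s1, s2) == s12)
    e1, e2, t12, t21 = protocol2(5, 123, 456)
    print("protocol 2 agreed:", t12 == t21, "attacker:", attack_protocol2(5, e1, e2) == t12)
```

Note the different exponents: Protocol 1 ends at $s_0^{e^{n_1+n_2}}$ and Protocol 2 at $s_0^{e^{n_1 n_2}}$. In both cases the secrets $n_i$ enter only through $e^{n_i}$, so the attacker of Protocol 1 obtains the shared state but not $n_1$, and the attacker of Protocol 2 works in the exponent group modulo $p-1$ from the start.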


Summary:

There exist different protocol versions and different elementary functions $F$ that allow for a Diffie-Hellman type key agreement. Protocol 1 (in this paper) is insecure with linear $F$, but reveals only intermediate states. Protocol 2, when used with linear $F$, is equivalent to the original Diffie-Hellman key agreement, and reveals whole function descriptions $F^n$. It is still an open problem whether the presented approach allows for an improvement in terms of speed and/or security over the original DH-protocol.

Acknowledgment:

I wish to thank Kjell-Ove Widman and Jim Massey for their helpful comments.

References:

[1] W. Diffie, M. E. Hellman, "New Directions in Cryptography", IEEE Trans. on Information Theory, Vol. IT-22, Nov. 1976.


Security of Improved Identity-based Conference Key Distribution Systems

Kenji Koyama, Kazuo Ohta*

Basic Research Laboratories, Nippon Telegraph and Telephone Corporation
3-9-11, Midori-cho, Musashino-shi, Tokyo, 180 Japan

*Communications and Information Processing Laboratories, Nippon Telegraph and Telephone Corporation
1-2356, Take, Yokosuka-shi, Kanagawa, 238-03 Japan

Abstract

At the Crypto-87 conference, we proposed identity-based key distribution systems for generating a common secret conference key for two or more users. Protocols were shown for three configurations: a ring, a complete graph, and a star. Yacobi has made an impersonation attack on the protocols for the complete graph and star networks. This paper proposes improved identity-based key distribution protocols to counter his attack.

1. Introduction

Identity-based cryptosystems can simplify key management in cryptosystems. Shamir and Fiat proposed identity-based signature schemes [1, 2], and Okamoto proposed an identity-based scheme [3] for a public key distribution system [4]. In these schemes for two users, messages among users are authenticated using each user's identification information. If two or more users want to hold a conference, they must derive one common secret communication key for each link in the network. This common key for $m$ ($\ge 2$) users is called a conference key. Ingemarsson et al. [5] presented a conference key distribution system (CKDS) with no authentication, where users are connected in a ring network. At the Crypto-87 conference, we [6] proposed an identity-based system for generating a conference key with authentication, called an identity-based conference key distribution system (ICKDS). Protocols in ICKDS were shown for three configurations: ring (Type-1), complete graph (Type-2), and star (Type-3). Yacobi [7] has made an impersonation attack on Type-3. His attacking method can be generalized to Type-2. This paper proposes improved identity-based key distribution protocols to counter his attack. The previous protocol can detect a uni-directional attack but cannot detect a bi-directional attack. However, the new protocol can detect both the uni-directional attack and the bi-directional attack. In Section 2, revised protocols of Type-2 and Type-3 are described, clarifying the difference between the previous and new versions. In Section 3, the security of these protocols is discussed. Details of the attack by Yacobi are stated, and it is shown that our improvement resolves the problem.

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 11-19, 1988. © Springer-Verlag Berlin Heidelberg 1988

2. Improved ICKDSs

All ICKDSs are implemented in two phases: the first phase is carried out at a trusted center, and the second phase at each user's location. During the first phase, the trusted center generates a secret system key, a public system key, and secret user keys with users' identification information. The secret system key is known only to the center. The public system key is common to all users. Each secret user key, which is transmitted through a secure channel such as a smart card, is known only to each user and the center. Once the first phase is carried out, the second phase can be repeated to generate a different conference key. In the second phase, no further interaction with the center is required either to generate a key or to verify proofs of identity.

For simplicity, only improved protocols in a complete graph (Type-2) and in a star (Type-3) are shown in Subsections 2.1 and 2.2, respectively.

During the first phase of Type-2 and Type-3, the center generates three large primes $p$, $q$, and $r$, and the partial product $n = pq$. It determines integers $(e, d)$ in a way similar to that of the RSA cryptosystem [8]:

$$ed \equiv 1 \pmod L, \qquad L = \mathrm{lcm}\bigl((p-1), (q-1), (r-1)\bigr), \tag{2.1}$$

where $e$ is a prime such that $nr/2 < e < nr$. Note that every integer in $[1, nr]$ except $e$ is coprime to $e$. The center also determines an integer $g$ which is a primitive element over $GF(p)$, $GF(q)$, and $GF(r)$. Note that $g$ is easily generated while the factors of $(p-1)$, $(q-1)$, and $(r-1)$ are known. For user $i$ whose identification information is $I_i$, the center calculates the integer $S_i$:

$$S_i = I_i^{\,d} \bmod nr. \tag{2.2}$$

Note that $I_i = S_i^{\,e} \bmod nr$. As a result, the center generates a secret system key $(p, q, d)$, a public system key $(n, r, g, e)$, and a secret user key $S_i$ for user $i$.

2.1 Improved protocol in a complete graph (Type-2)

During the second phase of Type-2, the conference key is generated and simultaneously distributed among $m$ users. Users are connected in a complete graph network so that they always send messages to all other users. The key generation algorithm is the same for each user. For convenience, the procedure for two typical users, labeled $i$ and $j$ ($1 \le i, j \le m$, $i \ne j$), can be described as follows:

[Protocol]

step 1: User $i$ chooses a random number $P_i$ that is coprime to $(r-1)$. He computes $\bar P_i$:

$$P_i \bar P_i \equiv 1 \pmod{(r-1)}, \tag{2.3}$$

and keeps $P_i$ and $\bar P_i$ secret. He then sends $(X_i, Y_i)$:

$$X_i = g^{eP_i} \bmod nr, \tag{2.4}$$
$$Y_i = S_i\, g^{X_i P_i} \bmod nr, \tag{2.5}$$

to user $j$.

step 2: User $j$ receives $(X_i, Y_i)$. He checks whether the following $(m-1)$ congruences hold:

$$\frac{Y_i^{\,e}}{X_i^{\,X_i}} \equiv I_i \pmod{nr}. \tag{2.6}$$

If (2.6) holds, user $j$ can verify that the message came from user $i$. User $j$ chooses a secret random number $R_j$. He then sends $(A_{ji}, B_{ji})$:

$$A_{ji} = X_i^{\,eR_j} \bmod nr, \tag{2.7}$$
$$B_{ji} = S_j\, X_i^{\,A_{ji} R_j} \bmod nr, \tag{2.8}$$

to user $i$.

step 3: User $i$ receives $(A_{ji}, B_{ji})$. He checks whether the following $(m-1)$ congruences hold:

$$\frac{B_{ji}^{\,e}}{A_{ji}^{\,A_{ji}}} \equiv I_j \pmod{nr}. \tag{2.9}$$

If (2.9) holds, user $i$ can verify that the message came from user $j$. He then computes the conference key $K_i$:

$$K_i = \Bigl(\prod_{j} A_{ji}\Bigr)^{\bar P_i} \bmod r. \tag{2.10}$$

The value of $K_i$ ($1 \le i \le m$) is the same for all users, because of the identity (2.11).

Remarks:

(1) The exponent terms $X_i$ in (2.5) and (2.6) and $A_{ji}$ in (2.8) and (2.9) in this version were expressed by a constant $c$ in the previous version [6]. This improvement makes Yacobi's attack on Type-2 and Type-3 ineffective. Details will be discussed in Section 3.

(2) Since $e$ is chosen such that $nr/2 < e < nr$, $X_i$ and $A_{ji}$ are coprime to $e$ with probability $1 - 1/nr$ ($\approx 1$). The improved version inherits this property from the previous version, where $c$ is coprime to $e$. This property acts as a countermeasure against some attacks other than Yacobi's attack.

(3) The previous protocol [6] contained additional check congruences modulo $n$ (on quantities $Z_{ij}$ and $C_{ij}$) and related computations. The purpose of such congruences was to detect a uni-directional impersonation attack [6] other than Yacobi's attack. These check congruences and related computations are omitted in the new protocol because the new protocol can detect such an attack in addition to Yacobi's attack.

2.2 Improved protocol in a star (Type-3)

Type-2 can be simplified by restricting the process so that $j = 1$ and $2 \le i \le m$. Therefore, users are connected in a star network so that messages are transmitted between user 1 and user $i$ ($2 \le i \le m$). In this simplified scheme called Type-3, we assume that user 1 collects and delivers messages. Without loss of generality, this "center user" can be arbitrarily selected from among the $m$ users.

The improved protocol during the second phase of Type-3 is similar to that of Type-2. Note that user 1 can compute the conference key $K_1 = g^{e^2 R_1} \bmod r$ at any time. User $i$ ($2 \le i \le m$) computes the conference key $K_i$ at step 3 by:

$$K_i = A_{1i}^{\,\bar P_i} \bmod r. \tag{2.12}$$

The values of $K_i$ ($2 \le i \le m$) and $K_1$ are the same for all users, because by (2.3), (2.4) and (2.7)

$$A_{1i}^{\,\bar P_i} = \bigl(g^{eP_i}\bigr)^{eR_1 \bar P_i} = g^{e^2 R_1 (P_i \bar P_i)} \equiv g^{e^2 R_1} \pmod r,$$

the order of $g$ modulo $r$ being $r-1$ and $P_i \bar P_i \equiv 1 \pmod{(r-1)}$.

Note that the value of the conference key in Type-3 depends only on user 1's secret key $R_1$, while the value of the conference key in Type-2 depends equally on each user's secret random number $R_i$.
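A complete Type-3 run in Python, added here as an illustration and not the authors' code. Phase 1 follows (2.1) and (2.2); the exchange follows (2.3) to (2.7) with the checks (2.6) and (2.9) and the key (2.12). $B_{1i}$ is computed as $S_1 X_i^{A_{1i} R_1} \bmod nr$, the value for which (2.9) holds (remark (1) says the constant $c$ of the earlier version is replaced by the exponent $A_{ji}$). The primes $p = 11$, $q = 13$, $r = 23$, the prime $e = 1663$, the identities and the "random" choices $P_i$ and $R_1$ are constructed and fixed so that the run is repeatable; real parameters are the sizes discussed in Section 3.

```python
# Added example (not the authors' code): one run of the improved Type-3
# (star) protocol of Section 2.2 with toy parameters.  Phase 1 follows
# (2.1)-(2.2); the exchange uses (2.3)-(2.7), the check congruences (2.6) and
# (2.9), and the key (2.12).  B_1i is taken as S_1 X_i^(A_1i R_1) mod nr,
# the value for which (2.9) holds.  Primes, identities and the "random"
# choices P_i, R_1 are constructed and fixed so the run repeats.
from math import gcd


def mult_order(a, m):
    """Multiplicative order of a modulo the prime m (brute force, toy sizes)."""
    k, x = 1, a % m
    while x != 1:
        x, k = x * a % m, k + 1
    return k


def center_setup(p, q, r, e, ids):
    """Phase 1 at the trusted center.  Returns the public system key
    (n, r, g, e) and the secret user keys S_i = I_i^d mod nr."""
    n = p * q
    L = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    L = L * (r - 1) // gcd(L, r - 1)                       # lcm(p-1, q-1, r-1)
    assert n * r // 2 < e < n * r and gcd(e, L) == 1      # e as required by (2.1)
    d = pow(e, -1, L)
    g = next(c for c in range(2, p)
             if all(mult_order(c, m) == m - 1 for m in (p, q, r)))
    pub = {"n": n, "r": r, "g": g, "e": e}
    return pub, {i: pow(I, d, n * r) for i, I in ids.items()}   # (2.2)


def user_step1(pub, S_i, P_i):
    """User i (step 1): P_i coprime to r-1, X_i = g^(e P_i), Y_i = S_i g^(X_i P_i)."""
    nr, r1 = pub["n"] * pub["r"], pub["r"] - 1
    assert gcd(P_i, r1) == 1
    P_bar = pow(P_i, -1, r1)                              # (2.3)
    X = pow(pub["g"], pub["e"] * P_i, nr)                 # (2.4)
    Y = S_i * pow(pub["g"], X * P_i, nr) % nr             # (2.5)
    return X, Y, P_bar


def check_2_6(pub, I_i, X, Y):
    """User 1 verifies (X_i, Y_i) came from the holder of S_i: Y^e = I_i X^X."""
    nr = pub["n"] * pub["r"]
    return pow(Y, pub["e"], nr) == I_i * pow(X, X, nr) % nr


def center_step2(pub, S_1, R_1, X_i):
    """User 1 (step 2): A_1i = X_i^(e R_1), B_1i = S_1 X_i^(A_1i R_1)."""
    nr = pub["n"] * pub["r"]
    A = pow(X_i, pub["e"] * R_1, nr)                      # (2.7)
    B = S_1 * pow(X_i, A * R_1, nr) % nr                  # (2.8), see lead-in
    return A, B


def check_2_9(pub, I_1, A, B):
    """User i verifies (A_1i, B_1i) came from the holder of S_1: B^e = I_1 A^A."""
    nr = pub["n"] * pub["r"]
    return pow(B, pub["e"], nr) == I_1 * pow(A, A, nr) % nr


def user_key(pub, A, P_bar):
    """K_i = A_1i^(P_bar_i) mod r (2.12); P_i cancels because
    P_i P_bar_i = 1 mod (r-1) and g has order r-1 mod r."""
    return pow(A, P_bar, pub["r"])


def center_key(pub, R_1):
    """K_1 = g^(e^2 R_1) mod r, computable by user 1 at any time."""
    return pow(pub["g"], pub["e"] * pub["e"] * R_1, pub["r"])


def run_type3(p=11, q=13, r=23, e=1663, ids=None, R_1=9, P_choices=(5, 7, 13)):
    """Full Type-3 run.  Returns (keys by user, list of check results)."""
    ids = ids or {1: 1234, 2: 2345, 3: 3001}   # constructed identities, < nr
    pub, S = center_setup(p, q, r, e, ids)
    keys, checks = {1: center_key(pub, R_1)}, []
    for i, P_i in zip((i for i in ids if i != 1), P_choices):
        X, Y, P_bar = user_step1(pub, S[i], P_i)
        checks.append(check_2_6(pub, ids[i], X, Y))       # user 1 checks user i
        A, B = center_step2(pub, S[1], R_1, X)
        checks.append(check_2_9(pub, ids[1], A, B))       # user i checks user 1
        keys[i] = user_key(pub, A, P_bar)
    return keys, checks


if __name__ == "__main__":
    keys, checks = run_type3()
    print("checks:", checks, "keys:", keys)
```

Because $\gcd(e, L) = 1$, the map $x \mapsto x^e$ is a bijection modulo $nr$, so any alteration of $Y_i$, or the same $(X_i, Y_i)$ presented under another user's identity, fails (2.6) deterministically rather than with some probability; the same holds for (2.9). The identities only need to be integers below $nr$, since $S_i^{\,e} \equiv I_i \pmod{nr}$ holds for every residue when $ed \equiv 1 \pmod L$.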

3. Security

The security of the proposed systems is based on the difficulty of deriving secret information such as (p, q, d, S;, P;, p;, R,, K;) in Type2 and Type-3 from public keys, transmitted messages, and other user’s secret keys. Secrecy of (p, q, d, Si) is based on the difEculty of factoring a large number n. Secrecy of (Pi, F;, R,, K;) is based on the difficulty of computing discrete logarithm over GF(T). Considering the best known algorithms for factoring n = pq [9] and computing the discrete logarithm over GF(r) [lo], a designer can choose the size of p , q, and r . From the security viewpoint, the size of p and q should be at least 256 bits long, and the size of r should be at least 512 bits long.

The secrecy of the above secret keys is believed to be ensured in the previous version and the new version. However, the authenticity of the previous version has been partly broken by Yacobi's impersonation attack because it had weak points. The new version described in this paper realizes protocols to detect his attack. In this section, a summary of his attacking method and the effect of our countermeasures are shown.

3.1 Yacobi's bi-directional attack [7]

By extending our uni-directional attack [6], Yacobi [7] showed a bi-directional real-time attack between user i and user j in Type-3 (2 ≤ i ≤ m, j = 1). Note that his attacking method can be generalized to Type-2 (1 ≤ i, j ≤ m). Since the attacker can hold both a correct key and a false key, this bi-directional impersonation attack would be successful in the previous protocol.

We summarize the generalized Yacobi's attack on the previous version, where the constant term c was used instead of the variable exponents $X_i$ and $A_{ji}$.

An attacker cuts the link between user j (or the “center user” in the star) and user i. He mediates every communication between them. When communicating with user j he pretends to be user i (denoted by $\tilde\imath$), and when communicating with user i he pretends to be user j (denoted by $\tilde\jmath$). First, the attacker chooses a random $\tilde R_i$ and computes its inverse $\tilde P_i$ modulo r − 1. He also computes the inverse of e (denoted by $\bar e$) modulo r − 1. For step 1, the attacker eavesdrops on the message $(X_i, Y_i)$ from user i to user j. Using the Chinese remainder theorem, he computes $(\tilde X_i, \tilde Y_i)$ modulo nr satisfying:

and sends the modified message $(\tilde X_i, \tilde Y_i)$ to user j. For step 2, user j verifies

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,c}} \equiv I_i \pmod{nr}, \qquad (3.2)$$

computes

$$B_{ji} = S_j\, \tilde X_i^{\,c R_j} \bmod nr,$$

and sends it to user i. The attacker intercepts this communication. He chooses some random number $\tilde R_j$. Using the Chinese remainder theorem, he computes $(\tilde A_{ji}, \tilde B_{ji})$ modulo nr satisfying:


and sends the modified message $(\tilde A_{ji}, \tilde B_{ji})$ to user i. For step 3, user i verifies

Finally, user i creates session key:

Using $k_j$ (1 ≤ j ≤ m), attacker $\tilde\imath$ creates the session key:

$$\tilde K_{\tilde\imath} = g^{e^2 (R_1 + R_2 + \cdots + R_m)} \bmod r. \qquad (3.6)$$

Note that $\tilde K_{\tilde\imath} = K_j$. Therefore, this attack succeeds if the attacker mediates every communication between user i and user j.

For Type-3, where user j (= 1) is the center user, user i finally creates the session key:

$$\tilde K_i = \tilde A_{1i}^{\,P_i} \bmod r = g^{e^2 \tilde R_1} \bmod r. \qquad (3.7)$$

Using $\tilde R_1$, attacker $\tilde 1$ creates the session key:

$$\tilde K_{\tilde 1} = g^{e^2 \tilde R_1} \bmod r. \qquad (3.8)$$

User 1, who is the center user, creates the session key:

$$K_1 = g^{e^2 R_1} \bmod r. \qquad (3.9)$$

Using $\tilde P_i$, attacker $\tilde\imath$ creates the session key:

$$\tilde K_{\tilde\imath} = A_{1i}^{\,\tilde P_i} \bmod r = g^{e^2 R_1} \bmod r. \qquad (3.10)$$

Note that $\tilde K_i = \tilde K_{\tilde 1}$ and $K_1 = \tilde K_{\tilde\imath}$ (2 ≤ i ≤ m). This attack on Type-3 is more realistic than that on Type-2 because it requires that the attacker manipulates only one link, from user i (2 ≤ i ≤ m) to user 1.

3.2 Improved protocol's effect against Yacobi's attack

Note that the exponent terms $X_i$ and $A_{ji}$ in this improved protocol were expressed by a constant c in the previous protocol [6]. This improvement makes Yacobi's attack on Type-2 and Type-3 ineffective. In the improved protocol, if an attacker adopts Yacobi's attack, the ID checks mod nr in (2.6) and (2.9) (or (3.2) and (3.4)) do not pass. Since the purpose and function of (2.6) and (2.9) are the same, the case of (2.6) is described as an example. Consider the congruence (2.6) modulo nr by separating it into a congruence modulo n and a congruence modulo r. The check congruence modulo n in (2.6) is not satisfied because

Therefore, (3.11) results in

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,\tilde X_i}} \not\equiv I_i \pmod{nr}. \qquad (3.12)$$

Note that a check congruence modulo r in (2.6) is satisfied because

$$\frac{\tilde Y_i^{\,e}}{\tilde X_i^{\,\tilde X_i}} \equiv I_i \pmod{r}. \qquad (3.13)$$

Similarly to (3.12), we have


Therefore, Yacobi's bi-directional attack becomes detectable.
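The argument above rests on a property of the Chinese remainder theorem: a congruence modulo nr holds exactly when it holds modulo n and modulo r, so a value assembled by CRT can satisfy one component while failing the other, and a verifier gains from reporting which component failed. The following Python is an added example written for this page, not code from Koyama and Ohta's paper; the moduli, the identity value and the residue 777 are constructed toy values, and the functions crt, check_mod_nr, splice and demo are ours.

```python
from math import gcd

# Constructed toy parameters (not from the paper; real sizes are given in Section 3):
N_TOY = 61 * 53          # plays the role of the RSA modulus n = pq
R_TOY = 1009             # plays the role of the prime r of the discrete-logarithm part
IDENTITY_TOY = 1234      # plays the role of the identity value I_i that the check compares against


def crt(a, n, b, r):
    """Unique x in [0, n*r) with x ≡ a (mod n) and x ≡ b (mod r); needs gcd(n, r) == 1."""
    if gcd(n, r) != 1:
        raise ValueError("moduli must be coprime")
    inv_n = pow(n, -1, r)                     # n^{-1} mod r
    return (a + n * (((b - a) * inv_n) % r)) % (n * r)


def check_mod_nr(lhs, rhs, n, r):
    """Evaluate lhs ≡ rhs separately modulo n, modulo r and modulo nr.

    By the CRT the modulo-nr congruence holds exactly when both components hold,
    so the report shows which component a presented value fails.
    """
    return {
        "mod_n": (lhs - rhs) % n == 0,
        "mod_r": (lhs - rhs) % r == 0,
        "mod_nr": (lhs - rhs) % (n * r) == 0,
    }


def splice(good, n, r, residue_mod_n):
    """CRT-assemble a value that matches `good` modulo r but carries `residue_mod_n` modulo n."""
    return crt(residue_mod_n % n, n, good % r, r)


def demo():
    """A genuine value passes both components; a spliced one passes only modulo r."""
    genuine = IDENTITY_TOY
    spliced = splice(genuine, N_TOY, R_TOY, residue_mod_n=777)
    return (check_mod_nr(genuine, IDENTITY_TOY, N_TOY, R_TOY),
            check_mod_nr(spliced, IDENTITY_TOY, N_TOY, R_TOY))


if __name__ == "__main__":
    ok, bad = demo()
    print("genuine:", ok)
    print("spliced:", bad)
```

A verifier that only tests the combined congruence learns that the check failed; testing the two components as well tells it that the factoring-based (mod n) part is the one that did not hold, which is exactly the distinction the paragraph above draws for (2.6).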

4. Conclusion

Security has been improved in the new protocol with the variable exponents. That is, the improved protocol counters Yacobi's attack. The change of exponent terms has the same effect as the additional check congruences in the previous version. By deleting such additional check congruences, transmission efficiency is also improved in the new protocols. This is a side effect of improving security.


Acknowledgement

We would like to thank Dr. Yacov Yacobi for his nice attack on our previous version.

References

[1] SHAMIR, A.: “Identity-based cryptosystems and signature schemes”, Proceedings of Crypto’84, Lecture Notes in Computer Science no. 196, Springer-Verlag, 1985, pp.47-53.

[2] FIAT, A. and SHAMIR, A.: “How to prove yourself: Practical solutions to identification and signature problems”, Proceedings of Crypto’86, Lecture Notes in Computer Science no. 263, Springer-Verlag, 1987, pp.186-194.

[3] OKAMOTO, E.: “Proposal for identity-based key distribution systems”, Electron. Lett., 1986, 22, pp.1283-1284.

[4] DIFFIE, W. and HELLMAN, M. E.: “New directions in cryptography”, IEEE Trans., 1976, IT-22, pp.644-654.

[5] INGEMARSSON, I., TANG, D. T. and WONG, C. K.: “A conference key distribution system”, IEEE Trans., 1982, IT-28, pp.714-720.

[6] KOYAMA, K. and OHTA, K.: “Identity-based conference key distribution systems”, Proceedings of Crypto’87, Lecture Notes in Computer Science no. 293, Springer-Verlag, 1988, pp.175-184.

[7] YACOBI, Y.: “Attack on the Koyama-Ohta identity-based key distribution scheme”, Proceedings of Crypto’87 (presented at the rump session), Lecture Notes in Computer Science no. 293, Springer-Verlag, 1988, pp.429-433.

[8] RIVEST, R. L., SHAMIR, A. and ADLEMAN, L.: “A method for obtaining digital signatures and public-key cryptosystems”, Commun. ACM, 1978, 21, pp.120-126.

[9] LENSTRA, Jr., H. W.: “Factoring integers with elliptic curves”, preprint, May 1986.

[10] COPPERSMITH, D., ODLYZKO, A. M. and SCHROEPPEL, R.: “Discrete logarithms in GF(p)”, Algorithmica, 1986, 1, pp.1-15.


SUBLIMINAL-FREE AUTHENTICATION AND SIGNATURE (Extended Abstract)

Yvo Desmedt

Dept. EE & CS, Univ. of Wisconsin - Milwaukee P.O. Box 784, WI 53201 Milwaukee, U.S.A.

ABSTRACT

Simmons [17] introduced the notion of subliminal channel in 1983, by demonstrating how to “hide” secret information inside an authenticated message. In this paper we propose a practical subliminal-free authentication system and extend our results to subliminal-free signatures. The subliminal-freeness of our systems can be proven. We discuss applications in the context of verification of treaty and international bank communications.

I. INTRODUCTION

In the process of peace keeping, the verification of international treaty plays an important role [1]. Discussions of arms reductions include allowing each party to have observation posts in the other country, which can send authenticated (or even signed) messages. This, however, introduces a major security problem: will the observation post be used for spying activities? The problem of message authentication without secrecy was initiated and investigated by Simmons [16]. This problem was not solved until today, as a consequence of the possibility of a subliminal channel. Five years ago Simmons discovered that a secret message can be hidden inside the authenticator (for more details see [17]). He called this “hidden” communication channel the subliminal channel. Other subliminal channels were introduced inside signature systems, e.g., [18,19]. The concept of subliminal channel can be formalized and generalized [4].

In our paper we come up with a practical authentication system which eliminates almost completely the possibility to use a subliminal channel. This result is explained in Section IV., after having introduced the main ideas in Section III.. We extend our results to subliminal-free signature systems (see Section V.). However, the last system is less practical. The reader not familiar with the terminology used in modern cryptology will find a brief introduction to it in Section II..

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT ’88, LNCS 330, pp. 23-33, 1988. © Springer-Verlag Berlin Heidelberg 1988

II. TERMINOLOGY IN MODERN CRYPTOLOGY

In this section we explain briefly:

• subliminal channels,

• the role of a warden,

• message authentication without secrecy,

• the Goldwasser-Micali-Rivest signature scheme,

• commitment in modern cryptology.

To better understand the concept of subliminal channels, let us discuss Simmons’ illustration [17]. Two prisoners are communicating authenticated messages in full view of a warden. The warden is able to read the messages. The subliminal channel consists in hiding a message through the authentication scheme, such that the warden can neither detect its use nor read the hidden part.

Solving the problem of subliminal channels is not sufficient to obtain authentication without secrecy, as is well known. Subliminal information can be sent in an analog way through modulation, time jitter and so on. For a solution to overcome this problem see [20, p. 65]. The techniques we use here are digital. By combining our results with [20, p. 65], the problem of message authentication without secrecy can be completely solved.

Let us briefly explain the basic ideas used in the Goldwasser-Micali-Rivest signature scheme [14,15]. Their scheme is based on:

• claw-free permutation pairs,

• prefix-free mapping,

• an authentication tree.

Informally, claw-free permutation pairs are permutations f_0 and f_1 over a common domain for which it is computationally infeasible to find a triple x, y and z such that f_0(x) = f_1(y) = z [14, p. 290]. If factoring numbers of a special form is hard then such claw-free permutations exist [14, pp. 292-293]. These numbers have the form:

n = p · q, p and q primes such that: p ≡ 3 (mod 8) and q ≡ 7 (mod 8).


Such numbers n are known as Williams integers, due to their first use in cryptology by Williams [21], and are also known as Blum integers. The functions f_{0,n}(x) = x^2 (mod n) and f_{1,n}(x) = 4x^2 (mod n) form permutations over the set of quadratic residues modulo n and are claw-free [15] (remark that these functions were slightly modified in [14]). It is essential to know that the Jacobi symbol (2 | n) = -1 if n is a Williams (Blum) integer, so 2 is a quadratic nonresidue modulo n. If there is no doubt about n we will shortly say f_0 instead of f_{0,n} and f_1 instead of f_{1,n}. For authenticity and signature one does not only need claw-freeness for two permutations but a family of permutations which are pairwise claw-free. Hereto f_i is defined as f_i(x) = f_{i_d}(f_{i_{d-1}}(. . . f_{i_1}(f_{i_0}(x)) . . .)), where i = i_d i_{d-1} . . . i_1 i_0 in binary. We define |i| = d + 1. One has to read f_i^{-1} as (f_i)^{-1}, so that f_i^{-1}(f_i(x)) = x. In order to exclude that anyone else could compute f_j^{-1}(y) from a given f_i^{-1}(y) (j ≠ i), Goldwasser, Micali and Rivest use a prefix-free mapping (·). A prefix-free encoding satisfies the property that (j) is never a prefix of (i) (j ≠ i). Finally, to avoid chosen text attacks and forgery, an authentication tree is used [15]. Different authentication trees have been presented, but their differences are not important in this context. We will not discuss these trees in detail, because they are only partially important in order to understand this paper. The motivation for an authentication tree is to make random “signatures” that can be used later on to sign real messages. In order to obtain the security one uses f-claw-free permutations and g-claw-free permutations (for more details see [9,14,15]).
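To make the ingredients above concrete, here is an added Python example (not code from the paper): it builds a tiny constructed Williams (Blum) integer, checks by brute force that f_0 and f_1 permute the quadratic residues, confirms (2 | n) = -1, composes f_i from a bit string in the order defined above (i_0 applied first), and exhibits a claw, which is feasible only because n is tiny. The names jacobi, f_index, find_claw and the toy primes are ours.

```python
from math import gcd

# Constructed toy Williams (Blum) integer, not from the paper: 11 ≡ 3 (mod 8), 23 ≡ 7 (mod 8).
P_TOY, Q_TOY = 11, 23
N_TOY = P_TOY * Q_TOY


def jacobi(a, n):
    """Jacobi symbol (a | n) for odd n > 0, by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_williams_integer(p, q):
    """The form required in Section II: p ≡ 3 and q ≡ 7 (mod 8)."""
    return p % 8 == 3 and q % 8 == 7


def quadratic_residues(n):
    """QR_n, the domain of the claw-free pair, by brute force (fine for a toy n)."""
    return sorted({(x * x) % n for x in range(1, n) if gcd(x, n) == 1})


def f0(x, n):
    return (x * x) % n


def f1(x, n):
    return (4 * x * x) % n


def is_permutation_of(f, domain, n):
    """f permutes `domain` iff the multiset of images equals the domain itself."""
    return sorted(f(x, n) for x in domain) == sorted(domain)


def f_index(i_bits, x, n):
    """f_i(x) = f_{i_d}(... f_{i_1}(f_{i_0}(x)) ...): i_0 is the last character and is applied first."""
    for b in reversed(i_bits):
        x = f1(x, n) if b == "1" else f0(x, n)
    return x


def find_claw(domain, n):
    """Exhaustive search for x, y with f0(x) == f1(y).  Only feasible because n is tiny;
    for a real-size n this search is exactly what the claw-freeness assumption rules out."""
    preimage_f1 = {f1(y, n): y for y in domain}
    for x in domain:
        z = f0(x, n)
        if z in preimage_f1:
            return x, preimage_f1[z], z
    return None


if __name__ == "__main__":
    qr = quadratic_residues(N_TOY)
    print("Williams integer:", is_williams_integer(P_TOY, Q_TOY), " (2|n) =", jacobi(2, N_TOY))
    print("f0, f1 permute QR_n:", is_permutation_of(f0, qr, N_TOY), is_permutation_of(f1, qr, N_TOY))
    print("f_'10'(9) =", f_index("10", 9, N_TOY), " f_'01'(9) =", f_index("01", 9, N_TOY))
    print("a claw, found only because n is tiny:", find_claw(qr, N_TOY))
```

The two compositions f_'10' and f_'01' give different results on the same input, which is the point of indexing permutations by bit strings: the constant factor 4 lands at a different depth, so distinct indices give distinct permutations.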

Commitment originates from Blum’s ideas [2]. It allows A to randomly choose a number R and to commit herself to this number, e.g., to B. Hereto A encrypts R and sends the result C = h_k(R) to B. If a good encryption system, e.g., a probabilistic encryption system as [12], has been used, no information is revealed about R. Later on A is able to reveal R. As a consequence of her commitment, A is unable to lie or pretend that her choice was R’ instead of R. B is able to verify if R is correct when A reveals it together with k. A sufficient condition for commitment is that:

$$h_k(x) = h_{k'}(y) \text{ implies } x = y. \qquad (1)$$

Let us briefly discuss a practical commitment algorithm, which is however not guaranteed secure. To commit herself to the bit 0, A sends h_k(0, 0, . . . , 0) where h is the DES and key k is chosen randomly; to commit to 1, A sends h_k(1, 1, . . . , 1).


III. MAIN IDEA

The main idea to obtain subliminal-freeness is to use an active warden. We call a warden active if he does not only listen to catch subliminal channel users, but also interacts in the communication in a special way to better enforce the subliminal-freeness. Remember that a warden is allowed to send fake messages trying to convince the receiver that they are authentic [17]. So the only trust in the active warden consists in believing he will not help to set up a subliminal channel.

The idea of an active warden is not 100% new. Simmons already used a similar idea (without calling it active warden) to exclude the use of analog covert channels [20, p. 65]. Our active warden is however digital.

Let us now explain in more detail how to realize the subliminal-freeness. Let us call A the sender of the message M, B the receiver of M and W the active warden. A first sends the message to W, who sends it to B. A then convinces B that the message is indeed authentic, by answering (random) questions from B. The warden’s role is to guarantee that these answers and questions cannot be abused to send secret information in a hidden way. Hereto he will modify the questions and answers. Despite the fact that these questions and answers have been modified, B must still be convinced that indeed A has sent the message and nobody else, the warden included.

Let us now present the technical results.

IV. SUBLIMINAL-FREE AUTHENTICATION

To simplify the presentation, we first reduce the task of the warden to guaranteeing that A (the sender of the message M) cannot use a subliminal channel; however, B (the receiver of the message M) is allowed to send information in a subliminal way. At the end of this section we will also eliminate the possibility that B can use subliminal channels.

The authentication mechanism we propose is a one-time-valid authentication scheme [5, p. 154]. A one-time-valid authenticated message loses its validity once the authenticity of the message has been checked by the legitimate receiver of the message, or after a certain time. The concept of one-time-validity itself is certainly not new. It can be obtained by adding the actual date and time to the message. It can also be obtained using zero-knowledge [11,13]. This approach is now used.

Our system is partially based on the Goldwasser-Micali-Rivest signature scheme, which was briefly explained in Section II.. We also use some methods which were developed in [7]. From now on we assume that the message M and i are encoded with a prefix-free encoding [15]. Remark that no authentication tree is necessary, because the scheme is not a signature system and because our protocol is zero-knowledge. The need to use two different claw-free pairs (f and g) also disappears. The authentication mainly consists in proving that A knows f^{-1}(R), where f is based on claw-free permutations, as explained in Section II.. Let us explain the details of the protocol.

n = p · q, a Williams (Blum) integer, together with R_1, R_2, . . . , R_k form the public key of the sender (A). The R_j are chosen randomly such that the Jacobi symbol (R_j | n) = 1. p and q are secret.

Before A uses the system, W (the active warden) asks A to “prove” that n is indeed the product of two primes which satisfy the above conditions. This can be done using a zero-knowledge protocol (see e.g., [10]). This zero-knowledge protocol has only to be used once, because W can store n and label it as being verified.

To authenticate a message M our public key authentication system follows the following protocol, where Steps 2-7 are repeated l times:

Step 1 A sends the message M to W , who sends it to B.

Step 2 A generates a t (not necessarily random) such that gcd(t, n) = 1, squares it |M| times and multiplies it with (random) ±1 to obtain X = ±t^{2^{|M|}} (mod n), and sends X to W.

Step 3 W checks that the Jacobi symbol (X | n) = 1. If it is not, then W stops the protocol, else W does as A did in Step 2, starting from a truly random t’, to obtain X’ and sends α = X · X’ (mod n) to B.

Step 4 B sends a (random) Boolean vector (E_1, . . . , E_k) to A (through the active warden).

Step 5 A sends Y = t · ∏_{j : E_j = 1} f_M^{-1}(±R_j) (mod n) to W, where +1 is used if R_j is a quadratic residue, else -1 is used.

Step 6 W verifies (by squaring and multiplications) if Y is correct. If it is not, then W halts the protocol, else W sends β = t’ · Y (mod n) to B.

Step 7 B verifies β by using square operations, multiplications, α and A’s public key. The last multiplication is by ±1.
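Steps 2-7 above, run end to end as an added Python example that is not code from the paper: the modulus, the public R_j, the message bits and all randomness are constructed toy values, and the function names are ours. f_M is realised as the composition of f_0 and f_1 from Section II (low-order bit first) and inverted with A's secret factors; the warden blinds X with its own X' and Y with t'; and one routine serves both W (Step 6) and B (Step 7). The exact shape of that check, y^{2^{|M|}} · c_M^{#E} ≡ ±X · ∏ R_j with c_M = f_M(1), is our reading of "squarings and multiplications, the last multiplication by ±1"; it follows from f_M(z) = c_M · z^{2^{|M|}}.

```python
from math import gcd

# Constructed toy key for the sender A (not from the paper): 19 ≡ 3, 23 ≡ 7 (mod 8),
# so N is a Williams (Blum) integer; p, q stay with A.  Real keys need hundreds of bits.
P, Q = 19, 23
N = P * Q
R_PUB = [36, 433, 121]   # A's public R_1..R_k with Jacobi (R_j | N) = 1; 433 ≡ -4 is *not* a QR
M = "101"                # message bits, assumed already prefix-free encoded; |M| = 3


def jacobi(a, n):
    """Jacobi symbol (a | n) for odd n > 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def square_times(z, k, n):
    """z^(2^k) mod n: 'squares it k times' as in Step 2."""
    for _ in range(k):
        z = (z * z) % n
    return z


def f_M(z, m, n):
    """f_M(z) = f_{m_d}(... f_{m_0}(z)), f_0(z) = z^2, f_1(z) = 4z^2; the last bit of m is m_0."""
    for b in reversed(m):
        z = (z * z) % n
        if b == "1":
            z = (4 * z) % n
    return z


def is_qr(x, p, q):
    """Quadratic residue test using the secret factors (Euler's criterion modulo p and q)."""
    return pow(x % p, (p - 1) // 2, p) == 1 and pow(x % q, (q - 1) // 2, q) == 1


def qr_sqrt(y, p, q):
    """The square root of a QR y that is itself a QR (p, q ≡ 3 mod 4, so roots are y^((p+1)/4))."""
    rp, rq = pow(y, (p + 1) // 4, p), pow(y, (q + 1) // 4, q)
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def f_M_inverse(y, m, p, q):
    """Undo f_M on a QR y: peel off f_{m_d} first, i.e. walk the bits from the first character."""
    n, inv4 = p * q, pow(4, -1, p * q)
    for b in m:
        if b == "1":
            y = (y * inv4) % n
        y = qr_sqrt(y, p, q)
    return y


def verify(y, x, e_bits, m, r_pub, n):
    """Steps 6/7 check: y^(2^|M|) * c_M^(#E) ≡ ±x * prod_{E_j=1} R_j (mod n), with c_M = f_M(1).
    Only squarings and multiplications are needed, and the last multiplication is by ±1."""
    c_m = f_M(1, m, n)
    lhs = (square_times(y, len(m), n) * pow(c_m, sum(e_bits), n)) % n
    rhs = x
    for e, r in zip(e_bits, r_pub):
        if e:
            rhs = (rhs * r) % n
    return lhs == rhs or lhs == (-rhs) % n


def one_round(e_bits, t, sign_a, t_prime, sign_w):
    """Steps 2-7 for one repetition.  Randomness (t, ±1, E, t', ±1) is passed in so runs are reproducible."""
    assert gcd(t, N) == 1 and gcd(t_prime, N) == 1
    x = (sign_a * square_times(t, len(M), N)) % N            # Step 2: A -> W
    if jacobi(x, N) != 1:                                      # Step 3: W's Jacobi check
        return {"warden_ok": False, "receiver_ok": False}
    x_prime = (sign_w * square_times(t_prime, len(M), N)) % N
    alpha = (x * x_prime) % N                                  # Step 3: W -> B (X blinded by X')
    y = t                                                      # Step 5: A answers E (Step 4) with p, q
    for e, r in zip(e_bits, R_PUB):
        if e:
            y = (y * f_M_inverse(r if is_qr(r, P, Q) else (-r) % N, M, P, Q)) % N
    warden_ok = verify(y, x, e_bits, M, R_PUB, N)              # Step 6: W checks A's answer ...
    if not warden_ok:
        return {"warden_ok": False, "receiver_ok": False}
    beta = (t_prime * y) % N                                   # ... and blinds it with t'
    receiver_ok = verify(beta, alpha, e_bits, M, R_PUB, N)     # Step 7: B checks against alpha, public key
    return {"x": x, "alpha": alpha, "y": y, "beta": beta,
            "warden_ok": warden_ok, "receiver_ok": receiver_ok}


if __name__ == "__main__":
    print(one_round([1, 0, 1], t=5, sign_a=-1, t_prime=7, sign_w=1))
```

B never sees X or Y, only α = X·X' and β = t'·Y; since t' is chosen by W, any structure A put into t cannot reach B, which is the mechanism behind Theorem 3. A prover without p and q cannot compute f_M^{-1}(±R_j), and for a fixed transcript only a handful of y values satisfy W's check even with this toy modulus.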

Remark that A would be able to send one bit of information (the fact that the protocol could be halted) in Step 3 or in Step 6; however, the warden is then able to arrest A (if appropriate). The fact that this one bit of information that A could send is detectable by the warden implies that it is not a subliminal bit. Indeed, subliminal as defined by Simmons implies undetectability by the warden. If necessary the warden can ask A to sign all her messages, so that the warden is able to prove later on that A tried to use a subliminal channel. However, it is also possible that the warden (or an active eavesdropper) has tried to inject a fake message M and is unable to answer B’s questions, and therefore stops the protocol. So B has no guarantee about the authenticity of this bit.

To discuss the security of the above protocol we need to recall what the mafia fraud is [6]. Suppose that A proves statement S to B using zero-knowledge, for example; then A will answer questions from B. If C is able to claim to D that she is proving S, using B as a dishonest verifier of A’s proof, then the proof system is not secure against the mafia fraud. Several zero-knowledge protocols allow this fraud in real time. Hereto B and C have to communicate questions and answers respectively from D to A and vice versa. The mafia fraud is important to evaluate the security of authentication, signature and identification. Let us now discuss the security of our subliminal-free authentication system.

Theorem 1 If one excludes the mafia fraud, the real sender will convince the prover and a fake prover will fail. This protocol is a zero-knowledge proof.

Proof (sketch): Consider that the warden is not active, so t’ = X’ = 1; then the proof is similar to [7, pp. 214-215]. □

Theorem 2 Using the assumptions of [15], the protocol cannot be defrauded by the mafia fraud. To be more precise, if A authenticates M, an active eavesdropper cannot modify the proof to authenticate M’, unless the Goldwasser-Micali-Rivest system can be broken.

Proof (sketch): Drop the effect of the active warden. The effect of the mafia fraud corresponds with an active eavesdropper who modifies M into M’ and tries to convince B about the authenticity of M’. Hereto he can multiply X with X”, exor E_j with and multiply Y with Y”, such that if B checks Y”, he is convinced that A has sent M’. The proof consists in demonstrating that if the active eavesdropper succeeds then he can break the Goldwasser-Micali-Rivest [15] signature system. □

Theorem 3 If n is of the appropriate form, then A is not able to send subliminal information (a more formal theorem will be given in the final paper).

Proof (sketch): The proof is based on perfect secrecy. □


In the previous protocol, B is able to send a secret message to A, by letting (E_1, . . . , E_k) correspond with a part of the hidden (encrypted) message. This can be avoided by modifying Step 4 and Step 5 using the concept of commitment. The modifications are:

Step 4.a W chooses a random Boolean vector (F_1, . . . , F_k) and a random K and sends h_K(F_1, . . . , F_k) to B, where h satisfies condition (1).

Step 4.b B sends a (random) Boolean vector (E_1, . . . , E_k) to W.

Step 4.c W sends (G_1, . . . , G_k) = (E_1 ⊕ F_1, . . . , E_k ⊕ F_k) to A, and reveals (F_1, . . . , F_k) and K to B.

Step 4.d B verifies (F_1, . . . , F_k) and the protocol continues if correct.

Step 5 A sends Y = t · ∏_{j : G_j = 1} f_M^{-1}(±R_j) (mod n) to W, where +1 is used if R_j is a quadratic residue, else -1 is used.

Remark that B will use the G_j at the moment that he checks β. The use of the concept of commitment was extremely important to avoid that the warden could cheat or that B could send subliminal information. The role of the active warden differs from before. Indeed, to avoid that A can use a subliminal channel, the warden does not have to interact with A; he has to act similarly to an active eavesdropper. So the warden could interact in such a way that A and B are not conscious that he is intervening. However, to prevent B from sending subliminal information, the warden and B must contact each other. The proofs of security of these protocols will be fully discussed in the final paper. To prove them a more formal definition of subliminal-freeness will be given. Remark that if B is able to break the security of the encryption E then B is able to cheat and the subliminal-freeness disappears. When one wants stronger guarantees that the protocol is subliminal-free the following adaptation can be used:

Step 4.a B chooses a (random) Boolean vector (E_1, . . . , E_k) and a random K and sends h_K(E_1, . . . , E_k) to W, where h satisfies condition (1).

Step 4.b W sends a random Boolean vector (F_1, . . . , F_k) to B.

Step 4.c B reveals (E_1, . . . , E_k) and K to W.

Step 4.d First W verifies (E_1, . . . , E_k) and, if correct, then W sends (G_1, . . . , G_k) = (E_1 ⊕ F_1, . . . , E_k ⊕ F_k) to A and the protocol continues.
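The two commit-then-reveal orderings above, as an added Python example that is not code from the paper: a SHA-256 hash over the key and the vector stands in for the paper's keyed encryption h_K (it satisfies condition (1) as long as SHA-256 is collision resistant), and the function names are ours. Each variant returns the challenge G = E ⊕ F that goes to A together with whether the opening passed the check, so a party who tries to open a vector other than the one committed to is caught by the other side.

```python
import hashlib
import secrets


def commit(key: bytes, bits):
    """h_K(b_1, ..., b_k): commitment to a Boolean vector under a fresh random key K
    (SHA-256 stands in for the paper's keyed encryption; assumption, not the paper's choice)."""
    return hashlib.sha256(key + bytes(bits)).digest()


def opens_to(commitment, key, bits):
    """Condition (1) in use: under collision resistance only the committed vector opens the commitment."""
    return commit(key, bits) == commitment


def xor(e_bits, f_bits):
    return [e ^ f for e, f in zip(e_bits, f_bits)]


def warden_commits(f_bits, key, e_bits, revealed_f=None):
    """Steps 4.a-4.d, first version: W commits to F, B sends E, W hands G = E xor F to A
    and opens F, K to B.  `revealed_f` lets a dishonest W try to open a different vector."""
    c = commit(key, f_bits)                              # 4.a: W -> B
    g_bits = xor(e_bits, f_bits)                         # 4.b: B -> W: E;   4.c: W -> A: G
    opened = f_bits if revealed_f is None else revealed_f
    accepted = opens_to(c, key, opened)                  # 4.d: B checks the opening
    return g_bits, accepted


def receiver_commits(e_bits, key, f_bits, revealed_e=None):
    """Steps 4.a-4.d, stronger version: B commits to E, W sends F, B opens E, W checks and forwards G."""
    c = commit(key, e_bits)                              # 4.a: B -> W
    opened = e_bits if revealed_e is None else revealed_e   # 4.b: W -> B: F;   4.c: B -> W: E, K
    if not opens_to(c, key, opened):                     # 4.d: W verifies before anything reaches A
        return None, False
    return xor(opened, f_bits), True


def fresh_key():
    return secrets.token_bytes(16)


if __name__ == "__main__":
    e, f = [1, 0, 1, 1], [0, 1, 1, 0]
    print(warden_commits(f, fresh_key(), e))                            # ([1, 1, 0, 1], True)
    print(warden_commits(f, fresh_key(), e, revealed_f=[0, 0, 0, 0]))   # B detects W's cheating
    print(receiver_commits(e, fresh_key(), f, revealed_e=[0, 0, 0, 0])) # W refuses: (None, False)
```

In both orderings the party who moves second has already seen only a commitment, so G is uniformly random whenever either party's vector is; the difference between the versions is who gets the chance to abort after seeing the other's vector, which is what the remark about breaking E in the text is about.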


However, if W is able to break the security of E this time, then W can impersonate A by sending messages M, and B will believe they originate from A. So, depending on how the protocol is used, the assumption that E is secure has different consequences.

The reader could correctly remark that A is able to send subliminal information at the moment of publication of n, R_j (her public key) by choosing them specially. However, these keys are constant, so the subliminal information that they can contain is strongly limited. In case the warden nevertheless worries about it, he is able to eliminate this danger in a similar way as we proceed in Section V. (for more details see [4]).

V. SUBLIMINAL-FREE SIGNATURES

The idea is to make the Goldwasser-Micali-Rivest signature system subliminal-free. We use the same notations as in [15].

To make the signature subliminal-free the warden has to guarantee that all the R_j, which are used in [15], are truly random. This can be obtained using the commitment idea. Before A starts to use her signature system, W has to be convinced (using zero-knowledge) that n has the appropriate form. To sign the jth message M, the following protocol is used:

Step 1 A chooses a (random) quadratic residue R’_j (mod n) and a random K and sends h_K(R’_j) as commitment to W, together with the message M.

Step 2 W chooses a truly random quadratic residue R”_j (mod n) and sends it to A.

Step 3 A calculates R_j = R’_j × R”_j (mod n) and uses this R_j in the same way as in [15]. Then A reveals her R’_j and K and sends the signature σ_j and the necessary authenticator (L_j) to the warden.

Step 4 W (the warden) checks R’_j, the authenticator(s) and the signature. He also checks if the Jacobi symbols (σ_j | n) = (L_j | n) = 1. If one of these does not correspond, then the warden halts the protocol, else he sends (or publishes) M, the authenticator(s) multiplied by ±1 and the signature multiplied by ±1. The warden stores the updated authentication tree, with the ±1 that he used.

The same idea can be used to guarantee that the random value which is a part of the public key of A is subliminal-free. A is still able to send subliminal information in her public key n, by publishing a special n. It is theoretically possible to avoid this problem, however the implementation is involved (see [4]).


VI. PRACTICAL ASPECTS

The first protocol discussed in Section IV. is easy to set up. In case of verification of treaty or international bank communications, the host country can be the warden. The example of international bank communications is important from a commercial point of view. Indeed, several banking organizations with international activities frequently face the problem that they are not allowed to use encryption to protect the privacy of their messages. Subliminal-free authentication would make their communications more secure without security objections from the corresponding countries where the banks operate. Subliminal-free authentication can be used in identification systems. By authenticating messages as: “I, A, am at the moment in Town, Street, House Number, Floor, . . .”, describing the exact location of A and B, more secure identification systems can be made [5, pp. 154-155]. Making authentication systems subliminal-free makes their use for identification more attractive. Many other applications exist.

It is easy to adapt the first protocol in order to work with two wardens, not trusting each other. This allows the phone companies to act as warden in national and in international communications. The other protocols can also be adapted to have two wardens, but the protocols then become more involved.

The speed of the protocols can be compared with the speed of RSA, if several tricks are used. Ideas as described in [9] can be used. Remark in this context that the R_j are constants, so A can significantly speed up the calculations of f_M^{-1}(±R_j), even though M is not constant. Hereto she has to store some values (more details will be given in the final paper). A also can speed up the calculation of X using her knowledge of φ(n).

Much faster subliminal-free authentication and signature systems can be made partially based on [7,8]. However, these schemes also have disadvantages. Full details will be given in the final paper.

VII. CONCLUSION

The problem of making subliminal-free authentication and signature systems, which was open for five years, is now solved. The applications of subliminal-free authentication go from verification of treaty to international banking communications. One can expect that in the near future more practical subliminal-free authentication and signature schemes will be presented using fewer interactions. The impact that non-interactive zero-knowledge [3] can have on such improvements has to be investigated.


REFERENCES

[l] J. A. Adam. Ways to verify the U.S.-Soviet arms pact. IEEE Spectrum, pp. 30-34, February 1988.

[2] M. Blum. Coin apping by telephone - a protocol for solving impossible problems. In digest of papers COMPCON82, pp. 133-137, IEEE Computer Society, February 1982.

[3] M. Blum, P. Feldman, and S. Micali. Non-interactive zero-knowledge and its applications. In Proceedings of the twentieth ACM Symp. Theory of Com- puting, STOC, pp. 103 - 112, May 2-4, 1988.

[4] Y. Desmedt. Abuses in cryptography and how to fight them. August 1988. To be presented at Crypto’88.

[5] Y. Desmedt. Major security problems with the “dorgeable” (Feige-)Fiat- Shamir proofs of identity and how to overcome them. In Securicom 88, 6th worldwide congress on computer and communications security and protection, pp. 147-159, SEDEP Paris France, March 15-17, 1988.

[S] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat- Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto’87 (Lecture Notes in Computer Science 293), pp. 21-39, Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16-20.

[7] U. Feige, A. Fiat, and A. S h e . Zero knowledge proofs of identity. In Proceedings of the Nineteenth ACM Symp. Theory of Computing, STOC, pp. 210 - 217, May 25-27, 1987.

[8] A. Fiat and A. Sbamir. How to prove yourself: Practical solutions to identi- fication and signature problems. In A. Odlyzko, editor, Advances in Cryptol- ogy, PTOC. of Crypto’86 (Lecture Notes in Computer Science 263)) pp. 186- 194, Springer-Verlag, 1987. Santa Barbara, California, U. S. A., August

[9] 0. Goldreich. Two remarks concerning the Goldwasser-Mid-Rivest sig- nature scheme. In A. Odlyzko, editor, Advances in Cyptology, PTOC. of Cypto’86 (Lecture Notes in Computer Science 263), pp. 104-110, Springer- Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15, 1986.

[lo] 0. Goldreich, S. Micali, and A. Wigderson. How to prove all NP statements in zero-knowledge and a methodolgy of cryptographic protocol design. In A. Odlyzko, editor, Advances in Cryptology, PTOC. of Cypto’86 (Lecture Notes in Computer Science 2631, pp. 171-185, Springer-Verlag, 1987. Santa Bar- bara, California, U. s. A., August 11-15.

[ll] 0. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity and a methodology of cryptographic protocol design. In The Computer Society of IEEE, 27th Annual Symp. on Foundations of Computer Science (FOCS), pp. 174-187, IEEE Computer Society Press, 1986. Toronto, Ontario, Canada, October 27-29, 1986.

[12] S. Goldwasser and S. Micah. Probabilistic encryption. Journal of Computer and System Sciences, 28(2), pp. 270-299, April 1984.

11-15.


[13] S. Goldwasser, S. Micali, and C. Rackoff. Knowledge complexity of interactive proofs. In Proc. 17th STOC, pp. 291-304, 1985.

[14] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2), pp. 281-308, April 1988.

[15] S. Goldwasser, S. Micali, and R. Rivest. A paradoxical solution to the signature problem. In Proceedings of 25th Symp. on Foundations of Computer Science, pp. 441-448, 1984.

[16] G. J. Simmons. Message Authentication Without Secrecy, pp. 105-139. AAAS Selected Symposia Series 69, Westview Press, 1982.

[17] G. J. Simmons. The prisoners' problem and the subliminal channel. In D. Chaum, editor, Advances in Cryptology. Proc. of Crypto 83, pp. 51-67, Plenum Press N.Y., 1984. Santa Barbara, California, August 1983.

[18] G. J. Simmons. The secure subliminal channel (?). In H. C. Williams, editor, Advances in Cryptology. Proc. of Crypto 85 (Lecture Notes in Computer Science 218), pp. 33-41, Springer-Verlag, 1986. Santa Barbara, California, August 18-22, 1985.

[19] G. J. Simmons. The subliminal channel and digital signatures. In T. Beth, N. Cot, and I. Ingemarsson, editors, Advances in Cryptology. Proc. of Eurocrypt 84 (Lecture Notes in Computer Science 209), pp. 364-378, Springer-Verlag, Berlin, 1985. Paris, France, April 9-11, 1984.

[20] G. J. Simmons. Verification of treaty compliance-revisited. In Proc. of the 1983 IEEE Symposium on Security and Privacy, pp. 61-66, IEEE Computer Society Press, April 25-27, 1983. Oakland, California.

[21] H. C. Williams. A modification of the RSA public-key encryption procedure. IEEE Trans. Inform. Theory, 26(6), pp. 726-729, November 1980.


Gustavus J. Simmons a) and George B. Purdy b)

a) Sandia National Laboratories, Albuquerque, NM 87185

b) University of Cincinnati, Department of Mathematics, Cincinnati, OH 45221

Abstract

There are two equally important, related, functions involved in the control of assets and resources. One of these is the verification of a potential user's identity and authority to use or have access to those assets. The other is to provide a record (receipt) of each access so that in the event of a later dispute as to whether an illegitimate use was made of the assets, or of the extent of the liability incurred in a legitimate use, etc., the authenticity and specifics of the access can be demonstrated in a logically compelling (and hence eventually legally binding) manner to an impartial third party or arbiter. Elaborate, and legally accepted, document based protocols to accomplish these functions are central to all commercial and private transactions. When the resources are remotely accessible, however, as in the case of computer data files, electronic funds transfers (EFT), automated bank tellers, and even in many manned point-of-sale systems, no satisfactory counterpart to the established document based protocols for verifying individual identity and/or authority to use a resource has been found, nor has a fully satisfactory means been devised to provide unforgeable transaction receipts. In this paper, we show how a public authentication channel can be used to certify private (user unique) authentication channels in a protocol that both "proves" a potential user's identity and authority and also provides certified receipts for transactions whose legitimacy can later be verified by impartial arbiters who did not have to be parties to the original transaction.

We also introduce an authentication scheme to be used in this application based on the legitimate originator of information being able to extract square roots modulo $n = pq$, where $p$ and $q$ are primes of a special form. We show that these protocols provide a zero-knowledge proof of identity and of the veracity of transaction receipts, and that they are therefore very secure. We also show how the legitimate owner of the authentication channel can give a zero-knowledge proof that the modulus $n$ has the correct form, thereby eliminating the possibility of the existence of several known subliminal channels.

a) This author's work performed at Sandia National Laboratories supported by the U. S. Department of Energy under contract no. DE-AC04-76DP00789.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 35-49, 1988. © Springer-Verlag Berlin Heidelberg 1988

Introduction

There are two parts to the problem of verifying the identity of an individual whom we will refer to as the user, whether remotely or face-to-face. First, the party or device making the identification (the verifier) must have identifying information available to match or check against the information submitted to support a claimed identity. Clearly, the confidence that the verifier has in any particular identification can be no greater than his confidence in the integrity of the corroborating information on which the identification is based. Consequently, the first part of the identity verification problem is to devise means by which the verifier can have access to identifying information whose integrity he can trust. This information may either be intrinsic to the individual being identified, such as physiognomy, fingerprints, voice prints, retinal prints, dynamics of a written signature, etc., or else it may be extrinsic, i.e., a private (secret) piece of information such as a computer access password, a telephone credit card number, a personal identification number (PIN), etc., not intrinsically associated with the individual, but whose possession is equated with the user's identity. The second part of the identity verification problem for extrinsic identification is to devise means to protect this identifying information from forgery or fraudulent use, especially to insure that as a consequence of someone eavesdropping on repeated uses by the legitimate user they cannot improve their chances of impersonating him. Assuming that there are many users whom a verifier may have to identify, the file of identifying information that he uses for this purpose may take the form of an actual trusted directory, perhaps hidden behind a one-way function [8,12,20] to protect the users against the verifier or his agents impersonating them to other verifiers, or it may be an implicit directory in which the user produces trusted (?) identification credentials, such as drivers licenses, photo IDs, major credit cards, etc., in support of his access request at the time it is made. It should be pointed out that in transactions where significant liability is involved, these user supplied credentials are often themselves verified by querying a central file; telephone verification of credit cards at the point of sale, etc. This defeats the main purpose of having user-supplied means of identification, i.e., to make identification a purely local protocol, but is made necessary by the low level of confidence achievable in conventional user-supplied means of identification. In either case, whether the directory is actually in the possession of the verifier or is merely remotely accessible by him, trust in the directory is derived from trust in the integrity of the issuer of the directory.

In the first reported application of public key crypto techniques (fielded by the Sandia National Laboratories in 1978), an authentication channel based on the RSA cryptoalgorithm was used to create trusted credentials that users could carry with them and present to the verifier at the time they requested access, in this case to the very sensitive Zero Power Plutonium Reactor at Idaho Falls, Idaho [7,16]. The public authentication channel (a publicly known RSA modulus $n$ and decryption exponent $d$) was used by the issuing office of the Atomic Energy Commission to authenticate (certify) a text that included physical descriptors for the individual being identified as well as the details of the nature, type, duration, etc., of the access authorized. The object of this scheme was to make it possible for each user to carry with him what would have effectively been his entry in the verifier's trusted directory (a trusted credential in this case), that could be authenticated by the verifier, but which would be of no assistance to anyone wishing to produce a fraudulent credential. In this particular application, the identification information was intrinsic to the user (hand geometry, body weight, etc.), however, in other applications [16] the same basic technique has been used with extrinsic information in a manner similar to the protocol to be described here.

The essential concept in the protocol to provide verifiable proof of identity and unforgeable certified receipts is to use a public authentication channel to create trusted credentials which users will keep in their possession which certify, along with various identifying information, the public part of a user-unique authentication channel: the private (secret) part of which is known only to the legitimate user identified in the credential [19]. These credentials need not be kept secret and consequently avoid the necessity of generating, distributing and protecting local trusted directories or of establishing secure communications (authentication) channels to permit access by the verifiers to centralized trusted directories. At the time a user presents a credential (not necessarily his own) the verifier can first establish locally, via the public authentication channel, that the credential is valid, i.e., that it was created by the issuer, and secondly, that the user identified in the now authenticated credential knows the private part of an authentication channel whose public part is described there. The applicant can then "prove" (in probability) that he is the individual to whom that credential belongs by demonstrating that he can authenticate challenge messages submitted by the verifier whose authenticity the verifier can establish using the (certified) public part of the authentication channel described in the credential.

The Protocol

The protocol described here presupposes the existence of an unconditionally trusted issuer of validated (signed) identification credentials. This could be a government agency, a credit card center or financial institution, a military command center, a centralized computer facility, etc. The issuer first establishes a public authentication channel to which he retains the secret authenticating function. As mentioned earlier, this could be any suitably secure authentication channel. The one we will use to illustrate the protocol is based on the computational equivalence (in probability) of extracting modular square roots and of factoring a composite modulus. To set up such a channel, the issuer first chooses a pair of primes $p$ and $q$; $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. $p$ and $q$ must satisfy the same conditions required to construct a "good" RSA modulus, i.e., $p$ and $q$ must be chosen so that it is computationally infeasible for anyone to factor the modulus $n = pq$. There are two reasons for requiring that $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. The first, which is simple to explain, is to make it easy for anyone who knows the factors to extract the modular square root of a square with respect to $n$.¹ The second reason is harder to explain in detail, but basically it is to guarantee that there is a unique, but publicly determinable, square associated with every message, $u$, that may need to be authenticated. The explanation of why we want this to be true we will defer for the moment. This restriction on the choice of $p$ and $q$ represents no significant increase in the computational difficulty of finding suitable primes during the initial set up of the authentication channel. The issuer keeps the factorization of $n$ secret; in fact, the security of the system against fraudulent claims of validated identity is no better than the lesser of

a) the quality of protection provided $p$ and $q$ by the issuer

or, b) the difficulty of factoring $n$.

The issuer must also have available a polyrandom function $f$ that maps arbitrary strings of symbols to the range $[0,n)$. By polyrandom, we mean that $f$ cannot be distinguished from a truly random function by any polynomially bounded computation. $f$ will be a publicly known function, and need not change over the lifetime of the identification protocol. Many strong, single-key cryptographic functions, such as the DES when used with a fixed publicly known key in a block chain encryption mode, appear to adequately approximate this condition. $n$ and $f$ are the public part of the issuer's authentication channel. The private (secret) part of the channel, known only to the issuer, is his knowledge of the factors $p$ and $q$. Since taking modular square roots is computationally equivalent (in probability) to factoring $n$, the issuer can prove that he is who he claims to be, i.e., prove that he knows the factorization of $n$, by being able to produce square roots modulo $n$. The issuer cannot simply authenticate arbitrary messages submitted to him by public receivers (either users or verifiers), since each time he responded with a square root to a square chosen by someone else he would potentially compromise the factorization of $n$, and hence the capability to fraudulently authenticate messages in his stead, with probability 1/2. Similarly, a receiver can't accept an arbitrary square and matching square root as proof of the identity of the party possessing them, since anyone could choose an arbitrary $x$ and square it to calculate a matching square with respect to the issuer's publicly known modulus, $n$. Consequently, the squares that the issuer will authenticate, i.e., whose square roots he will extract, must be indeterminate to both the issuer and the receiver in order for the public authentication channel to be secure; both against the receiver being deceived as to the identity of the originator of a message and to the issuer against having his identity usurped. The primary purpose of the polyrandom function $f$ is to provide this indeterminacy. Its secondary purpose is to map strings of symbols (whose length may vary) into the range $[0,n)$, i.e., into the principal residues of $n$.

1. Given a prime $p$ and a quadratic residue, $y$, of $p$ it is only an $O(\log p)$ computational task to find a solution to the quadratic congruence

(i) $x^2 \equiv y \pmod p$,

i.e., to extract a modular square root of $y$. This is true irrespective of the choice of the prime $p$, however if $p \equiv 3 \pmod 4$ the solution of (i) is particularly simple:

(ii) $x \equiv \pm y^{(p+1)/4} \pmod p$

where the minus sign indicates the complement (mod $p$). Exponentiation is only an $O(\log p)$ computational task using the well-known square-and-multiply algorithm [6].

In the usual communications usage of an authentication channel, a transmitter wishes to send a message, $m$, to public receivers and to "prove" to them that the communication came from him and not from someone impersonating him, and also that a message hasn't been altered after he signed it. To do this with the authentication channel just described, the transmitter would, if necessary, introduce additional redundant information, typically a field of the message filled with a publicly known symbol, say a terminal block of $k$ zeros, to form an extended message, $\bar m$. $\bar m$ will be a square modulo $n$ with probability 1/4, in which case the transmitter can extract a square root, $s$, and send the couplet $(m,s)$ as the authenticated (signed) message. There are four square roots for $\bar m$ modulo $n$, one of which is chosen with a uniform probability distribution. The computational algorithm (modular square root) takes care of this random choice automatically. The transmitter need only communicate the message, $m$, not the extended message, $\bar m$, since the redundant information is publicly known so that the receiver can construct $\bar m$ from $m$ in the same way that the transmitter did. The receiver(s) will accept $(m,s)$ as an authentic communication from the transmitter if and only if

(1) $\bar m \equiv s^2 \pmod n$.

With probability 3/4, however, $\bar m$ will not be a square so that there is no $s$ satisfying (1). In the case of a communications usage of the authentication channel, there are a variety of simple procedures by which the transmitter can cause the extended message $\bar m$ that he uses to be a square but, as we shall see, none of these are available in the present case since the transmitter must not be able to force the choice of the square to a value of his choice. In the identification protocol, the issuer would form the extended message $\bar m$ in exactly the same way the transmitter does in the communications example. But he would then form $u = f(\bar m)$, depending on the polyrandom nature of $f$ to protect himself from a compromise of the factorization of $n$ that could occur if $\bar m$ was chosen (or could be sufficiently influenced) by the receiver, and to protect the receiver from deception by someone impersonating the issuer and presenting an arbitrary pair $\bar m$ and $s$ satisfying (1), etc. If $\log(u) \gg k$, i.e., if the number of bits in $u$ is much larger than $k$, then the probability of a randomly selected $u$ actually being the image of some extended message with the proper $k$ bits of redundant information will be $2^{-k}$. The probability that $u$ will be a square with respect to $n$ is 1/4 as mentioned earlier, in which case the issuer can sign $u$ by extracting the square root, etc. If $u$ isn't a square, however, since $f$ is a polyrandom function there is no evident way to manipulate $\bar m$ so as to cause $u$ to become a square. In fact, if there were any way to influence the quadratic residuosity of $u$ through $f$ then $f$ would not satisfy the definition of a polyrandom function, and the authentication channel would not be cryptosecure. Therefore, since it is computationally infeasible for the issuer to cause $u = f(\bar m)$ to be a square, and since being able to extract modular square roots is the only means the issuer has of proving that he knows the factorization of $n$ and hence of authenticating messages, we need a simple and publicly known means of associating a unique, but publicly determinable, square with $u$, for all residues $u$.

At this point, we remind the reader of two simple facts from elementary number theory: the product of either a pair of quadratic residues or of a pair of quadratic nonresidues is a quadratic residue, while the product of a quadratic residue with a quadratic nonresidue is a quadratic nonresidue. A quantity, $u$, $(u,n) = 1$, is a quadratic residue with respect to a composite modulus $n = pq$, if and only if it is a quadratic residue with respect to both $p$ and $q$ individually.

We also need two further number theoretic results [2]:

a) 2 is a quadratic residue of all primes of the form $P \equiv 1$ or $7 \pmod 8$ and a quadratic nonresidue if $P \equiv 3$ or $5 \pmod 8$.

b) $-1$ is a quadratic residue of all primes of the form $P \equiv 1 \pmod 4$ and a quadratic nonresidue if $P \equiv 3 \pmod 4$.

The important thing to note is that 2 is a quadratic residue of $q$ but is a quadratic nonresidue of $p$ by (a) and that $-1$ is a quadratic nonresidue of both $p$ and $q$ by (b). This was why $p$ and $q$ were chosen to satisfy $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$.

Williams [22] was apparently the first to construct RSA moduli using primes of this special form which he exploited to resolve an ambiguity in the decryption of ciphers in a variant to the RSA cryptoalgorithm proposed by Rabin [14] for which they proved that decryption of (almost all) ciphers and of factoring the modulus were computationally equivalent.

Now consider an arbitrary residue $u$, $(u,n) = 1$. $u$ can be classified into one of four classes according as to whether it is a quadratic residue or a quadratic nonresidue with respect to $p$ and with respect to $q$. We represent these four classes as QR,QR; QR,NQR; NQR,QR and NQR,NQR; where the quadratic residuosity with respect to $p$ is indicated first and with respect to $q$ second. Now consider the classification of the four multipliers $1, -2, 2, -1$: these are QR,QR; QR,NQR; NQR,QR and NQR,NQR, respectively. Consequently, there will be precisely one quadratic residue (square) in the set of four residues

(2) $(u, -2u, 2u, -u)$

for any choice of a residue $u$, $(u,n) = 1$. The square residue is the product of $u$ with the multiplier having the same classification as $u$. It is easy for the issuer to determine the class that $u$ belongs to since he knows the factorization of $n$ and hence easy for him to determine which of $u, -u, 2u$ or $-2u$ is a quadratic residue with respect to $n$. The issuer can therefore extract a (random) square root, $s$, of the unique quadratic residue associated with $u$ and sign $u$ with $s$.² In the protocol described here, he also appends two additional bits $b_2 b_{-1}$ so that an authenticated message is of the form

to inform whoever wishes to validate the authenticated message which one of the residues $u, -2u, 2u$ or $-u$, respectively, he should expect to recover from the quadratic congruence,

(3) $s^2 \equiv t \pmod n$.

It isn't essential that the issuer append the two bits that tell which of the four cases to expect, since the verifier could compute $t$ and then check to see whether $t$ is one of $u, -2u, 2u$ or $-u$. If it is, then $m$ would be accepted as an authentic message. It is simply computationally more efficient to append the two bits to the authenticated message than to have the verifier make the four tests. No extra information, i.e., no information not otherwise available, is conveyed by the appended pair of bits. By the convention used here (in arranging the entries in the array (2)), $b_2 = 1$ says multiply $u$ by 2 while $b_{-1} = 1$ says to multiply by $-1$ to form the expected residue.

2. The reader may recall a digital signature scheme proposed by Ong, Schnorr and Shamir [9,10] which superficially resembles the scheme described here. In their scheme, a composite modulus $n$ and a residue $k$ were made public. A signed message, $m$, was any triple $(x,y;m)$ such that

(i) $x^2 + k y^2 \equiv m \pmod n$

$x$ and $y$ were easy to calculate if one knew the factorization of $n$, but thought to be as hard as factoring otherwise. Pollard and Schnorr [11] have shown this not to be the case however. The problem is that in this signature scheme each message $m$ has on the order of $n$ signatures, i.e., pairs of integers $x$ and $y$ satisfying (i), hence it is computationally feasible to find some one out of these many pairs. In the scheme described here there is a unique signature for each message, so that the cryptographic weakness arising from having multiple signatures does not occur.


The probability that an opponent can find a $u$ and $s$ that satisfy (3) and have the required redundant information present in the preimage of $u$ under $f$ without knowing the factorization of $n$ is $2^{-k}$ as has already been pointed out.

In the protocol, user i's identity is completely specified in an identifier (string of symbols), $I_i$, consisting of such information as his social security number, his bank account or credit card number, his military ID, etc., which could also include intrinsic physical descriptors, as well as any limitations on the authorization conveyed in the signed identifier, such as credit limits, expiration date, levels of access, etc. Most importantly, $I_i$ must include the public part of the user's personal authentication channel consisting in the present example of an RSA modulus $n_i$, where $n_i = p_i q_i$ and $p_i \equiv 3 \pmod 8$ and $q_i \equiv 7 \pmod 8$ as required in setting up the issuer's public authentication channel; $n_i < n$. In addition, since anyone wishing to forge a credential could construct an identifier, $I$, to suit his purposes, $I_i$ must include sufficiently much publicly known redundant information, such as message format, fixed fields of symbols common to all identifiers, $I_i$, etc., to make a forward search type attack [15] infeasible.

The issuer first calculates

(4)

and determines the classification of $d_i$ according to its quadratic residuosity with respect to $p$ and $q$. He then calculates the (least positive) square root of the unique quadratic residue associated with $d_i$. The authenticated (signed) credential $[I_i; s_i : (b_2 b_{-1})_i]$ is given to user i. No part of this credential need be kept secret. However, the user must keep secret his private authentication function: the factors $p_i$ and $q_i$. His security against impersonation is totally dependent on him protecting this information, since his proof of identity in the scheme is equated to knowing the factorization of $n_i$.

The public part of the (issuer's) authentication channel is the issuer's modulus $n$, the polyrandom function $f$ and a knowledge of the redundant information present in all of the $I_i$, which, as has been noted, must be sufficient to prevent a forward search cryptanalytic attack [15] on the polyrandom function $f$. In other words, the redundancy must be adequate to prevent someone wishing to fraudulently validate an identity from simply calculating $s_j^2 = t$ for randomly chosen signatures $s_j$ until he finds a match with an $s_j^2 = f(I)$ for some usable $I$; this is the forward search attack. By making $I$ contain sufficient redundant information, the probability of success of this sort of attack can be made as small as desired.

When user i wishes to prove his identity to a party A, say to gain access to a restricted facility or to log on to a computer or to withdraw money from an ATM, etc., he initiates the exchange by identifying himself to A using his identification credential and making his access request;

STEP 1: i → A : $[I_i; s_i : (b_2 b_{-1})_i] : t_j$

$t_j$ is a string of symbols that describes or identifies the transaction user i is requesting; $t_j$ could be the date, the amount of the withdrawal, etc. A, who need not have an identification credential issued by the trusted issuer, first verifies that the credential submitted to him is actually an authentic credential signed by the issuer. He accepts the credential (and the information contained in $I_i$) as genuine if and only if the quadratic congruence

(5) (mod $n$)

is satisfied. At this point in the protocol, if the test in (5) has been satisfied, A is confident that the credential was issued by the issuer and that user i identified in $I_i$ can authenticate messages using the private authentication channel described in $I_i$, in other words, for the example of an authentication channel being used here, that user i knows the factorization of $n_i$. The remaining question to A is whether the applicant who submitted the credential $[I_i; s_i : (b_2 b_{-1})_i]$ is actually user i. This question can be answered by using the, now validated, private authentication channel. A replies to the access request with a string of symbols, $T_j$, that describe the transaction from his standpoint: terminal ID, transaction number, confirmation of withdrawal amount, etc.

STEP 2: A → i : $T_j$

Both user i and the verifier A form the concatenation of $t_j$ and $T_j$, $v_j = t_j ; T_j$, and calculate the polyrandom function of the resulting string, $z_j = f(v_j)$. Since $v_j$ is the joint result of contributions by user i and A, it is indeterminate to both, hence no additional redundant information is needed to insure that $z_j$ will also be indeterminate to both of them.

Both i and A now know $z_j$ (a residue mod $n_i$) which may or may not be a quadratic residue with respect to $n_i$. Using the by now familiar procedure to associate a unique quadratic residue with $z_j$, user i calculates a square root, $r_j$, and sends

STEP 3: i → A : $r_j : B_2 B_{-1}$


Note that $z_j$ is being used effectively as a one-time key, indeterminate to both i and A because of the polyrandom nature of $f$, to permit user i to give to A an encrypted function of $v_j$ in a form that will allow A to satisfy himself that whoever he is in communication with had to know the factors of $n_i$. This exchange does not provide any information about the factors themselves because of the polyrandom nature of $f$.

If the person seeking to be recognized as user i really is who he claims to be, i.e., if he knows $p_i$ and $q_i$, then

(6) (mod $n_i$)

will be satisfied. However, if he is not user i, so that he doesn't know the factorization of $n_i$, then in order for him to be able to impersonate i, he must find a number $x$ such that

(7) (mod $n_i$)

which is computationally as difficult as factoring $n_i$. A knows the identity claimed by the applicant from $I_i$, which he accepts as the proven identity of the applicant if and only if equality (5) is satisfied.

A keeps the 4-tuple $(I_i; s_i):(v_j; r_j)$ as his certified receipt for the transaction. Anyone can later verify all aspects of the transaction: first by validating the credential $(I_i; s_i)$ in exactly the same way that A did using the public part of the issuer's authentication channel, and then by validating the receipt $(v_j, r_j)$ using the public part of user i's authentication channel. This proves, in probability, that the complete description of the transaction, $v_j$, was endorsed by user i, or at least by someone knowing the factorization of $n_i$. As has already been mentioned, the missing $B_2 B_{-1}$ and $(b_2 b_{-1})_i$ can be (effectively) calculated when needed, and since the frequency of arbitration is expected to be very low compared with the frequency of authentication and retention of receipts which must occur for every transaction, it is more efficient to not store the bits indicating which of the four test residues should be a quadratic residue.

If both communicants require a certified receipt the one-way protocol described above can be easily modified into a two-way protocol between two parties, i and k, both of whom must possess identification credentials validated by the issuer. The exchange in this case is of the form

STEP 1: i → k : $[I_i; s_i : (b_2 b_{-1})_i] : t_j$

STEP 2: k → i : $[I_k; s_k : (b_2 b_{-1})_k] : T_j$

STEP 3: i → k : $r_j$

STEP 4: k → i : $r'_j$

where user i would keep the 4-tuple $(I_k, s_k):(v_j, r'_j)$ as his certified receipt, etc.

We will next prove that the protocol just described is secure. As a matter of fact, we will prove rather substantially more. A number of authors [3,17,18] have devised schemes for embedding a subliminal channel into digital signature or identification schemes. Consequently, for some applications (such as treaty verification) where a subliminal channel could be exploited by one of the parties to cheat the other, it may be essential for a scheme to be acceptable that a means be available to prove that no subliminal channel has been concealed. In [4] van de Graaf and Peralta present a scheme for proving that a modulus $n$ is a Blum integer, and this provides some protection against subliminal channels in identification schemes using Blum integers. We present a zero-knowledge scheme for proving that a modulus $n$ is of the form used here. This will eliminate the possibility of those subliminal channels arising from the modulus $n$ being of either of the forms $n = p^2 q$, $n = pqr$ or $n = p^2 qr$. A great advantage of the identification scheme described here over schemes based on Blum integers is the avoidance of computing Jacobi symbols. Our proof that a modulus $n$ is of the correct form also avoids computing Jacobi symbols.

Since one of the authors is from Texas where the effete Alice and Bob of cryp-

This will eliminate the possibility of those subliminal 2

2

tology fame haven't gained acceptance, and the other is an engineer accustomed to using the notation Tx and R x to indicate the transmitter and receiver, respectively, in a communications channel, the communicants here will be called Tex and Rex (pro- nounced with a nasal Texas drawl). we start by assuming that Tex wishes to establish his identity to Rex. description of the protocol described above is:

With this explanation of the change in notation, A simplified

1) Tex chooses a string of symbols x and sends it to Rex.

2) After receiving x, Rex chooses a string y and sends it to Tex.

3) They compute z = f(v), where f is a polyrandom function, and v = x;y is the concatenation of the strings x and y.

4) Tex determines which one of the four numbers z, -z, 2z, -2z is a square. Let's say that uz is a square. Then Tex calculates and chooses at random one out of the four possible square roots of uz, say s. He gives s to Rex along with a two-bit suffix (b_2 b_1) indicating which of the four numbers 1, 2, -1, or -2 must be used as the multiplier u to make the product uz a square.

5) Rex accepts the communication as authentic if and only if the equality is satisfied.

As pointed out earlier, there is a potentially troubling aspect to this scheme: every time that Tex uses it, Rex might conceivably learn something about n = pq. If Tex identifies himself k times to Rex, or if k different people to whom Tex has identified himself pool their knowledge, then Rex obtains 2k bits of information about p and q which -- we might naively assume -- have required 2^{2k} guesses in order for him to simulate for himself. That is, if we postulate that he had a procedure for factoring the modulus which required these numbers, and he didn't have them, then he would have had to run his algorithm 4^k times, once for each guess. Instead the algorithm is a zero-knowledge proof, and contrary to intuition, Rex can, on his own, come up with number triples (z, s, u), where z is random, u is in the set S = {1, -1, 2, -2}, and s² = uz. In other words, we show that he gains no information by Tex's responses that he couldn't get for himself. Acting purely on his own, with no participation by Tex, Rex carries out the following sequence of steps:

1) Pick a random s,

2) pick u randomly in S, and

3) define z by z = u^{-1} s² (mod n).

These steps can be carried out without knowing the factorization of the modulus n. Rex can form as many such triples (z, s, u) as he wishes, and they come from the same probability distribution as the ones he obtains from Tex. Hence they don't add to his knowledge, and the protocol is a zero-knowledge proof. We required that the square root s be chosen at random from among the four possible square roots of uz. This is necessary in order that the zero-knowledge argument will hold. It does have the one annoying feature that we must arrange that the probability that Tex chooses the same x twice be negligibly small, since a repetition of z would enable Rex to factor the modulus with probability 1/2.

We next prove that the protocol permits a zero-knowledge proof that the modulus n is of the form n = pq, p ≡ 3 (mod 8) and q ≡ 7 (mod 8), as claimed. This proof process requires two steps. The first protocol proves that n is square-free by demonstrating Tex's ability to take n-th roots. Simmons [18] has embedded a subliminal channel into a digital signature scheme devised by Brickell and DeLaurentis [1] using a modulus of the form n = p²q, which shows that even a modulus with only two distinct prime factors can be a problem. The second protocol then establishes that the modulus n is indeed of the claimed form: n = pq. This is needed, of course, to eliminate the first known subliminal channel (due also to Simmons [17]) which requires a modulus that is the product of three primes: either n = pqr or n = p²qr. At the same time, a new subliminal channel based on n = pq, where p and q are not of the right form, is eliminated also.

Protocol for proving n is square-free.

1) Tex chooses x and sends it to Rex.

2) After receiving x, Rex chooses y and sends it to Tex.

3) They both compute z = f(v), where v = x;y is the concatenation of x and y.

4) Tex finds the n-th root s of z, and sends s to Rex.

5) They repeat steps 1-4 a total of k times.

The basic observation, as explained in [2], is that if n is square free, then every number will have an n-th root, whereas if n is divisible by p², where p is a prime, then at most 1/p of the numbers will have n-th roots. Since n is presumably odd, so that p ≥ 3, there is a probability of at most 3^{-k} that a modulus which is not square free would survive the protocol.

It is important that Tex sends x to Rex before Rex chooses y, to prevent Tex from using the following forward search [11] technique:

1) Tex receives y from Rex.

2) Tex chooses x at random and computes z = f(v), where v = x;y.

3) Tex checks whether z has an n-th root. This will happen with probability 1/p if, e.g., n = p²q.

4) If z has an n-th root s, then Tex sends x and then s to Rex.

5) If z does not have an n-th root, then go to step 2.

We remark that the choice of a prime p as small as p = 3 is not impossible, since the malefactor may be willing to take risks in order to conceal a subliminal channel. This would give Tex's forward search strategy a probability of 1 - (2/3)^k of working within k tries. We could, of course, test n for divisibility by primes 3, 5, ..., p_r and reduce this probability to 1 - (1 - 1/p_r)^k.

As explained in [13], the protocol doesn't work if the primes are of a special form. For our purposes, n = pq, and the protocol will fail if p divides q-1 exactly, or if q divides p-1 exactly. In these cases not all numbers will have n-th roots, and so n would appear to be a bad modulus even though it is not. This is not a serious restriction.

The algorithm gives a zero-knowledge proof, since Rex could produce random pairs (x, z), by choosing z at random and computing x = z^n (mod n). These pairs have the same probability distribution as the pairs (x, z) occurring in the protocol.

Protocol for proving n is of the proper form. Using the following protocol, Tex convinces Rex that n = pq, where p is a prime ≡ 3 (mod 8) and q is a prime ≡ 7 (mod 8):

1) Tex chooses x, Rex chooses y, they compute z = f(x, y).

2) Tex finds the u in {1, -1, 2, -2} such that uz is a square, and randomly chooses s, one of the four square roots of uz.

3) Tex sends s and u to Rex.

4) Steps 1 to 3 are repeated k times.

We may assume that the n-th root algorithm has already been applied and hence that n is square-free. If n has three or more prime factors, then at most n/8 of the numbers are squares, and the probability that one of the four numbers z, -z, 2z, -2z is a square is at most 50%. Hence the probability of Tex fooling Rex after k steps is at most 2^{-k}.

How do we know that p ≡ 3 (mod 8) and q ≡ 7 (mod 8)? The answer is that if the modulus isn't of the proper form, then for some choices of a residue u, no member of the set {u, -u, 2u, -2u} will be a square, so that Tex can't respond to the challenge value u. For example, if p ≡ 1 (mod 8) and q ≡ 3 (mod 8), then 2 is a square mod p and a nonsquare mod q, and -1 is a square mod p and a nonsquare mod q. This means that z will be a square whenever -2z is, so that a 25% probability exists that for any particular z, none of the numbers z, -z, 2z, -2z are squares. In such a case, the probability that Tex will fool Rex into accepting a modulus which is not of the proper form is at most (3/4)^k.
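The three protocols above, worked through in Python as an added example that is not the paper's code: Tex's step-4 response and Rex's step-5 check for a proper-form modulus, Rex's stand-alone simulation of (z, s, u) triples, and the two counting facts behind the square-free and proper-form protocols (every unit is answerable for a proper modulus, at most half of them for a three-prime modulus; n-th roots exist for all units only when n is square-free and no prime factor divides another minus one). The toy primes, the SHA-256 stand-in for the polyrandom function f and the sample strings are assumptions of this example.

```python
import hashlib
import math
import secrets
from fractions import Fraction

# Constructed toy modulus (an assumption, not from the paper): p = 11 ≡ 3 (mod 8)
# and q = 23 ≡ 7 (mod 8).  Tex knows (P, Q); Rex knows only N.  Far too small
# for any real use; the point is to check the counting arguments exactly.
P, Q = 11, 23
N = P * Q
U_SET = (1, -1, 2, -2)   # the set S of candidate multipliers u


def is_square_mod_prime(a, p):
    """Euler's criterion for an odd prime p and a coprime to p."""
    return pow(a % p, (p - 1) // 2, p) == 1


def polyrandom_f(x, y, n):
    """Stand-in for the paper's polyrandom function f applied to v = x;y.
    SHA-256 reduced mod n is an assumption, not the paper's f."""
    return int.from_bytes(hashlib.sha256(x + y).digest(), "big") % n


def crt(rp, rq, p, q):
    """Combine residues mod p and mod q into the residue mod pq."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)


def four_square_roots(a, p, q):
    """All four square roots of a quadratic residue a mod n = pq.  With
    p, q ≡ 3 (mod 4), a^((p+1)/4) is a root mod p (likewise mod q)."""
    rp = pow(a % p, (p + 1) // 4, p)
    rq = pow(a % q, (q + 1) // 4, q)
    return sorted({crt(sp * rp, sq * rq, p, q) for sp in (1, -1) for sq in (1, -1)})


def tex_respond(z, p, q):
    """Step 4: Tex finds the u with uz a square and returns (s, u) with s one
    of the four square roots chosen at random, as the zero-knowledge
    argument requires.  Returns None when z shares a factor with n."""
    n = p * q
    if math.gcd(z, n) != 1:
        return None
    for u in U_SET:
        if is_square_mod_prime(u * z, p) and is_square_mod_prime(u * z, q):
            return secrets.choice(four_square_roots(u * z, p, q)), u
    return None   # unreachable when n is of the proper form


def rex_verify(z, s, u, n):
    """Step 5: Rex accepts iff u ∈ S and s^2 ≡ uz (mod n)."""
    return u in U_SET and pow(s, 2, n) == (u * z) % n


def rex_simulate(n):
    """Rex's own triple (z, s, u) with s^2 ≡ uz, built with no help from Tex
    and no factorization: pick s and u, then set z = u^-1 s^2 (mod n)."""
    s = secrets.randbelow(n - 1) + 1
    u = secrets.choice(U_SET)
    z = pow(u % n, -1, n) * pow(s, 2, n) % n
    return z, s, u


def run_identification(x, y, p, q):
    """Steps 3 to 5 of the simplified protocol for the strings x and y
    (steps 1 and 2 are the exchange of x and y); True iff Rex accepts."""
    n = p * q
    z = polyrandom_f(x, y, n)
    response = tex_respond(z, p, q)
    if response is None:
        return False          # z not a unit mod n: the round is void
    s, u = response
    return rex_verify(z, s, u, n)


def answerable_fraction(n, factors):
    """Fraction of units z mod n for which some u ∈ S makes uz a square: 1 for
    a proper modulus, and at most 1/2 once n has three or more prime factors
    (the proper-form protocol's counting argument)."""
    units = [z for z in range(1, n) if math.gcd(z, n) == 1]

    def square(a):
        return all(is_square_mod_prime(a, r) for r in factors)

    good = sum(1 for z in units if any(square(u * z) for u in U_SET))
    return Fraction(good, len(units))


def nth_root_fraction(n):
    """Fraction of units mod n that have an n-th root (the square-free
    protocol's observation): at most 1/p when p^2 divides n, and below 1 as
    well in the special case where one prime factor divides another minus 1."""
    units = [z for z in range(1, n) if math.gcd(z, n) == 1]
    image = {pow(z, n, n) for z in units}
    return Fraction(len(image), len(units))
```

Note that the toy modulus 11 · 23 itself hits the special case of [13] (11 divides 23 - 1), so `nth_root_fraction(N)` is below 1 even though N is square-free.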

References

1. E. F. Brickell and J. M. DeLaurentis, "An Attack on a Signature Scheme Proposed by Okamoto and Shiraishi," Crypto'85, Santa Barbara, CA, Aug. 19-22, 1985, in Advances in Cryptology, Ed. by H. C. Williams, Springer-Verlag, Berlin, 1986, pp. 28-32.

2. David M. Burton, Elementary Number Theory, Allyn and Bacon, Inc., Boston, MA, 1976.

3. Y. Desmedt, C. Goutier and S. Bengio, "Special Uses and Abuses of the Fiat-Shamir Passport Protocol," preprint obtained from authors.

4. J. van de Graaf and R. Peralta, "A Simple and Secure Way to Show the Validity of your Public Key," Crypto'87, Santa Barbara, CA, Aug. 16-20, 1987, in Advances in Cryptology, Ed. by Carl Pomerance, Springer-Verlag, Berlin, 1988, pp. 128-134.

5. D. E. Knuth, The Art of Computer Programming, Addison-Wesley, Reading, MA, 1969; 2nd ed., 1981.

6. D. H. Lehmer, "Computer Technology Applied to the Theory of Numbers," in MAA Studies in Mathematics, Vol. 6, Studies in Number Theory, W. J. LeVeque, ed., Prentice-Hall, NJ, 1969, pp. 117-151.

7. P. D. Merillat, "Secure Stand-Alone Positive Personnel Identity Verification System (SSA-PPIV)," Sandia National Laboratories Tech. Rpt. SAND79-0070, March.

8. R. M. Needham and M. Schroeder, "Using Encryption for Authentication in Large Networks of Computers," Comm. ACM, Vol. 21(12), Dec. 1978, pp. 993-999.

9. H. Ong, C. P. Schnorr and A. Shamir, "An Efficient Signature Scheme Based on Quadratic Equations," in Proc. 16th Symp. on the Theory of Computing, Washington, 1984, pp. 208-216.

10. H. Ong, C. P. Schnorr and A. Shamir, "Efficient Signature Schemes Based on Polynomial Equations," in Proc. Advances in Cryptology -- Crypto'84 (G. R. Blakley and D. Chaum, Eds.), Lecture Notes in Computer Science 196, New York: Springer-Verlag, 1985, pp. 37-46.

11. J. M. Pollard and C. P. Schnorr, "An Efficient Solution of the Congruence x² + ky² = m (mod n)," IEEE Trans. on Info. Theory, Vol. IT-33, No. 5, Sept. 1987, pp. 702-709.

12. G. P. Purdy, "A High Security Log-in Procedure," Comm. ACM, Vol. 17(8), Aug. 1974, pp. 442-445.

13. G. P. Purdy, "A Zero-Knowledge Proof Scheme Showing that n = pq," preprint.

14. M. O. Rabin, "Digitized Signatures and Public-key Functions as Intractable as Factorization," M.I.T. Lab. for Computer Science, Tech. Report LCS/TR-212, 1979.

15. G. J. Simmons and D. B. Holdridge, "Forward Search as a Cryptanalytic Tool Against a Public Key Privacy Channel," Proc. of the IEEE Computer Soc. 1982 Symp. on Security and Privacy, Oakland, CA, April 26-28, 1982, pp. 117-128.

16. G. J. Simmons, "A System for Verifying User Identity and Authorization at the Point-of-Sale or Access," Cryptologia, Vol. 8(1), Jan. 1984, pp. 1-21.

17. G. J. Simmons, "The Subliminal Channel and Digital Signatures," Eurocrypt'84, Paris, France, April 9-11, 1984, in Advances in Cryptology, Ed. by T. Beth, et al., Springer-Verlag, Berlin, 1985, pp. 364-378.

18. G. J. Simmons, "A Secure Subliminal Channel (?)," Crypto'85, Santa Barbara, CA, Aug. 19-22, 1985, in Advances in Cryptology, Ed. by H. C. Williams, Springer-Verlag, Berlin, 1986, pp. 33-41.

19. G. J. Simmons, "An Impersonation-Proof Identity Verification Scheme," Proceedings of Crypto'87, Santa Barbara, CA, August 16-20, 1987, in Advances in Cryptology, Ed. by Carl Pomerance, Springer-Verlag, Berlin, to appear.

20. J. Stein, "Computational Problems Associated with Racah Algebra," J. Comp. Phys., Vol. 1, 1967, pp. 397-405.

21. M. V. Wilkes, Time-Sharing Computer Systems, Elsevier/MacDonald, New York, 1968; 3rd ed., 1975.

22. H. C. Williams, "A Modification of the RSA Public-Key Encryption Procedure," IEEE Trans. on Info. Theory, Vol. IT-26, No. 6, Nov. 1980, pp. 726-729.

Authentication Codes with Multiple Arbiters

(Extended Abstract)

Ernest F. Brickell*
Sandia National Laboratories
Albuquerque, NM 87185

and

Doug R. Stinson**
Dept. of Computer Science, University of Manitoba
Winnipeg, Manitoba, Canada R3T 2N2

An authentication system provides a means for a transmitter to send a message to a receiver so that the receiver is convinced that the message was sent by the transmitter and not by an opponent. Authentication codes provide a design for authentication systems which are unconditionally secure. Specifically, the codes provide a provable level of security which depends on the parameters of the code but which does not depend on any assumptions (for instance assumptions about the computational complexity of some problem).

In 1987, Simmons [Si1] introduced authentication codes that permit arbitration. These codes allow for an arbiter who can settle disputes between the transmitter and receiver. The disputes that an arbiter can resolve are that the receiver might claim to have received a certain message when in fact he didn't, or the transmitter might try to disavow a message that he actually sent. The arbiter cannot resolve a dispute in which the transmitter claims to have sent a message and the receiver claims that he did not receive a message. These systems are also unconditionally secure. One drawback to the system is that the transmitter and receiver must have complete trust in the arbiter, because an arbiter has the potential to cheat in many ways.

In this paper, we show that by having multiple arbiters, the probability that any individual arbiter can successfully cheat is greatly reduced.

The Model

We will be using the same terminology and the same model of authentication with arbitration that was used by Simmons [Si1], [Si2]. The system that will be used must be known to all players, i.e., transmitter, receiver, opponent, and arbiter. This includes a fixed set of source states that the transmitter might send to the receiver. The receiver and arbiter secretly agree on which messages the receiver will accept as authentic for each source state. Then the arbiter gives the transmitter one message for each source state that the receiver will accept as authentic. The arbiter will no longer be used unless there is a dispute.

* This work performed in part at Sandia National Laboratories supported by the U. S. Department of Energy under contract No. DE-AC04-76DP00789.

** This work partially supported by NSERC operating grant No. A9287.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 51-55, 1988. © Springer-Verlag Berlin Heidelberg 1988

There are five types of cheating that this system is designed to protect against.

Opponent cheating:

O_0 Impersonation: Without waiting to see any communication, the opponent sends a message to the receiver. He wins if it is accepted as authentic.

O_1 Substitution: The opponent intercepts a message and substitutes a different message. He wins if his message is accepted as authentic and the receiver is misled about the state of the source.

Receiver cheating:

R_0 The receiver, without receiving any message from the transmitter, tries to convince the arbiter that he did receive a message.

R_1 The receiver, after receiving a message from the transmitter, tries to convince the arbiter that he received a different message.

Transmitter cheating:

T The transmitter, after sending a message to the receiver that the receiver authenticated, tries to deny that he sent a message.

The model does not attempt to protect against all types of cheating. For example, the transmitter could claim that he sent a message that he did not send or the opponent could disrupt communications between the transmitter and receiver.

For cheating of type X, let P_X be the probability that the cheating will be successful. Let P_R = max{P_{R_0}, P_{R_1}} and P_O = max{P_{O_0}, P_{O_1}}.

The problem presented here cannot be directly solved by the general multi-party protocols of [CCD] and [BGW] because in those protocols, it is necessary for all parties in the protocol (transmitter, receiver, and arbiters) to play an active part in any communication.

Multiple Arbiters

Simmons showed how to construct authentication with arbitration codes, which he called A² codes, for any q a prime power such that the probability of successful cheating is 1/q for each of the five types of cheating. He expressed concern, however, that these systems required complete trust in the arbiter. A cheating arbiter could assist the opponent, receiver, or transmitter and cheat in any of the five types. We now show that by having multiple arbiters, the power of any individual arbiter to cheat is greatly reduced.

Suppose we have arbiters A_1, ..., A_n and for each arbiter, we have an authentication with arbitration code with the probability of deception of 1/q for each of the five types of cheating. Each of the communications between the receiver and an arbiter or the transmitter and an arbiter will be in secret from all of the other arbiters. These communications will be handled in the same way as in the single arbiter case. So for each arbiter, A_i, and each source state, s_j, the receiver will give the arbiter A_i a set of messages, M_ij, that he will accept as authentic and the arbiter A_i will give the transmitter a single message, m_ij ∈ M_ij, that the arbiter A_i will validate as an authentic transmission of s_j. When the transmitter wants to send a source state, s_j, to the receiver, he must send m_ij for 1 ≤ i ≤ n. The receiver will only accept such a communication as authentic if and only if m_ij ∈ M_ij for 1 ≤ i ≤ n. If a dispute arises, a judge will accept a communication p_1, ..., p_n as an authentic transmission of source state s_j if and only if at least d of the arbiters claim the communication is authentic, i.e., for at least d of the i's, 1 ≤ i ≤ n, arbiter A_i claims that p_i = m_ij.

Let us now examine the probabilities of cheating given that t arbiters are bad. To simplify the discussion, assume that A_1, ..., A_t are bad. An opponent can collude with the t bad arbiters and learn M_ij for 1 ≤ i ≤ t. To deceive the receiver, he must cheat successfully on each of the other n - t A² codes. Since these are independent, his probability of success is (1/q)^{n-t}. Thus P_O = (1/q)^{n-t}.

The receiver can collude with the t bad arbiters and learn m_ij for 1 ≤ i ≤ t. To deceive the judge, he must cheat successfully on at least d - t of the other n - t A² codes. His probability of success is

P_R = Σ_{i=d-t}^{n-t} C(n-t, i) (1/q)^i (1 - 1/q)^{n-t-i},

where C(n-t, i) (1/q)^i (1 - 1/q)^{n-t-i} is the probability of cheating successfully on exactly i of the independent n-t A² codes.

Assuming that the transmitter knows M_ij for 1 ≤ i ≤ t, his best strategy for success at deceit of type T is to send m'_ij ∈ M_ij \ {m_ij} for 1 ≤ i ≤ t, m_ij for t+1 ≤ i ≤ d+t-1, and then try to cheat successfully on the n-(d+t-1) remaining A² codes. So P_T = (1/q)^{n-d-t+1}.

To achieve P_R < 1 and P_T < 1, we must have t < n/2. If t = ⌊(n-1)/2⌋ and d is chosen with t < d ≤ n - t, then for fixed n, q can be chosen large enough to satisfy any desired level of confidence. For example, if n = 2t+1 and setting d = t+1 we obtain P_T = 1/q.

Additional Comments

A bad arbiter could completely disrupt the communication by sending the transmitter an m_ij with m_ij ∉ M_ij. It is possible to protect against a few arbiters doing this by allowing the receiver to accept a communication if it is authentic in "most" of the A² codes. However, this reduces the security against the opponent.

To be more precise, assume that the receiver will accept a communication p_1, ..., p_n as transmitting source state s_j if p_i ∈ M_ij for at least a of the i's, 1 ≤ i ≤ n, and that a judge will accept it as authentic if at least d of the arbiters claim it is authentic. Assume that at most u arbiters will try to disrupt the communication and at most t arbiters will try to help one of the other participants to cheat. This model allows for the possibility that a particular arbiter might try to disrupt the communication but might not help any participant to cheat.

The transmitter and receiver can successfully cheat only when the judge is deceived. When computing P_{R_0}, P_{R_1}, and P_T, we will assume that no arbiters are disrupting (i.e., u = 0) since this assumption provides the worst case (i.e., maximizes) P_{R_0}, P_{R_1} and P_T. Since the criterion for the judge's decision is unchanged from the previous model, P_{R_0}, P_{R_1}, and P_T are also unchanged.

To compute P_O, assume that the opponent knows M_ij for 1 ≤ i ≤ t. To deceive the transmitter, he must successfully cheat on at least a-t of the other n-t independent A² codes. His probability of success is

P_O = Σ_{i=a-t}^{n-t} C(n-t, i) (1/q)^i (1 - 1/q)^{n-t-i}.

Finally, the u arbiters can disrupt the communication if and only if u > n-a or u ≥ a. In the case n/2 > u ≥ a, the bad arbiters could deceive the transmitter into sending a message that, according to protocol, the receiver would accept as transmitting two different source states.

To achieve u ≤ n-a and u < a, we must have u < n/2. If u = t = ⌊(n-1)/2⌋, and if d = a is chosen with u < a ≤ n - u, then for fixed n, q can be chosen large enough to satisfy any desired level of confidence.
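The analysis above, as an added example that is not the paper's code: exact computation of P_O, P_R and P_T from the binomial formulas, the disruption condition u > n-a or u ≥ a, and a search for the (d, a) thresholds that keep every deception probability below 1 while ruling out disruption. The function names and the q = 2 used inside the threshold search are assumptions of this example.

```python
from fractions import Fraction
from math import comb


def at_least(m, r, p):
    """Probability of cheating successfully on at least r of m independent A^2
    codes, each beaten with probability p: sum_{i>=r} C(m,i) p^i (1-p)^(m-i)."""
    return sum(Fraction(comb(m, i)) * p ** i * (1 - p) ** (m - i)
               for i in range(max(r, 0), m + 1))


def cheating_probabilities(n, t, d, q, a=None):
    """P_O, P_R and P_T for n arbiters of which t help the cheater, judge
    threshold d, receiver threshold a (a = n is the basic model, in which every
    m_ij must be valid) and a per-code deception probability of 1/q."""
    if not 0 <= t <= n:
        raise ValueError("t must lie between 0 and n")
    if a is None:
        a = n
    p = Fraction(1, q)
    return {
        # opponent: knows M_ij for the t bad arbiters, must beat >= a-t of the other n-t codes
        "P_O": at_least(n - t, a - t, p),
        # receiver: knows m_ij for the t bad arbiters, must beat >= d-t of the other n-t (judge)
        "P_R": at_least(n - t, d - t, p),
        # transmitter: bad m'_ij for the t, honest m_ij for d-1 more, beats the n-(d+t-1) rest
        "P_T": p ** max(n - d - t + 1, 0),
    }


def disruption_possible(n, a, u):
    """u disrupting arbiters can block the communication, or make the receiver
    accept two source states, iff u > n-a or u >= a."""
    return u > n - a or u >= a


def valid_thresholds(n, t, u):
    """All (d, a) with P_O, P_R, P_T < 1 and no possible disruption.  Empty unless
    t < n/2 and u < n/2, which is the paper's necessary condition."""
    pairs = []
    for d in range(1, n + 1):
        for a in range(1, n + 1):
            probs = cheating_probabilities(n, t, d, 2, a)  # any q >= 2 decides "< 1"
            if all(v < 1 for v in probs.values()) and not disruption_possible(n, a, u):
                pairs.append((d, a))
    return pairs
```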

References

[BGW] Michael Ben-Or, Shafi Goldwasser and Avi Wigderson, "Completeness Theorems for Non-Cryptographic Fault-Tolerant Distributed Computation," to appear in Proceedings of the 20th ACM Symposium on the Theory of Computing, 1988.

[CCD] David Chaum, Claude Crépeau and Ivan Damgård, "Multiparty Unconditionally Secure Protocols," to appear in Proceedings of the 20th ACM Symposium on the Theory of Computing, 1988.

[Si1] G. J. Simmons, "Message Authentication with Arbitration of Transmitter/Receiver Disputes," to appear in Advances in Cryptology, Eurocrypt'87, Springer-Verlag, 1987.

[Si2] G. J. Simmons, "A Cartesian Product Construction for Unconditionally Secure Authentication Codes that Permit Arbitration," submitted to Journal of Cryptology.

SOME CONSTRUCTIONS FOR AUTHENTICATION - SECRECY CODES

Marijke De Soete

Seminar of Geometry and Combinatorics, State University of Ghent
Krijgslaan 281, B-9000 Ghent, Belgium

ABSTRACT

We deal with authentication / secrecy codes having unconditional security. Besides some new results for a "spoofing attack of order L", we give several constructions using finite incidence structures (designs, generalized quadrangles).

1 AUTHENTICATION-SECRECY

It is the aim to deal in this paper with codes having unconditional security, which means that the security is independent of the computing power. Analogously to the theory of unconditional secrecy due to Shannon [12], Simmons developed a theory of unconditional authentication [14].

Consider a transmitter who wants to communicate a source to a remote receiver by sending messages through an imperfect communication channel. Then there are two fundamentally different ways in which the receiver can be deceived. The channel may be noisy so that the symbols in the transmitted message can be received in error, or the channel may be under control of an opponent who can either deliberately modify legitimate messages or else introduce fraudulent ones. Simmons [14] showed that both problems could be modeled in complete generality by replacing the classical noisy communications channel of coding theory with a game-theoretic noiseless channel in which an intelligent opponent, who knows the system and can observe the channel, plays so as to optimize his chances of deceiving the receiver. To provide some degree of immunity to deception (of the receiver), the transmitter also introduces redundancy in this case, but does so in such a way that, for any message the transmitter may send, the altered messages that the opponent would introduce using his optimal strategy, are spread randomly. Authentication is concerned with devising and analyzing schemes (codes) to achieve this "spreading".

In the model some simplifying assumptions are made. We suppose that the transmitter and receiver trust each other completely and that neither acts to deceive the other. We also assume that only the receiver need be convinced of the authenticity of a message, so there is no third party (arbiter) involved here. In addition, we also agree that all successful deceptions of the receiver are of equal value to the opponent. We have to distinguish the authentication schemes in which the opponent knows the state of source (message authentication without secrecy) from the message authentication in situations in which the opponent is ignorant of the information being communicated to the receiver by the transmitter.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 57-75, 1988. © Springer-Verlag Berlin Heidelberg 1988

2 A MATHEMATICAL AUTHENTICATION MODEL

In this model (see [14], [15], [16], [17], [18]) there are three participants: a transmitter, a receiver and an opponent. The transmitter wants to communicate some information to the receiver. The opponent, wanting to deceive the receiver, can either impersonate the receiver, making him accept a fraudulent message as authentic, or modify a message which has been sent by the transmitter. Let S denote the set of k source states, M the set of v messages and E the set of b encoding rules. A source state s ∈ S is the information that the transmitter wishes to communicate to the receiver. The transmitter and receiver will have secretly chosen an encoding rule e ∈ E beforehand. An encoding rule will be used to determine the message e(s) to be sent to communicate any source state s. In a model with splitting, several messages can be used to determine a particular source state. However, in order for a receiver to be able to uniquely determine the source state from the message sent, there can be at most one source state which is encoded by any given message m ∈ M, for a given encoding rule e ∈ E (this means: e(s) ≠ e(s') if s ≠ s').

An opponent will play impersonation or substitution. When the opponent plays impersonation, he sends a message to the receiver, attempting to have the receiver accept the message as authentic. When the opponent plays substitution, he waits until a message m has been sent, and then replaces m with another message m', so that the receiver is misled as to the state of source. More generally, an opponent can observe i (≥ 0) distinct messages being sent over the channel knowing that the same key is used to transmit them, but ignoring this key. If we consider the code as a secrecy system, then we make the assumption that the opponent can only observe the messages being sent. Our goal is that the opponent be unable to determine any information regarding the i source states from the i messages he has observed.

The following scenario for authentication is investigated. After the observation of i messages M' ⊂ M, the opponent sends a message m' to the receiver, m' ∉ M', hoping to have it accepted as authentic. This is called a spoofing attack of order i [9], with the special cases i = 0 and i = 1 corresponding respectively to the impersonation and substitution game. The last games have been studied extensively by several authors (see [4], [9], [13], [14], [16]).

For any i, there will be a probability on the set of i source states which occur. We ignore the order in which the i source states occur, and assume that no source state occurs more than once. Also, we assume that any set of i source states has a non-zero probability of occurring. Given a set of i source states, we define p(S) to be the probability that the source states in S occur.

Given the probability distributions on the source states described above, the receiver and transmitter will choose a probability distribution for E, called an encoding strategy. If splitting occurs, then they will also determine a splitting strategy to determine m ∈ M, given s ∈ S and e ∈ E (this corresponds to non-deterministic encoding). The transmitter/receiver will determine these strategies to minimize the chance that an opponent can deceive them.

Once the transmitter/receiver have chosen encoding and splitting strategies, we can define for each i ≥ 0 a probability denoted P_{d_i}, which is the probability that the opponent can deceive the transmitter/receiver with a spoofing attack of order i.

In this paper, we consider only codes without splitting. We shall use the following notation. Given an encoding rule e, we define M(e) = {e(s) | s ∈ S}, i.e. the set of messages permitted by encoding rule e. For a set M' of distinct messages, and an encoding rule e, define f_e(M') = {s | e(s) ∈ M'}, i.e. the set of source states which will be encoded under encoding rule e by a message in M'. Define also E(M') = {e ∈ E | M' ⊆ M(e)}, i.e. the set of encoding rules under which all the messages in M' are permitted. It is useful to think of a code as being represented by a b × k matrix A, where the rows are indexed by encoding rules, the columns are indexed by source states and the entry in row e and column s is e(s). We can also define a b × v incidence matrix X in which the rows represent the encoding rules, the columns the messages and the entry on row e and column m is 0 or 1 according as m ∉ M(e) or m ∈ M(e). Finally we denote by AC(k, v, b) an authentication system with k source states, v messages and b encoding rules.

Example. Consider the following code on 2 source states using 4 encoding rules given by:

[The 4 × 2 matrix A and the 4 × 4 incidence matrix X are illegible in the scan; only the rows 1 0 0 1 and 0 1 1 0 of X are legible.]

This is the "best" authentication system possible for k = 2, b = 4, since we have P_{d_0} = P_{d_1} = 1/2 = 1/√b.

3 BOUNDS ON Pd,

Many of the bounds on $P_{d_i}$ depend on entropies of the various probability distributions. For a probability distribution on a set $X$, we define the entropy of $X$, $H(X)$, as follows:

$$H(X) = -\sum_{x \in X} p(x) \log p(x).$$

As well, the conditional entropy $H(X/Y)$ is defined to be

Theorem 3.1 (Simmons [14]) In an authentication system without splitting $P_{d_0} \ge k/v$.

An authentication system which satisfies the bound of this theorem with equality is said to be perfect.

In a perfect authentication code without splitting, the following properties hold (Brickell [4]):

1. for all messages $m$, $P_{d_0} = \sum_{e \in E(m)} p(e) = k/v$

2. for any message $m$, $p(s)$ is constant for all $s$ such that there is an $e$ such that $e(s) = m$.

The following bound is for substitution with secrecy.


Theorem 3.4 (Schöbi [11], Stinson [17]) In an authentication system without splitting

$$P_{d_i} \ge \frac{k-i}{v-i} \qquad (i \ge 0).$$

Following Massey [9], an authentication system is $L$-fold secure against spoofing if

$$P_{d_i} = \frac{k-i}{v-i} \quad \text{for all } i,\ 0 \le i \le L.$$

Remarks. An authentication code which is perfect (in the sense of 3.1) is 0-fold secure against spoofing (see [4]).

The first bound for $P_{d_1}$, found by Gilbert, MacWilliams and Sloane [6] using a uniform source distribution, is given by

They called a system with this bound perfect. Examples of such systems are included in [6], [2].

Afterwards this bound was proven under general conditions by Simmons and Brickell. They obtained

$$P_G = \max(P_{d_0}, P_{d_1}) \ge 2^{-\frac{1}{2} H(E)}$$

and if equality holds, then $P_G = 2^{H(E/M) - H(E)}$ and $P_G = 2^{H(S) - H(M)}$ (in a system without splitting). They called a system with this bound doubly perfect. Hence doubly perfect implies perfect (in the sense defined in 3.2).


4 SECRECY

Considering the secrecy properties of a code, we desire that no information be conveyed by the observation of the messages. A code has perfect $L$-fold secrecy (Stinson [17]) if, for every set $M_1$ of at most $L$ messages observed in the channel, and for every set $S_1$ of at most $|M_1|$ source states, we have $p(S_1/M_1) = p(S_1)$. This means that observing a set of at most $L$ messages in the channel does not help the opponent to determine the $L$ source states. On the other hand, a code is said to be Cartesian ([4], [15]) if any message uniquely determines the source state, independent of the particular encoding rule being used. In terms of entropy, this is expressed by $H(S/M) = 0$. Hence in a Cartesian authentication code there is no secrecy (it has 0-fold secrecy).

5 BOUNDS ON THE NUMBER OF KEYS $b$

The first example of an authentication code with $P_{d_1} = 1/\sqrt{b}$ was given by Gilbert, MacWilliams and Sloane [6] using a finite projective plane $PG(2,q)$. However it has the disadvantage that the number of keys $q^2$ is much larger than the number of source states $q+1$. Codes with $k \gg b$ have more interest.

The number of keys is basically influenced by the following two aspects:

- the distribution on the source states

- the secrecy of the code.

To illustrate this we mention the following theorems.

Theorem 5.1 (Massey [9], Schöbi [11]) For an authentication system which is $L$-fold secure against spoofing there holds


Theorem 5.2 (Stinson [17]) If a code achieves perfect $L$-fold secrecy and is $(L-1)$-fold secure against spoofing, then

$$b \ge \binom{v}{L}.$$

Theorem 5.3 If an authentication system without splitting achieves perfect $L'$-fold secrecy and if it is $L$-fold secure against spoofing, $L' \le L+1$, then

$$b \ge \binom{v}{L+1}\binom{L+1}{L'} \Big/ \binom{k-L'}{L+1-L'}.$$

Proof. Let $M_1$ be a set of $i \le L$ messages which are permitted under a particular encoding rule. Let $z$ be any message not in $M_1$. Let us suppose there is no encoding rule under which all messages in $M_1 \cup \{z\}$ are valid. Then it follows from the proof of 3.4 in [17] that we would obtain $P_{d_i} > (k-i)/(v-i)$, a contradiction. Hence, it follows that every $(L+1)$-subset of messages is valid under at least one encoding rule.

Now pick any $L'$-subset $M_2$, such that $M_2 \subseteq M_1$. In order to achieve perfect $L'$-fold secrecy, the messages in $M_2$ must encode every possible $L'$-subset of source states. Hence every $L'$-subset $M_2$ is a valid set of messages under at least $\binom{k}{L'}$ encoding rules. We remark that the same $L'$-subset occurs in exactly $\binom{k-L'}{L+1-L'}$ $(L+1)$-subsets. Hence counting $L'$-subsets of messages we obtain:


or

We define an optimal $(L', L)$-code, $0 \le L' \le L+1$, to be a code which achieves perfect $L'$-fold secrecy and is $L$-fold secure against spoofing and for which $b$ meets the bound given in 5.3. According to Stinson [17], for $L' = L+1$, we call it an optimal $(L+1)$-code.

6 CONSTRUCTIONS OF AUTHENTICATION CODES FOR AN ARBITRARY SOURCE DISTRIBUTION

6.1 Authentication codes derived from generalized quadrangles

A (finite) generalized quadrangle (GQ) is an incidence structure $G = (P, B, I)$ in which $P$ and $B$ are disjoint (nonempty) sets of objects called points and lines resp., and for which $I$ is a symmetric point-line incidence relation satisfying the following axioms:

1. Each point is incident with $1+t$ lines ($t \ge 1$) and two distinct points are incident with at most one line.

2. Each line is incident with $1+s$ points ($s \ge 1$) and two distinct lines are incident with at most one point.

3. If $x$ is a point and $L$ a line not incident with $x$, then there is a unique pair $(y, M) \in P \times B$ for which $x\, I\, M\, I\, y\, I\, L$.


The integers $s$ and $t$ are the parameters of the GQ and $G$ is said to have order $(s,t)$. There is a point-line duality for GQ (of order $(s,t)$) for which in any definition or theorem the words "point" and "line" are interchanged and the parameters $s$ and $t$ are interchanged. There holds $|P| = (s+1)(st+1)$, $|B| = (t+1)(st+1)$ and $s+t$ divides $st(s+1)(t+1)$.

Let $x, y \in P$; we write $x \sim y$ and say that $x$ and $y$ are collinear, provided that there is some line $L$ for which $x\, I\, L\, I\, y$. And $x \not\sim y$ means that $x$ and $y$ are not collinear. For $x \in P$, put $x^\perp = \{y \in P \mid y \sim x\}$, and note that $x \in x^\perp$. For $x, y \in P$, $x \ne y$, the trace of the pair $(x,y)$ is the set $\{x,y\}^\perp = x^\perp \cap y^\perp$. We have $|\{x,y\}^\perp| = s+1$ or $t+1$ according as $x \sim y$ or $x \not\sim y$. The span of the pair $(x,y)$ is the set $\{x,y\}^{\perp\perp} = \{u \in P \mid u \in z^\perp\ \forall z \in \{x,y\}^\perp\}$. For $x \sim y$, this is the set of points of the line $xy$, while for $x \not\sim y$, $|\{x,y\}^{\perp\perp}| \le t+1$. A spread of a GQ $G$ is a set $R$ of lines of $G$ such that each point of $G$ is incident with a unique line of $R$. Hence there holds $|R| = st+1$. Further information about GQ can be found in [10].

Let $G$ be a GQ of order $(s,t)$, $s, t > 1$. Take an arbitrary point $x$. Let the sources be defined by the $t+1$ lines which are incident with $x$, the messages are the points of $x^\perp \setminus \{x\}$ and the encoding rules are the points of $P \setminus x^\perp$.

Theorem 6.1 If there exists a GQ of order $(s,t)$ then there is a Cartesian $AC(t+1, (t+1)s, ts^2)$ which is 0-fold secure against spoofing.

Proof. It is easy to verify that $k = t+1$, $v = (t+1)s$ and $b = (s+1)(st+1) - (t+1)s - 1 = s^2 t$. We define an encoding rule in the following way. Given a point $y \notin x^\perp$, we define for a source state $L$, $x\, I\, L$, the message $e_y(L) = z$ with $z$ the unique point on $L$ such that $y \sim z\, I\, L$. We use each encoding rule with probability $1/s^2 t$. We verify that $P_{d_0} = k/v$. For an arbitrary message $m$, there exist $st$ encoding rules containing $m$. Hence $\mathrm{payoff}(m)$, the probability that the message $m$ is accepted by the receiver, is given by


$$\mathrm{payoff}(m) = \sum_{e \in E(m)} p(e) = \frac{st}{s^2 t} = \frac{1}{s} = \frac{k}{v}.$$

We also remark that $P_{d_1} = 1/s > (k-1)/(v-1)$. Indeed, let $m, m'$ be two distinct messages. We obtain

$$\mathrm{payoff}(m, m') = \frac{\sum_{e \in E(m,m')} p(e)\, p(s = f_e(m'))}{\sum_{e \in E(m')} p(e)\, p(s = f_e(m'))} = \frac{t}{st} = \frac{1}{s},$$

since there are $t$ encoding rules for which both $m, m'$ occur. Hence $\mathrm{payoff}(m, m') = 1/s$.

Remarks 1. Using the same set of source states and messages we can define an $AC(t+1, (t+1)s, ts^2(t+1))$ with $P_{d_0} = 1/s$, $P_{d_1} = 1/s$, which is 0-fold secure against spoofing and which has perfect 1-fold secrecy. From each encoding rule of the preceding theorem we define $t+1$ new encoding rules in the following way. Let $M(e_y) = M_y = \{z_1, \dots, z_{t+1}\}$; then we define for each $0 \le i \le t$

$$e_{(M_y, i)} = (e_j \mid 1 \le j \le t+1) \quad \text{where } e_j = z_{j+i \pmod{t+1}}.$$

This illustrates the influence of the secrecy of the code on the number of encoding rules b.

2. If the point $x$ is regular, this means that $|\{x,y\}^{\perp\perp}| = t+1$, $\forall y \in P$, $y \ne x$ (see [10]), the foregoing code can be improved to an $AC(t+1, (t+1)s, (t+1)s^2)$ with $P_{d_0} = 1/s$, $P_{d_1} = 1/s$, which is 0-fold secure against spoofing and which has perfect 1-fold secrecy. Therefore we take $M(e_y) = \{x,y\}^{\perp}$, $\forall y \in P$, $y \not\sim x$. Since we have $s^2$ different sets $M_{e_y}$, the number of encoding rules (using the same procedure as in 1.) now equals $s^2(t+1)$.

3. A complete description of the "known" GQ of order $(s,t)$ is given in [10].


Consider again a GQ $G$ of order $(s,t)$ which contains a spread $R = \{L_1, \dots, L_{st+1}\}$. Define the source states as the lines of $R$ ($k = st+1$) and the messages as the points of $G$ ($v = (st+1)(s+1)$). Denote the points as $x_{1,1}, x_{1,2}, \dots, x_{i,j}, \dots, x_{st+1,\, s+1}$, with $x_{i,j}\, I\, L_i$, $1 \le j \le s+1$, $1 \le i \le st+1$. Then we define an encoding rule in the following way. We associate with each point $x_{i,j}$ an encoding rule

$$e_{x_{i,j}}(L_k) = x_{i+k,\, j'},$$

with $x_{i+k,\, j'}$ the unique point on the line $L_{i+k}$ which is collinear with $x_{i,j}$ (where $i+k$ is taken $\pmod{st+1}$). In this way we obtain $b = (1+s)(1+st)$ encoding rules.

Theorem 6.2 If there exists a GQ of order $(s,t)$ containing a spread $R$, then there is an optimal 1-code for $st+1$ source states and $(st+1)(s+1)$ messages.

Proof. We shall use each encoding rule with probability $1/(s+1)(st+1)$. Let us first verify that $P_{d_0} = k/v$. Consider a message $m$. Then $m$ occurs in $st+1$ encoding rules (since there are $st$ points collinear with $m$, not on the line of the spread incident with $m$). Hence $\mathrm{payoff}(m)$ is given by

$$\mathrm{payoff}(m) = \sum_{e \in E(m)} p(e) = \frac{st+1}{(s+1)(st+1)} = \frac{1}{s+1} = \frac{k}{v}.$$

So the system is 0-fold secure against spoofing. The code has perfect 1-fold secrecy since each message occurs exactly once in each column of the $b \times k$ matrix. Since $b = v$, equality is valid in 5.2 and we have an optimal 1-code.

Remark. For the known spreads in GQ of order $(s,t)$ we refer again to [10].

Implementation of the optimal 1-code.

We implement the optimal 1-code derived from the GQ $T_2^*(O)$ of order $(q-1, q+1)$, $q = 2^h$ (see [10]). Therefore we use the coordinatization of this quadrangle given in [5].

Consider an automorphism $\alpha$ of $GF(q)$, $q = 2^h$, such that $0^\alpha = 0$, $1^\alpha = 1$ and $\{(1, x, x^\alpha) \mid x \in GF(q)\} \cup \{(0,0,1)\}$ defines an oval in $PG(2,q)$.

The source states are the lines of the spread $[[m,k]]$, $m, k \in GF(q)$. Denote them by $L_{k+mq}$. The messages are the points $(m, g, k)$, $m, g, k \in GF(q)$, which will be denoted by $x_{k+mq,\, g}$.

The encoding rules are given by

$$e_{k+mq,\, g}(L_j) = x_{k+k'+(m+m')q,\ g'}$$

with $j = k' + m'q$ and $g' = g + (k' m'^{-1})^\alpha m$. Hereby $x_{k+k'+(m+m')q,\ g'}$ is the unique point $(m+m',\ g + (k' m'^{-1})^\alpha m,\ k+k')$ on the line $L_{k+k'+(m+m')q}$ collinear with $(m, g, k)$.

6.2 Authentication codes derived from Steiner systems

Consider a $t$-$(v, k, \lambda)$ design $D$. For $\lambda = 1$, these are the so called Steiner systems (see [1], [3], [8]).

Theorem 6.3 A Steiner system $D$ defines an $AC(k, v, v!(k-t)!/(v-t)!)$ which has perfect $t$-fold secrecy and $(t-1)$-fold security against spoofing.

Proof. In a $t$-$(v, k, 1)$ design $D$, each element occurs in $r = \frac{(v-1)\cdots(v-t+1)}{(k-1)\cdots(k-t+1)}$ blocks and the total number of blocks is given by $\frac{v(v-1)\cdots(v-t+1)}{k(k-1)\cdots(k-t+1)}$. We construct $k!$ encoding rules from every block of $D$, since for each block $A = \{x_1, \dots, x_k\}$ this is the number of keys required to do a perfect enciphering on the $k$ points. Denote the keys derived from the block $A$ by $e_{A_1}, \dots, e_{A_{k!}}$. Hence we obtain

$$b = \frac{v(v-1)\cdots(v-t+1)}{k(k-1)\cdots(k-t+1)} \cdot k! = \frac{v!\,(k-t)!}{(v-t)!}$$

encoding rules, which we shall use with probability $1/b$. We first verify that the code is $(t-1)$-fold secure against spoofing. Let $M' \subseteq M$, $|M'| = i$, $i \le t-1$, $m \in M \setminus M'$; then we obtain:

since we use the uniform encoding strategy. First we remark that the messages of $M'$, resp. $M' \cup \{m\}$, occur in $\lambda' = \frac{(v-i)\cdots(v-t+1)}{(k-i)\cdots(k-t+1)}$, resp. $\lambda'' = \frac{(v-(i+1))\cdots(v-t+1)}{(k-(i+1))\cdots(k-t+1)}$ blocks. For each such block there are exactly $(k-i)!$ encoding rules $e_{A_j}$ such that $M' \subseteq M(e_{A_j})$, resp. $M' \cup \{m\} \subseteq M(e_{A_j})$, and $f_e(M') = S' \subseteq S$ with $|S'| = i$. There results

$$P_{d_i} = \frac{\lambda''}{\lambda'} = \frac{k-i}{v-i}.$$

The authentication code has perfect $t$-fold secrecy since $p(S'/M') = p(S')$, for every $S' \subseteq S$, $M' \subseteq M$ with $|S'| = |M'| = t$.

Remark. The foregoing construction of an optimal $t$-code can be applied to a more general structure, viz. a group-divisible $t$-design. A group-divisible $t$-design $GD(k, \lambda, n, t, v)$ is a triple $(X, G, A)$ satisfying:

1. $X$ is a set of $v$ elements called points

2. $G$ is a partition of $X$ into $v/n$ subsets of $n$ points, called groups

3. $A$ is a set of subsets of $X$ (called blocks), each of size $k$, such that a group and a block contain at most one common point

4. every $t$ points of distinct groups occur in exactly $\lambda$ blocks.

Note that a $GD(k, \lambda, n, t, k \cdot n)$ is equivalent with a transversal $t$-design (see [7]).

Applying the same construction as in 6.3, a $GD(k, \lambda, n, t, v)$ defines an

$$AC\Big(k,\ v,\ \lambda \cdot \frac{v(v-n)\cdots(v-(t-1)n)}{k(k-1)\cdots(k-t+1)} \cdot k!\Big)$$

which has perfect $t$-fold secrecy and for which $P_{d_i} = (k-i)/(v-in)$, for $0 \le i \le t-1$. Moreover the code is $(t-1)$-fold secure against spoofing if and only if $n = 1$, in which case we have a $t$-$(v, k, \lambda)$ design.


7 AUTHENTICATION CODES FOR UNIFORM SOURCE DISTRIBUTION

We consider the construction of authentication codes for uniform source distributions ($p(s) = 1/k$, for any source state $s$). As before we are dealing only with codes without splitting. We know that the best bound is given by $P_{d_i} = (k-i)/(v-i)$, for a spoofing attack of order $i$.

Theorem 7.1 An authentication system is $L$-fold secure against spoofing w.r.t. the uniform probability distribution on the source states if and only if, for every $i$, $0 \le i \le L$ and for every $M' \subseteq M$, $|M'| = i+1$,

$$\sum_{e \in E(M')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$

Proof. Stinson [18] proved the theorem for $L = 0, 1$. We proceed by induction. Suppose that the system is $(L-1)$-fold secure against spoofing; then for every $i$, $0 \le i \le L-1$, and for every $M' \subseteq M$, $|M'| = i+1$,

$$\sum_{e \in E(M')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-i}{v-i}.$$

There holds $P_{d_L} = (k-L)/(v-L)$ if and only if, for every $M'' \subseteq M$, $|M''| = L$, $m \in M \setminus M''$, we have

Since the source distribution is uniform, this is equivalent to:

$$\sum_{e \in E(M'' \cup \{m\})} p(e) = \frac{k-L}{v-L} \cdot \sum_{e \in E(M'')} p(e).$$

Taking account of the induction hypothesis,

$$\sum_{e \in E(M'')} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-(L-1)}{v-(L-1)},$$

and hence

$$\sum_{e \in E(M'' \cup \{m\})} p(e) = \frac{k}{v} \cdot \frac{k-1}{v-1} \cdots \frac{k-L}{v-L}.$$


Remarks. In many authentication codes, the encoding strategy is to choose every encoding rule with probability $1/b$. If we assume that this encoding strategy is in fact optimal, then the properties of the foregoing theorem are of purely combinatorial nature. We can formulate the following theorem.

Theorem 7.2 An authentication system is $L$-fold secure against spoofing with respect to a uniform encoding strategy and a uniform probability distribution on the source states if and only if the following property is valid for every $i$, $0 \le i \le L$ and every $M' \subseteq M$, $|M'| = i+1$,

$$|E(M')| = b \cdot \frac{k}{v} \cdots \frac{k-i}{v-i}.$$

Example. A $t$-$(v, k, \lambda)$ design (see [1], [3], [8]) defines an authentication system for a uniform source distribution and a uniform encoding strategy $AC(k, v, b)$ which is $(t-1)$-fold secure against spoofing.

Indeed, let $D$ be a $t$-$(v, k, \lambda)$ design. Then $D$ is also a $t'$-$(v, k, \lambda_{t'})$ design, $0 \le t' \le t$, with

$$\lambda_{t'} = \lambda \cdot \frac{(v-t')(v-t'+1)\cdots(v-t+1)}{(k-t')(k-t'+1)\cdots(k-t+1)}.$$

Since for a 2-design $v \cdot r = b \cdot k$ and $(k-1)\, r = (v-1)\, \lambda_2$, we obtain

$$b = \frac{v \cdot r}{k} = \lambda \cdot \frac{v(v-1)\cdots(v-t+1)}{k(k-1)\cdots(k-t+1)}.$$

Using the uniform encoding strategy and uniform source probability, we define a code, identifying blocks with keys and points with messages. Any $t'$ messages occur in $\lambda_{t'}$ blocks and hence for $M' \subseteq M$, $|M'| = t'$, $1 \le t' \le t$,

$$|E(M')| = \lambda_{t'} = \lambda \cdot \frac{(v-t')\cdots(v-t+1)}{(k-t')\cdots(k-t+1)} = b \cdot \frac{k(k-1)\cdots(k-t'+1)}{v(v-1)\cdots(v-t'+1)}$$


and theorem 7.2 is satisfied.
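As an added, runnable illustration of Theorem 6.3 and of the Theorem 7.2 criterion (example code, not from the paper): it builds the $AC(3, 7, 42)$ from the Fano plane, the 2-(7,3,1) Steiner system, and checks its deception probabilities, the combinatorial $|E(M')|$ condition and perfect 2-fold secrecy by exhaustive counting; the 7-block design itself is also tested as a Theorem 7.2 code. A uniform source distribution and a uniform encoding strategy are assumed throughout.

```python
import math
from fractions import Fraction
from itertools import combinations, permutations

# Constructed input: the Fano plane, the 2-(7,3,1) Steiner system. Its points
# are the messages (v = 7); every block has k = 3 points and lambda = 1.
FANO_BLOCKS = [
    (0, 1, 2), (0, 3, 4), (0, 5, 6),
    (1, 3, 5), (1, 4, 6), (2, 3, 6), (2, 4, 5),
]


def steiner_code(blocks):
    """Theorem 6.3: each block A = {x_1, ..., x_k} gives k! encoding rules,
    one per bijection of the k source states onto the block's points.
    A rule is a tuple whose entry s is the message e(s)."""
    return [tuple(perm) for block in blocks for perm in permutations(block)]


def design_code(blocks):
    """Example after Theorem 7.2: the blocks themselves are the keys,
    source state s being sent as the s-th point of the block."""
    return [tuple(block) for block in blocks]


def rules_containing(rules, messages):
    """E(M'): the encoding rules under which every message of M' is permitted."""
    needed = set(messages)
    return [e for e in rules if needed <= set(e)]


def spoofing_secure(rules, v, L):
    """Theorem 7.2 (uniform keys, uniform source): L-fold secure against
    spoofing iff for all 0 <= i <= L and every (i+1)-set M' of messages
    |E(M')| = b * (k/v) * ((k-1)/(v-1)) * ... * ((k-i)/(v-i))."""
    b, k = len(rules), len(rules[0])
    for i in range(L + 1):
        expected = Fraction(b)
        for j in range(i + 1):
            expected *= Fraction(k - j, v - j)
        for m_prime in combinations(range(v), i + 1):
            if len(rules_containing(rules, m_prime)) != expected:
                return False
    return True


def deception_probability(rules, v, i):
    """P_{d_i} for uniform keys and uniform source: the opponent who saw a
    valid i-set M' picks the fresh m maximising |E(M' u {m})| / |E(M')|;
    the source probabilities cancel and p(M') is proportional to |E(M')|."""
    num = den = 0
    for m_prime in combinations(range(v), i):
        seen = rules_containing(rules, m_prime)
        if not seen:
            continue
        den += len(seen)
        num += max(len(rules_containing(seen, (m,)))
                   for m in range(v) if m not in m_prime)
    return Fraction(num, den)


def perfect_secrecy(rules, v, t):
    """Perfect t-fold secrecy: for every observed t-set M' and every t-set S'
    of source states, p(S'/M') = p(S') = 1/C(k,t) (uniform keys and source).
    p(S'/M') is the share of rules in E(M') that map S' onto M'."""
    k = len(rules[0])
    target = Fraction(1, math.comb(k, t))
    for m_prime in combinations(range(v), t):
        seen = rules_containing(rules, m_prime)
        if not seen:
            continue
        for s_prime in combinations(range(k), t):
            hits = sum(1 for e in seen if {e[s] for s in s_prime} == set(m_prime))
            if Fraction(hits, len(seen)) != target:
                return False
    return True


if __name__ == "__main__":
    code = steiner_code(FANO_BLOCKS)  # the AC(3, 7, 42) of Theorem 6.3
    print("b =", len(code), "P_d0 =", deception_probability(code, 7, 0),
          "P_d1 =", deception_probability(code, 7, 1))
    print("1-fold secure:", spoofing_secure(code, 7, 1),
          "perfect 2-fold secrecy:", perfect_secrecy(code, 7, 2))
```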

Using known families of $t$-$(v, k, \lambda)$ designs we can define many authentication codes for uniform source distributions.

Consider the symmetric Hadamard 2-$(n-1, \tfrac{1}{2}n-1, \tfrac{1}{4}n-1)$ design and the Hadamard 3-$(n, \tfrac{1}{2}n, \tfrac{1}{4}n-1)$ design, derived from a Hadamard matrix of order $n$. We remark that there exist Hadamard matrices for each power $2^k$, $k \ge 2$ (see [8], [3], [1]).

Hence we can derive 1-fold secure $AC(2^{k-1}-1, 2^k-1, 2^k-1)$ and 2-fold secure $AC(2^{k-1}, 2^k, 2(2^k-1))$ authentication systems. A Hadamard matrix of order $4k^2$, $k > 1$, defines a symmetric 2-$(4k^2, 2k^2-k, k^2-k)$ design and hence a 1-fold secure $AC(2k^2-k, 4k^2, 4k^2)$. Note that it is a conjecture that Hadamard matrices exist for all $n \equiv 0 \pmod 4$, $n > 0$ (the smallest unsettled case at present is $n = 188$). We also want to mention the following nice property of Hadamard matrices. If there exist Hadamard matrices of order $m$, resp. $n$, then there exists a Hadamard matrix of order $m \cdot n$. This enables us to define new authentication systems derived from those systems which are associated with Hadamard designs.

Acknowledgement

We would like to thank D. Stinson and J. J. Quisquater for the interesting suggestions and valuable discussions on the subject. We are also mostly indebted to the Philips Research Laboratory Brussels for the facilities they offered during the preparation of this paper.

References

[1] T. Beth, D. Jungnickel, H. Lenz, Design Theory, Wissenschaftsverlag Bibliographisches Institut Mannheim, 1985.


[2] A. Beutelspacher, Perfect and essentially perfect authentication schemes, Extended abstract, Eurocrypt 1987, Amsterdam.

[3] P. J. Cameron, J. H. Van Lint, Graph Theory, Coding Theory and Block Designs, Lond. Math. Soc. Lect. Notes 19, Camb. Univ. Press, 1975.

[4] E. F. Brickell, A few results in message authentication, Proc. of the 15th Southeastern Conf. on Combinatorics, Graph Theory and Computing, Boca Raton LA (1984), 141-154.

[5] M. De Soete, J. A. Thas, A coordinatization of the generalized quadrangles of order (s, s+2), to appear in J. C. T. (A).

[6] E. N. Gilbert, F. J. MacWilliams, N. J. A. Sloane, Codes which detect deception, Bell Sys. Techn. J., Vol. 53-3 (1974), 405-424.

[7] H. Hanani, A Class of Three-Designs, J. C. T. (A) 26 (1979), 1-19.

[8] D. R. Hughes, F. C. Piper, Design Theory, Cambridge University Press, 1985.

[9] J. L. Massey, Cryptography - A Selective Survey, Proc. of 1985 Int. Tirrenia Workshop on Digital Communications, Tirrenia, Italy, 1985, Digital Communications, ed. E. Biglieri and G. Prati, Elsevier Science Publ., 1986, 3-25.

[10] S. E. Payne, J. A. Thas, Finite Generalized Quadrangles, Research Notes in Math. #110, Pitman Publ. Inc., 1984.

[11] P. Schöbi, Perfect authentication systems for data sources with arbitrary statistics, Eurocrypt 1986, Preprint.

[12] C. E. Shannon, Communication Theory of Secrecy Systems, Bell Technical Journal, Vol. 28 (1949), 656-715.

[13] G. J. Simmons, Message Authentication: A Game on Hypergraphs, Proc. of the 15th Southeastern Conf. on Combinatorics, Graph Theory and Computing, Baton Rouge LA Mar 5-8 1984, Congr. Numer. 45 (1984), 161-192.


[14] G. J. Simmons, Authentication theory / Coding theory, Proc. of Crypto '84, Santa Barbara, CA, Aug 19-22, 1984, Advances in Cryptology, ed. R. Blakley, Lect. Notes Comp. Science 196, Springer 1985, 411-432.

[15] G. J. Simmons, A natural taxonomy for digital information authentication schemes, Proc. of Crypto '87, Santa Barbara, CA, Aug 16-20, 1987, to appear in Advances in Cryptology, ed. C. Pomerance, Springer-Verlag, Berlin.

[16] D. R. Stinson, Some constructions and bounds for authentication codes, Crypto '86, Santa Barbara, CA, Aug 12-15, 1986, Advances in Cryptology, ed. A. M. Odlyzko, Springer-Verlag, Berlin, 1987, 418-425.

[17] D. R. Stinson, A construction for authentication / secrecy codes from certain combinatorial designs, Crypto '87, Santa Barbara, CA, Aug 16-20, 1987, to appear in Journal of Cryptology.

[18] D. R. Stinson, Some constructions and bounds for authentication codes, J. Cryptology, Vol. 1 nr 1 (1988), 37-51.


EFFICIENT ZERO-KNOWLEDGE IDENTIFICATION SCHEME FOR SMART CARDS

Thomas Beth, Universität Karlsruhe, Fakultät für Informatik

Institut für Algorithmen und Kognitive Systeme, Haid-und-Neu-Str. 7, Technologie-Fabrik, D-7500 Karlsruhe

ABSTRACT: In this paper we present a Fiat-Shamir like authentication protocol for the El-Gamal Scheme.

1. Introduction

The invention of the El-Gamal Scheme [1] has provided another Public-Key-Cryptosystem besides the renowned RSA-System, for which in addition to the Key-Exchange feature both Public-Key-Encryption and Signature Schemes are available. The availability of fast exponentiation hardware for the fields $GF(2^n)$, cf. [2], [3], makes this algorithm very attractive for implementation in high-speed-communications. The recent invention of the Fiat-Shamir Authentication Protocol [4] has again attracted wide attention to the RSA-Scheme.

The purpose of this note is to show that a similar type of authentication protocol is available for the El-Gamal-Scheme based on the Diffie-Hellman One-Way-Function, with complexity and/or error-probability considerably reduced as compared to the Fiat-Shamir-Scheme.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 77-84, 1988. © Springer-Verlag Berlin Heidelberg 1988


2. The Basic Protocol

Suppose Alice (A) wants to authenticate herself to Bob (B). For this purpose A has visited a trusted authority, which for obvious reasons we shall call the Secure Key Issuing Authority (SKIA).

Initiation Phase

The SKIA possesses secret logarithms $x_1, \dots, x_m$, whose exponentiated values $y_j = \alpha^{x_j}$ are public. Here $\alpha$ is a primitive element of $GF(q)$ known publicly. The SKIA also publishes the one-way-hashing function $f$.

Setting-up Phase

A goes to the SKIA, identifying herself by <name>.

A ---- name ----> SKIA

Then the SKIA produces $m$ identification numbers $ID_1, \dots, ID_m$ for A by using the public (random) one-way-function $f$:

$$ID_j \leftarrow f(\mathrm{name}, j)$$

The SKIA chooses a (secret) random logarithm $k = k_A$ and forms $r \leftarrow \alpha^k$. The SKIA also determines $m$ signatures $s_j$ as solutions of

$$\text{(ID)} \qquad x_j r + k s_j \equiv ID_j \pmod{q-1} \quad \text{for } j \in [1:m].$$

Eventually the SKIA issues a card (with secure memory)*) to A.

A <------------ SKIA

*) see sect. 5


Authentication Phase (Protocol Auth)

A now approaches B identifying herself by her name and the parameter $r$.

A ---- name, r ----> B

B computes A's identification numbers and the values $p_1, \dots, p_m$:

For $j \in [1:m]$: $ID_j \leftarrow f(\mathrm{name}, j)$ and $p_j \leftarrow y_j^{\,r}$.

The following procedure is iterated for $i = 1$ to $h$:

Do

A chooses a random element $t_i \in \mathbb{Z}_{q-1}$, forms

$$z_i \leftarrow r^{t_i}$$

and sends it to B

A ---- z_i ----> B

B chooses a random string $b_i = (b_{ij}) \in R^m$ and sends it to A, where $R \subseteq \mathbb{Z}_{q-1}$ is a suitably chosen subset

A <---- b_i ---- B

A computes

$$u_i \leftarrow t_i + \sum_j b_{ij} s_j \bmod (q-1)$$

and sends it to B

A ---- u_i ----> B

B computes $v_i \leftarrow \sum_j b_{ij} ID_j$


B accepts the authenticity of A if for all $i \in [1:h]$ $y_i = 0$. In this case we say that Protocol Auth ends successfully.
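An added, runnable walk-through of the Setting-up and Authentication Phases above (example code, not from the paper): the SKIA solves (ID) for the signatures $s_j$, the card produces $z_i$ and $u_i$, and B checks $r^{u_i} \prod_j p_j^{b_{ij}} = z_i\, \alpha^{v_i}$, which follows from the El-Gamal relation $\alpha^{ID_j} = y_j^{\,r} r^{s_j}$. Assumptions: $GF(q)$ is taken as the prime field with $q = 2^{31}-1$ and $\alpha = 7$ (toy parameters, not the $GF(2^n)$ case of sect. 5), $f$ is SHA-256 reduced mod $q-1$, $m = 2$, $h = 3$ and $R = \{0, \dots, 2^{12}-1\}$.

```python
import hashlib
import math
import secrets

# Toy parameters constructed for this example (not the paper's q = 2^n case):
# Q is the Mersenne prime 2^31 - 1, so GF(Q) = Z_Q and exponents live in
# Z_{Q-1}; ALPHA = 7 is a primitive element of GF(Q).
Q = 2**31 - 1
ALPHA = 7
M = 2            # number of SKIA logarithms x_j / signatures s_j per card
H = 3            # rounds of Protocol Auth (cf. sect. 5.1.2)
R_SIZE = 2**12   # challenge set R = {0, ..., R_SIZE-1}, a subset of Z_{Q-1}


def f(name, j):
    """Public one-way hash ID_j = f(name, j); SHA-256 is an assumption here."""
    digest = hashlib.sha256(f"{name}|{j}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1)


class SKIA:
    """Secure Key Issuing Authority: holds x_1..x_m, publishes y_j = alpha^x_j."""

    def __init__(self, rng=secrets.randbelow):
        self.x = [rng(Q - 2) + 1 for _ in range(M)]
        self.y = [pow(ALPHA, xj, Q) for xj in self.x]

    def issue(self, name, rng=secrets.randbelow):
        # Secret random logarithm k = k_A, invertible mod Q-1, and r = alpha^k.
        while True:
            k = rng(Q - 2) + 1
            if math.gcd(k, Q - 1) == 1:
                break
        r = pow(ALPHA, k, Q)
        k_inv = pow(k, -1, Q - 1)
        # (ID): x_j r + k s_j = ID_j (mod Q-1)  =>  s_j = (ID_j - x_j r) k^{-1}
        s = [((f(name, j) - xj * r) * k_inv) % (Q - 1)
             for j, xj in enumerate(self.x)]
        return Card(name, r, s)


class Card:
    """A's card: name, the public r and the m signatures s_j (secure memory)."""

    def __init__(self, name, r, s):
        self.name, self.r, self.s = name, r, s

    def commit(self, rng=secrets.randbelow):
        self.t = rng(Q - 1)                 # random t_i in Z_{Q-1}
        return pow(self.r, self.t, Q)       # z_i = r^{t_i}

    def respond(self, b):
        # u_i = t_i + sum_j b_ij s_j  (mod Q-1)
        return (self.t + sum(bj * sj for bj, sj in zip(b, self.s))) % (Q - 1)


def verify_round(y, name, r, z, b, u):
    """B's check for one round. From alpha^{ID_j} = y_j^r r^{s_j} (the
    El-Gamal relation behind (ID)) one gets r^u * prod_j p_j^{b_j} =
    z * alpha^v with p_j = y_j^r and v = sum_j b_j ID_j; every term on
    both sides is computable from B's knowledge."""
    lhs = pow(r, u, Q)
    for yj, bj in zip(y, b):
        p_j = pow(yj, r, Q)
        lhs = lhs * pow(p_j, bj, Q) % Q
    v = sum(bj * f(name, j) for j, bj in enumerate(b)) % (Q - 1)
    return lhs == z * pow(ALPHA, v, Q) % Q


def protocol_auth(y, card, rounds=H, rng=secrets.randbelow):
    """Run h rounds between the card (A) and a verifier B holding the y_j."""
    for _ in range(rounds):
        z = card.commit()                      # A -> B: z_i
        b = [rng(R_SIZE) for _ in range(M)]    # B -> A: challenge b_i in R^m
        u = card.respond(b)                    # A -> B: u_i
        if not verify_round(y, card.name, card.r, z, b, u):
            return False
    return True


if __name__ == "__main__":
    skia = SKIA()
    alice = skia.issue("alice")
    print("genuine card accepted:", protocol_auth(skia.y, alice))
```

A card holding values other than A's signatures fails the check in every round whose challenge is nonzero, since $r$ has order $q-1$.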

3. Analysis of the Protocol

3.1. Observation (Verification)

If A and B are genuine, the Protocol Auth ends successfully.

Proof: For all $i \in [1:h]$

can be computed by B based on B's knowledge. From the definition we have

B can also compute $r^{u_i}$ from $u_i$. Having received $z_i$, by definition

3.2. Observation (Correctness)

Assume that A cannot compute El-Gamal signatures in polynomial time: If A is false, i.e. does not possess the signatures $s_j$, then the protocol Auth ends successfully with a false-right probability

Proof: As long as $|R|$ is small enough as compared to $q^m$ (see remarks), A would have to guess the challenge vectors $b_i$ in advance, analogously to the method described in the proof of lemma 2 by Fiat and Shamir [4].


3.3. Remark

The cheating method discussed in the proof of lemma 3.2 is only interesting if the size of the choice space $R^m$ for the challenges $b_i$ is small compared to the complexity of forging El-Gamal signatures, which itself is at most as hard as taking discrete logs, cf. sect. 4.

3.4. Lemma (Security)

For arbitrary $q$ and $h$, with fixed $m$ and $|R| \in O((\log q)^w)$ for given $w \in \mathbb{N}$, the Protocol Auth is a Zero-Knowledge Protocol.

Proof: Following the papers by Berger/Kannan/Peralta [9] and Chaum, Evertse, van de Graaf [5] it can be seen that the size of the choice space $R^m$ is the decisive parameter for the construction of a poly-time-simulator $S$ for a cheating B: to guarantee a probability for $S$ to "guess" the challenge $b_i$ correctly in poly-time, we have to provide $|R|^m$ such that

$$\mathrm{prob}(\text{"bad luck"}) = \Big(1 - \frac{1}{|R|^m}\Big)^{\mathrm{poly}(\log q)} < c^{-\log q}$$

for some constant $c > 1$.

4. Practical Security Considerations

The system (ID) gives $m$ linear equations for $(m+1)$ unknowns (w.r.t. the assumption that the discrete log problem is unfeasible). As consequences we note:

(i) Not even A can forge new signatures.

(ii) The requirement of storing the signatures $s_j$ in the secure memory of the card is only needed as protection against copying the card.

(iii) This requirement could be dropped if the one-way-hash function $f$ (when stored on the card) could be employed by the card as a means of testing the user's identity before the card is authenticated. For this test several user features can be challenged, in each case requiring an interface between user and card, however!

(iv) To bring the security of the signatures closer to the level of the discrete log-problem it may be feasible to make the computation of the $ID_j$ additionally dependent on the public random number $r$.


5. Implementation Aspects

In view of the demand for low cost designs of security processors for chip cards we suggest considering the following case for practical implementation :

$$q = 2^n,$$

where $n$ should be suitably chosen, roughly in the interval $[2^9 : 2^{11}]$ depending on the required security. For these cases fast VLSI exponentiators have been suggested (Beth/Cook/Gollmann [3], Vanstone/Mullin [2], Massey/Omura/Wang [7]).

For $q = 2^n$ the Discrete Log Problem can be solved in

steps [6]. Therefore a suitable amount of security can be guaranteed.

5.1. Tuning the Protocol

Using the fact that squaring is a field automorphism in $GF(2^n)$ we suggest to use the following refinements of the protocol in order to save on computational effort and required storage area as well as on the length $h$ of the protocol:

*) Choose the random string only from binary words of weight less than $w$, i.e. choose $b_{ij}$ equally distributed in

$$R = \{b \in \mathbb{Z}_{q-1} \mid \mathrm{wgt}(\mathrm{binary}(b)) \le w\}$$

5.1.1. Corollary

With these additional restrictions, if A is false the protocol ends successfully with probability

$$p \le |R|^{-m \cdot h}$$

where


**) Choosing the further simplification $m = 1$, the number of computational steps, especially in computing

is reduced considerably.

***) Combining (**) and (*) for $w = 1$, the exponent of $p$ being a power of two requires a fast squaring operation only.

5.1.2. Technical Observation

With $m = 1$ and $h = 3$ and $\log q > 2^9$ the Protocol Auth allows an authentication procedure at a residual false-right error probability smaller than

$10^{-8}$ for $w = 1$, $10^{-15}$ for $w = 2$, $10^{-22}$ for $w = 3$.

5.2. Conclusion

With one signature ($m = 1$) and a small number of iterations ($h \ge 3$) this protocol provides a security level appropriate to many smart card applications. In comparison to Fiat-Shamir's protocol [4] the memory consumption on the smart card is considerably reduced for the proposed protocol, as the signature $s_j$ and the number $r$ only require approximately 64 Bytes each, and the representations of $GF(2^n)$-arithmetics can be compressed to considerably less bits. If the application requires only to authenticate the card through a trusted terminal, the public keys $y_j$ need not be stored on the card. Otherwise, the same protocol of course would be used by A to challenge B.

Note that an additional advantage to this protocol is provided by the fact, that based on purpose-made-algorithms the GF(2n)-arithmetics can be carried out at a higher speed than modular arithmetic required for the Fiat-Shamir-Scheme.


In summary, the present scheme provides a user-friendly zero-knowledge authentication and signature protocol that offers itself as a small, fast and low cost verification tool for use in token technology as represented by smart cards, intelligent tokens and other identification mechanisms.

Acknowledgement. The author is grateful to Dr. Ivan Damgård for his helpful critical remarks.

6. References

[1] El-Gamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. IEEE Trans. Information Theory IT-31, 469-472, 1985

[2] Vanstone, Mullin: Communication 1986, Cryptech, Waterloo, Ontario, Canada

[3] Beth, Cook, Gollmann: Architectures for Exponentiation in GF(2^n). Proceedings of CRYPTO '86, Santa Barbara, Springer LNCS 263, 302-310, 1987

[4] Fiat, Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. Proceedings of CRYPTO '86, Santa Barbara, Springer LNCS 263, 186-194, 1987

[5] Chaum, Evertse, van de Graaf: An Improved Protocol for Demonstrating Possession of Discrete Logarithms and Some Generalizations. Proceedings of EUROCRYPT '87, Springer LNCS 304, 127-141, 1988

[6] Coppersmith: Fast Evaluation of Logarithms in Fields of Characteristic Two. IEEE Trans. Information Theory IT-30, 587-594, 1984

[7] Wang: Exponentiation in Finite Fields. Ph.D. dissertation, University of California, Los Angeles, 1985

[8] Goldwasser, S., Micali, S., Rackoff, C.: The Knowledge Complexity of Interactive Proof Systems. Proc. 17th ACM Symp. on Theory of Computing, 1985

[9] Berger, Kannan, Peralta: A Framework for the Study of Cryptographic Protocols. Proc. CRYPTO '85, Springer LNCS 218, 87-103


A Smart Card Implementation of the Fiat-Shamir Identification Scheme

Hans-Joachim Knobloch

Institut für Algorithmen und Kognitive Systeme

Universität Karlsruhe (TH)

D-7500 Karlsruhe, FR Germany

Abstract

This paper describes results and experiences gained from the test implementation of an interactive identification scheme. It was intended to explore the feasibility of an asymmetric crypto protocol in a state-of-the-art smart card environment. For that reason the identification scheme proposed by Fiat and Shamir was implemented between an actual smart card microprocessor and an industry standard personal computer with a smart card interface. The limits of a current smart card processor in terms of volatile and nonvolatile memory capacity and instruction set turned out to be a rather strict limitation for the choice of the algorithms used. The most time consuming task during the protocol is modular multiplication. Due to the processor structure it is performed as separate multiplication and reduction, where the reduction is led back to integer multiplication. The current implementation allows the authentication of a 120 byte identification string at a security level of 2^-20 within an average time of about 6 seconds. The experiences gained during this implementation led to a set of requirements for a future specialised processor for asymmetric cryptographic protocols that will be needed to increase this performance by some orders of magnitude.

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 87-95, 1988. © Springer-Verlag Berlin Heidelberg 1988


I. Introduction

During the last years, with the forthcoming commercial use of smart cards, some cryptographic protocols based on asymmetric ciphers have been proposed to use smart cards for identification, signatures, as electronic wallet etc. One may note that nearly all commercially available smart card systems use, if at all, only symmetric block ciphers, as asymmetric protocols are considered too complex for current smart card processors.

The Fiat-Shamir identification scheme is one of the simplest of the above mentioned asymmetric protocols as it needs neither large amounts of stored data nor extensive communication or many protocol steps, and it is therefore one of the most suitable for a test implementation on a smart card system.

II. The Processor

The smart card used in our project has an 8-bit microprocessor with 256 bytes of RAM and 2K bytes of E²PROM (Electrically Erasable Programmable ROM) on chip for nonvolatile storage of data and program. Therefore the processor could be reprogrammed by the personal computer which was also its partner in the protocol. Thus several algorithms could be tested without having to wait for the production of a new ROM mask.

The ISO draft standard on identification cards [3] requires that all communication is done serially using only one contact pin for both input and output. Since the processor doesn't have a serial I/O unit, the communication had to be implemented in software and thus needed code space and computing time. The mentioned draft standard includes a parity-generation, parity-checking and error-retry protocol for the bidirectional I/O line. In order to save space for the protocol code and data, only a simple 9600 baud serial communication without parity generation was implemented.

The chip card processor's instruction set is similar to that of any conventional 8-bit microprocessor. Relevant details are an 8-times-8-to-16-bit multiplication instruction, requiring about 5 times the execution time of an 8-bit addition, whereas the instruction to program one byte into the E²PROM requires about 3300 times the execution time of an 8-bit addition. To gain better performance, the latter fact implies that intermediate results have to be stored in RAM, not in E²PROM.


III. The Scheme

For a detailed discussion of the Fiat-Shamir identification scheme the reader is referred to the original publication [1]; we will give a short review of this technique with emphasis on the particularities of the implementation.

The center issuing the cards chooses a public modulus n as the product of two secret primes p and q. For reasons explained below the implementation requires

2^512 > n ≥ 2^512 - 2^256.

Now let

I be a 960 bit (120 byte) ID-string of a user applying for a card,

j ∈ [0, 2^16) and

e_i the i-th 48 bit unit vector.

The center forms for i = 1, 2, ..., 48

t_i = 2^976 e_i + 2^16 I + j,

u_i = ⌊t_i / 2^512⌋ ⊕ (t_i mod 2^512)

(where ⊕ means bitwise addition modulo 2),

v_i = ⌊u_i / 2^256⌋ ⊕ (u_i mod 2^256) and

w_i = f(v_i)

(where f(k) means enciphering a fixed 512 bit plaintext with a block cipher with key k).

The term j is used to ensure that w_i is a quadratic residue mod n for at least 20 distinct values of i. For simplicity of notation from now on it will be assumed that these values of i are 1, ..., 20.

For i = 1, ..., 20 the center computes a

square root s_i of w_i (mod n)

using the knowledge of p and q and applying the Chinese remainder theorem.

The card is personalized by storing

s_i for i = 1, ..., 20 and

P = 2^976 (Σ_{i=1}^{20} e_i) + 2^16 I + j.

An identification device knows n and how to compute the w_i's from P.


The identification protocol between a smart card S and an identification device PC is:

1. S sends P to PC.

2. PC computes the w_i's.

3. S picks a pseudo random number r' ∈ [0, 2^256), sets r = 2^256 r' and sends x = r^2 mod n to PC.

4. PC sends to S a (pseudo) random binary vector c = (c_1, ..., c_20).

5. S sends to PC:

y = r · ∏_{c_i = 1} s_i mod n.

6. PC accepts P if and only if:

x · ∏_{c_i = 1} w_i ≡ y^2 (mod n).

If a forger guesses the vector c, he may send the value

x = r^2 · (∏_{c_i = 1} w_i)^{-1} mod n

instead of x in step 3 and r instead of the product in step 5. The probability that PC accepts P if S doesn't know the s_i's is 2^-20 (assuming equidistribution for c), if S performs only polynomial time computations and cannot compute in polynomial time a square root mod n of any product of some w_i's or their reciprocals. The proof of this statement is almost identical to the proof in Fiat's and Shamir's publication.

Remarks:

1. Since its inversion includes a known plaintext attack on the involved block cipher, the function used to compute the w_i's from the ID-string I should be strong enough to prevent a potential attacker from computing an ID-string out of known square roots modulo n.

2. Fiat's and Shamir's original protocol requires the use of the multiplicative inverses of the s_i on the smart card side. The check in step 6 of the protocol would then be whether

x = y^2 · ∏_{c_i = 1} w_i mod n.


Using the s_i rather than s_i^{-1} makes it possible for PC to perform only one modular multiplication at step 6 of the protocol instead of two. The other multiplication can be done while the smart card still computes y. As the smart card will usually be the slower partner in the protocol, this fact slightly speeds up the overall execution time. However, if the inverse s_i have to be used on the card side for some other reason, only changes to the PC's program, not to the smart card's, would be required.

3. The original protocol also requires a full 512 bit pseudo random number r. But since r must be stored somewhere in the card while it is squared modulo n, and since it cannot be stored in E²PROM for the above mentioned reasons, the available amount of RAM only allows the use of a 256 bit pseudo random value.

4. Fiat and Shamir allow r to be taken from the range [0, n). Obviously, if r might be 0, all one has to do for a forged identification is to always send x = 0 in step 3 of the protocol. The implemented pseudo random generator also may produce r = 0 with a very small probability, but the PC program prevents a successful identification with x = 0.
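The protocol and the forger described above, run end to end in Python as an added example (this is not Knobloch's code, which was smart card assembly and C). Assumptions not in the paper: the 512-bit modulus is replaced by the product of two Mersenne primes, both ≡ 3 (mod 4), so that the center's square root is a single exponentiation per prime factor (the paper only says CRT); SHA-512 of (i, I, j) reduced mod n stands in for the fold-and-encipher derivation of w_i; r' has half the length of n, mirroring the paper's r = 2^256 r'. The layout of P, the search over j, the six protocol steps, the forger who bets on c, and the remark-4 rejection of x = 0 follow the text.

```python
"""Added example: the Knobloch variant of Fiat-Shamir, run end to end.

Constructed toy parameters (not the paper's): two Mersenne primes, both
3 mod 4, replace the 512-bit modulus, and SHA-512 replaces the paper's
fold-and-encipher derivation of the w_i.  Layout of P and protocol steps
follow the text.
"""
import hashlib
import random

P_PRIME, Q_PRIME = 2**127 - 1, 2**89 - 1   # ASSUMPTION: toy Blum primes
N = P_PRIME * Q_PRIME
N_BITS = N.bit_length()                     # 216 here, 512 in the paper
I_BITS, J_BITS, CANDIDATES, K = 960, 16, 48, 20


def derive_w(ident, j, i):
    """Public function (I, j, i) -> w_i.  ASSUMPTION: SHA-512 stands in for
    the XOR folding plus block cipher of the paper; reduced mod N."""
    data = bytes([i]) + ident.to_bytes(I_BITS // 8, "big") + j.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha512(data).digest(), "big") % N


def is_qr(w):
    """Euler's criterion modulo both factors (center only: needs p and q)."""
    return (pow(w % P_PRIME, (P_PRIME - 1) // 2, P_PRIME) == 1
            and pow(w % Q_PRIME, (Q_PRIME - 1) // 2, Q_PRIME) == 1)


def sqrt_mod_n(w):
    """Square root via CRT; with p, q = 3 mod 4 each prime-field root is one
    exponentiation (ASSUMPTION: the paper only says CRT)."""
    rp = pow(w % P_PRIME, (P_PRIME + 1) // 4, P_PRIME)
    rq = pow(w % Q_PRIME, (Q_PRIME + 1) // 4, Q_PRIME)
    return (rq + Q_PRIME * (((rp - rq) * pow(Q_PRIME, -1, P_PRIME)) % P_PRIME)) % N


def personalize(ident):
    """Center: find j such that at least K of the 48 candidate w_i are
    quadratic residues; return P and the K roots s_i stored on the card."""
    for j in range(1 << J_BITS):
        good = [i for i in range(1, CANDIDATES + 1) if is_qr(derive_w(ident, j, i))][:K]
        if len(good) == K:
            mask = sum(1 << (i - 1) for i in good)        # sum of the unit vectors e_i
            p_pub = (mask << (I_BITS + J_BITS)) | (ident << J_BITS) | j
            return p_pub, [sqrt_mod_n(derive_w(ident, j, i)) for i in good]
    raise ValueError("no j yields 20 quadratic residues")


def pc_compute_w(p_pub):
    """Step 2: the verifier unpacks P = 2^976 (sum e_i) + 2^16 I + j."""
    j = p_pub & ((1 << J_BITS) - 1)
    ident = (p_pub >> J_BITS) & ((1 << I_BITS) - 1)
    mask = p_pub >> (I_BITS + J_BITS)
    return [derive_w(ident, j, i) for i in range(1, CANDIDATES + 1) if (mask >> (i - 1)) & 1]


def card_commit(rng):
    """Step 3: r = 2^half * r' with a half-length r' (2^256 r' in the paper)."""
    r = rng.getrandbits(N_BITS // 2) << (N_BITS // 2)
    return r, r * r % N


def card_respond(r, c, s):
    """Step 5: y = r * prod_{c_i = 1} s_i mod n."""
    y = r
    for ci, si in zip(c, s):
        if ci:
            y = y * si % N
    return y


def pc_verify(x, c, w, y):
    """Step 6: accept iff x * prod_{c_i = 1} w_i == y^2 (mod n).
    Remark 4: x = 0 is never accepted."""
    if x % N == 0:
        return False
    lhs = x
    for ci, wi in zip(c, w):
        if ci:
            lhs = lhs * wi % N
    return lhs == y * y % N


def forged_commit(r, c_guess, w):
    """Forger betting on c: x = r^2 (prod_{c_i = 1} w_i)^-1, later y = r."""
    prod = 1
    for ci, wi in zip(c_guess, w):
        if ci:
            prod = prod * wi % N
    return r * r * pow(prod, -1, N) % N


def demo(seed=1):
    """Honest run, forger with the right guess, forger with a wrong guess, x = 0."""
    rng = random.Random(seed)
    p_pub, s = personalize(rng.getrandbits(I_BITS))
    w = pc_compute_w(p_pub)
    c = [rng.getrandbits(1) for _ in range(K)]
    r, x = card_commit(rng)
    honest = pc_verify(x, c, w, card_respond(r, c, s))
    lucky = pc_verify(forged_commit(r, c, w), c, w, r)
    c_other = [1 - c[0]] + c[1:]
    unlucky = pc_verify(forged_commit(r, c_other, w), c, w, r)
    return honest, lucky, unlucky, pc_verify(0, c, w, 0)
```

The forger succeeds exactly when its guess of c is right, which is the 2^-20 of the text; the x = 0 check is what keeps a pseudo random generator that can emit r = 0 from handing out a free acceptance.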

IV. The Algorithms

In addition to the virtually 'trivial' tasks like communication or managing the protocol itself there are two subroutines in the protocol runtime programs that have to be carefully considered, namely the pseudo random number generator and the modular multiplication.

The pseudo random number generator consists of 12 cascaded cyclic shift registers implemented in software. Gollmann [2] proved that the linear complexity of the sequence generated by cascaded cyclic shift registers grows exponentially with their number. The initial state of some of these registers is derived from the uninitialized RAM immediately after power-on or from the value of a free running on-chip timer. The statistical properties and the possibility of physical manipulation of these physical or pseudo-physical random processes have not yet been examined further. However, the remaining pseudo random generator should be strong enough to prevent tampering even if they could be made deterministic.

The modular multiplication is done as a full integer multiplication with successive reduction. Owing to the shortage of RAM space, recursive multiplication algorithms like Toom-Karatsuba seem not to be feasible. Thus a bytewise multiplication and addition using the processor's built-in multiplication instruction


is performed. As the architecture of the smart card processor enforces the use of this algorithm, the optimization of this arithmetic was a main goal. As a result some self-modifying code was developed, which must be executed in RAM. However this code does not require as much space as the data of a recursive algorithm would.

In a first version of the implementation the reduction was done bitwise. This solution had two major disadvantages. Firstly, considering time, the bitwise reduction dominated over the bytewise multiplication. Secondly, as the lack of RAM prevented the modulus from being shifted bitwise during the reduction, it had to be stored eight times, each time shifted by one bit, and so occupied space that could better be used for more signature values s_i. Although the protocol may be repeated several times to increase its security, every repetition has a considerable communication and computation overhead. Thus it is desirable to store as many signature values as possible to gain an acceptable security with only one protocol pass.

The final implementation uses a method to lead back reduction to multiplication published by Mohan and Adiga [5]. Let Q_0 be the value to be reduced modulo n, with

Q_k = 2^512 Z_k + R_k for k = 0, 1, ... and Z_k, R_k ∈ [0, 2^512).

Obviously for

Q_{k+1} = Q_k - 2^512 Z_k + 2^512 Z_k - n Z_k
        = Q_k - 2^512 Z_k + (2^512 - n) Z_k
        = R_k + (2^512 - n) Z_k

we have Q_k ≡ Q_{k+1} (mod n). Hence all to be done is to multiply the "upper half" of Q_k by d = 2^512 - n and add the result to the "lower half" of Q_k. This is a rather straightforward extension of the widely known method for performing reductions modulo 2^m - 1 (cf. [4] p. 272). Let #X denote the length of the binary representation of X in bits. We get

#Q_{k+1} ≤ #d + #Z_k if #Z_k ≥ #R_k or #d ≥ #R_k, and
#Q_{k+1} ≤ max(#d + #Z_k + 1, #R_k + 1) if #Z_k < #R_k and #d < #R_k,

which implies that if

#d ≤ 256

can be achieved, then


#Q_2 ≤ 513.

This means that after two iterations of multiplication and addition there are at most two additions of d to be done to obtain a result reduced to less than 2^512. The complete reduction eventually necessary may be left to the superior computing capabilities of the PC. Due to the simple multiplication algorithm used, the addition of d Z_k to R_k can be combined with the multiplication at no extra cost in computing time. The greatest advantage of this reduction algorithm is however that only one 256 bit value d instead of eight 512 bit values n has to be stored within the card's scarce memory.

Concerning the precomputation programs, the condition #d ≤ 256 leads to the above mentioned condition 2^512 > n ≥ 2^512 - 2^256. The remaining problem is to find p and q so that n satisfies this interval condition. Mohan and Adiga propose to use a modulus that has not only two large but also some small prime factors. During the implementation of the reduction it turned out that enough prime pairs can be found which satisfy this condition, so that no additional small primes are needed.

Trying to combine two primes out of a precomputed set of large primes could be shown to be impractical. The simple but effective method implemented is to find a suitable prime p, perform a large integer division to compute a factor q so that p q is within the desired range, and to test whether q is also prime. In detail:

Given

p < 2^256, p prime and chosen at random,

then

q = ⌈(2^512 - 2^256) / p⌉

satisfies

2^512 > p q ≥ 2^512 - 2^256.

The prime number theorem tells us that a randomly chosen value p of a magnitude of order 2^256 is prime with a probability of about 1 / ln 2^256 = 0.0056 (cf. [6] p. 64). Choosing p to be less than 2^256 ensures that at least one multiple k p of p falls into the interval [2^512 - 2^256, 2^512) of length 2^256; q is the least such k. All integers within a small interval around q are slightly larger than 2^256. Thus the probability for any of them to be prime is slightly less than 1 / ln 2^256.

The probabilistic Rabin-Miller test ([4] p. 379) is fast enough to find a suitable prime pair within some dozens of hours on a SUN-3.
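The prime-pair search and the Mohan-Adiga reduction of the last two pages, as an added Python example (not the card's assembly code or the paper's C program). The modulus length is a parameter, 512 in the paper, so the same code can be exercised at toy sizes. The trial-division-plus-Miller-Rabin test and the choice to set the top bit of p (so that q comes out about the same size) are assumptions; the paper names the Rabin-Miller test but gives no details. The partial reduction returns a value below 2^bits that may still exceed n; as in the text, the final subtraction is left to the PC.

```python
"""Added example: Knobloch's prime-pair search and the Mohan-Adiga reduction.

The modulus length is a parameter (512 in the paper) so the code can be run
at toy sizes.  Not the card's assembly code or the paper's C program.
"""
import random


def is_probable_prime(n, rounds=20, seed=None):
    """Trial division, then Miller-Rabin (ASSUMPTION: the paper names the
    Rabin-Miller test but gives no details of its own implementation)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    rng = random.Random(seed)
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_modulus(bits=512, seed=None):
    """Random prime p < 2^(bits/2) (top bit set, an ASSUMPTION so that q has
    about the same size); q = least k with k p >= 2^bits - 2^(bits/2);
    accept when q is prime too.  Returns p, q, n and the number of p tried."""
    half = bits // 2
    low = (1 << bits) - (1 << half)
    rng = random.Random(seed)
    tries = 0
    while True:
        tries += 1
        p = rng.getrandbits(half) | (1 << (half - 1)) | 1
        if not is_probable_prime(p):
            continue
        q = -(-low // p)                  # ceiling: least multiple of p in the interval
        if is_probable_prime(q):
            n = p * q
            assert low <= n < (1 << bits)  # 2^bits > n >= 2^bits - 2^(bits/2)
            return p, q, n, tries


def reduce_partial(Q, n, bits):
    """Q_{k+1} = R_k + d Z_k with d = 2^bits - n, repeated until Q < 2^bits.
    Returns the partially reduced value (still congruent to Q mod n) and the
    number of multiply-and-add iterations it took."""
    d = (1 << bits) - n
    assert 0 < d.bit_length() <= bits // 2, "n must lie in [2^bits - 2^(bits/2), 2^bits)"
    mask = (1 << bits) - 1
    steps = 0
    while Q >> bits:                       # upper half Z_k is non-zero
        Z, R = Q >> bits, Q & mask
        Q = R + d * Z
        steps += 1
    return Q, steps


def card_modmul(a, b, n, bits):
    """Card side: full integer product, then d-multiplication reduction only."""
    return reduce_partial(a * b, n, bits)[0]


def pc_finish(Q, n):
    """PC side: Q < 2^bits may still be >= n; one subtraction completes the reduction."""
    return Q - n if Q >= n else Q
```

For two operands below 2^bits the loop never runs more than four times: two multiply-and-add iterations bring the value below 2^(bits+2), and the remaining one or two iterations have Z_k ≤ 3, which is the "at most two additions of d" of the text.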


V. The Implementation

The smart cards part of the scheme is implemented in its processor's assembly language. The complete

program including serial communication and programming of the data (x i , P, d) into E2PROM, excluding

this data itself, consists of less than 700 bytes of code. As the data programming routine is used only once,

it is transfered to and executed in RAM and reprograms itself with data. All 256 bytes RAM are needed for

data or code storage or as stack

The personal computer as the smart cards counterpart is programmed in C. Due to its greater

performance it can use the same modular multiplication algorithm as the card without effect on overall

execution time. The primality testing was done as background job on some SUN-3 computers.

The current implementation allows the authentication of a 120 byte identification string at a security level

of 2-;so within an average time of about 6 seconds from card initialisation to acceptance of the identification

string.

VI. The Conclusions

The goal of a specialised processor architecture must be to implement the most time and space consuming tasks in silicon. So a cryptographic protocol processor for asymmetric protocols should include:

- a 512 bit modulus register and at least two 512 bit registers
- instructions for loading and storing these registers and modular arithmetic
- a buffered serial I/O unit, working independently from the CPU
- a physical random number generator or at least a hardware pseudo random number generator
- some general purpose registers and some RAM as return stack
- a reduced general purpose instruction set
- as much E²PROM as possible


VII. Acknowledgements

I would like to thank Dr. L. Schaumüller, W. Schlapak and H. Eilmsteiner (VOEST-ALPINE AG) as well as Prof. Dr. Th. Beth, Dr. M. Clausen, Dr. D. Gollmann and H.-P. Rieß (University of Karlsruhe) for the support, ideas and discussions contributing to this project.

VIII. Bibliography

[1] A. Fiat, A. Shamir: How To Prove Yourself: Practical Solutions to Identification and Signature Problems, Proc. of CRYPTO 86, Springer LNCS 263, pp. 186-194, 1987

[2] D. Gollmann: Linear Recursions of Cascaded Sequences, Contrib. to General Algebra 3, Proceedings of the Vienna Conference 1984, Hölder-Pichler-Tempsky, 1985

[3] ISO: Draft International Standard ISO/DIS 7816-3, Identification cards - Integrated circuit(s) cards with contacts - Part 3: Electronic signals and exchange protocols, 1987

[4] D. E. Knuth: The Art of Computer Programming, vol. 2: Seminumerical Algorithms, Addison-Wesley, 2nd ed. 1981

[5] S. B. Mohan, B. S. Adiga: Fast Algorithms for Implementing RSA Public Key Cryptosystem, Electronics Letters Vol. 21 No. 15, p. 761, August 1985

[6] H. Riesel: Prime Numbers and Computer Methods for Factorization, Birkhäuser 1985


MANIPULATIONS AND ERRORS,

DETECTION AND LOCALIZATION

Ph. Godlewski (1) & P. Camion (2)

(1) ENST dép. Réseaux et CNRS UA 820, 75634 Paris, France

(2) INRIA, B.P. 105, 78153 Le Chesnay, France

ABSTRACT

We investigate the possibility of using error correcting codes in digital signatures. A scheme combining one way functions and an MDS code is presented and analyzed. We then study an attack upon this scheme and upon more general ones called "random knapsack schemes" involving a linear combination Σ_i T(x_i, i) of the message elements x_i.

I. INTRODUCTION

Digital signature schemes provide two kinds of authentication services: integrity of messages and identification of users. This paper is concerned with the integrity aspects of digital signatures. Various terminologies and techniques are used in this context: MAC, MDC, MIC, seal, cryptographic checksum, one way hash function, compression, condensation ... ([1],[2],[3]). The motivation is to prevent malicious changes in a transmitted or stored message x. The basic process is the following: associate with x a short "certificate" s(x) which is transmitted or stored in a secure manner (i.e. with protection against active attack). We will restrict ourselves to systems which do not require the sender and the receiver to share a secret key K.

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 97-106, 1988. © Springer-Verlag Berlin Heidelberg 1988

The basic requirements are:

(i) s(.) is easily computable, s(x) is concise (e.g. from 8 up to 128 bytes),

(ii) s(.) is unforgeable: given y in the signature domain, it is computationally infeasible to calculate a quasi inverse s^{-1}(y) of y.

To avoid small falsifications (e.g. change of a name, of an amount in a payment message), we add an extra condition:

(iii) Two messages with the same length must differ in at least d symbols or blocks.

In the following we assume that the message x is composed of symbols x_i belonging to an alphabet X, then x = (x_1, x_2, ..., x_k); we set [k] = {1, 2, ..., k}.

We distinguish two types of attacks:

(a) Given x find x' such that s(x') = s(x).

(b) Find two messages x and x' such that s(x') = s(x).

These two types have some similarities with the so called "known plaintext" and "chosen plaintext" attacks on a classical cryptographic system for confidentiality.

A more realistic attack of type (a), productive for the intruder, is the following:

(a') Given a message x and y = s(x), and a fraudulent message x' partially specified in a subset I of symbol positions, find x'_j for j ∈ J = [k] \ I such that s(x) = s(x').

A similar attack (b') of type (b) can be defined.

In data networks, a reasonable goal should be to gather together different aspects of integrity, in particular:

- error detection and correction
- manipulation detection and localization.

Merging these items brings some "technical" problems. One major difficulty comes from the following fact: nearly all constructing methods for error-correcting codes


are based on linear computations which are well known for their cryptographic weakness.

We study several schemes which use linear combinations of the different elements of the message.

II. RANDOM KNAPSACK SCHEMES

When designing an integrity signature scheme without secret key, a basic need is to dispose of a one-way function φ. In contrast with well known public key algorithms such as RSA, there is no necessity here to invert φ with the help of some hidden trap door information. Then we can consider a purely randomly generated knapsack:

Generate k random numbers a_1, a_2, ..., a_k bounded by M, and calculate s(x) = Σ_i x_i a_i. In this paragraph, the alphabet X is binary, X = {0,1}.

When k is large enough, this scheme is deeply insecure against an attack of type (b), as shown by our next proposition.

Proposition 1: Given k integers a_1, a_2, ..., a_k with a_i ≤ M, it is always possible to find I, J ⊆ {1, 2, ..., k}, I ≠ J, such that Σ_{i∈I} a_i = Σ_{j∈J} a_j in O(k log(k)) operations when M ≤ k^{log(k)/4}.

For instance if k = 2^20 (a message of 128 Kbyte) and M = 2^100, an attack needs about 20·10^6 additions.

Proof: After sorting, we can assume a_{i-1} ≤ a_i for 1 < i ≤ k. We derive a new sequence of length k: b_1 = a_1 and b_i = a_i - a_{i-1} for 1 < i ≤ k. There exists an element a'_1 in {b_i} such that a'_1 ≤ M/k. If a'_1 = b_j, we then discard from the sequence {a_i} the two elements a_j and a_{j-1} involved in a'_1. Then we determine another element a'_2 such that a'_2 ≤ M/(k-2). Iterating the process k' = k/4 times, we then obtain k' elements a'_1, a'_2, ..., a'_{k'} such that a'_i < M/(k-2i) ≤ 2M/k.

Assuming that k = 2^u, M = 2^v, we have at our disposal a new sequence {a'_i} of length k' = 2^{u-2} with elements bounded by M' = 2^{v-u+1}. We consider the recursion:

u^{(t+1)} = u^{(t)} - 2,
v^{(t+1)} = v^{(t)} - u^{(t)} + 1, with u^{(0)} = u and v^{(0)} = v,

then we obtain:

u^{(t)} = u - 2t and
v^{(t)} = v - tu + t^2.

Note that v^{(t)} reaches its minimum v_min for t = t_min = u/2, then v_min = v - u^2/4. If v_min ≤ 0 all the elements of the sequence {a_i^{(t_min)}} vanish. This occurs if v ≤ u^2/4, i.e. M ≤ k^{log(k)/4}. Each step of the algorithm requires k^{(t)}/2 = 2^{u^{(t)}-1} additions and a sorting, that is O(k^{(t)} log(k^{(t)})) additions. Then the total complexity is less than k log k + (2k/3)(1 + log k) < 4k log(k) additions; that is O(k log k). The algorithm needs no more than O(k log(k) log(M)) binary operations.

Notice that this algorithm is not probabilistic: at each step, the worst case is considered. To perform an attack of type (a), algorithms which require more computational effort exist. A probabilistic algorithm will appear as a consequence of proposition 2.
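The difference algorithm of Proposition 1 turned into a type (b) attack, as an added Python example (not the authors' code). Each element carries the two disjoint sets of original indices whose weights it is the difference of, so that the first zero directly yields I and J and hence two binary messages with the same knapsack signature s(x) = Σ x_i a_i; this bookkeeping is added here, the proof only tracks the values. The 'smallest gap of the sorted sequence' step is re-applied after each pair is discarded and only k/4 differences are kept per level, as in the proof; the sum-distinct negative case in the test is my addition.

```python
"""Added example: the difference algorithm of Proposition 1 turned into a
type (b) attack on the random knapsack scheme s(x) = sum_i x_i a_i.
Not the authors' code; tracking which original indices each difference is
built from is added bookkeeping.
"""
import random


def random_weights(k, v, seed=None):
    """k public knapsack weights a_i drawn uniformly from [1, 2^v)."""
    rng = random.Random(seed)
    return [rng.randrange(1, 1 << v) for _ in range(k)]


def equal_sum_subsets(a):
    """Return (I, J): disjoint, non-empty index sets with equal weight sums,
    or None if the recursion dies out before a zero appears (Proposition 1
    excludes that when max(a) <= k ** (log2(k) / 4))."""
    # element = (value, plus, minus) with value == sum a[plus] - sum a[minus];
    # the supports plus | minus of the elements in `seq` stay pairwise disjoint.
    seq = sorted(((v, frozenset([i]), frozenset()) for i, v in enumerate(a)),
                 key=lambda e: e[0])
    while len(seq) >= 2:
        new = []
        for _ in range(max(1, len(seq) // 4)):      # keep k'/4 differences per level
            if len(seq) < 2:
                break
            # smallest consecutive gap of the sorted sequence, <= M / (len - 1)
            j = min(range(1, len(seq)), key=lambda t: seq[t][0] - seq[t - 1][0])
            hi, lo = seq[j], seq[j - 1]
            diff = (hi[0] - lo[0], hi[1] | lo[2], hi[2] | lo[1])
            if diff[0] == 0:                        # sum a[plus] == sum a[minus]
                return set(diff[1]), set(diff[2])
            new.append(diff)
            del seq[j - 1:j + 1]                    # discard the two elements involved
        seq = sorted(new, key=lambda e: e[0])
    return None


def knapsack_signature(a, x):
    """s(x) = sum_i x_i a_i for a binary message x."""
    return sum(ai for ai, xi in zip(a, x) if xi)


def colliding_messages(a):
    """Two distinct binary messages with the same knapsack signature, or None."""
    found = equal_sum_subsets(a)
    if found is None:
        return None
    I, J = found
    return ([1 if i in I else 0 for i in range(len(a))],
            [1 if i in J else 0 for i in range(len(a))])
```

With k = 2^10 and M = 2^20 the condition M ≤ k^{log(k)/4} = 2^25 holds, and the pigeonhole bounds of the proof guarantee a zero by the third level (1024 → 256 elements below 2^11, → 64 elements at most 15, → a zero gap among 64 values at most 15); a few distinct powers of two, which are sum-distinct, show the None branch.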

III. ERROR-LOCALIZING CODES SCHEME

We present a scheme combining one way functions and an error correcting code:

Split the message x into blocks x_i ∈ F_2^u of length u (e.g. u = 100), x = (x_1, x_2, ..., x_k), then use a one way injective function φ_i(.) from F_2^u to F (e.g. |F| = q = 2^128). For instance φ_i(x_i) can be written as φ_i(x_i) = φ(i | x_i), where "|" stands for concatenation. We therefore obtain k symbols y_i = φ_i(x_i) in F. Encode (y_1, y_2, ..., y_k) with an [n,k,d] error correcting code over F. The n-k (e.g. n-k = 4) redundancy symbols y_{k+1}, y_{k+2}, ..., y_n form the signature s.

Detection and correction

We consider codes over a very large alphabet F of cardinality q. Then n < q, and we can restrict ourselves to MDS codes. It is well known that most error correcting codes are far from perfect. More precisely, the density Δ = 2^{-δ} of the packing is small; Δ is the fraction of the space F^n which lies inside the spheres B_t of radius t centered on the code words. Therefore, most of the space may be used for detection. For an [n,k,d] code C, we have t = ⌊(d-1)/2⌋ and Δ = |C|·|B_t| / |F^n|. One can consider that a part log|B_t| of the redundancy (i.e. of the (n-k) log(q) bits) is used for correction, the remaining part δ = (n-k) log(q) - log|B_t| for detection. A straightforward estimation gives:

δ ≈ log(q) [ n - k - t (1 + log_q n - log_q t) ].

For our application we have t = ⌊(n-k)/2⌋ (cf. MDS codes), and possible orders of magnitude of the parameters are: 1 ≤ t ≤ 10, n < 2^32, q > 2^100. Then we have t < n << q and δ ≈ log(q) ⌊(n-k)/2⌋. Half of the signature symbols are used to detect errors or manipulation.

Localization or correction

Using the Berlekamp-Massey algorithm, it is possible to localize errors in O(n·d) operations over F. But, due to the presence of the one way functions φ_i, the error evaluation on the y_i cannot be exploited to correct errors on the x_i. However, for some types of messages, errors can perhaps be corrected by trial and error procedures, for instance by exploiting the natural redundancy of a language.

The error correction algorithm can be carried out only if it is possible to invert each φ_i for each position i in error using some (secret) trap door information.


Weakness of the scheme in low characteristic

It is important to select the field F with a high characteristic. For instance if the characteristic of F is 2, i.e. q = 2^v, then it is possible to perform an attack of type (a') by modifying |J| = O((n-k)v) blocks of an arbitrary fraudulent message x'. In this case the signature s is computed in F_2^{v(n-k)} following the formula:

s = Σ_{i∈[k]} y_i H^{(i)},

where y_i and H^{(i)} are respectively 1×v and v×v(n-k) binary matrices. The binary image of the [n,k] MDS code over F is then an [nv,kv] code over F_2 with parity check matrix H = [H^{(1)}, ..., H^{(k)}, I]. Let J be the set of positions used to adapt the fraudulent message to the desired signature; we consider the cheating procedure:

- For the legitimate message, compute y(i) = y_i H^{(i)} and then σ = Σ_{i∈[k]} y(i).

- For a fraudulent message x', choose randomly {x'_j} for j ∈ J, and compute the similar quantities, for i ∈ [k],

y'_i = φ_i(x'_i), y'(i) = y'_i H^{(i)}, σ' = Σ_{i∈[k]} y'(i).

- Find {ε_j ; ε_j ∈ F_2, j ∈ J} such that σ - σ' = Σ_{j∈J} ε_j (y(j) - y'(j)); this is possible if the vectors (y(j) - y'(j)), j ∈ J, generate F_2^{v(n-k)}, which is true with high probability if |J| = 2(n-k)v.

- Let x''_j = ε_j x_j + (1 - ε_j) x'_j be the values of the final message x'' in the positions j ∈ J.

The complexity of this procedure resides essentially in the computation of O((n-k)v) additional one-way functions φ_j(x'_j). It is possible to specify similar procedures with smaller |J| and for codes defined over other fields with low characteristic. For such fields, the proposed scheme is therefore very weak.
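The cheating procedure above, worked through in Python as an added example (not the authors' code). Constructed stand-ins: F = GF(2^8) with the AES polynomial (v = 8), φ_i(x_i) = first byte of SHA-256(i | x_i), and n - k = 2 redundancy symbols s_r = Σ_i H[r][i]·y_i over F with a random matrix H (the paper uses an MDS code; any F-linear encoder has this shape and only the F_2-linearity of the map is used). With |J| = 2(n-k)v = 32 adjustable positions out of k = 64 blocks, the forger keeps its own content in the other 32 blocks and solves the F_2 linear system for the ε_j.

```python
"""Added example: the characteristic-2 forgery (type (a')) against the
code-based scheme.  Constructed stand-ins, not the authors' parameters:
GF(2^8) with the AES polynomial (v = 8), phi_i(x_i) = first byte of
SHA-256(i | x_i), n - k = 2 redundancy symbols s_r = sum_i H[r][i] * y_i
over F with a random H (any F-linear encoder has this shape; only the
F_2-linearity of the map is used).
"""
import hashlib
import random

V, R, K_BLOCKS, BLOCK = 8, 2, 64, 4      # q = 2^V, n-k = R, k blocks of BLOCK bytes


def gf_mul(a, b):
    """Multiplication in GF(2^8) modulo x^8+x^4+x^3+x+1 (ASSUMPTION: field choice)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def phi(i, block):
    """One-way map of block i to a field symbol (stand-in for the paper's phi_i)."""
    return hashlib.sha256(bytes([i]) + block).digest()[0]


def random_encoder(seed=0):
    """R x k matrix of non-zero field elements (stand-in for the MDS encoder)."""
    rng = random.Random(seed)
    return [[rng.randrange(1, 256) for _ in range(K_BLOCKS)] for _ in range(R)]


def sign(blocks, H):
    """Signature (s_1, ..., s_{n-k}) packed into one (n-k)*v bit integer."""
    y = [phi(i, b) for i, b in enumerate(blocks)]
    packed = 0
    for r in range(R):
        s_r = 0
        for h, yi in zip(H[r], y):
            s_r ^= gf_mul(h, yi)
        packed = (packed << V) | s_r
    return packed


def column(H, j, delta):
    """Change of the packed signature when y_j changes by delta (F_2-linear)."""
    packed = 0
    for r in range(R):
        packed = (packed << V) | gf_mul(H[r][j], delta)
    return packed


def solve_f2(cols, target):
    """Gaussian elimination over F_2: bitmask of a subset of cols whose XOR is
    target, or None if target is outside their span."""
    basis = {}                                  # pivot bit -> (vector, combination)
    for idx, v in enumerate(cols):
        combo = 1 << idx
        while v:
            hb = v.bit_length() - 1
            if hb not in basis:
                basis[hb] = (v, combo)
                break
            bv, bc = basis[hb]
            v, combo = v ^ bv, combo ^ bc
    combo = 0
    while target:
        hb = target.bit_length() - 1
        if hb not in basis:
            return None
        bv, bc = basis[hb]
        target, combo = target ^ bv, combo ^ bc
    return combo


def forge(legit, template, J, H, seed=1):
    """Build x'' equal to `template` outside J with sign(x'') == sign(legit).
    Returns None if the |J| difference vectors fail to span the target."""
    rng = random.Random(seed)
    target = sign(legit, H)
    xp = list(template)
    for j in J:                                  # random x'_j on the adjustable positions
        xp[j] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    sigma_p = sign(xp, H)
    cols = [column(H, j, phi(j, legit[j]) ^ phi(j, xp[j])) for j in J]   # y(j) - y'(j)
    eps = solve_f2(cols, target ^ sigma_p)                               # sigma - sigma'
    if eps is None:
        return None
    for t, j in enumerate(J):
        if (eps >> t) & 1:                       # eps_j = 1: keep the legitimate block x_j
            xp[j] = legit[j]
    return xp


def demo(seed=7):
    """Legitimate message, forger's template, adjustable set J, encoder and forgery."""
    rng = random.Random(seed)
    H = random_encoder(seed)
    legit = [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(K_BLOCKS)]
    template = [bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(K_BLOCKS)]
    J = list(range(K_BLOCKS - 2 * R * V, K_BLOCKS))     # |J| = 2 (n-k) v = 32
    return legit, template, J, H, forge(legit, template, J, H)
```

The cost is the 32 extra φ evaluations plus an elimination on a 16×32 binary matrix, nothing depending on the size of the field; over a field of odd characteristic the same trick fails because choosing between x_j and x'_j is no longer a linear choice over the prime field.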

In the following paragraph, we present an attack adapted for high characteristic.


IV. AN ATTACK UPON SCHEMES BASED ON LINEAR COMPUTATIONS

We consider a generalization, proposed by Gaston Gonnet (Waterloo), of the binary knapsack scheme for signature. To specify this scheme it is sufficient to present an attack of type (a') which consists in solving the following problem:

Problem A:

Given a finite set of indices J, an integer a < M, and a function T(.,.) from X × J into Z, find a sequence in X^{|J|}, x = (x_j)_{j∈J}, which satisfies

Σ_{j∈J} T(x_j, j) = a. (1)

Remark: Notice that solving problem A reduces to solving the following knapsack:

Σ_{(x,j) ∈ X×J} ε_{(x,j)} T(x, j) = a

subject to

ε_{(x,j)} ∈ {0,1} and, for all j, Σ_{x∈X} ε_{(x,j)} = 1.

When we exhibit a sequence x for a set of indices J which verifies (1), we say that the set J is a support for a. The goal is to find an algorithm that solves the problem for small or medium support size |J|.

In [4], this kind of problem has been studied in an algebraic structure different from the additive group (Z,+) of integers. The considered structure G is the group of invertible 2×2 matrices with entries in the field F_p. The algorithm proposed in [4] supposes the existence of a chain of subgroups H_i, G ⊇ H_{p-1} ⊇ H_{p-2} ⊇ ... ⊇ H_1, such that the indexes [H_r : H_{r-1}] are not too large. The method can be applied to commutative groups with small prime exponent. When G contains a (cyclic) subgroup Z/PZ with large prime P, a similar method can be used, embedding Z/PZ in Z and using the Chinese remainder theorem.


A probabilistic algorithm to solve Problem A

Let $M$ be an upper bound for the possible values of $a$. We choose $M$ as a product of coprime numbers $M = \prod_{r \in [\rho]} P_r$, where $P_r \ge P$ and $P_r < 2P$. We assume that $|J| = 2^\rho b$. It will appear that $|X|^b > 2P$. Setting $J = J_1^{(\rho+1)}$ and by successive dichotomies over $J$, we obtain:

$$J_s^{(r+1)} = J_{2s-1}^{(r)} \cup J_{2s}^{(r)}, \qquad J_{2s-1}^{(r)} \cap J_{2s}^{(r)} = \emptyset, \qquad |J_s^{(r)}| = 2^{r-1} b.$$

We thus get $\rho$ partitions of $J$, for $r+1 = \rho, \rho-1, \dots, 2, 1$:

$$J = \bigcup_{s} J_s^{(r)}.$$

The algorithm has $\rho$ steps. The principle is to determine, for each step $r$ and each set $J' = J_s^{(r)}$, $s \in [2^{\rho-r}]$, a set of $K(P,r)$ solutions to the equation

$$\sum_{j \in J'} T(x_j, j) = a\,\delta_1(s) \pmod{P^{(r)}}, \qquad P^{(r)} = \prod_{i \in [r]} P_i,$$

where $\delta_1(s) = 1$ if $s = 1$, and $0$ otherwise. Roughly, we choose $K(P,r) = O(P)$.

Basic procedure: It consists in determining, from two sets $V_1$ and $V_2$, each with $O(P)$ elements of the form $(T(x_{i_1}, i_1), \dots, T(x_{i_t}, i_t))$, $t = 2^{r-1} b$, for $r \ge 1$, a set $V'$ with $V_1 \times V_2 \supseteq V'$ and $|V'| = O(P)$, in which every $2t$-tuple's components add up to $0$ (or $a$) modulo $P_i$, $i \le r$. If all the numbers are specified modulo $P$, this procedure requires essentially a sorting and then $O(P \log P)$ additions. Indeed $V_1$ (resp. $V_2$) is sorted according to the value of the sum of the components of its elements modulo $P_r$. After the two sortings are performed, selecting the matching couples needs $O(P)$ comparisons. More precisely, if $|V_1| = a_1 P$ and $|V_2| = a_2 P$, finding all matching couples needs $(a_1 + a_2) P$ comparisons since, once two elements have been compared, the smaller is dropped.

For a fixed step $r$ of the algorithm, this procedure is applied $2^{\rho-r}$ times for determining $2^{\rho-r}$ sets. Each set $V_s^{(r)}$, $s \in [2^{\rho-r}]$, contains $O(P)$ elements with support $J_s^{(r)}$.
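As an added illustration (not part of the paper), the following Python code implements the basic procedure above for its simplest instance: the binary case $X = \{0,1\}$, $T(x,j) = x\,w_j$ with constructed weights $w_j$, and a single modulus $P$ (one step of the algorithm, $\rho = 1$). The two halves of $J$ are enumerated, sorted by component sum, and matched in one merge-like sweep instead of $|V_1| \cdot |V_2|$ comparisons; a brute-force enumeration is included to check the result. Weights, modulus and target are constructed sample values and all function names are mine.

```python
"""Added example (not from the paper): the 'basic procedure' for Problem A in the
binary case X = {0,1}, T(x, j) = x * w_j with constructed weights, single modulus P.
Linearity of T(., .) is what lets the two halves of J be matched by sorting."""
from itertools import product


def match_couples(v1, v2, target, modulus):
    """Return every concatenation u + w (u in v1, w in v2) whose components add up
    to `target` modulo `modulus`.  Cost: two sorts, then (|v1| + |v2|) comparisons,
    because after each comparison the element with the smaller key is dropped."""
    key1 = lambda u: sum(u) % modulus                 # sum of u's components mod P
    key2 = lambda w: (target - sum(w)) % modulus      # what u must contribute to hit target
    s1 = sorted(v1, key=key1)
    s2 = sorted(v2, key=key2)
    i = j = 0
    matches = []
    while i < len(s1) and j < len(s2):
        a, b = key1(s1[i]), key2(s2[j])
        if a < b:
            i += 1
        elif a > b:
            j += 1
        else:
            # equal keys: pair up the whole run of equal keys on both sides
            i2 = i
            while i2 < len(s1) and key1(s1[i2]) == a:
                i2 += 1
            j2 = j
            while j2 < len(s2) and key2(s2[j2]) == b:
                j2 += 1
            for u in s1[i:i2]:
                for w in s2[j:j2]:
                    matches.append(u + w)
            i, j = i2, j2
    return matches


def t_values(weights, assignment):
    """The tuple (T(x_j, j))_j for T(x, j) = x * w_j."""
    return tuple(x * w for x, w in zip(assignment, weights))


def solve_problem_a(weights, target, modulus):
    """All binary x with sum_j T(x_j, j) == target (mod modulus).  The left and right
    halves of J are enumerated (2^b tuples each) and matched with the basic procedure."""
    b = len(weights) // 2
    left, right = weights[:b], weights[b:]
    v1 = [t_values(left, xs) for xs in product((0, 1), repeat=len(left))]
    v2 = [t_values(right, xs) for xs in product((0, 1), repeat=len(right))]
    solutions = set()
    for tv in match_couples(v1, v2, target, modulus):
        # recover x_j from T(x_j, j): a nonzero component means x_j = 1 (weights are nonzero)
        solutions.add(tuple(1 if t else 0 for t in tv))
    return solutions


def brute_force_problem_a(weights, target, modulus):
    """Reference enumeration of all 2^|J| assignments, used only to check the result."""
    return {xs for xs in product((0, 1), repeat=len(weights))
            if sum(x * w for x, w in zip(xs, weights)) % modulus == target}


if __name__ == "__main__":
    # constructed sample: eight positions, modulus 101, target residue 50
    W = (3, 7, 11, 19, 23, 29, 31, 37)
    sols = solve_problem_a(W, 50, 101)
    print(len(sols), "assignments satisfy (1); same as brute force:",
          sols == brute_force_problem_a(W, 50, 101))
```

With $b$ small both halves are enumerated exhaustively; the paper's algorithm instead samples $O(P)$ tuples per half and chains several moduli $P_1, \dots, P_\rho$ by the Chinese remainder theorem, but the matching step is the one shown here.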

Algorithm complexity:

The basic procedure is applied $2^{\rho-1} + 2^{\rho-2} + \dots + 2^0 = 2^\rho - 1$ times. If we assume that the complexity of computing one value $T(x_j, j)$ is $O(1)$, the overall complexity is $K = 2^\rho\, P \log(P)\, \rho$ for a number $|J| = 2^\rho b$ of symbols used to adapt the signature.

If we set $|X| = 2^a$, $M = 2^m$, $P = 2^\alpha$, we then get: $m = \rho\alpha$, $ab = 2\alpha$.

For $a = 1$, we obtain $b = 2\alpha = 2m/\rho$ and $K = \rho\, 2^{\rho + m/\rho}\,(m/\rho)$, which reaches its minimum for $\rho \approx \sqrt{m}$; we then have $K = 2^{2\sqrt{m}}\, m$ and $|J| = 2^{\sqrt{m}+1}\sqrt{m}$. If we consider larger blocks (e.g. $a = 100$) we can choose $b = 1$, and we obtain the same type of result: $K \approx 2^{2\sqrt{m}}\, m$ and $|J| = 2^{\sqrt{m}}$.

Proposition 2: Using a probabilistic algorithm, it is possible to solve Problem A in $O(2^{2\sqrt{m}})$ operations modifying only $|J| = 2^{\sqrt{m}+1}\sqrt{m}$ symbols ($|J| = 2^{\sqrt{m}}$ if $|X| >$

Application: $M = 2^{100}$. In the binary case (cf. paragraph 2), it is possible to forge a (fraudulent) message with the same signature by adapting $|J| = 2^{11} \cdot 10 \approx 20\,000$ bits; the process needs about $10^6$ operations.

If the signature domain is sufficiently large (say $m = 1000$ bits) this attack is clearly ineffective. The security of the scheme proposed in § III remains an open problem when the field $F$ is $\mathbb{Z}/q\mathbb{Z}$ where $q$ is a prime such that $\log(q) = 128$, and $C$ is an $[n,k]$ code with $n-k = 8$, leading to a signature which is $m = (n-k)\log(q) = 128 \cdot 8 = 2^{10}$ bits long.


REFERENCES

[1] D.W. Davies and W.L. Price, "Security for Computer Networks", John Wiley and Sons, Chichester, 1984.

[2] R.R. Jueneman, "A High Speed Manipulation Detection Code", Proceedings of Crypto 86, Springer-Verlag, 1987, pp. 327-346.

[3] M. Campana and M. Girault, "How to Use Compressed Encoding Mechanisms in Data Protection", Securicom 88, March 15-17, pp. 91-110.

[4] P. Camion, "Can a Fast Signature Scheme Without Secret Key be Secure?", in AAECC, Lecture Notes in Computer Science, no. 228, Springer-Verlag.


PRIVACY PROTECTED PAYMENTS - REALIZATION OF A PROTOCOL THAT GUARANTEES PAYER ANONYMITY

Svein J. Knapskog

Division of Computer Systems and Telematics, University of Trondheim, The Norwegian Institute of Technology, N-7034 Trondheim

Introduction

There is a growing concern that the total traceability of users in a conventional electronic card based payment system may become a major argument against these new, more convenient and more cost effective systems. To circumvent this problem, electronic card (smart card) based systems can still be used, but in connection with new data communication protocols involving banks, shops and customers (of banks and shops). Some new ideas regarding the use of "electronic coins" will also have to be accepted.

The basic idea for this new way of using known systems and assets was first presented by David Chaum at CWI, Amsterdam (1). It is based upon the usage of home terminals (personal computers) and POS terminals in the different shops, much in the same way as we are already exposed to and getting familiar with in our everyday life today. This new concept, however, will be dependent upon a smart card with an order of magnitude more memory available on it than today's technology permits, and in addition it will rely heavily upon online data communication between shops and banks. The remaining prerequisite is that banks, shops and customers can agree upon a public key algorithm that is considered safe and operationally acceptable to carry out the necessary mathematical operations underlying the new protocol. Banks must also build and maintain the necessary databases to support the system. With these assumptions accepted, it will be demonstrated that a practical, smoothly operating system is feasible.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 107-122, 1988. © Springer-Verlag Berlin Heidelberg 1988


The Crypto-algorithm

The most common public key crypto-algorithm today is the RSA algorithm. Given a message $M$, the encrypted version $C$ is obtained by raising $M$ to the power of $e$, the publicly known part of the key:

$$C = M^e \bmod m$$

Decryption involves the secret part of the key, $d$:

$$M = C^d \bmod m$$

All operations are performed on a closed set of integer numbers, less than or equal to the modulus $m$. The security of the RSA algorithm rests upon the fact that factoring large numbers is a mathematically difficult (hard) problem.

The RSA algorithm has one vital property:

$$(M^d)^e = M$$

This property is exploited when users of the system want to authenticate themselves. Authentic users will be another necessity in the system to avoid fraud.

The "Electronic coins" concept

Money (coins and banknotes) is virtually untraceable. To keep track of an individual note by its number would be an almost impossible task. Therefore, the basic idea in the concept of "electronic coins" is to keep the benefit of untraceability of traditional money, and add the benefits of electronically stored and transmitted data representing a specific value. This we can obtain by creating electronic coins and storing them in a smart card. When these coins are used, no one would be able to trace either the coin itself or the user of the coin. An electronic coin is created by:

$$M = S^{e_c} \bmod m$$

where $S$ is a random number designated "seed" and $e_c$ is the public part of an RSA key of which "no one" knows the secret part, so that exponentiation with $e_c$ is a true one-way function.

Before sending this coin to the bank to get it signed (approved) by the bank, it must be covered by an envelope:

$$(1) = M \cdot r^e \bmod m$$

where $r$ is another random number and $e$ is the public part of the RSA key for the bank.

The bank signs the coin still covered by its envelope:

The signed coin is returned to the customer, and at the same time the customer's account is debited for the amount of money that the coin represents. The customer is now able to remove the envelope and check whether the transmission and the bank's routines have worked properly:

$$(2) \cdot r^{-1} = (M^d \cdot r)\, r^{-1} = M^d, \qquad (M^d)^e = M\ ?$$

Equality tells that the coin is ready for use.

Use of electronic coins

The coins created are valid for use in shops which are customers of the same bank as that of the payer, or of another bank that has direct data communications with the payer's bank. Generally, the latter is the case. When a payer presents his money (electronic coins) in the shop, the shop sends to the bank:


The bank searches the database to check if the money has already been used. If not, it requests the seed, $S$, from the shop (stored in the customer's smart card and read by the shop's terminal). $S$ is used to check the validity of the money:

$$S^{e_c} = (M^d)^e\ ?$$

If equal, the shop's account is credited the correct amount, and the database for used money in the bank is updated.
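As an added example (not from the paper), here is the coin lifecycle just described run end to end in Python with a toy RSA modulus: coin creation from a seed, enveloping, blind signing by the bank, envelope removal, the customer's check $(M^d)^e = M$, and the bank's payment-time checks against the used-money database and the seed. The modulus $61 \cdot 53$, the exponents and the seeds are constructed values; the same modulus is assumed for the coin key $e_c$ and for the bank key, which the paper leaves open, and the function and class names are mine.

```python
"""Added example (not from the paper): the electronic-coin lifecycle with a toy RSA
modulus.  Constructed parameters only; a real system needs a large modulus and
independently generated keys for the coin exponent e_c and the bank."""
import secrets
from math import gcd

# constructed toy bank key (p = 61, q = 53): modulus m, public e, secret d
M_MOD = 3233
E_BANK = 17
D_BANK = 2753
# public exponent e_c used to create coins; its secret counterpart is assumed unknown
E_COIN = 7


def make_coin(seed):
    """M = S^{e_c} mod m: exponentiation with e_c is the one-way step."""
    return pow(seed, E_COIN, M_MOD)


def envelope(coin, r):
    """Customer covers the coin: (1) = M * r^e mod m, with r random and invertible mod m."""
    assert gcd(r, M_MOD) == 1
    return coin * pow(r, E_BANK, M_MOD) % M_MOD


def bank_sign(blinded):
    """Bank signs without seeing M: (M r^e)^d = M^d * r mod m."""
    return pow(blinded, D_BANK, M_MOD)


def strip_envelope(signed_blinded, r):
    """(2) * r^{-1} = M^d mod m."""
    return signed_blinded * pow(r, -1, M_MOD) % M_MOD


def customer_check(signed_coin, coin):
    """(M^d)^e == M ? tells the customer the coin is ready for use."""
    return pow(signed_coin, E_BANK, M_MOD) == coin


class Bank:
    """Bank side at payment time: 'used money' database plus the seed check."""

    def __init__(self):
        self.used = set()

    def accept_payment(self, signed_coin, seed):
        if signed_coin in self.used:
            return "used-money"            # coin already spent (sequences 3 and 4)
        # S^{e_c} == (M^d)^e ?  Both sides must equal the unsigned coin M.
        if make_coin(seed) != pow(signed_coin, E_BANK, M_MOD):
            return "money-not-valid"       # seed does not match (sequences 5 and 6)
        self.used.add(signed_coin)
        return "valid-money"


def random_invertible():
    """A random envelope r with gcd(r, m) = 1, as the customer would pick it."""
    while True:
        r = secrets.randbelow(M_MOD - 2) + 2
        if gcd(r, M_MOD) == 1:
            return r


def run_protocol(seed, r, bank):
    """Create, blind, sign, unblind and verify one coin, then present it twice."""
    coin = make_coin(seed)
    signed = strip_envelope(bank_sign(envelope(coin, r)), r)
    ok = customer_check(signed, coin)
    first = bank.accept_payment(signed, seed)
    second = bank.accept_payment(signed, seed)      # same coin again: must be refused
    return ok, first, second


if __name__ == "__main__":
    print(run_protocol(1234, random_invertible(), Bank()))
```

The bank never sees $M$ or $M^d$ while signing, only $M r^e$, which is what makes the payer untraceable; the second presentation of the same signed coin is refused purely from the used-money database, which is why that database must be kept online.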

Giving change to electronic coins

The motivation for implementing new payment systems has up till now been strongest for the banks and possibly large shops or chains of shops. The new systems, based on plastic cards of different kinds, have raised the efficiency and lowered the risk involved with physically handling large amounts of money. The protocols suggested by D. Chaum, further elaborated by our work, have also taken into account the need for protection of individuals, and in that respect this payment system should be more acceptable to the general public. However, the protocols as described till now are too simple to be seen as equal to or better than existing systems from the user's point of view. One facility that quite obviously must be taken care of is how to give change in the system. As long as the user (payer) has a positively balanced bank account, he (or she) must be able to use his card for whatever amount of money is necessary. An extension of the protocol, shown in the following, sketches a non-trivial solution to this trivial problem.

The smart card must be able to perform some mathematical calculations, namely encryption of an envelope $r$ with a publicly known key for that specific date and coin type, and multiplication of the unsigned coins with it:

The bank performs checking of the coins in the previously described way, and returns them to the card via the shop. The card must then strip off the envelope:

The money generated as change is stored in the card and can be used later in the same way as the ordinary money in the card.

The protocols

In the following paragraph a description is given of the protocols used for the data communication between the customers, shops and banks. Six different sequence diagrams picture the messages between the communicating parties for different cases. Sequence no. 1 shows how the card is filled with money for the first time. Sequence no. 2 shows an ordinary transaction without complications. The last four sequences picture events where some check or other fails, and how the system deals with this kind of anomaly.

Sequence 1.

a) The card is empty (new) and is filled with money for the first time.

b) A used card is refilled with "fresh" money, discarding earlier loaded coins that are getting old or have impractical values. These coins will be returned to the bank and the account balanced accordingly.

Sequence 2.

This is the protocol for the normal use of the card. The transaction is completed without any malfunction or error. Two different banks may be involved in the data communication, and change will be given if appropriate.

Sequence 3.

In a real world system there will always be users that are tempted to take advantage of any weakness that can be exploited. Some user could for instance try to obtain goods or services even if he knows that there isn't enough money in his card to pay for this. (An absent-minded person could also trigger this sequence without any harm intended.) The money is checked (as always) against a "used money" list in the customer's bank, and this time the check gives a positive answer. As the card doesn't contain valid money to pay for the goods or services requested, the transaction is terminated and an "unable-to-pay" message is issued to the customer.

Sequence 4.

One can imagine that the check for used money could give a positive answer even if there was no intention of fraud from the user, for instance after some kind of off-line transaction that has taken place without properly updating the card. In this case, there will probably also be valid money in the card that can be correctly used after the first attempt has failed.

Sequence 5.

In addition to the check for used money, the money offered as payment is always tested for validity by requesting the seed used in creating the particular coins offered for the payment. If the test fails, no attempt is made to discover what the reason for the failing test is. The bank simply states the fact that this money is not valid, and the offered money is returned to the customer. If the card does not contain any other money, the transaction is terminated with the "unable-to-pay" response. It will be the customer's own responsibility to clear this discrepancy with his bank, so that money that doesn't comply with the "valid-seed" check is removed from the card.

Sequence 6.

In many cases it will be appropriate to try other coins from the same card if the "seed-check" is negative. This is shown in the last protocol sequence.


Protocol operations

In the sequence diagrams, the following notation is used:

e - encryption key for a particular class of coins

d - decryption key for a particular class of coins

$e_c$ - public encryption key for seed

S - seed

M - unsigned coin

r - envelope

$r^{-1}$ - inverse defined for the particular class of coins and its modulus

The operations that the actors in the protocol will be executing, are the following:

A1 - The user activates his home terminal and decides what amount of money he wants in his card by typing it on his terminal. If the card already contains money, he will have to give his PIN code to get access to the card.

A2 - The user is notified that his card is filled and ready for use.

A3 - The customer types his secret number on the shop's terminal.

A4 - The customer is notified whether the payment was successful or not.

B1 - Reading the PIN code.

B2 - Information about the sum total to be paid, and transfer of encryption keys for all classes of coins for that particular day.

B3 - Transfer of signed coins and unsigned change from shop to bank.

B4 - Negative response on the "used-money" check, and request for seed from shop to card.

B5 - Transfer of seed from shop to bank.

B6 - Transfer of change from shop to card.

B7 - Change acknowledgement, payment session terminated.

B8 - Status of used coins from shop to card. Request for money needed to fulfill the payment.

B9 - Break signal from shop to bank. "Unable-to-pay" to customer.

B10 - Status of false/invalid coins from shop to card.

B11 - Transfer of unsigned coins to shop's bank.

C1 - PIN code check.

C2 - Transfer of old/invalid coins from card.

C3 - Transfer of seed.

C4 - Storing signed and unsigned coins in the card.

C5 - Payment with signed coins. If change is needed, unsigned coins must also be transferred to the shop.

C6 - Storage of signed change. The card generates $r^{-1}$ for each envelope and modulus.

C7 - Termination of payment session due to low balance.

C8 - Transfer of more coins after alarm due to "money-not-valid".

D1 - Generating new coins.

D2 - Check of PIN code.

D3 - Request for clearing the card of old or impractical coins.

D4 - Transfer of old or impractical coins from home terminal to bank.

D5 - Request for seed.

D6 - Transfer of seed to bank.

D7 - Removal of envelope and signature check. Seed and unsigned coins to fill the card's memory are generated after loading with signed coins.

D8 - Acknowledgement of filling session.

S1 - Transfer of coins from shop's bank to customer's bank.

S2 - "Valid-money".

S3 - Transfer of seed.

S4 - Transfer of change for signing. Account updating.

S5 - Receiving signed change.

S6 - Information transfer regarding used coins.

S7 - Payment session terminated.

S8 - Information transfer regarding false/invalid coins.

T1 - Check for used coins.

T2 - Check for "money-valid".

T3 - Signing coins. Balancing account. Transfer of signed coins.

T4 - Signing of change. Balancing account.

T5 - Request for terminating checking session.


Implementation

The protocols described in this paper have been developed during a diploma thesis work by Audun Josang <2>. They are implemented on a small Token Ring network at the premises of the University of Trondheim, Norwegian Institute of Technology, using IBM AT personal computers as home terminal, POS terminal and banks. The personal computers have extra cards installed for the Token Ring communication and for the arithmetic functions needed to do the RSA calculations with reasonable speed. All programs are written in the C programming language. The implementation has shown, although on a small scale, that it is quite feasible to realize this kind of payment system with today's technology. The only assumption resting upon further development is that the smart card will have more memory and the ability to do some straightforward arithmetic operations. This assumption is believed to be met in the near future.

<1> David Chaum: Privacy Protected Payments. Unconditional payer and/or payer untraceability. Offprint.

<2> Audun Josang: Transaksjonssystemer som skjuler identitet. NTH Diploma thesis 1987. (in Norwegian)

Fig. 1. a) Filling an empty card b) Refilling a used card

Fig. 2. Ordinary payment (with change)

Fig. 3. Attempted payment with false or invalid money

Fig. 4. Money used. Card able to pay

Fig. 5. False or invalid coins. Transaction terminated.

A PRACTICAL ZERO-KNOWLEDGE PROTOCOL FITTED TO SECURITY MICROPROCESSOR MINIMIZING BOTH TRANSMISSION AND MEMORY

Louis C. Guillou 1) and Jean-Jacques Quisquater 2)

1) Centre Commun d'Etudes de Télédiffusion et Télécommunications CCETT, BP 59, F-35512 Cesson-Sévigné Cédex, France

2) Philips Research Laboratory Brussels, Avenue Van Becelaere 2, B-1170 Brussels, Belgium. E-mail: [email protected]

ABSTRACT

Zero-knowledge interactive proofs are very promising for the problems related to the verification of identity. After their (mainly theoretical) introduction by S. Goldwasser, S. Micali and C. Rackoff (1985), A. Fiat and A. Shamir (1986) proposed a first practical solution: the scheme of Fiat-Shamir is a trade-off between the number of authentication numbers stored in each security microprocessor and the number of witness numbers to be checked at each verification.

This paper proposes a new scheme which requires the storage of only one authentication number in each security microprocessor and the check of only one witness number. The needed computations are only 2 or 3 more than for the scheme of Fiat-Shamir.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 123-128, 1988. © Springer-Verlag Berlin Heidelberg 1988


1 INTRODUCTION

Interactive proofs and zero-knowledge protocols were recently introduced (Goldwasser, Micali and Rackoff, 1985). These concepts are very interesting but, at the moment, it is not possible to imagine such protocols in very small components (security microprocessors, tamper-free devices, smart cards, etc.).

A new method based on these concepts was found by Fiat and Shamir (1986) and is very promising. But the main problems are the number of iterations (interactions between the prover and the verifier) and/or the memory needed by the prover. We propose an optimization of this protocol where we attain very few steps (3 steps, that is, one iteration) and low memory. The price to pay is longer computations.

Before explaining the new protocol, we need some definitions. We recall also the basic protocol of Fiat-Shamir.

2 DEFINITIONS: SHADOWS AND IMPRINTS FOR (RSA-BASED) SIGNATURES

- Shadow: One first completes a short message (half the length of the public modulus n) with a similar-sized redundancy, named shadow, then extracts the vth root of this element in the chosen ring based on the composite integer n. The composition of these two consecutive operations is the secret operation S. The vth power of a random element has a negligible probability of being shadowed. This method with shadow produces credentials, the most compact signatures. Due to the multiplicative properties of RSA, the shadow must not be expressed multiplicatively in terms of the message.

- Imprint: Rather than signing long messages as chained blocks, one first uses a hash function to compute an imprint (shorter than n) of message M, then extracts as appendix H the vth root of this imprint h. The composition of these two consecutive operations now is the secret operation S. The hash function must be one-way, such that it is infeasible to construct collisions of equivalent messages.


3 THE BASIC PROTOCOL OF FIAT AND SHAMIR

Let us remember that one must use the factorization of n in order to extract efficiently a vth root (such as a credential $A = X^{1/v} \bmod n$) in the ring of integers modulo n. The verification of such a credential reveals an element X carrying some identification data reflected by a redundant shadow. Let us name x the identification data, and X the resulting shadowed identity.

Suppose there exists a security device able to pick values at random and to multiply numbers modulo n (with about 512 bits) in a fast way. Each device receives from some trusted authority an authentication value A related to x using the method just described.

To authenticate such a processor claiming identification data x, the verifier negotiates a transaction with this device by repeating 20 to 30 times the elementary sequence described in the following paragraph. The number of iterations is a security parameter which exponentially limits the chances of a cheater.

The elementary sequence is (here v = 3):

- The processor picks at random an element r in the ring (1 < r < n − 1), raises it to the cube ($r^3 \bmod n$), and sends this cube to the verifier as a test T with the identity x.

- The verifier tosses a coin and transmits the outcome as a question q: head or tail.

- The processor transmits as witness t either the element r for head, or the product $r \cdot A \bmod n$ for tail. The verifier raises this witness t to the cube mod n in order to reveal, according to head or tail, either the test T, or its product mod n by the shadowed identity X.

Each successful exchange increases the verifier's confidence, because the value of credential A is needed to produce simultaneously the two values of witness t, while the first error reveals an unlucky cheater. Provers and verifiers make use of similar computing resources; they are both using the same composite number n. This method may, as well, be reversed. This method may use any exponent in place of the cube, with some caution for the square.

This was a first version of the method; various optimizations are possible, and some are already published. The next section will show a very interesting new version.

This zero-knowledge interactive procedure of demonstration leads to the emergence of new methods of signature, by replacing the random role of the verifier by a deterministic function, accepted by everybody, and difficult to invert, that is to say a one-way function. This is a summary of a method due to Fiat and Shamir (for security reasons, k, the equivalent number of elementary iterations, is now about 60 so as to avoid forgery of signed messages). Our new method is also possible for this scheme of signature (see forthcoming paper: same authors).

4 THE NEW PROTOCOL: A DEEP VERSION

In this version, each security device with identity I receives an authentication value B (the inverse of A modulo n) computed by some authority from

$$A = J^{1/v} \bmod n$$

where J is the shadowed identity I; the factorization of n is only known by the authority.

The composite integer n (à la RSA) is distributed to everybody. Here is the complete protocol for one verification:

- The processor picks at random an element r in the ring (1 < r < n − 1), computes $r^v \bmod n$, and sends the result to the verifier as a test T (or at least a part of the result) with the identity I.

- The verifier "tosses" a "deep" coin with integer values between 0 and v − 1 and transmits the outcome as a question d.

- The processor transmits as witness t:

$$t = r \cdot B^d \bmod n$$

- The verifier computes

$$J^d \cdot t^v \bmod n$$

and compares it with the given bits of T. In this version, there is only one exchange between the prover and the verifier (after the sending of the witness) and only one authentication value needed in the security device!

Let us precisely evaluate the possibilities of a cheater. By definition, a cheater does not know B.

- If a cheater guesses the question d, he can pick at random any new witness number t and then deduce the corresponding test number T by computing exactly as the verifier will do. There is an evident winning strategy for any lucky guesser.

- When the test number T has been transmitted to the verifier, let us evaluate the situation of a cheater which would be able to propose two witness numbers t' and t'' for two different questions d' and d''. The following short technical demonstration proves that such a cheater would no longer be a cheater, because he could easily deduce the authentication number B from any pair (t', t'') of such witness numbers.

Proof of security. By hypothesis, $0 \le d'' < d' \le v - 1$.

Let us write the equation:

$$J^{d'} \cdot t'^{\,v} \bmod n = J^{d''} \cdot t''^{\,v} \bmod n,$$

which may be transformed into:

Let us notice that $d' - d''$ is a positive integer, smaller than v, and prime with v (because v is prime). So, there exists a unique pair of positive integers k and m, in the range from 1 to v − 1, currently named Bezout coefficients of v and $d' - d''$, easily computed by the Euclidean algorithm, such that

$$m \cdot v - k \cdot (d' - d'') = 1.$$

Let us raise the last equation to the power k and substitute: thus,

Q.E.D. At each use of the procedure, a cheater has exactly one chance in v to fool the verifier. The verifier has exactly v − 1 chances in v to defeat a cheater. After the procedure, the verifier has essentially learned nothing about the authentication value B because he cannot distinguish between an honest user and a very very lucky cheater.
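As an added example (not from the paper), the following Python code runs one round of the protocol above with a toy modulus, measures the success rate of a prover who does not know B and merely guesses d, and carries out the extraction argument of the security proof: from two witnesses $t'$, $t''$ to different questions on the same test $T$, the Bezout coefficients $m, k$ with $m v - k(d' - d'') = 1$ give $A = J^m (t'/t'')^k \bmod n$ and hence $B$. The modulus $61 \cdot 53$, the exponent $v = 7$ and the identity $J$ are constructed values, the function names are mine, and the closed-form extraction step is my working-out of the sketch, not text from the paper.

```python
"""Added example (not from the paper): one round of the v-root identification
protocol with a toy modulus, a guessing cheater, and knowledge extraction from two
witnesses.  All parameters are constructed; n = 61 * 53 is far too small for use."""
import secrets

N = 3233            # constructed toy modulus n = 61 * 53
PHI = 60 * 52       # phi(n), known only to the authority
V = 7               # prime exponent v with gcd(v, phi(n)) = 1, so v-th roots are unique


def authority_issue(J):
    """Authority: A = J^{1/v} mod n using the factorization; the device stores B = A^{-1}."""
    A = pow(J, pow(V, -1, PHI), N)
    assert pow(A, V, N) == J % N
    return pow(A, -1, N)


def prover_commit():
    """Processor picks r, 1 < r < n - 1, and sends the test T = r^v mod n."""
    r = secrets.randbelow(N - 3) + 2
    return r, pow(r, V, N)


def prover_respond(r, B, d):
    """Witness t = r * B^d mod n for the question d in [0, v-1]."""
    return r * pow(B, d, N) % N


def verifier_check(J, T, d, t):
    """Verifier: J^d * t^v mod n must reproduce the test T."""
    return pow(J, d, N) * pow(t, V, N) % N == T


def run_round(J, B, d):
    """One honest round for a given question d; returns the verifier's verdict."""
    r, T = prover_commit()
    return verifier_check(J, T, d, prover_respond(r, B, d))


def extract_B(J, d1, t1, d2, t2):
    """Given witnesses t1, t2 to questions d1 > d2 on the same test T, recover B.
    With m*v - k*(d1-d2) = 1 (Bezout), J = (J^m * (t1/t2)^k)^v, so the bracket is A."""
    delta = d1 - d2
    k = (-pow(delta, -1, V)) % V       # 1 <= k <= v-1
    m = (1 + k * delta) // V           # 1 <= m <= v-1
    assert m * V - k * delta == 1
    ratio = t1 * pow(t2, -1, N) % N    # equals B^{d1-d2} for an honest transcript
    A = pow(J, m, N) * pow(ratio, k, N) % N
    return pow(A, -1, N)


def cheater_success_rate(J, trials=2000):
    """Prover without B: guesses d*, picks t, sets T = J^{d*} t^v.  Wins iff d == d*,
    i.e. with probability 1/v, which is the bound stated in the text."""
    wins = 0
    for _ in range(trials):
        guess = secrets.randbelow(V)
        t = secrets.randbelow(N - 3) + 2
        T = pow(J, guess, N) * pow(t, V, N) % N
        d = secrets.randbelow(V)
        wins += verifier_check(J, T, d, t)
    return wins / trials


if __name__ == "__main__":
    J = 1234                          # constructed shadowed identity
    B = authority_issue(J)
    print("honest rounds:", all(run_round(J, B, d) for d in range(V)))
    print("cheater rate ~1/7:", cheater_success_rate(J))
```

The extraction step is why a single round with a large v suffices: a device that could answer two distinct questions on one test T would be computing B, so anyone without B is limited to the 1/v guessing strategy.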


No repetition of the procedure is needed as long as the size of the exponent v is sufficient to reach directly the level of security requested by the application. It is easy to specify: ten to sixteen bits for a local authentication, twenty to thirty bits for a remote authentication, and at least sixty bits for signature schemes based upon non-interactive zero-knowledge techniques.

The complete paper will give more explanations about the number of operations, which is related to the size of v.

A paper by Shamir (1984) uses a similar function but in a very different context.

REFERENCES

1. Gilles Brassard, David Chaum and Claude Crépeau, Minimum disclosure proofs of knowledge, July 1987.

2. Amos Fiat and Adi Shamir, How to prove yourself: practical solutions to identification and signature problems. Springer-Verlag, Lecture Notes in Computer Science, No 263, Advances in Cryptology, Proceedings of CRYPTO '86, pp. 186-194, 1987.

3. Shafi Goldwasser, S. Micali and C. Rackoff, The knowledge complexity of interactive proof systems, 17th ACM Symposium on Theory of Computing, 1985, pp. 291-304.

4. Oded Goldreich, Silvio Micali and Avi Wigderson, Proofs that yield nothing but the validity of the proof, Workshop on Probabilistic Algorithms, Marseille, March 1986.

5. Adi Shamir, Identity-based cryptosystems and signature schemes, Springer-Verlag, Lecture Notes in Computer Science, No 196, Advances in Cryptology, Proceedings of CRYPTO '84, pp. 47-53, 1985.

GENERALIZED BIRTHDAY ATTACK

Marc Girault 1), Robert Cohen 2), Mireille Campana 2)

1) SEPT, 42 rue des Coutures, BP 6243, 14066 Caen-Cedex, France

2) CNET Paris-A TIM, 38-40 rue du Général Leclerc, 92131 Issy-Les-Moulineaux, Paris, France

ABSTRACT

We generalize the birthday attack presented by Coppersmith at Crypto'85 which defrauded a Davies-Price message authentication scheme. We first study the birthday paradox and a variant for which some convergence results and related bounds are provided. Secondly, we generalize the Davies-Price scheme and show how the Coppersmith attack can be extended to this case. As a consequence, the case p=4 with DES (important when RSA with a 512-bit modulus is used for signature) appears not to be secure enough.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 129-156, 1988. © Springer-Verlag Berlin Heidelberg 1988


INTRODUCTION

The public-key algorithms, which appeared in 1976 [1], permit among other things the attachment of digital signatures to messages. These signatures are generally produced in two steps. Firstly, the message is condensed (or hashed) into a short value: the imprint. Secondly, the secret function of a public-key digital signature scheme (for example RSA [2] or its variants) is applied to the imprint. This method of producing signatures is particularly convenient when the messages are long, because it would take too much time to apply the secret function to the entire message.

The main problem is to design hash-functions which are both efficient to compute and cryptographically secure. The first point can be achieved by using (properly) a secret-key block-cipher algorithm for which fast chips already exist (for example DES [3]). The second point requires the hash-function to be collision-free, i.e. it must be computationally infeasible to find distinct messages which hash to the same value. For if such messages were found, then a fraudster could, in an undetected manner, replace a properly signed message with another bogus one which has the same imprint (and hence the same signature).

Some general attacks on hash-functions have been described in the cryptanalytic literature [4]. Some of them (Yuval's attack [5], meet-in-the-middle attack [6]) are closely related to the famous "birthday paradox" and its variants. This paradox can be stated as follows: let r be the number of pupils in a classroom and let q(r) be the probability that at least two pupils of this classroom have the same birthday; what is the minimal value of r such that $q(r) \ge 1/2$? The answer is 23, much smaller than the value usually suggested by intuition (at least ours).

A variant of the birthday paradox is as follows: let r be the number of pupils in each of two different classrooms and let p(r) be the probability that at least two pupils belonging to different classrooms have the same birthday; what is the minimal value of r such that $p(r) \ge 1/2$? The answer is now 17, but is somewhat more complicated to calculate, due to the fact that each classroom may itself contain some "twins".

In [7], Rabin introduced an efficient hash-function based on DES. However, it was later shown that this scheme was subject to a meet-in-the-middle attack. In order to thwart such an attack, Davies & Price have proposed an improvement to the Rabin scheme, which consists of repeating the message twice [8] (or, by extension, using two initializing values and passing the message twice), but the new schemes were broken by Coppersmith [6], using a "triple birthday attack".

This paper aims at extending the Coppersmith attack to a general scheme using p initializing values and passing the message p times. It is organized in two main and almost independent parts: we first present a rigorous approach to the birthday paradox and its variant. We show in particular that, in both cases and under particular assumptions, the probability distribution of the number of "coincidences" converges towards a Poisson distribution, and we provide bounds for the error committed when using this limit to approximate a probability or a frequency distribution.

Secondly, we use these approximations to prove by induction that the Coppersmith attack can be extended to break the general scheme and we provide the number of "constrained" message blocks and the running time as a function of the number of initializing values.

As a consequence, the 4-pass Davies-Price scheme with DES appears not to be secure enough (Coppersmith already claimed it for the 3-pass scheme but without details). This result is particularly important when the imprint is obtained by concatenating the initializing values and the end-values. For, in that case, p=4 is the maximum number of possible passes if the modulus length of the signer is equal to 512 bits (a very usual length).


PART I: THE BIRTHDAY PARADOX

This part provides a rigorous analysis of the birthday paradox and its variant, as stated in the introduction. After having defined some symbols and recalled some classical results (section 1), we calculate (section 2) the exact probability to find i "coincidences" in:

a) a sample of size r drawn from a set of n elements with replacement (initial birthday problem);

b) two samples of sizes r and s drawn from a set of n elements without replacement; and finally,

c) two samples of sizes r and s drawn from a set of n elements with replacement (variant of the birthday problem). (The calculation of the last probability is a combination of the two previous ones.)

The asymptotical behaviour of these probabilities is then examined (section 3) in a particular but important case: $r^2/2n$, $s^2/2n$ and $rs/n$ have finite limits when $r, s, n \to +\infty$. For each problem, the limit distribution is shown to be a Poisson distribution, and this convergence is illustrated by some numerical results (section 4). Moreover, we provide very small bounds for the difference between a probability (or a frequency distribution) and its limit. This permits us to give some precise results (section 5) which will be used in the cryptanalysis of Part II.

1.1 SYMBOLS AND DEFINITIONS

Let us define some symbols:

- $E_r$ is the symbol for a sample of size r (drawn with or without replacement)
- $|E|$ denotes the number of elements of the set E


- $\binom{n}{k}$ is the notation for the binomial coefficient $\dfrac{n!}{(n-k)!\,k!}$
- let Q(x,y) be a quantity depending on x and y. Let L be a set of limit conditions on x and y. We denote by L-lim Q(x,y) the limit of Q(x,y) when the conditions of L are satisfied
- the probability of the occurrence of the natural integer k in a Poisson distribution with parameter $\lambda$ is equal to:

$$\mathcal{P}_\lambda(k) = e^{-\lambda}\,\frac{\lambda^k}{k!}$$

- the frequency distribution at $\alpha$ of a Poisson distribution with parameter $\lambda$ is equal to:

$$F_\lambda(\alpha) = \sum_{k=0}^{\alpha} e^{-\lambda}\,\frac{\lambda^k}{k!}$$

Let us recall that in the discrete case, and when all the possible events are equally probable, the probability P(E) of an event E is given by the ratio of the number of favorable events N(E) to the number of possible events N:

$$P(E) = \frac{N(E)}{N}$$

When drawings are made with replacement from a population of size n, we define the number of coincidences as the difference between the number of drawings and the number of distinct elements that have been drawn.

1.2 CALCULATION OF PROBABILITY

The meet-in-the-middle attack is related to the following problem, a variant of the birthday problem:

The drawing with replacement of r elements from a population of size n yields a first sample $E_r$. The drawing with replacement of s elements from the same population of size n yields a second sample $E_s$. What is the probability that exactly i elements belong to the two samples?

The probability $P(|E_r \cap E_s| = i)$ that there are i distinct elements in the intersection of the two samples is denoted by P(n,r,s,i) and is equal to:

$$P(n,r,s,i) = P\Big(\bigcup_{k=0}^{r-i}\bigcup_{l=0}^{s-i}\{|E_r| = r-k,\ |E_s| = s-l,\ |E_r \cap E_s| = i\}\Big)$$

$$= \sum_{k=0}^{r-i}\sum_{l=0}^{s-i} P(|E_r \cap E_s| = i \mid |E_r| = r-k,\ |E_s| = s-l)\; P(|E_r| = r-k,\ |E_s| = s-l)$$

$$= \sum_{k=0}^{r-i}\sum_{l=0}^{s-i} P(|E_r \cap E_s| = i \mid |E_r| = r-k,\ |E_s| = s-l)\; P(|E_r| = r-k)\; P(|E_s| = s-l)$$

(the last equality stands since the drawings are independent). Hence,

$$P(n,r,s,i) = \sum_{k=0}^{r-i}\sum_{l=0}^{s-i} Q(n,r,k)\, H(n,r-k,s-l,i)\, Q(n,s,l)$$

where:
- $Q(n,r,k) = P(|E_r| = r-k)$ denotes the probability that k coincidences occur in the sample with replacement of r drawings from a population of size n,
- $H(n,r-k,s-l,i) = P(|E_r \cap E_s| = i \mid |E_r| = r-k,\ |E_s| = s-l)$ is the probability that exactly i distinct elements have been drawn in the two (independent) samples (drawn with replacement, of respective sizes r and s) with respectively r-k and s-l distinct elements; in other words, H(n,r-k,s-l,i) is the probability that the intersection of two independent samples drawn without replacement, of respective sizes r-k and s-l, is made up of exactly i distinct elements.

1.2.1 EVALUATION OF PROBABILITY H

We first evaluate H(n,r,s,i). The problem can be stated as follows:

The drawing without replacement of r elements from a population of size n yields a first sample $E_r$. The drawing without replacement of s elements from the same population of size n yields a second sample $E_s$. What is the probability that the intersection of the two samples is made up of exactly i elements?

The first sample yields r distinct elements drawn from n elements. Thus, i elements are drawn from among the r elements of the first sample and s-i among the n-r elements that have not been drawn. The probability distribution is the hypergeometric distribution:

1.2.2 EVALUATION OF PROBABILITY Q

We now evaluate Q(n,r,c), related to the birthday problem. The drawing with replacement of r elements from a population of size n yields a sample $E_r$. What is the probability Q(n,r,c) that c coincidences occur in the sample?

The probability Q(n,r,c) is equal to the ratio of the number of favorable events to the number of possible events. If $r > n$ and $c < r-n$ then Q(n,r,c) = 0. If $r \le n$, or if $r \ge n$ and $c \ge r-n$, then:
- the number of samples with replacement of size r drawn from a set of size n is equal to $n^r$,
- the r-c distinct elements drawn from among the n elements can be chosen in $\binom{n}{r-c}$ ways,
- the c coincidences are drawn from among the r-c elements. We choose from among the r drawings of the sample $a_1$ ones which correspond to the element no. 1, then $a_2$ ones from among the remaining $r-a_1$ which correspond to the element no. 2, etc. up to the r-c distinct elements of the sample. There are $\binom{r}{a_1}\binom{r-a_1}{a_2}\cdots$ such choices, where $(a_1,\dots,a_{r-c})$ is an (r-c)-vector of the set $\mathcal{A} = \{(a_1,\dots,a_{r-c}),\ \text{with } c+1 \ge a_j \ge 1 \text{ for all } j,\ \text{having a sum equal to } r\}$. The product of these binomial coefficients can be simplified as: $\dfrac{r!}{a_1!\cdots a_{r-c}!}$

The number of favorable events is obtained by taking the sum over the set $\mathcal{A}$. Therefore the probability is:

Remarks:

a) By direct computation, the probability that r distinct elements are drawn is also equal to the ratio of the $n(n-1)\cdots(n-r+1)$ favorable events to the $n^r$ possible events. Hence:

$$Q(n,r,0) = \frac{n!}{(n-r)!\,n^r}$$

For the "birthday paradox", this formula yields the number r: for n=365, r=23 is the lowest integer such that Q(365,r,0) < 0.5.

b) Using, as in [9], the Poincaré formula, one obtains a formula which is easier to program. Let $A_k$ denote the event "the element k is not drawn". Then the event "r-c elements in the sample $E_r$" can be written as:

$$\{|E_r| = r-c\} = \bigcup_{(i_1,\dots,i_n)\in\mathcal{P}_{r-c}} \Big(\bigcap_{j \le r-c} A_{i_j}^{c} \cap \bigcap_{j > r-c} A_{i_j}\Big)$$

where $\mathcal{P}_{r-c}$ is the set, having $\binom{n}{r-c}$ elements, of partitions of $\{1,\dots,n\}$ in sets of r-c and n-r+c elements. Using the relation $P(A \cap B) = P(A \mid B)\,P(B)$, it follows:

The second term is easy to compute; for the first one we can use the Poincaré formula, since $P(A^c \cap B^c) = 1 - P(A \cup B)$.

Since the probability does not depend on the partition of $\{1,\dots,n\}$, it follows that:

This formula differs from the one of [9] because the definitions of the coincidences are not the same.

1.3 ASYMPTOTICAL BEHAVIOUR

We now study the asymptotical behaviour of P(n,r,s,i) when $r^2/2n \to \lambda$, $s^2/2n \to \mu$, $rs/n \to \nu$, $r,s,n \to +\infty$. We show that Q(n,r,c) converges towards a Poisson distribution with parameter $\lambda$.

Combining this result with the well-known convergence of the hypergeometric distribution of parameters n,r,s towards a Poisson distribution with parameter $\nu$, we finally prove that P(n,r,s,i) converges also towards this distribution. In other words, the number of elements belonging to both $E_r$ and $E_s$ is only slightly dependent on the fact that the samples have been drawn with or without replacement. This is due to the fact that we expect a very small number (about $\lambda$) of coincidences inside each sample.

Before starting, we recall that for any natural integer I and when $N, K \to +\infty$: if $K^3/N^2 \to 0$ then

$$\frac{N!}{(N-K)!} \sim N^{K}\, e^{-K^2/2N} \qquad\text{and}\qquad \frac{N!}{(N-K+I)!} \sim N^{K-I}\, e^{-K^2/2N}$$

More precisely, one can prove that, for $K/N < 1/2$:

$$e^{-\frac{K^2}{2N} + \frac{K}{2N} - \frac{K^3}{3N^2}} \;\le\; \frac{N!}{(N-K)!\,N^K} \;\le\; e^{-\frac{K^2}{2N} + \frac{K}{2N}} \qquad (1)$$

1.3.1 THE CONVERGENCE OF H

If $\{rs/n \to \nu,\ r,s,n \to +\infty\}$, it is well known [9] that the limit distribution of H(n,r,s,·) is a Poisson distribution:

$\forall i$ fixed, if $rs/n \to \nu$ for $r,s,n \to +\infty$, then $H(n,r,s,i) \to \mathcal{P}_\nu(i)$

In particular, $H(n,r,s,0) \to e^{-\nu}$.

Remark:

In order to obtain bounds on the error for the probability P(n,r,s,i) with respect to the Poisson distribution with parameter $\nu = rs/n$, we first need to compute bounds relatively to H(n,r,s,i). Using the inequality (1), we obtain:

Therefore the error on the frequency distribution function $\mathcal{F}$, related to H, with respect to the frequency distribution function $F_\nu$, related to the Poisson distribution with parameter $\nu = rs/n$, is:

$$|\mathcal{F}(\alpha) - F_\nu(\alpha)| \le \frac{r+s}{rs}\,\alpha^2 + \frac{3(r+s)}{n}\,\alpha + \frac{sr^2 + rs^2}{n^2}$$

Example: If $n = 2^{64}$, $r = s = 2^{36}$ (so $\nu = 256$), the bound above applies to $|\mathcal{F}(256) - F_{256}(256)|$.


1.3.2 THE CONVERGENCE OF Q

We study here the asymptotical behaviour of Q(n,r,c) if $r^2/2n \to \lambda$ when $r, n \to +\infty$.

The most important part of Q(n,r,c) comes from the event "there are only pairs of coincidences". We wish to evaluate the contribution of every configuration of coincidences. Remember that:

We are going to divide $\mathcal{A}$ into some interesting subsets. In an element $a$ of $\mathcal{A}$, at most c components are not equal to 1 (if there are exactly c such components, then $a_j = 2$ for every such index and the others are equal to 1).

Let $a$ be an (r-c)-vector of $\mathcal{A}$ with k components which are not equal to 1. As the product $a_1!\cdots a_{r-c}!$ is invariant by permutation, the ratio $r!/(a_1!\cdots a_{r-c}!)$ appears in the sum once for each placement of these k components among the r-c positions. So

where $\mathcal{A}_c^k = \{(a_1,\dots,a_k) \in \{2,\dots,c+1\}^k;\ \sum_{j=1}^{k} a_j = c+k,\ \text{and } a_1 \le \dots \le a_k\}$.

For c fixed, and $k < c$, $\dfrac{r!}{(r-c-k)!} \sim r^{c+k}$ when $r \to +\infty$. Hence:

$$Q(n,r,c) \sim \frac{n!}{n^r\,(n-r+c)!}\cdot\frac{\gamma_c\, r^{2c}}{c!} \qquad\text{with } \gamma_c = \frac{1}{2!\cdots 2!} = 2^{-c}$$

for the c-vector defined by $a_j = 2$, $j = 1,\dots,c$, which is the only element of $\mathcal{A}_c^c$.

Finally, using obvious notation:

$$Q(n,r,c) = \frac{n!}{n^r\,(n-r+c)!}\cdot\frac{r^{2c}}{2^c\, c!}\,(1 + \varepsilon)$$

Hence the convergence:

$\forall c$ fixed, if $r^2/2n \to \lambda$ for $r,n \to +\infty$, then $Q(n,r,c) \to \mathcal{P}_\lambda(c)$

The limit is a Poisson distribution with parameter

$$\lambda = \lim_{r,n \to +\infty} \frac{r^2}{2n}$$

Remarks:

a) The probability of the event "at least a coincidence is not a pair" can be dominated by the probability of the event "an element is drawn at least three times", that is about $r^3/6n^2$, so:

$$\sum_{c \ge 1}\Big(Q(n,r,c) - \frac{n!\, r!}{n^r\,(n-r+c)!\,(r-2c)!\,2^c\, c!}\Big) \le \frac{r^3}{6n^2}$$

b) Using the inequality (1), we obtain the inequality on Q(n,r,c) related to the Poisson distribution $\mathcal{P}_\lambda$ with parameter $\lambda = r^2/2n$:

We can evaluate the precision of approximation of the frequency distribution F of the Q distribution by the frequency distribution $F_\lambda$ of the Poisson distribution with parameter $\lambda = r^2/2n$:

$$|F(\alpha) - F_\lambda(\alpha)| \le \frac{\alpha^2}{r} + \frac{3r}{n}\,\alpha + \frac{r^3}{3n^2}$$

Example: If $n = 2^{64}$, $r = 2^{36}$ (so $\lambda = 128$), the bound above applies to $|F(256) - F_{128}(256)|$.

1.3.3 THE CONVERGENCE OF P(n,r,s,i)

Let L be the set of conditions $r^2/2n \to \lambda$, $s^2/2n \to \mu$, $r,s \to +\infty$, $n \to +\infty$. We study the L-limit of:

$$P(n,r,s,i) = \sum_{k=0}^{r-i}\sum_{l=0}^{s-i} Q(n,r,k)\, H(n,r-k,s-l,i)\, Q(n,s,l)$$

1) Using (1) we obtain the following bounds for H(n,r-k,s-l,i):

$$H(n,r,s,i)\,\varphi_1(n,r,s,i,k,l) \;\le\; H(n,r-k,s-l,i) \;\le\; H(n,r,s,i)\,\varphi_2(n,r,s,i,k,l)$$

where $\varphi_1$ and $\varphi_2$ are explicit products of exponential factors in n, r, s, i, k and l. For k and l fixed, we have:

$$L\text{-}\lim\, \varphi_1(n,r,s,i,k,l) = L\text{-}\lim\, \varphi_2(n,r,s,i,k,l) = 1.$$

2) Since the terms of the sum are positive, for $\alpha$ and $\beta$ fixed:

$$P(n,r,s,i) \ge \sum_{k=0}^{\alpha}\sum_{l=0}^{\beta} Q(n,r,k)\, H(n,r-k,s-l,i)\, Q(n,s,l) \ge H(n,r,s,i)\,\varphi_1(n,r,s,i,\alpha,\beta) \sum_{k=0}^{\alpha}\sum_{l=0}^{\beta} Q(n,r,k)\, Q(n,s,l)$$

Taking the L-limit:

$$L\text{-}\lim\, P(n,r,s,i) \ge L\text{-}\lim\, H(n,r,s,i)\; F_\lambda(\alpha)\, F_\mu(\beta)$$

3) The double sum is broken into four parts, and we over-estimate H(n,r-k,s-l,i) by 1 (it is a probability) for $k \ge \alpha$ or $l \ge \beta$, and by a function of H(n,r,s,i) for the last double sum. Therefore, up to the over-estimated parts, P(n,r,s,i) is bounded above by:

$$H(n,r,s,i)\,\varphi_2(n,r,s,i,\alpha,\beta) \sum_{k=0}^{\alpha}\sum_{l=0}^{\beta} Q(n,r,k)\, Q(n,s,l)$$

By taking the L-limit, we get:

4) If $\alpha$ and $\beta$ tend to $+\infty$, the frequency distributions tend to 1 and the probabilities of drawings with or without replacement are identical:

$$L\text{-}\lim\, P(n,r,s,i) = L\text{-}\lim\, H(n,r,s,i)$$

If we add to L the condition $rs/n \to \nu$ of I.3.1, we get:

$\forall i$ fixed, if $r^2/2n \to \lambda$, $s^2/2n \to \mu$, $rs/n \to \nu$ for $r,s,n \to +\infty$, then $P(n,r,s,i) \to \mathcal{P}_\nu(i)$

The limit is a Poisson distribution of parameter $\lim_{r,s,n \to +\infty} rs/n$. In particular for $r = s = k\sqrt{n}$, we get a Poisson distribution with parameter $k^2$.

Remark:

Using the bounds on H, together with the previous inequalities, we obtain that the lower bound for P(n,r,s,i) is:

and the upper bound is:

where here $F_r$ is the frequency distribution of the Q(n,r,·) distribution, and for arbitrary $\alpha$ and $\beta$.


1.4 NUMERICAL RESULTS

Some values of Q(n,r,c) and P(n,r,s,i) have been computed using the formulas of §1.2 (the formula used for Q was taken from remark b of §1.2.2). The numerical results illustrate the convergences when $r = s = \sqrt{n}$. The corresponding values of the Poisson distribution with parameter 0.5 and 1 are given for comparison.

         Q(100,10,c)   Q(256,16,c)   Q(625,25,c)   P_0.5(c)
c = 0      0.628         0.619         0.611         0.607
c = 1      0.310         0.308         0.307         0.303
c = 2      0.056         0.064         0.068         0.076
c = 3      0.004         0.007         0.009         0.013
c = 4      0.000         0.000         0.000         0.002
c = 5      0.000         0.000         0.000         0.000

         P(100,10,10,i)   P(256,16,16,i)   P(625,25,25,i)   P_1(i)
i = 0      0.366            0.367            0.365            0.368
i = 1      0.405            0.391            0.379            0.368
i = 2      0.179            0.182            0.182            0.184
i = 3      0.041            0.049            0.053            0.061
i = 4      0.005            0.008            0.010            0.015
i = 5      0.000            0.001            0.001            0.003
i = 6      0.000            0.000            0.000            0.001
i = 7      0.000            0.000            0.000            0.000
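The quantities tabulated above can be recomputed exactly. The following Python program is an added worked example and is not code from the paper: it evaluates Q(n,r,c) by counting favourable sequences (the sum over the compositions of section 1.2.2 is collapsed into a Stirling number of the second kind, an identity assumed by this example rather than taken from the paper), the hypergeometric H(n,r,s,i) of section 1.2.1 and the double sum P(n,r,s,i) of section 1.2, all in exact rational arithmetic, next to the Poisson values of the limit.

```python
"""Exact birthday-paradox probabilities Q, H and P of Part I (added example).

Q(n, r, c): c coincidences in r draws with replacement from n elements.
H(n, r, s, i): two samples of r and s distinct elements share exactly i.
P(n, r, s, i): two samples *with* replacement share exactly i distinct values.
"""
from fractions import Fraction
from functools import lru_cache
from math import comb, exp, factorial


@lru_cache(maxsize=None)
def stirling2(m: int, k: int) -> int:
    """Stirling number of the second kind S(m, k): partitions of m labelled
    draws into k non-empty blocks. Assumption of this example: the paper's
    sum over the compositions (a_1, ..., a_{r-c}) of r!/(a_1! ... a_{r-c}!)
    equals (r-c)! * S(r, r-c), the number of surjections onto r-c elements."""
    if m == k:
        return 1
    if k == 0 or k > m:
        return 0
    return k * stirling2(m - 1, k) + stirling2(m - 1, k - 1)


@lru_cache(maxsize=None)
def Q(n: int, r: int, c: int) -> Fraction:
    """Exactly c coincidences (r - c distinct values) among r draws with
    replacement from n: favourable sequences over the n^r possible ones."""
    d = r - c                       # number of distinct elements drawn
    if d < 1 or d > min(n, r):      # e.g. r > n forces at least r - n coincidences
        return Fraction(0)
    favourable = comb(n, d) * factorial(d) * stirling2(r, d)
    return Fraction(favourable, n ** r)


def H(n: int, r: int, s: int, i: int) -> Fraction:
    """Hypergeometric law of section 1.2.1: i of the s distinct elements of the
    second sample fall among the r distinct elements of the first one."""
    if i < 0 or i > min(r, s) or s - i > n - r:
        return Fraction(0)
    return Fraction(comb(r, i) * comb(n - r, s - i), comb(n, s))


def P(n: int, r: int, s: int, i: int) -> Fraction:
    """Double sum of section 1.2: condition on the k and l coincidences inside
    each sample, then the intersection follows the hypergeometric law."""
    total = Fraction(0)
    for k in range(0, r - i + 1):
        for l in range(0, s - i + 1):
            total += Q(n, r, k) * H(n, r - k, s - l, i) * Q(n, s, l)
    return total


def poisson(lam: float, k: int) -> float:
    """Poisson probability P_lambda(k) = e^-lambda lambda^k / k!."""
    return exp(-lam) * lam ** k / factorial(k)


def birthday_threshold(n: int = 365) -> int:
    """Smallest r with Q(n, r, 0) < 1/2, i.e. a coincidence is more likely
    than not (remark a of section 1.2.2 gives 23 for n = 365)."""
    r = 1
    while Q(n, r, 0) >= Fraction(1, 2):
        r += 1
    return r


def q_table(cases=((100, 10), (256, 16), (625, 25)), c_max: int = 5):
    """Rows c = 0..c_max of the first table of section 1.4: Q(n, r, c) for each
    (n, r) with r = sqrt(n), next to the Poisson value of parameter r^2/2n."""
    lam = cases[0][1] ** 2 / (2 * cases[0][0])          # 0.5 for r = sqrt(n)
    return [[float(Q(n, r, c)) for n, r in cases] + [poisson(lam, c)]
            for c in range(c_max + 1)]


def p_table(cases=((100, 10), (256, 16), (625, 25)), i_max: int = 7):
    """Rows i = 0..i_max of the second table: P(n, r, r, i) next to P_1(i)."""
    return [[float(P(n, r, r, i)) for n, r in cases] + [poisson(1.0, i)]
            for i in range(i_max + 1)]


if __name__ == "__main__":
    print("birthday threshold for n=365:", birthday_threshold())
    for c, row in enumerate(q_table()):
        print("c =", c, " ".join(f"{v:.3f}" for v in row))
    for i, row in enumerate(p_table()):
        print("i =", i, " ".join(f"{v:.3f}" for v in row))
```

Because every value is a `Fraction`, the rows of each table sum to exactly 1, which is a useful check that the double sum covers all cases; the printed three-decimal values are then rounded rather than truncated, so they may differ in the last digit from the table above.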


1.5 SOME USEFUL RESULTS FOR PART II

In the next part, some cryptanalytic attacks are exposed, based on the paradoxes we have just studied in the previous sections. The probability of success of these attacks is calculated according to the numerical results we provide in this section.

We define the number $n_c$ of twins between the samples $E_r = (x_1,\dots,x_r)$ and $E_s = (y_1,\dots,y_s)$ as the number of pairs (i,j) such that $x_i = y_j$. Since $n_c \ge |E_r \cap E_s|$, we have:

$$P(n_c \ge i) \ge P(|E_r \cap E_s| \ge i)$$

In the particular case i=1, the two probabilities are equal.

So, the meet-in-the-middle attack exposed in section II.1 has a probability of success S equal to $P(|E_r \cap E_s| \ge 1)$ with $r = s = 2^{32}$ and $n = 2^{64}$ (hence $\nu = rs/n = 1$) and:

$$S = 1 - P(n,r,s,0) = 1 - \mathcal{P}_1(0) + \varepsilon = 1 - e^{-1} + \varepsilon \approx 0.632$$

(because the bounds provided in sections 1.2 and 1.3 allow us to show that $\varepsilon$ is negligible at this precision).

If we now want the probability of success S to be $\ge 1 - 10^{-4}$, by changing only r and s (but preserving r = s, both powers of 2), we can choose $r = s = 2^{34}$ because $\nu = 16$ and:

$$S = 1 - \mathcal{P}_{16}(0) + \varepsilon' = 1 - e^{-16} + \varepsilon' \ge 1 - 10^{-4}$$

(because $|\varepsilon'| \le 10^{-5}$).

The attack provided in section II.3 also needs an integer x and two other integers r and s, equal, powers of two, as small as possible and such that $x^4 \ge r$ and $P(n_c \ge x) \ge 1 - 10^{-4}$. The minimal choice for r (and s) is $2^{37}$ and we can take x = 609 (the smallest integer whose 4-th power is greater than $2^{37}$) since:

$$P(n_c \ge 609) \ge P(|E_r \cap E_s| \ge 609) = 1 - F_{1024}(608) + \varepsilon''$$

Now, an easy lemma shows that $\ln \mathcal{P}_\nu(i) \le i - \nu + i(\ln \nu - \ln i)$, so that $F_{1024}(608)$ and $|\varepsilon''|$ can both be shown to be very small. Hence, we can conclude that: $P(n_c \ge 609) \ge 1 - 10^{-4}$.
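The parameter choices of this section ($\nu = 1$ and $\nu = 16$ for the meet-in-the-middle search, $r = s = 2^{37}$ and x = 609 for section II.3) can be reproduced from the Poisson limit and the lemma just stated. The Python program below is an added example, not part of the paper; it uses the lemma $\ln \mathcal{P}_\nu(i) \le i - \nu + i(\ln \nu - \ln i)$ as stated and, as an assumption of this example, neglects the correction terms $\varepsilon$, $\varepsilon'$ and $\varepsilon''$ that the paper bounds separately.

```python
"""Sizing two equal samples r = s from a population of size n so that the
Poisson limit with nu = rs/n gives the wanted number of common elements
(added example; the epsilon corrections of section 1.5 are neglected)."""
from math import exp, lgamma, log


def success_probability(nu: float) -> float:
    """Limit value 1 - P_nu(0) = 1 - e^-nu of P(|E_r ∩ E_s| >= 1)."""
    return 1.0 - exp(-nu)


def sample_size_for(nu: int, n: int) -> int:
    """Smallest power of two r such that r = s and r*s/n >= nu (exact integers)."""
    r = 1
    while r * r < nu * n:
        r *= 2
    return r


def smallest_fourth_root_above(r: int) -> int:
    """Smallest integer x with x**4 >= r (the paper takes r = 2^37, x = 609)."""
    x = max(1, int(round(r ** 0.25)))
    while x ** 4 < r:
        x += 1
    while x > 1 and (x - 1) ** 4 >= r:
        x -= 1
    return x


def log_poisson_pmf_bound(nu: float, i: int) -> float:
    """The 'easy lemma' of section 1.5: ln P_nu(i) <= i - nu + i(ln nu - ln i),
    which follows from i! >= (i/e)^i; for i = 0 it reads ln P_nu(0) = -nu."""
    if i == 0:
        return -nu
    return i - nu + i * (log(nu) - log(i))


def poisson_cdf_upper(nu: float, alpha: int) -> float:
    """Upper bound on F_nu(alpha) = sum_{i<=alpha} P_nu(i) from the lemma: each
    of the alpha+1 terms is at most the largest bound, and for alpha < nu the
    bound grows with i, so the largest one is at i = alpha."""
    if alpha >= nu:
        return 1.0                               # the lemma gives nothing useful
    return min(1.0, (alpha + 1) * exp(log_poisson_pmf_bound(nu, alpha)))


def poisson_cdf(nu: float, alpha: int) -> float:
    """Exact F_nu(alpha) in floating point via log-gamma (for comparison)."""
    return sum(exp(-nu + i * log(nu) - lgamma(i + 1)) for i in range(alpha + 1))


def choose_parameters(n: int, failure: float = 1e-4) -> tuple:
    """Smallest power of two r = s and x = ceil(r^(1/4)) such that, by the lemma,
    F_nu(x - 1) <= failure with nu = r*s/n: at least x common elements (hence
    at least x 'twins') with probability >= 1 - failure."""
    r = 1
    while True:
        nu = r * r / n
        x = smallest_fourth_root_above(r)
        if poisson_cdf_upper(nu, x - 1) <= failure:
            return r, x
        r *= 2


if __name__ == "__main__":
    n = 2 ** 64
    print("nu=1 : S =", success_probability(1), " r = s =", sample_size_for(1, n))
    print("nu=16: S =", success_probability(16), " r = s =", sample_size_for(16, n))
    r, x = choose_parameters(n)
    print("section II.3: r = s = 2^%d, x = %d" % (r.bit_length() - 1, x))
    print("F_1024(608) <=", poisson_cdf_upper(1024, 608),
          "(exact about", poisson_cdf(1024, 608), ")")
```

For $n = 2^{64}$ the search stops at $r = s = 2^{37}$, because for every smaller power of two the required count x exceeds $\nu = r^2/n$ and the Poisson mass below x is essentially 1; at $2^{37}$ the lemma bounds $F_{1024}(608)$ far below $10^{-4}$, which is why the paper can afford the crude bound $F_\nu(\alpha) \le (\alpha+1)\max_i \mathcal{P}_\nu(i)$ instead of an exact tail computation.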


PART II: THE BIRTHDAY ATTACK

This part provides a generalization of Coppersmith's attack to a general scheme using p initializing values and passing the message p times. We first present the Rabin scheme and its evolutions (section 1), then present our main result (section 2) and its proof (section 3).

II.1 THE RABIN SCHEME AND ITS EVOLUTIONS

For continuity, we use (almost) the same notations (and sometimes the same expressions!) as Coppersmith did in [6]. In particular, $E_K(X)$ denotes throughout the paper the DES encipherment of the cleartext X under the key K and $D_K(Y)$ denotes the decipherment of the ciphertext Y under the key K.

In the Rabin scheme, the message $\mathcal{M}$ is divided into n 56-bit blocks $M_j$, used as keys for the iterated encipherment of some initial value $H_0$. The final encipherment, along with the initial value, forms the hash value:

$H_0$ = random
$H_j = E_{M_j}(H_{j-1})$, $1 \le j \le n$
RSA-Sign($H_0$, $H_n$)

This scheme is subject to a so-called "meet-in-the-middle attack", whose invention is attributed to Merkle by Winternitz and which works as shown below. For convenience, if $\mathcal{M}$ is a message made up of message blocks $M_1, \dots, M_n$, we will use the following notation:


The meet-in-the-middle attack allows the opponent, given a message $\mathcal{M}$ and its hash value $(H_0, H_n)$, to construct a bogus message $\mathcal{M}'$ without affecting the hash value. The opponent can then replace $\mathcal{M}$ with $\mathcal{M}'$ without being detected, since the signatures of both messages are identical.

In order to achieve this, the opponent generates $2^{32}$ messages $\mathcal{M}_l$ and $2^{32}$ messages $\mathcal{M}_r$ of arbitrary length (the shorter they are, the faster the attack is). He may for example create a few (32) variations of a unique message and combine these variations together. For each message $\mathcal{M}_l$ (respectively $\mathcal{M}_r$), he computes $H_l = E_{\mathcal{M}_l}(H_0)$ (respectively $H_r = D_{\mathcal{M}_r}(H_n)$), sorts and stores these values.

If E is supposed to have good "random" properties, then the set of all the $H_l$ and the set of all the $H_r$ can be considered as two "random" and "independent" samples of $2^{32}$ drawings with replacement from a population of size $2^{64}$. Therefore, as shown in Part I, the probability is greater than 1/2 (about $1 - e^{-1}$) that a coincidence exists (i.e. $\exists\, l, r$ such that $H_l = H_r$). This coincidence will appear while sorting the values.

Let now $\mathcal{M}'$ be the concatenation of $\mathcal{M}_l$ and $\mathcal{M}_r$ for these particular values of l and r. Then:

We say that $H_0$ and $H_n$ have been "linked up" or "joined up" by $\mathcal{M}'$. In this way, the opponent succeeds in constructing a bogus message $\mathcal{M}'$.

This attack is plausible because the total number of operations is not too large, considering today's technology: for example, if the attacker chooses single-block messages $\mathcal{M}_l$ and $\mathcal{M}_r$ (in order to speed up the computation), he will have to perform $2 \cdot 2^{32} = 2^{33} \approx 10^{10}$ encipherments. To that must be added the time taken to sort the values $H_l$ and $H_r$, which can be evaluated to about $2^{38} \approx 3 \cdot 10^{11}$ operations. No doubt the high-speed and large-memory computers available today can achieve this (and even more).

The Davies-Price scheme repeats the message twice:

$H_0$ = random
$H_j = E_{M_j}(H_{j-1})$, $1 \le j \le n$
$H_{n+j} = E_{M_j}(H_{n+j-1})$, $1 \le j \le n$
RSA-Sign($H_0$, $H_{2n}$)

A variant of this scheme consists of choosing two initializing values and also passing the message twice:

$H_0, H'_0$ = random
$H_j = E_{M_j}(H_{j-1})$, $1 \le j \le n$
$H'_j = E_{M_j}(H'_{j-1})$, $1 \le j \le n$
RSA-Sign($H_0$, $H_n$, $H'_0$, $H'_n$)

Of course, the Davies-Price scheme is easier to break than the last one (it suffices for the enemy to choose $H'_0 = H_n$). At Crypto'85 [6], Coppersmith showed that a "triple birthday attack" permits the attacker to construct bogus messages in both above schemes, with not much larger computational requirements than for the Rabin scheme. He also claimed that the Davies-Price scheme remained insecure with three passes instead of two, but without providing details.

In the next section, by generalizing Coppersmith's attack, we show rigorously that the Davies-Price scheme and its extension are insecure even if the message is passed four times, provided the enemy can accept a number of encipherments in the magnitude range of $2^{46}$ and messages of length 14 Kbytes.


II.2 THE GENERALIZED SCHEME

We now consider the following general scheme, with p initializing values:

$H^1_0, H^2_0, \dots, H^p_0$ = random
$H^i_j = E_{M_j}(H^i_{j-1})$, $1 \le i \le p$, $1 \le j \le n$
RSA-Sign($H^1_0, H^1_n, \dots, H^p_0, H^p_n$)

For p=1, it becomes the Rabin scheme; for p=2, it becomes the Davies-Price scheme (or, rather, its strong variant). The question is: does Coppersmith's attack extend to p greater than 2? The answer is yes. More precisely, we claim the following result:

A message of $2 \cdot 10^{p-1}$ blocks joining the $H^i_0$ and the $H^i_n$ for each i in [1,p] can be found using less than $2^{33} \cdot 10^p$ encipherments with probability very close to 1.

Before providing the proof in the following section, we first give a few comments about this result:

a) The above values result from a trade-off between four different parameters: the degree of significance placed on the message obtained, the length of this message, the number of encipherments and the probability of success. Of course, it is possible to improve some of them but to the detriment of the others. For example, the enemy can get a "more meaningful" message, which will necessarily become longer. Or he can get a shorter message but the number of encipherments will increase, etc.

b) The number of blocks indicated is only, other things being equal, a minimum: these are "constrained blocks" generated by the attack, on which the attacker has no (or very little) control. But he can design his attack in such a way that the final message will also contain an arbitrary number of other blocks completely selected by him. The proportion of bogus blocks can, in that way, be made as small as wanted (hence less visible!).

c) Though it is highly unlikely, it could theoretically occur that the attack as described below might not succeed. In practice, it suffices to (slightly) increase the number of trials at the step where the attack fails in order to render it effective.

d) Of course, the time of sorting must be added to the time of enciphering in order to get the total computation time. But a close look at the proof shows that the time of sorting grows much slower than the number of encipherments (the ratio of the geometric progression is only 3).

e) If E is replaced with a block-cipher algorithm whose block-length is L, the number of encipherments becomes $2^{L/2+1} \cdot 10^p$.
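The figures quoted in the introduction and in comments a) to e) (a 512-bit imprint for p = 4 with DES, about $2^{46}$ encipherments, 14 Kbyte constrained messages) follow from the generalized scheme and from comment e). The Python program below is an added example, not the paper's own code: it implements the p-pass chaining of section II.2 over an abstract block cipher, here a toy keyed affine permutation standing in for DES (an assumption of the example, chosen only so that the code runs offline; it has no cryptographic value), and evaluates the paper's bounds for a given p and block length L, using the theorem of section II.3 with comment d) applied for the $t_p$ formula.

```python
"""The generalized p-pass chaining scheme of section II.2 and the cost bounds
of comments a)-e) (added example). The block cipher is a stand-in for DES:
a keyed affine permutation of L-bit words, NOT a secure cipher."""
from math import log2
from typing import Callable, Sequence, Tuple

L = 64                      # block length in bits (DES: 64)
KEY_BITS = 56               # message-block length used as key (DES: 56)
MASK = (1 << L) - 1


def toy_encipher(key: int, x: int) -> int:
    """Stand-in for E_K(x): x -> (2K+1)*x + K mod 2^L is a permutation for every
    K because the multiplier is odd. Purely illustrative."""
    return ((2 * key + 1) * x + key) & MASK


def generalized_hash(blocks: Sequence[int], ivs: Sequence[int],
                     encipher: Callable[[int, int], int] = toy_encipher) -> Tuple[int, ...]:
    """Imprint of the p-pass scheme: for each initial value H^i_0 compute
    H^i_j = E_{M_j}(H^i_{j-1}) over all blocks and return
    (H^1_0, H^1_n, ..., H^p_0, H^p_n), the values that get RSA-signed."""
    imprint = []
    for h0 in ivs:
        h = h0
        for m in blocks:
            h = encipher(m, h)
        imprint += [h0, h]
    return tuple(imprint)


def imprint_bits(p: int, block_len: int = L) -> int:
    """Bits to sign: p initial values and p end values of block_len bits each."""
    return 2 * p * block_len


def max_passes(modulus_bits: int, block_len: int = L) -> int:
    """Largest p whose imprint still fits into one RSA block (512 bits -> 4)."""
    return modulus_bits // (2 * block_len)


def constrained_blocks(p: int) -> int:
    """u_p = 2 * 10^(p-1) message blocks fixed by the attack (comment b)."""
    return 2 * 10 ** (p - 1)


def constrained_bytes(p: int, key_bits: int = KEY_BITS) -> int:
    """Length in bytes of the u_p constrained blocks (56-bit DES keys)."""
    return constrained_blocks(p) * key_bits // 8


def encipherments_bound(p: int, block_len: int = L) -> int:
    """Comment e): fewer than 2^(L/2+1) * 10^p encipherments."""
    return 2 ** (block_len // 2 + 1) * 10 ** p


def theorem_t(p: int, block_len: int = L) -> int:
    """t_p of the theorem in II.3, with comment d) applied for block length L:
    2^(L/2+3) for p = 1, 2^(L/2+4) * (3^(p-2) + 4*10^(p-2)) for p >= 2."""
    half = block_len // 2
    if p == 1:
        return 2 ** (half + 3)
    return 2 ** (half + 4) * (3 ** (p - 2) + 4 * 10 ** (p - 2))


def summary(p: int, modulus_bits: int = 512, block_len: int = L) -> dict:
    """The quantities a designer would check for a given number of passes p."""
    return {
        "imprint_bits": imprint_bits(p, block_len),
        "fits_modulus": imprint_bits(p, block_len) <= modulus_bits,
        "constrained_blocks": constrained_blocks(p),
        "constrained_bytes": constrained_bytes(p),
        "log2_encipherments": round(log2(encipherments_bound(p, block_len)), 1),
        "log2_t_p": round(log2(theorem_t(p, block_len)), 1),
    }


if __name__ == "__main__":
    # Constructed sample message: four 56-bit blocks and two initial values.
    msg = [0x0123456789ABCD, 0x0F1E2D3C4B5A69, 0x00FFEE11DD22CC, 0x13579BDF02468A]
    ivs = [0x0123456789ABCDEF, 0xFEDCBA9876543210]
    print(generalized_hash(msg, ivs))
    for p in range(1, 5):
        print(p, summary(p))
```

For p = 4 and L = 64 the summary gives a 512-bit imprint (exactly one 512-bit RSA block), 2000 constrained blocks of 7 bytes (14000 bytes) and $\log_2$ of the encipherment bound equal to 46.3, which are the numbers the paper quotes; for p = 5 the imprint no longer fits the modulus, which is why p = 4 is the case of practical interest.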

II.3 THE CRYPTANALYSIS

We come now to the proof of our result. In fact, we will prove the more precise following theorem:

Theorem: Let p be an integer $\ge 1$, let $(A_1,\dots,A_p)$ be distinct 64-bit values and let $(B_1,\dots,B_p)$ be distinct 64-bit values.

1) A message M of $u_p$ blocks such that

$$E_M(A_i) = B_i, \qquad 1 \le i \le p$$

can be found using $t_p$ encipherments (or less) with probability $Q_p$, where:

$$u_p = 2 \cdot 10^{p-1}$$

$$t_p = 2^{35} \ \text{for } p = 1, \qquad t_p = 2^{36}\,(3^{p-2} + 4 \cdot 10^{p-2}) \ \text{for } p \ge 2$$

$$Q_p \ge 1 - \frac{3p}{2 \cdot 10^4}$$

2) 609 distinct messages M of $u_p$ blocks can be found using $t'_p$ encipherments (or less) with probability $Q'_p$ such that:

$$Q'_p \ge 1 - \frac{3p}{2 \cdot 10^4}$$

Comments :

a) The result claimed in the previous section is clearly a consequence of part 1 of this theorem (that $t_p$ is less than $2^{33} \cdot 10^p$ is very easy and figures in the proof).

b) The apparition of the integer 609 (somewhat mysterious!) has been explained in section I.5.

c) The proof below implicitly assumes (as always in birthday attack literature) that good encipherment algorithms have good random properties. In particular, for any given distinct inputs X and Y, the values taken by $E_K(X)$ and $E_K(Y)$, when K runs through the key space, should be independent events.

d) If E is replaced with a block-cipher algorithm whose block-length is L, the proof remains almost unchanged and part 1 of the theorem is still valid after having replaced $2^{35}$ with $2^{L/2+3}$, and $2^{36}$ with $2^{L/2+4}$ in $t_p$.

Proof: by induction on p.

The meet-in-the-middle attack, exposed in section II.1, permits the enemy to find (as already shown in section I.5):

1) at least one two-block junction between $A_1$ and $B_1$ (i.e. a message $J_1$ such that $E_{J_1}(A_1) = B_1$) using $2 \cdot 2^{34}$ encipherments with probability $Q_1 \ge 1 - 10^{-4}$;

2) at least 609 two-block junctions between $A_1$ and $B_1$ using $2 \cdot 2^{37}$ encipherments with probability $Q'_1 \ge 1 - 10^{-4}$.

So: $u_1 = 2$, $t_1 = 2^{35}$, $t'_1 = 2^{38}$, $Q_1 \ge 1 - 10^{-4}$, $Q'_1 \ge 1 - 10^{-4}$.

The theorem is now assumed to be true at rank p.

Let $(A_1, \ldots, A_{p+1})$ be p+1 distinct values. Let $(B_1, \ldots, B_{p+1})$ be p+1 distinct values.

We now have to make $A_i$ and $B_i$ meet, for each i in [1, p+1], with the same message $J_{p+1}$. This can be done in three steps:

Step 1: Choose arbitrarily $Z_1, \ldots, Z_p$ distinct values. Then find a set $\mathcal{E}$ of 609 $u_p$-block messages $N_j$ which link up the $Z_i$ to themselves for each i:

$E_{N_j}(Z_i) = Z_i$ for all i and all j.

From the induction hypothesis, the set $\mathcal{E}$ can be found using $t'_p$ encipherments with probability $Q'_p$ (note that this step, called "precomputation" by Coppersmith, needs only to be done once and can be used for any $A_i$ and $B_i$).

Step 2: Find a $u_p$-block message $M_l$ such that $A_i$ and $Z_i$ meet for each i, and let $C_l = E_{M_l}(A_{p+1})$. This message can be found using $t_p$ encipherments with probability $Q_p$. Find also a $u_p$-block message $M_r$ such that $Z_i$ and $B_i$ meet for each i, and let $C_r = D_{M_r}(B_{p+1})$.

Step 3.1: (It remains now to link up $C_l$ and $C_r$ while "preserving" each $Z_i$.)

Perform a meet-in-the-middle attack between $C_l$ and $C_r$ using only elements of $\mathcal{E}$. More precisely: let $N_l = (N_1, N_2, N_3, N_4) \in \mathcal{E}^4$ and $N_r = (N_5, N_6, N_7, N_8) \in \mathcal{E}^4$, and let $H_l = E_{N_l}(C_l)$ and $H_r = D_{N_r}(C_r)$.

As there are $609^4 > 2^{34}$ elements in $\mathcal{E}^4$, we can obtain two random and independent samples of $2^{34}$ values $H_l$ and $2^{34}$ values $H_r$. We will therefore find a coincidence between the two samples with a probability of $Q_1$.

In other words, we can find one junction J between $C_l$ and $C_r$ preserving each $Z_i$, constituted of $8u_p$ blocks and using $4 \cdot 2 \cdot 2^{34} \, u_p$ encipherments.

Thus the message $J_{p+1}$, equal to the concatenation of $M_l$, J and $M_r$, links up $A_i$ to $B_i$ for each i in [1, p+1].

The total number of blocks of $J_{p+1}$ is: $u_{p+1} = u_p + 8u_p + u_p = 10\,u_p$

The number of encipherments is: $t_{p+1} = t'_p + 2t_p + 2^{37} u_p$

The probability of success is: $Q_{p+1} = Q'_p \, Q_p^{2} \, Q_1$ (one factor $Q_p$ for each of the two messages of step 2)

Step 3.2: In step 3.1, we do not need all the elements of $\mathcal{E}^4$ to find a coincidence, since $2^{34}$ (at each side) will probably suffice. If we now use all the $609^4 \ge 2^{37}$ elements of $\mathcal{E}^4$, we will find (at least) 609 junctions with probability $Q'_1$.

The number of encipherments is: $t'_{p+1} = t'_p + 2t_p + 2^{40} u_p$

The probability of success is: $Q'_{p+1} = Q'_p \, Q_p^{2} \, Q'_1$

It remains now to solve the recurrence relations in $u_p$, $t_p$, $t'_p$, $Q_p$ and $Q'_p$.

The sequence $(u_p)$ is geometric and we have immediately:

$u_p = u_1 \cdot 10^{p-1} = 2 \cdot 10^{p-1}$ for any $p \ge 1$

Let $(a_p)$ be the sequence equal to $t'_p + 2t_p$. We have:

$a_{p+1} = t'_{p+1} + 2t_{p+1} = 3a_p + 2^{40} u_p + 2^{38} u_p = 3a_p + 2^{38} \cdot 10^p$

For p = 0 this equation becomes $a_1 = 3a_0 + 2^{38}$, so we put $a_0 = \dfrac{2^{36}}{3}$.

So for $p \ge 2$:

$t_p = a_{p-1} + 2^{37} u_{p-1} = 2^{36}\left[3^{p-2} + 4 \cdot 10^{p-2}\left(1 + \frac{10}{7}\left(1 - \left(\frac{3}{10}\right)^{p-1}\right)\right)\right]$

Now let $q = 1 - 10^{-4}$. We have:

$Q_1 \ge q, \quad Q_2 \ge q^4, \quad Q_3 \ge q^{13}, \ldots$

More generally: $Q_p \ge q^{\frac{3^p - 1}{2}} \ge 1 - \frac{3^p - 1}{2} \cdot 10^{-4} > 1 - \frac{3^p}{2 \cdot 10^4}$

Note that $Q_p \ge 0.995$ for p = 4.
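The recurrences of the proof, iterated numerically and checked against the closed forms, as an added example (this is not code from the paper). It assumes the induction step exactly as stated above: step 2 costs two $u_p$-block searches, so the probability at rank p+1 carries $Q_p$ twice, which is what produces the exponents 1, 4, 13, ... of q; the 609 of the precomputation is the least m with $m^4 \ge 2^{37}$, which the block also checks.

```python
"""Added example: cost and success-probability recurrences of the p-pass
birthday attack, iterated and compared with the closed forms of the proof."""
from fractions import Fraction
from math import log2

# Base case p = 1: the two-block meet-in-the-middle attack on 64-bit blocks.
U1, T1, T1_PRIME = 2, 2**35, 2**38
Q = Fraction(1) - Fraction(1, 10**4)        # q = 1 - 10^-4, per-search success bound


def recurrences(pmax):
    """Iterate the induction step for p = 1 .. pmax.

    Returns {p: (u_p, t_p, t'_p, e_p)} with Q_p >= q**e_p and Q'_p >= q**e_p:
        u_{p+1}  = 10 u_p
        t_{p+1}  = t'_p + 2 t_p + 2**37 u_p
        t'_{p+1} = t'_p + 2 t_p + 2**40 u_p
        Q_{p+1}  = Q'_p * Q_p**2 * Q_1     (two u_p-block messages in step 2)
    """
    rows = {}
    u, t, tp, e = U1, T1, T1_PRIME, 1
    for p in range(1, pmax + 1):
        rows[p] = (u, t, tp, e)
        u, t, tp, e = 10 * u, tp + 2 * t + 2**37 * u, tp + 2 * t + 2**40 * u, 3 * e + 1
    return rows


def u_closed(p):
    """u_p = 2 * 10^(p-1): number of blocks of the forged message."""
    return 2 * 10 ** (p - 1)


def t_closed(p):
    """t_p = 2^36 [3^(p-2) + 4*10^(p-2) (1 + (10/7)(1 - (3/10)^(p-1)))] for p >= 2."""
    if p == 1:
        return Fraction(T1)
    inner = 1 + Fraction(10, 7) * (1 - Fraction(3, 10) ** (p - 1))
    return 2**36 * (Fraction(3) ** (p - 2) + 4 * Fraction(10) ** (p - 2) * inner)


def q_exponent(p):
    """e_p = (3^p - 1)/2, the exponent of q in Q_p >= q^e_p."""
    return (3**p - 1) // 2


def success_bound(p):
    """Q_p >= q^e_p >= 1 - e_p * 10^-4 (Bernoulli inequality), > 1 - 3^p/(2*10^4)."""
    return 1 - Fraction(q_exponent(p), 10**4)


def within_coarse_bound(p):
    """The comment's bound t_p < 2^33 * 10^p, checked on the iterated value."""
    return recurrences(p)[p][1] < 2**33 * 10**p


def junction_pool(m):
    """Number of 4-tuples over a set of m junctions; 609 is the least m with m^4 >= 2^37."""
    return m**4


if __name__ == "__main__":
    for p, (u, t, tp, e) in recurrences(5).items():
        print(f"p={p}: u_p={u} blocks  log2(t_p)={log2(t):.2f}  "
              f"log2(t'_p)={log2(tp):.2f}  Q_p >= {float(Q**e):.5f}")
```

Running it lists, for p = 1..5, the message length in blocks, the work $t_p$ and $t'_p$ as powers of two, and the lower bound on $Q_p$; for p = 4 it gives $t_4 = 965 \cdot 2^{36} \approx 2^{45.9}$, below the $2^{47}$ quoted in the conclusion, and $u_4 = 2000$ blocks.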

CONCLUSION

This paper generalizes the birthday attack presented by Coppersmith at Crypto’85.

In the first part, we analyse the mathematical aspects of the birthday problem, for which exact and asymptotical results (with bounds) are provided. In particular, under some natural hypotheses, the underlying distributions are proved to converge towards Poisson distributions.

In the second part, the Coppersmith attack is generalized to schemes which cycle through the message blocks p times (instead of twice). A lower bound for the probability of success of the attack is given. For example, if DES is used and if p = 4, a bogus message of 14 Kbytes can be forged with (almost surely) less than $2^{47}$ encipherments. As a consequence, the 4-pass Davies-Price scheme appears not to be secure enough.

This last result is of importance when the signature is obtained by signing the initializing values and the end-values. For, in that case, p = 4 is the maximum number of possible passes if the modulus length of the signer is equal to 512 bits (a very usual length).


An Interactive Data Exchange Protocol Based on Discrete Exponentiation

G. Agnew, R. Mullin, S. Vanstone

University of Waterloo, Waterloo, Ontario, Canada

Introduction

In the following paper, we propose a protocol for interactive data exchange. An interactive data exchange session can be divided into three phases, as shown in Fig. 1:

i) a Session Key Exchange/User Authentication phase,
ii) a Data Exchange phase, and
iii) a Resynchronization phase (for error recovery).

The cryptographic system proposed for this system is based on discrete exponentiation, that is, all operations (though not shown) involve reduction modulo p for a large prime p. The security of the system is based on the difficulty of determining logarithms in a finite field GF(p) [1]. We also assume the existence of a trusted Public Key Notary (PKN). The PKN provides a certification service for each of the users' "public" keys and is not required to be on line.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 159-166, 1988. © Springer-Verlag Berlin Heidelberg 1988

Key Exchange Phase

In this phase, a session key is passed between two users. This exchange provides mutual authentication of the users involved in the session and is resistant to spoofing by impersonation. The sequence begins with each user in possession of its secret exponent value (a for user A), the common modulus p, the common primitive element $\alpha$ and the "well-known" public key of the PKN, $\alpha^{pkn}$.

The PKN produces entries of the form $[\alpha^{-z}, S_z]$ for each of the network users, where $\alpha^{-z}$ is user z's "public" key and $S_z$ is a signed version of that key. The certificate $S_z$ is the pair (w, x) formed such that x is solved for the congruency

a-* = pkn * am + w2'

for a random value w (pkn is the private information of the PKN). This procedure and the key exchange protocol are described by ElGamal [2]. This is shown in Fig. 2. The procedure begins when user A initiates a call to user B (initiator/respondent respectively). The protocol proceeds as follows:

i) User A generates a random initial key K and a random value r.

ii) User A obtains the pair $[\alpha^{-b}, S_b]$ in a public manner (e.g., from a public key directory, from B or by other means).

iii) User A verifies user B's public key by computing

iv) If the verification passes, user A applies the ElGamal protocol to form

$[\alpha^r, (\alpha^{-b})^r \cdot K]$

This is forwarded to user B along with a request for setting up a session.

v) Upon receipt, B recovers the initial session key from the message by using its secret exponent b.

At this point, data communications could proceed, but no authentication of User A has been performed.

vi) For mutual authentication, user B obtains $[\alpha^{-a}, S_a]$ by public means and verifies the key (as before).

vii) The actual session key is now formed as

It can be seen that user A can also form this key from its secret and authenticated data. This completes the Key Exchange phase of the protocol. In the next section, we examine a "conventional" cryptographic system based on discrete exponentiation.
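A toy model of the certificate check and the initial-key transport of steps ii) to vi), as an added example; it is not the authors' code. The certificate congruency is not legible on this page, so the block uses the textbook ElGamal signature of [2] ($\alpha^m \equiv y^w w^x \pmod p$ with $y = \alpha^{pkn}$) as an assumption; the tiny prime, the generator search and the class names PKN and User are constructed for the example. The session-key formula of step vii) is not on the page and is not modelled; the block stops at B recovering K as in Fig. 2.

```python
"""Added example (not the paper's code): toy PKN certificate and ElGamal-style
transport of the initial key K. Parameters are tiny, for illustration only."""
import random
from math import gcd

P = 1019                                   # constructed toy prime; a real system uses a large p


def primitive_root(p):
    """Smallest generator of Z_p^* (trial-division factoring of p-1 is fine for toy p)."""
    n, factors, d = p - 1, set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    for g in range(2, p):
        if all(pow(g, (p - 1) // f, p) != 1 for f in factors):
            return g
    raise ValueError("no generator found")


ALPHA = primitive_root(P)                  # the common primitive element alpha


class PKN:
    """Public Key Notary: private exponent pkn, public alpha^pkn, signs user public keys."""

    def __init__(self, rng):
        self.pkn = rng.randrange(2, P - 1)
        self.pub = pow(ALPHA, self.pkn, P)

    def certify(self, rng, user_pub):
        """Assumed ElGamal signature (w, x) on the integer user_pub: alpha^m = y^w * w^x mod p."""
        while True:
            k = rng.randrange(1, P - 1)
            if gcd(k, P - 1) == 1:
                break
        w = pow(ALPHA, k, P)
        x = (pow(k, -1, P - 1) * (user_pub - self.pkn * w)) % (P - 1)
        return (w, x)


def verify_certificate(user_pub, cert, pkn_pub):
    """Steps iii) and vi): anyone holding the PKN's public key checks a certificate."""
    w, x = cert
    if not (0 < w < P):
        return False
    return pow(ALPHA, user_pub, P) == (pow(pkn_pub, w, P) * pow(w, x, P)) % P


class User:
    """Secret exponent z and the PKN-certified public key alpha^-z."""

    def __init__(self, rng, pkn):
        self.secret = rng.randrange(2, P - 1)
        self.pub = pow(ALPHA, -self.secret, P)          # alpha^-z mod p
        self.cert = pkn.certify(rng, self.pub)


def transport_key(rng, recipient_pub, k_initial):
    """Step iv): [alpha^r, (alpha^-b)^r * K] with a fresh random r."""
    r = rng.randrange(1, P - 1)
    return pow(ALPHA, r, P), (pow(recipient_pub, r, P) * k_initial) % P


def recover_key(secret, c1, c2):
    """Step v): K = (alpha^r)^b * (alpha^-br * K) mod p, as in Fig. 2."""
    return (pow(c1, secret, P) * c2) % P


def run_session(seed=7):
    """One A -> B key exchange; returns the outcome of each check."""
    rng = random.Random(seed)
    pkn = PKN(rng)
    user_a, user_b = User(rng, pkn), User(rng, pkn)
    cert_b_ok = verify_certificate(user_b.pub, user_b.cert, pkn.pub)       # A checks B's key
    k_initial = rng.randrange(1, P)
    c1, c2 = transport_key(rng, user_b.pub, k_initial)
    k_at_b = recover_key(user_b.secret, c1, c2)
    cert_a_ok = verify_certificate(user_a.pub, user_a.cert, pkn.pub)       # B checks A's key
    w, x = user_b.cert                                                      # a tampered certificate
    tampered_ok = verify_certificate(user_b.pub, (w, (x + 1) % (P - 1)), pkn.pub)
    return {"cert_b_ok": cert_b_ok, "cert_a_ok": cert_a_ok,
            "key_recovered": k_at_b == k_initial, "tampered_rejected": not tampered_ok}


if __name__ == "__main__":
    print(run_session())
```

The certificate binds the public-key value to the PKN's signing key, so a public key fetched "from B or by other means" can be checked offline, which is why the PKN need not be on line; the tampered-certificate case shows the check actually rejecting.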

Data Exchange Phase

The Key Exchange phase established a common, mutually authenticated key $K_0$ between users A and B. From $K_0$, two sub-session keys $K_I$ and $K_R$ are derived, one for each direction of data exchange (session initiator, session respondent respectively).

Before any data is exchanged, each user verifies the correct exchange of the initial keys. To do this, user A calculates the pattern

and forwards this to B. Similarly, user B calculates the pattern

and forwards this to A. Each end verifies that the correct image has been received from the other user (see Fig. 3).

Once verification has been performed, the actual data exchange may begin. Ciphertext blocks are formed as

where j = I or R depending on the direction of data flow, and i indicates the message block number. The key $K^j_i$ used for each block is unique and is derived from the appropriate sub-session key as

(this can be done in many ways). Using this technique, plus some error detection bits added to the plaintext, will allow for the detection of inserted, deleted or modified blocks.

Rendezvous Phase

The data exchange protocol will now proceed until the end of the session or until an error occurs. If an error cannot be corrected by simple retransmission, or if synchronization is lost, then a "Rendezvous" must be executed (see Fig. 1). In this phase, the receiving user (B in Fig. 4) must notify the sending user that synchronization has been lost. The sender then determines the last correctly received message block (we assume that a communication protocol is present on the link to provide acknowledgments for correctly received blocks). The sender then increments the state of the key by a value n such that

where l is the last correctly received block. The sender then calculates the image

and sends this to the receiving user. The receiving user increments its key state by an amount n-q and calculates successive values of $\alpha^{K^j_i}$ until the pattern is matched (note: since synchronization has been lost, the state of either end is unknown, thus the "hunt" process must cover a sufficiently large number of exponents as to make resynchronization highly probable). Once resynchronization has been established, the data exchange phase may proceed once again.

As shown in Fig. 1 and 4, provision has been made to try the rendezvous procedure only two times; if resynchronization is not established in this time, then the session is considered unusable and a key exchange phase is started once again. (It is also possible that the key exchange phase may fail a number of times, though not indicated, and provisions must be included to limit the number of tries for key exchange. If this occurs, then the channel must be deemed unusable.)

Conclusions

In this paper, we have described a protocol for interactive data exchange which provides strong mutual authentication of the users and data integrity. The protocols used are based on a cryptographic system using discrete exponentiation for public key exchange and conventional data exchange. The protocol is robust to data/protocol errors and active attacks. While it has been shown as an interactive protocol, a one-way data exchange protocol (for email or file transfer) can easily be derived from this protocol.

References

1. W. Diffie, M. Hellman, "New directions in cryptography", IEEE Trans. on Info. Theory, Vol. IT-22, pp.472-492, 1976.

2. T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms", IEEE Trans. on Info. Theory, Vol. IT-31, pp.469-472, 1985.

Figure 1 - INTERACTIVE PROTOCOL [flow chart; recovered labels: KEY EXCHANGE PHASE, DATA EXCHANGE PHASE, RESYNCHRONIZATION PHASE, MANY TRIES]

Figure 2 - KEY EXCHANGE PHASE [USER A, PUBLIC KEY, USER B; B recovers $K = (\alpha^r)^b \cdot (\alpha^{-br} \cdot K)$]

Figure 3 - DATA EXCHANGE PHASE [USER A, USER B; recovered labels: $K_R$, $K_0$]

Figure 4 - RESYNCHRONIZATION PHASE [USER A, USER B; LAST CORRECT STATE = t; [OK!]; [SYNC LOSS]; LAST STATE = h; x = h + (n - q); RESYNC ESTABLISHED]

ANONYMOUS AND VERIFIABLE REGISTRATION IN DATABASES

Jørgen Brandt, Ivan Bjerre Damgård*, Peter Landrock

Dept. of Mathematics and Computer Science, Aarhus University, Ny Munkegade, DK 8000 Aarhus C, Denmark.

Abstract

Methods are given by which personal data about a large number of individuals can be registered in a large central database without having to trust this register not to give away information linked to a given individual. Personal information arriving from many different sources can be placed correctly in the register. The registration is done in a verifiable way: Each individual can be given access to the register to check that his information is correct, and can even, if he chooses to do so, prove to anyone that he is or is not identical to a given person in the register. This can all be done without compromising the anonymity of any other individual.

1. Introduction

Consider a set of institutions $D_1, \ldots, D_n$, which collect information on a large number of individuals. Examples could be tax authorities, banks, hospitals etc. The institutions would like to set up a large common register C, which is to contain all information from all institutions. There may be numerous reasons for this: C may be convenient for economical or practical reasons, or it may be just a temporary register which is set up for statistical purposes.

This raises of course some security problems: the individuals may be willing to trust each of the $D_i$, but unwilling to accept a new central register, since

1) Outsiders can now get access to a complete set of personal data about anyone, just by breaking into one database; and

2) The $D_i$'s, who have legal access to C, may now read data about any individual, including those that they have had no contact with before.

* This research was supported by the Danish Natural Science Research Council.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 167-176, 1988. © Springer-Verlag Berlin Heidelberg 1988

How can we make C secure against unwanted use of the information? It is well known that preventing access, physical or otherwise, to a database is very hard and expensive. A cryptographic solution, however, can make the information useless to intruders, and therefore seems a better alternative.

Recall that in this case the personal information itself is not secret; the confidential part is the linking of names to particular records in the register. What we need is therefore a system by which the $D_i$'s can send information to C in such a way that data arriving from different places concerning the same person can be identified as such, but without this giving away the true identity of the individual involved. In other words, we want the registration to be anonymous: given an individual and a person registered in C, it should be hard to tell whether they are identical. Moreover, it is desirable that the system is verifiable, i.e. an individual i can be given access to C to check that his data are correct, and even more important: if needed, i can produce a proof that he is or is not identical to a given person registered in C. Of course, this must all be done without compromising the anonymity of anybody else.

2. Related Work

Other researchers, in particular Chaum [Ch], have designed systems to prevent the linking of a large amount of personal data. Chaum's system is based on each individual having different pseudonyms with each organisation they talk to. This makes the information unconditionally unlinkable. On the other hand, data which is to be exchanged between organisations must travel through the individual they apply to. With a nationwide database, this may not be a practical solution. In our system the individuals are known by their real name in the institutions we have to begin with ($D_1, \ldots, D_n$). This means of course that the individuals must trust the $D_i$'s and that we lose the unconditional unlinkability. On the other hand, information can now be sent to the new register directly, and since our system is identity based, it can be verifiable. This is much harder to achieve with a system where individuals choose their own pseudonyms at random: how can person i prove that he did or did not choose this particular random number?

3. Our Solution

We assume that each person is known to each $D_i$ by some unique piece of information, like name, address, etc. For person j this will be called ID(j). Consider now a solution where data will be sent to C such that information about the individual j is accompanied by an "encryption" of ID(j), i.e. the image of ID(j) under some suitable function F. We let J denote the set of all possible individuals. We assume that this set is very large, so that the set of individuals registered in C at any given time is of negligible size compared to |J|.

We can now formulate the properties we need a little more precisely:

Anonymity: given F(ID(j)) and the unordered pair (ID(j), ID(j')), it is hard to decide whether ID(j) or ID(j') is the preimage of F(ID(j)).

Verifiability: for each ID(j), there exists a witness w(ID(j)) with the property that ID(j) and F(ID(j)) are easily computable from w(ID(j)).

Independence: The anonymity condition still holds, even when one is also given a set of pairs $\{(ID(i), w(ID(i))) \mid i \ne j, j'\}$, where the i's are chosen at random from J.

The independence condition is meant to protect against the case where an enemy knows the identity of some registered individuals. The condition says that this does not help him to find other identities. Note, however, that since we assume that the given identities are randomly distributed in J, the condition does not cover the case where an enemy can choose freely individuals for which he would like to see corresponding F-values (cf. known plaintext versus chosen plaintext attacks on a cryptosystem).

The verifiability condition assigns to each individual a unique witness, which can be thought of as a certificate of the connection between corresponding ID- and F-values. This allows an individual to prove to anyone that he is or is not identical to a given person registered in C. More details can be found in Section 5.

The anonymity condition is as restrictive as possible: it says that even when given that an unknown person registered in C is identical to one out of two individuals, it is still hard to tell which one. This and the independence condition mean that some of the more obvious solutions will not work:

Consider for example using as F a publicly known one way function. This means at least that one cannot compute j from F(ID(j)). But since it is trivial to test from ID(j') and F(ID(j)) whether j = j', the anonymity condition is violated. One way to repair this could be to use a function depending on some secret parameter, like a pseudo random function [GGM] or a conventional cipher, i.e. setting $F = f_K$, where K is secret. This may satisfy the anonymity condition, but the only way we can get verifiability is by setting w(ID(j)) = K for all j, which clearly violates the independence condition.

The solution we suggest can be informally described as follows: Select a trapdoor one way permutation f and a one way function g with the same domain as f. By redefining ID, we make sure that ID(j) ∈ domain(f) for all j.

We describe one way of doing this in the following. To be specific, let ID(j) consist of a number of fields, such as firstname(j), secondname(j), street(j), city(j), etc., where firstname(j) belongs to some set FIRSTNAMES, and similarly for the other fields. This makes ID(j) an element of


$J = FIRSTNAMES \times SECONDNAMES \times STREET \times \cdots$

considered as a concatenation of ASCII characters. The set J has a certain redundancy, and using an ideal encoding rule $c : J \to \{0,1\}^k$, which is nearly a bijection for

$k = \log_2(|FIRSTNAMES|) + \log_2(|SECONDNAMES|) + \cdots$

we may represent the set of possible ID's as binary strings of length k. The parameter k should be chosen such that domain(f) = $\{0,1\}^k$. In practice, k will be a security parameter, and the number of fields in ID must be chosen accordingly. Also, we must of course admit that the cardinality of domain(f) will not in general be an exact power of 2, so we have to content ourselves with approximations in practice.

With this scheme, choosing a random person in J and applying c produces an (almost) uniformly distributed element in domain(f). Moreover, it is a reasonable assumption that choosing a random set of strings corresponding to persons registered in the database gives a good approximation to a uniform choice from all of J, where "good" is defined relative to the behavior of polynomial time algorithms using the strings as input. More specifically, we are assuming that no feasible algorithm is able to exploit the fact that the individuals in C are not really uniformly chosen, but are selected by some specific (incredibly complicated) random process.

We then set $F(ID(j)) = g(f^{-1}(ID(j)))$ and $w(ID(j)) = f^{-1}(ID(j))$. Actually this definition is a bit too restrictive. It is clearly sufficient that both ID(j) and F(ID(j)) are easily computable from w(ID(j)), and with some choices of f and g, there are other ways to meet this condition.

Theorem 3.1 With F, w and ID defined as above, the verifiability and independence conditions are satisfied.

Proof. Given w(ID(j)), one can directly compute F(ID(j)) = g(w(ID(j))). Thus the verifiability condition is satisfied. With the definition of ID given above, we may assume that selection of a random individual i will produce an element ID(i) uniformly distributed in the domain of f. Therefore a randomly chosen set {(ID(i), w(ID(i)))} can always be produced without knowing the identity of any individual, just by starting with a set of randomly chosen witnesses and computing f on each of them. Therefore an algorithm which would break the anonymity condition given a set of corresponding identities and witnesses can easily be modified to do without this, just by producing the required set from scratch as above.


It is much harder to say something conclusive about the anonymity condition. It is clearly a necessary condition that it is hard to compute x from F(x) and vice versa. But it is not necessarily true that in order to solve the testing problem, i.e. find out whether x = x' given x and F(x'), one must be able to actually compute F or $F^{-1}$. For example, it is proved below that if both f and g are independently selected trapdoor permutations, then F is in fact hard to compute "both ways". Suppose now that there exists a large class of trapdoor one way permutations which commute for all choices of trapdoor, which sounds, if not likely, then at least conceivable. Then if f and g are chosen from this class, it is trivial to see that testing is always easy. Another trivial necessary condition is therefore that f and g do not commute.

One could of course try to prove that testing is equivalent to computing function values for all functions. But there is little hope of this: in [BoLa] it is proved that this is equivalent to a long standing, and hard, problem about separation of complexity classes. Indeed if the problem was settled such that testing was equivalent to computing for ALL functions, then functions like discrete log and squaring modulo a composite would not be one way!

Thus, for the concrete constructions we propose, all we can say is that the necessary conditions are satisfied, and that independent choice of f and g does seem to be sufficient to ensure anonymity in those cases.

It remains an open problem, however, to formulate precisely what kind of "independence" one needs between f and g to get anonymity in general.

As a final observation about the anonymity condition, consider the obvious attack starting with a randomly chosen witness w and computing f(w), which will be ID(j) for some j, and g(w), which is equal to F(ID(j)). If j happens to be registered in C, we have broken the anonymity of j. This attack will not work, however, because we have assumed that the number of individuals actually registered is negligible compared to the number of possible individuals in J. Thus there is only a negligible probability that this attack will result in a known identity for any "useful" individual. This does not exclude that there could be some way to cleverly choose w in a way that would ensure that f(w) was in fact the ID of somebody in C, corresponding to what one tries to do in an attack on a signature scheme with redundancy built into the messages. Note, however, that when such redundancy schemes can be cracked, it is always because there exists some simple algebraic description of the set of valid messages. This description, together with for example the multiplicative property of RSA, can then be used to break the system. It seems extremely unlikely, though, that such a description would exist for the set of individuals registered in C at some random point of time. Unfortunately, for precisely the same reason, it seems to be very hard to actually prove something about this question!

But at least, we can prove that with the right choice of f and g, F is hard to compute in "both directions":


Theorem 3.2 Suppose F is constructed using randomly and independently chosen trapdoor permutations f and g. Suppose also that it is infeasible to compute $f^{-1}$ and $g^{-1}$ for more than a negligible fraction of the possible choices of f and g. Then both $F = g f^{-1}$ and $F^{-1} = f g^{-1}$ are infeasible to compute for more than a negligible fraction of the possible choices of pairs (f, g).

Proof. Suppose we have an efficient algorithm for computing F. Then this algorithm can be used to compute $f^{-1}$ for a randomly chosen f with unknown trapdoor as follows: select a g with known trapdoor at random, and run the algorithm on F constructed from f and g. By assumption, the algorithm can compute F-images with nonnegligible probability, and for each x for which it tells us what F(x) is, we can use the trapdoor for g to compute $f^{-1}(x) = g^{-1}(F(x))$. The case with $F^{-1}$ is symmetric. □

There is a price to pay in order to be able to prove that F and $F^{-1}$ have the claimed properties, namely the assumption that g is trapdoor, which introduces the risk of having the trapdoor revealed to an enemy. One can do away with this by developing systems where g, and therefore F, is a one way function with no (known) trapdoor. This would mean that even organisations with maximal information on the system would be unable to "decrypt" randomly chosen identities in C, although knowledge of the trapdoor for f would enable them to test given identities against F-values. This would be of little use to an enemy, however, if C was only willing to release data on an individual to $D_i$ if $D_i$ had previously provided data on that individual. This could be implemented by including a protocol by which any $D_i$ could identify itself to C before getting access to any data.

One way to implement the system in practice is to assume a trusted center which selects f and g together with the trapdoor information for f, computes and sends secretly $f^{-1}(ID(j))$ to each j, then forgets the trapdoor information and stops functioning. Alternatively the center can be made permanent if new persons have to enter the system later. The individuals can verify that they have correct information from the center, can compute their own F-value, and later convince each $D_i$ that this value is correct. This can be done simply by showing w(ID(j)) to $D_i$. In any case, no w-values have to be remembered by the $D_i$'s. This solution protects optimally against the $D_i$'s reading data they should not have access to: each $D_i$ can find data about individual j precisely if j has given F(ID(j)) to $D_i$. For all other individuals, $D_i$ is in exactly the same position as an outside enemy, by the independence condition.

Another way is to make the trapdoor for f known to all $D_i$'s, but not to C. Then the $D_i$'s can have their information stored in clear, and compute F-values as needed when they communicate with C. This removes the need for a trusted center, but on the other hand all $D_i$'s are now faced with the security problem of safeguarding the trapdoor of f. Also the protection against the $D_i$'s themselves is reduced: since knowledge of the trapdoor for f implies ability to compute F-values, the $D_i$'s can check if a given individual is identical to a person registered in C, but they are not able to find the identity of a randomly chosen person in C, by the one way property of g.

At this point we must address the ultimate disaster for the proposed model: the disclosure of both trapdoors to an enemy. Obviously, the enemy may then calculate $ID(j)$ from $F(ID(j))$ and vice versa, and the entire database is seriously compromised. It therefore seems natural to introduce some measure that would make this impossible. One scheme is to apply a one-way function $h$ to $ID(j)$ and then use the above model on $h(ID(j))$. If $h$ is truly one-way this makes it impossible for anyone to get from $F(h(ID(j)))$ to $ID(j)$ except by exhaustive search, which, by the very nature of the problem, we can never prevent if the trapdoors are revealed. There are many choices for practical implementations of $h$. It could be a hash function from a set of long $ID$'s to a much smaller set of binary strings. Here one should take care to ensure injectivity on the set of actual $ID$'s.

4. Concrete Constructions

1) $F(x) = (\sqrt{x} \bmod n)^3 \bmod n'$. The function $F$ can be constructed from

$f(x) = x^2 \bmod n$ and $g(x) = x^3 \bmod n'$,

where $n$ and $n'$ are products of two large and strong primes, chosen independently of each other. Moreover $n$ and $n'$ must be of compatible size (to prevent $F(x) = x$!). Also $f$ is only injective on the elements of odd order in $\mathbb{Z}_n^*$, which, as mentioned earlier, is compensated for through the definition of $ID$.

Obviously, $f$ and $g$ do not commute, and Theorem 3.2 indicates that $F$ and $F^{-1}$ are infeasible to compute for a non-vanishing fraction of choices of $n$ and $n'$. Note that if the factorization of $n'$ is known, $\sqrt{x} \bmod n$ and hence probably $x$ can be computed from $F(x)$. But as mentioned earlier, the trapdoor for $g$ is never used in an application, so the factorization of $n'$ can be deleted immediately after choosing $n'$.

Note that using squaring for both $f$ and $g$ will not work: given a consistent pair $(ID, F(ID))$, the witness can be computed using the Chinese Remainder Theorem and without knowledge of the factorizations! (With $w = \sqrt{ID} \bmod n$, the pair gives $w^2 \bmod n$ and $w^2 \bmod n'$, hence $w^2 \bmod nn'$; since $w < n$, the integer $w^2$ is smaller than $nn'$ and $w$ is simply its integer square root.) The generalization of this attack by Håstad [Ha] does not seem to work with our choice of exponents, since there are only 2 equations involving the witness, and this is insufficient to make the attack work. The number of equations needed to compute the witness becomes much larger when the exponents get large, and therefore better security may be achieved by choosing random RSA exponents instead of 2 and 3.


2) $F(x) = a^{\sqrt{x} \bmod n} \bmod n'$. $F$ can also be constructed from

$f(x) = x^2 \bmod n$ and $g(x) = a^x \bmod n'$,

where $n$ is chosen as above. $n'$ can be chosen as $n$ or as a large prime; it is important that $a$ is chosen such that it generates a large subgroup of $\mathbb{Z}_{n'}^*$, whence discrete logarithms base $a$ are (presumably) hard to compute. The same remarks as those relevant to case 1) apply here, except the fact that $g$ is not trapdoor in this case. This means that Theorem 3.2 does not apply; on the other hand there is no risk of accidental release of a trapdoor for $g$.

For convenience, it might even be reasonable to choose $n = n'$, except for the fact that $f$ and $g$ will then not be independently chosen.

3) $F(x) = x^{\sqrt{x} \bmod n} \bmod n$. Here, it is not so transparent how to choose $f$ and $g$. However, if we set

$f(x) = x^x \bmod n$ and $g(x) = x^2 \bmod n$

then

$F(x) = x^{\sqrt{x}} \bmod n = (\sqrt{x})^{2\sqrt{x}} \bmod n = g f g^{-1}(x)$.

So $F$ is conjugate to $f$ under the action of the symmetric group on the elements of odd order in $\mathbb{Z}_n^*$, on which $g$ is a bijection.

The function $f$ is not one to one. In fact it has some of the properties one would expect from a "typical" random function from $\mathbb{Z}_n^*$ to $\mathbb{Z}_n^*$. Indeed, as is well known:

Lemma 4.1 Consider the set of functions from a set $A$ into itself, where $A$ has cardinality $n$. Then the average size of $\mathrm{Im}(f)$ is

$(1 - e^{-1})\, n \approx 0.63\, n$. □

From practical experiments, this seems to hold for $f$. Consequently, it is reasonable to assume that $f$ is one to one on very small subsets of its domain, like the set of existing $ID$'s, for example. We then define $F = g f g^{-1}$ to obtain $F(x) = g f g^{-1}(x)$. In this setup, however, we cannot define $w(x) = f^{-1}(x)$ as in the previous section, since $x$ would then not be computable from $w(x)$. Instead we simply define $w(x) = \sqrt{x} \bmod n$, from which both $x$ and $F(x)$ can be easily computed, as required in the verifiability condition.
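As an added worked example (this code is not from the paper), the following Python instantiates construction 1 and construction 3 on a constructed toy modulus, plays the role of the center that holds the factorization of $n$, checks a witness the way a $D_i$ would, and carries out the Chinese Remainder Theorem attack noted above against the rejected variant of construction 1 in which both $f$ and $g$ are squaring. The four primes, the way identities are generated and all function names are assumptions made for illustration.

```python
import math
import secrets

# Constructed toy parameters; a deployment would use primes of hundreds of digits.
# All four primes are 3 (mod 4), so n and n' are Blum integers: squaring permutes the
# quadratic residues (the elements of odd order) and exactly one of the four square
# roots of a residue is itself a residue. All four are also 2 (mod 3), so cubing is a
# bijection modulo n' (gcd(3, phi(n')) = 1).
P, Q = 1019, 1031        # factorization of n: the trapdoor for f, held by the center
P2, Q2 = 1091, 1103      # factorization of n': the trapdoor for g, deleted after setup
N, N2 = P * Q, P2 * Q2   # n < n', so a witness w < n satisfies w^2 < n*n' (used below)


def crt(r1, m1, r2, m2):
    """The residue mod m1*m2 that is r1 mod m1 and r2 mod m2 (gcd(m1, m2) = 1)."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2
    return (r1 + m1 * t) % (m1 * m2)


def sqrt_mod_n(x):
    """Trapdoor square root: the unique residue root of x modulo n = PQ.
    For p = 3 (mod 4), x^((p+1)/4) mod p is the root that is itself a residue.
    This is f^{-1} of construction 1 and g^{-1} of construction 3."""
    return crt(pow(x, (P + 1) // 4, P), P, pow(x, (Q + 1) // 4, Q), Q)


def make_identity():
    """Choose the witness w in QR_n (odd order), so ID = w^2 mod n and w = sqrt(ID) exactly."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        w = pow(r, 2, N)
        if math.gcd(r, N) == 1 and w != 1:
            return w, pow(w, 2, N)                     # (w(ID), ID)


def F1(ident):
    """Construction 1: F(x) = (sqrt(x) mod n)^3 mod n'; needs the trapdoor for f."""
    return pow(sqrt_mod_n(ident), 3, N2)


def verify1(ident, f_value, w):
    """A D_i checks a witness: f(w) = ID and g(w) = F(ID) (the verifiability condition)."""
    return pow(w, 2, N) == ident and pow(w, 3, N2) == f_value


def F3(ident):
    """Construction 3: F(x) = x^(sqrt(x) mod n) mod n = g(f(g^{-1}(x))), f(x) = x^x, g(x) = x^2."""
    return pow(ident, sqrt_mod_n(ident), N)


def verify3(ident, f_value, w):
    """Here w(x) = sqrt(x) mod n: x = w^2 and F(x) = (w^2)^w both follow from w."""
    return pow(w, 2, N) == ident and pow(ident, w, N) == f_value


def F_double_squaring(ident):
    """The rejected variant of construction 1 with g(x) = x^2 mod n' instead of x^3."""
    return pow(sqrt_mod_n(ident), 2, N2)


def break_double_squaring(ident, f_value):
    """Recover w from (ID, F(ID)) of the rejected variant with no factorization at all:
    ID = w^2 mod n and F(ID) = w^2 mod n' combine by CRT into w^2 mod n*n', and since
    0 < w < n <= n' the integer w^2 lies below n*n', so an integer square root gives w."""
    w_squared = crt(ident, N, f_value, N2)
    w = math.isqrt(w_squared)
    if w * w != w_squared:
        raise ValueError("inconsistent (ID, F(ID)) pair")
    return w
```

The witness is deliberately generated as a square so that it lies in the odd-order subgroup on which $f$ is injective; with an arbitrary unit, $\sqrt{ID} \bmod n$ would return a different root of the four and the witness check would fail even for an honest individual. The attack function needs nothing but the two public values and the two moduli, which is exactly why the paper insists on distinct exponents.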


5. A Solution Using Bit Commitments

A bit commitment scheme is a method by which $A$ can "encrypt" a bit in such a way that

(1) No one else can guess from the encryption which bit it encrypts.

(2) After releasing the encryption, $A$ is committed to her choice of the bit, i.e. she can convince everybody about her original choice, typically by releasing some more information, but she cannot change her mind about the choice.

The encryption is computed using a random input which is also chosen by $A$. For a bit string $s$, we will let $BC(s, r)$ denote a string of encryptions, one for each bit in $s$, computed using the binary string $r$ as random input. We will talk about this as a bit commitment to $s$.

Such bit commitment schemes exist relative to many of the widely accepted intractability assumptions, such as the hardness of factoring, discrete log, graph isomorphism, etc. More details about bit commitments can be found in [Da] or [BrCr].

A very simple idea to solve our basic problem is now to let

$F(ID(j)) = BC(ID(j), r)$, and put $w(ID(j)) = r$.

$F(ID(j))$ can be computed by $j$ himself, and $j$ can prove the correctness of $F(ID(j))$ to $D_i$ simply by showing $w(ID(j))$ to $D_i$.

By property 1 above, this solution satisfies both the anonymity condition and the independence condition, even in a strict information theoretic sense, if the bit commitment scheme is chosen correctly. Property 2 prevents cheating by individuals, such as having several identities represented by the same $F$-value. Unfortunately, there is still one problem left: the verifiability condition is not satisfied, because the witness is not a function of the identity but is independently chosen, and therefore $ID(j)$ is not computable from $w(ID(j))$.

To see what this means in practice, consider the difference to the earlier described solutions: there, it is possible for $j$ to prove that $ID(j)$ is NOT connected to $F(ID(j'))$ without having to reveal $F(ID(j))$, i.e. give up his own anonymity. This can be done by setting up a boolean circuit doing the following computation: it takes as input $w(ID(j))$, and is given $ID(j')$ and $F(ID(j'))$ as constants. It checks $w(ID(j))$ by computing $ID(j)$ from it, then computes $F(ID(j))$ and compares with $F(ID(j'))$. The output is two bits: $b_1$, which is 1 precisely if the witness is correct, and $b_2$, which is 1 precisely if $F(ID(j)) = F(ID(j'))$.

Using this circuit, $j$ can convince anyone in minimum knowledge that he knows how to choose input for it that gives output $b_1 = 1$ and $b_2 = 0$. This is clearly equivalent to proving that he is not identical to the individual registered under $F(ID(j'))$. The proof can be executed using for example the general protocol from [BrChCr].

With the solution from this section, the above protocol does not work, simply because it is not possible to check the correctness of a witness, and without this check the protocol does not prove anything.

The only way to repair this is to ensure that $j$ is committed also to his choice of $w(ID(j))$. This can be done by introducing a public directory, containing entries for all individuals. For person $j$, the entry is $BC(w(ID(j)), r')$. This entry can be computed and proven correct by $j$ himself initially. We can now make the above protocol work once again, since a witness can now be checked by testing whether the appropriate entry in the public file contains a commitment to the witness in question.
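As an added example (not code from the paper), the following Python realises the commitment-based $F$ and the public directory repair described above with Pedersen commitments, which are hiding unconditionally and binding under the discrete logarithm assumption, matching the information-theoretic anonymity claimed for a correctly chosen scheme. The toy group, the identity width and all function names are assumptions for illustration; the paper does not fix a particular commitment scheme.

```python
import secrets

# Constructed toy group: p = 2q + 1 with q prime, so the squares modulo p form a subgroup
# of prime order q. G and H are squares whose mutual discrete log is not known to the
# committer (toy values; a deployment derives H from a public hash and uses a
# thousands-of-bits p).
P_MOD, Q_ORD = 2039, 1019
G, H = 4, 9
ID_WIDTH = 16                      # assumed width of an identity in bits
R_WIDTH = Q_ORD.bit_length()       # width of one randomness exponent in bits


def commit_bit(b, r):
    """Pedersen commitment G^b * H^r mod p: hiding unconditionally, binding if log_G(H) is unknown."""
    return pow(G, b, P_MOD) * pow(H, r, P_MOD) % P_MOD


def to_bits(value, width):
    return [(value >> i) & 1 for i in range(width)]


def bc(bits, rs):
    """BC(s, r): one commitment per bit of s; the list rs plays the role of the random string r."""
    return [commit_bit(b, r) for b, r in zip(bits, rs)]


def fresh_randomness(length):
    return [secrets.randbelow(Q_ORD) for _ in range(length)]


def register(identity):
    """j computes F(ID(j)) = BC(ID(j), r) and keeps the witness w(ID(j)) = r."""
    r = fresh_randomness(ID_WIDTH)
    return bc(to_bits(identity, ID_WIDTH), r), r


def opens_to(f_value, identity, w):
    """What D_i can check when j shows w: the F-value opens to this identity."""
    return f_value == bc(to_bits(identity, ID_WIDTH), w)


def witness_bits(w):
    return [b for r in w for b in to_bits(r, R_WIDTH)]


def directory_entry(w):
    """Public directory entry BC(w(ID(j)), r'): commits j to the witness itself."""
    r2 = fresh_randomness(len(witness_bits(w)))
    return bc(witness_bits(w), r2), r2


def witness_is_registered(entry, w, r2):
    """Check a claimed witness against the directory before accepting any proof that uses it."""
    return entry == bc(witness_bits(w), r2)
```

Note what the code cannot offer: no function of `w` alone yields the identity, which is the verifiability gap the text points out; `opens_to` needs the identity as an input. The directory entry closes the gap for protocol purposes by letting a verifier test a claimed witness against a commitment that $j$ published before any dispute.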

Thus this solution is of theoretical interest because it shows the existence of systems that provably satisfy the anonymity condition, but it is not of great practical importance, because we must introduce additional complications to get a complete solution.

Conclusion. We have shown a practical solution to anonymous and verifiable registration in databases, and we have pointed out 3 basic conditions that such a solution should satisfy. We have also shown the existence of solutions that satisfy all 3 conditions.

References.

[BrChCr] G. Brassard, D. Chaum and C. Crépeau: "Minimum Disclosure Proofs of Knowledge", tech. report PM-R8710, CWI, Amsterdam 1987.

[BrCr] G. Brassard and C. Crépeau: "Non-Transitive Transfer of Confidence: a Perfect Zero-Knowledge Protocol for SAT and Beyond", Proc. of FOCS 86, pp. 188-195.

D. Chaum: "Security Without Identification: Transaction Systems to make Big Brother Obsolete", CACM, vol. 28, 1985.

[Da] I. Damgård: "The Application of Clawfree Functions in Cryptography; Unconditional Protection in Cryptographic Protocols", Ph.D. thesis, Aarhus University, 1988.

[Ha] J. Håstad: "On Using RSA with Low Exponent in a Public Key Network", Proceedings of Crypto 85, Springer.

R. Boppana and J. Lagarias: "One Way Functions and Circuit Complexity", Information and Computation, vol. 74, pp. 226-240, 1987.


Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA

David Chaum Centre for Mathematics and Computer Science

Kruislaan 413 1098 SJ Amsterdam

Introduction

An election protocol is presented that has the following properties:

- A voter's privacy can be violated only by cooperation of all other voters.

- Voters can ensure that their ballots can be counted.

- Voters wishing to disrupt an election can cause only a limited delay before being disenfranchised, unless RSA is broken.

It is assumed, for simplicity, that a single organization $z$ is empowered to decide who can register and that $z$ acts faithfully to complete elections. (This assumption is relaxed somewhat in the final section.) Nevertheless, even if $z$ were endowed with infinite computational power, $z$ could not learn who votes which way or falsely convince voters that their votes are counted.

The remaining sections may be summarized as follows: (1) previous work on voting protocols and some related protocols underlying the present proposal are surveyed; (2) the ballot issuing protocol and its properties are presented separately, being the heart of the present contribution; (3) the model and overall voting protocol are presented based on the ballot issuing protocol; (4) some simple ways to apply the techniques to payment and credential systems are mentioned; and (5) the assumptions and several further points related to the protocols are discussed.

1. Relation to Previous Work

The first multi-party secure election protocol in the literature [Chaum 81] could not prevent someone able to break RSA from tracing ballots back to particular voters, although some properties about it could be proved under reasonable assumptions [Merritt 83]. A subsequent proposal did not at all protect the confidentiality of ballots from those conducting elections [Cohen & Fischer 85]. An extension [Cohen 86], similar in nature to the original [Chaum 81] proposal, divides the "government" into parts, in such a way that all parts must cooperate to violate participants' privacy. Using such a protocol to obtain the optimal privacy protection obtained here, however, would allow any single participant to disrupt the entire election. Also, it has security against cheating that is only linear in the effort required of each participant, in contrast to the exponential security proved here.

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 177-182, 1988. © Springer-Verlag Berlin Heidelberg 1988

The present work draws on two previous basic results. One is a "sender untraceability" system detailed in [Chaum 88b]. It provides unconditional security against tracing the senders of messages and limits the disruption that can be caused by participants. The second is the notion of "blind signatures," which serves as a basis for untraceable payments and credentials, as introduced in [Chaum 85] and detailed in [Chaum 88c] and [Chaum & Evertse 87].

2. Ballot Issuing Protocol

The protocol defined in this section in essence allows an applicant $y$ to give very high certainty to $z$ that the ballot provided by $y$ is of a form that allows $y$ only to cast a single vote.

Consider the following protocol between an applicant y and organization z :

(1) Once, and for all applicants, $z$ broadcasts: a small integer security parameter $s$; a second integer parameter $n$; an RSA modulus $N$; a prime $d > N$; and $n$ distinct random units of the ring of residue classes modulo $N$ (called units modulo $N$ for short), denoted $v_j$, where $j \in \{1, \dots, n\}$ throughout. (In this protocol "random" is used to mean uniformly distributed and independent of everything else.)

(2) $y \to z$ (read "$y$ sends to $z$"): $M = (m_{i,j})$, $m_{i,j} \equiv v_{\pi_i(j)}\, r_{i,j}^{\,d} \pmod N$, where $i \in \{1, \dots, s\}$, with $\pi_i$ random permutations of $\{1, \dots, n\}$, and with $r_{i,j}$ random units modulo $N$.

(3) $z \to y$: $C$, a random nonempty proper subset of $\{1, \dots, s\}$.

(4) $y \to z$: $k \in \{1, \dots, s\} \setminus C$; $P = (p_{i,j})$, $p_{i,j} = \pi_i(j)$ for $i \in C$, $p_{i,j} = \pi_k^{-1}(\pi_i(j))$ for $i \notin C$; $Q = (q_{i,j})$, $q_{i,j} \equiv r_{i,j} \pmod N$ for $i \in C$, and $q_{i,j} \equiv r_{k,\pi_k^{-1}(\pi_i(j))}\, r_{i,j}^{-1} \pmod N$ for $i \notin C$.

(5) $z$ verifies that every row of $P$ is a permutation of $\{1, \dots, n\}$; that $m_{i,j} \equiv v_{p_{i,j}}\, q_{i,j}^{\,d} \pmod N$ for $i \in C$; and that $q_{i,j}^{\,d} \equiv m_{k,p_{i,j}}\, m_{i,j}^{-1} \pmod N$ for $i \notin C$.

Theorem: For $y$ following the protocol, $\pi_k$ is statistically independent of the messages transmitted.

Proof (sketch): Without loss of generality, fix $k$. The tuple $(P, Q, M)$ defines the messages transmitted in an instance of the protocol, and $A$ denotes the set of all possible such tuples. Similarly, $B$ is the set of all possible tuples $(\pi_i, r_{i,j})$ with $i \ne k$, $1 \le i \le s$ and $1 \le j \le n$. It follows easily from the protocol that each $\pi_k$ defines a one-to-one correspondence between $A$ and $B$. Moreover, by the mutual independence and uniformity of all the $\pi_i$ and $r_{i,j}$, the conditional probability distribution of $B$ given $\pi_k$ is uniform for each instance of the protocol. Therefore the conditional probability distribution of $A$ given $\pi_k$ is always uniform and hence independent of $\pi_k$. □

Theorem: Assuming $y$ cannot form $d$th roots of random units modulo $N$, then when $z$ reveals $d$th roots modulo $N$ of $h$ distinct $m_{k,j}$, with $k$ fixed and $1 \le j \le n$, the probability of allowing $y$ to learn $d$th roots of other than exactly $h$ of the $v_j$ does not exceed $1/(2^s - 2)$.

Proof (sketch): It is sufficient to show that, with probability $\ge 1 - 1/(2^s - 2)$, there exists exactly one permutation $\pi$ such that for each $j$, $1 \le j \le n$, $y$ knows an $r_j$ such that $m_{k,j} \equiv v_{\pi(j)}\, r_j^{\,d}$. With probability $\ge 1 - 1/(2^s - 2)$ there exists at least one permutation $\pi'$ such that $y$ can express each entry $m_{k,j}$ as $m_{k,j} \equiv v_{\pi'(j)}\, r_j'^{\,d} \pmod N$, since otherwise only one $C$ allows $y$ to succeed. (Notice that for $y$ to successfully cheat, the $m_{i,j}$'s must be properly constructed for each $i \in C$ and improperly constructed for each $i \notin C$. But this implies that only one $C$ allows $y$ to cheat.) It remains to be shown that there cannot be two permutations $\pi'$ and $\pi''$ such that $y$ knows $r'_{k,j}$ and $r''_{k,j}$ with $m_{k,j} \equiv v_{\pi'(j)}\, r_{k,j}'^{\,d} \equiv v_{\pi''(j)}\, r_{k,j}''^{\,d} \pmod N$ for $j \in \{1, \dots, n\}$. If there were two such permutations, then $y$ would have been able to learn the $d$th root of a quotient $v_{\pi'(j)}\, v_{\pi''(j)}^{-1}$ for some $j$ with $\pi'(j) \ne \pi''(j)$. But it is easy to see that the ability to compute roots on random quotients is polynomial time reducible to the ability to compute roots on random units. □

3. Overall Voting Protocol

Elections are in three phases:

Preliminary: In the preliminary phase, $z$ broadcasts those things mentioned in the first step of the ballot issuing protocol above. This is done only once for the entire election. Additionally, $z$ broadcasts an assignment of an outcome to each $v_j$, thus partitioning the $v_j$ into fixed, disjoint equivalence classes, such that each class corresponds with a distinct outcome. For example, assuming the election allows each voter to cast a single vote (as is assumed throughout) for at most one of two candidates, then the $v_j$ are partitioned into two outcome classes, one for each candidate.

Registration: During the registration phase, each applicant communicates with $z$. If $z$ agrees to allow a particular applicant to register, then the applicant and $z$ conduct an instance of the ballot issuing protocol of the previous section. The result of this is a tuple of $n$ elements, $m_{k,j}$, one element of which is selected by the applicant. This selected element is denoted $b_l$ for the $l$th registered voter. (It is now assumed that $n \gg m$.) The final result of the registration phase, which is broadcast by $z$, is the set of $b_l$, for $1 \le l \le m$, where $m$ is the number of registered voters. It will still be possible for disputes regarding the $b_l$'s to be resolved at this point without revealing anything about the votes.

Voting: The voting phase is begun by $z$ broadcasting the $d$th roots of all of the $b_l$. (Naturally, if this is not carried out properly, everyone will know.) Then, the $l$th voter recovers the $d$th root of a $v_j$, simply by dividing the $d$th root of $b_l$ by the corresponding $r_{k,j}$. Each voter then broadcasts, under the sender untraceability protocol mentioned above, the root of the single $v_j$ recovered. Finally, each voter can verify that the root of the $v_j$ sent by that voter was in fact available from the broadcast channel. The number of votes for a particular outcome is just the number of distinct $d$th roots of $v_j$'s corresponding to that outcome.
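The following Python is an added worked example, not the paper's code: it runs steps (1) to (5) of the ballot issuing protocol of Section 2 between an organization $z$ and an applicant $y$, then the registration and voting steps of this section for one voter, on a constructed toy RSA modulus. Indices are 0-based, the modulus, the parameters $n$ and $s$ and the class and method names are assumptions for illustration, and the sender untraceability channel is out of scope (the recovered root is simply returned).

```python
import math
import random

rng = random.SystemRandom()


def next_prime(n):
    """Smallest prime >= n by trial division (adequate for the toy modulus used here)."""
    while any(n % i == 0 for i in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


def random_unit(N):
    while True:
        u = rng.randrange(1, N)
        if math.gcd(u, N) == 1:
            return u


class Organization:
    """z: holds the factorization of N and can therefore take d-th roots."""
    def __init__(self, p, q, n, s):
        self.N, phi = p * q, (p - 1) * (q - 1)
        self.n, self.s = n, s
        self.d = next_prime(self.N + 1)            # prime d > N, hence gcd(d, phi(N)) = 1
        self._root_exp = pow(self.d, -1, phi)      # trapdoor: x^(1/d) = x^_root_exp mod N
        self.v = []
        while len(self.v) < n:                     # step 1: n distinct random units
            u = random_unit(self.N)
            if u not in self.v:
                self.v.append(u)

    def challenge(self):
        """Step 3: a random nonempty proper subset C of the row indices {0..s-1}."""
        while True:
            C = {i for i in range(self.s) if rng.randrange(2)}
            if 0 < len(C) < self.s:
                return C

    def verify(self, M, C, k, P, Q):
        """Step 5: opened rows must be well formed, every other row a re-blinding of row k."""
        N, d, v = self.N, self.d, self.v
        for i in range(self.s):
            if sorted(P[i]) != list(range(self.n)):
                return False
            for j in range(self.n):
                if i in C:
                    ok = M[i][j] == v[P[i][j]] * pow(Q[i][j], d, N) % N
                else:
                    ok = pow(Q[i][j], d, N) == M[k][P[i][j]] * pow(M[i][j], -1, N) % N
                if not ok:
                    return False
        return True

    def dth_root(self, x):
        return pow(x, self._root_exp, self.N)


class Applicant:
    """y: s independently permuted and blinded copies of the v's (step 2)."""
    def __init__(self, N, d, v, s):
        self.N, self.d, self.v, self.s, self.n = N, d, v, s, len(v)
        self.pi = [rng.sample(range(self.n), self.n) for _ in range(s)]
        self.r = [[random_unit(N) for _ in range(self.n)] for _ in range(s)]
        self.M = [[v[self.pi[i][j]] * pow(self.r[i][j], d, N) % N
                   for j in range(self.n)] for i in range(s)]

    def respond(self, C):
        """Step 4: open the rows in C and relate each unopened row to the kept row k."""
        self.k = rng.choice([i for i in range(self.s) if i not in C])
        inv_k = [0] * self.n                       # pi_k^{-1}
        for j, t in enumerate(self.pi[self.k]):
            inv_k[t] = j
        P, Q = [], []
        for i in range(self.s):
            if i in C:
                P.append(list(self.pi[i]))
                Q.append(list(self.r[i]))
            else:
                p_row = [inv_k[self.pi[i][j]] for j in range(self.n)]
                Q.append([self.r[self.k][p] * pow(self.r[i][j], -1, self.N) % self.N
                          for j, p in enumerate(p_row)])
                P.append(p_row)
        return self.k, P, Q

    def unblind(self, j, root_of_b):
        """Voting: divide the d-th root of b = m_{k,j} by r_{k,j} to get the root of v_{pi_k(j)}."""
        root_v = root_of_b * pow(self.r[self.k][j], -1, self.N) % self.N
        return self.pi[self.k][j], root_v


def run_election_round(n=4, s=5):
    """One registration and one vote on a constructed toy modulus (a real N is ~2048 bits)."""
    z = Organization(1019, 1031, n, s)
    y = Applicant(z.N, z.d, list(z.v), s)
    C = z.challenge()
    k, P, Q = y.respond(C)
    if not z.verify(y.M, C, k, P, Q):
        raise ValueError("ballot rejected")
    j = 0                                          # the applicant's selected element b = m_{k,0}
    idx, root_v = y.unblind(j, z.dth_root(y.M[k][j]))
    return idx, pow(root_v, z.d, z.N) == z.v[idx]  # anyone can check a cast vote this way
```

The unopened-row check in `verify` is what makes the cut-and-choose bind: an entry of row $k$ that is not a blinded $v_j$ cannot be related to a properly formed entry of another row by a $d$th power, so a malformed $M$ passes only if $z$ happens to open exactly the well-formed rows, which is the $1/(2^s - 2)$ of the theorem. Row $k$ itself is covered by the same loop with $p_{k,j} = j$ and $q_{k,j} = 1$, a trivially true identity, as in the paper's statement of step (5).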

4. Payments and Credentials

The election protocol can be used to directly realize untraceable payments: each $v_j$ stands for, say, one dollar; registration is withdrawal from a bank account; payment is made by providing a shop with a $d$th root of a $v_j$ that has not yet been accepted for deposit by the bank.

A variation on the election protocol can also be used to implement a "credential mechanism" [Chaum 85 and Chaum & Evertse 87]. The $v_j$ serve as unique personal identifiers, one selected by each individual. Let $d_k$ be distinct primes, with $d_k \mid d$ and $(d_k, \varphi(N)) = 1$, for suitably many $k$'s. Each individual participates in an instance of the election protocol with each organization, using a $d_k$ unique to that organization. (See [Shamir 83] for why such use of the $d_k$ is secure.) If not all $m$ votes are cast in any organization's "election," at least one participant is cheating. In this case, people reveal all their $r_{k,j}$ and $\pi_k$, and those who are unable to show that their $b_l$ corresponds to a $v_j$ that was broadcast are revealed as cheaters and excluded from the protocol. This is repeated with different $v_j$ until no cheating is detected.

The remaining unused $k$'s each correspond to a type of credential. An organization issues the $k$th credential to a person by providing the $d_k$th root of the person's selected element, $b_l$; then and only then can the $d_k$th root of the person's selected element with any other organization be shown.

5. Discussion

It has been assumed that $n$ was large enough to make the possibility of the same $v_j$ being chosen accidentally by two voters acceptably small. This might require something like $n = 100 m^2$, which might be impractical for large $m$. Another approach allows $n = m$. It is based on the idea that voters will be able to reserve $v_j$'s anonymously. One way to do this is by using the "slot reservation" protocol of [Chaum 84a], which has been improved by [den Boer 87]. A simple variation allows reservations to be made and confirmed one at a time, using any sender untraceability system. (Reducing from $2m$ to $m$ could be accomplished by elections using one $d_k$ for each type of vote.)

If less than $m$ disjoint roots of $v_j$ are broadcast, $z$ could form and broadcast extra votes. Thus people who register and do not vote, in effect, allow $z$ to steal their vote. Someone might entrap $z$, however, by allowing a vote to be stolen and later broadcasting the real (different) vote, possibly untraceably.

The essential requirements of the communication channel are that $z$ must not be able to provide inconsistent or incomplete messages to different voters, and that voters must be able to broadcast the messages required to untraceably submit votes. The first property could be achieved in some cases simply by $z$ making digital signatures on all messages, including some kind of hash of (or even all) previous messages and a time stamp, since if inconsistent messages become known, $z$ would be incriminated.

The requirement that $d$ be prime and $> N$ ensures that $(d, \varphi(N)) = 1$. To get certainty that a small $d$ has this property seems difficult in general. It is easy, however, to modify the protocol presented to give exponential certainty that $(d, \varphi(N)) = 1$, using the idea that $y$ and $z$ can "flip coins by telephone" [Blum 82] to develop $t$ mutually trusted random units, after which $z$ is required to reveal their $d$th roots. The probability that $z$ can cheat is then $2^{-t}$, assuming that $z$ cannot cheat during the coin flipping. This can be ensured if, for example, $z$ provides the modulus used in coin flipping and is then required to reveal its factorization afterwards.

A natural extension is to divide among several entities various functions of $z$, such as: creating the random $v_j$'s; making the registration (withdrawal) decision; and signing the $b_l$'s.

Summary and Conclusion

Election protocols embodying robustness, verifiability of returns by voters, and unconditional security for voters’ privacy have been presented. The techniques also allow untraceable payments and credentials.


References

Blum, M., "Coin flipping by telephone," Proceedings of IEEE Compcon, 1982, pp. 133-137.

Boer, B. den, private communication.

Chaum, D., "Untraceable electronic mail, return addresses and digital pseudonyms," Comm. ACM 24, 2 (February 1981), pp. 84-88.

Chaum, D., "Security without identification: transaction systems to make big brother obsolete," Comm. ACM 28, 10 (October 1985), pp. 1030-1044.

Chaum, D., Evertse, J.-H., "A secure and privacy-protecting protocol for transmitting personal information between organizations," Advances in Cryptology: Proceedings of CRYPTO 86, A.M. Odlyzko, Ed., Springer-Verlag, pp. 118-167, 1987.

Chaum, D., "Blinding for unanticipated signatures," Advances in Cryptology: Proceedings of Eurocrypt 87, D. Chaum and W.L. Price, Eds., Springer-Verlag, pp. 227-233, 1988a.

Chaum, D., "The dining cryptographers problem: unconditional sender and recipient untraceability," Journal of Cryptology, Vol. 1 No. 1, pp. 65-75, 1988b.

Chaum, D., "Privacy protected payments: unconditional payer and/or payee untraceability," to appear in Smart Card 2000, North-Holland, 1988c.

Cohen, J. and Fischer, M., "A robust and verifiable cryptographically secure election scheme," Proceedings 26th FOCS, 1985, pp. 372-382.

Cohen, J.D., "Improving Privacy in Cryptographic Elections," Yale University Computer Science Department Technical Report YALEU/DCS/TR-454, February 1986.

Merritt, M., Cryptographic Protocols, Ph.D. Thesis, Georgia Institute of Technology, GIT-ICS-83/06, 1983.

Shamir, A., "On the generation of cryptographically strong pseudorandom sequences," ACM Transactions on Computer Systems, Vol. 1 No. 1, pp. 31-44, February 1983.


PASSPORTS AND VISAS VERSUS IDS (Extended Abstract)

George I. Davida Yvo G. Desmedt

Dept. of EE & CS, Univ. of Wisconsin - Milwaukee

P.O. Box 784, Milwaukee, WI 53201, U.S.A.

ABSTRACT

Most of the proposed cryptographic based electronic IDs are not adequate when used in international identification protocols. In this paper we extend the concept of a cryptographic electronic ID to a system of electronic passports and visas that surpass existing paper versions.

I. INTRODUCTION

The need to identify oneself arises in many situations: cashing a check, using a credit card, checking into hotels, etc. Some employers require the employees to wear badges for identification and/or access privileges to certain areas of the place of employment.

Identification schemes have become an increasingly important subject in cryptology. The use of cryptography in identification was first proposed by Diffie and Hellman [5], who suggested that identification corresponded to authenticating a message of the type "I am User X". Simmons suggested the use of the physical description of a person signed by a trusted center [8]. Recently Fiat and Shamir (and later Feige, Fiat and Shamir) have proposed that identification corresponds with proving that one has knowledge of a secret without divulging the secret itself, using zero-knowledge proofs [7]. These schemes have problems if the testing of the physical description of a person cannot be adequately done. Furthermore, if the testing of the physical description is adequately done, then the security of the Fiat-Shamir and Feige-Fiat-Shamir schemes need not depend on zero-knowledge proofs (see [3] and [4]).

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 183-188, 1988. © Springer-Verlag Berlin Heidelberg 1988


The very definition of what a digital identification is needs to be studied. The most recent definition given in [2], which is an adaptation of the definition given in [7, p. 186], is:

In a secure identification system at least one trusted center knows which unique individual corresponds with a certain public ID. Based on his ID A is able to convince B that he is A, but B can not convince others that he is A.

Proposed solutions to the problem of identification have to be studied more thoroughly and new methods need to be investigated. In [1] new methods are proposed in the context of a classification of the fundamental techniques of identification, namely:

1. Methods that rely on the “complete” physical description.

2. Methods that use the “complete” natural knowledge of the individual.

3. Methods that use artificial knowledge.

In the next section it will become clear that a normal ID can not be used for international purposes. An electronic version of passports and visas is necessary to have higher security than existing systems (see Section III).

II. PASSPORTS AND VISAS

Fiat and Shamir considered a passport as an example of an ID [7, p. 186]. We will see that making secure passports requires more than what is necessary for having a simple (secure) ID-card.

In an international environment there will be many centers that issue IDs. The above definition works only if one trusts the center that issues an ID. It is however clear that many countries do not necessarily trust each other. So the assumptions on which the security of ID-cards is based are inadequate in an international environment. Electronic passports are a better solution. However, passports are much more than just IDs. So extra requirements, beside those involving trust, are necessary.

Paper passports allow another country to stamp the passport at entry or upon leaving a country. These stamps are mostly date stamps and contain the name of the country which stamps, and other information such as the maximum allowed length of stay. The fact that this information is stamped inside a passport allows anyone who inspects a passport to read this information, particularly the center that issued the passport. Sometimes access to a country is denied because of a lengthy stay in another non-friendly country. The center that issues the passport can also decide to issue a new passport such that a part of your record of visits is hidden from outsiders, while retaining this information at the center.

The above stamps should not be confused with visa stamps, which are another issue, because these stamps are delivered before one visits a foreign country. Visas serve to add host country controls to the passport. These controls may be multiple. Their purpose is to better control foreign visitors. Visas are also used to implement controls by differentiating between temporary work visas, permanent work visas, tourist visas, etc. Visas also allow the host country to keep information about a person, by numbering the visas and by transferring the visas from one's old passport to a new one. Finally the visas allow the host country to become an issuing center that does not have to rely on trusting the passport issuing country. Indeed the passport issuing country can carry out many deceptions. They can for example issue different persons the same passport and even use the same name. The visa issuing country can detect such a fraud if it keeps track of the visitors and their physical description. The visa issuing country can also use more advanced techniques to check the physical description of the persons than the passport issuing country does. It is clear that such a need for control exists, in particular when a citizen of a terrorist sponsoring country applies for a visa. There are many other needs for visas.

The security of the actual passports, stamps and visas is very low. They rely on the myth that tamperproof paper and/or plastic documents and ink stamps would exist. False passports are well known and are used by criminals, terrorists and spies. So there is a need for a secure version of passports and visas which satisfy the same functionalities as actual passports and visas. Waiting too long to implement electronic passports would create the bizarre situation where cryptographic based ID-cards are issued for local use, but on an international level paper documents would still be acceptable. However, many more deceptions are possible in international activities than in national ones, so better techniques are necessary.

The reader familiar with the modern cryptographic techniques for identification easily understands that the techniques of ID-cards themselves cannot fulfill the needs of passports. We now discuss our solution in the next section.


III. ELECTRONIC PASSPORTS AND VISAS

From now on we assume that a secure simple identification system exists. We will use such an identification system to come up with the passport, but it will be clear that more is necessary.

The main idea behind electronic passports is the use of a tamperproof device which uses an ID-card technology and additionally contains an area (special memory) where data can be appended and read by everybody. This special memory, which we call an Append and Read Only Memory (AROM), is mainly intended for stamping activities (see Section II for a description of stamps). The stamp can contain information other than the date, such as a sequence number, and may include the entire history of visits by the passport holder. The stamp itself can be signed by the host country. It is at the discretion of the host country to make entries and to determine which data it wishes to append in this area.

Appending data to the AROM can be controlled to prevent the abuse of the passport by other organizations which may want to write information that is not relevant to the proper use of a passport. This can be accomplished by encapsulating in the passport a list of public keys of organizations authorized to write into the electronic passport card. The passport card first checks to determine if the candidate writer is allowed to write. If so, the writer presents a signed message. The passport-card checks the signature before appending the data. If finally there is no room left over for new stamps, the carrier of the passport goes back to his country issuing center and asks for a new passport. The center can then read and record all this information, if it wishes, and deliver a new passport. The issuing country can compress the data and leave it in the original passport or issue a new one.
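The AROM write control just described, as an added example that is not part of the paper: anyone can read, only organizations whose public keys were encapsulated at issue time can append, every stamp must carry a valid signature, and a full memory refuses further stamps. The paper fixes no signature scheme, so a hash-based Lamport one-time signature over SHA-256 stands in for it; the stamp contents and the capacity are constructed values.

```python
# Added example (not from the paper): a model of the Append and Read Only
# Memory (AROM) access control.  The paper fixes no signature scheme, so a
# hash-based Lamport one-time signature over SHA-256 stands in (each key
# signs one message).  Stamp contents and the capacity are constructed.
import hashlib
import json
import os


def hash_bytes(data):
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=os.urandom):
    """One-time key pair: 256 secret pairs; the public key is their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(256)]
    pk = [(hash_bytes(a), hash_bytes(b)) for a, b in sk]
    return sk, pk


def digest_bits(msg):
    d = hash_bytes(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret of the matching pair."""
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    if len(sig) != 256:
        return False
    return all(hash_bytes(s) == pk[i][b]
               for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))


def key_id(pk):
    """Fingerprint of a public key; identifies the writer to the card."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()


def encode_stamp(stamp):
    """Canonical bytes of a stamp (date, sequence number, ...) for signing."""
    return json.dumps(stamp, sort_keys=True).encode()


class AROM:
    """Everybody may read; only listed organizations may append signed
    stamps; nothing is ever modified or removed."""

    def __init__(self, authorized_keys, capacity):
        # public keys of authorized writers, encapsulated when the passport is issued
        self._writers = {key_id(pk): pk for pk in authorized_keys}
        self._capacity = capacity      # number of stamp slots
        self._stamps = []

    def read(self):
        return list(self._stamps)

    def is_full(self):
        return len(self._stamps) >= self._capacity

    def append(self, writer_id, stamp, sig):
        pk = self._writers.get(writer_id)      # 1. is the candidate writer allowed?
        if pk is None:
            return False
        if not lamport_verify(pk, encode_stamp(stamp), sig):   # 2. valid signature?
            return False
        if self.is_full():   # 3. no room left: the holder must go back to the issuing center
            return False
        self._stamps.append((writer_id, stamp))
        return True


def demo():
    """Host country stamps once; an unlisted organization and a tampered stamp are refused."""
    host_sk, host_pk = lamport_keygen()
    other_sk, other_pk = lamport_keygen()
    arom = AROM(authorized_keys=[host_pk], capacity=2)
    stamp = {"date": "1988-05-25", "seq": 1, "country": "HOST"}   # constructed stamp
    host_sig = lamport_sign(host_sk, encode_stamp(stamp))
    accepted = arom.append(key_id(host_pk), stamp, host_sig)
    unlisted = arom.append(key_id(other_pk), stamp,
                           lamport_sign(other_sk, encode_stamp(stamp)))
    tampered = arom.append(key_id(host_pk), dict(stamp, seq=2), host_sig)
    return accepted, unlisted, tampered, len(arom.read())
```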

The tamperfreeness of the passport-card is necessary to guarantee the AROM properties. Because tamperfreeness is used, identification systems that are simple to implement can be used [4].

Let us now discuss how visas are included in the system. Because tamperfreeness and trustworthiness of the passport are a function of the issuing country and its technology, a visa created as a separate ID device by the host country is better than (the current paper system of) placing visas in the issuing country's passports. We therefore propose physically separate visa devices, which are issued by the host country. The visa is a special crypto ID-card, using the host country's preferred identification system. The information written in such a visa can depend on all the passport data of relevance, on a sequence number, on the history of the carrier related to previous visits and other visas, and even on the carrier's physical description. The idea of including in the visa-card information about the passport (e.g., number, name, country) increases dramatically the security of the whole system. Indeed the rental problem of crypto ID cards, due to inadequacy of checking the physical description [3], can then be significantly reduced. Otherwise, use of passports independent of visas can lead to the possibility of two users simultaneously presenting the "same" passport at different locations. Advantages of renting passports are discussed in [3]. Additional methods to dramatically reduce the risk that IDs can be rented are discussed in [1]. It is important to point out that the separation that we propose is physical and not logical. The idea of a logical link between IDs can be generalized. Evidently all this information can be signed by the host country.

The visa proposed here is not to be considered a stamp, which is appended to the above AROM. If the host country wishes to leave a trace in the passport, then it can create the visa, give it a sequence number and append the following message to the AROM in the passport: "The carrier of this passport possesses a visa with: number, type, issuing date, location and issuing country". However such a trace is not necessary. In fact in some cases it is even recommended not to use such a trace. Indeed, because these passports are electronic and tamperfree, the passport issuing country may be able to restrict its citizens from visiting certain countries. If, however, a citizen obtains a visa for such a country, the passport could destroy itself before the carrier reaches the host country. This, for example, would prevent the carrier from asking for political asylum. A visa issuing country that wants to cooperate with the carrier could choose not to leave a trace of the visa in the passport. This, however, still leaves the visa issuing country free to use passport information in the visa itself. Therefore the proposed scheme again contributes to the improvement of the functionality of passports and visas. Again, the tamperfreeness of the visa device is important in this scheme.

We finally remark that our system is compatible with actual passports and visas. Visa issuing centers can, independently from the passport issuing centers, decide to use electronic visas, while the passport can still be a paper document. To allow countries that do not have adequate technological means to use electronic systems, a paper version is attached to the electronic one.

IV. CONCLUSION

Recent crypto based ID schemes do not have the functionality necessary for international use. In this paper a new scheme for electronic passports and visas is presented that is as functional as current schemes but more secure.


REFERENCES

[1] G. Davida and Y. Desmedt. "Complete" Identification Systems. Tech. Report TR-CS-88-15, Dept. of EE & CS, Univ. of Wisconsin - Milwaukee, May 1988.

[2] Y. Desmedt. Major security problems with the "unforgeable" (Feige-)Fiat-Shamir proofs of identity and how to overcome them. In Securicom 88, 6th worldwide congress on computer and communications security and protection, pp. 147-159, SEDEP Paris France, March 15-17, 1988.

[3] Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the Fiat-Shamir passport protocol. In C. Pomerance, editor, Advances in Cryptology, Proc. of Crypto '87 (Lecture Notes in Computer Science 293), pp. 21-39, Springer-Verlag, 1988. Santa Barbara, California, U.S.A., August 16-20.

[4] Y. Desmedt and J.-J. Quisquater. Public key systems based on the difficulty of tampering (Is there a difference between DES and RSA?). In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer Science 263), pp. 111-117, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15.

[5] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Trans. Inform. Theory, IT-22(6), pp. 644-654, November 1976.

[6] U. Feige, A. Fiat, and A. Shamir. Zero knowledge proofs of identity. In Proceedings of the Nineteenth ACM Symp. Theory of Computing, STOC, pp. 210-217, May 25-27, 1987.

[7] A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In A. Odlyzko, editor, Advances in Cryptology, Proc. of Crypto '86 (Lecture Notes in Computer Science 263), pp. 186-194, Springer-Verlag, 1987. Santa Barbara, California, U.S.A., August 11-15.

[8] G. J. Simmons. A system for verifying user identity and authorization at the point-of-sale or access. Cryptologia, 8(1), pp. 1-21, January 1984.


THE PROBABILISTIC THEORY OF LINEAR COMPLEXITY

Harald Niederreiter

Mathematical Institute, Austrian Academy of Sciences Dr.-Ignaz-Seipel-Platz 2

A-1010 Vienna, Austria

1. INTRODUCTION

Linear complexity is a widely accepted measure for unpredictability and randomness of keystream sequences in the context of stream ciphers (see Rueppel [10], [11, Ch. 4]). In this paper we develop a detailed probabilistic theory of linear complexity and linear complexity profiles for sequences of elements of a finite field. The basic tools are the connection between linear complexity and continued fractions for formal Laurent series established in Niederreiter [8] as well as techniques from probability theory and the theory of dynamical systems.

In practice, keystream sequences are sequences of bits, and we identify bits with elements of the binary field $F_2$. However, the methods of this paper work for arbitrary finite fields. We denote by $F_q$ the finite field with $q$ elements, where $q$ is an arbitrary prime power. A sequence $s_1, s_2, \ldots$ of elements of $F_q$ is called a $k$th-order (linear feedback) shift register sequence if there exist constant coefficients $a_k, \ldots, a_0 \in F_q$ with $a_k \ne 0$ such that

$$a_k s_{i+k} + \cdots + a_1 s_{i+1} + a_0 s_i = 0 \quad \text{for } i = 1, 2, \ldots \tag{1}$$

The zero sequence $0, 0, \ldots$ is viewed as a shift register sequence of order 0. A $k$th-order shift register sequence is uniquely determined by the recursion (1) and by the initial values $s_1, s_2, \ldots, s_k$.

Definition 1. Let $S$ be an arbitrary sequence $s_1, s_2, \ldots$ of elements of $F_q$ and let $n$ be a positive integer. Then the linear complexity $L_n(S)$ is defined as the least $k$ such that $s_1, s_2, \ldots, s_n$ form the first $n$ terms of a $k$th-order shift register sequence.

Definition 2. With the notation of Definition 1, the sequence $L_1(S), L_2(S), \ldots$ is called the linear complexity profile of $S$.

It is clear that $0 \le L_n(S) \le n$ and $L_n(S) \le L_{n+1}(S)$ for all $n$ and $S$. Therefore the linear complexity profile is a nondecreasing sequence of nonnegative integers. Rueppel [10], [11, Ch. 4] proposed the linear complexity profile as a test for randomness and set up the following stochastic model. Let $n$ be fixed and consider $L_n(S)$ for random sequences of bits. Since $L_n(S)$ just depends on the first $n$ terms of $S$, it suffices to consider the linear complexity for all choices of $s_1, s_2, \ldots, s_n$ from $F_2$. Then the linear complexity can be viewed as a random variable on $F_2^n$, where each string $s_1, s_2, \ldots, s_n$ is equiprobable. It turns out that the expected value of this random variable is $\frac{n}{2} + \frac{4 + \epsilon_n}{18}$ with $0 \le \epsilon_n \le 1$ and its variance is roughly $\frac{86}{81}$. This suggests that $L_n(S)$ should be close to $\frac{n}{2}$ for a random sequence of bits.

To arrive at a statistically meaningful use of the linear complexity profile, the following question has to be answered: for a randomly chosen and then fixed sequence $S$, what is the behavior of $L_n(S)$ as $n$ varies? We settle this question for sequences $S$ of elements of $F_q$ and also discuss related questions. The necessary background and basic results on continued fractions and dynamical systems are established in Sections 2 and 3. These results yield, first of all, the probabilistic limit theorems for continued fractions in Section 4. Exploiting the connection between continued fractions and linear complexity, we deduce the probabilistic limit theorems for linear complexity in Section 5. These limit theorems describe the asymptotic behavior of $L_n(S)$ as $n \to \infty$ and the deviations from the asymptotic behavior for random $S$. In Section 6 we study frequency distributions associated with the linear complexity for random $S$. The detailed information on the behavior of $L_n(S)$ for random $S$ is used in Section 7 to set up new types of randomness tests for keystream sequences.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 191-209, 1988. © Springer-Verlag Berlin Heidelberg 1988

2. CONTINUED FRACTIONS

We use the approach in Niederreiter [8] which is based on identifying a sequence of elements $s_1, s_2, \ldots$ of $F_q$ with its generating function $S = \sum_{i=1}^{\infty} s_i x^{-i}$. As in [8] we view $S$ as an element of the field $G = F_q((x^{-1}))$ of formal Laurent series in $x^{-1}$ over $F_q$. For $S \in G$ let $\mathrm{Pol}(S)$ be its polynomial part and $\mathrm{Fr}(S) = S - \mathrm{Pol}(S)$ its fractional part. Thus $\mathrm{Fr}(S)$ is the part of $S$ containing the negative powers of $x$. We introduce the valuation $v$ on $G$ which extends the degree function on the polynomial ring $F_q[x]$ as follows. For $S \in G$, $S \ne 0$, we put

$$v(S) = -r \quad \text{if } S = \sum_{i=r}^{\infty} s_i x^{-i} \text{ and } s_r \ne 0.$$

For $S = 0$ we put $v(S) = -\infty$. We have the following properties for $S_1, S_2 \in G$:

$$v(S_1 S_2) = v(S_1) + v(S_2),$$

$$v(S_1 + S_2) \le \max(v(S_1), v(S_2)), \qquad v(S_1 + S_2) = \max(v(S_1), v(S_2)) \text{ if } v(S_1) \ne v(S_2).$$

For $p_1, p_2 \in F_q[x]$, $p_2 \ne 0$, we have $v(p_1/p_2) = \deg(p_1) - \deg(p_2)$. Let $H$ be the set of all generating functions, thus $H = \{S \in G : v(S) < 0\}$. Every $S \in H$ has a unique continued fraction expansion of the form

$$S = 0 + 1/(A_1(S) + 1/(A_2(S) + \cdots)) =: [A_1(S), A_2(S), \ldots],$$

where $A_j(S) \in F_q[x]$ and $\deg(A_j(S)) \ge 1$ for $j \ge 1$. This expansion is finite for rational $S$ and infinite for irrational $S$. The polynomials $A_j(S)$ are obtained recursively by the following algorithm:

$$A_0(S) = 0, \quad B_0(S) = S,$$

$$A_{j+1}(S) = \mathrm{Pol}(B_j(S)^{-1}), \quad B_{j+1}(S) = \mathrm{Fr}(B_j(S)^{-1}) \quad \text{for } j \ge 0,$$

which can be continued as long as $B_j(S) \ne 0$. If the continued fraction expansion is broken off after the term $A_j(S)$, we get the rational convergent $P_j(S)/Q_j(S)$. The polynomials $P_j(S)$ and $Q_j(S)$ can be calculated recursively by

$$P_{-1}(S) = 1, \quad P_0(S) = 0, \quad P_j(S) = A_j(S) P_{j-1}(S) + P_{j-2}(S) \quad \text{for } j \ge 1,$$

$$Q_{-1}(S) = 0, \quad Q_0(S) = 1, \quad Q_j(S) = A_j(S) Q_{j-1}(S) + Q_{j-2}(S) \quad \text{for } j \ge 1.$$

We have then

$$\deg(Q_j(S)) = \sum_{m=1}^{j} \deg(A_m(S)) \quad \text{for } j \ge 1. \tag{2}$$

For rational $S$ we interpret $\deg(A_j(S)) = \deg(Q_j(S)) = \infty$ whenever $A_j(S)$ and $Q_j(S)$ do not exist. From [8] we note the formula

$$v(Q_j(S) S - P_j(S)) = -v(Q_{j+1}(S)) \quad \text{for } j \ge 0. \tag{3}$$

For $S \in H$ we write $L_n(S)$ for the linear complexity of the sequence which corresponds to the generating function $S$. The following is a special case of a result in [8].

Lemma 1. For any $n \ge 1$ and $S \in H$ we have $L_n(S) = \deg(Q_j(S))$, where $j \ge 0$ is uniquely determined by the condition

$$\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le n < \deg(Q_j(S)) + \deg(Q_{j+1}(S)).$$

With the metric $d(S_1, S_2) = 2^{v(S_1 - S_2)}$ for $S_1, S_2 \in H$, the set $H$ is a compact ultrametric space. Since $H$ is also an additive subgroup of $G$ and addition is a continuous operation in this metric topology, it follows that $H$ is a compact abelian group. Let $\mathcal{B}$ be the $\sigma$-algebra of Borel sets in $H$. Then there exists a unique Haar measure $h$ on $H$, i.e. a translation-invariant probability measure defined on $\mathcal{B}$. If $D(S_0; r) := \{S \in H : v(S - S_0) < -r\}$, $S_0 \in H$, $r = 0, 1, \ldots$, is a disk, then the translation invariance of $h$ implies that

$$h(D(S_0; r)) = q^{-r}. \tag{4}$$

We write $P$ for the set of polynomials over $F_q$ of positive degree.

Lemma 2. For $A_1, \ldots, A_k \in P$ let $R(A_1, \ldots, A_k) = \{S \in H : A_j(S) = A_j \text{ for } 1 \le j \le k\}$. Then

$$h(R(A_1, \ldots, A_k)) = q^{-2(\deg(A_1) + \cdots + \deg(A_k))}.$$

Proof. For any $S \in R(A_1, \ldots, A_k)$ we have the same value of $P_k(S) = P_k$ and $Q_k(S) = Q_k$, thus

$$v\left(S - \frac{P_k}{Q_k}\right) = -2v(Q_k) - v(A_{k+1}(S)) < -2v(Q_k)$$

by (3). Conversely, if $v(S - P_k/Q_k) < -2v(Q_k)$, then $v(Q_k S - P_k) < -v(Q_k)$, so by [8, Lemma 3] we get $Q_k = cQ_n(S)$ and $P_k = cP_n(S)$ for some $n \ge 1$, so from the uniqueness of the continued fraction expansion we obtain $n = k$ and $A_j(S) = A_j$ for $1 \le j \le k$. Thus we have shown $R(A_1, \ldots, A_k) = D(P_k/Q_k; 2v(Q_k))$, and the desired result follows from (2) and (4). □

3. DYNAMICAL SYSTEMS

We recall that a dynamical system is a probability space together with a measure-preserving transformation acting on it. We consider now the transformation $T$ on $(H, \mathcal{B}, h)$ defined by $T(S) = \mathrm{Fr}(S^{-1})$ for $S \ne 0$ and $T(0) = 0$.

Lemma 3. $T$ is measure preserving with respect to $h$.

Proof. We have to prove $h(T^{-1}(B)) = h(B)$ for all $B \in \mathcal{B}$, where $T^{-1}(B)$ is the inverse image of $B$ under $T$. By [1, Theorem 1.1] it suffices to show this for every disk $D = D(S_0; r)$. For $X \ne 0$ we have $X \in T^{-1}(D)$ if and only if $v(X^{-1} - S_0 - p) < -r$ for some $p \in P$. The latter condition can only be satisfied if $v(X^{-1}) = v(S_0 + p)$, and from this we see that for fixed $p \in P$ we have $v(X^{-1} - S_0 - p) < -r$ if and only if $X \in D((S_0 + p)^{-1}; r + 2v(p))$. If $D(W_1^{-1}; r + 2v(p_1)) \cap D(W_2^{-1}; r + 2v(p_2)) \ne \emptyset$ with $W_1 = S_0 + p_1$, $W_2 = S_0 + p_2$, and $p_1 \ne p_2$ in $P$, then

$$v(W_2^{-1} - W_1^{-1}) < -r - 2\min(v(W_1), v(W_2)).$$

On the other hand,

$$v(W_2^{-1} - W_1^{-1}) = v(W_2 - W_1) - v(W_1) - v(W_2) \ge -2\min(v(W_1), v(W_2)),$$

where the last inequality is seen by distinguishing the cases $v(W_1) \ne v(W_2)$ and $v(W_1) = v(W_2)$. This contradiction shows that the disks $D((S_0 + p)^{-1}; r + 2v(p))$ are pairwise disjoint as $p$ ranges over $P$. Since such a disk has $h$-measure $q^{-r-2v(p)}$ by (4) and since for fixed $d \ge 1$ there are exactly $(q-1)q^d$ polynomials $p \in P$ with $v(p) = d$, we obtain

$$h(T^{-1}(D)) = \sum_{p \in P} q^{-r-2v(p)} = (q-1)q^{-r} \sum_{d=1}^{\infty} q^{-d} = q^{-r} = h(D). \ \square$$

Lemma 3 shows that $(H, \mathcal{B}, h, T)$ is a dynamical system. A second dynamical system is obtained as follows. Let $\mu$ be the probability measure defined on the power set $\mathcal{P}$ of $P$ and determined by $\mu(p) = q^{-2\deg(p)}$ for $p \in P$. We consider the Cartesian product $P^\infty = \prod_{n=1}^{\infty} P_n$ with $P_n = P$ for all $n$ and the corresponding product probability space $(P^\infty, \mathcal{P}^\infty, \mu^\infty)$. On this space the transformation $T_1$ is defined by $T_1(p_1, p_2, \ldots) = (p_2, p_3, \ldots)$ for $(p_1, p_2, \ldots) \in P^\infty$. Then $(P^\infty, \mathcal{P}^\infty, \mu^\infty, T_1)$ is a dynamical system, called the one-sided (or unilateral) Bernoulli shift on $P^\infty$. See Krengel [3, Sec. 1.4] for general information on Bernoulli shifts. We use the following concept of isomorphism for dynamical systems from Billingsley [1, p. 53].

Definition 3. The dynamical systems $(\Omega, \mathcal{F}, m, \tau)$ and $(\tilde\Omega, \tilde{\mathcal{F}}, \tilde m, \tilde\tau)$ are said to be isomorphic if there exist sets $\Omega_0$ in $\mathcal{F}$ and $\tilde\Omega_0$ in $\tilde{\mathcal{F}}$ of measure 1 and a bijection $\phi$ of $\Omega_0$ onto $\tilde\Omega_0$ with the following properties:

(i) If $A \subseteq \Omega_0$ and $\tilde A = \phi(A)$, then $A \in \mathcal{F}$ if and only if $\tilde A \in \tilde{\mathcal{F}}$, in which case $m(A) = \tilde m(\tilde A)$;

(ii) $\tau(\Omega_0) \subseteq \Omega_0$ and $\tilde\tau(\tilde\Omega_0) \subseteq \tilde\Omega_0$;

(iii) $\phi(\tau(\omega)) = \tilde\tau(\phi(\omega))$ for all $\omega \in \Omega_0$.

Theorem 1. The dynamical system $(H, \mathcal{B}, h, T)$ is isomorphic to the one-sided Bernoulli shift on $P^\infty$.

Proof. We use Definition 3 with $(\Omega, \mathcal{F}, m, \tau) = (P^\infty, \mathcal{P}^\infty, \mu^\infty, T_1)$ and $(\tilde\Omega, \tilde{\mathcal{F}}, \tilde m, \tilde\tau) = (H, \mathcal{B}, h, T)$. We take $\Omega_0 = P^\infty$ and $\tilde\Omega_0 = I$, the set of irrationals in $H$. Since there are just countably many rationals in $H$, we have $h(I) = 1$. The mapping $\phi$ from $P^\infty$ onto $I$ is defined by $\phi(p_1, p_2, \ldots) = [p_1, p_2, \ldots] \in I$ for $(p_1, p_2, \ldots) \in P^\infty$. It follows from the uniqueness of the continued fraction expansion that $\phi$ is a bijection.

To prove (i) in Definition 3, we first show that if $A \in \mathcal{P}^\infty$, then $\tilde A \in \mathcal{B}$ and $\mu^\infty(A) = h(\tilde A)$. It suffices to prove this for cylinder sets $A = \{(p_1, p_2, \ldots) \in P^\infty : p_j = A_j \text{ for } 1 \le j \le k\}$, where $k \ge 1$ and $A_1, \ldots, A_k \in P$ are fixed. But then $\tilde A = R(A_1, \ldots, A_k) \cap I$, and since we have shown in the proof of Lemma 2 that $R(A_1, \ldots, A_k)$ is a disk, we get $\tilde A \in \mathcal{B}$. Furthermore by Lemma 2,

$$\mu^\infty(A) = \prod_{j=1}^{k} \mu(A_j) = q^{-2\sum_{j=1}^{k} \deg(A_j)} = h(R(A_1, \ldots, A_k)) = h(\tilde A).$$

Now we have to show that if $\tilde A \subseteq I$ and $\tilde A \in \mathcal{B}$, then $A = \phi^{-1}(\tilde A) \in \mathcal{P}^\infty$. It suffices to prove this for sets that are intersections of $I$ with a disk. We first consider the special case where

$$\tilde A = \{S \in I : v(S - S_0) < -v(Q_k(S_0)) - v(Q_{k+1}(S_0))\}$$

with $k \ge 0$ and $S_0 \in I$. If $S \in \tilde A$, then $v(S - P_k(S_0)/Q_k(S_0)) < -2v(Q_k(S_0))$ by (3), and so $S$ has the continued fraction expansion $S = [A_1(S_0), \ldots, A_k(S_0), A_{k+1}(S), \ldots]$ by an argument in the proof of Lemma 2. Now $v(S - S_0) < -v(Q_k(S_0)) - v(Q_{k+1}(S_0))$ and $Q_k(S) = Q_k(S_0)$ imply $v(A_{k+1}(S)) \ge v(A_{k+1}(S_0)) =: n$. Conversely, if $S$ has a continued fraction expansion as above with $v(A_{k+1}(S)) \ge n$, then it is seen immediately that $S \in \tilde A$. Thus

$$\tilde A = \{S \in I : A_j(S) = A_j(S_0) \text{ for } 1 \le j \le k \text{ and } v(A_{k+1}(S)) \ge n\},$$

hence $\phi^{-1}(\tilde A) = \{(p_1, p_2, \ldots) \in P^\infty : p_j = A_j(S_0) \text{ for } 1 \le j \le k \text{ and } v(p_{k+1}) \ge n\}$ is a countable union of cylinder sets and so in $\mathcal{P}^\infty$.

Now we consider the general case $\tilde A = D \cap I$ with a disk $D = \{S \in H : v(S - S_0) < -r\}$, $S_0 \in H$, $r \ge 0$. Since any element of $D$ can serve as the center of $D$ ($H$ is ultrametric!), we can assume that $S_0$ is irrational. For every $U \in \tilde A$ and every integer $k \ge 0$ with $v(Q_k(U)) + v(Q_{k+1}(U)) \ge r$ we define

$$D_k(U) = \{S \in H : v(S - U) < -v(Q_k(U)) - v(Q_{k+1}(U))\}.$$

Every disk $D_k(U)$ is contained in $D$. We claim that the family of all $D_k(U)$ covers $D$. For this it suffices to show that every rational $S \in D$ lies in some $D_k(U)$. Let $S = [A_1(S), A_2(S), \ldots, A_t(S)]$ and $S \in D$ (if $S = 0$, put $t = 0$ and $Q_0(S) = 1$ in the following). If $v(Q_t(S)) \ge r/2$, put $U = [A_1(S), A_2(S), \ldots, A_t(S), x, x, \ldots]$. Then

$$v(S - U) = v\left(\frac{P_t(U)}{Q_t(U)} - U\right) = -v(Q_t(U)) - v(Q_{t+1}(U))$$

and $v(Q_t(U)) + v(Q_{t+1}(U)) > 2v(Q_t(S)) \ge r$, thus $S \in D_t(U)$ and $U \in \tilde A$. If $v(Q_t(S)) < r/2$, put $U = [A_1(S), A_2(S), \ldots, A_t(S), A_{t+1}(S_0), x, x, \ldots]$. We have $v(S - S_0) < -r < -2v(Q_t(S))$ and so $A_j(S_0) = A_j(S)$ for $1 \le j \le t$ by an argument in the proof of Lemma 2. It […], hence $S \in D_t(U)$ and $U \in \tilde A$. Thus we have shown that the closed (and also open) disks $D_k(U)$ form an open cover of the compact set $D$, and so finitely many of the sets $D_k(U)$, say $E_1, \ldots, E_b$, already cover $D$. Each $E_i \cap I$ is of the special form considered earlier, thus

$$\phi^{-1}(\tilde A) = \bigcup_{i=1}^{b} \phi^{-1}(E_i \cap I) \in \mathcal{P}^\infty$$

as a finite union of elements of $\mathcal{P}^\infty$. Property (ii) in Definition 3 is trivially satisfied and (iii) follows from an easy calculation using the algorithm for the $A_j(S)$ and $B_j(S)$ in Section 2. □

4. LIMIT THEOREMS FOR CONTINUED FRACTIONS

It follows from Theorem 1 that $(H, \mathcal{B}, h, T)$ inherits all dynamical properties of the one-sided Bernoulli shift on $P^\infty$ (compare with [1, Ch. 2]). In particular, since every one-sided Bernoulli shift is ergodic (see [3, Sec. 1.4], [4, p. 183]), we obtain that $T$ is ergodic with respect to $h$, i.e. $T^{-1}(B) = B$ for some $B \in \mathcal{B}$ implies that $h(B) = 0$ or 1. The individual ergodic theorem, in the form given in [4, p. 183], yields the following result. Here and in the following we say that a stated property holds $h$-almost everywhere ($h$-a.e.) if the property holds for a set of $S \in H$ of $h$-measure 1.

Theorem 2. For any $h$-integrable function $f$ on $H$ we have

$$\lim_{n \to \infty} \frac{1}{n} \sum_{j=0}^{n-1} f(T^j(S)) = \int_H f \, dh \quad h\text{-a.e.}$$

We note that since $T^j$ denotes the $j$th iterate of $T$ (with $T^0$ the identity mapping), we have $T^j(S) = B_j(S)$ for all $j \ge 0$ and $S \in I$. Rational $S$ can be ignored since they form a set of $h$-measure 0.

Theorem 3. For any function $g$ on […]

Proof. We apply Theorem 2 with $f(S) = g(\mathrm{Pol}(S^{-1}))$ for $S \ne 0$, $f(0) = 0$. For $S \in I$ we have then $f(T^j(S)) = f(B_j(S)) = g(A_{j+1}(S))$ for all $j \ge 0$. In particular $f(S) = g(A_1(S))$, hence […] by Lemma 2. The condition on $g$ guarantees that $f$ is $h$-integrable on $H$. □

Corollary 1. $\lim_{n \to \infty} \frac{1}{n} \deg(Q_n(S)) = \frac{q}{q-1}$ $h$-a.e.

Proof. This follows from Theorem 3 with $g(p) = \deg(p)$ for $p \in P$. We also use (2) and the identity $\sum_{d=1}^{\infty} d z^d = z(1-z)^{-2}$ with $z = q^{-1}$. □

Corollary 2. We have $h$-a.e.

$$\lim_{n \to \infty} \frac{1}{n} \#\{1 \le j \le n : A_{j+i-1}(S) = A_i \text{ for } 1 \le i \le k\} = q^{-2(\deg(A_1) + \cdots + \deg(A_k))}$$

for all $k \ge 1$ and all $A_1, \ldots, A_k \in P$.

Proof. We apply Theorem 2 with $f$ being the characteristic function of the set $R(A_1, \ldots, A_k)$ and use Lemma 2. Since there are just countably many choices for $A_1, \ldots, A_k$, the result follows. □

For $k = 1$ Corollary 2 gives the distribution of the partial quotients $A_j(S)$ in the continued fraction expansion of a random generating function $S$.

Lemma 4. Let $g$ be an arbitrary real-valued function on $P$. If $X_j(S) = g(A_j(S))$ for $j \ge 1$, then $X_1, X_2, \ldots$ is a sequence of independent and identically distributed random variables on $(H, \mathcal{B}, h)$.

Proof. Strictly speaking, $X_j$ is only defined on $I$, but we may define $X_j$ arbitrarily on the set of $h$-measure 0 formed by the rationals. For $S \in I$ and any $j \ge 1$ we have

$$X_j(S) = g(\mathrm{Pol}(B_{j-1}(S)^{-1})) = g(A_1(B_{j-1}(S))) = X_1(B_{j-1}(S)) = X_1(T^{j-1}(S)),$$

hence Lemma 3 implies that the $X_j$ are identically distributed. To prove that $X_1, \ldots, X_k$ are independent, it suffices to show that the events $A_1(S) = A_1, \ldots, A_k(S) = A_k$ are independent for any $A_1, \ldots, A_k \in P$, and this follows from Lemma 2. □

Theorem 4 (Law of the Iterated Logarithm for Continued Fractions). Let $g$ be a nonconstant real-valued function on $P$ with $\sum_{p \in P} g(p)^2 q^{-2\deg(p)} < \infty$. Put […] Then $h$-a.e. […]

Proof. Let the random variables $X_j$ be as in Lemma 4. Then $E$ is the expected value and $\sigma$ the standard deviation of $X_j$, and the conditions on $g$ guarantee that the second moment of $X_j$ exists and $\sigma > 0$. The result follows then from the Hartman-Wintner law of the iterated logarithm in the form given in Bingham [2]. □

Corollary 3. We have $h$-a.e.

$$\limsup_{n \to \infty} \frac{\deg(Q_n(S)) - \frac{q}{q-1} n}{(2qn \log\log n)^{1/2}} = \frac{1}{q-1}, \qquad \liminf_{n \to \infty} \frac{\deg(Q_n(S)) - \frac{q}{q-1} n}{(2qn \log\log n)^{1/2}} = -\frac{1}{q-1}.$$

Proof. We apply Theorem 4 with $g(p) = \deg(p)$ for $p \in P$. Then $E = q/(q-1)$ by the identity in the proof of Corollary 1. The identity

$$\sum_{d=1}^{\infty} d^2 z^d = (z^2 + z)(1-z)^{-3}$$

with $z = q^{-1}$ yields

$$\sigma^2 = \frac{q^2 + q}{(q-1)^2} - \frac{q^2}{(q-1)^2} = \frac{q}{(q-1)^2}.$$

Together with (2) the result follows. □

Theorem 5 (Central Limit Theorem for Continued Fractions). Let $g, E, \sigma$ be as in Theorem 4. Then for any $a < b$ (where we can have $a = -\infty$ or $b = \infty$),

$$\lim_{n \to \infty} h\left(\left\{S \in H : a\sigma\sqrt{n} \le \sum_{j=1}^{n} g(A_j(S)) - nE \le b\sigma\sqrt{n}\right\}\right) = \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2} \, dt.$$

Proof. We proceed as in the proof of Theorem 4 and use the central limit theorem for independent and identically distributed random variables (see [9, pp. 22-23]). □

Theorem 6. Let $f$ be a nonnegative function on the positive integers. If $\sum_{j=1}^{\infty} q^{-f(j)} < \infty$, then $h$-a.e. we have $\deg(A_j(S)) \le f(j)$ for all sufficiently large $j$. If $\sum_{j=1}^{\infty} q^{-f(j)} = \infty$, then $h$-a.e. we have $\deg(A_j(S)) > f(j)$ for infinitely many $j$.

Proof. The events $\deg(A_j(S)) > f(j)$ for $j = 1, 2, \ldots$ are independent by Lemma 4. If $k(j)$ is the least integer $> f(j)$, then these events are identical with the events $\deg(A_j(S)) \ge k(j)$. For each $j$ we have

$$h(\{S \in H : \deg(A_j(S)) \ge k(j)\}) = q^{1-k(j)}$$

by Lemma 2. Since $\sum_{j=1}^{\infty} q^{1-k(j)}$ converges (resp. diverges) if and only if $\sum_{j=1}^{\infty} q^{-f(j)}$ converges (resp. diverges), the theorem follows from the Borel zero-one law (see [6, p. 228]). □

5. LIMIT THEOREMS FOR LINEAR COMPLEXITY

Because of the connection between continued fractions and linear complexity expressed in Lemma 1, the results in Section 4 have implications for the linear complexity $L_n(S)$.

Theorem 7. $\lim_{n \to \infty} \frac{L_n(S)}{n} = \frac{1}{2}$ $h$-a.e.

Proof. If $n$ and $j$ are related as in Lemma 1, then from this result we get […] Corollary 1 yields […] hence the desired result follows. □

The deviation of $L_n(S)$ from its asymptotic expected value is described more precisely by the following results.

Theorem 8. Let $f$ be a nonnegative nondecreasing function on the positive integers with $\sum_{n=1}^{\infty} q^{-f(n)} < \infty$. Then $h$-a.e. $|L_n(S) - \frac{n}{2}| \le \frac{1}{2} f(n)$ for all sufficiently large $n$.

Proof. Theorem 6 shows that $h$-a.e. we have $\deg(A_j(S)) \le f(j)$ for all sufficiently large $j$. For such an $S$ we deduce from (5) that $|L_n(S) - \frac{n}{2}| \le \frac{1}{2} f(j+1)$ for all sufficiently large $n$. Now $n \ge \deg(Q_{j-1}(S)) + \deg(Q_j(S)) \ge 2j - 1 \ge j + 1$ for all $j \ge 2$, and so $f(j+1) \le f(n)$. □

Theorem 9. Let $f$ be a nonnegative nondecreasing function on the positive integers with $\sum_{n=1}^{\infty} q^{-f(n)} = \infty$. Then $h$-a.e.

$$L_n(S) > \frac{n}{2} + \frac{1}{2} f(n) \quad \text{for infinitely many } n,$$

$$L_n(S) < \frac{n}{2} - \frac{1}{2} f(n) \quad \text{for infinitely many } n.$$

Proof. From the conditions on $f$ we get $\sum_{n=1}^{\infty} q^{-f(5n)} = \infty$. Thus Theorem 6 implies that $h$-a.e. we have $\deg(A_j(S)) > f(5j)$ for infinitely many $j$. For such $S$ and $j$ we take $n = \deg(Q_{j-1}(S)) + \deg(Q_j(S))$, then

$$L_n(S) - \frac{n}{2} = \frac{1}{2} \deg(A_j(S)) > \frac{1}{2} f(5j)$$

by Lemma 1. By Corollary 1 we can assume that $S$ satisfies $\lim_{j \to \infty} \deg(Q_j(S))/j = q/(q-1)$. Then

$$\frac{1}{j} \deg(Q_j(S)) \le \frac{5}{2} \quad \text{for all sufficiently large } j.$$

Thus for infinitely many $j$ we have $n = \deg(Q_{j-1}(S)) + \deg(Q_j(S)) < 2\deg(Q_j(S)) < 5j$, hence

$$L_n(S) - \frac{n}{2} > \frac{1}{2} f(5j) \ge \frac{1}{2} f(n)$$

for infinitely many $n$. The second part is shown similarly, using that $h$-a.e. we have $\deg(A_{j+1}(S)) > f(5j+5) + 1$ for infinitely many $j$ and taking $n = \deg(Q_j(S)) + \deg(Q_{j+1}(S)) - 1$. □

Theorem 10 (Law of the Logarithm for Linear Complexity). We have $h$-a.e.

$$\limsup_{n \to \infty} \frac{|L_n(S) - (n/2)|}{\log n} = \frac{1}{2 \log q}.$$

Proof. We use Theorem 8 with $f(n) = (1 + \epsilon)(\log n)/\log q$ for arbitrary $\epsilon > 0$ and Theorem 9 with $f(n) = (\log n)/\log q$. □

6. FREQUENCY DISTRIBUTIONS FOR LINEAR COMPLEXITY

For any integers $c$ and $N$ with $N \ge 1$ let $Z(N; c; S)$ be the number of $n$, $1 \le n \le N$, with $L_n(S) = (n + c)/2$. We note that the cases $c = 0$ and $c = 1$ correspond to perfect linear complexity (compare with [8], [10], [11]).

Theorem 11. We have $h$-a.e.

$$\lim_{N \to \infty} \frac{Z(N; c; S)}{N} = \frac{q-1}{2q^{|c - (1/2)| + (1/2)}} \quad \text{for all integers } c.$$

Proof. From Corollary 1 we get

$$\lim_{j \to \infty} \frac{j}{\deg(Q_{j-1}(S)) + \deg(Q_j(S))} = \frac{q-1}{2q} \quad h\text{-a.e.}$$

Let $j(N, S)$ be the largest index $j$ with $\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le N$. Then with $j' = j(N, S)$ we have

$$\deg(Q_{j'-1}(S)) + \deg(Q_{j'}(S)) \le N < \deg(Q_{j'}(S)) + \deg(Q_{j'+1}(S)),$$

and so

$$\lim_{N \to \infty} \frac{j(N, S)}{N} = \frac{q-1}{2q} \quad h\text{-a.e.} \tag{6}$$

Now let $c \ge 1$. Whenever $\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le n < \deg(Q_j(S)) + \deg(Q_{j+1}(S))$, then Lemma 1 shows that $L_n(S) = (n + c)/2$ if and only if $n = 2\deg(Q_j(S)) - c$ with $j \ge 1$. This value of $n$ lies in the indicated range if and only if $\deg(Q_{j-1}(S)) + \deg(Q_j(S)) \le 2\deg(Q_j(S)) - c$, which is equivalent to $\deg(A_j(S)) \ge c$. Therefore

$$Z(N; c; S) = B(j(N, S); c; S) - E(N; c; S),$$

where $B(r; c; S)$ denotes the number of $j$, $1 \le j \le r$, with $\deg(A_j(S)) \ge c$ and where $E(N; c; S) = 0$ or 1. Let $g$ be the function on $P$ defined by $g(p) = 1$ if $\deg(p) \ge c$ and $g(p) = 0$ otherwise. Then Theorem 3 yields […] It follows from (6) that $h$-a.e. […] For $c \le 0$ the result is shown similarly. □

For c = 0 and c = 1 we define $Y_n^{(c)}(S)$, n = 1, 2, ..., by $Y_n^{(c)}(S) = 1$ if $L_{2n-c}(S) = n$ and $Y_n^{(c)}(S) = 0$ if $L_{2n-c}(S) \ne n$.

Lemma 5. If c = 0 or c = 1, then $Y_1^{(c)}, Y_2^{(c)}, \dots$ is a sequence of independent and identically distributed random variables on (H, 𝔅, h).

Proof. It follows from Lemma 1 that $L_{2n-c}(S) = n$ if and only if $\deg(Q_j(S)) = n$ for some j ≥ 1. Since the last condition is independent of c, we have $Y_n^{(0)} = Y_n^{(1)}$, and we write $Y_n$ for $Y_n^{(c)}$. We have

$$h(\{S \in H : Y_n(S) = 1\}) = \sum_{j=1}^{n} h(\{S \in H : \deg(Q_j(S)) = n\}).$$

For fixed j, 1 ≤ j ≤ n, we obtain from (2) and Lemma 2:

$$h(\{S \in H : \deg(Q_j(S)) = n\}) = \sum_{d_1,\dots,d_j \ge 1,\ d_1+\cdots+d_j = n} h(\{S \in H : \deg(A_m(S)) = d_m \text{ for } 1 \le m \le j\})$$
$$= \sum_{d_1,\dots,d_j \ge 1,\ d_1+\cdots+d_j = n} (q-1)q^{d_1} \cdots (q-1)q^{d_j}\, q^{-2(d_1+\cdots+d_j)} = (q-1)^j q^{-n} \sum_{d_1,\dots,d_j \ge 1,\ d_1+\cdots+d_j = n} 1 = (q-1)^j q^{-n} \binom{n-1}{j-1}.$$

Thus

$$h(\{S \in H : Y_n(S) = 1\}) = q^{-n} \sum_{j=1}^{n} (q-1)^j \binom{n-1}{j-1} = \frac{q-1}{q}, \quad (7)$$

which shows in particular that the $Y_n$ are identically distributed. To prove that $Y_1, \dots, Y_k$ are independent, we choose $\varepsilon_1, \dots, \varepsilon_k \in \{0,1\}$ arbitrarily and let $1 \le r_1 < r_2 < \cdots < r_t \le k$ be exactly those indices for which $\varepsilon_{r_i} = 1$. By the remark at the beginning of the proof we have $Y_1(S) = \varepsilon_1, \dots, Y_k(S) = \varepsilon_k$ if and only if $r_1, \dots, r_t$ appear as values of $\deg(Q_j(S))$ for some j ≥ 1 and the other elements of {1, 2, ..., k} do not. This condition is equivalent to $\deg(Q_1(S)) = r_1, \dots, \deg(Q_t(S)) = r_t, \deg(Q_{t+1}(S)) > k$, which is in turn equivalent to $\deg(A_1(S)) = r_1, \deg(A_2(S)) = r_2 - r_1, \dots, \deg(A_t(S)) = r_t - r_{t-1}, \deg(A_{t+1}(S)) > k - r_t$, where we put $r_0 = 0$ if t = 0. Therefore Lemma 2 yields

$$h(\{S \in H : Y_1(S) = \varepsilon_1, \dots, Y_k(S) = \varepsilon_k\}) = \sum_{m=k-r_t+1}^{\infty} (q-1)^{t+1} q^{-r_t - m} = (q-1)^t q^{-k}.$$

On the other hand, it follows from (7) that

$$\prod_{i=1}^{k} h(\{S \in H : Y_i(S) = \varepsilon_i\}) = \Big(\frac{q-1}{q}\Big)^t \Big(\frac{1}{q}\Big)^{k-t} = (q-1)^t q^{-k},$$

and so $Y_1, \dots, Y_k$ are independent. □

Theorem 12 (Law of the Iterated Logarithm for Perfect Linear Complexity, First Version). For c = 0 and c = 1 we have h-a.e.

Proof. By (7) the expected value of $Y_n$ is (q−1)/q and the variance of $Y_n$ is

$$\sigma^2 = \int_H Y_n^2\,dh - \Big(\frac{q-1}{q}\Big)^2 = \frac{q-1}{q} - \Big(\frac{q-1}{q}\Big)^2 = \frac{q-1}{q^2}.$$

It follows from Lemma 5 and the Hartman-Wintner law of the iterated logarithm that h-a.e.

$$\limsup_{n\to\infty} \frac{\sum_{i=1}^{n} Y_i(S) - n(q-1)/q}{\sigma\,(2n\log\log n)^{1/2}} = 1, \qquad \liminf_{n\to\infty} \frac{\sum_{i=1}^{n} Y_i(S) - n(q-1)/q}{\sigma\,(2n\log\log n)^{1/2}} = -1. \quad (8)$$

Putting $n = \lfloor (N+c)/2 \rfloor$, where ⌊t⌋ denotes the greatest integer ≤ t, and using

$$Z(N;c;S) = \sum_{n=1}^{\lfloor (N+c)/2 \rfloor} Y_n(S) \quad (9)$$

for c = 0 and c = 1, we obtain the theorem. □

Theorem 13 (Law of the Iterated Logarithm for Perfect Linear Complexity, Second Version). If W(N;S) is the number of n, 1 ≤ n ≤ N, with $L_n(S) = n/2$ or $(n+1)/2$, then h-a.e.

Proof. We put $n = \lfloor N/2 \rfloor$ in (8) and use

$$W(N;S) = 2 \sum_{n=1}^{\lfloor N/2 \rfloor} Y_n(S) + e(N;S) \quad (10)$$

with e(N;S) = 0 or 1, as follows from (9). □

Theorem 14 (Central Limit Theorem for Perfect Linear Complexity, First Version). For c = 0 and c = 1 we have for any a < b (where we can have a = −∞ or b = ∞),

Proof. The expected value and the variance of $Y_n$ have been calculated in the proof of Theorem 12. From Lemma 5 and the central limit theorem we obtain

Applying this with $n = \lfloor (N+c)/2 \rfloor$ and using (9) we get

$$\lim_{N\to\infty} h(B_N(a,b,c)) = \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt,$$

where

For given ε > 0 we have $A_N(a,b,c) \subseteq B_N(a-\varepsilon, b+\varepsilon, c)$ for all sufficiently large N, hence

$$\limsup_{N\to\infty} h(A_N(a,b,c)) \le \lim_{N\to\infty} h(B_N(a-\varepsilon, b+\varepsilon, c)) = \frac{1}{\sqrt{2\pi}} \int_{a-\varepsilon}^{b+\varepsilon} e^{-t^2/2}\,dt.$$

With ε → 0+ we obtain

$$\limsup_{N\to\infty} h(A_N(a,b,c)) \le \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt.$$

Using $B_N(a+\varepsilon, b-\varepsilon, c) \subseteq A_N(a,b,c)$ for all sufficiently large N, we get similarly

$$\liminf_{N\to\infty} h(A_N(a,b,c)) \ge \frac{1}{\sqrt{2\pi}} \int_a^b e^{-t^2/2}\,dt,$$

and the desired result follows. □

Theorem 15 (Central Limit Theorem for Perfect Linear Complexity, Second Version). If W(N;S) is as in Theorem 13, then we have for any a < b (where we can have a = −∞ or b = ∞),

Proof. We apply (11) with $n = \lfloor N/2 \rfloor$, use (10), and proceed as in the proof of Theorem 14. □

Theorem 16. We have h-a.e.

for all integers c.

Proof. For c = 0 and c = 1 this follows from Theorem 12. Now let c ≥ 2. From the proof of Theorem 11 we obtain

$$|Z(N;c;S) - B(j(N,S);c;S)| \le 1 \quad (12)$$

with $B(r;c;S) = \sum_{j=1}^{r} g(A_j(S))$, where g is the function on P defined by g(p) = 1 if deg(p) ≥ c and g(p) = 0 otherwise. By Theorem 4 we have

$$\limsup_{r\to\infty} \frac{B(r;c;S) - rq^{1-c}}{\delta\,(2r\log\log r)^{1/2}} = 1, \qquad \liminf_{r\to\infty} \frac{B(r;c;S) - rq^{1-c}}{\delta\,(2r\log\log r)^{1/2}} = -1 \quad \text{h-a.e.},$$

where

$$\delta^2 = \sum_{p\in P} g(p)^2 q^{-2\deg(p)} - q^{2-2c} = q^{1-c} - q^{2-2c} = q^{1-2c}(q^c - q).$$

For an S ∈ H with the property above and for a given 0 < ε < 1 we therefore get

$$|B(j(N,S);c;S) - j(N,S)\,q^{1-c}| \le (1+\varepsilon)\,\delta\,(2j(N,S)\log\log j(N,S))^{1/2} \quad (13)$$

for all sufficiently large N. By Corollary 3 we can assume that the S ∈ H under consideration satisfies

$$\Big|\deg(Q_n(S)) - \frac{qn}{q-1}\Big| \le \frac{1+\varepsilon}{q-1}\,(2qn\log\log n)^{1/2}$$

for all sufficiently large n. Put

$$F(j) = \frac{2qj}{q-1} - \frac{2(1+\varepsilon)}{q-1}\,(2qj\log\log j)^{1/2}.$$

By the definition of j(N,S) in the proof of Theorem 11 we then have $F(j(N,S)) \le \deg(Q_{j(N,S)-1}(S)) + \deg(Q_{j(N,S)}(S)) \le N$ for all sufficiently large N. Moreover, F(j) is an increasing function of j for sufficiently large j and it is easily checked that

$$F\Big(\frac{(q-1)N}{2q} + \frac{1+2\varepsilon}{q}\,((q-1)N\log\log N)^{1/2}\Big) > N$$

for all sufficiently large N. It follows that

$$j(N,S) \le \frac{(q-1)N}{2q} + \frac{1+2\varepsilon}{q}\,((q-1)N\log\log N)^{1/2} \quad (14)$$

for all sufficiently large N. In particular, we have $j(N,S) \le (1+\varepsilon)(q-1)N/(2q)$ for all sufficiently large N. Now (12), (13), and (14) yield

$$Z(N;c;S) - \frac{(q-1)N}{2q^c} \le B(j(N,S);c;S) - j(N,S)\,q^{1-c} + \Big(j(N,S) - \frac{(q-1)N}{2q}\Big)q^{1-c} + 1$$
$$\le (1+\varepsilon)\,\delta\,(2j(N,S)\log\log j(N,S))^{1/2} + \frac{1+2\varepsilon}{q^c}\,((q-1)N\log\log N)^{1/2} + 1 \le (1+3\varepsilon)\,\frac{(q^c-q)^{1/2} + 1}{q^c}\,(q-1)^{1/2}(N\log\log N)^{1/2}$$

for all sufficiently large N, and so the first part of the theorem is shown for c ≥ 2. The remaining cases are proved similarly. □

7. CONTINUED FRACTION TESTS

From Lemma 1 we see that a linear complexity profile always has the following form:

$$0, \dots, 0, d_1, \dots, d_1, d_1 + d_2, \dots, d_1 + d_2, \dots \quad (15)$$

with 0 repeated $d_1 - 1$ times and $\sum_{i=1}^{j} d_i$ repeated $d_j + d_{j+1}$ times for all j ≥ 1, where $d_1, d_2, \dots$ are positive integers given by $d_j = \deg(A_j(S))$. Therefore, prescribing a linear complexity profile is equivalent to prescribing an arbitrary sequence $d_1, d_2, \dots$ of positive integers. If $d_1, d_2, \dots$ is given, then the following algorithm in Niederreiter [8] generates a sequence $s_1, s_2, \dots$ of elements of $F_q$ whose linear complexity profile is as in (15). We put $q_j = \sum_{i=1}^{j} d_i$ for j ≥ 1. We recall that the polynomial $a_k x^k + \cdots + a_1 x + a_0$ associated with the linear recursion (1) is called the characteristic polynomial of the linear recursion.

Algorithm

Initialization: $Q_0 = 1$ (considered as a polynomial over $F_q$).

Step 1: Choose a polynomial $A_1$ over $F_q$ with $\deg(A_1) = d_1$ and let $Q_1 = A_1$. Calculate the terms $s_i$ with $1 \le i \le q_1 + q_2 - 1$ by the linear recursion with characteristic polynomial $Q_1$ and initial values $s_i = 0$ for $1 \le i \le q_1 - 1$, $s_i = c^{-1}$ for $i = q_1$, where c is the leading coefficient of $Q_1$.

Step j (for j ≥ 2): Suppose the polynomials $Q_1, \dots, Q_{j-1}$ and the terms $s_i$ with $1 \le i \le q_{j-1} + q_j - 1$ have already been calculated. Choose a polynomial $A_j$ over $F_q$ with $\deg(A_j) = d_j$ and let $Q_j = A_j Q_{j-1} + Q_{j-2}$. Calculate the terms $s_i$ with $q_{j-1} + q_j \le i \le q_j + q_{j+1} - 1$ from the previously calculated terms by the linear recursion with characteristic polynomial $Q_j$.

If this procedure is continued indefinitely, it yields a nonperiodic sequence with the prescribed linear complexity profile. If the procedure is broken off after finitely many steps, then a minor modification in the last step is needed (see [8]).

Let S be an arbitrary sequence of elements of $F_q$ and let $A_j(S)$, j = 1, 2, ..., as usual be the polynomials appearing in the continued fraction expansion of the generating function S. If we put $d_j(S) = \deg(A_j(S))$, then each $d_j$ can be viewed as a random variable on the probability space (H, 𝔅, h) and the values of $d_j$ are positive integers. By Lemma 4 the random variables $d_1, d_2, \dots$ are independent and identically distributed. For every positive integer m, the probability that $d_j = m$ is equal to $(q-1)q^{-m}$ by Lemma 2. Thus, in a statistical sense we can say that the linear complexity profile of a random sequence of elements of $F_q$ has the form (15), where $d_1, d_2, \dots$ are independent and identically distributed with the probability distribution $\mathrm{Prob}(d_j = m) = (q-1)q^{-m}$ for all positive integers m. We note that each $d_j$ has expected value q/(q−1) and variance $q/(q-1)^2$, as shown in the proof of Corollary 3. In particular, in (15) we can expect an average step height of q/(q−1) and an average step length of 2q/(q−1). For q = 2 this agrees with a result of Rueppel [11, p. 45] that was proved by a different method.

This description of the linear complexity profile of a random sequence of elements of $F_q$ can serve as the basis for new types of randomness tests. For a concretely given sequence S, we can calculate $d_j = d_j(S)$ by the Berlekamp-Massey algorithm (see [5, Ch. 6], [7]). The sequence $d_1, d_2, \dots$ is then subjected to conventional statistical tests for randomness, the null hypothesis being that $d_1, d_2, \dots$ are independent and identically distributed with the probability distribution given above. More generally, we can calculate the $A_j(S)$ by the continued fraction algorithm or the Berlekamp-Massey algorithm, take an arbitrary real-valued function g on P, and use the independent and identically distributed random variables $X_j$ in Lemma 4 as the basis for a randomness test. These types of randomness tests may be called continued fraction tests.

Other types of randomness tests may be based on the independent and identically distributed random variables $Y_n = Y_n^{(c)}$ in Lemma 5 for which the probability distribution is given by $\mathrm{Prob}(Y_n = 0) = 1/q$, $\mathrm{Prob}(Y_n = 1) = (q-1)/q$ according to (7).
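The Algorithm of this section and the continued fraction test just described, worked out for q = 2 as an added example that is not code from the paper: `bm_profile` is the Berlekamp-Massey algorithm and returns $L_1(S), \dots, L_N(S)$; `construct` runs Steps 1 to J−1 of Niederreiter's algorithm for a prescribed $d_1, \dots, d_J$ and its output is checked against the form (15); `jump_statistic` compares the observed $d_j$ with $\mathrm{Prob}(d_j = m) = 2^{-m}$. The choice of each $A_j$ as a seeded random polynomial of degree $d_j$, the stopping point $N = q_{J-1} + q_J - 1$, and the grouping of the classes m ≥ 4 in the chi-square statistic are assumptions of this example.

```python
"""Linear complexity profiles over F_2 (q = 2): the Berlekamp-Massey algorithm,
Niederreiter's construction of a sequence with a prescribed profile (15), and
the jump statistics d_j = deg(A_j(S)) behind the continued fraction tests.
Added illustration, not code from the paper.  A polynomial over F_2 is an int
whose bit i is the coefficient of x^i."""
import random
from collections import Counter


def bm_profile(s):
    """Berlekamp-Massey over F_2; returns the profile [L_1(S), ..., L_N(S)]."""
    c, b, L, m, profile = 1, 1, 0, 1, []     # connection poly, previous one, length, shift
    for n, bit in enumerate(s):
        d = bit                               # discrepancy of c against s_{n+1}
        for i in range(1, L + 1):
            if (c >> i) & 1:
                d ^= s[n - i]
        if d and 2 * L <= n:                  # length change: L jumps to n + 1 - L
            c, b, L, m = c ^ (b << m), c, n + 1 - L, 1
        elif d:
            c, m = c ^ (b << m), m + 1
        else:
            m += 1
        profile.append(L)
    return profile


def jumps(profile):
    """d_j = deg(A_j(S)) read off the profile: the heights of its upward steps (Lemma 1)."""
    return [hi - lo for lo, hi in zip([0] + profile, profile) if hi > lo]


def expected_profile(d, N):
    """The form (15) for jumps d_1, d_2, ...: 0 repeated d_1 - 1 times, then
    q_j = d_1 + ... + d_j repeated d_j + d_{j+1} times; truncated to N terms."""
    out, q = [0] * (d[0] - 1), 0
    for dj, dnext in zip(d, d[1:]):
        q += dj
        out += [q] * (dj + dnext)
    return out[:N]


def poly_mul(a, b):
    """Carry-less product of two polynomials over F_2."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r


def construct(d, seed=0):
    """Niederreiter's algorithm for q = 2 with prescribed d_1, ..., d_J (J >= 2).
    Returns s_1, ..., s_N with N = q_{J-1} + q_J - 1, i.e. the output of Steps 1 to J-1.
    Each A_j is a seeded random polynomial of degree d_j (an assumption of this
    example; over F_2 it is monic, so the initial value c^{-1} of Step 1 is 1)."""
    rng = random.Random(seed)
    q = [0]
    for dj in d:
        q.append(q[-1] + dj)                            # q_j = d_1 + ... + d_j
    A = [None] + [(1 << dj) | rng.getrandbits(dj) for dj in d]
    Q = [1, A[1]]                                       # Q_0 = 1, Q_1 = A_1
    s = [0] * (q[1] - 1) + [1]                          # s_i = 0 for i < q_1, s_{q_1} = 1
    for j in range(1, len(d)):
        if j >= 2:
            Q.append(poly_mul(A[j], Q[j - 1]) ^ Q[j - 2])   # Q_j = A_j Q_{j-1} + Q_{j-2}
        k = q[j]                                        # deg Q_j = q_j: recursion of order k
        while len(s) < q[j] + q[j + 1] - 1:             # terms up to index q_j + q_{j+1} - 1
            nxt = 0
            for t in range(k):                          # s_i = sum_{t<k} a_t s_{i-k+t}
                if (Q[j] >> t) & 1:
                    nxt ^= s[len(s) - k + t]
            s.append(nxt)
    return s


def z_count(profile, c):
    """Z(N;c;S) of Section 6: the number of n <= N with L_n(S) = (n + c)/2."""
    return sum(1 for n, L in enumerate(profile, 1) if 2 * L == n + c)


def jump_statistic(s):
    """Continued fraction test: observed jumps d_j grouped into the classes
    m = 1, 2, 3 and m >= 4, against Prob(d_j = m) = (q - 1) q^{-m} = 2^{-m}.
    Returns (observed counts, expected counts, chi-square statistic)."""
    d = jumps(bm_profile(s))
    if not d:
        return {}, {}, 0.0
    probs = {1: 0.5, 2: 0.25, 3: 0.125, 4: 0.125}      # class 4 collects m >= 4
    obs = Counter(min(dj, 4) for dj in d)
    exp = {m: len(d) * p for m, p in probs.items()}
    chi2 = sum((obs.get(m, 0) - exp[m]) ** 2 / exp[m] for m in probs)
    return dict(obs), exp, chi2


if __name__ == "__main__":
    s = construct([3, 1, 4, 1, 5], seed=1)
    print(bm_profile(s) == expected_profile([3, 1, 4, 1, 5], len(s)))   # True
    bits = [int(x) for x in bin(random.Random(2).getrandbits(4000))[2:]]
    print(jump_statistic(bits)[2])                      # chi-square for a seeded bit string
```

With three degrees of freedom the chi-square value of a genuinely random bit string is small (a value above about 7.8 would reject at the 5 % level); a sequence whose profile was built by `construct` from a prescribed list of jumps has exactly those jumps, which is what the test relies on.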

REFERENCES

[1] P. Billingsley: Ergodic Theory and Information, Wiley, New York, 1965.
[2] N. H. Bingham: Variants on the law of the iterated logarithm, Bull. London Math. Soc. 18, 433-467 (1986).
[3] U. Krengel: Ergodic Theorems, de Gruyter, Berlin, 1985.
[4] L. Kuipers and H. Niederreiter: Uniform Distribution of Sequences, Wiley, New York, 1974.
[5] R. Lidl and H. Niederreiter: Introduction to Finite Fields and Their Applications, Cambridge Univ. Press, Cambridge, 1986.
[6] M. Loève: Probability Theory, 3rd ed., Van Nostrand, New York, 1963.
[7] J. L. Massey: Shift-register synthesis and BCH decoding, IEEE Trans. Information Theory 15, 122-127 (1969).
[8] H. Niederreiter: Sequences with almost perfect linear complexity profile, Advances in Cryptology - EUROCRYPT '87 (D. Chaum and W. L. Price, eds.), Lecture Notes in Computer Science, Vol. 304, pp. 37-51, Springer, Berlin, 1988.
[9] M. Rosenblatt: Random Processes, 2nd ed., Springer, New York, 1974.
[10] R. A. Rueppel: Linear complexity and random sequences, Advances in Cryptology - EUROCRYPT '85 (F. Pichler, ed.), Lecture Notes in Computer Science, Vol. 219, pp. 167-188, Springer, Berlin, 1986.
[11] R. A. Rueppel: Analysis and Design of Stream Ciphers, Springer, Berlin, 1986.

The author gratefully acknowledges support for this research project by the Austrian Ministry for Science and Research.

A PROBABILISTIC PRIMALITY TEST BASED ON THE PROPERTIES OF CERTAIN GENERALIZED LUCAS NUMBERS

Adina Di Porto and Piero Filipponi
Fondazione Ugo Bordoni
00142 Roma, Italy

Abstract

After defining a class of generalized Fibonacci numbers and Lucas numbers, we characterize the Fibonacci pseudoprimes of the m-th kind.

In virtue of the apparent paucity of the composite numbers which are Fibonacci pseudoprimes of the m-th kind for distinct values of the integral parameter m, a method, which we believe to be new, for finding large probable primes is proposed. An efficient computational algorithm is outlined.

1. Introduction and generalities

In this paper, after defining the generalized Fibonacci numbers $U_n$ and the generalized Lucas numbers $V_n$ (Sec. 1), the Fibonacci pseudoprimes of the m-th kind are characterized (Sec. 2).

In virtue of the scarceness of the pseudoprimes which are simultaneously of the m-th kind for distinct values of m, a method for finding probable primes is proposed in Sec. 3 (for a definition of probable primes see [1]).

In Sec. 4 some theoretical aspects concerning the above said pseudoprimes are considered.

Let m be an arbitrary natural number. The generalized Fibonacci numbers $U_n(m)$ (or simply $U_n$, if there is no fear of confusion) and the generalized Lucas numbers $V_n(m)$ (or simply $V_n$) are defined (e.g., see [2]) by the second order recurrence relations

Work carried out in the framework of the Agreement between the Italian PT Administration and the Fondazione "Ugo Bordoni".

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 211-223, 1988. © Springer-Verlag Berlin Heidelberg 1988

$$U_{n+2} = mU_{n+1} + U_n; \quad U_0 = 0,\ U_1 = 1 \quad (1.1)$$

and

$$V_{n+2} = mV_{n+1} + V_n; \quad V_0 = 2,\ V_1 = m, \quad (1.2)$$

respectively. These numbers can also be expressed [2] by means of the closed forms (Binet forms)

$$U_n = \frac{\alpha^n - \beta^n}{\Delta}, \quad (1.3)$$

$$V_n = \alpha^n + \beta^n, \quad (1.4)$$

where

$$\Delta = (m^2 + 4)^{1/2}, \quad \alpha = (m + \Delta)/2, \quad \beta = (m - \Delta)/2. \quad (1.5)$$

The notations $\alpha_m$, $\beta_m$, and $\Delta_m$ will be employed whenever the meaning of α, β and Δ can be misunderstood (e.g., see Lemma 2). By (1.5) it can be seen that αβ = −1 and α + β = m. Moreover, it can be noted that, letting m = 1 in (1.1) and (1.2), the usual Fibonacci numbers $F_n$ and Lucas numbers $L_n$ turn out, respectively.

A further interesting expression for $V_n$ is [3]

$$V_n = \sum_{i=0}^{\lfloor n/2 \rfloor} C_{n,i}\, m^{n-2i}, \quad (1.6)$$

where

Rewriting (1.6) as

$$V_n = m^n + n \sum_{i=1}^{\lfloor n/2 \rfloor} \frac{C_{n,i}}{n}\, m^{n-2i}, \quad (1.8)$$

noting that, if n is a prime then $C_{n,i}/n$ is an integer and using Fermat's little theorem, the following fundamental property of the numbers $V_n$ is established

$$V_n(m) \equiv m \pmod n \quad \forall m \quad (\text{if } n \text{ is a prime}). \quad (1.9)$$

2. The Fibonacci pseudoprimes of the m-th kind: definition and numerical aspects

Observing (1.9), the following question arises spontaneously: "Do odd composites exist which satisfy this congruence?" The answer is affirmative.

We define as Fibonacci Pseudoprimes of the m-th kind (m-F.Psps.) all odd composite integers n for which $V_n(m) \equiv m \pmod n$ and denote them by $s_k(m)$ (k = 1, 2, ...). The corresponding sets will be denoted by $S_m$, while the sets of all m-F.Psps. not exceeding a given n will be denoted by $S_{m,n}$. For example, we found that $s_1(1) = 705 = 3 \cdot 5 \cdot 47$, $s_1(2) = 169 = 13^2$ and $s_1(3) = 33 = 3 \cdot 11$.

The numbers $s_k(1)$ have been analyzed in previous papers [4], [5]. In particular, we found that all composite integers belonging to $S_{1,n}$ (for $n = 10^8$) are square-free and most of them are congruent to 1 both modulo 4 (82.3 %) and modulo 10 (63.2 %). Moreover, we noted that this behavior seems to become more marked as n increases, but we were not able to find any justification of these facts.

Now, another question arises: "Do odd composite integers exist which are m-F.Psps. for distinct values of m?" Once again, the answer is affirmative. For example, the number $34{,}561 = 17 \cdot 19 \cdot 107$ is the smallest number belonging to both $S_1$ and $S_2$.

A computer experiment was carried out essentially to determine the cardinality of the intersections

Namely, we found that, for $n = 10^8$,

The fact that $G_{n,3}$ and $G_{n,4}$ have the same cardinality will be justified by Theor. 6 (Sec. 4). The numbers (below $10^8$) belonging to these two sets are

$s_{89}(1) = 1{,}034{,}881 = 41 \cdot 43 \cdot 587$
$2{,}184{,}533 = 13 \cdot 197 \cdot 853$
$15{,}485{,}185 = 5 \cdot 79 \cdot 197 \cdot 199$
$s_{561}(1) = 39{,}002{,}041 = 13 \cdot 19 \cdot 269 \cdot 587$
$s_{802}(1) = 87{,}318{,}001 = 17 \cdot 71 \cdot 73 \cdot 991$

of which the latter belongs also to the intersection set for a larger number of tests, besides being a Carmichael number [1].

Let $\sigma_m(n) = |S_{m,n}|$ be the m-F.Psp.-counting function. The behavior of $\sigma_1(n)$ vs. n is shown in fig. 1, while the behavior of $|G_n|$ is shown in table 1.

[Fig. 1 - Behavior of $\sigma_1(n)$ vs n. Vertical axis: $\sigma_1(n)$ from 0 to 1200; horizontal axis: n (millions) from 0 to 100.]

Table 1

  n      10^7   2·10^7   3·10^7   4·10^7   5·10^7   6·10^7   7·10^7   8·10^7   9·10^7   10^8
|G_n|     18      27       30       36       38       39       41       44       45      48

Numerically, $\sigma_1(n)$ seems asymptotically related to the prime-counting function π(n). The inspection of fig. 1 suggests the following

CONJECTURE 1: "There exists a positive constant c not exceeding 1 such that $\sigma_1(n)$ is asymptotic to $c\,\pi(\sqrt{n})$."

3. A possible probabilistic primality test

The numerical evidence that turns out from the experimental results suggests a method for obtaining probable primes.

Let $\langle a \rangle_b$ denote the remainder of a divided by b. For given integers n (odd) and M (n > M), let us calculate

$$r_m = \langle V_n(m) \rangle_n \quad \text{for } m = 1, 2, \dots, M. \quad (3.1)$$

If $r_m \ne m$ for some value of m, then n is composite. If n passes M consecutive tests, that is if $r_m = m$ for all values of m (1 ≤ m ≤ M), then n is a probable prime (with probability $P_M$). A thorough investigation of the properties of the m-F.Psps. could suggest a suitable value for M depending on the order of magnitude of n. This will be the aim of a future work.

It must be noted that, if Conj. 1 were proved, a sufficiently large n which passes the first test (m = 1) would be prime with probability

$$P_1 = 1 - 2c/\sqrt{n}. \quad (3.2)$$

Due to the apparent extreme scarceness of the composites $n \in S_m$ (m = 1, 2, ..., M), the probability $P_M$ seems to rapidly increase as M increases. The choice of the most suitable set of tests to which submit n is still an open problem.

By suitably modifying the algorithm for obtaining $r_1 = \langle L_n \rangle_n$ [4], an efficient calculation of $V_n$ reduced modulo n can be performed. The so-obtained algorithm finds $r_m$ after $[\log_2 n]$ recursive calculations. For example, ascertaining that the 81-digit composite

110,221,474,294,665,636,794,016,854,991,608,758,669,691,745,119,008,792,721,304,656,075,481,680,733,031,679

belongs to $S_1$ required a calculation time of about 25 seconds on a VAX 11/750 computer.
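The test (3.1) together with a $[\log_2 n]$-step evaluation of $V_n(m)$ reduced modulo n, as an added example that is not the authors' program: the doubling formulas $V_{2k} = V_k^2 - 2(-1)^k$ and $V_{2k+1} = V_k V_{k+1} - (-1)^k m$ follow from the Binet form (1.4) and αβ = −1, and the binary ladder built on them is this example's own realization of the modular calculation. The trial-division primality check and the search for the smallest m-F.Psp. are helpers of the example; the values it reproduces (705, 169, 33, 34,561, 2,465, 252,601) are those stated in Sections 2 and 4.

```python
"""Fibonacci pseudoprimes of the m-th kind (Sec. 2-4) over plain integers.
Added illustration; not the authors' program.  V_n(m) mod n is computed by a
left-to-right binary ladder using
    V_{2k}   = V_k^2 - 2(-1)^k,
    V_{2k+1} = V_k V_{k+1} - (-1)^k m,
both consequences of V_n = alpha^n + beta^n with alpha*beta = -1."""


def lucas_v_mod(n_index, m, mod):
    """V_{n_index}(m) mod `mod` in about log2(n_index) doubling steps.
    Invariant: (vk, vk1) == (V_k, V_{k+1}) mod `mod` for the prefix k of n_index read so far."""
    vk, vk1, k = 2 % mod, m % mod, 0            # (V_0, V_1)
    for bit in bin(n_index)[2:]:
        sign = -1 if k & 1 else 1               # (-1)^k
        v2k = (vk * vk - 2 * sign) % mod        # V_{2k}
        v2k1 = (vk * vk1 - sign * m) % mod      # V_{2k+1}
        if bit == "1":
            v2k2 = (vk1 * vk1 + 2 * sign) % mod  # V_{2k+2} = V_{k+1}^2 - 2(-1)^{k+1}
            vk, vk1, k = v2k1, v2k2, 2 * k + 1
        else:
            vk, vk1, k = v2k, v2k1, 2 * k
    return vk


def remainder_test(n, M):
    """The test of (3.1): r_m = <V_n(m)>_n for m = 1..M.  Returns the first m with
    r_m != m (n is then certainly composite) or None if n passes all M tests."""
    for m in range(1, M + 1):
        if lucas_v_mod(n, m, n) != m % n:
            return m
    return None


def is_prime(n):
    """Trial division; adequate for the small search limits used here."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def is_m_fpsp(n, m):
    """n is a Fibonacci pseudoprime of the m-th kind: odd, composite, V_n(m) = m (mod n)."""
    return n % 2 == 1 and n > 1 and not is_prime(n) and lucas_v_mod(n, m, n) == m % n


def smallest_m_fpsp(m, limit):
    """s_1(m): the smallest m-F.Psp. below `limit` (None if there is none)."""
    for n in range(9, limit, 2):
        if is_m_fpsp(n, m):
            return n
    return None


def lucas_v(n_index, m):
    """Exact V_n(m) by the recurrence (1.2); used to check the ladder on small inputs."""
    v0, v1 = 2, m
    for _ in range(n_index):
        v0, v1 = v1, m * v1 + v0
    return v0


if __name__ == "__main__":
    for m in (1, 2, 3):
        print("s_1(%d) =" % m, smallest_m_fpsp(m, 1000))     # 705, 169, 33 as in Sec. 2
    print("34561 in S_1 and S_2:", is_m_fpsp(34561, 1) and is_m_fpsp(34561, 2))
    print("first failed test for 705 with M = 8:", remainder_test(705, 8))
```

Because every prime passes all M tests by (1.9), `remainder_test` can only ever report "composite" with certainty and "probable prime" otherwise, exactly as Section 3 describes; Theorem 6 is visible in the same code, since a number that passes the test for m = 1 also passes it for m = 4, 11, 29, ....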

4. Some properties of the m-F.Psps.

In this section several properties of the m-F.Psps. are demonstrated. We hope that they can lead to the discovery of further properties of these numbers. In particular, a formula which gives the minimum value of M (or an upper bound for this value) for which $|G_{n,M}| = 0$, once n is given, would be greatly appreciated.

First, let us state some theorems concerning the case m = 1.

THEOREM 1: If n is an odd integer not divisible by 3 and $L_n \equiv 1 \pmod n$, then $L_{L_n} \equiv 1 \pmod{L_n}$.

Proof: Since it is known [6] that $L_n$ is odd, we can write

Case 1: $L_n = 4h + 1 \equiv 1 \pmod n$ (h ∈ ℕ = {0, 1, 2, ...}).

We have $2h \equiv 0 \pmod n$, whence [7]

$$F_{2h} \equiv 0 \pmod{L_n}. \quad (4.1)$$

From the identities available in [8, p. 95], we can write

$$L_{4h+1} - 1 = 5F_{2h}F_{2h+1},$$

whence, by (4.1),

$$L_{L_n} - 1 = 5 \cdot 0 \cdot F_{2h+1} \equiv 0 \pmod{L_n}.$$

Case 2: $L_n = 4h - 1 \equiv 1 \pmod n$.

We have $2h - 1 \equiv 0 \pmod n$, whence [7]

$$L_{2h-1} \equiv 0 \pmod{L_n}. \quad (4.3)$$

Again from [8, p. 95], we can write

$$L_{4h-1} - 1 = L_{2h-1}L_{2h},$$

whence, by (4.3),

$$L_{L_n} - 1 = L_{2h} \cdot 0 \equiv 0 \pmod{L_n}. \quad \text{Q.E.D.}$$

From Theor. 1 we can derive the following corollaries.

COROLLARY 1: If p ≥ 5 is a prime and $L_p$ is composite, then $L_p \in S_1$.

COROLLARY 2: If n is not divisible by 3 and belongs to $S_1$, then $L_n \in S_1$.

Proof:

(i) From Theor. 1 we have $L_{L_n} \equiv 1 \pmod{L_n}$.

(ii) By hypothesis n = st, with s and t odd integers not divisible by 3. Hence $L_n$ is odd and composite [7]. This completes the proof. It can be noted that also $L_n$ is not divisible by 3, as n is odd [6]. Q.E.D.

If n is not divisible by 3 and belongs to $S_1$, then the number $L_n$ fulfils the same conditions. Therefore, we can claim that $L_{L_n} \in S_1$, and such a statement can be iterated ad infinitum, so that $L_{L_{L_n}} \in S_1$, .... Consequently, since there exists at least a number $s_k(1)$ not divisible by 3 (the smallest among them is $s_2(1) = 2{,}465$) the following proposition can be stated.

PROPOSITION 1 (Conj. 3 in [4]): There exist infinitely many 1-F.Psps.

THEOREM 2: For k ∈ ℕ, $L_{L_{2^k}} \equiv 1 \pmod{L_{2^k}}$.

Proof: The statement holds clearly for k = 0, 1. In fact, we have $L_1 \equiv 1 \pmod 1$ and $L_3 \equiv 1 \pmod 3$. Hence, let us consider k ≥ 2. It is known [9] that

$$L_{2^k} + 1 \equiv 0 \pmod{2^k}, \quad (4.5)$$

so $L_{2^k}$ can be rewritten as

$$L_{2^k} = h2^k - 1 \quad (h \in \mathbb{N}). \quad (4.6)$$

In order to satisfy the congruence

$$L_{L_{2^k}} - 1 \equiv 0 \pmod{L_{2^k}} \quad (4.8)$$

it suffices that the left factor on the right-hand side of (4.7) is divisible by $L_{2^k}$, that is, it suffices [7] that $h2^{k-1}$ is an odd multiple of $2^k$. Equivalently, we can say that the fulfilment of the equality $h = 2(2t+1)$ (t ∈ ℕ), that is of the equality (see (4.6))

$$L_{2^k} + 1 = (2t+1)2^{k+1} \quad (t \in \mathbb{N}), \quad (4.9)$$

is a sufficient condition for the congruence (4.8) to be satisfied.

To establish the general validity of (4.9) we shall use induction on k and the identity (4.10) [10] which allows us to write

The equality (4.9) holds for k = 2. In fact, we have $L_4 + 1 = 8 = (2 \cdot 0 + 1)2^3$. Let us suppose that (4.9) holds up to a certain k > 2. For the inductive step k → k + 1, from (4.10) and (4.9) we can write

COROLLARY 3: If $L_{2^k}$ is composite, then $L_{2^k} \in S_1$.

To prove the next theorem we need the following

LEMMA 1: If $L_n \equiv 0 \pmod n$, then $L_n \equiv 0 \pmod{3n}$.

Proof: The congruence $L_n \equiv 0 \pmod n$ implies [8, Theor. F, p. 72] that

$$n = 6(2k+1) = 2 \cdot 3^{r+1}(6h \pm 1) \quad (k, r, h \in \mathbb{N}). \quad (4.11)$$

Therefore, it suffices to prove that

$$L_n = L_{2 \cdot 3^{r+1}(6h \pm 1)} \equiv 0 \pmod{3^{r+2}}. \quad (4.12)$$

Let us invoke induction on r. The congruence (4.12) holds for r = 0. In fact, considering the sequence $(L_n)$ reduced modulo 9 [6], it is readily seen that $L_{6(6h \pm 1)} \equiv 0 \pmod 9$. Let us suppose that (4.12) holds up to a certain r > 0. For the inductive step r → r + 1, using the identity $L_{3n} = L_nL_{2n} - L_n$ (n even) [10], we write

$$L_{2 \cdot 3^{r+2}(6h \pm 1)} = L_{2 \cdot 3^{r+1}(6h \pm 1)} \big(L_{4 \cdot 3^{r+1}(6h \pm 1)} - 1\big). \quad (4.13)$$

It is known [6] that $L_{4 \cdot 3^{r+1}(6h \pm 1)} \equiv 1 \pmod 3$. Then, by (4.13) and hypothesis we obtain the congruence $L_{2 \cdot 3^{r+2}(6h \pm 1)} \equiv 0 \pmod{3^{r+3}}$. Q.E.D.

THEOREM 3: If $L_n \equiv 0 \pmod n$, then $L_{L_n - 1} \equiv 1 \pmod{L_n - 1}$.

Proof: Since we have necessarily (see (4.11)) n = 6(2h + 1) and, therefore [6] $L_n = 4k + 2$ (k ∈ ℕ), from Lemma 1 we have $L_n = 4k + 2 \equiv 0 \pmod{18(2h+1)}$ (h ∈ ℕ), that is

$$2k + 1 \equiv 0 \pmod{9(2h+1)}. \quad (4.14)$$

From [8, p. 95] we can write

$$L_n - 1 = L_{4(3h+1)+2} - 1 = F_{3[2(3h+1)+1]} / F_{2(3h+1)+1}, \quad (4.15)$$

whence

$$L_n - 1 \mid F_{9(2h+1)}. \quad (4.16)$$

Moreover, since $L_n - 1 = 4k + 1$, from [8, p. 95] we have

$$L_{L_n - 1} - 1 = L_{4k+1} - 1 = 5F_{2k}F_{2k+1}. \quad (4.17)$$

Since, by (4.16) and (4.14), we see that $L_n - 1 \mid F_{9(2h+1)}$ and [7] $F_{9(2h+1)} \mid F_{2k+1}$, from (4.17) we obtain

$$L_{L_n - 1} - 1 = 5F_{2k} \cdot 0 \equiv 0 \pmod{L_n - 1}. \quad \text{Q.E.D.}$$

COROLLARY 4: If $L_n \equiv 0 \pmod n$ and $L_n - 1$ (necessarily odd) is composite, then $L_n - 1 \in S_1$.

COROLLARY 5 (see [11]): If $L_{2 \cdot 3^k} - 1$ (k ≥ 1) is composite, then $L_{2 \cdot 3^k} - 1 \in S_1$.

THEOREM 4: If $n = p_1 p_2 \cdots p_k$, with $p_i = 5h_i \pm 1$ (1 ≤ i ≤ k), is a Carmichael number, then $n \in S_1$.

Proof: Let $P_i$ be a repetition period (not necessarily the shortest period) of the Lucas sequence reduced modulo the prime $p_i$ and let $\Lambda = \mathrm{l.c.m.}(P_1, P_2, \dots, P_k)$.

A sufficient condition for n to belong to $S_1$ is that

$$h\Lambda + 1 = n \quad (h \in \mathbb{N}). \quad (4.18)$$

In fact, the fulfilment of this condition implies that $L_n = L_{h\Lambda + 1} \equiv L_1 = 1 \pmod{p_1 p_2 \cdots p_k}$. On the other hand, it is known [6] that if $p_i = 5h_i \pm 1$, then $P_i = p_i - 1$. Therefore, it is immediately seen that Λ equals the Carmichael λ function [1]. Since, by hypothesis, $\lambda \mid n - 1$, from (4.18) the theorem is proved. Q.E.D.

The smallest Carmichael number of the above type which is also a 1-F.Psp. is $s_{44}(1) = 252{,}601 = 41 \cdot 61 \cdot 101$, while the absolutely smallest Carmichael number which is also a 1-F.Psp. is $s_2(1) = 2{,}465 = 5 \cdot 17 \cdot 29$.

Now, let us state some theorems concerning the case m ≥ 1.

THEOREM 5: If p ≥ 5 is a prime such that $\Delta^2$ is not divisible by p, then $V_{U_p} \equiv m \pmod{U_p}$.

Proof: On the basis of the periodicity of the sequence $(U_n)$ reduced modulo 4 [6], it can be readily proved that, if p ≥ 5, then $U_p$ has the form 4h ± 1 (h ∈ ℕ). Since we have [12] $U_p \equiv \pm 1 \pmod p$ (except for the case $\Delta^2 \equiv 0 \pmod p$ which implies $U_p \equiv 0 \pmod p$), we can write $U_p = 4h \pm 1 \equiv \pm 1 \pmod p$.

Case 1: $U_p = 4h + 1 \equiv 1 \pmod p$.

We have $2h \equiv 0 \pmod p$ and, since [12] $U_n \mid U_{kn}$,

$$U_{2h} \equiv 0 \pmod{U_p}. \quad (4.19)$$

By using the identity

$$V_{4h+1} - m = \Delta^2 U_{2h} U_{2h+1}, \quad (4.20)$$

easily obtainable with the aid of (1.3) and (1.4), we have

$$V_{U_p} - m = V_{4h+1} - m = \Delta^2 U_{2h} U_{2h+1}, \quad (4.21)$$

whence, by (4.19),

$$V_{U_p} - m \equiv \Delta^2 \cdot 0 \cdot U_{2h+1} \equiv 0 \pmod{U_p}.$$

Case 2: $U_p = 4h \pm 1 \equiv -1 \pmod p$.

The proof is analogous to that of Case 1 and is omitted for brevity. Q.E.D.

It must be noted that, for m = 1 and p = 5, the statement of Theor. 5 is true even though $\Delta^2 = 5 \equiv 0 \pmod 5$. In fact, we have $L_{F_5} = L_5 = 11 \equiv 1 \pmod{F_5}$.

COROLLARY 6: If p ≥ 5 is a prime, $\Delta^2$ is not divisible by p and $U_p$ (necessarily odd) is composite, then $U_p \in S_m$.

COROLLARY 7: If p is a prime and $F_p$ is composite, then $F_p \in S_1$.

In order to prove the last theorem, we need to prove the following two lemmata.

(4.22)

Using (1.4), (4.22) becomes

$$\alpha_{V_{2k+1}(m)} = \{\alpha_m^{2k+1} + \beta_m^{2k+1} + (\alpha_m^{2k+1} - \beta_m^{2k+1})\}/2 = \alpha_m^{2k+1}. \quad (4.23)$$

Analogously, it is seen that

$$\beta_{V_{2k+1}(m)} = \beta_m^{2k+1}. \quad (4.24)$$

The statement of the lemma follows directly from (4.23), (4.24) and (1.4). Q.E.D.

LEMMA 3: If h ∈ ℕ and $n \in S_m$, then $V_{hn}(m) \equiv V_h(m) \pmod n$.

Proof: Let us rewrite the result established in [13, Cor. 7] as

(4.25)

By hypothesis, (4.25) and (1.6), we can write

THEOREM 6: If an odd composite n passes the m-th test, then it passes also the $V_{2k+1}(m)$-th tests (k = 1, 2, ...).

As particular cases, we see that

- if n passes the 1st test (m = 1), then it passes also the tests for m = 4, 11, 29, 76, 199, 521, 1364, ...
- if n passes the 2nd test (m = 2), then it passes also for m = 14, 82, 478, 2786, ...
- if n passes the 3rd test (m = 3), then it passes also for m = 36, 393, 4287, 46764, ...
- if n passes the 4th test (m = 4), then it passes also for m = 76, 1364, ... (cf. the tests passed for m = 1).

5. Conclusion

Public-key cryptosystems make use of primes having approximately 100 digits, so we wish to conclude this paper with two questions.

Pessimist's question: "Do odd composites $n \le 10^{100}$ exist which are m-F.Psps. for all values of m ≤ n − 1?"

If such numbers exist, they will never reveal their compositeness under our test.

Optimist's question: "Let M' be the maximum number of consecutive tests (m = 1, 2, ..., M') passed by any odd composite $n \le 10^{100}$. Is M' comparatively small (say M' ≤ 50)?"

If the answer is in the affirmative, then the method proposed in Sec. 3 can readily find primes for cryptographic purposes. The calculation time is slightly less than that required by the method proposed by Solovay & Strassen [14] for finding numbers that are prime with probability greater than or equal to $1 - 1/2^{M'}$.

The authors offer a pr ize of 50,000 Italian Lire to the first person who communicates to them an odd composite (below $10^{100}$) which is an m-F.Psp. for m = 1, 2, ..., 8. Of course, at least one of its factors is also requested. A decuple prize is offered to the first person who sends to them a proof that no such number exists.

A table of 1-F.Psps. to $10^8$ was compiled by the authors. It will be sent, free of charges, upon request.

References

[1] H. Riesel, Prime Numbers and Computer Methods for Factorization. Boston: Birkhäuser Inc., 1985.

[2] M. Bicknell, "A Primer on the Pell Sequence and Related Sequences", The Fibonacci Quarterly, vol. 13, pp. 345-349, no. 4, 1975.

[3] O. Brugia, P. Filipponi, "Waring Formulae and Certain Combinatorial Identities", Fondaz. Ugo Bordoni Techn. Rep. 3B5986, Oct. 1986.

[4] A. Di Porto, P. Filipponi, "More on the Fibonacci Pseudoprimes", Fondaz. Ugo Bordoni Techn. Rep. 3t0687, May 1987. The Fibonacci Quarterly (to appear).

[5] A. Di Porto, P. Filipponi, "Un Metodo di Prova di Primalità Basato sulle Proprietà dei Numeri di Lucas Generalizzati", Proc. of the Primo Simposio Nazionale su: Stato e Prospettive della Ricerca Crittografica in Italia, Roma, Oct. 1987, pp. 141-146.

[6] Bro. A. Brousseau, An Introduction to Fibonacci Discovery. Santa Clara (Cal.): The Fibonacci Association, 1965.

[7] L. Carlitz, "A Note on Fibonacci Numbers", The Fibonacci Quarterly, vol. 2, pp. 15-28, no. 1, 1964.

[8] D. Jarden, Recurring Sequences, 3rd ed., Jerusalem: Riveon Lematematika, 1973.

[9] V. E. Hoggatt, Jr., M. Bicknell, "Some Congruences of the Fibonacci Numbers Modulo a Prime P", Math. Magazine, vol. 47, pp. 210-214, no. 3, 1974.

[10] V. E. Hoggatt, Jr., Fibonacci and Lucas Numbers, Boston: Houghton Mifflin Co., 1969.

[11] V. E. Hoggatt, Jr., G. E. Bergum, "Divisibility and Congruence Relations", The Fibonacci Quarterly, vol. 12, pp. 189-195, no. 2, 1974.

[12] P. Filipponi, "On the Divisibility of Certain Generalized Fibonacci Numbers by Their Subscripts", Proc. XIII Congresso Unione Matematica Italiana, Torino, Sept. 1987, Sezione VII-18.

[13] Jin-Zai Lee, Jia-Sheng Lee, "Some Properties of the Sequence {W_n(a, b; p, q)}", The Fibonacci Quarterly, vol. 25, pp. 268-278, 283, no. 3, 1987.

[14] R. Solovay, V. Strassen, "A Fast Monte-Carlo Test for Primality", SIAM Journal on Comput., vol. 6, pp. 84-85, no. 1, 1977.

ON THE CONSTRUCTION OF RANDOM NUMBER GENERATORS AND RANDOM FUNCTION GENERATORS

C. P. Schnorr

Universität Frankfurt

Fachbereich Mathematik/Informatik

6000 Frankfurt, West Germany

Abstract. Blum, Micali (1982), Yao (1982), Goldreich, Goldwasser and Micali (1984), and Luby, Rackoff (1986) have constructed random number generators, random function generators and random permutation generators that are perfect if certain complexity assumptions hold. We propose random number generators that pass all statistical tests that depend on a small fraction of the bit string. This does not rely on any unproven hypothesis. We propose improved random function generators with short function names and which minimize the number of pseudo-random bits that are necessary for the evaluation of pseudo-random functions. We announce a new very efficient perfect random number generator.

1. Random generators without unproven assumptions

Let I_n = {0,1}^n and H_n = I_n^{I_n} = "the set of all functions f : I_n → I_n". A random function generator is an efficient algorithm F that generates from names x ∈ I_m a function F_{m,x} ∈ H_{k(m)} for some function k(m); when given for input m, x, y the algorithm computes F_{m,x}(y). We associate with f ∈ H_n a function F_{n,f} ∈ H_{2n} defined by

F_{n,f}(l, r) = (r, l ⊕ f(r)) for all l, r ∈ I_n. (1)

The function F_{n,f} roughly corresponds to a layer in the DES-algorithm. We consider F^{(3)}_{n,f} = F_{n,f} F_{n,f} F_{n,f} as a random function generator for the functions F^{(3)}_{n,f} in H_{2n} and with names f ∈ H_n. The functions F^{(3)}_{n,f} are permutations, and F^{(3)}_{n,f} is called a random permutation generator. Luby and Rackoff have considered the random function generator F_{n,f_3} F_{n,f_2} F_{n,f_1} where independent random functions f_1, f_2, f_3 ∈ H_n are used at each stage. We observe that the analysis of Luby and Rackoff remains valid for the case that f_1 = f_2 = f_3. This yields the following version of the main theorem in Luby, Rackoff (1986).

Theorem 1. (Luby, Rackoff (1986)) For random f ∈ H_n the function F^{(3)}_{n,f} = F_{n,f} F_{n,f} F_{n,f} passes all statistical function tests that are restricted to 2^{o(n)} oracle queries.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 225-232, 1988. © Springer-Verlag Berlin Heidelberg 1988

The concept of statistical function test has been introduced by Goldreich, Goldwasser, Micali (1984). A test T is a probabilistic algorithm with 0,1-output, which is endowed with an oracle O_g for evaluating the function g at inputs y computed by the test T; the value g(y) is computed by a single step using the oracle. One associates the following probabilities to a statistical test T and a random function generator F. Let p_n^H (p_n^F, resp.) be the probability that T with oracle O_g gives output 1 when g ∈ H_n is chosen at random with uniform probability (g ∈ H_n is chosen at random from F, resp.). The probability space is the set of all internal coin tosses of T and of all choices for g. In the proof of Theorem 1 Luby and Rackoff have shown that the above generator F^{(3)}_{n,f} satisfies

for every statistical function test T that is limited to at most m oracle queries. One defines that a function generator F passes the function test T if

A random function generator is called perfect if it passes all statistical function tests with polynomial time bound n^{O(1)}. The functions generated by a perfect random function generator are called pseudo-random.

Theorem 1 is strong in the sense that there is no time bound for the statistical tests and the bound 2^{o(n)} on the number of oracle queries is superpolynomial in n. On the other hand the name f ∈ H_n for the function F^{(3)}_{n,f} ∈ H_{2n} is n2^n bits long whereas Goldreich, Goldwasser, Micali (1984) construct pseudo-random functions in H_n with names in I_n. The proof of Theorem 1 follows from the analysis of the Luby, Rackoff (1986) random permutation generator. The technical proof is quite involved.

A random number generator is an efficient algorithm which transforms short random seeds into long pseudo-random strings. Every random function generator gives rise to a corresponding random number generator and vice-versa. There is a natural bijection Φ_n : H_n → I_{n2^n} which maps functions f ∈ H_n into the concatenation Φ_n(f) = ∏_{x ∈ I_n} f(x) where x ranges over all strings x ∈ I_n in alphabetical order. By this bijection the above function F^{(3)}_{n,f} yields a function

We give a more concrete description of the random number generator G_n.

We write the input string x ∈ I_{n2^n} as concatenation of 2^n strings in I_n, and we enumerate these 2^n substrings of x using indices in I_n:

x = ∏_{i ∈ I_n} x_i.

We likewise partition the output string y ∈ I_{2n2^{2n}}:

y = ∏_{i ∈ I_{2n}} y_i.

For every string y ∈ I_{2n} let L(y), R(y) be the left and right half string in I_n:

I_{2n} ∋ y = L(y) R(y) ∈ (I_n)^2.

Algorithm for G_n, input x = ∏_{i ∈ I_n} x_i.

1. y_i^0 := i for all i ∈ I_{2n}.

2. For j = 0, 1, 2 do y_i^{j+1} := R(y_i^j) (L(y_i^j) ⊕ x_{R(y_i^j)}).

Output y^3 = ∏_{i ∈ I_{2n}} y_i^3.

Each iteration step switches the left and right part of y ∈ I_{2n} and adds to the new right part the substring x_{R(y)} of the input x; here ⊕ is the vector addition modulo 2.

According to the bijections Φ_n, Φ_{2n} Theorem 1 translates into Theorem 2.

Theorem 2. The random number generator (G_n)_{n ∈ N}, G_n : I_{n2^n} → I_{2n2^{2n}}, passes all statistical number tests that depend on at most 2^{o(n)} bits of G_n(x).

A statistical number test T is a probabilistic algorithm which takes for input a binary string, and gives a 0,1-output (Yao, 1982). One associates with T and a random number generator G the following probabilities. Let p_k (p_k^G, resp.) be the probability that T outputs 1 when given for input a random string x ∈ I_k with uniform distribution (a string y ∈ I_k chosen at random from G, resp.). The number generator G passes the test if

|p_k − p_k^G| = O(k^{−t}) for all t > 0.

A random number generator is called perfect if it passes all polynomial time statistical number tests. The bit strings generated by a perfect random number generator are called pseudo-random.

Theorem 2 means that every selection of at most m = 2^{o(n)} bits from G_n(x) passes all statistical number tests T (even tests with arbitrary time bounds) provided that x ∈ I_{n2^n} is random with uniform probability. The bit strings G_n(x) are, for random seed x ∈ I_{n2^n}, completely randomized locally. Every statistical number test that distinguishes the distribution of G_n(x) ∈ I_{2n2^{2n}} from the uniform distribution on I_{2n2^{2n}} depends on at least a polynomial fraction of the bit string G_n(x).

So far we have seen that the above number generator G_n is based on a powerful construction principle for local randomization. It is an important question whether this construction principle also yields good global random properties. We next prove that all strings that are locally randomized satisfy the law of large numbers.

Theorem 3. Let (G_n)_{n ∈ N} be a random number generator G_n : I_n → I_{2^n} such that G_n(x), for random x ∈ I_n, passes all statistical tests that depend on at most 2^{o(n)} bits of G_n(x). Then the frequency of ones and zeroes in G_n(x) is approximately 1/2.

Proof. Consider the statistical test that selects m = 2^{o(n)} independent random bits y_1, ..., y_m from the bit string G_n(x) and computes #1(y) = "the number of ones in these bits". These bit strings y pass all statistical tests. By Chebyshev's inequality this implies

prob[ |#1(y)/m − 1/2| ≥ ε ] ≤ 1/(ε²m) + O(m^{−t}) for all ε > 0 and all t > 0.

The probability space is the set of all seeds x ∈ I_n and of all possible selections of substrings y. Note that the expected value of #1(y)/m and of #1(G_n(x))/2^n coincide. Therefore we obtain for ε = (1/m)^{1/3} and m = 2^{o(n)}
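The generator G_n of the algorithm above, the local-versus-global distinction behind Theorem 2, and the sampling test used in the proof of Theorem 3, as an added worked example in Python. This is this page's own illustration, not code from the paper; n = 3 and the seed are constructed toy inputs, and the block-distinctness check is this example's instance of a test that has to read the whole string rather than a few bits of it.

```python
import random


def blocks_from_bits(xbits, n):
    """Read the seed x in I_{n 2^n} as its 2^n substrings x_i in I_n, indexed
    by i in I_n in alphabetical (= numerical) order of i."""
    assert len(xbits) == n * 2 ** n
    return [int(xbits[j * n:(j + 1) * n], 2) for j in range(2 ** n)]


def split(y, n):
    """L(y), R(y): the left and right n-bit halves of a 2n-bit value y."""
    return y >> n, y & ((1 << n) - 1)


def g_n(x_blocks, n, rounds=3):
    """The number generator G_n: start from y_i^0 := i for every i in I_2n and
    apply the step y := R(y) || (L(y) xor x_{R(y)}) three times; the output is
    the concatenation of all y_i^3, i.e. 2n * 2^(2n) bits."""
    assert len(x_blocks) == 2 ** n and all(0 <= b < 2 ** n for b in x_blocks)
    out = []
    for i in range(2 ** (2 * n)):
        y = i
        for _ in range(rounds):
            l, r = split(y, n)
            y = (r << n) | (l ^ x_blocks[r])
        out.append(format(y, f"0{2 * n}b"))
    return "".join(out)


def all_blocks_distinct(bits, n):
    """A global test that reads the whole string: are its 2^(2n) blocks of
    2n bits pairwise distinct?  G_n(x) always passes, because block i is the
    image of i under the permutation F^(3)_{n,f}; a uniform random string of
    the same length almost surely fails (birthday bound).  So this test does
    distinguish the two, but it depends on a constant fraction of the bits."""
    w = 2 * n
    blocks = [bits[j * w:(j + 1) * w] for j in range(len(bits) // w)]
    return len(set(blocks)) == len(blocks)


def sample_ones_frequency(bits, m, seed):
    """The test from the proof of Theorem 3: choose m independent random
    positions of the string and return #1(y)/m for the selected bits y."""
    rng = random.Random(seed)
    return sum(bits[rng.randrange(len(bits))] == "1" for _ in range(m)) / m


def chebyshev_bound(eps, m):
    """The paper's bound prob[|#1(y)/m - 1/2| >= eps] <= 1/(eps^2 m), up to
    the O(m^-t) term: how unlikely a deviation of eps is for m sampled bits."""
    return 1.0 / (eps * eps * m)


def uniform_bits(length, seed):
    """Constructed comparison input: uniform random bits, not generator output."""
    rng = random.Random(seed)
    return "".join(rng.choice("01") for _ in range(length))


if __name__ == "__main__":
    n = 3                                       # toy size: x has n 2^n = 24 bits
    x = blocks_from_bits(uniform_bits(24, seed=5), n)
    out = g_n(x, n)                             # 2n 2^(2n) = 384 output bits
    print(len(out), out.count("1") / len(out))
    print(all_blocks_distinct(out, n), all_blocks_distinct(uniform_bits(384, 11), n))
    print(sample_ones_frequency(out, 100, seed=1), chebyshev_bound(0.2, 100))
```

Because every F^{(3)}_{n,f} is a permutation of I_{2n}, G_n(x) is a rearrangement of the list of all 2n-bit strings, so its overall frequency of ones is exactly 1/2 for every seed; the sampled frequency of a small selection fluctuates within the Chebyshev bound, which is all Theorem 3 needs.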

We next show that the upper bound 2^{o(n)}, limiting the number of oracle queries in Theorem 1, is sharp. We associate to f ∈ H_n the function generator

F^{(v)}_{n,f} = F_{n,f} F_{n,f} ... F_{n,f} (v times).

Theorem 4. There is a statistical function test that rejects the function generators F^{(v)}_{n,f} for all v ∈ N, using O(2^n) oracle queries.

Proof. We have for all r, l ∈ I_n:

F_{n,f}(l, r) = (r, l ⊕ f(r)),

F^{−1}_{n,f}(l, r) = (r ⊕ f(l), l).

This implies that for all v ≥ 1

F^{(v)}_{n,f}(l, r) = F^{(v+1)}_{n,f}(r ⊕ f(l), l),

and thus

L F^{(v)}_{n,f}(l, r) = R F^{(v)}_{n,f}(r ⊕ f(l), l). (2)

A statistical test for verifying the relation (2) fixes r and l and tries for f(l) ∈ I_n all bit strings y ∈ I_n. Once f(l) has been found the relation (2) holds for all r. The statistical test requires at most O(2^n) oracle queries in order to find f(l); it evaluates F^{(v)}_{n,f}(l, r) and F^{(v)}_{n,f}(r ⊕ y, l) for all strings y ∈ I_n. □

The above statistical test does not reject function generators F_{n,f_3} F_{n,f_2} F_{n,f_1} where distinct functions f_1, f_2, f_3 are used at each stage.
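Equation (1), relation (2) and the statistical test of Theorem 4, as an added Python example written for this page (not the paper's own code; n = 4 and the seeded random functions are constructed). It checks relation (2) for every input, runs the test against the shared-f generator F^{(3)}_{n,f}, and, as the closing remark above states, against a generator with three independent functions and against a truly random g ∈ H_{2n}, counting the oracle queries made.

```python
import random


def feistel_round(f, l, r):
    """F_{n,f}(l, r) = (r, l xor f(r)), equation (1); f is given as its value
    table over I_n, l and r are n-bit integers."""
    return r, l ^ f[r]


def feistel_inverse(f, l, r):
    """F_{n,f}^{-1}(l, r) = (r xor f(l), l), as used in the proof of Theorem 4."""
    return r ^ f[l], l


def iterate(fs, l, r):
    """F_{n,f_v} ... F_{n,f_1}(l, r): one round per table in fs, first table first."""
    for f in fs:
        l, r = feistel_round(f, l, r)
    return l, r


def random_function(n, seed):
    """A random f in H_n, stored as the table of its 2^n values (seeded)."""
    rng = random.Random(seed)
    return [rng.randrange(1 << n) for _ in range(1 << n)]


def relation_2_holds(f, n, v):
    """Check L F^(v)(l, r) == R F^(v)(r xor f(l), l) for every l, r in I_n."""
    return all(
        iterate([f] * v, l, r)[0] == iterate([f] * v, r ^ f[l], l)[1]
        for l in range(1 << n) for r in range(1 << n)
    )


class CountingOracle:
    """Oracle O_g for a function g in H_2n; counts the queries a test makes."""

    def __init__(self, g):
        self.g, self.queries = g, 0

    def __call__(self, l, r):
        self.queries += 1
        return self.g(l, r)


def random_oracle(n, seed):
    """Oracle for a uniformly random g in H_2n: the ideal case a test compares against."""
    rng = random.Random(seed)
    table = {(l, r): (rng.randrange(1 << n), rng.randrange(1 << n))
             for l in range(1 << n) for r in range(1 << n)}
    return CountingOracle(lambda l, r: table[(l, r)])


def theorem4_test(oracle, n, l=0, r0=0):
    """The statistical function test from the proof of Theorem 4: fix l and
    r0, try every y in I_n as a guess for f(l) in relation (2), then keep only
    the guesses for which (2) holds for every r.  Returns True when such a y
    exists, i.e. the oracle is rejected as not being a random function."""
    left = oracle(l, r0)[0]
    candidates = [y for y in range(1 << n) if oracle(r0 ^ y, l)[1] == left]
    for y in candidates:
        if all(oracle(l, r)[0] == oracle(r ^ y, l)[1] for r in range(1 << n)):
            return True
    return False


if __name__ == "__main__":
    n = 4
    f = random_function(n, seed=42)
    print(relation_2_holds(f, n, 3), relation_2_holds(f, n, 5))
    shared = CountingOracle(lambda l, r: iterate([f, f, f], l, r))
    f1, f2, f3 = (random_function(n, seed=s) for s in (1, 2, 3))
    distinct = CountingOracle(lambda l, r: iterate([f1, f2, f3], l, r))
    print(theorem4_test(shared, n), shared.queries)      # rejected
    print(theorem4_test(distinct, n), distinct.queries)  # not rejected
    print(theorem4_test(random_oracle(n, seed=9), n))    # not rejected
```

The test spends 2^n + 1 queries to collect the candidates for f(l) and 2·2^n per candidate to confirm relation (2) for every r; since a wrong y survives the first check with probability about 2^{-n}, the expected total stays O(2^n). The shared-f oracle is always rejected, whereas a spurious y against the independent-f generator or a random g would have to satisfy 2^n independent equalities.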

2. Improved random function generators

Goldreich, Goldwasser and Micali (1984) show that every perfect random number generator (G_n)_{n ∈ N}, G_n : I_n → I_{2n}, can be transformed into a perfect random function generator (F_n)_{n ∈ N}, F_{n,x} ∈ H_n with x ∈ I_n, such that functions F_{n,x} ∈ H_n have names x of length n and can be evaluated using O(n²) pseudo-random bits generated by G_n. We improve this construction via the Luby, Rackoff permutation generator.

Theorem 5. For every ε > 0 every perfect random number generator (G_n)_{n ∈ N}, with G_n : I_n → I_{2n}, can be transformed into a perfect random function generator (F_n)_{n ∈ N} such that

(1) F_{n,x} ∈ H_n has names x of length (log n)^{1+ε}.

(2) evaluation of F_{n,x} can be done using O(n (log n)^{1+ε}) pseudo-random bits generated from G_n.

Sketch of proof. By the construction of Goldreich, Goldwasser, Micali (1984) we generate, from pseudo-random bits obtained from G_n(x), a pseudo-random function f ∈ H_{m(ε)}, m(ε) = (log n)^{1+ε}, that passes all function tests with time bound n^{O(1)}. These functions f ∈ H_{m(ε)} have names in I_{m(ε)} and can be evaluated using (log n)^{2+2ε} pseudo-random bits. It follows from Theorem 1 and since n^t = 2^{o((log n)^{1+ε})} for all t > 0 and all ε > 0, that the functions F^{(3)}_{m(ε),f} ∈ H_{2m(ε)} pass all statistical function tests that have time bound n^{O(1)}.

In a way similar to (1) we associate with f ∈ H_{m(ε)} a function ρ_{n,f} ∈ H_n defined by

for all B_1, ..., B_k ∈ I_{m(ε)} with k = n/m(ε). By the same argument that proves Theorem 1, we can show that

passes all statistical function tests with time bound n^{O(1)}. □

3. New efficient and perfect pseudo-random number generators

S. Micali and C.P. Schnorr (1988) introduce new random number generators (RNG) that are perfect under a reasonable complexity assumption and that are nearly as efficient as the popular linear congruential generator which is known to be imperfect.

A RNG is perfect if it passes all polynomial time statistical tests, i.e. the distribution of output sequences cannot be distinguished, by probabilistic polynomial time algorithms, from the uniform distribution of sequences of the same length. So far the proofs of perfectness are all based on unproven complexity assumptions. This is because we cannot prove superpolynomial complexity lower bounds.

Perfect random number generators have been established for example based on the discrete logarithm by Blum, Micali (1982), based on quadratic residuosity by Blum, Blum, Shub (1986), based on one way functions by Yao (1982), based on RSA encryption and factoring by Alexi, Chor, Goldreich and Schnorr (1984). All these RNG's are less efficient than the linear congruential generator. The RSA/RABIN-generator is the most efficient of these generators. It successively generates log n pseudo-random bits by one modular multiplication with a modulus N that is n bits long.

The RSA-generator can be extended and accelerated in various ways. A new powerful complexity assumption yields more efficient generators. Let N = pq be the product of two large random primes p and q and let d be a natural number that is relatively prime to φ(N) = (p − 1)(q − 1). It is conjectured that the following distributions are indistinguishable by efficient statistical tests:

the distribution of x^d (mod N) for random x ∈ [1, N^{2/d}],

the uniform distribution on [1, N].

This hypothesis is closely related to the security of the RSA-scheme. Under this hypothesis the transformation

[1, N^{2/d}] ∋ x ↦ x^d (mod N) ∈ [1, N]

stretches short random seeds x ∈ [1, N^{2/d}] into pseudo-random numbers x^d (mod N) in the interval [1, N]. Various random number generators can be built on this transformation. The sequential polynomial generator generates from random seed x ∈ [1, N^{2/d}] a sequence of numbers x = x_1, x_2, ..., x_i, ... ∈ [1, N^{2/d}]. The n(1 − 2/d) least significant bits of the binary representation of x_i^d (mod N) are the output of x_i and the 2n/d most significant bits form the successor x_{i+1} of x_i.

It follows from a general argument of Goldreich, Goldwasser, Micali (1984) and the above hypothesis that all these generators are perfect, i.e. the distribution of output strings is indistinguishable, by polynomial time statistical tests, from the uniform distribution of binary strings of the same length. The sequential generator is nearly as efficient as the linear congruential generator. Using a modulus N that is n bits long, it outputs n(1 − 2/d) pseudo-random bits per iteration step. The costs of an iteration step x ↦ x^d (mod N) with x ∈ [1, N^{2/d}] correspond to the costs of about one full multiplication modulo N. This is because the evaluation of x^d (mod N) over numbers x ≤ N^{2/d} consists almost entirely of multiplications with small numbers that do not require modular reduction.

Micali and Schnorr extend the sequential polynomial generator to a parallel polynomial generator (PPG). The PPG generates from random seed x ∈ [1, N^{2/d}] a tree. The nodes of this iteration tree are pseudo-random numbers in [1, N^{2/d}] with outdegree at most d/2. To compute the successor nodes y(1), ..., y(s) and the output string of node y one stretches y into a pseudo-random number y^d (mod N) that is n bits long. Then the successors y(1), ..., y(s) of y are obtained by partitioning the most significant bits of y^d (mod N) into s ≤ d/2 bit strings of length ⌊2n/d⌋. The output of node y consists of the remaining least significant bits of y^d (mod N). Any collection of subtrees of the iteration tree can be independently processed in parallel once the corresponding roots are given. In this way m parallel processors can speed the generation of pseudo-random bits by a factor m. These parallel processors need not communicate; they are given pseudo-independent input strings and their output strings are simply concatenated. The concatenated output of all nodes of the iteration tree is pseudo-random, i.e. the parallel generator is perfect. The PPG enables fast retrieval of substrings of the pseudo-random output. To access a node of the iteration tree we follow the path from the root to this node. After retrieving a bit the subsequent bits in the output can be generated at full speed. Iteration trees of depth at most 60 are sufficient for practical purposes; they generate pseudo-random strings of length 10^{2*} (for outdegree 2) such that individual bits can be retrieved within a few seconds.
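The transformation x ↦ x^d (mod N), the sequential polynomial generator and the PPG iteration tree with path-based retrieval, as an added Python example for this page (it is not Micali and Schnorr's implementation). The 32-bit modulus, d = 5 and the seeds are constructed toy values, far too small for any real use; the seed length ⌊2n/d⌋ bits and the mapping of a zero successor to 1 are this example's choices.

```python
from math import gcd

# Constructed toy parameters, this example's own and far too small to be
# secure: two primes give a 32-bit modulus whose arithmetic can be checked
# by hand.  Neither P-1 nor Q-1 is divisible by 5, so d = 5 is coprime to
# phi(N) = (P-1)(Q-1) as the paper requires.
P, Q = 65537, 65519
N = P * Q                      # 4293918703
D = 5
assert gcd(D, (P - 1) * (Q - 1)) == 1

n = N.bit_length()             # n = 32
K = (2 * n) // D               # floor(2n/d) = 12 bits per seed / successor node


def stretch(x):
    """x -> x^d (mod N), the transformation the generators are built on,
    returned as an n-bit string.  Seeds are short: x in [1, 2^K) lies inside
    the paper's interval [1, N^(2/d)]."""
    assert 1 <= x < (1 << K)
    return format(pow(x, D, N), f"0{n}b")


def sequential_generator(seed, steps):
    """Sequential polynomial generator: in each step the n - k least
    significant bits of x_i^d mod N are output and the k most significant
    bits become x_{i+1}.  Returns (output bits, final state)."""
    out, x = [], seed
    for _ in range(steps):
        y = stretch(x)
        out.append(y[K:])
        # A successor of 0 (probability 2^-k) is mapped to 1 so the state
        # stays in [1, ...]; that fix-up is this toy's assumption, not the paper's.
        x = int(y[:K], 2) or 1
    return "".join(out), x


def ppg_node(y, s):
    """One node of the parallel polynomial generator (PPG): the s <= d/2
    successors are the k-bit pieces cut from the most significant bits of
    y^d mod N; the remaining least significant bits are the node's output."""
    assert 1 <= s <= D // 2
    z = stretch(y)
    successors = [int(z[i * K:(i + 1) * K], 2) or 1 for i in range(s)]
    return successors, z[s * K:]


def ppg_output(root, s, depth):
    """Concatenated output of all nodes of the iteration tree of the given
    depth, in depth-first order; each subtree could be produced by its own
    processor from its root alone."""
    successors, out = ppg_node(root, s)
    if depth == 0:
        return out
    return out + "".join(ppg_output(c, s, depth - 1) for c in successors)


def ppg_retrieve(root, s, path):
    """Fast retrieval: follow the path of child indices from the root and
    return only that node's output, without generating the rest of the tree."""
    y = root
    for i in path:
        y = ppg_node(y, s)[0][i]
    return ppg_node(y, s)[1]


def reductions_needed(x):
    """Square-and-multiply for x^d with the modular reductions counted.  As
    x <= N^(2/d), the early products stay below N and need no reduction,
    which is the paper's reason why one step costs about one full modular
    multiplication."""
    result, count = 1, 0
    for bit in format(D, "b"):
        result *= result
        if result >= N:
            result, count = result % N, count + 1
        if bit == "1":
            result *= x
            if result >= N:
                result, count = result % N, count + 1
    assert result == pow(x, D, N)
    return count


if __name__ == "__main__":
    bits, state = sequential_generator(seed=1234, steps=4)
    print(len(bits), bits[:20], state)
    tree = ppg_output(root=1234, s=2, depth=2)          # 7 nodes x 8 output bits
    print(len(tree), ppg_retrieve(1234, 2, [1, 0]) == tree[40:48])
    print(reductions_needed(2), reductions_needed(4095))
```

With s = 2 the tree of depth 2 has seven nodes, each contributing the 8 low bits left after two 12-bit successors are cut off, and retrieving the node at path [1, 0] costs three evaluations of x^d (mod N) instead of generating all seven.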

The parallel generator is based on a method that has been invented by Goldreich, Goldwasser and Micali (1984) for the construction of random functions. Micali and Schnorr observe that this construction can be applied to speed every perfect random number generator by a factor m using m parallel processors. Using this principle and sufficiently many parallel processors we can generate pseudo-random bits with almost any speed. This important method of parallelization applies to all perfect random number generators but the RSA-generator is particularly suited for this method. The method of parallelization does not apply to imperfect random number generators like the linear congruential generator since this method can further deteriorate a weak generator.

References

Alexi, W., Chor, B., Goldreich, O., and Schnorr, C.P.: RSA and Rabin Functions: certain parts are as hard as the whole. Proceedings of the 25th Symposium on Foundations of Computer Science, 1984, pp. 449-457; also: Siam Journal on Comput. (1988).

Blum, L., Blum, M. and Shub, M.: A simple unpredictable pseudo-random number generator. Siam J. on Computing (1986), pp. 364-383.

Blum, M. and Micali, S.: How to generate cryptographically strong sequences of pseudo-random bits. Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, IEEE, New York (1982); also Siam J. Comput. 13 (1984) pp. 850-864.

Goldreich, O., Goldwasser, S., Micali, S.: How to Construct Random Functions. Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, IEEE, New York (1984); also Journal ACM 33,4 (1986) pp. 792-807.

Luby, M. and Rackoff, Ch.: Pseudo-random permutation generators and cryptographic composition. Proceedings of the 18th ACM Symposium on the Theory of Computing, ACM, New York (1986) pp. 356-363.

Micali, S. and Schnorr, C.P.: Efficient, perfect random number generators. Preprint MIT, Universität Frankfurt 1988.

Yao, A.C.: Theory and applications of trapdoor functions. Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, IEEE, New York (1982), pp. 80-91.

FACTORIZATION OF LARGE INTEGERS ON A MASSIVELY PARALLEL COMPUTER*

James A. Davis and Diane B. Holdridge, Sandia National Laboratories, Albuquerque, New Mexico, USA

I. INTRODUCTION

Our interest in integer factorization at Sandia National Laboratories is motivated by cryptographic applications and in particular the security of the RSA encryption-decryption algorithm. We have implemented our version of the quadratic sieve procedure on the NCUBE computer with 1024 processors (nodes). The new code is significantly different in all important aspects from the program used to factor numbers of order 10^70 on a single processor CRAY computer. Capabilities of parallel processing and limitation of small local memory necessitated this entirely new implementation. This effort involved several restarts as realizations of program structures that seemed appealing bogged down due to inter-processor communications. We are presently working with integers of magnitude about 10^70 in tuning this code to the novel hardware.

II. NCUBE COMPUTER

The basic element of the NCUBE computer is a 32-bit VLSI processor of the super-minicomputer range (10^6 integer operations per second). These processors are interconnected in the configuration of an N-dimensional cube. That is, an NCUBE of order k has 2^k nodes, k = 0, 1, 2, ..., and one of order k + 1 is formed by connecting two cubes of order k at corresponding nodes. There is no common memory shared among the processors: each has one-half megabyte of local memory. Each node operates on its own stored program and data. They achieve cooperation by passing messages to one another. A very slow host board controls input-output and subcube allocation.

*This work was performed at Sandia National Laboratories and supported by the U.S. Department of Energy under contract number DE-AC04-76DP00789.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 235-243, 1988. © Springer-Verlag Berlin Heidelberg 1988

Figure 1. NCUBEs of Small Order (the configurations of order 0, 1 and 2).

III. THE QUADRATIC SIEVE ALGORITHM

The quadratic sieve factorization procedure is one of several methods of decomposing positive integers based on the difference-of-squares identity. If N is a composite integer and I, J are integers such that I² ≡ J² mod N with I ≢ ±J mod N, then GCD(I + J, N) is a non-trivial factor of N. The difference between the various algorithms is in the means by which the quadratic congruence is generated.

In the quadratic sieve, as originally proposed by Dr. Carl Pomerance of the University of Georgia and implemented at Sandia National Laboratories on a CRAY 1S computer, many relatively small quadratic residues for N are generated by the polynomial X² − N (X near √N). One attempts to factor a sufficient number of these residues into a set of powers of "small" primes, B, called the prime base. Gaussian elimination is then employed to determine a binary dependency: that is, a set S of factored residues such that

∏_{X_i ∈ S} X_i² ≡ ∏_{p_j ∈ B} p_j^{2a_j} mod N.

If ∏_{X_i ∈ S} X_i ≢ ± ∏_{p_j ∈ B} p_j^{a_j} mod N we have factorization; otherwise another quadratic congruence is formed and we try again.

The procedure is called a sieve because of its similarity to the prime number sieve (sieve of Eratosthenes). That is, if a prime p divides X_p² − N then it divides residues at the entire arithmetic progression of arguments X_p + kp, k = 0, ±1, ±2, ... So once a residue divisible by p is identified, the prime may be divided out of the functional values defined by arguments in this progression. This operation is done very efficiently, particularly on a vector computer such as the CRAY.

When one is dealing with large integers the frequency with which the residues factor completely is small, so we merely identify these successes by operating on the residues with single-precision logarithms, rather than multiple-precision division. After the array of residues has been sieved with each member of the prime base, B, the remainders are compared with a threshold value which indicates factorization. When enough of the factorable residues are identified (approximately the number of distinct primes in the base, B) the sieving portion of the algorithm is terminated.

The sieving and searching described above constitutes the lion's share of the computation. After the set of residues that factor is identified, the actual functional values are calculated in multiple-precision and decomposed into the primes by division. The final step is to determine a binary dependency by Gaussian elimination.
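The complete procedure of this section on a toy modulus, assembled as an added Python example written for this page (not the Sandia code): the prime base chosen by Euler's criterion, sieving along the progressions X_p + kp with single-precision logarithms and a threshold, confirmation of candidates by trial division, Gaussian elimination over GF(2) for a binary dependency, and the GCD step. N = 15347 = 103 · 149 is a constructed input; the slack left in the threshold for unsieved prime powers and the parameter defaults are this example's choices.

```python
from math import gcd, isqrt, log


def prime_base(N, bound):
    """The prime base B: primes p <= bound modulo which N is a square (only
    those can divide X^2 - N), selected with Euler's criterion; 2 is kept."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(range(i * i, bound + 1, i)))
    primes = [p for p in range(2, bound + 1) if flags[p]]
    return [p for p in primes if p == 2 or pow(N % p, (p - 1) // 2, p) == 1]


def sqrt_mod(a, p):
    """All square roots of a modulo a small prime p (brute force suffices here)."""
    return [x for x in range(p) if (x * x - a) % p == 0]


def sieve_candidates(N, base, M):
    """The sieve: for X = floor(sqrt N)+1 ... +M start with log(X^2 - N) and,
    for each p in B and each root X_p of X^2 = N (mod p), subtract log p along
    the whole progression X_p + kp.  Positions whose remaining logarithm is
    small are candidates for B-smooth residues (single-precision logs replace
    multiple-precision division; prime powers are not sieved, so the threshold
    leaves slack and trial division confirms the candidates afterwards)."""
    x0 = isqrt(N) + 1
    logs = [log((x0 + i) ** 2 - N) for i in range(M)]
    for p in base:
        for root in sqrt_mod(N % p, p):
            for i in range((root - x0) % p, M, p):
                logs[i] -= log(p)
    threshold = 2.0 * log(max(base))
    return [x0 + i for i in range(M) if logs[i] < threshold]


def factor_over_base(v, base):
    """Multiple-precision trial division of a candidate residue; returns its
    exponent vector over B, or None if it is not B-smooth."""
    exps = []
    for p in base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None


def gf2_dependencies(rows):
    """Gaussian elimination over GF(2).  rows are exponent vectors mod 2 packed
    as ints; returns index sets S whose rows sum to zero, i.e. binary
    dependencies (every prime occurs to an even power in the product)."""
    basis, deps = [], []          # basis entries: (pivot bit, row, combination)
    for idx, row in enumerate(rows):
        combo = 1 << idx
        for pivot, brow, bcombo in basis:
            if row & pivot:
                row ^= brow
                combo ^= bcombo
        if row == 0:
            deps.append([i for i in range(len(rows)) if combo >> i & 1])
        else:
            basis.append((row & -row, row, combo))
    return deps


def quadratic_sieve(N, bound=30, M=100):
    """Returns a non-trivial factor of N, or None if the parameters were too small."""
    base = prime_base(N, bound)
    relations = []                # (X, exponent vector of X^2 - N over B)
    for X in sieve_candidates(N, base, M):
        exps = factor_over_base(X * X - N, base)
        if exps is not None:
            relations.append((X, exps))
    rows = [sum((e & 1) << j for j, e in enumerate(exps)) for _, exps in relations]
    for S in gf2_dependencies(rows):
        I, total = 1, [0] * len(base)
        for k in S:
            X, exps = relations[k]
            I = I * X % N
            total = [a + b for a, b in zip(total, exps)]
        J = 1                     # J = prod p_j^(a_j); the summed exponents are 2 a_j
        for p, e in zip(base, total):
            J = J * pow(p, e // 2, N) % N
        for g in (gcd(I - J, N), gcd(I + J, N)):
            if 1 < g < N:
                return g
    return None


if __name__ == "__main__":
    print(prime_base(15347, 30))             # [2, 17, 23, 29]
    print(quadratic_sieve(15347))            # a factor of 103 * 149
```

For N = 15347 the base is {2, 17, 23, 29}; X = 124 gives the residue 29 and X = 126 gives 529 = 23², whose exponent vector is already zero modulo 2, so the first dependency is the single relation 126² ≡ 23² mod N and GCD(126 − 23, N) = 103.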

IV. MODIFICATIONS TO BASIC ALGORITHM

As one increases the size of the integers to be factored the size of the prime base must grow in order to have significant probability of factoring residues. Thus a larger number of factored residues is needed; hence a larger interval must be sieved. The functional values of X² − N increase almost linearly as the distance between X and √N, and as the magnitudes increase the frequency of factorization decreases. At Sandia we were able to factor integers of size about 10^55 with the basic algorithm, but for larger numbers computing time was becoming intolerable.

We were able to modify the algorithm such that the size of the residues to be sieved was periodically reduced and hence our factorization success rate remained relatively constant. The means by which we obtained these sequences of smaller residues was by identifying large primes which divide a residue, then sieving on the subsequences guaranteed divisible by the primes. That is, if q | X² − N, then q | (X + kq)² − N for all integers k. If more than one factorization is obtained in the subsequence, the large prime can be eliminated and we have quadratic residues factored entirely into the prime base, B.

Independently, Peter Montgomery [M] suggested a somewhat different procedure by which polynomials may be selected such that they generate quadratic residues and the coefficients adjusted to minimize magnitudes. Also, with some modification, the sieving procedure still applies. Robert Silverman [S] has enjoyed great success using these polynomials with his parallel implementation of the quadratic sieve. Our latest code uses further variations of this idea.

Several other additions and modifications to the basic algorithm have enhanced its capability. The "large prime" variation locates prime divisors of residues beyond the prime base and uses these to generate completely factored residues. Also, one can use a multiplier with the number to be factored to enrich the prime base with small primes; hence making residue factorization more likely.

V. FALSE STARTS

Having no experience with parallel processing and because of limited local

Page 228: Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings

239

memory, we were initially tempted to rely heavily on interprocessor communications and the use of different units to perform very different tasks. Each of these attempts bogged down because of overloading of the channels that enable the processors to talk to one another.

Because generation of polynomials, as suggested by Peter Montgomery, requires considerable multiple-precision arithmetic, we asked certain processors to generate these polynomials and initialization parameters, and to distribute this information to other nodes which could then do the sieving without multiple-precision. This idea seemed good in several respects. It frees up storage to be used for efficient sieving, and load balancing could be achieved by varying the number of nodes supplied by one polynomial generator. There is, of course, considerable information needed by a processor in order to begin the sieving, and apparently this was more than the lines could handle: communication time became prohibitive.

Another approach that was implemented was to apportion the prime base among a ring of processors, all sieving the same polynomial. Each processor in the ring would sieve with the set of primes it was given, then pass these to a neighbor. When each prime had visited each member of the ring, the sieving would be complete. After searching for and saving successful factorizations, a new polynomial would be started.

The above and other plans that would have used memory efficiently at the expense of increased interprocessor communication were programmed, but stymied by the traffic.

VI. CURRENT IMPLEMENTATION

We used quadratic polynomials of the form $A^2x^2 + 2Bx + C$ to generate the residues to be factored. It must be the case that $B^2 - A^2C \equiv 0 \pmod N$; hence we take $B^2 - A^2C = kN$, a small multiple of N (k is the multiplier used to enrich the set of small primes which divide residues). In order to minimize the amount of multiple-precision arithmetic necessary, we choose our leading coefficient to be "small". We take A from a set of primes just larger than those in the base. This enables much of the computation of sieving parameters to be done in single precision. Montgomery and Silverman choose their coefficients much larger in order that the roots of the quadratic are sufficiently close together that a sieving interval may contain both. Our choice of much smaller coefficients forces the roots to be very far apart; hence we sieve over a pair of disjoint intervals, each about a root of the polynomial. The magnitudes of the residues to be factored are not affected by this choice.

Figure 2. Sieving Intervals [sketch of the curve $(x + [\sqrt{N}])^2 - N$ with the single Silverman/Montgomery interval and the pair of Sandia intervals marked]


As described earlier, communication overhead is an extreme problem with the NCUBE; hence for the major portion of the computation (sieving) we are asking each processor to run the same program with different parameter sets. It is efficient to sieve a long contiguous block in memory, so the need to minimize stored program and data in each processor is pressing. In order to save memory for a large sieve array, we have eliminated as much multiprecision code as possible and actually recompute some values that could be stored. After the sieving is done with each prime power in the base, the array is searched for residues which are completely factored and those that factor except for one prime somewhat larger than those in the base (large prime variation). Identifiers of these residues are saved in order that the polynomials may be reconstructed and factored by division. In addition to the sieving operation, the above-mentioned search and multiple-precision division were identified as major consumers of computing time. A rewrite of the division package achieved a 13-fold speed-up. The sieve and search routines are particularly expensive for the NCUBE because they do not vectorize. When these were written in assembly code, however, a great reduction in overhead was realized.

The final stages of the algorithm are the set-up and solution of the matrix used in the Gaussian elimination. Because of the very large matrix that must be processed, we must use memory more efficiently. Each processor is allocated identifiers for a certain set of the factored residues and a certain portion of the factor base. The functional values are calculated at each node and the available set of primes divided out. Results are then transferred to a neighboring node which operates on the residues with its assigned primes. When the residues have passed through all nodes, factorization is simultaneously completed. Each residue that completely factors forms a row, as does each large prime which repeats in another factorization. The abundance of large prime factorizations and hardware limitations on array size introduce complications into the matching algorithm. These we overcome by asymptotic estimation of the frequency of occurrence of large primes of various sizes and assigning a large prime to a given block according to its magnitude. Then, the matching algorithm needs only operate within a bin without crossing boundaries.

At this point, the matrix is ready for processing by Gaussian elimination. To deal with a large prime base, we must use available memory efficiently. Each node is assigned an equal number of rows corresponding to factored residues. Each bit of a row represents the parity of the exponent to which the corresponding prime in B is raised in this factored residue. At this point we apply a Gaussian elimination procedure [PW] which is particularly memory efficient and suited to parallel processing. This yields the binary dependency which is then evaluated, and if non-trivial, we have a factorization.
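To make the scheme of this section concrete, here is an added example (my own Python, not the paper's NCUBE code) of the polynomial choice $B^2 - A^2C = kN$ with A a prime just above the factor base, the two disjoint sieving intervals about the roots $(-B \pm \sqrt{kN})/A^2$, the large-prime variation, and the GF(2) dependency search that closes the factorization. The number N used in the test, the base bound, the interval half-width M, the multiplier k = 1, the large-prime limit and the log-sieve slack are all constructed choices for a small demonstration, not the paper's settings.

```python
import math
from collections import defaultdict

def primes_upto(n):
    flags = bytearray([1]) * (n + 1)
    flags[0] = flags[1] = 0
    for i in range(2, math.isqrt(n) + 1):
        if flags[i]:
            flags[i * i::i] = bytearray(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]

def sqrt_mod(a, p):
    """Smallest x with x*x = a (mod p), or None; brute force since p is small."""
    return next((x for x in range(p) if x * x % p == a % p), None)

def make_polynomial(A, kN):
    """A: odd prime with kN a residue mod A.  Hensel-lift a root of t^2 = kN
    (mod A) to mod A^2 to get B, so C = (B^2 - kN)/A^2 is an integer."""
    b = sqrt_mod(kN, A)
    b += A * ((((kN - b * b) // A) * pow(2 * b, -1, A)) % A)
    return A, b, (b * b - kN) // (A * A)          # B^2 - A^2 C = kN

def sieve_interval(poly, base, kN, center, M, Lmax):
    """Log-sieve Q(x) = A^2 x^2 + 2Bx + C over [center-M, center+M], then
    trial-divide survivors.  Yields (y, exps): y = A^2 x + B (so y^2 = A^2 Q(x)
    mod N) and exps = factorization of Q(x) over {-1} + base + {A} plus at
    most one large prime below Lmax (large prime variation)."""
    A, B, C = poly
    lo, width = center - M, 2 * M + 1
    logs = [0.0] * width
    for p in base:                       # roots of Q mod p: x = (+-s - B) / A^2
        s, inv = sqrt_mod(kN, p), pow(A * A % p, -1, p)
        for r in {(s - B) * inv % p, (-s - B) * inv % p}:
            for i in range((r - lo) % p, width, p):
                logs[i] += math.log(p)
    for i in range(width):
        x = lo + i
        q = A * A * x * x + 2 * B * x + C
        if q == 0 or logs[i] < math.log(abs(q)) - math.log(Lmax) - 4:
            continue                     # the slack allows for unsieved prime powers
        exps = defaultdict(int)
        if q < 0:
            exps[-1], q = 1, -q
        for p in base + [A]:
            while q % p == 0:
                exps[p] += 1; q //= p
        if q < Lmax:                     # Lmax <= bound^2, so q is 1 or a prime
            if q > 1: exps[q] += 1
            yield A * A * x + B, exps

def gf2_dependencies(rows):
    """GF(2) elimination on bitmask rows; returns index masks of zero-sum subsets."""
    pivots, deps = {}, []
    for i, r in enumerate(rows):
        h = 1 << i
        while r:
            c = r & -r
            if c not in pivots:
                pivots[c] = (r, h); break
            pr, ph = pivots[c]
            r, h = r ^ pr, h ^ ph
        if r == 0: deps.append(h)
    return deps

def quadratic_sieve(N, k=1, bound=200, M=150):
    """Return a nontrivial divisor of N, or None.  k, bound and M are
    constructed choices for a ~10^16 test number, not the paper's settings."""
    kN, Lmax, root = k * N, bound * bound, math.isqrt(k * N)
    base = [p for p in primes_upto(bound) if sqrt_mod(kN, p) is not None]
    rels, partials = [], {}
    for A in primes_upto(5 * bound):     # leading coefficients: primes above the base
        if A <= bound or sqrt_mod(kN, A) in (None, 0): continue
        if A * A * (2 * M + 1) > 2 * root or len(rels) > len(base) + 15:
            break                        # roots lie 2 sqrt(kN)/A^2 apart: keep them disjoint
        poly = make_polynomial(A, kN)
        for sign in (1, -1):             # one interval about each real root
            center = (sign * root - poly[1]) // (A * A)
            for y, exps in sieve_interval(poly, base, kN, center, M, Lmax):
                big = [p for p in exps if p > bound and p != A]
                if not big:
                    rels.append((y % N, exps, A))
                elif big[0] in partials: # two partials with the same large prime
                    y2, e2, A2 = partials[big[0]]
                    merged = defaultdict(int, exps)
                    for p, e in e2.items(): merged[p] += e
                    rels.append((y * y2 % N, merged, A * A2))
                else:
                    partials[big[0]] = (y % N, exps, A)
    cols = {p: 1 << j for j, p in enumerate({p for _, e, _ in rels for p in e})}
    rows = [sum(cols[p] for p, v in e.items() if v % 2) for _, e, _ in rels]
    for dep in gf2_dependencies(rows):   # each dependency gives X^2 = Y^2 (mod N)
        X, Y, total = 1, 1, defaultdict(int)
        for i, (y, e, a) in enumerate(rels):
            if dep >> i & 1:
                X, Y = X * y % N, Y * a % N
                for p, v in e.items(): total[p] += v
        for p, v in total.items():
            if p != -1: Y = Y * pow(p, v // 2, N) % N
        for g in (math.gcd(X - Y, N), math.gcd(X + Y, N)):
            if 1 < g < N: return g
    return None
```

The relation for each sieved x is $y^2 \equiv A^2 Q(x) \pmod N$, so A is carried alongside the exponent vector and multiplied into Y when the square root of the dependency product is formed; pairing two partial relations that share a large prime gives that prime an even exponent, which is why the merged row needs no extra column. The guard `A * A * (2M + 1) > 2 * root` stops taking larger A once the two roots would be closer than one interval width, which is exactly the regime where the Silverman/Montgomery single-interval choice applies instead.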

VII. RESULTS

As stated earlier, we are still adapting this procedure to the hardware. As we attack larger integers, additional complications arise and changes are necessary. In terms of the numbers we have factored for comparison, we have been able to remain well below the computing times achieved on the CRAY. Below we list some of the integers we have factored with both of our codes for comparison. The figures in parentheses refer to the CRAY code, and the designation refers to the Cunningham Tables [BLSTW].

  Designation             C[2,193-]      C[5,79-]       v471*          C[2,211-]
  Magnitude               9.1 x 10^50    4.1 x 10^54    2.5 x 10^56    2.2 x 10^59
  Primes in Base          999 (6514)     1278 (6800)    1366 (5000)    2036 (6671)
  Number of Polynomials   6518 (188)     1648 (81)      899 (1000)     4042 (27)
  Sieve Time in Hours     .043 (.425)    .044 (.66)     .047 (.22)     193 (22.0)

FIGURE 3. Comparison of Factorizations

*A Fibonacci number suggested by Peter Montgomery.

References

[BLSTW] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman, S. S. Wagstaff, Jr., Factorization of b^n ± 1 up to High Powers, American Math. Soc., 1983.

[DH1] J. A. Davis, D. B. Holdridge, Factorization Using the Quadratic Sieve Algorithm, Sandia National Laboratories Report, SAND 83-1346, Dec., 1983.

[DH2] J. A. Davis, D. B. Holdridge, ... Quadratic Sieve, Sandia National Laboratories Report, SAND 84-1658, Aug., 1984.

[M] P. Montgomery, Personal Communications, 19 Feb. 1984.

[PW] D. Parkinson, M. C. Wunderlich, "A Memory Efficient Algorithm for Gaussian Elimination over GF(2) on Parallel Computers", Personal Communication, Feb., 1983.

[S] R. D. Silverman, "The Multiple Polynomial Quadratic Sieve", Math. Comp. V. 48 No. 177, Jan., 1987.

A Fast Modular Arithmetic Algorithm Using a Residue Table (EXTENDED ABSTRACT)

Shin-ichi KAWAMURA and Kyoko HIRANO

TOSHIBA CORPORATION RESEARCH AND DEVELOPMENT CENTER

1. INTRODUCTION

Many public key cryptosystems and key distribution systems have been developed making use of a one-way (trap door) function $x \to y$ such that $y = a^x \bmod p$ or $y = x^e \bmod n$. Modular multiplication is indispensable for computing these functions. In other words, fast multiple precision modular arithmetic will become increasingly useful for realizing an efficient security system using a public-key cryptosystem, like RSA [1], Rabin's scheme [2], and so on.

Several methods using a pre-computed residue table have been proposed for the efficient computation of A*B modulo a large integer N. In these methods, the size of the number to be processed is successively reduced in each stage of the computation by using a congruence relation modulo N. The method proposed in this paper is also included in this category. It achieves further table size reduction by recursively applying the same table to different digits of the number to be processed.

2. BASIC RULES

The basic idea for table lookup is very simple. If one wants to know the value of X mod N for a fixed N frequently for various X, then it is helpful to compute and store the value of X mod N for many X in advance. However, the pre-computed residue table must be reduced to a reasonable size because a full-scale exhaustive pre-computation is impossible in principle. (Note that the security of the RSA scheme is based on this fact.) So the following rules are applied for the table reduction. Bold printing represents pre-computed terms.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 245-250, 1988. © Springer-Verlag Berlin Heidelberg 1988

(1) $(A \cdot 2^u + B) \bmod N \equiv (\mathbf{A \cdot 2^u \bmod N}) + B \pmod N$

(2) $(A_1 \cdot 2^b + A_2) \bmod N \equiv (\mathbf{A_1 \cdot 2^b \bmod N}) + (\mathbf{A_2 \bmod N}) \pmod N$

(3) $(A \cdot 2^u + B) \bmod N \equiv (\mathbf{A \bmod N}) \cdot 2^u + B \pmod N$

Rule (1) means that in making the table, one may ignore the lower portion of X which is less than N. Rule (2) means that the table should be divided into some segments. The table for $(A_1 \cdot 2^b + A_2) \bmod N$ is always greater than the summation of the two tables, $(A_1 \cdot 2^b \bmod N)$ and $(A_2 \bmod N)$. The self-evident rule (3), which is introduced in this paper, enables the repeated use of one table for any digit. The method in [3]-[5] is derived by applying the above two rules, (1) and (2). The next section describes our method based on the additional rule (3).

3. TABLE-LOOK-UP

In order to formulate the problem, it is assumed that $X_j$, the number to be processed in the j-th stage, is divided into $l_j$ blocks and that each block consists of b bits. Then

Now, $X_{j+1}$ should be so defined that it satisfies the following reduction condition:

Two alternative definitions for $X_{j+1}$ are derived:

Definition 1:

where k is an integer which satisfies

and Definition 2:

Eq. (4)

where u is the number of bits of the modulus N.

Definition 1 can be called a parallel table lookup method and Def. 2 is named a recursive table lookup method. The underlined terms in the above equations have $2^b$ values each. They can be pre-computed and stored in memory if b is a modest value. As a result, modular arithmetic is executed not by division, but by table-lookup and addition. Definition 1 appears in some of the former papers. As described in section 2, the main idea of this method is that the memory size is reduced by dividing the number into blocks. Definition 2 is our proposal. The table in this method is independent of the block number (i). The same table is applied to any portion of the number to be processed. Accordingly, the size of the table is reduced by a large factor. Furthermore, Def. 1's idea that the table size is reduced by block division is also applicable to Def. 2. The underlined portion of Def. 2 can be divided into small segments, each of which consists of s bits. Thus a third definition is derived.

Definition 3:

This method can be called a recursive parallel table lookup method, which includes two system description parameters b and s. These parameters can be determined from the trade-off between execution time and memory reduction.

4. NUMBER OF ITERATIONS

It is important to evaluate the number of iterations required in reducing the initial value $X_0$ to a number less than $2^u$. In order to evaluate the most critical case, let us consider the model depicted in Fig. 1. S is the number to be processed, which is divided into two portions A and Z. A, the higher block, is greater than or equal to $2^u$. Z, the lower block, is less than $2^u$. If A is greater than 1, another table look up will result in the next value $S_0 = Z_0 + R_0$, which is a (u+1)-bit number at most. In other words, $A_1$, the higher block of $S_0$, equals 0 or 1. In the case of 0, no further reduction can be achieved by table look up. If $A_1$ equals 1, the next residue from the table is almost always $R_1 = 2^u - N$, except when N is $2^{u-1}$. As a result, the k-th summation $S_k$ is represented as $S_k = 2^u + (Z_0 - kN)$. At the moment $S_k$ becomes less than u bits in length, the procedure stops. Considering the range of $Z_0$ and N, K is 2 at most.

According to the above discussion, we can get the upper bound of the iteration by the procedure listed in Fig. 2. The input for this program is b and s, and the output is SS. Assuming

Fig. 1 SIMPLE TABLE LOOKUP MODEL [block diagram: S split into A and Z; residue table gives $R_n$; $S_{n+1} = Z_n + R_n$]

Fig. 2 ITERATION EVALUATION [PROCEDURE(b, s): read b, s; B <- b; ...; SS <- SS + 2^...; SS <- SS*(u/s); write SS; the remaining lines are not legible in the scan]

Fig. 3 ADDITION VS. MEMORY [key length = 512 bits; horizontal axis: table size in bytes, 100 to 1M; curves labelled b = 4 and b = 6]

5. DISCUSSION

Let A*B and N be 1024 and 512 bits in length, respectively. The total memory capacity $M_t$ is evaluated as follows:

$$M_t(b, s) = 2^s \cdot (b/s) \cdot u \qquad \text{Eq. (9)}$$

Reduction of both the number of additions and the memory size can be achieved by choosing appropriate parameters (see Fig. 3). For example, the parameter set (b,s) = (4,4) can reduce the memory size by a factor of 1/64 compared with the (512,4) set, which corresponds to the former method, Eq. (4), in spite of the fact that the two cases require about the same processing time.
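As an added example (my own Python, not the authors' implementation), the recursive parallel table lookup of Definition 3 (sections 2-3), the iteration behaviour of section 4 and the memory cost of Eq. (9) can be exercised directly: one table of $2^s$ residues per s-bit segment of a b-bit block, re-used at every digit position by shifting the stored residue rather than dividing (rule (3)). The 32-bit test modulus, the operands and the lookup counters are constructed for the example; the final conditional subtraction is mine, since the paper's procedure stops once fewer than u bits remain, which may still be a value between N and $2^u$.

```python
def build_tables(N, b, s):
    """tables[i][v] = v * 2^(u + i*s) mod N with u = bit length of N: one
    table of 2^s residues per s-bit segment of a b-bit block that sits just
    above the u-bit modulus (rules (1) and (2) of the paper)."""
    u = N.bit_length()
    return [[(v << (u + i * s)) % N for v in range(1 << s)] for i in range(b // s)]

def table_memory_bits(u, b, s):
    """Eq. (9): M_t(b, s) = 2^s * (b/s) * u bits."""
    return (1 << s) * (b // s) * u

def reduce_by_table(X, N, tables, b, s):
    """Reduce X mod N using only table lookups and additions.  Each round
    removes the top (at most b) bits of X, which sit at position e >= u, and
    adds back the stored residues shifted up by e - u, so by rule (3) the
    same table serves every digit position.  Returns (X mod N, lookups made,
    lookups made in the final tail where e == u, i.e. the section-4 model)."""
    u = N.bit_length()
    mask = (1 << s) - 1
    lookups = tail = 0
    while X >> u:                                   # more than u bits remain
        e = max(X.bit_length() - b, u)              # position of the block
        block = X >> e
        X -= block << e
        for i in range(b // s):                     # one lookup per s-bit segment
            v = (block >> (i * s)) & mask
            if v:
                X += tables[i][v] << (e - u)        # lookup + shift, no division
                lookups += 1
                tail += (e == u)
    if X >= N:                                      # X < 2^u < 2N: my one final correction
        X -= N
    return X, lookups, tail
```

Every round strictly decreases X because each stored residue $v \cdot 2^{u+is} \bmod N$ is smaller than the term $v \cdot 2^{u+is}$ it replaces, so the loop terminates without any comparison against N until the end. With s = b (a single segment) the tail matches the section-4 analysis: one lookup removes the block above bit u, after which the high block is 0 or 1 and at most two further lookups ($R_1 = 2^u - N$ each time) finish the job.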

6. CONCLUSION

This paper proposes a fast modular arithmetic which can reduce the table size. It also implies the reduction of pre-computation time.

[References]

[1] R.L. Rivest, A. Shamir, L. Adleman: "A method of obtaining digital signatures and public key cryptosystems", Comm. of ACM, pp.120-126 (Feb. 1978).

[2] M. Rabin: "Digitalized signatures and public-key cryptosystems", MIT/LCS/TR-212, Technical Report MIT (1979).

[3] N. Torii, M. Azuma, R. Akiyama: "A study on RSA parallel processing method" (in Japanese), Proc. of Workshop on cryptography and information security, pp.15-17 (Aug. 1986).

[4] Y. Nagai, T. Takaragi, F. Nakagawa, R. Sasaki: "Development of trial production for electronic contract authentication system" (in Japanese), Proc. of Workshop on cryptography and information security, pp.109-121 (Jul. 1987).

[5] Y. Kano, N. Matsuzaki, M. Tatebayashi: "A modulo exponentiation LSI using high-order modified Booth's algorithm" (in Japanese), Proc. of Workshop on cryptography and information security, pp.133-142.

Fast Exponentiation in $GF(2^n)$

G.B. Agnew, R.C. Mullin, S.A. Vanstone

University of Waterloo, Waterloo, Ontario, Canada

1. Introduction

In this article we will be concerned with arithmetic operations in the finite field $GF(2^n)$. In particular, we examine methods of exploiting parallelism to improve the speed of exponentiation.

We can think of the elements in $GF(2^n)$ as being n-tuples which form an n-dimensional vector space over GF(2). If $\{\beta, \beta^2, \beta^{2^2}, \dots, \beta^{2^{n-1}}\}$ is a basis for this space then we call it a normal basis and we call $\beta$ a generator of the normal basis. It is well known ([1]) that $GF(2^n)$ contains a normal basis for every $n \ge 1$. For $a \in GF(2^n)$ let $(a_0, a_1, \dots, a_{n-1})$ be the coordinate vector of a relative to the ordered normal basis N generated by $\beta$. It follows that $a^2$ then has coordinate vector $(a_{n-1}, a_0, a_1, \dots, a_{n-2})$, so squaring is simply a cyclic shift of the vector representation of a. In a hardware implementation squaring an element takes one clock cycle and so is negligible. For the remainder of this article we will assume that squaring an element is "free".

2. Discrete exponentiation

Suppose that we want to compute $a^e \in GF(2^n)$ where

$$e = \sum_{i=0}^{n-1} a_i 2^i, \qquad a_i \in \{0, 1\}.$$

Then

$$a^e = \prod_{i=0}^{n-1} a^{a_i 2^i}$$

and this requires $\Lambda = \left(\sum_{i=0}^{n-1} a_i\right) - 1$ multiplications. On average for randomly chosen e, $\Lambda$ will be about $\frac{n}{2}$ and so we require $\frac{n}{2}$ multiplications to do the exponentiation. We now examine ways of doing better.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 251-255, 1988. © Springer-Verlag Berlin Heidelberg 1988

Select a positive integer k and rewrite the exponent e as

$$e = \sum_{w=1}^{2^k-1} \sum_{i=0}^{r} c_{i,w}\, 2^{ki}\, w, \qquad c_{i,w} \in \{0, 1\}$$

(r + 1 k-bit blocks), or

$$e = (2^{10} + 2^8 + 2^4)(1 + 0 \cdot 2) + 2^{?}(0 + 1 \cdot 2) + (2^6 + 2^0)(1 + 2).$$

If we let $X(w) = \sum_{i=0}^{r} c_{i,w} 2^{ki}$ then

$$a^e = \prod_{w=1}^{2^k-1} \left(a^{X(w)}\right)^{w}.$$

On average X(w) will have $\frac{n}{k2^k}$ nonzero terms in it and, hence, will require $\frac{n}{k2^k} - 1$ multiplications to evaluate. Since w is represented by a binary k-tuple, w will have on average $\frac{k}{2}$ non-zero terms and require $\frac{k}{2} - 1$ multiplications to evaluate $\beta^w$. Therefore, to evaluate $a^{X(w)w}$ we need $t = \left[\frac{n}{k2^k} + \frac{k}{2} - 2\right]$ multiplications. Finally, to compute $a^e$ we need t multiplications for each $w \in \mathbb{Z}_{2^k} \setminus \{0\}$ and then $2^k - 2$ multiplications to multiply the results together. In total we require

$$M(k) = (2^k - 1)\left[\frac{n}{k2^k} + \frac{k}{2} - 2\right] + 2^k - 2$$

multiplications.

If we use $2^k - 1$ processors in parallel to evaluate each simultaneously then the number of multiplications is on average

$$T(k) = \frac{n}{k2^k} + \frac{k}{2} + 2^k - 4.$$

Example 2. For $n = 2^{10}$ and various values of k we compute M(k) and T(k).

  k    M(k)   T(k)
  6     293
  5     244     37
  4     254     30
  3     315     48

M(k) is minimized by k = 5 and T(k) by k = 4.

Example 3. For $n = 2^{16}$ and various values of k we compute M(k) and T(k).

  k    M(k)    T(k)
  11   15165   2052
  10   10638   1031
  9     9055    527
  8     8924    288
  7     9605    201
  6    10877    234

M(k) is minimized by k = 8 and T(k) by k = 7.

A more extensive tabulation of the functions M(k) and T(k) is given in the appendix. It appears, at least for small values of n, that M(k) and T(k) are minimized for k about $\log_2 \sqrt{n}$.
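To show the digit-grouping scheme and the counts above in running code, here is an added example (mine, not the authors' code). It implements $e = \sum_w w\,X(w)$ and $a^e = \prod_w (a^{X(w)})^w$, counts only multiplications (squarings are free in a normal basis), checks the result against the plain binary method of section 2, and evaluates $M(k)$ and $T(k)$ for the values tabulated above. One assumption: field arithmetic uses a polynomial basis for GF(2^8) with the AES polynomial (a constructed choice), because a normal-basis multiplier is much longer to write; the multiplication count does not depend on the basis.

```python
def gf_mul(x, y, n=8, poly=0x11B):
    """Multiply in GF(2^n), polynomial basis (AES field by default; constructed)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x >> n:
            x ^= poly
    return r

def square_times(x, m, n=8, poly=0x11B):
    """x^(2^m) by m squarings; in a normal basis these are cyclic shifts, so free."""
    for _ in range(m):
        x = gf_mul(x, x, n, poly)
    return x

def pow_binary(a, e, n=8, poly=0x11B):
    """Section 2: a^e = prod over set bits i of a^(2^i); (sum a_i) - 1 products."""
    r, mults = None, 0
    for i in range(e.bit_length()):
        if e >> i & 1:
            t = square_times(a, i, n, poly)
            r, mults = (t, mults) if r is None else (gf_mul(r, t, n, poly), mults + 1)
    return (1 if r is None else r), mults

def pow_grouped(a, e, k, n=8, poly=0x11B):
    """Split e into k-bit digits d_i, so e = sum_w w * X(w) with
    X(w) = sum_{i : d_i = w} 2^(ki), and a^e = prod_w (a^X(w))^w.
    Returns (a^e, multiplications); squarings are not counted."""
    mul = lambda x, y: gf_mul(x, y, n, poly)
    digits = [(e >> (k * i)) & ((1 << k) - 1) for i in range(-(-e.bit_length() // k))]
    result, mults = None, 0
    for w in range(1, 1 << k):
        positions = [i for i, d in enumerate(digits) if d == w]   # the 2^(ki) in X(w)
        if not positions:
            continue
        beta = None                      # beta = a^X(w): |X(w)| - 1 multiplications
        for i in positions:
            t = square_times(a, k * i, n, poly)
            beta, mults = (t, mults) if beta is None else (mul(beta, t), mults + 1)
        gamma = None                     # gamma = beta^w: popcount(w) - 1 multiplications
        for j in range(k):
            if w >> j & 1:
                t = square_times(beta, j, n, poly)
                gamma, mults = (t, mults) if gamma is None else (mul(gamma, t), mults + 1)
        result, mults = (gamma, mults) if result is None else (mul(result, gamma), mults + 1)
    return (1 if result is None else result), mults

def M(k, n):
    """Average multiplications on one processor (the paper's M(k))."""
    return (2 ** k - 1) * (n / (k * 2 ** k) + k / 2 - 2) + 2 ** k - 2

def T(k, n):
    """Average multiplications with 2^k - 1 processors working in parallel (T(k))."""
    return n / (k * 2 ** k) + k / 2 + 2 ** k - 4
```

The per-w work is independent across w, which is what the $2^k - 1$ parallel processors of $T(k)$ exploit; only the final $2^k - 2$ products of the $(a^{X(w)})^w$ remain sequential. The tabulated values are floors of these formulas, so Table 1's 243 for n = 1024 is M(5) = 243.9 truncated.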

Summary

In this paper, we have examined techniques for exponentiating in $GF(2^n)$. These techniques take advantage of parallelism in exponentiation and use processor/time tradeoffs to greatly improve the speed. A more complete study of this problem and other techniques for exploiting parallelism in operations in $GF(2^n)$ is presented in [2].

References

[1] O. Ore, On a special class of polynomials, Trans. Amer. Math. Soc. 35 (1933) 559-584.

[2] G.B. Agnew, R.C. Mullin, S.A. Vanstone, Arithmetic Operations in $GF(2^n)$, Submitted to the Journal of Cryptology.

Appendix

Table 1 below lists the values of k which minimize M(k) and T(k) for various values of n, where n is a power of 2. Table 2 below is similar for values of n in increments of 100.

Table 1

  n                 64   128   256   512  1024  2048  4096  8192
  k for Min M(k)
  Min value M(k)    21    39    74   134   243   442   797  1469
  Min value T(k)     8    10    16    22    30    43    56    81

Table 2

  n      k for Min M(k)   k for Min T(k)   Min value M(k)   Min value T(k)
  100          3                3                31               9
  200          3                3                60              13
  300          4                3                84              18
  400          4                4               107              20
  500          4                4               131              21
  600          4                4               154              23
  700          4                4               178              24
  800          5                4               200              26
  900          5                4               219              28
  1000         5                4               239              29
  1100         5                4               258              31
  1200         5                4               278              32
  1300         5                4               297              34
  1400         5                4               316              35
  1500         5                4               336              37
  1600         5                4               355              39
  1700         5                4               374              40
  1800         5                5               394              41
  1900         5                5               413              42
  2000         5                5               433              43

FAST RSA-HARDWARE: DREAM OR REALITY?

Frank Hoornaert¹, Marc Decroos¹, Joos Vandewalle², René Govaerts²

¹ CRYPTECH NV/SA, Av. Lloyd George 7, 1050 Brussels, Belgium

² ESAT K.U.LEUVEN, K. Mercierlaan 94, 3030 Heverlee, Belgium

ABSTRACT

This paper describes a successful hardware implementation of the RSA algorithm. It is implemented as a 120-bit bit-slice processor, which may be interconnected without additional circuitry to obtain arbitrary word lengths. With 512-bit operands, exponentiation takes less than 30 milliseconds.

I. INTRODUCTION

The actual explosion of electronic data communication and manipulation creates a still growing need for cryptography. This need exists as well for secret-key systems (using e.g. DES [1]) as for public-key systems (using e.g. RSA [2]). While DES can be efficiently implemented in software and hardware, the implementation of RSA is a lot more difficult in order to obtain a reasonable speed, especially for a software implementation. This drawback is certainly the main reason why up to now the RSA system has not been used more frequently, in spite of its very interesting cryptographic properties (e.g. authentication, electronic signature, key management, etc.). Although a few RSA implementations already exist or have been announced [4,5,6,7], a real breakthrough has not been achieved yet, mainly due to practical or economical reasons.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 257-264, 1988. © Springer-Verlag Berlin Heidelberg 1988

In this context, CRYPTECH has started a project in cooperation with the K.U.Leuven to study and build an RSA implementation. These chips should be used in a first pilot project, which is the BISTEL system of the Belgian government [8]. The system requirements were the following:

• fast enough to allow on line encryption.
• making use of secure key lengths (e.g. 512 bit).
• compact enough to allow integration in existing equipment.
• it must be in conformity with cryptographical principles.
• low cost to make an RSA solution economical.
• available for commercial applications.

Now the project is finished and a hardware implementation using ASICs (Application Specific Integrated Circuits) has been designed and built with success. The tests of the prototypes show RSA calculations at 9600 bit/sec and faster using a 672 bit (= 200 digit) modulus and exponent.

II. ALGORITHMS

During the first development phase, different calculation methods were analysed. Very soon it appeared that hardware knowledge had to be integrated in the algorithmic study in order to obtain an optimal calculation scheme. Therefore, cooperation with IMEC [3] was set up to get the necessary input from hardware engineers. The result was that an arithmetically simple calculation scheme evolved into an arithmetically complex calculation scheme in order to allow a faster and more compact hardware implementation.

The original simple calculation scheme partitions the exponentiation with the well-known square-and-multiply algorithm [9] into subsequent multiplications. Then these multiplications are divided by the shift-and-add algorithm into subsequent additions and shifts. The additions are done according to the carry-save principle so that the addition is not delayed by the length of the numbers. The entire exponentiation must be calculated modulo n and this is performed by doing a reduction modulo n after each shift-and-add operation. The basic principle of that reduction is summarised in the following algorithm.

Reduction algorithm.

Given modulus n, multiplicand A, multiplier B, intermediate result R, intermediate quotient q.

repeat for all bits b of B (starting with msb)
begin
  R := 2 * R + b * A;
  q := ⌊R/n⌋;
  R := R - q * n;
end.

However, a direct implementation of this reduction algorithm is very inefficient because three of the operations require a lot of time and/or hardware due to the length of the numbers, namely

• division R/n
• multiplication q * n
• subtraction R - q * n

Therefore some modifications are applied in order to simplify and speed up the hardware implementation:

1. The subtraction is replaced by an addition combined with the subtraction of all the overflow bits appearing after the addition. This gives the correct result only if the added value equals the value of the overflow bits minus the intended value to subtract.

Example: (supposing 2 digit arithmetic) (xx - 33) is equivalent to (xx + 37) only if the overflow equals "100". (e.g. xx = 75 is OK, but xx = 16 is not OK.)

2. The number of possible quotients will be limited to the values 0, 1, 2 and 3 so that the multiplication can be replaced by a small table of precomputed values [10].

3. The values in the table are not the values to subtract, but the values to add corresponding to the above described modification. This implies that with every table entry (= possible quotient) a needed overflow is associated.

4. The division is replaced by a sub-estimation of the quotient which uses only a very small part of the bits of R and n. This estimation function must at the same time take care of the following problems:

• In spite of all the imposed limitations on the quotient q, the estimation has to remain accurate enough to avoid a systematic increase of R which would create a divergence.

• For every intermediate result R, the quotient q may only take those values which guarantee that the condition of the correct overflow after the addition of the table value will be fulfilled. This problem can be solved thanks to the limited carry propagation of the carry-save addition.

It is clear that these modifications result in an arithmetically more complex algorithm. The hardware mapping of the algorithm, however, is more optimal because only two additions on long numbers are needed every cycle. The subtraction of the overflow is performed by wiping out some bits and the sub-estimation of the quotient can be done by a small and fast combinatorial circuit (< 20 nsec).
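The four modifications above, as an added example in Python (written by me, not the CRYPTECH design). It runs the bit-serial loop with a quotient sub-estimate taken from the top eight bits of R and n, a four-entry table of values to add, and an explicit check that the needed overflow occurs before the carry-out bits are wiped. The datapath width W, the guard-bit count and the 16-bit test modulus are constructed assumptions; ordinary integers stand in for the carry-save adders, and the final single conditional subtraction is my addition, since the sub-estimate keeps R below 2n rather than below n.

```python
def modmul_reference(A, B, n):
    """The paper's reduction algorithm taken literally (exact division)."""
    R = 0
    for i in range(B.bit_length() - 1, -1, -1):     # bits of B, msb first
        R = 2 * R + ((B >> i) & 1) * A
        R -= (R // n) * n
    return R

def estimate_quotient(R, n, guard=8):
    """Sub-estimate of R // n from the top `guard` bits of n and the matching
    bits of R, capped at 3.  It never exceeds R // n (so R - q*n >= 0 and the
    needed overflow occurs), and for R < 5n it is at most 1 below it, which
    keeps R < 2n from one cycle to the next: no divergence."""
    t = n.bit_length() - guard
    return min(3, (R >> t) // ((n >> t) + 1))

def modmul_table(A, B, n, W, guard=8):
    """Bit-serial A*B mod n on a W-bit datapath with the paper's tricks:
    q in {0,1,2,3} indexes a table of 2^W - q*n, and adding that entry then
    discarding the carry-out (the 'overflow') equals subtracting q*n.
    Requires A < n; W, guard and the modulus are the caller's assumptions."""
    assert n.bit_length() > guard and 5 * n < (1 << W), "datapath too short"
    mask = (1 << W) - 1
    table = [(-q * n) & mask for q in range(4)]      # values to ADD, not to subtract
    R = 0
    for i in range(B.bit_length() - 1, -1, -1):
        R = 2 * R + ((B >> i) & 1) * A               # first adder stage (R < 2n, so R < 5n)
        q = estimate_quotient(R, n, guard)           # small combinational function
        S = R + table[q]                             # second adder stage
        if q:                                        # the associated overflow must appear
            assert S >> W == 1, "estimate exceeded R // n"
        R = S & mask                                 # wipe the overflow bits
        assert R < 2 * n                             # the bound the estimate guarantees
    return R - n if R >= n else R                    # my final correction: R < 2n -> R < n

def modexp_table(m, e, n, W):
    """Square-and-multiply on top of modmul_table, as the chip does; m < n."""
    r = 1
    for i in range(e.bit_length() - 1, -1, -1):
        r = modmul_table(r, r, n, W)
        if (e >> i) & 1:
            r = modmul_table(r, m, n, W)
    return r
```

The two inequalities in `estimate_quotient` are what the paper's fourth modification asks for: the cap at 3 and the `+ 1` in the divisor make the estimate never too large, so the overflow condition of modification 3 always holds, while eight guard bits make it never more than one too small, so R cannot grow without bound. With carry-save adders the top bits of R are only approximately known, which is the "limited carry propagation" problem the paper mentions and the part this integer model does not reproduce.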

III. IMPLEMENTATION

The chip architecture is a direct mapping of the algorithm. A first adder stage performs the conditional addition of the multiplicand and a second adder stage performs the modulo reduction. The result is stored and simultaneously the decision is made about the most optimal quotient for the next modulo reduction.

Each chip contains a datapath for 120 bits and chips can be hardware concatenated to arbitrary datapath lengths (e.g. 720 bit or longer). In any case, the datapath must be at least as long as the used modulus. Even after concatenating a fixed number of chips, the used keylength can still be changed arbitrarily between 32 bit and the maximum value imposed by the hardware.

Besides the arithmetic part, the general structure and behaviour has also been optimised in order to get a universally useful module. For instance:

Figure 1: Architecture of the communication. [block diagram: control lines RESET, CLK, INAC, CS, RW; ADDRESS BUS (13); the module; VCC and GND]

1. Powerful tasks can be done without external aid. E.g. a complete RSA calculation.

2. A self-kill instruction destroys all internally stored keys in case of detection of an intruder.

3. Keys can be entered and during this process, the keys can be read out in order to check proper hardware functioning. After the entering is completed, the key can never again be read out or even be changed partially.

4. Up to 16 complete keys (e and n) can be memorised by the module.

5. The external interface of the module is very similar to the interface of a standard RAM. Therefore it can be coupled with almost every microprocessor bus (fig. 1).

IV. PERFORMANCE

The following table gives an overview of the data rates which have been achieved with the RSA hardware. The speed is linearly dependent on the exponent length, so that the use of very short exponents (e.g. 3, 65537) can boost the speed [9,11]. By putting modules in parallel, a supplementary speed gain factor up to 10 is possible. The module is completely built in the latest CMOS technology (1.5 µm) and consumes about 400 mA at maximum speed. A total of about 200,000 transistors are incorporated in a 6 chip module (maximum 712 bit modulus) which has the size of an actual pocket calculator (13.9 x 6.4 cm²) (fig. 2).

  modulus length                     256 bit    512 bit    672 bit
  exponent = 65537                   512 Kb/s   512 Kb/s   512 Kb/s
  exponent length = modulus length    35 Kb/s    17 Kb/s    13 Kb/s

Table 1: Speed of a single module (14 MHz clock).

V. CONCLUSIONS

In the paper it is shown that a compact and fast (17 Kb/s for 512 bit) gate array chip design is feasible. The actual chip development is in the commercial phase. Test samples are already tested and fully approved. Mass production quantities of the chips are available and the first RSA security systems using these production chips are actually under test (BISTEL [8]). An evaluation package including a 712-bit module, an interface card for the IBM PC, sources of driver software (C-language) and hot-line problem support, is now available.

Future actions are on one hand the support of these RSA chips and derived products (PC-encryptors, key generators, high-speed encryptors, ...). On the other hand the availability of fast RSA implementations should stimulate the research and development of public key cryptography, which was forced too long in the past to proceed without actual fast hardware.

Figure 2: Photograph of the RSA module for keys up to 712 bit.

References

[1] National Bureau of Standards, Data Encryption Standard, U.S. Department of Commerce, FIPS Pub. no. 46, January 1977.

[2] R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Commun. ACM, vol. 21, pp. 120-126, February 1978.

[3] IMEC (Interuniversitair Micro Electronica Centrum), Kapeldreef 75, B-3030 Heverlee, Belgium, Tel. 32-(0)16-281211.

[4] R.L. Rivest, "A Description of a Single Chip Implementation of the RSA Cipher", LAMBDA Magazine, Vol. 1, No. 3 (Fourth Quarter 1980), pp. 14-18.

[5] M. Kochanski, "Split Key", Systems International, October 1986.

[6] S. Miyaguchi, "Fast encryption algorithm for the RSA cryptographic system", Proceedings COMPCON 1982 - Twenty-fifth IEEE Computer Society International Conference, September 1982.

[7] J.C. Pailles and M. Girault, "The Security Processor CRIPT", Pre-prints of the Fourth IFIP Conference on Information System Security, Monte-Carlo, December 1986.

[8] J. Vandewalle, R. Govaerts, W. De Becker and M. Decroos, "Implementation study of public key cryptography protection in an existing electronic mail and document handling system", Advances in Cryptology, Proc. of EUROCRYPT '85 (Lecture Notes in Computer Science; 219), F. Pichler, Ed., Springer-Verlag, Berlin, 1986, pp. 43-49.

[9] D.E. Knuth, The Art of Computer Programming. Vol. 2: Seminumerical Algorithms, Addison-Wesley, Reading, MA, 1981.

[10] E.F. Brickell, "A Fast Modular Multiplication Algorithm with Application to Two Key Cryptography", Advances in Cryptology, Proc. of CRYPTO '82, D. Chaum, R.L. Rivest and A.T. Sherman, Eds., Plenum, New York, 1983, pp. 51-60.

[11] H. Sedlak, "The RSA Cryptography Processor", Advances in Cryptology, Proc. of EUROCRYPT '87 (Lecture Notes in Computer Science; 304), D. Chaum and W.L. Price, Eds., Springer-Verlag, Berlin, 1988, pp. 95-105.


PROPERTIES OF THE EULER TOTIENT FUNCTION MODULO 24 AND SOME OF ITS CRYPTOGRAPHIC IMPLICATIONS

Raouf N. Gorgui-Naguib and Satnam S. Dlay

Cryptology Research Group, Department of Electrical and Electronic Engineering, University of Newcastle upon Tyne, Newcastle upon Tyne NE1 7RU, England

ABSTRACT

The work reported in this paper is directed towards the mathematical proof of the existence of a consistent structure for the Euler totient function φ(n) given n. This structure is extremely simple and follows from the exploitation of some of the very interesting properties relating to the integer 24, as demonstrated in the proofs. This result is of particular concern to cryptologists who are either attempting to break the RSA or ascertain its cryptographic viability. Furthermore, it is stipulated that the methods and properties relating to the integer 24, taken as a modulus, may have strong implications on the different attempts to solve the factorisation problem.

I. INTRODUCTION

Rivest et al. [1] (RSA) have presented a method for public-key cryptosystems whose security depends predominantly on the difficulty of factorising large numbers. This has stimulated research on the factorisation problem, which would ultimately threaten the security of the RSA, and has resulted in numerous papers being published on this work, such as Williams' overview of factoring procedures [2]. However, the validity of the different cryptanalytic attacks on the RSA has always been contested [3,4] and a fast algorithm for factorising large numbers has not yet appeared.

This paper does not set out to break the RSA, but approaches the factorisation problem from an original viewpoint and consequently raises some doubts about its security. The approach taken is the development of a mathematical proof of the existence of a structure for the Euler totient function φ(n) in terms of the argument n. This structure could enable the computation of the decryption key, which is secret in the RSA cryptosystem, from a knowledge of the encryption key and the parameter n, which both reside in the public directory. The derivation of the structure for the Euler totient function and its interesting implications is based on the extremely simple, but powerful, number theoretical properties of the integer 24.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 267-274, 1988. © Springer-Verlag Berlin Heidelberg 1988

II. NUMBER THEORETIC PROPERTIES OF THE INTEGER 24

In this section, we prove the existence of some extremely interesting properties relating to the integer 24. The most important of these properties may be expressed in terms of the following theorem:

Theorem 1 For any prime p, p > 3,

$p^2 \equiv 1 \pmod{24}$ (1)

Proof The congruence given in (1) can be expressed in the form of the Diophantine equation

$p^2 - 1 = 24k$ (2)

for a particular value of k. Hence,

$(p - 1)(p + 1) = 24k = 4!\,k$

where "!" denotes the factorial operation. The proof for (1) then consists in proving that $(p - 1)(p + 1)$ is divisible by 4, 3 and 2.

Since p is a prime, its negative and positive differences about 1 can be expressed in the form

$(p - 1) = 2m, \quad (p + 1) = 2m + 2$

where m is any positive integer. Hence,

$(p - 1)(p + 1) = 2m(2m + 2) = 4m(m + 1)$


If m is even, then m = 2m'. Conversely, if it is odd then (m + 1) = 2m', so that the product m(m + 1) is always an even integer of the form 2m''. Thus

$(p - 1)(p + 1) = 4 \cdot 2m''$

which establishes the fact that 2 and 4 are indeed factors of $p^2 - 1$.

To prove that the last factor 3 is also a factor of $p^2 - 1$, we present the following development.

Any three consecutive numbers about p will be of the form

$(p - 1),\ p,\ (p + 1)$

and since $3 \nmid p$ (p is a prime), then

either $3 \mid (p - 1)$ or $3 \mid (p + 1)$

In either case, the product $(p - 1)(p + 1)$ will contain a factor of 3. This completes the proof.

III. DEDUCTION OF A STRUCTURE FOR THE EULER TOTIENT FUNCTION - CRYPTANALYSIS OF THE RSA MODULO 24

In this section, we present a stepwise mathematical deduction of the Euler totient function, φ(n), from a knowledge of n. This deduction is based on the theorem reported in the previous section.

In the case of the RSA [1],

$n = pq$

where p and q are the two primes involved in the encryption process.

The security of the RSA is based on the fact that a knowledge of both n and the encryption key e (chosen at random from the interval $[2, \varphi(n) - 1]$ such that $\gcd(e, \varphi(n)) = 1$) does not allow the straightforward deduction of the decryption key d, where d is the multiplicative inverse of e modulo φ(n):

$ed \equiv 1 \pmod{\varphi(n)}$

since, due to the factorisation problem and the nature of p and q, it is impossible to compute the value of φ(n) given n.


For two primes p and q, such that p, q > 3:

$p^2 \equiv 1 \pmod{24}, \quad q^2 \equiv 1 \pmod{24}$

Then, for n = pq,

$n^2 = p^2 q^2 \equiv 1 \pmod{24}$ (3)

Also, since $\varphi(p^a) = p^{a-1}(p - 1)$ [5], then

$\varphi(p^2) = p(p - 1) = p^2 - p$

or,

$\varphi(p^2) \equiv 1 - p \pmod{24}$ (4)

Consequently, since $\gcd(p^2, q^2) = 1$, then

$\varphi(n^2) = \varphi(p^2)\,\varphi(q^2) \equiv (1 - p)(1 - q) = 1 + pq - (p + q) \pmod{24}$ (5)

However,

$\varphi(n) = (p - 1)(q - 1)$ (6)

From (5) and (6) we can then establish that

$\varphi(n^2) \equiv \varphi(n) \pmod{24}$ (7)

Also, since $\varphi(p^2) = p(p - 1)$, then congruence (5) can be interpreted as follows:

$\varphi(n^2) = \varphi(p^2)\,\varphi(q^2) = p(p - 1)\,q(q - 1) = pq\,(p - 1)(q - 1)$

Thus,

$\varphi(n^2) = n\,\varphi(n)$ (8)


On the other hand, congruence (7) may be written in its Diophantine equation form:

$\varphi(n^2) = 24z + \varphi(n); \quad z = 1, 2, \ldots$ (9)

Now, equating the RHS of equations (8) and (9) yields

$n\,\varphi(n) = 24z + \varphi(n)$

Hence

$\varphi(n) = \dfrac{24z}{n - 1}$ (10)

Equation (10) shows that there exists a definite structure for the Euler totient function in terms of its argument. In what concerns the RSA, such a structure is of particular importance since, for decryption purposes, φ(n) is the crucial secret number in the system. The ability to compute φ(n) given n renders the system vulnerable to cryptanalytic attacks and, although the practical evaluation of the factor z may still be complicated, it is thought that, in theory at least, the existence of such a structure may lead the way towards developing a fast algorithm for the evaluation of φ(n). This is currently being investigated.

IV. FURTHER PROPERTIES MODULO 24 AND AN ALGORITHM FOR EVALUATING φ(n)

The primes p and q involved in the RSA can be shown to have specific properties in terms of the integer 24, namely,

Theorem 2 $p + q \equiv 2i \pmod{24}; \quad i = 0, 1, \ldots, 11$ (11)

The proof of this theorem is rather simple and shall not be presented here.

Conjecture 1 The residue of n = pq is always 1 or an odd prime, taken modulo 24. In general, we can write

$n \equiv \rho \pmod{24}$ (12)

where ρ = 1 or a prime ∈ [3, 23].

Conjecture 2 The residue of z in equation (10) is always an even integer, modulo 24:

$z \equiv 2j \pmod{24}$ (13)

where j is an even or odd integer.


The development of the following algorithm depends on the two conjectures given above. From (12) and (13), we can write

$z - n \equiv 2j - \rho \pmod{24}$

or, that

$z \equiv n + 2j - \rho \pmod{24}$ (14)

In congruence (14), n is given and ρ can be simply evaluated. Hence, the only missing parameter is j. Consequently, from this congruence, we may write

$z = 24y + (n + 2j - \rho)$ (15)

for a particular value of y. Replacing z in equation (10) by its corresponding expression in (15), we obtain

$\varphi(n) = \dfrac{24\,[24y + (n + 2j - \rho)]}{n - 1} = \dfrac{24(n - \rho) + 24(24y + 2j)}{n - 1}$

However, (24y + 2j) will always yield an even value which may be expressed as 2i for any integer i. Hence,

$\varphi(n) = \dfrac{24(n - \rho) + 24 \cdot 2i}{n - 1} = \dfrac{24(n - \rho) + 48i}{n - 1}$ (16)

As a result, the following algorithm may be developed based on equation (16), which searches for possible values of φ(n):

Step 1: Compute ρ = n (mod 24).

Step 2: φ(n) is O(n − 1); hence the numerator in equation (16) is O((n − 1)²). Set numerator = (n − 1)².

Step 3: Calculate a starting value of i, such that i = ⌊[(n − 1)² − 24(n − ρ)] / 48⌋.

Step 4: Check if (n − 1) | numerator in equation (16):
  Yes → possible value for φ(n) obtained, then
  No → decrement i, and check equation (16), else
  repeat Step 4.


The above algorithm is by no means optimal. It suffers from two drawbacks: first, the magnitude of (n − 1)² and, second, decrementing i by 1 results in a slow process. It is thought that a better approach may be to test for values of z directly in equation (10). This is currently being investigated, and attempts to increase the multiplier of z from 24 to other larger integers, while maintaining a constant structure for φ(n), are also being studied.
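Added example (Python, not code from the paper): a check of Theorem 1, of equations (8) and (10), and of the Step 1-4 search of Section IV on toy moduli. It also counts how many values of i the search visits, which makes the drawback noted above concrete: the search runs over roughly (n − 1)²/48 values of i, far more than trial division up to √n, and, as the n = 77 case shows, the first i at which (n − 1) divides the numerator need not give φ(n).

```python
# Added example, not code from the paper: checks Theorem 1, equations (8) and
# (10) and the Step 1-4 search of Section IV on toy moduli, and counts the
# values of i the search visits.

from math import isqrt


def is_prime(m):
    """Trial division; fine for the toy sizes used here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    return all(m % d for d in range(3, isqrt(m) + 1, 2))


def theorem1_holds(limit):
    """p^2 == 1 (mod 24) for every prime 3 < p <= limit (Theorem 1)."""
    return all(p * p % 24 == 1 for p in range(5, limit + 1) if is_prime(p))


def totient_structure(p, q):
    """For n = pq with distinct primes p, q > 3, return (n, phi(n), z) where
        phi(n^2) = n phi(n)            (equation 8)
        phi(n)   = 24 z / (n - 1)      (equation 10), z an integer."""
    assert p != q and is_prime(p) and is_prime(q) and min(p, q) > 3
    n = p * q
    phi = (p - 1) * (q - 1)                 # equation (6)
    phi_n2 = p * (p - 1) * q * (q - 1)      # phi(p^2) phi(q^2)
    assert phi_n2 == n * phi                # equation (8)
    assert phi_n2 % 24 == phi % 24          # congruence (7)
    z, rem = divmod((n - 1) * phi, 24)      # from n phi(n) = 24 z + phi(n)
    assert rem == 0                         # z really is an integer
    assert z % 2 == 0                       # Conjecture 2 holds for this n
    return n, phi, z


def search_phi(n):
    """Steps 1-4 of Section IV, built on equation (16):
        phi(n) = (24 (n - rho) + 48 i) / (n - 1),   rho = n mod 24.
    i starts at floor(((n - 1)^2 - 24 (n - rho)) / 48) and is decremented
    to 0; every i at which (n - 1) divides the numerator yields a candidate.
    Returns (candidates in the order found, number of values of i tested)."""
    rho = n % 24                                  # Step 1
    base = 24 * (n - rho)
    i = ((n - 1) ** 2 - base) // 48               # Steps 2 and 3
    candidates, steps = [], 0
    while i >= 0:                                 # Step 4
        steps += 1
        numerator = base + 48 * i
        if numerator % (n - 1) == 0:
            candidates.append(numerator // (n - 1))
        i -= 1
    return candidates, steps


if __name__ == "__main__":
    print("Theorem 1 holds up to 10^4:", theorem1_holds(10_000))
    for p, q in ((5, 7), (7, 11)):
        n, phi, z = totient_structure(p, q)
        cands, steps = search_phi(n)
        print(f"n={n}: phi={phi}, z={z}; search tested {steps} values of i, "
              f"candidates {cands}")
```

For n = 35 the search tests 13 values of i and the only candidate is φ(35) = 24; for n = 77 it tests 85 values and finds five candidates, of which the first (72) is not φ(77) = 60, so the candidates still have to be verified by other means.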

V. CONCLUSIONS

In this paper we have presented a stepwise mathematical deduction of the Euler totient function φ(n) from a knowledge of n. This deduction is based on some interesting number theoretic properties relating to the integer 24. These properties, together with their proofs, were presented in detail. An algorithm for the final evaluation of φ(n) was also given. However, it must be stressed that the aim of the paper was mainly directed towards proving the existence of a consistent structure for φ(n) in terms of n and the integer 24. It is believed that it may also have strong implications on the different attempts to solve the factorisation problem.

VI. ACKNOWLEDGEMENTS

The authors are grateful to their colleagues and postgraduate students in the Cryptology Research Group of the Department of Electrical and Electronic Engineering, the University of Newcastle upon Tyne, for many interesting discussions and comments on this work. They are particularly indebted to Jalil Tabatabaian for providing the simple proof of Theorem 1.

References

[1] R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, vol. 21, No. 2, Feb. 1978, pp. 120-126.

[2] H.C. Williams, "An Overview of Factoring", Proceedings of CRYPTO '83, pp. 71-80.

[3] R.L. Rivest, "Remarks on a Proposed Cryptanalytic Attack on the M.I.T. Public-Key Cryptosystem", Cryptologia, vol. 2, No. 1, Jan. 1978, pp. 62-65.


[4] ibid, "Critical Remarks on 'Critical Remarks on Some Public-Key Cryptosystems' by T. Herlestam", BIT, vol. 19, 1979, pp. 274-275.

[5] G.H. Hardy and E.M. Wright, An Introduction to the Theory of Numbers, Oxford University Press, 1981.


An Observation on the Security of McEliece's Public-Key Cryptosystem

P. J. Lee and E. F. Brickell¹
Bell Communications Research
Morristown, N. J., U. S. A.

Abstract

The best known cryptanalytic attack on McEliece's public-key cryptosystem based on algebraic coding theory is to repeatedly select k bits at random from an n-bit ciphertext vector, which is corrupted by at most t errors, in the hope that none of the selected k bits are in error, until the cryptanalyst recovers the correct message. The method of determining whether the recovered message is the correct one has not been thoroughly investigated. In this paper, we suggest a systematic method of checking, and describe a generalized version of the cryptanalytic attack which reduces the work factor significantly (a factor of $2^{11}$ for the commonly used example of the n = 1024 Goppa code case). Some more improvements are also given. We also note that these cryptanalytic algorithms can be viewed as generalized probabilistic decoding algorithms for any linear error correcting code.

I. Introduction

McEliece [1] introduced a public-key cryptosystem based on algebraic coding theory. Specifically, an (n, k) binary Goppa code [2] was chosen for this purpose since the error correction capability grows linearly with its dimension for a given code rate k/n. The correctable number of errors t for an (n, k) Goppa code with $n = 2^l$ is given by:

$t \geq (n - k)/l.$ (1)

¹ E. F. Brickell is now with Sandia National Laboratories, Albuquerque, NM 87183 U.S.A.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 275-280, 1988. © Springer-Verlag Berlin Heidelberg 1988


The vectors, matrices and operations in the following discussion are all binary.

The next section describes McEliece's cryptosystem and the following section explains the best known cryptanalytic attack. After describing a systematic method of checking whether the recovered message is correct or not, we will suggest a generalization of the attack. Our analysis will show that the factor of improvement will be significant. Further improvements will also be discussed, and conclusions and other discussions will follow.

II. Description of McEliece's Public-Key Cryptosystem

McEliece's system works as follows: The system user (receiver) secretly constructs a linear t-error correcting Goppa code with k×n code generator matrix G, a k×k scrambler matrix S that has an inverse over GF(2), and an n×n permutation matrix P. Then he computes

$G' = S\,G\,P$ (2)

which is also a linear code (but supposedly hard to decode) with the same rate and error correction capability as the original code generated by G. He publishes G' as his public encryption key. The sender encrypts a k-bit message vector m into an n-bit ciphertext vector c as

$c = m\,G' + e$ (3)

where e is a random n-bit error vector of weight less than or equal to t. The receiver computes $c\,P^{-1} = (m\,S)\,G + e\,P^{-1}$ and uses the decoding algorithm for the original code with G to get rid of $e\,P^{-1}$. Finally, to get m he descrambles $m\,S$ by multiplying by $S^{-1}$.

III. The Best Known Cryptanalytic Attack

There have been several methods proposed for attacking McEliece's system, [1], [3], [4], etc. Among them, the best attack with least complexity is to repeatedly select k bits at random from the n-bit ciphertext vector c to form $c_k$, in the hope that none of the selected k bits are in error. If there is no error in them, then $c_k G_k^{-1}$ is equal to m, where $G_k$ is the k×k matrix obtained by choosing k columns of G' according to the same selection as $c_k$.


The work factor for the matrix inversion is $O(k^\gamma)$ for some γ between 2 and 3. However, all of the known algorithms for γ < 2.7 have enormous constants that make them infeasible for matrices of a reasonable size. Perhaps the Winograd algorithm ([5], p. 481) with γ ≈ 2.8 might be the best for these matrices of size between 500 and 1000. However, for the following analysis, we will use as in [4] the elementary algorithm with γ = 3 and small constant α.

The probability that there is no error in randomly selected k bits, among n bits with t errors, is $\binom{n-t}{k} \big/ \binom{n}{k}$. Therefore, the total expected work factor for this attack is [3], [4]

$W = \alpha\,k^3\,\binom{n}{k} \Big/ \binom{n-t}{k}.$ (4)

Originally, in [1], the values of l = 10 and t = 50 (or n = 1024, k = 524) were suggested, which result in a work factor of approximately $2^{80.7}$ (with α = 1). More recently, in [4], the optimum value of t that maximizes the work factor for n = 1024 was shown to be 37 (or equivalently, k = 654), providing $W = 2^{84.1}$.

IV. Systematic Method of Checking $c_k G_k^{-1}$

Notice that the work factor for checking whether the obtained $c_k G_k^{-1}$ is really m was not discussed in [1] and [4], while [3] just suggested that the validity of $c_k G_k^{-1}$ may be determined by the redundancy in m, which might not be practical.

Here, we provide a systematic and practical method of checking whether the obtained $c_k G_k^{-1}$ is m or not. Since G' is also a code generator matrix having minimum distance larger than 2t, if $c_k G_k^{-1}$ is not the true m, then $m\,G' + c_k G_k^{-1} G'$ must have weight at least 2t. Hence if $c + c_k G_k^{-1} G'$ has weight less than or equal to t, then the cryptanalyst can claim that $c_k G_k^{-1} = m$.

V. Generalization of the Above Attack

The above cryptanalysis can be generalized by allowing a very small number of errors in the selected $c_k$. The following describes the algorithm:


Algorithm j:

Step 1) Randomly choose k bits from an n-bit ciphertext c (denoted as $c_k$). Let $G_k$ be the k×k matrix obtained by choosing the corresponding columns of G'. Calculate $G_k^{-1} G'$ and $c + c_k (G_k^{-1} G')$.

Step 2) Choose an unused k-bit error pattern $e_k$ with less than or equal to j ones. If $(c + c_k G_k^{-1} G') + e_k (G_k^{-1} G')$ has weight t or less, then stop ($m = c_k G_k^{-1}$).

Step 3) If there are no more unused k-bit error patterns with less than or equal to j ones, go to Step 1). Otherwise, go to Step 2).

Notice that Algorithm 0 is the attack discussed in Section III, including our systematic checking of $c_k G_k^{-1}$.

Let $Q_i$ be the probability that there are exactly i errors among the randomly chosen k-bit vector $c_k$. It can be shown that

$Q_i = \binom{t}{i}\binom{n-t}{k-i} \Big/ \binom{n}{k}.$ (5)

Hence, the probability that the algorithm completes successfully is $\sum_{i=0}^{j} Q_i$. Therefore, the expected number of executions of Step 1), $T_j$, is

$T_j = 1 \Big/ \sum_{i=0}^{j} Q_i.$ (6)

Let $N_j$ be the number of k-bit error patterns with less than or equal to j ones. Then,

$N_j = \sum_{i=0}^{j} \binom{k}{i}.$ (7)

Hence, $N_j$ is the number of executions of Step 2) for a given choice of $c_k$ with more than j errors in it.

The work factor involved in Step 1) is approximately $\alpha k^3$ with small α when k > n/2. The work factor involved in Step 2) is approximately $\beta k$ with small β, since we can just update the vector $e_k (G_k^{-1} G')$ for each choice of $e_k$ which differs in at most two positions from the previous choice of $e_k$. Therefore, the average overall work factor for Algorithm j, $W_j$, is

$W_j = T_j\,(\alpha k^3 + N_j\,\beta k).$ (8)


Notice that $W = W_0$. Also notice that for any reasonable value of α and β, $W_j$ decreases and then increases as j increases. With α = β, we can show that the optimum j which minimizes the work factor is 2 for all values of useful code parameters. With α = β = 1, the minimum work factor $W_2 \approx 2^{73.4}$ for the case of n = 1024 and t = 37, which is a factor of $2^{11}$ reduction as compared to $W_0$. For the n = 1024 case, the value of t which maximizes $W_2$ is 38 (k = 644), for which $W_2$ is also approximately $2^{73.4}$.
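Added example (Python, not code from the paper): equations (4) to (8) evaluated with exact integer binomials, reproducing the work factors quoted in Sections III and V ($2^{80.7}$, $2^{84.1}$, $2^{73.4}$) and the optimum j = 2. It is written as a parameter-selection aid: a defender can read off how much margin a given (n, k, t) leaves against Algorithm j. Assumed, as in the text: α = β = 1 and k = n − lt; the `log2_work_factor_prime` variant models Section VI's Step 1)' under the paper's own assumption that $T_j' = T_j$.

```python
# Added example, not code from the paper: equations (4) to (8) evaluated with
# exact Python integers; only the final logarithm is floating point.

from math import comb, log2


def goppa_dimension(l, t):
    """k = n - l t for a binary Goppa code of length n = 2^l correcting t
    errors (equation (1) taken with equality, as in the paper's examples)."""
    return 2**l - l * t


def log2_work_factor(n, k, t, j, alpha=1, beta=1):
    """log2 of W_j for Algorithm j (equations (5)-(8)):
        Q_i = C(t,i) C(n-t,k-i) / C(n,k)   probability of exactly i errors in c_k
        T_j = 1 / sum_{i<=j} Q_i           expected executions of Step 1)
        N_j = sum_{i<=j} C(k,i)            error patterns tried per Step 1)
        W_j = T_j (alpha k^3 + N_j beta k)
    j = 0 is equation (4), the basic attack of Section III."""
    success = sum(comb(t, i) * comb(n - t, k - i) for i in range(j + 1))
    n_j = sum(comb(k, i) for i in range(j + 1))
    cost = alpha * k**3 + n_j * beta * k
    return log2(comb(n, k) * cost) - log2(success)


def log2_work_factor_prime(n, k, t, j, alpha_prime=1, beta=1):
    """Section VI's Step 1)' (one bit of c_k updated, cost alpha' k^2) under
    the paper's assumption T_j' = T_j; otherwise identical to W_j."""
    success = sum(comb(t, i) * comb(n - t, k - i) for i in range(j + 1))
    n_j = sum(comb(k, i) for i in range(j + 1))
    cost = alpha_prime * k**2 + n_j * beta * k
    return log2(comb(n, k) * cost) - log2(success)


def best_j(n, k, t, j_max=6, alpha=1, beta=1):
    """The j in 0..j_max that minimises W_j."""
    return min(range(j_max + 1),
               key=lambda j: log2_work_factor(n, k, t, j, alpha, beta))


if __name__ == "__main__":
    for l, t in ((10, 50), (10, 37), (10, 38)):
        n, k = 2**l, goppa_dimension(l, t)
        j = best_j(n, k, t)
        print(f"n={n} k={k} t={t}: W_0 = 2^{log2_work_factor(n, k, t, 0):.1f}, "
              f"best j={j}, W_{j} = 2^{log2_work_factor(n, k, t, j):.1f}, "
              f"W_1' = 2^{log2_work_factor_prime(n, k, t, 1):.1f}")
```

The three parameter sets print the figures the paper quotes; changing α and β shows how sensitive the optimum j is to the relative cost of the matrix update and of one error pattern.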

VI. Further Improvements

Instead of calculating the vector $(c + c_k G_k^{-1} G') + e_k (G_k^{-1} G')$ (= ē) first and then checking whether ē has weight t or less in Step 2), one can calculate the vector ē bit by bit and check the accumulated weight until it exceeds t. When we assume that the vector ē has average weight n/2 for incorrect cases, we can expect that the number of bits to be tested in this improved Step 2)' is 2t on average. Hence, the work factor for Step 2)' is less than that of Step 2) by a factor of k/2t on average. For the previous example, this is a factor of 10 improvement.

For each Step 1) the new $c_k$ is selected randomly. However, one can just randomly update only one bit of $c_k$ each time. The work factor in this Step 1)' is then reduced to $\alpha' k^2$ for updating $(G_k^{-1} G')$. In this case, however, we could not find the expected number of executions of Step 1)' before success, $T_j'$. If one assumes that $T_j'$ is the same as $T_j$, it can be shown that the optimum j which minimizes $W_j'$ is 1 when α' = β (with Step 2)). And for the previous example of l = 10, the value of t that maximizes $W_1'$ is also 38, resulting in $W_1' = 2^{69.6}$. And, together with Step 2)', we can improve by another factor of 10.

VII. Conclusions and Discussion

In conclusion, we have described a systematic method of checking the validity of the recovered cleartext. And we suggested an improved cryptanalytic attack which is a factor of $2^{11}$ more efficient than the previously known best attack. We also suggested some more improvements over the new attack.


In [6], it was shown that the syndrome decoding of a general linear algebraic code is an NP-complete problem and the running time for the syndrome decoding is an exponential function of its input dimension k, and it is claimed that the discovery of an algorithm which runs significantly faster than this would be an important achievement. The cryptanalytic attack of [1] described in Section III and our generalizations are general probabilistic decoding algorithms for any general linear error correcting code which can run more efficiently (although still in exponential time) than the syndrome decoding of a general code when the number of errors in a code word seldom exceeds its error correcting capability.

References

[1] R. J. McEliece, "A public-key cryptosystem based on algebraic coding theory," CA, May 1978.

[2] E. R. Berlekamp, "Goppa codes," IEEE Trans. Info. Theory, Vol. IT-19, pp. 590-592, Sept. 1973.

[3] T.R.N. Rao and K.-H. Nam, "Private-key algebraic-coded cryptosystems," Proc. Crypto '86, pp. 35-48, Aug. 1986.

[4] C. M. Adams and H. Meijer, "Security-related comments regarding McEliece's public-key cryptosystem," to appear in Proc. Crypto '87, Aug. 1987.

[5] D. E. Knuth, The Art of Computer Programming, Vol. 2. Seminumerical Algorithms, Addison-Wesley, 1981.

[6] E. R. Berlekamp, et al., "On the inherent intractability of certain coding problems," IEEE Trans. Info. Theory, Vol. IT-22, pp. 644-654, May 1978.


HOW TO BREAK OKAMOTO'S CRYPTOSYSTEM BY REDUCING LATTICE BASES

Brigitte VALLÉE 1), Marc GIRAULT 2), Philippe TOFFIN 1)

1) Département de Mathématiques, Université, 14032 Caen Cedex, France

2) Service d'Etudes communes des Postes et Télécommunications, BP 6243, 14066 Caen Cedex, France

ABSTRACT

The security of several signature schemes and cryptosystems, essentially proposed by Okamoto, is based on the difficulty of solving polynomial equations or inequations modulo n. The encryption and the decryption of these schemes are very simple when the factorisation of the modulus, a large composite number, is known.

We show here that we can, for any odd n, solve, in polynomial probabilistic time, quadratic equations modulo n, even if the factorisation of n is hidden, provided we are given a sufficiently good approximation of the solutions. We thus deduce how to break Okamoto's second degree cryptosystem and we extend, in this way, Brickell's and Shamir's previous attacks.

Our main tool is lattices, which we use after a linearisation of the problem, and the success of our method depends on the geometrical regularity of a particular kind of lattices.

Our paper is organized as follows:

First we recall the problems already posed, their partial solutions and describe how our results solve extensions of these problems. We then introduce our main tool, lattices, and show how their geometrical properties fit in our subject. Finally, we deduce our results. These methods can be generalized to higher dimensions.

This work was supported in part by PRC Mathématiques et Informatique and in part by a convention between SEPT and University of Caen.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT ’88, LNCS 330, pp. 281-291, 1988. 0 Springer-Verlag Berlin Heidelberg 1988


I. INTRODUCTION

In this section, after some definitions, we describe the problems posed by the security of Okamoto schemes, and the partial solutions given by Brickell and Shamir. Then, we state our main results and show how they extend the previous ones.

1.1. Definitions and notations

For an odd integer n, Z(n) denotes the ring of the integers modulo n, which is identified with [0, n − 1].

We will use approximations of a number $x_0$ in Z(n). So, we adopt the following definitions and notations:

$|u|$ denotes, for u ∈ Z(n), the minimum of u and n − u,

$I(a, x_0)$ denotes the set of x ∈ Z(n) such that $x = x_0 + u$, $|u| \leq n^a$,

$J(a, x_0)$ denotes the set of x ∈ Z(n) such that

The subsets $I(a, x_0)$ (resp. $J(a, x_0)$) and $I(b, y_0)$ are said compatible if there exists x in $I(a, x_0)$ (resp. $J(a, x_0)$) and y in $I(b, y_0)$ such that $y \equiv x^2$ [n].

1.2. Okamoto's cryptographic proposals and questions

In this section, the modulus n is particular: $n = p^2 q$ where p and q are distinct primes (p < q). An element $x_0$ of Z(n) is called easy when it is smaller than (1/2)- modulo pq.

The following cryptographic schemes are based on the difficulty of extracting square roots modulo n, when the factors of n are unknown:

Cryptosystems

In [6], Okamoto proposed a first public key cryptosystem:

The public key is the pair $(n, x_0)$, where $x_0$ is an easy element of Z(n). From a message u, which is small compared to n, the cipher text y is built as follows:

$y = (x_0 + u)^2$ [n]


As quoted in [7], Shamir [8] has two attacks to break this system: the first one works for any pair $(n, x_0)$ while the second one uses the particular form of the public key.

Okamoto [7] then proposed a new cryptosystem: $x_0$ is the known quotient modulo n of two secret easy numbers of Z(n). A message $(u_1, u_2)$, where the $u_i$'s are small compared to n, gives a cipher text y such that

$y = (u_1 x_0 + u_2)^2$ [n]

Okamoto stated as an open question the breaking of this second system.

We show here that we can break this new cryptosystem without using the particular form of the public key $(n, x_0)$.

Signature Scheme

In [5], Okamoto and Shiraishi proposed a signature scheme:

Given a 'one-way' function h, a signature x is considered as valid for a message u if

$h(u) \leq (x^2 \bmod n) \leq h(u) + O(n^{2/3})$

with |x| not 'too small'.

Brickell [2] broke this scheme, without using the particular form of n.

Now, we state and solve problems which are natural extensions of all the questions that we described above.

1.3. Two Problems

Problem 1. Given a square $y_0$ and a subset $I(a, x_0)$ (resp. $J(a, x_0)$) which is known to contain a square root x of $y_0$, find x.

Problem 2. Given $I(b, y_0)$ a subset of Z(n), find x such that $x^2$ belongs to $I(b, y_0)$.

Solving the first problem with the intervals I breaks the first version of Okamoto's cryptosystem, while the second version of Okamoto's cryptosystem is attacked by solving this problem with the subsets J. The second problem is linked with improvements of Brickell's results.
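Added example (Python, not code from the paper): the definitions of Section 1.1 and the two Okamoto encryption rules above, run by brute force on a constructed toy modulus so that the notion of compatible pairs can be seen on actual numbers. The parameters (p = 7, q = 11, x0 = 123, u = 5, a = 0.3, b = 0) are constructed; x0 is not an 'easy' element in the paper's sense, and neither decryption nor any lattice step of the paper is implemented here.

```python
# Added example, not code from the paper: the |u|, I(a, x0) and "compatible"
# notions of Section 1.1 and Okamoto's two encryption rules, exercised by
# brute force on a constructed toy modulus n = p^2 q.

def n_abs(u, n):
    """|u| for u in Z(n): the smaller of u and n - u."""
    u %= n
    return min(u, n - u)


def in_I(x, a, x0, n):
    """x lies in I(a, x0) iff x = x0 + u (mod n) with |u| <= n^a."""
    return n_abs(x - x0, n) <= n ** a


def compatible_pairs(a, x0, b, y0, n):
    """All pairs (x, y) with x in I(a, x0), y in I(b, y0) and y = x^2 [n].
    Exhaustive over Z(n), so only usable for a toy modulus."""
    return [(x, x * x % n) for x in range(n)
            if in_I(x, a, x0, n) and in_I(x * x % n, b, y0, n)]


def okamoto_v1_encrypt(u, x0, n):
    """First cryptosystem [6]: y = (x0 + u)^2 [n] for a small message u."""
    return (x0 + u) ** 2 % n


def okamoto_v2_encrypt(u1, u2, x0, n):
    """Second cryptosystem [7]: y = (u1 x0 + u2)^2 [n] for small u1, u2."""
    return (u1 * x0 + u2) ** 2 % n


# Constructed toy parameters. X0 is NOT an "easy" element in the paper's
# sense; that property only matters for decryption, which is not modelled.
P, Q = 7, 11
N = P * P * Q      # 539
X0 = 123
U = 5
Y = okamoto_v1_encrypt(U, X0, N)


def demo_pairs(a=0.3, b=0.0):
    """Compatible pairs of I(a, X0) and I(b, Y). The sender's (X0 + U, Y) is
    one of them, because |U| = 5 <= N^0.3 and Y is trivially in I(0, Y)."""
    return compatible_pairs(a, X0, b, Y, N)


if __name__ == "__main__":
    print("Y =", Y, "compatible pairs:", demo_pairs())
```

Setting u1 = 1 in the second rule gives back the first, which the test below checks; on a real-size modulus the exhaustive search is of course out of the question, which is exactly the gap the paper's lattice method is meant to close.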


1.4. Our main results: Three theorems

We state here our main results which solve generalisations of each of the problems. On the one hand, Theorem 1 and Theorem 1 bis, which are uniqueness results, allow us to break the second version of Okamoto's cryptosystems, but also to make precise some points of Shamir's attack on the first version. On the other hand, Theorem 2, which is an existence result, improves Brickell's previous attack of the signature scheme.

THEOREM 1.

For any n, ε > 0, a and b reals in [0, 1] satisfying

$2a + b = 1 - 3\varepsilon$ and $b \geq a$,

there exists an exceptional subset T(ε) of Z(n) such that the following is true:

i) Card T(ε) ≤ $n^{1-\varepsilon}$

ii) For any $x_0$ not in T(ε) and any $y_0$ in Z(n): intervals $J(a, x_0)$ and $I(b, y_0)$ have at most two compatible pairs, say (x, y) and (n − x, y).

Moreover, there exists a probabilistic polynomial algorithm A which provides one of the following three answers:

'exceptional case' if $x_0$ is in T(ε)
'no compatible couple'
(x, y) and (n − x, y) are the two compatible pairs.

THEOREM 1 BIS. For any n, ε > 0, a and b reals in [0, 1] satisfying

$a + b = 1 - 2\varepsilon$ and $b \geq 2a$,

there exists an exceptional subset T'(ε) of Z(n) such that the following is true:

i) Card T'(ε) ≤ $n^{1-\varepsilon}$

ii) For any $x_0$ not in T'(ε) and any $y_0$ in Z(n), intervals $I(a, x_0)$ and $I(b, y_0)$ have at most one compatible pair.

Moreover, there exists a probabilistic polynomial algorithm B which provides one of the following three answers:


‘exceptional case’ if ro is in T’(E) ‘no compatible couple’ (2, y) is the only compatible pair.

THEOREM 2.

For any $n$, $\varepsilon > 0$, $a$ and $b$ reals in $[0,1]$ satisfying

$a + b = 1 + 2\varepsilon$ and $b \ge 2a$,

there exists an exceptional subset $T''(\varepsilon)$ of $Z(n)$ such that the following is true:

i) $\mathrm{Card}\, T''(\varepsilon) \le n^{1-\varepsilon}$

ii) For any $x_0$ not in $T''(\varepsilon)$ and for any $y_0$ in $Z(n)$, intervals $I(a, x_0)$ and $I(b, y_0)$ are compatible.

Moreover, there exists a probabilistic polynomial algorithm C which provides one of the following answers:

‘exceptional case’ if $x_0$ is in $T''(\varepsilon)$;

a compatible pair $(x, y)$ otherwise.

We give now the proofs of our results, mainly for Theorem 1 in the case of the subsets J, and see how our methods work for the intervals I in the proofs of Theorems 1bis and 2. The main tool is lattices, for which there are two basic facts:

a) There is a high proportion of lattices with given determinant having their smallest vector not too small.

b) Given a lattice and a point $m$ in the space, one can find (using an algorithm based on the LLL reduction algorithm [4]) one point $t$ which belongs to the lattice and which is close to $m$.

II. THE BREAKING OF OKAMOTO’S CRYPTOSYSTEM: proof of Theorem 1

Given $n$, $x_0$, $y_0$, $a$, $b$, we must find $u_1$, $u_2$ and $v$ that satisfy

$|u_1| \le n^{a/2}$, $|u_2| \le n^{a/2}$, $|v| \le n^b$

and that are solutions of the equation

(1) $(u_1 x_0 + u_2)^2 \equiv y_0 + v \pmod{n}$


II.1. How lattices are involved

We must solve

(2) $u_1^2 x_0^2 + 2 x_0 u_1 u_2 + u_2^2 - v \equiv y_0 \pmod{n}$

Replacing $u_1^2$, $u_1 u_2$, $v - u_2^2$ by independent variables, we consider a first lattice:

$L(x_0) := \{\, w = (w_0, w_1, w_2) \in \mathbb{Z}^3 ;\ x_0^2 w_0 + 2 x_0 w_1 - w_2 \equiv 0 \pmod{n} \,\}$

$L(x_0)$ is spanned by the three column vectors of the matrix

$\begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ x_0^2 & 2x_0 & n \end{pmatrix}$

which has determinant $n$.

Since $|u_1|$, $|u_2|$, $|v|$ are small, we have to look for $w$ in $L(x_0)$ with the following approximations:

$|w_0| \le n^a$, $|w_1| \le n^a$, $|w_2 - y_0| \le 2 n^b$ ($a \le b$)

These approximations are not of the same order, and since we will work with the sup norm, it is natural to consider a second lattice $M(x_0)$.

If $k_0, k_1, k_2$ are three positive rationals whose product is equal to 1, we define

$M(x_0) := \{\, t \in \mathbb{Q}^3 ;\ t_i = k_i w_i,\ 0 \le i \le 2 \text{ and } w \in L(x_0) \,\}$.

$M(x_0)$ has then for matrix

$\begin{pmatrix} k_0 & 0 & 0 \\ 0 & k_1 & 0 \\ k_2 x_0^2 & 2 k_2 x_0 & k_2 n \end{pmatrix}$

which has still determinant $n$.

With a suitable choice of $(k_0, k_1, k_2)$, we get the same approximation order on each component. So, we have to find a point $t$ in $M(x_0)$ which is close to the point $m = (0, 0, k_2 y_0)$ for the sup norm.

Now, we are led to some important questions:

1) How to get, in a given lattice $M$ of $\mathbb{Q}^3$, a point $t$ close to a given point $m$?

2) How to be sure that such a point will be unique?

We answer now these two questions.


II.2. The ClosePoint Algorithm

We get a reduced basis $\alpha = (\alpha_0, \alpha_1, \alpha_2)$ of $M$ by using the LLL algorithm [4]. We express $m$ in the basis $\alpha$: $m = m_0 \alpha_0 + m_1 \alpha_1 + m_2 \alpha_2$ ($m_i \in \mathbb{Q}$) and finally take $t = t_0 \alpha_0 + t_1 \alpha_1 + t_2 \alpha_2$ where $t_i$ is the closest integer to $m_i$. This algorithm gives the point $t$ nearest to $m$ within a factor $K$ which is analysed in [1]. If $n$ is sufficiently large compared to $1/\varepsilon$, this factor will be of order $n^{\varepsilon/3}$.

II.3. The uniqueness problem

Here come up some geometrical facts about lattices $M$ which have their shortest vector $\lambda_1(M)$ not too small, namely $\lambda_1(M) \ge \rho_0$.

If we define $\rho_1 = \rho_0 / K$, we then have the following facts for any euclidean ball $B(m, r)$:

i) If $r < \rho_0 / 2$, then $B(m, r)$ contains at most one point of $M$.

ii) Moreover, if $r < \rho_1$, the ClosePoint algorithm outputs 'empty' if no point of $M$ is in $B(m, r)$, and $t$ if $t$ is the only point of $M$ in $B(m, r)$.

So, in such a lattice, we can get our uniqueness result.

II.4. The analysis of the lattices $M(x_0)$

Are there many lattices $M(x_0)$ which have their shortest vector not too small? We have the following answer ([3], [9]):

For any $n$, $\varepsilon > 0$, for any triple $k = (k_0, k_1, k_2)$ of product 1, there exists an exceptional subset $T(\varepsilon)$ of $Z(n)$ such that the following is true:

i) $\mathrm{Card}\, T(\varepsilon) \le n^{1-\varepsilon}$

ii) For any $x_0$ not in $T(\varepsilon)$, the shortest vector $\lambda_1(M(x_0))$ of the lattice $M(x_0)$ satisfies

(3) $\lambda_1(M(x_0)) \ge n^{(1 - 2\varepsilon)/3}$

We deduce that we can apply the facts described in II.3 to most of the lattices $M(x_0)$ provided we choose

$\rho_0 = n^{(1 - 2\varepsilon)/3}$ and also $\rho_1 = n^{1/3 - \varepsilon}$.

We know also that we can decide whether we are in $T(\varepsilon)$.


II.5. The end of the proof

If $(x, y)$ is a compatible pair in $J(a, x_0) \times I(b, y_0)$, we want to find it. This pair $(x, y)$ gives a point $w = (u_1^2, u_1 u_2, y_0 + v - u_2^2)$ of $L(x_0)$, then a point $t = (k_0 u_1^2, k_1 u_1 u_2, k_2 (y_0 + v - u_2^2))$ of $M(x_0)$.

We now choose the triple $k$ so that all the approximations be bounded by $\rho_1$: if we let $k_0 = k_1 = n^c$, we require

(4) $2a + b = 1 - 3\varepsilon$ and $c = (b - a)/3$

Let $m = (0, 0, k_2 y_0)$; then $t$ is in the ball $B(m, \rho_1)$. The ClosePoint algorithm finds a point $t'$ in $B(m, \rho_1)$. As this ball contains only one point belonging to $M(x_0)$, we must then have $t = t'$. From $t'$, it is then easy to get $u_1$ by ordinary square root extraction, and then $u_2$ and $v$; we then verify if $u_1, u_2, v$ satisfy (1). This ends the proof of Theorem 1.

We remark that the optimal choice for the pair $(a, b)$ is

$a = b = 1/3 - \varepsilon$.

II.6. Back to the breaking of Okamoto’s cryptosystem

Okamoto’s second cryptosystem hypotheses are a particular case of ours. He takes $a = 2/9$, $v = 0$; we remark that our results indeed allow to decrypt the message $y$, because most of the $x_0$’s used (here, the quotients of two easy numbers) are outside the exceptional set. Furthermore, our algorithm works even if

i) one third of the least significant bits of $y$ are lost,

ii) the pair $(n, x_0)$ has no particular form.

III. PROOFS OF THEOREM 1BIS AND THEOREM 2

Given $n$, $x_0$, $y_0$, $a$, $b$, we must find $u$, $v$ that satisfy

and that are solutions of the equation


As before, replacing $u$ by $w_0$ and $v - u^2$ by $w_1$, we then have the lattice $L(x_0)$ which has for matrix:

with determinant $n$. We also use a second lattice $M(x_0)$, with a suitable choice of $(k_0, k_1)$, and the point $m$ is now $(0, k_1 (y_0 - x_0^2))$.

III.1. Outline of the proof of Theorem 1bis; precisions about Shamir’s attack

The proof of Theorem 1bis is similar to the proof of Theorem 1: the condition (3) of lattice regularity is just replaced by

This result allows to make precise some points of Shamir’s first attack: the underlying framework of this attack is the one of Theorem 1bis.

Why is it so often successful? We remark that the exceptional set $T(\varepsilon)$ associated to the value of $\varepsilon$ defined by the equality

does not contain any easy point $x_0$ provided that $n^{\varepsilon} > 2$. Shamir’s attack almost always succeeds!

This attack also works even if the 2/3 least significant bits of the message are lost or erroneous.

III.2. Proof of Theorem 2; an improvement of Brickell’s result

There are two facts for this proof:

1) Once we get $w = (w_0, w_1)$ of $L(x_0)$ close to the point $m$, it is very easy to get $u$ and $v$ satisfying (5); we have

$u = w_0$, $v = w_1 + u^2$;

there are no compatibility conditions as in Theorem 1.

2) We have one more property of lattices $M(x_0)$ satisfying (3bis), which has to do with existence and not with uniqueness:

If $\rho_2 = n^{1/2 + \varepsilon}$, the ball $B(m, \rho_2)$ contains at least one point of the lattice.


Taking $k_0 = n^c$ and $k_1 = 1/k_0$, one then must have:

$a + c = b - c = \frac{1}{2} + \varepsilon$,

so we then take $c = (b - a)/2$. The proof ends then as in Theorem 1.

Theorem 2 gives an improvement of Brickell’s breaking of the signature scheme: if one looks for an $x$ such that $x^2$ is in $I(b, y_0)$, one finds $x$ in almost any prescribed $I(a, x_0)$ as soon as $a > 1/3$.

III.3. Extensions to higher degrees

Most of our uniqueness results can be generalized: as is shown in [9], we can recover, in polynomial probabilistic time, roots of polynomial equations of higher degree provided that we are given a sufficiently good approximation of these roots.

IV. BIBLIOGRAPHIC REFERENCES

[1] L. Babai: On Lovász’s lattice reduction and the nearest lattice point problem, Combinatorica 6 (1986), pp 1-14.

[2] E. Brickell, J. Delaurentis: An attack on a signature scheme proposed by Okamoto and Shiraishi, Proc. of Crypto’85, pp 10-14.

[3] A. Frieze, J. Hastad, R. Kannan, J.C. Lagarias, A. Shamir: Reconstructing truncated variables satisfying linear congruences, to appear in SIAM Journal of Computing.

[4] A.K. Lenstra, H.W. Lenstra, L. Lovász: Factoring polynomials with integer coefficients, Mathematische Annalen, 261 (1982), pp 513-534.

[5] T. Okamoto, A. Shiraishi: A fast signature scheme based on quadratic inequalities, Proc. of the 1985 Symposium on Security and Privacy, April 1985, Oakland, CA.

[6] T. Okamoto: Fast public-key cryptosystem using congruent polynomial equations, Electronics Letters, 1986, 22, pp 581-582.

[7] T. Okamoto: Modification of a public-key cryptosystem, Electronics Letters, 1987, 23, pp 814-815.


[8] A. Shamir: Private communications to Okamoto, quoted in [7], August and October 1986.

[9] B. Vallée, M. Girault, P. Toffin: How to guess ℓ-th roots modulo n by reducing lattice bases, preprint of Université de Caen, to appear in Proceedings of First International Joint Conference of ISSAC-88 and AAECC-6 (July 88).

Cryptanalysis of F.E.A.L.

BERT DEN BOER

Centre for Mathematics and Computer Science (*), Kruislaan 413, 1098 SJ Amsterdam, The Netherlands

Summary

At Eurocrypt 87 the blockcipher F.E.A.L. was presented [2]. Earlier algorithms called F.E.A.L-1 and F.E.A.L-2 had been submitted to standardization organizations but this was presumably the final version. It is a Feistel cipher, but in contrast to D.E.S., a software implementation does not require a table look-up. The intention was a fast software implementation and also an avoidance of discussions about random tables. As Walter Fumy indicated at Crypto 87 [1], a certain transformation on 32 bits used by the cipher was not complete, in contrast to a remark made during the presentation of F.E.A.L. at Eurocrypt 87. Furthermore, the transformation is too close to a quadratic function on the input. I am informed that after my informal exposé at Crypto 87 about certain vulnerabilities of F.E.A.L., its designers have created F.E.A.L.4 with twice as many rounds. Later on again versions were renamed. The (definite?) version in the abstracts [2] without a serial number got version number 1.00 and F.E.A.L.4 got version number 2.00 in the proceedings of Eurocrypt '87 [3]. In this paper we shall show that F.E.A.L. as presented at Eurocrypt 87 is vulnerable to a chosen plaintext attack which requires at most ten thousand plaintexts.

Encryption Algorithm

For convenience and definiteness we first reformulate the encipherment algorithm. The FEAL-algorithm is a blockcipher acting on 64 bits of plaintext to produce a 64 bit ciphertext controlled by a 64 bit key.

One of the building blocks of the cipher is a transformation S from $\mathbb{F}_2^8 \times \mathbb{F}_2^8 \times \mathbb{F}_2$ to $\mathbb{F}_2^8$ defined by

S(x,y,a) = Rot((x + y + a) mod 256)

(*) This research was supported by the Netherlands Organization for Advancement of Pure Research.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 293-299, 1988. © Springer-Verlag Berlin Heidelberg 1988

i.e. the 8 bit numbers x and y are considered as residues mod 256, a is the residue class of 0 or 1, and Rot cyclically rotates the bits of its input 2 places such that the 6 least significant bits become the 6 most significant bits. Another building block is the exclusive-or on two bytes, denoted by ⊕. The same notation will be used for the exclusive-or sums of four byte strings. We define a fk-box as follows: fk transforms 2 strings of 4 bytes L and R into a four byte string O (in shorthand fk(L,R) = O). Denote the input by L(0) up to L(3) and R(0) up to R(3) and the output by O(0) up to O(3); then:

hulp = L(2) ⊕ L(3)

O(1) = S((L(0) ⊕ L(1)), (hulp ⊕ R(0)), 1)

O(0) = S(L(0), (O(1) ⊕ R(2)), 0)

O(3) = S((O(2) ⊕ R(3)), L(3), 1)

O(2) = S(O(1) ⊕ R(1), hulp, 0)

The function G transforms one string of four bytes into one string of four bytes as follows (in shorthand G(I) = O). Denote the input by I(0) up to I(3) and the output by O(0) up to O(3); then:

hulp = I(2) ⊕ I(3)

O(1) = S(I(0) ⊕ I(1), hulp, 1)

O(2) = S(O(1), hulp, 0)

O(3) = S(O(2), I(3), 1)

O(0) = S(O(1), I(0), 0).

The blockcipher consists of a key schedule and a data randomizer. The key schedule operates as follows: the eight byte input is considered as two strings A0 and B0 of four bytes each. Further, a four byte string C0 with all 32 bits zero is introduced. Iteratively Ai, Bi, Ci, i = 1, ..., 6 are defined by

Bi+1 = fk(Ai, (Ci ⊕ Bi)), Ci+1 = Ai, Ai+1 = Bi.

Further we need two simple functions PL and PR transforming four byte strings as follows:

PL(u,v,w,x) = (0,u,v,0)

PR(u,v,w,x) = (0,w,x,0).

The strings B1, ..., B6 of the key schedule are transformed into 6 strings Mi, i = 0, ..., 5 as follows:

M0 = B3 ⊕ PR(B1)

M1 = B3 ⊕ B4 ⊕ PL(B1)

M2 = PL(B1) ⊕ PL(B2)

M3 = PR(B1) ⊕ PR(B2)

M4 = B5 ⊕ B6 ⊕ PR(B1)

M5 = B5 ⊕ PL(B1).

The data randomizer operates as follows (see fig 2): the 64 bit input is viewed as two strings P0 and P1 of four bytes. Now we define

D0 = P0 ⊕ M0

E0 = P0 ⊕ P1 ⊕ M1

D1 = E0

E1 = D0 ⊕ G(E0)

D2 = E1

E2 = D1 ⊕ G(E1)

D3 = E2

E3 = D2 ⊕ G(E2 ⊕ M2)

D4 = D3 ⊕ G(E3 ⊕ M3) ⊕ M5

E4 = E3 ⊕ M4

C0 = D4

C1 = D4 ⊕ E4

Finally the two strings C0 and C1 of four bytes each are concatenated to form the 64-bit ciphertext.
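The reformulated cipher as runnable code, added here and not the designers' or the author's code: S, fk, G, the key schedule producing M0 up to M5, the data randomizer and its inverse, plus the constants K0, K1, K2 of formula (1) from the cryptanalysis section, so that the identity CP = K2 ⊕ G(K1 ⊕ G(K0 ⊕ P0)) for fixed P0 ⊕ P1 can be checked against actual encryptions. The key and plaintext bytes are constructed values, not test vectors from the paper.

```python
# Added example, not the designers' or the author's code: the reformulated
# cipher (S, fk, G, key schedule, data randomizer) with its inverse, and the
# constants K0, K1, K2 of formula (1). Key and plaintext bytes are constructed.

def S(x, y, a):
    """S(x,y,a) = Rot((x + y + a) mod 256); Rot is a cyclic left rotation by 2."""
    v = (x + y + a) & 0xFF
    return ((v << 2) | (v >> 6)) & 0xFF

def xor4(*blocks):
    """Byte-wise exclusive-or of any number of 4-byte strings."""
    out = (0, 0, 0, 0)
    for b in blocks:
        out = tuple(o ^ c for o, c in zip(out, b))
    return out

def fk(L, R):
    """fk-box of the key schedule: two 4-byte strings L, R -> 4-byte string O."""
    hulp = L[2] ^ L[3]
    O = [0, 0, 0, 0]
    O[1] = S(L[0] ^ L[1], hulp ^ R[0], 1)
    O[2] = S(O[1] ^ R[1], hulp, 0)
    O[0] = S(L[0], O[1] ^ R[2], 0)
    O[3] = S(O[2] ^ R[3], L[3], 1)
    return tuple(O)

def G(I):
    """Keyless round function G of the data randomizer: 4 bytes -> 4 bytes."""
    hulp = I[2] ^ I[3]
    O = [0, 0, 0, 0]
    O[1] = S(I[0] ^ I[1], hulp, 1)
    O[2] = S(O[1], hulp, 0)
    O[3] = S(O[2], I[3], 1)
    O[0] = S(O[1], I[0], 0)
    return tuple(O)

def PL(b):  # PL(u,v,w,x) = (0,u,v,0)
    return (0, b[0], b[1], 0)

def PR(b):  # PR(u,v,w,x) = (0,w,x,0)
    return (0, b[2], b[3], 0)

def key_schedule(key):
    """M0..M5 from the 8-byte key: six fk iterations give B1..B6."""
    A, B, C = tuple(key[:4]), tuple(key[4:8]), (0, 0, 0, 0)
    Bs = []
    for _ in range(6):
        # B(i+1) = fk(A(i), C(i) xor B(i)),  C(i+1) = A(i),  A(i+1) = B(i)
        A, B, C = B, fk(A, xor4(C, B)), A
        Bs.append(B)
    B1, B2, B3, B4, B5, B6 = Bs
    return [xor4(B3, PR(B1)), xor4(B3, B4, PL(B1)), xor4(PL(B1), PL(B2)),
            xor4(PR(B1), PR(B2)), xor4(B5, B6, PR(B1)), xor4(B5, PL(B1))]

def encrypt(M, P):
    """Data randomizer: 8-byte plaintext -> 8-byte ciphertext C0 || C1."""
    P0, P1 = tuple(P[:4]), tuple(P[4:8])
    D0 = xor4(P0, M[0])
    E0 = xor4(P0, P1, M[1])
    D1, E1 = E0, xor4(D0, G(E0))
    D2, E2 = E1, xor4(D1, G(E1))
    D3, E3 = E2, xor4(D2, G(xor4(E2, M[2])))
    D4 = xor4(D3, G(xor4(E3, M[3])), M[5])
    E4 = xor4(E3, M[4])
    return D4 + xor4(D4, E4)                 # C0 = D4, C1 = D4 xor E4

def decrypt(M, C):
    """Run the randomizer backwards; only G itself is needed, never its inverse."""
    D4, E4 = tuple(C[:4]), xor4(C[:4], C[4:8])
    E3 = xor4(E4, M[4])
    D3 = xor4(D4, G(xor4(E3, M[3])), M[5])
    E2, D2 = D3, xor4(E3, G(xor4(D3, M[2])))
    E1, D1 = D2, xor4(E2, G(D2))
    E0, D0 = D1, xor4(E1, G(D1))
    P0 = xor4(D0, M[0])
    return P0 + xor4(E0, P0, M[1])

def formula1_constants(M, P0xP1):
    """K0, K1, K2 of formula (1) for one fixed value of P0 xor P1."""
    E0 = xor4(P0xP1, M[1])
    return xor4(G(E0), M[0]), xor4(E0, M[2]), xor4(M[4], M[0], G(E0))

def cp_from_ciphertext(M, P):
    """CP = C0 xor C1 xor P0 from an actual encryption."""
    C = encrypt(M, P)
    return xor4(C[:4], C[4:8], P[:4])

def cp_from_formula(K0, K1, K2, P0):
    """CP = K2 xor G(K1 xor G(K0 xor P0)): the three-G structure formula (1) exposes."""
    return xor4(K2, G(xor4(K1, G(xor4(K0, P0)))))

# Constructed values, not test vectors from the paper.
DEMO_KEY = bytes.fromhex("0123456789abcdef")
DEMO_PT = bytes.fromhex("00112233aabbccdd")
```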

Cryptanalysis

To determine the key we use a chosen plaintext attack. The choice of the plaintext depends on results derived from previous plaintext and ciphertext. We are going to determine the 160 unknown bits in the Mi's as though there is no relation between them. Once they are determined we can decipher any ciphertext, but we also can use the key schedule from the bottom to determine the 64-bit key. This process will not require more than ten thousand plaintexts.

Observe the value C0 ⊕ C1. It is equal to

P0 ⊕ M4 ⊕ M0 ⊕ G(E0) ⊕ G(E0 ⊕ M2 ⊕ G(G(E0) ⊕ M0 ⊕ P0)).

Assume that P0 ⊕ P1 is a constant; then E0 and G(E0) are constants too. Define

K0 = G(E0) ⊕ M0

K1 = E0 ⊕ M2

K2 = M4 ⊕ M0 ⊕ G(E0)

CP = C0 ⊕ C1 ⊕ P0

then:

(1) CP = K2 ⊕ G(K1 ⊕ G(K0 ⊕ P0)).

Formula (1) is the crucial formula. By keeping the exclusive-or sum of P0 and P1 constant it is possible to determine the constants K0 up to K2 with at most, say, 300 choices of P0.

Define

K0 = (x0, x1, x2, x3)

K1 = (y0, y1, y2, y3)

K2 = (z0, z1, z2, z3)

P0 = (a0, a1, a2, a3)

CP = (f0, f1, f2, f3).

See figure 1, where the internal bytes bk, ck, dk, ek are defined within the picture.

The idea is to solve K0 first. The first bits to solve are the 6 least significant bits of x0. This starts by keeping a3, a2, a1 ⊕ a0 constant and also the two most significant bits of a0, and studying the behaviour of one particular bit, bit 5 of f1 (written f1^5), for the remaining 64 cases. Observe that b1, b2, b3, c1, c2, c3, d2, d3 are constant in those cases. Let b0' = b0 mod 64 and c1' = c1 mod 64 and carry = (b0' + c1') div 64. Then it holds for the bits c0^7, d0^7, d1^7, e1^5, f1^5 that their value is of the form "constant ⊕ carry". The value is a constant, and as the 6 least significant bits of a0 assume all 64 possibilities, b0' assumes all 64 possible values. Counting the number of times f1^5 is equal to one leaves us with at most two possibilities for c1'.

In order to determine which possibility holds for c1, observe that when changing a1^1 or a1^0 the six most significant bits of c1, and therefore the four most significant bits of c1', remain constant. Combining the results of two or three counts will give only one consistent possibility for the two or three values of c1. The actual counting never requires the full 192 ciphertexts but at most 127 ciphertexts in special cases (in a very favourable case 10 is enough).

To determine the 6 least significant bits of x0 note that at least one of the two or three actual values of c1 is odd. In that case there exists exactly one value b0' such that b0' will give carry = 1 and b0' ⊕ 1 will give carry = 0. From this we conclude that b0' equals 64 - c1'. We know the corresponding value of a0, so indeed we can determine the six least significant bits of x0.

To proceed we use this knowledge and start changing the lowest bit of a0 ⊕ a1. Two well-chosen plaintexts and the corresponding values of f1^5 are enough to determine the least significant bit of x0 ⊕ x1. The same is true for the next two bits of x0 ⊕ x1. Simultaneously the three least significant bits of x2 ⊕ x3 are determined. To determine the next three bits of x0 ⊕ x1 and x2 ⊕ x3 might require 42 plaintexts in the worst case. Still, only the value of f1^5 is all we need of the ciphertext.

Along similar lines we can determine x0 ⊕ x1, x2 ⊕ x3, the seven least significant bits of x0 and the seven least significant bits of x3. For the moment we are allowed to assume that x0^7 and x3^7 are zero. In other words K0 is determined, and at the cost of at most 250 plaintexts.

Once K0 is determined the determination of K1 and K2 is easy and will cost at most 30 well chosen plaintexts with the corresponding ciphertexts. There is a freedom in K1 of two bits but we can just make a choice.

Now observe what happens if we change P0 ⊕ P1. Then the new value of K1 is known. With the above described technique we establish the new value of K0. Then K2 follows directly because of a linear relation.

This results in knowledge of M0 ⊕ G(M1 ⊕ (P0 ⊕ P1)) for values P0 ⊕ P1 of our own choosing. With, say, at most 30 values we can establish M0 and M1 except for a freedom of two bits.

Finally we study the values C0 we have encountered up to this moment. Those give equations of the form

Q1 = M5 ⊕ G(M3 ⊕ Q2), where Q1 and Q2 are known.

Considering the fact that up to now we have between 100 and 10000 ciphertexts it is safe to assume that we have enough data to determine M3 and M5. Combining this knowledge we can decipher any ciphertext. If we want to recover the original key we use the restricted possibilities for M2 and M3 to reduce the uncertainty in M0 up to M5. Given those Mi's we can use these data and the last fk-box to solve B6 and B4 and a few more bytes. After that we can simply try the 256 possibilities for B3(2) and resolve the key schedule.

Conclusions

In the presented version the G-box is too regular. If one wants this small number of rounds (4) a better design should be possible. In [3] the algorithm with twice as many rounds is considered by the authors to be secure because four statistical values are close or equal to theoretical values, but the same argument was used for the algorithm presented at Eurocrypt '87. As this turned out not to be sufficient, one should use other arguments for the security of an encipherment algorithm.

Acknowledgement

The author wishes to thank D. Chaum and W. Fumy for a challenging remark which made me start the investigations. Further the author wishes to thank D. Chaum for stimulation during the investigations. The author also wishes to thank T. Siegenthaler for remarks on a draft version of this article.

References

[1] W. Fumy, On the F-function of FEAL, lecture at Crypto 87.

[2] A. Shimizu & S. Miyaguchi, Fast data encipherment algorithm FEAL, Abstracts of Eurocrypt 87.

[3] A. Shimizu & S. Miyaguchi, Fast Data Encipherment Algorithm FEAL, Advances in Cryptology - Eurocrypt '87, Lecture Notes in Computer Science 304.

fig 1 (diagram of formula (1) with the internal bytes bk, ck, dk, ek; the figure itself is not reproduced in this transcript)


FAST CORRELATION ATTACKS ON STREAM CIPHERS

(Extended Abstract)

Willi Meier, Othmar Staffelbach

HTL Brugg-Windisch, CH-5200 Windisch, Switzerland

GRETAG Aktiengesellschaft, Althardstr. 70, CH-8105 Regensdorf, Switzerland

For proofs and further explanations of the results presented herein we refer the reader to the full paper ([1]). A description of the cryptanalytic algorithms is appended.

1. Extended Abstract

A common type of running key generator employed in stream cipher systems consists of n (mostly maximum-length) binary linear feedback shift registers (LFSR's) whose output sequences are combined by a nonlinear Boolean function f. The output of several combining functions previously proposed in the literature is known to be correlated to some input variables with probabilities p up to 0.75 (this holds, e.g., for the generators of Geffe, Pless, or Bruer). These generators have been broken in [2] for LFSR-lengths k < 50 (roughly), according to the computational complexity of the attack (based on an exhaustive search over all phases of the LFSR). But also other generators, e.g. certain types of multiplexed sequence generators, are known to be correlated to LFSR-components. In fact any generator having such correlations may be vulnerable to a correlation attack.

Let the output sequence z of a running key generator be correlated to a linear feedback shift register sequence (LFSR-sequence) a with correlation probability p > 0.5. Then two new correlation attacks (algorithms A and B) are presented to determine the initial digits of a, provided that the number t of feedback taps is small (t < 10 if p ≤ 0.75).

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 301-314, 1988. © Springer-Verlag Berlin Heidelberg 1988

The computational complexity of algorithm A is of order O(2^{ck}), where k denotes the length of the LFSR and c < 1 depends on the input parameters of the attack, and algorithm B is polynomial (in fact, even linear) in the length k of the LFSR. These algorithms are much faster than an exhaustive search over all phases of the LFSR, and are demonstrated to be successful on shift registers of considerable length k (typically k = 1000). On the other hand, for correlation probabilities p ≤ 0.75 the attacks are proven to be infeasible on long LFSR's if they have a greater number of taps (roughly k ≥ 100 and t ≥ 10).

In order to set out our results in more detail, suppose that N digits of the output sequence z are given, and correlated to an LFSR-sequence a, produced by an LFSR with t taps. We assume that the feedback connection is known. Observe that this is no essential restriction as there is only a very limited number of maximum-length feedback connections with few taps. Hence an exhaustive search over all primitive feedback connections is possible.

The sequence z may be viewed as a perturbation of the LFSR-sequence a by a binary asymmetric memoryless noise source (with Prob(0) = p). For the purpose of reconstructing the LFSR-sequence a from z the following principle is essential to the algorithms: every digit a_n satisfies several linear relations derived from the basic feedback relation, all of them involving t other digits of a. By substituting the corresponding digits of z in these relations, we obtain equations for each digit z_n, which either may or may not hold. To test whether z_n = a_n, we count the number of all equations which turn out to hold for z_n. Then the more of these equations hold, the higher is the probability for z_n to agree with a_n. This can be justified by a statistical model, computing the corresponding conditional probabilities.

On the basis of this idea, we roughly outline algorithm A: we use the test to search for correct digits (i.e. digits z_n with z_n = a_n). This is done by selecting those digits which satisfy the most equations. In this way we obtain an estimate of the sequence a at the corresponding positions. Under favourable conditions these digits have high probability of being correct, which means that only a slight modification of our estimate is necessary. This results in a considerably reduced exhaustive search to rule out sufficiently many correct digits, in order to determine the LFSR-sequence by solving linear equations.

We can give precise conditions under which this procedure is successful, and determine its computational complexity, which in general is of order O(2^{ck}), where c < 1 is a function of t, p and N/k. To illustrate this estimate we mention that for t = 2 taps, N/k = 10^6, and p ≥ 0.6, the number c is smaller than 0.25, and for p > 0.67 Table 1 shows that c is below 0.001. This is a considerable improvement compared to exhaustive search, where c = 1. On the other hand, for large t (t ≥ 16) our estimate shows that c comes very close to H(p), where H(p) denotes the binary entropy function. This proves that algorithm A for large t gives no advantage over (a modified) exhaustive search.

t \ p   0.51   0.53   0.55   0.57   0.59   0.61   0.63   0.65   0.67   0.69   0.71   0.73   0.75
  2    0.999  0.976  0.870  0.642  0.362  0.132  0.039  0.007  0.001  0.000  0.000  0.000  0.000
  4    1.000  0.997  0.992  0.982  0.963  0.926  0.856  0.734  0.555  0.327  0.150  0.043  0.009
  6    1.000  0.997  0.993  0.986  0.976  0.963  0.945  0.917  0.875  0.805  0.692  0.515  0.311
  8    1.000  0.997  0.993  0.986  0.976  0.965  0.950  0.932  0.910  0.880  0.836  0.768  0.660
 10    1.000  0.997  0.993  0.986  0.976  0.965  0.951  0.934  0.914  0.891  0.863  0.825  0.771
 12    1.000  0.997  0.993  0.986  0.977  0.965  0.951  0.934  0.915  0.893  0.868  0.838  0.800
 14    1.000  0.997  0.993  0.986  0.977  0.965  0.951  0.934  0.915  0.893  0.868  0.841  0.808
 16    1.000  0.997  0.993  0.986  0.977  0.965  0.951  0.934  0.915  0.893  0.869  0.841  0.811
  ∞    1.000  0.997  0.993  0.986  0.977  0.965  0.951  0.934  0.915  0.893  0.869  0.841  0.811

Table 1: c(p,t,N/k) for N/k = 10^6 (rows: number of taps t; last row: the limit t → ∞)

In algorithm B we do not search for the most reliable digits. Instead we take into account all digits, together with their probabilities of being correct. A priori, with probability p a digit of z agrees with the corresponding digit of a. Now to each digit z_n of z we assign a new probability p*, which is the probability for z_n = a_n, conditioned on the number of equations satisfied. This procedure can be iterated with the varied new probabilities p* as input to every round. After a few rounds, all those digits of z are complemented whose probability p* is lower than a certain threshold. Under suitable conditions we can expect that the number of incorrect digits decreases. In this case we restart the whole process several times, with the new sequence in place of z, until we end up with the original LFSR-sequence a.

To obtain conditions under which algorithm B succeeds, a function F(p,t,N/k) is introduced to measure the correction effect. Thus if F(p,t,N/k) ≤ 0 there is no correction effect and algorithm B will not be able to reproduce the LFSR-sequence a. Therefore we get a definite limit to this attack (which is attained for t ≥ 10, if p ≤ 0.75). In the other direction, investigations of F(p,t,N/k) show that for t = 2 or t = 4 taps algorithm B still remains effective for correlation probabilities quite close to 0.5 (cf. Table 2). This implies in particular that a LFSR with two feedback taps is completely breakable if its output shows correlation to a known sequence z. The striking efficiency of algorithm B, as observed in numerous experiments, is explained by the fact that its computational complexity is of order O(k) (i.e. linear in the length k of the LFSR, for fixed t, p and N/k).

For given t and d = N/k, Table 2 shows the value p = p(t,d) with F(p,t,d) = 0. p(t,d) turns out to be the limit probability where algorithm B may still be successful.

d \ t     2      4      6      8     10     12     14     16     18
row 1   0.584  0.739  0.804  0.841  0.864  0.881  0.894  0.904  0.912
row 2   0.533  0.673  0.750  0.796  0.827  0.849  0.865  0.878  0.890
row 3   0.521  0.648  0.727  0.776  0.809  0.833  0.852  0.866  0.878
row 4   0.514  0.629  0.709  0.760  0.795  0.821  0.841  0.856  0.869
row 5   0.511  0.620  0.699  0.752  0.787  0.815  0.834  0.850  0.863
row 6   0.509  0.612  0.692  0.745  0.782  0.809  0.830  0.846  0.860
row 7   0.508  0.605  0.684  0.738  0.775  0.803  0.825  0.842  0.855
row 8   0.507  0.601  0.680  0.733  0.771  0.800  0.821  0.838  0.852
row 9   0.506  0.597  0.676  0.729  0.768  0.797  0.818  0.836  0.850
row 10  0.505  0.592  0.671  0.725  0.764  0.793  0.815  0.832  0.847

Table 2: p with F(p,t,d) = 0 (columns: number of taps t; the d value of each row is not legible in the scan, rows are given in the printed order)


Algorithms A and B enable attacks on LFSR's of considerable length (e.g. k = 1000 or greater) with software implementation. However, a comparison shows that algorithm A is preferable if c ≪ 1 and p is near 0.75, whereas algorithm B becomes more efficient for probabilities p near 0.5. (Simulations of algorithm B have shown to be successful in attacks with p = 0.55 even on a personal computer.)

The methods developed for algorithms A and B allow several generali- zations and conclusions. To prevent attacks based on these methods, suitable precautions are necessary. This leads to new design criteria for stream ciphers:

1. Any correlation to an LFSR with less than 10 taps should be avoided.

2. There should be no correlation to a general LFSR of length shorter than 100 (especially when the feedback connection is assumed to be known).

It is remarkable that the importance of the number of LFSR taps for the correlation analysis was not recognized in the cryptologic literature so far.

II. Appendix: Description of the Algorithms

In this appendix we give a brief outline of the algorithms. Proofs and further explanations are contained in [1].

II.1. Algorithm A

Suppose that N digits of the sequence z, the length k of the LFSR with t taps as well as the correlation probability p are given.

Our method exploits the linear relations of the LFSR-sequence a to find correct digits, i.e. digits with zn = an. Linear relations can be described in terms of their feedback polynomials. By iterated squaring of the feedback polynomial, a variety of linear relations is generated for every digit an, all of them involving t other digits of a. The average number m of relations obtained in this way can be computed as (cf. [1])

$$m = m(N,k,t) = \log_2\!\left(\frac{N}{2k}\right)(t+1) \qquad (1)$$

The probability p* for zn = an, given that h of m relations are satisfied, is

$$p^* = \frac{p\,s^h(1-s)^{m-h}}{p\,s^h(1-s)^{m-h} + (1-p)(1-s)^h s^{m-h}} \qquad (2)$$

where s = s(p,t) can be computed using the recursion

$$s(p,t) = p\,s(p,t-1) + (1-p)\bigl(1 - s(p,t-1)\bigr), \qquad s(p,1) = p. \qquad (3)$$

Moreover, the probability Q(p,m,h) that a digit zn satisfies at least h of these m relations is given by formula (4), and the probability that zn = an and that at least h of m relations are satisfied is

$$R(p,m,h) = \sum_{i=h}^{m} \binom{m}{i}\, p\,s^i(1-s)^{m-i} \qquad (5)$$

Thus the probability for zn = an, given that at least h of m relations are satisfied, is the quotient T(p,m,h) = R(p,m,h)/Q(p,m,h). These formulas show that with increasing m we have more freedom to choose a suitable h such that at the same time the two probabilities Q(p,m,h) and T(p,m,h) will be sufficiently large for an attack. The following examples illustrate these facts.


Example 1: Assume that z has length N = 5000, correlated with probability p = 0.75 to an LFSR of length k = 100 having t = 2 feedback taps. Hence on average we obtain m = 12 relations to test the digits of z. To determine the optimum number h of relations to be satisfied we generate the following table:

h = # of relations satisfied | new prob. p* | Q(p,m,h) | 1 − T(p,m,h)
12 | 0.9993 | 0.002666 | 0.000725
11 | 0.9980 | 0.021890 | 0.001855
10 | 0.9944 | 0.085554 | 0.004618
 9 | 0.9847 | 0.214141 | 0.011040
 8 | 0.9586 | 0.392461 | 0.024840
 7 | 0.8929 | 0.576251 | 0.051090
 6 | 0.7500 | 0.729409 | 0.092856
 5 | 0.5192 | 0.843183 | 0.145199
 4 | 0.2800 | 0.922315 | 0.194519
 3 | 0.1228 | 0.970429 | 0.228367
 2 | 0.0480 | 0.992595 | 0.244528
 1 | 0.0178 | 0.999106 | 0.249335
 0 | 0.0065 | 1.000000 | 0.250000

Table 3

A digit that satisfies h = m = 12 relations has the highest probability p* = 0.9993 to be correct. But according to Table 3 we can only expect 0.00266·5000 ≈ 13 digits to satisfy this condition, which obviously do not determine the phase of the LFSR-sequence. However h ≥ 11 relations are expected to hold for 0.02189·5000 ≈ 109 digits, hence a number which is greater than k = 100. Furthermore the entry in the 4th column shows that 0.001855·109 = 0.2 < 1 digits among these are expected to be wrong. Thus we can expect to have already found more than k = 100 correct digits. In fact this can be confirmed experimentally.

Example 2: We extend the above example to the situation N = 25000, k = 500, and leave p = 0.75 and t = 2 unaltered. Thus again m = 12, and Table 3 also applies to this case. Hence h ≥ 11 relations hold for 0.02189·25000 ≈ 547 > k digits. However 0.001855·547 ≈ 1 digit among these may be wrong. Thus in order to find at least k = 500 correct digits one would have to perform a number of trials of magnitude 500, using the correlation method as referred to in [2].

In the general case the algorithm proceeds as follows.

Algorithm A

Step 1: Determine m according to formula (1).

Step 2: Find the maximum value of h such that Q(p,m,h)·N ≥ k (e.g. by generating a table similar to Table 1). Then the average number r of errors is determined by r = (1 − T(p,m,h))·k.

Step 3: Search for the digits of z satisfying at least h relations and use these digits as a reference guess I0 of a at the corresponding index positions.

Step 4: Find the correct guess by testing modifications of I0 having Hamming distance 0, 1, 2, ..., by correlation of the corresponding LFSR-sequence with the sequence z.

Under favourable conditions (cf. Example 1, where r << 1) step 4 is not necessary. In general it can be shown that the computational complexity of algorithm A is of order O(2^{H(ε)}), where ε = r/k and where H(x) denotes the binary entropy function (cf. [1]).

II.2. Algorithm B

Table 3 shows that the conditional probability p* is small if a digit satisfies only a few relations, and hence such a digit tends to be incorrect. Roughly speaking, this observation leads us to the following method of attack: any digit of the sequence z is complemented if it satisfies less than a certain number of relations. Under favourable conditions we can expect that the "corrected" sequence has fewer digits differing from the LFSR-sequence a.

An alternative and better approach is to leave the whole sequence unchanged in the first instance and to assign instead the new probability p* to every digit. This allows us to iterate the process with varied new probabilities p* at each round. After a few rounds, the wrong digits tend to have low, and the correct ones tend to have high, probability.


This gives us a refined criterion to correct the sequence z by complementing the digits which have a probability p* lower than a suitable threshold Pthr. Then we can restart the whole process with the new sequence in place of z, this time assigning the original probability to every digit. The intuitive idea is to repeat the procedure until we end up by reproducing the LFSR-sequence a.

To give a more precise description we need some additional formulas for computing probabilities:

a) The probability that a digit zn satisfies at most h of m relations:

$$U(p,m,h) = \sum_{i=0}^{h} \binom{m}{i}\Bigl(p\,s^i(1-s)^{m-i} + (1-p)(1-s)^i s^{m-i}\Bigr) \qquad (6)$$

b) The probability that zn = an and that at most h of m relations are satisfied

c) The probability that zn ≠ an and that at most h of m relations are satisfied

With regard to the described method to correct digits if they satisfy at most h relations, these formulas enable us to compute the total number of digits of z changed by

Moreover the number of erroneously changed digits is


and the number of correctly changed digits is

Thus the increase of correct digits is the difference of the values in (11) and (10), and the relative increase is

Next we determine the value h = hmax such that I(p,m,h) is maximum for given p and m. To this purpose we generate a table as illustrated in the following example:

Example 3: As in Example 1 let N = 5000, p = 0.75, t = 2 and k = 100. Then m = 12 and we obtain the table

h = # of relations satisfied | new prob. p* | U(p,m,h) | I(p,m,h)
 0 | 0.0065 | 0.000894 |  0.000882
 1 | 0.0178 | 0.007405 |  0.007161
 2 | 0.0480 | 0.029571 |  0.027201
 3 | 0.1228 | 0.077685 |  0.063500
 4 | 0.2800 | 0.156817 |  0.098325
 5 | 0.5192 | 0.270591 |  0.093949
 6 | 0.7500 | 0.423749 |  0.017370
 7 | 0.8929 | 0.607539 | -0.127036
 8 | 0.9586 | 0.785859 | -0.290587
 9 | 0.9847 | 0.914446 | -0.415237
10 | 0.9944 | 0.978110 | -0.478191
11 | 0.9980 | 0.997334 | -0.497337
12 | 0.9993 | 1.000000 | -0.500000

Thus we see that I(p,m,h) is maximum for hmax = 4 relations. Under these conditions 1250 digits are expected to be wrong. Carrying out the correction with respect to 4 relations, 0.1568·5000 = 793 digits are complemented. According to the fourth column, the number of wrong digits decreases by 0.0983·5000 = 492 from 1250 to 758 digits.
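As an added example (my own code, not from the paper), the probability formulas (2), (3), (5), (6) and (12) evaluated for the parameters of Examples 1 and 3 (p = 0.75, t = 2, m = 12), reproducing the columns of Table 3 and of the table above, the choice of h in step 2 of algorithm A, and hmax in step 2 of algorithm B. The number of relations m is passed in directly rather than derived from (1); Q(p,m,h) is taken as the at-least-h counterpart of U(p,m,h) in (6) (an assumption, since formula (4) is not legible in this transcript), and V, W are the two halves of the summand of (6) as defined verbally in b) and c).

```python
# Added example (not code from Meier and Staffelbach): digit-probability formulas
# (2), (3), (5), (6) and (12). Q(p,m,h) is assumed to be the at-least-h form of (6).
from math import comb


def s_rel(p, t):
    """s(p,t) of (3): probability that the parity of t other digits, each correct
    with probability p, comes out right; s(p,1) = p."""
    s = p
    for _ in range(t - 1):
        s = p * s + (1 - p) * (1 - s)
    return s


def joint_terms(p, s, m, i):
    """Joint probabilities of (z_n = a_n, a fixed set of i relations holds and the
    other m-i fail) and of (z_n != a_n, same event)."""
    correct = p * s ** i * (1 - s) ** (m - i)
    wrong = (1 - p) * (1 - s) ** i * s ** (m - i)
    return correct, wrong


def p_star(p, s, m, h):
    """Formula (2): P(z_n = a_n | exactly h of m relations satisfied)."""
    correct, wrong = joint_terms(p, s, m, h)
    return correct / (correct + wrong)


def prob_R(p, s, m, h):
    """Formula (5): P(z_n = a_n and at least h of m relations satisfied)."""
    return sum(comb(m, i) * joint_terms(p, s, m, i)[0] for i in range(h, m + 1))


def prob_Q(p, s, m, h):
    """Assumed form of (4): P(at least h of m relations satisfied)."""
    return sum(comb(m, i) * sum(joint_terms(p, s, m, i)) for i in range(h, m + 1))


def prob_T(p, s, m, h):
    """T(p,m,h) = R/Q: P(z_n = a_n | at least h of m relations satisfied)."""
    return prob_R(p, s, m, h) / prob_Q(p, s, m, h)


def prob_U(p, s, m, h):
    """Formula (6): P(at most h of m relations satisfied)."""
    return sum(comb(m, i) * sum(joint_terms(p, s, m, i)) for i in range(h + 1))


def prob_V(p, s, m, h):
    """b): P(z_n = a_n and at most h satisfied), the digits a correction would spoil."""
    return sum(comb(m, i) * joint_terms(p, s, m, i)[0] for i in range(h + 1))


def prob_W(p, s, m, h):
    """c): P(z_n != a_n and at most h satisfied), the digits a correction would repair."""
    return sum(comb(m, i) * joint_terms(p, s, m, i)[1] for i in range(h + 1))


def gain_I(p, s, m, h):
    """Formula (12): relative increase of correct digits when complementing every
    digit with at most h satisfied relations, i.e. (11) minus (10) per digit of z."""
    return prob_W(p, s, m, h) - prob_V(p, s, m, h)


def h_max(p, m, t):
    """Step 2 of algorithm B: the h maximising I(p,m,h)."""
    s = s_rel(p, t)
    return max(range(m + 1), key=lambda h: gain_I(p, s, m, h))


def algorithm_a_choice(p, m, t, N, k):
    """Step 2 of algorithm A: the largest h with Q(p,m,h)*N >= k, together with the
    expected number r = (1 - T(p,m,h))*k of wrong digits among the selected ones."""
    s = s_rel(p, t)
    for h in range(m, -1, -1):
        if prob_Q(p, s, m, h) * N >= k:
            return h, (1 - prob_T(p, s, m, h)) * k
    return None


def probability_table(p, m, t):
    """Rows (h, p*, Q, 1-T, U, I): the columns of Table 3 and of the Example 3 table."""
    s = s_rel(p, t)
    return [(h, p_star(p, s, m, h), prob_Q(p, s, m, h), 1 - prob_T(p, s, m, h),
             prob_U(p, s, m, h), gain_I(p, s, m, h)) for h in range(m + 1)]


if __name__ == "__main__":
    # Parameters of Examples 1 and 3: p = 0.75, t = 2, m = 12, N = 5000, k = 100.
    for row in probability_table(0.75, 12, 2):
        print("h=%2d  p*=%.4f  Q=%.6f  1-T=%.6f  U=%.6f  I=%+.6f" % row)
    print("algorithm A step 2: (h, r) =", algorithm_a_choice(0.75, 12, 2, 5000, 100))
    print("algorithm B step 2: h_max =", h_max(0.75, 12, 2))
```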

For our (alternative) refined method as described above, taking p* into account, we need an appropriate probability threshold. An optimum correction effect is obtained with the choice

After the first round the expected number Nw of digits with p* below Pthr is

Basically, the whole attack will alternate between two phases:

I. A computation phase assigning the new probability p* to every digit of z.

II. A correction phase complementing those digits with p* below Pthr and resetting the probability of each digit to the original value p.

Phase I can be iterated. To this purpose, formula (3) for s(p,t) has to be generalized to the situation where each of the t digits may have different probabilities p1, p2, ..., pt:

This generalization carries over to all other formulas, in particular to formula (2) for p*.

It is natural to iterate phase I until there are enough digits with p* below Pthr. However, after a few iterations a strong polarization can be observed between digits having probability p* either very close to 0 or very close to 1. Apart from a few digits, this polarization tends to become stable, which means that we needn't iterate phase I any longer. This gives us another criterion to terminate phase I after a limited number a of iterations. (In many cases a = 5 is a suitable choice.) Based on these ideas we are now prepared to formulate algorithm B.

Algorithm B

Step 1: Determine m according to formula (1).

Step 2: Find the value of h = hmax such that I(p,m,h) is maximum. If Imax = I(p,m,hmax) ≤ 0 there will be no correction effect in phase I, which means that the attack fails. If Imax > 0 compute Pthr and Nthr according to (13) and (14), else terminate.


Step 3: Initialize the iteration counter i = 0.

Step 4: For every digit of z compute the new probability p* (cf. (2) and (15)) with respect to the individual number of relations satisfied (phase I). Determine the number Nw of digits with p* < Pthr.

Step 5: If Nw < Nthr or i < a increment i and go to step 4.

Step 6: Complement those digits of z with p* < Pthr and reset the probability of each digit to the original value p (phase II).

Step 7: If there are digits of z not satisfying the basic feedback relation go to step 3.

Step 8: Terminate with a = z.

Under conditions for which algorithm B succeeds, its computational complexity is of order O(k), i.e. linear in the length k of the LFSR. To obtain such conditions a function F(p,t,N/k) is introduced in [1] to measure the correction effect (F(p,t,N/k) = I(p,m,hmax)·(N/k); for details we refer to [1]). If F(p,t,N/k) ≤ 0 algorithm B definitely fails.

We conclude with a simulation of algorithm B.

Example 4: We consider the following situation: N = 20,000, k = 200, t = 4 and p = 0.60. Then N/k = 100 and F(p,t,N/k) turns out to be 0.615. The parameters of algorithm B can be computed as Pthr = 0.481, Nthr = 1154. Thus 1154 digits are expected to be changed in the first iteration, resulting in a decrease of wrong digits by 0.615·200 = 123. The following table shows the intermediate results after each step. The terms round and iteration refer to the outer loop and the inner loop, respectively. The entry in the third column always indicates the decrease of wrong digits if phase II had been applied.


round / step | # of digits with p* < Pthr | # of wrong digits with p* < Pthr | decrease of wrong digits | # of wrong digits after phase II
round 1, iteration 1 | 1784 | 998 | 212 | 7998
round 1, phase II | 0 | 0 | 0 | 7786
round 2, iteration 1 | 264 | 151 | 38 | 7786
round 2, iteration 2 | 1354 | 838 | 322 | 7786
round 2, phase II | 0 | 0 | 0 | 7464
round 3, iteration 1 | 133 | 80 | 27 | 7464
round 3, iteration 2 | 880 | 601 | 322 | 7464
round 3, iteration 3 | 1537 | (illegible) | 710 | 7464
round 3, phase II | 0 | 0 | 0 | 6754
round 4, iteration 1 | 62 | 44 | 26 | 6754
round 4, iteration 2 | 623 | 474 | 325 | 6754
round 4, iteration 3 | 1693 | 1244 | 795 | 6754
round 4, phase II | 0 | 0 | 0 | 5959
round 5, iteration 1 | 26 | 26 | 26 | 5959
round 5, iteration 2 | 515 | 443 | 371 | 5959
round 5, iteration 3 | 1499 | 1223 | 947 | 5959
round 5, phase II | 0 | 0 | 0 | 5012
round 6, iteration 1 | 36 | 28 | 20 | 5012
round 6, iteration 2 | 617 | 550 | 483 | 5012
round 6, iteration 3 | 1594 | 1383 | 1172 | 5012
round 6, phase II | 0 | 0 | 0 | 3840
round 7, iteration 1 | 52 | 50 | 48 | 3840
round 7, iteration 2 | 675 | 619 | 563 | 3840
round 7, iteration 3 | 1578 | 1425 | 1272 | 3840
round 7, phase II | 0 | 0 | 0 | 2568
round 8, iteration 1 | 73 | 72 | 71 | 2568
round 8, iteration 2 | 650 | 604 | 558 | 2568
round 8, iteration 3 | 1317 | 1231 | 1145 | 2568
round 8, phase II | 0 | 0 | 0 | 1423
round 9, iteration 1 | 66 | 66 | 66 | 1423
round 9, iteration 2 | 509 | 498 | 487 | 1423
round 9, iteration 3 | 921 | 905 | 889 | 1423
round 9, iteration 4 | 1002 | 984 | 966 | 1423
round 9, iteration 5 | 1039 | 1022 | 1005 | 1423
round 9, phase II | 0 | 0 | 0 | 418
round 10, iteration 1 | 32 | 32 | 32 | 418
round 10, iteration 2 | 183 | 183 | 183 | 418
round 10, iteration 3 | 289 | 287 | 285 | 418
round 10, iteration 4 | 306 | 305 | 304 | 418
round 10, iteration 5 | 314 | 313 | 312 | 418
round 10, phase II | 0 | 0 | 0 | 106
round 11, iteration 1 | 4 | 4 | 4 | 106
round 11, iteration 2 | 62 | 62 | 62 | 106
round 11, iteration 3 | 96 | 96 | 96 | 106
round 11, iteration 4 | 106 | 106 | 106 | 106
round 11, phase II | 0 | 0 | 0 | 0

Rounds 1 to 8 are terminated by Nw ≥ Nthr, and rounds 9 to 10 by the criterion i = a (a = 5). Observe that iterations 4 and 5 in rounds 9 and 10 have only a small correction effect. This justifies the termination of a round after a certain number of iterations. It also shows that a = 3 would have been a suitable choice as well. Finally round 11 is terminated since the corrected sequence after iteration 4 satisfies the basic feedback relation. Thus we have reconstructed the original LFSR-sequence after 35 iterations in total.

References:

[1] W. Meier and O. Staffelbach, "Fast correlation attack on stream ciphers", full paper, to appear.

[2] T. Siegenthaler, "Decrypting a class of stream ciphers using ciphertext only", IEEE Trans. Comput., vol. C-34, pp. 81-85, Jan. 1985.


A New Class of Nonlinear Functions for Running-key Generators

(Extended Abstract)

Shu Tezuka

ATR Communication Systems Research Laboratory

Twin 21 MID Tower, 2-1-61 Shiromi Higashi-ku, Osaka 540, Japan

ABSTRACT

A systematic approach to the design of running-key generators in stream cipher systems is proposed using a new class of nonlinear functions based on integer arithmetic operations. This approach is applicable to both feedforward- and feedback-type running-key generators. Most practical nonlinear functions that use only one addition and one multiplication are fully analyzed. Cryptographic properties, such as 0-1 balance, linear complexity, and correlation, of the key-sequence generated by this scheme are examined and several important criteria for determining the parameters of such generators are derived. This approach will prove valuable in designing running-key generators.

I. INTRODUCTION

Most common running-key generators in stream cipher systems are based on a combination of shift registers and several nonlinear Boolean functions [1, 3]. According to the method of combination, the generators are mainly divided into two categories: one is of the feedback type and the other of the feedforward type. The first type of generator is an n-stage shift register together with a feedback loop which computes the next term for the first stage of the shift register based on a nonlinear Boolean function using the previous n terms. The latter consists of n driving linear feedback shift registers and a nonlinear Boolean function that operates on the n output sequences to generate a key sequence [8, 10].

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 317-324, 1988. © Springer-Verlag Berlin Heidelberg 1988

Golomb conducted a comprehensive study on the characteristics of feedback-type generators, particularly the distribution of cycle lengths from both theoretical and empirical viewpoints. On the other hand, several authors are continuing their efforts in analyzing the sequences produced by feedforward-type generators. In either case, however, few systematic methods for synthesizing nonlinear functions can be found.

In this paper, a new nonlinear function design approach for running-key generators is proposed on the basis of integer arithmetic operations such as addition and multiplication. This approach is used for both types of generators, feedback and feedforward. The paper is organized as follows. In Section 2, we overview the theory of nonlinear functions for running-key generators in stream cipher systems. In Section 3, a new class of nonlinear functions based on integer arithmetic operations is introduced and some fundamental properties are derived. Section 4, using the most practical generators, which require only one addition and one multiplication, continues the analysis of cryptographic strength, such as 0-1 balance, linear complexity, and correlation. Section 5 describes some examples of running-key generators based on this scheme. The last section summarizes the advantages of this approach and discusses further research topics.

II. Overview of Nonlinear Functions

A nonlinear Boolean function F(x1, ..., xn) is represented in the following general form (the so-called algebraic normal form) [8]:

where a0, ai, aij, ... are in GF(2), the Galois Field with two elements.

In particular, if F(x1, ..., xn) has the following form:

it is of great importance.


Golomb[3] obtained important results concerning the characteristics of binary sequences generated by this type of feedback shift registers. Some of the major results are described as follows:

Theorem A. In the case of the feedback type, the nonlinear function has the form of (1) if and only if the cycle of the key-sequence generated has no branch points.

Theorem B. In the feedback type, the truth table of F1(x2, ..., xn) has an odd/even number of 1's if and only if the generator yields an odd/even number of cycles.

The following two theorems are applicable to the feedforward-type generators [5, 10].

Theorem C. In the feedforward type where an M-sequence generator is equipped with a nonlinear function, if the function has the form of (1), then the key-sequence will be 0-1 balanced.

Theorem D. In the feedforward type, the linear complexity L of the key sequence produced by the function of nonlinear order d operating on the contents of an n-stage M-sequence generator is bounded by

Moreover, when the function F1(x2, ..., xn) of (1) has a balanced truth table, there are two additional theorems that must be considered [3, 9].

Theorem E. In the feedback type, the function F1(x2, ..., xn) has a balanced truth table if and only if the autocorrelation with delay n of the key-sequence converges to zero as the cycle length approaches 2^n.

Theorem F. In the feedforward type, the function F1(x2, ..., xn) has a balanced truth table if and only if the probability P(z = xi) = 1/2, for i = 1, 2, ..., n, where z is the output of the nonlinear function F(x1, ..., xn), provided that x1, ..., xn are independent and identically distributed balanced binary variables.


From the above results, we can see that when F(x1, ..., xn) has the form of (1) it is very significant for both types of generators, feedback and feedforward. Therefore, we will concentrate on this type of nonlinear function in this paper.

III. A New Class of Nonlinear Functions

Define f as a mapping f : In → In, where In = {0, 1, ..., 2^n − 1}, and fm(x) = f(x) (mod 2^m), x ∈ In, m = 1, ..., n. Consider a set of mappings satisfying the following two conditions for all m, m = 1, 2, ..., n:

1. fm(x) is bijective on Im = {0, 1, ..., 2^m − 1}, and

2. fm(x) = fm(x (mod 2^m)) for any x ∈ In.

Note that f(x) = fn(x). Denote the set by Γn. The next theorem is fundamental.

Theorem 1. Γn is a group with respect to the composition of mappings.

The following theorems are important when we apply this set of mappings to the design of stream cipher systems.

Theorem 2. If f ∈ Γn, then the most significant bit z of f(x), x ∈ In, is given in GF(2) as follows:

where xi is the i-th bit of an integer x.

Theorem 3. The following sets of mappings are subsets of Γn as defined above. (1) f(x) = ax + b (mod 2^n), where a is odd and b is any integer. (2) f(x) is a polynomial with integer coefficients modulo 2^n such that f′(x) ≢ 0 (mod 2) for any x ∈ In, and f(0) ≢ f(1) (mod 2). (3) f(x) = [b^{x+a}/4] (mod 2^n), where b ≡ 5 (mod 8), a is any integer, and [x] is the integer part of x. (4) f(x) = [(b^{x+a} + 1)/4] (mod 2^n), where b ≡ 3 (mod 8), and a is any integer. (5) All the inverse mappings of the above ones form a subset of Γn.


Example. If f(x) = x + 1 (mod 2^n), then the most significant bit z of f(x) is given in GF(2) as

where xi is the i-th leading bit of an integer x.

The above theorems mean that any mapping f ∈ Γn can be exploited as a nonlinear function for running-key generators in stream cipher systems. In the following sections, f(x) is said to be of order d if the nonlinear order of F1(x2, ..., xn) is d.

IV. Analysis of Mapping f(x) = ax + b (mod 2^n)

The mapping f(x) = ax + b (mod 2^n), which we refer to hereafter as an affine mapping, is of great importance from a practical viewpoint. It requires only one addition and one multiplication, thereby making the implementation much easier and speeding up the generation of the key-sequences. Another merit is theoretical, due to the fact that the linearity in the integer arithmetic sense makes the analysis of the key-sequence characteristics easier. First, we obtain the theorem that deals with the total number of distinct truth tables provided by affine mappings.

Theorem 4. Let f1(x), f2(x) be two affine mappings. For all x ∈ In

$$f_1(x) + f_2(x) \equiv 2^{n-1} - 1 \pmod{2^n}$$

if and only if the truth table associated with f1(x) is identical with that of f2(x).

The following corollary is easily obtained.

Corollary 1. The total number of distinct truth tables provided by affine mappings is given as 2^{2n−2}.

The next theorem is important since it holds not only for affine mappings but also for any mapping in Γn.

Theorem 5. The number of 1's in the truth table of F1(x2, ..., xn) is given as 2^{n−1} − Sn(f), where Sn(f) denotes the number of points (x, f(x)) in the range 0 ≤ x, f(x) < 2^{n−1}.

The value of Sn(f) can be calculated by exploiting the exponential sum, which plays a crucial role in calculating the discrepancy in the field of numerical integration [4, 6, 7].

Theorem 6. The truth table of F1(x2, ..., xn) is balanced if and only if

~ n - 2

t;+1 + t;-b = 0, c (tg - l ) ( t k - 1)

k= 1

where t k = u2'-', and w is the 2"-th root of one.

The next corollary is useful for the practical design of nonlinear functions.

Corollary 2. F1(x2, ..., xn) has a balanced truth table if

$$a - 2b - 1 \equiv 2^{n-1} \pmod{2^n},$$

where a is odd and b is any integer with 0 ≤ a, b < 2^n.

As shown in Theorems C and D, the order of nonlinearity is closely associated with the linear complexity of the sequence produced by the feedforward-type generator. As for the feedback-type generator, it is known that the nonlinear order is equal to n − 1 if the key-sequence is a de Bruijn sequence [2]. The following theorems deal with this property for affine mappings.

Theorem 7. The nonlinear order of F1(x2, ..., xn) is equal to n − 1 if a = 2^s + 1, s > 1, b odd, or if a = 3, b even.

This theorem can be generalized to the case of any mapping in Γn in the following way.

Theorem 8. Let f(x) = g(h(x)) (mod 2^n) for any two mappings g(x), h(x) in Γn. Then, the nonlinear order of f(x) is equal to n − 1 if and only if one of the two mappings is of order n − 1 and the other is of order less than n − 1.
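As an added example (my own code, not from Tezuka's paper), brute-force checks for small n of the membership conditions of Section III, of the form (1) structure of the most significant bit, and of Theorems 4, 5 and 7 and Corollaries 1 and 2 for affine mappings. Function names and the choice of n = 4 are my own; the Möbius transform used to read off the nonlinear order is a standard technique that the paper does not describe.

```python
# Added example (not from the paper): exhaustive checks of Sections III and IV for small n.


def affine(a, b, n):
    """Lookup table of f(x) = a*x + b (mod 2^n) over I_n = {0, ..., 2^n - 1}."""
    mod = 1 << n
    return [(a * x + b) % mod for x in range(mod)]


def power_map(base, a, n):
    """Sets (3) and (4) of Theorem 3: [base^(x+a)/4] (mod 2^n) for base = 5 (mod 8) and
    [(base^(x+a) + 1)/4] (mod 2^n) for base = 3 (mod 8); a >= 0 is assumed here.
    Reducing base^(x+a) modulo 2^(n+2) first does not change the result."""
    mod = 1 << n
    if base % 8 == 5:
        return [(pow(base, x + a, mod << 2) // 4) % mod for x in range(mod)]
    if base % 8 == 3:
        return [((pow(base, x + a, mod << 2) + 1) // 4) % mod for x in range(mod)]
    raise ValueError("base must be 3 or 5 modulo 8")


def in_gamma(table, n):
    """Conditions 1 and 2 of Section III: for every m = 1..n, f_m(x) = f(x) mod 2^m is a
    bijection on I_m and depends on x only through x mod 2^m."""
    for m in range(1, n + 1):
        size = 1 << m
        fm = [y % size for y in table]
        if len(set(fm[:size])) != size:
            return False
        if any(fm[x] != fm[x % size] for x in range(len(table))):
            return False
    return True


def msb_table(table, n):
    """Truth table of F(x_1, ..., x_n): the most significant bit of f(x), indexed by x."""
    return [(y >> (n - 1)) & 1 for y in table]


def has_form_1(f_bits, n):
    """Form (1), F = x_1 + F_1(x_2, ..., x_n): flipping the top bit of x flips F."""
    top = 1 << (n - 1)
    return all(f_bits[x ^ top] == f_bits[x] ^ 1 for x in range(len(f_bits)))


def f1_table(table, n):
    """Truth table of F_1(x_2, ..., x_n): the MSB of f(x) for x below 2^(n-1)."""
    return msb_table(table, n)[: 1 << (n - 1)]


def s_n(table, n):
    """S_n(f) of Theorem 5: points (x, f(x)) with 0 <= x, f(x) < 2^(n-1)."""
    half = 1 << (n - 1)
    return sum(1 for x in range(half) if table[x] < half)


def corollary2_holds(a, b, n):
    """Sufficient condition of Corollary 2: a - 2b - 1 = 2^(n-1) (mod 2^n)."""
    return (a - 2 * b - 1) % (1 << n) == 1 << (n - 1)


def theorem4_partner(a, b, n):
    """The affine map f_2 with f_1(x) + f_2(x) = 2^(n-1) - 1 (mod 2^n) for all x."""
    mod = 1 << n
    return (-a) % mod, ((mod >> 1) - 1 - b) % mod


def distinct_truth_tables(n):
    """Number of distinct MSB truth tables over all affine maps (Corollary 1: 2^(2n-2))."""
    mod = 1 << n
    return len({tuple(msb_table(affine(a, b, n), n))
                for a in range(1, mod, 2) for b in range(mod)})


def nonlinear_order(bits):
    """Algebraic degree of a Boolean function given by its truth table (Moebius transform)."""
    coef = list(bits)
    r = len(coef).bit_length() - 1
    for i in range(r):
        for j in range(len(coef)):
            if j >> i & 1:
                coef[j] ^= coef[j ^ (1 << i)]
    return max((bin(j).count("1") for j, c in enumerate(coef) if c), default=0)


if __name__ == "__main__":
    n, a, b = 4, 11, 1                      # f(x) = 11x + 1 (mod 16)
    f = affine(a, b, n)
    print("in Gamma_n:", in_gamma(f, n), " form (1):", has_form_1(msb_table(f, n), n))
    print("ones in F_1:", sum(f1_table(f, n)), " 2^(n-1) - S_n(f):", 8 - s_n(f, n))
    print("Corollary 2:", corollary2_holds(a, b, n), " Theorem 4 partner:", theorem4_partner(a, b, n))
    print("distinct tables for n=4:", distinct_truth_tables(n), " expected:", 2 ** (2 * n - 2))
    print("order of F_1 for 5x+1:", nonlinear_order(f1_table(affine(5, 1, n), n)))
```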


V. Discussions

DES (Data Encryption Standard) can be regarded as a nonlinear function when used in the output-feedback or in cipher-feedback modes. This cipher scheme, as well as classical ones, consists of two basic elements: permutation and substitution. However, in this paper we have proposed a new approach to building nonlinear functions by using integer arithmetic operations such as addition and multiplication. This approach has the following advantages:

1. It makes theoretical analysis of the cryptographic strength of the generated key-sequence easier.

2. It makes the implementation of the system easier and cheaper because integer arithmetic operation units are accessible or available in both software and hardware.

3. It provides a wide variety in selecting nonlinear functions when designing a stream cipher system.

Future major research topics will be to analyze the characteristics of other mappings such as those in sets (2) through (5) in Theorem 3, and to determine the order of Γn as well as the total number of distinct truth tables provided by Γn for any n.

REFERENCES

[1] H. Beker and F. Piper, Cipher Systems: The Protection of Communications, Wiley Interscience, New York, 1982.

[2] H. Fredricksen, A Survey of Full Length Nonlinear Shift Register Cycle Algorithms, SIAM Review, Vol. 24, pp. 195-221 (1982).

[3] S. W. Golomb, Shift Register Sequences, Holden-Day, San Francisco, Calif., 1967.

[4] G. H. Hardy and E. M. Wright, An Introduction to the Theory of Numbers, 5th ed., Oxford University Press, Oxford, 1983.

[5] E. L. Key, An Analysis of the Structure and Complexity of Nonlinear Binary Sequence Generators, IEEE Transactions on Information Theory, Vol. IT-22, pp. 732-736 (1976).

[6] D. E. Knuth, The Art of Computer Programming: Vol. 2, Seminumerical Algorithms, 2nd ed., Addison-Wesley, 1981.

[7] H. Niederreiter, Quasi-Monte Carlo Methods and Pseudorandom Numbers, Bull. Amer. Math. Soc., Vol. 84, pp. 957-1041 (1978).

[8] R. A. Rueppel, Analysis and Design of Stream Ciphers, Springer-Verlag, Berlin, 1986.

[9] T. Siegenthaler, Decrypting a Class of Stream Ciphers Using Ciphertexts Only, IEEE Transactions on Computers, Vol. C-34, pp. 81-85 (1985).

[10] M. K. Simon, J. K. Omura, R. A. Scholtz, and B. K. Levitt, Spread Spectrum Communications, Vol. I, Computer Science Press, Maryland, 1985.


Windmill Generators: A generalization and an observation of how many there are

B.J.M. Smeets 1) and W.G. Chambers 2)

1) Dept of Inform. Theory, University of Lund, Box 118, S-222 46 Lund, Sweden

2) Dept of Electronic and Electrical Engineering, King's College London, Strand, London WC2R 2LS, United Kingdom

ABSTRACT

The windmill technique has several practical advantages over other techniques for high-speed generation or blockwise generation of pn-sequences. In this paper we generalize previous results by showing that if f(t) = α(t^v) − β(t^{−v}) t^L is the minimal polynomial of a pn-sequence, then the sequence can be generated by a windmill generator. For L = 1, ..., 127, and v = 4, 8, 16 such that L ≡ ±3 mod 8 no irreducible polynomials f(t) were found. When L ≡ ±1 mod 8 the number of primitive f(t)'s was found to be approximately twice the expected number.

I INTRODUCTION

In various crypto systems m-sequence generators are used as building blocks in more complex systems. In such systems, like the EBU proposal [1] for the encryption of TV-pictures, the m-sequence generators are used to generate blocks of (pseudo-)random symbols. A straightforward method to generate blocks of v, say, symbols is to operate the m-sequence generator at v times the rate at which the blocks are needed. This method, for instance, is used in the above mentioned EBU proposal. Other methods which do not require this rate increase were described, for instance, in [2], [3], [4], and [5]. The windmill technique is one such method. It offers several practical advantages over all the other methods:

Part of this work was supported by the National Swedish Board for Technical Development under grant 863759 at the University of Lund.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 325-330, 1988. © Springer-Verlag Berlin Heidelberg 1988


- No initialization problems as found in the type of generators discussed in [2].

- The generator can produce all the distinct phases of s when s is a maximal-length sequence (m-sequence), unlike the example in [4].

- The generators exhibit a structural parallelism which is useful in VLSI realizations.

- The construction of the generator is easily derived from the feedback polynomial f(t) that corresponds with the generated sequence s. This makes it simple to alter the generator to let it produce a sequence s associated with another feedback polynomial.

The latter fact is very useful for cryptographic purposes because it will make it easy to use the generating polynomial as part of the key information.

In this extended abstract we describe a generalization of the windmill technique for generating m-sequences. The windmill structure is more general than the ones discussed in [3] and [5]. We state a new result that generalizes Theorem 7.4 in [5] and that gives the sufficient and necessary conditions for a feedback polynomial to be a primitive windmill polynomial. With this result it becomes easy to devise a straightforward search for all the primitive windmill polynomials.

Furthermore, we investigate the number of distinct windmill generators that can generate m-sequences of period $2^L - 1$ in blocks of size $v = 4, 8$ and 16. When $L \equiv \pm 3 \pmod 8$ no irreducible windmill polynomials were found for $L = 7, \ldots, 127$. When $L \equiv \pm 1 \pmod 8$ the number of primitive windmill polynomials was found to be approximately twice the expected number, which is $2F(L)/L$, where $F(L) = \phi(2^L - 1)$. If the number of primitive windmill polynomials is small then the possibility to change easily the feedback polynomial of the generated sequence has not much value for cryptographic applications. Hence, the latter result, combined with the simple mechanism to change the generating (windmill) polynomial in a windmill generator, shows that it is realistic to use the windmill polynomials as part of the key information.

II THE WINDMILL CONFIGURATION

[Figure 1: A $[\alpha(t), \beta(t^{-1}), \ell, v, \sigma]$ windmill with $v$ vanes; the figure shows vanes $0, \ldots, v-1$ feeding the permutation $\sigma$.]

A windmill consists of a cyclic cascade connection of $v$, $v \ge 1$, linear feedback shift registers as shown in Figure 1. Each shift register together with its linear feedback polynomial and a linear feedforward network is called a vane of the windmill. The $k$-th vane has feedback, respectively feedforward connection described by the polynomials $\alpha(t) = 1 - \sum_{j=1}^{m} \alpha_j t^j$, respectively the polynomial $\gamma_k(t) = t^{\ell(k)} \beta(t^{-1})$, where¹ $\beta(t^{-1}) = \sum_{j=0}^{n} \beta_j t^{-j}$ and $\ell(k)$ denotes the number of shift register stages of the vane. Evidently $\ell(k) \ge \max(m, n)$. Each vane has identical $\alpha(t)$ and $\beta(t^{-1})$. The contents of the first stage of each vane is used to form a $v$-tuple. The manner in which the $v$ symbols are combined to form the final $v$-tuple is governed by a permutation $\sigma$. The output sequence $z$ is the sequence

¹For convenience we say that $\deg \beta(t^{-1}) = n$.

The whole generator is conveniently referred to as a $[\alpha(t), \beta(t^{-1}), \ell, v, \sigma]$ windmill, where $\ell = (\ell(0), \ldots, \ell(v-1))$.

For each vane $k$, $k = 0, 1, \ldots, v-1$ and $i \in \mathbb{N}$ we have the initial state $x^k_0, x^k_{-1}, \ldots, x^k_{-\ell(k)+1}$ and the recurrence relation

$$x^k_{i+1} = \sum_{j=1}^{m} \alpha_j x^k_{i+1-j} + \sum_{j=0}^{n} \beta_j x^{k-1}_{i+j-\ell(k-1)+1}.$$

Let $X^k = X^k(t)$ be the generating function of the sequence $(x^k_i)$, i.e.

$$X^k = X^k(t) = \sum_{i=0}^{\infty} x^k_i t^i.$$

The blocks of length $v$ are consecutive blocks from a sequence $z$ which is given by the expression

$$z(t) = \sum_{k=0}^{v-1} t^{\sigma(k)} X^k(t^v). \qquad (2)$$

In general the sequence corresponding to $z(t)$ is an interleaving of $v$ sequences, each generated by an LFSR with feedback polynomial $\phi(t) = (\alpha(t))^v - t^L(\beta(t^{-1}))^v$, so that $z(t)$ may be expressed as a rational form with a denominator $\phi(t^v)$ of degree $Lv$, cf. [5]. However, under the conditions stated in the next theorem the rational form simplifies considerably.


Theorem. Let $L, v$ be integers such that $1 \le v < L$ and let $L$ and $v$ be relatively prime. Furthermore, let $\alpha(t)$, respectively $\beta(t^{-1})$, be two polynomials over $GF(q)$ of positive degree $m < L/v$ and $n < L/v$ respectively, such that $\alpha(0) = 1$ and $\beta(0) \ne 0$. Suppose $f(t) = \alpha(t^v) - \beta(t^{-v})\,t^L$ is a primitive feedback polynomial over $GF(q)$. Then there exist a permutation $\sigma$ of the numbers $0, 1, \ldots, v-1$, and a set $\ell$ of length parameters given by

$$\sigma(k) = Lk + c \pmod v, \qquad \ell(k) = (\sigma(k) - \sigma(k+1) + L)/v,$$

for $c, k = 0, 1, \ldots, v-1$ and $c$ fixed, such that the windmill $[\alpha(t), \beta(t^{-1}), \ell, v, \sigma]$ generates the m-sequence $z$ with generating function

where pk is defined by equation m i - 1 n -j-1 c p , k - l t i + l ( k - l )

3 i+l Pk = P k ( t > = 2; + c c ajx,"_jt' + c j = 1 i=l j=O i=-f(k-l)+l

Before we will look at the number of $f(t)$'s of the above type which are primitive we want to make some comments. First, if the polynomial $f(t)$ in the above theorem is a primitive polynomial, then the sequence $z$ is an m-sequence. Secondly, if $\deg \beta(t^{-1}) = \lfloor L/v \rfloor$ then at least one of the vanes will have its input connected by the feedforward connection to the output of the vane. Such a connection could be a source of timing problems in practical applications. Windmill polynomials which do not result in such connections will be called proper windmills. A windmill is certainly proper if it satisfies the additional restriction $v(\deg \beta(t^{-1}) + 1) \le L$. Thirdly, without loss of generality we may put $c = 0$ and hence the values of $\ell(k)$ and $\sigma(k)$ depend only on $L$ and $v$. Fourthly, the theorem can easily be generalized to arbitrary polynomials of the type $f(t)$.

III The number of binary windmill polynomials

Let us call a polynomial $f(t)$ a windmill polynomial if it has the form $f(t) = \alpha(t^v) - \beta(t^{-v})\,t^L$, where $\alpha(t)$ and $\beta(t^{-1})$ satisfy the conditions stated in the above theorem. Those windmill polynomials which are irreducible over $GF(q)$ we call irreducible windmill polynomials, and those that are even primitive we call primitive windmill polynomials (ML = maximum length). In this section we will investigate the number of binary irreducible (and primitive) windmill polynomials. We present mainly our investigations done for values of $v$ that are powers of 2.

The desired estimates are obtained by assuming that the windmill polynomials form a random subset of all the polynomials of degree $L$ with $f(0) = 1$. Under this assumption we expect to find the same fraction of windmill-type polynomials to be irreducible, respectively to be primitive. We find that the number of binary windmill polynomials of degree $L$ which satisfy the condition $f(0) = 1$ and that are irreducible should be roughly

$$\frac{2^{1 + 2\lfloor L/v \rfloor}}{L}.$$

For the corresponding number of primitive windmill polynomials we find the estimate

where $F(L) = \phi(2^L - 1)/2^L = (1 - 1/2^L)\prod_p (1 - 1/p)$. In the latter formulas the $p$'s are the distinct prime divisors of $2^L - 1$ and $\phi$ is Euler's $\phi$ function.

We counted also the number of polynomials that were proper. The quality of our estimates is investigated by determining the exact counts for $L = 7$ to 127. We obtained the following results. When $L \equiv \pm 3 \pmod 8$ then there are no irreducible windmill polynomials at all. However, if $L \equiv \pm 1 \pmod 8$ the number of windmill polynomials is about twice the number we predicted by using our probabilistic model.

Recently S.D. Cohen proved that if $L \equiv \pm 3 \pmod 8$ and $L, v$ are co-prime, then every windmill polynomial over $GF(q^m)$, with $m$ odd, is reducible [7]. In his proof the analogue of Stickelberger's theorem over fields with characteristic two plays a similar role as in the derivation of Swan's corollary on the reducibility of binary trinomials [8].
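To make the counting procedure of this section concrete, here is an added example (not the paper's code) that builds the binary windmill polynomials $f(t) = \alpha(t^v) + t^L\beta(t^{-v})$ for given $(L, v)$ with $\alpha(0) = \beta(0) = 1$ and positive degrees below $L/v$, tests each one for irreducibility (Ben-Or's test) and primitivity, and counts them. It assumes that the theorem's minus sign becomes a plus over GF(2) and that $\alpha$, $\beta$ range over exactly the family of the theorem; for $L = 11$, $v = 4$ ($L \equiv 3 \bmod 8$) all nine candidates come out reducible, in line with the counts reported above.

```python
def deg(a):
    """Degree of a GF(2) polynomial stored as an int (bit i <-> t^i); -1 for 0."""
    return a.bit_length() - 1

def pmod(a, m):
    """Remainder of a modulo m over GF(2)."""
    dm = deg(m)
    while a and deg(a) >= dm:
        a ^= m << (deg(a) - dm)
    return a

def pmulmod(a, b, m):
    """a * b mod m over GF(2): shift-and-add, reducing after every shift."""
    a, r = pmod(a, m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a = pmod(a << 1, m)
    return r

def ppowmod(a, e, m):
    """a^e mod m over GF(2) by square-and-multiply."""
    r, base = 1, pmod(a, m)
    while e:
        if e & 1:
            r = pmulmod(r, base, m)
        base = pmulmod(base, base, m)
        e >>= 1
    return r

def pgcd(a, b):
    while b:
        a, b = b, pmod(a, b)
    return a

def is_irreducible(f):
    """Ben-Or test: f of degree d is irreducible over GF(2) iff
    gcd(f, t^(2^i) - t) = 1 for every 1 <= i <= d/2."""
    d = deg(f)
    if d < 1:
        return False
    x = 2  # the polynomial t
    for _ in range(d // 2):
        x = pmulmod(x, x, f)  # now t^(2^i) mod f
        if pgcd(f, x ^ 2) != 1:  # x ^ 2 is t^(2^i) - t
            return False
    return True

def prime_factors(n):
    ps, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            ps.add(q)
            n //= q
        q += 1
    if n > 1:
        ps.add(n)
    return ps

def is_primitive(f):
    """Irreducible and t has order 2^d - 1 mod f, i.e. f generates an m-sequence."""
    if not is_irreducible(f):
        return False
    order = (1 << deg(f)) - 1
    return all(ppowmod(2, order // q, f) != 1 for q in prime_factors(order))

def windmill_poly(alpha, beta, L, v):
    """f(t) = alpha(t^v) + t^L beta(t^-v); the paper's minus is a plus over GF(2).
    beta(t^-1) = sum_j beta_j t^-j is passed as the bit vector of the beta_j."""
    f = 0
    for j in range(deg(alpha) + 1):
        if alpha >> j & 1:
            f ^= 1 << (v * j)
    for j in range(deg(beta) + 1):
        if beta >> j & 1:
            f ^= 1 << (L - v * j)
    return f

def windmill_polys(L, v):
    """All windmill polynomials for (L, v): alpha(0) = beta(0) = 1 and
    positive degrees m, n < L/v, as the theorem requires."""
    max_deg = (L - 1) // v  # largest integer strictly below L/v
    cands = list(range(3, 1 << (max_deg + 1), 2))  # odd constant term, degree >= 1
    return [windmill_poly(a, b, L, v) for a in cands for b in cands]

def count_windmills(L, v):
    """(total, irreducible, primitive) counts for block size v."""
    polys = windmill_polys(L, v)
    irr = [f for f in polys if is_irreducible(f)]
    prim = [f for f in irr if is_primitive(f)]
    return len(polys), len(irr), len(prim)

def expected_irreducible(L, v):
    """The paper's random-subset estimate 2^(1 + 2 floor(L/v)) / L."""
    return 2 ** (1 + 2 * (L // v)) / L

if __name__ == "__main__":
    for L in (7, 9, 11, 13, 15):  # 11 and 13 are +-3 mod 8, the others +-1 mod 8
        print(L, count_windmills(L, 4), round(expected_irreducible(L, 4), 2))
```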

References

[1] European Broadcasting Union, "Specification of the systems of the MAC/packet family", Tech 3258-E (Brussels: EBU technical centre), 1986.

[2] A. Lempel, W.L. Eastman, "High speed generation of maximal length sequences", IEEE Trans. on Comput., Vol. C-20, (1971), pp. 227-229.

[3] A.C. Arvillias, D.G. Maritsas, "Combinational logic-free realisations for high-speed m-sequence generation", Electronics Letters, Vol. 13, no. 17, (1977), pp. 500-502.

[4] F. Surböck, H. Weinrichter, "Interlacing properties of shift-register sequences with generator polynomials irreducible over GF(p)", IEEE Trans. on Inform. Theory, Vol. IT-24, (1978), pp. 386-389.

[5] B.J.M. Smeets, On Linear Recurring Sequences, PhD dissertation, University of Lund, 1987.

[6] R. Lidl, H. Niederreiter, Finite Fields, Encyclopedia of Mathematics and its Applications, Vol. 20, Addison-Wesley, Reading, Mass., 1983.

[7] S.D. Cohen, "Windmill polynomials over fields of characteristic two", preprint.

[8] E.R. Berlekamp, Algebraic Coding Theory, McGraw-Hill, New York, 1968.


LOCK-IN EFFECT IN CASCADES OF CLOCK-CONTROLLED SHIFT-REGISTERS

William G. Chambers¹⁾, Dieter Gollmann²⁾

¹⁾Department of Electronic and Electrical Engineering, King's College (KQC), Strand, London WC2R 2LS, United Kingdom

²⁾Fakultät für Informatik, Universität Karlsruhe, Technologie-Fabrik Karlsruhe, Haid-und-Neu-Strasse 7, 7500 Karlsruhe 1, W Germany.

ABSTRACT

Cascaded cryptographic keystream generators as proposed by Gollmann possess a cryptanalytic weakness termed "lock-in" in this article. If the initial state has been guessed correctly apart from its phase, a decryption cascade can be set up in which the effects of each stage of the original cascade are unravelled in reverse order. Once the decryption cascade has "locked in" on the original cascade, the state of the latter is known, and hence its future output and its output in the remote past. This weakness is studied; its effects are readily mitigated by taking certain precautions. Lock-in may also be used constructively as a synchronization technique.

I. INTRODUCTION

Cryptographic binary sequences produced with the aid of shift-registers have been much studied in the open literature over the last twenty years. An important parameter is the linear equivalence, which measures the resistance of a sequence generator to attacks using linear algebra [1, p199]. A good discussion of ways of increasing the linear equivalence is given by Rueppel [9].

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 331-343, 1988. © Springer-Verlag Berlin Heidelberg 1988


One method is to use a non-linear function to combine the simultaneous outputs of several shift-registers. The use of clock-controlled shift-registers has also been proposed by several authors [2, 5, 12, 13]. Typical of such systems is a cascade of clock-controlled shift-registers [6]. The periods and linear equivalences are readily made very large, and the statistical properties of at least the original versions have been proved to be good [7].

The fact that these systems are readily designed to have a high linear equivalence and hence be immune against the algebraic attack does not preclude other types of weakness. Thus attacks on sequences produced by non-linear combining functions have been studied by Siegenthaler [10, 11]. In this article a weakness which may occur in systems using clock-controlled shift registers is examined. This weakness can readily be guarded against by taking suitable precautions; nonetheless the user should be made aware of the possibility, since the weakness is not obvious. Of course this does not guarantee that there are no other hazards.

The cryptanalytic problem is the following: Assume that an enemy knows a) the construction of the generator and b) a large number of consecutive bits of the output, which for the sake of definiteness will be assumed to start at the beginning of the sequence. Then with limited computing resources can he deduce the initial setting of the generator, or at least the future output?

II. THE CASCADE GENERATOR

The keystream generator proposed in [6] consists of a number of stages, $K$ say, each like that shown in Fig 1. The main component of each stage is a clock-controlled cycling register (CR) of length $p$, this length being the same for each stage. If regularly clocked (or stepped), CR produces an endless repetition $b^\infty$ of the binary sequence $b = \{b(0), b(1), \ldots, b(p-1)\}$, where the $b(i)$ are determined by the initial setting for this stage. (The only restriction on $b$ is that $b^\infty$ should have shortest period $p$. Thus with $p = 3$ the choices $b = \{000\}$ and $b = \{111\}$ are excluded, for then $b^\infty$ has period 1.) The binary input $a_t$ is added (mod 2) to the output of CR to give the output $c_t$ of this stage, which then becomes the input of the next. The binary input also causes CR to be stepped (afterwards) if $a_t = 1$, but not if $a_t = 0$. The "slight delay" is put in the figure to emphasise that the step takes place after addition, that is, the rule is "add then step". We shall say that the stage uses the sequence $b$. The input to the first stage is 111…. The output of the final stage is the output of the generator.


The sequences $\{c_t\}$ and $\{a_t\}$ of the stage in Fig 1 are related by

$$c_t = a_t + b(S_{t-1}) \bmod 2, \qquad S_t = S_{t-1} + a_t \bmod p, \qquad t = 0, 1, 2, \ldots \qquad (1a)$$

with the initial condition

Evidently $S_t$ is the sum $\sum_{t'=0}^{t} a_{t'} \bmod p$. Since it determines where CR has got to in its cycle it will be called the phase of CR. (By $a \bmod p$ for positive $p$ we mean the value $x$ satisfying $0 \le x < p$ obtained by adding (subtracting) a suitable integer multiple of $p$ to (from) $a$.)

A modified system (the "m-sequence cascade") consists of a similar cascade of clock-controlled linear feedback shift registers of length $n$ with primitive feedback polynomials [1, p187]. The regularly clocked output of such a register has period $p = 2^n - 1$, and the sequence $\{b(0), b(1), \ldots, b(p-1)\}$ is a period of the m-sequence.

The output of a Gollmann cascade of length $K$ has period $p^K$ if $p$ is an odd prime [6]. If $p$ satisfies a further fairly weak condition (that $2^j - 1$ is not a multiple of $p$ for any $j$ satisfying $0 < j < p - 1$) then the linear equivalence is either $p^K$ or $p^K - 1$ [6, 4]. Among the small primes 3, 5, 11, 13, 19 and 29 satisfy this condition whereas 7, 17, 23, and 31 do not. In an m-sequence cascade of length $K$ the period is $(2^n - 1)^K$ and the linear equivalence exceeds $n(2^n - 1)^{K-1}$ [3].


III. THE ATTACK

We now suppose that the stage just described is the final stage of the generator, so that $\{c_t\}$ is the final output, some of which has been intercepted by the cryptanalyst X. (How much he needs is considered below.) In the attack to be described he tries to reverse the transformation from $\{a_t\}$ to $\{c_t\}$ effected by the final stage. Iteration of this technique should then enable him to "unravel" the cascade, starting with the final stage.

The reversing transform is carried out as follows: X guesses a sequence $b'$ and a value $S'_{-1}$, and then sets

$$a'_t = c_t - b'(S'_{t-1}) \bmod 2, \qquad S'_t = S'_{t-1} + a'_t \bmod p, \qquad t = 0, 1, 2, \ldots \qquad (2)$$

where the primed quantities are guesses or deductions from guesses. (When $b' = b$ and $S'_{-1} = S_{-1}$ we find that $\{a'_t\} = \{a_t\}$.) Such a transform may be implemented by a decryption stage (Fig 2) using the sequence $b'$ with initial phase $S'_{-1}$. In the case when $b'(t) = b((t + \phi) \bmod p)$ for some $\phi$ we say that $b$ has been guessed correctly except for phase. (Thus for $p = 3$ there are only two non-trivial choices for $b$ differing by more than phase.)

We now make Assumption A (to be examined below): Suppose that X has guessed the sequence $b'$ correctly except possibly for the phase. Let $c_t$ in (2) be the output from (1). We may instead presume that $b' = b$ and that the initial guess $S'_{-1}$ needed for (2) may be incorrect. Then as the iteration (2) proceeds the phase $S'_t$ may be expected to bounce around in some manner until it happens to take the correct value $S_t$. Thereafter it will be locked in to its correct value, so that for all future $t$ we find $S'_t = S_t$ and $a'_t = a_t$. (Investigations described in Sec 4 indicate that this takes a number of steps roughly equal to $\tfrac{1}{2}p^2$ on average.)

When the whole cascade is unravelled, the original input 111… is recreated. This is how X knows whether he has succeeded. At the same time he learns the phase of each CR in the generating cascade, not, it is true, at the start $t = 0$, but at a value of $t$ ($t_0$ say) where it is fairly safe to assume that lock-in has taken place. Thus the output from the generator after $t_0$ can be predicted. It is also possible to work backwards from $t_0$ to $t = 0$, so that the initial setting can be deduced. Let us consider (1a) as applying to the first stage of the generator, where X knows the input $a_t$ for all $t$ (as 1). Let us suppose moreover that X knows $S_t$ for $t > t_0$. Then he may find $S_{t-2}$ as $S_{t-1} - a_{t-1} \bmod p$, and so proceed backwards to $S_{-1}$. Thus the $c_t$ may also be found all the way back to the start. But $\{c_t\}$ is the input to the second stage, and thus the process can be iterated.

Assumption A is now examined. There are situations where it is valid for every stage without further ado: a) If for ease of manufacture the contents of each CR are laid down in advance, with the key determining how many steps are taken by each CR in preparing the initialization, then X knows each CR except for phase. b) In the m-sequence cascade with registers of length $n$ the period of each register is $p = 2^n - 1$. If the feedback polynomial of each stage is specified in manufacture, the outputs are again known apart from their phase, since all m-sequences associated with a given primitive feedback polynomial are cyclic shifts of one another [1, p186].

In other cases X has to make a number of trials, in only one of which Assumption A is valid for every stage. Thus in Gollmann's cascade with $p$ prime there are $2^p - 2$ initial settings for CR, and $(2^p - 2)/p$ initial settings that differ by more than phase. For a cascade of length $K$ the number of possible trials is thus $((2^p - 2)/p)^K$, that is $2^K$ with $p = 3$.

IV. NUMBER OF STEPS NEEDED

In this section the number of steps needed to achieve lock-in is discussed, firstly just for the final stage, and then for the whole cascade. Assumption A is taken as valid for every stage. Evidently this number is also the minimum length of the sequence needed for the attack described in Section 3.

The number of steps needed on average to get a decryption stage (using the correct sequence apart from phase) to lock in to the final stage of a cascade can be estimated as follows. The previous stages of the cascade are regarded as a random binary generator G. The output $\{a_t\}$ of G is then passed through the final encryption stage E to produce an output $\{c_t\}$ according to (1). The sequence $\{c_t\}$ is then passed through the decryption stage D to produce an output $\{a'_t\}$ according to (2). The stage D uses the same sequence $b$ as is used by E, but the initial phases may not agree. Until lock-in is achieved the input to D will be regarded as random, and so the difference of the phases $\Delta_t = S_t - S'_t$ behaves as though in the problem of the random walk [8, p213], either increasing or decreasing by unity with equal probability, or staying the same. Initially $\Delta_t$ is taken to have any value between 0 and $p - 1$ with equal probability, so that its mean is approximately $\tfrac{1}{2}p$. Lock-in takes place when $\Delta_t$ reaches either of the values 0 or $p$. For a random walk to cover a distance $d$ requires a number of steps of the order of $d^2$, and so in this case we may expect the mean number of steps needed to achieve lock-in to be of order $p^2$.

This conclusion is borne out for $p$ up to 31 by the more careful treatment described in the appendix. The mean $\mu_p$ and standard deviation $\sigma_p$ of the number of steps to lock-in for a single stage have been computed for $p$ taking the prime values from 3 to 31 to give the results shown in Table 1, which lists the values $\mu'_p = \mu_p/p^2$ and $\sigma'_p = \sigma_p/p^2$. The results are approximate to about 6 percent for $p \ge 19$.


TABLE 1

Complete lock-in for the whole cascade $E_1, E_2, \ldots, E_K$ (with $K$ the number of stages) requires a similar cascade of decryption stages $D_1, D_2, \ldots, D_K$, with $D_k$ having the same sequence as $E_k$. The output from $D_k$ is the input to $D_{k-1}$. By an iterative argument starting with $k = K$ it is evident that once $D_k$ has locked in on $E_k$ the input to $D_{k-1}$ is the same as the output from $E_{k-1}$, and so $D_{k-1}$ can start to lock in on $E_{k-1}$. It is conceivable that $D_{k-1}$ might already have started to lock in on $E_{k-1}$ before $D_k$ had locked in properly on $E_k$, but we shall assume that each lock-in starts with random initial conditions as soon as the previous stage has locked in. Thus the number of steps needed to achieve over-all lock-in is the sum of $K$ independent identically distributed random variables, and so its mean is $K \mu'_p p^2$, and its standard deviation is $K^{1/2} \sigma'_p p^2$.

Computer simulations (for $p = 3, 5, 11$, and 13) bear out these conclusions. The only surprise was that for $p = 5, 11$ and 13 in about 10% of the cases $D_1$ and $D_2$ failed to lock in. This is presumably because the input 111… to $E_1$ can hardly be regarded as random. Although this may be an embarrassment to the cryptanalyst it is probably not a serious obstacle.

V. USE OF ‘STEP THEN ADD’

It might appear that the arrangement where the "slight delay" of Fig 1 is put instead at the point X would give a different problem, with $a_t$ implicitly dependent on $c_t$, rather than explicitly as in (2). For then we have

$$c_t = a_t + b(S_t) \bmod 2, \qquad S_t = S_{t-1} + a_t \bmod p. \qquad (3)$$

Appearances are however deceptive, and the inversion may be carried out by

$$a_t = c_t - b(S_t) \bmod 2, \qquad S_{t-1} = S_t - a_t \bmod p, \qquad (4)$$

where we let $t$ run downwards from some large value $N$ to 0, and all we need to guess is the initial value $S_N$. Thus lock-in can be made to occur if the output sequence from (3) is fed backwards into (4).

This suggests that if the cryptographer arranges that a choice between "add then step" and "step then add' be made for each stage under the control of the key, then the use of lock-in as a cryptanalytic technique is made more difficult. It may however be better to spend the additional cryptographic effort on extending the length of the cascade, with a corresponding increase in the linear equivalence and the period [6].

VI. GUARDING AGAINST CRYPTANALYSIS BY LOCK-IN

First suppose the validity of Assumption A. Then the length of the bit-string needed for the attack by lock-in is of the order of $S = Kp^2$, where $p$ is the length of the cycling sequence $b$ and $K$ is the number of stages in the cascade. Since the decryption involves passing the string through $K$ decryption stages the computing complexity, that is the number of computing steps needed, is of the order of $C_A = K^2 p^2$. If on the other hand Assumption A is not valid then every possible instance of $b$ has to be tried in each stage, and so the computing complexity is of the order of $C = K^2 p^2 \cdot ((2^p - 2)/p)^K$. To give examples of these values we note that $C$ exceeds $10^{21}$ for $p = 3$, $K = 56$, or for $p = 11$, $K = 8$, with $S$ less than 1000 in both cases.

For an m-sequence cascade we set $p = 2^n - 1$ where $n$ is the register length. It may be necessary to use fixed feedback connections, so that Assumption A is valid. Then we find that $C_A > 10^{21}$ for $n = 34$, $K = 2$, or for $n = 29$, $K = 59$. Huge string-lengths are needed in these cases. We find $S = 5.9 \times 10^{20}$ and $1.7 \times 10^{19}$ respectively. On the other hand small values of $n$ would not be safe.

Without Assumption A the attack may be improved by a "meet-in-the-middle" technique. The encryption cascade is regarded as being in two sections, of length $a$ at the top and $b$ at the bottom, with $a + b = K$. All $(2^p - 2)^a$ possible initializations of the top section are tried and the initial part of each sequence thus generated is stored in order, together with the setting that generated it. All $((2^p - 2)/p)^b$ initializations of the lower part are used in a decryption cascade of length $b$ to lock in on to the sequence to be broken. Again the output strings are ordered. Then the analyst looks for matching pairs in the two ordered lists. If a matching pair is found it is investigated further. Optimally the two lists should be roughly of the same size, so that for small values of $p$ the size of $b$ is around two-thirds to three-quarters of $K$. This value should perhaps replace $K$ in the above considerations.

VII. USE OF LOCK-IN FOR SYNCHRONIZATION

So far it has been assumed that the cascade is used as a pseudo-random binary sequence generator, with the all-1's sequence fed in at the top. Under these conditions lock-in is a cryptanalytic hazard. However it may be employed more constructively by the cryptographer. Suppose that the plaintext is fed into the top of the cascade, and the ciphertext taken from the bottom. Then the legitimate receiver will use a decryption cascade. Here the key given to the receiver specifies the contents of each register and Assumption A is certainly satisfied. Then it is almost certain that the lock-in property ensures the self-synchronization of the decryption, even if it is not properly synchronized at any stage. Under these circumstances we would want fairly quick lock-in, so that short registers (say $p = 3$) would be used in a long cascade (say $K = 100$). A long cascade is of course vital for security, the effective keylength being $K$ bits with $p = 3$. The mean time to lock-in with $p = 3$ and $K = 100$ is about $0.321 \times 3^2 \times 100 \approx 290$ steps.

We have also studied the effects of a single-bit error on lock-in. There are three types of such an error, the alteration, the insertion and the loss of a bit. Computer simulations (carried out for $p = 3, 5, 7$ and 11 with $K = 31$) suggest that lock-in times after a single-bit error have a distribution very like that for lock-in starting with random phases. Thus for the cascade with $p = 3$ and $K = 100$ the mean recovery time would be around 290 steps. This is just over twice the recovery time for a 64-bit block cipher such as DES [1, p267] used in the cipher-feedback mode [1, p287]. Moreover as far as a cascade cipher is concerned the loss or insertion of a bit is no worse than the alteration of a bit, whereas for a block cipher such an error causes misalignment of the blocks, and some method for maintaining synchronization is needed.


APPENDIX: Number of steps for lock-in of a single stage

We develop further the model of Sec 4 in which a random binary input $\{a_t\}$ is fed into an encryption stage E using a given sequence $b$ of given least period $p$, and the output $\{c_t\}$ generated according to (1) is fed to a decryption stage D also using $b$. We find easily computed expressions for the mean and variance of the number of steps to lock-in for any given $b$, averaged over the initial states of D and E. By a random binary sequence $\{a_t\}$ we mean that the $a_t$ are independent identically distributed random variables taking just the values 0 and 1 with equal probabilities, or equivalently that for any $n$ all sequences of length $n$ are equally likely. Since the sequences $\{a_t\}$ and $\{c_t\}$ (for given $b$ and $S_{-1}$) are in one-to-one reciprocal correspondence it is readily shown that $\{c_t\}$ is also a random binary sequence in the above sense.

Equations (1a) and (2) may be written as

$$S_t = ((c_t + b(S_{t-1})) \bmod 2) + S_{t-1} \bmod p, \qquad (5a)$$

$$S'_t = ((c_t + b(S'_{t-1})) \bmod 2) + S'_{t-1} \bmod p. \qquad (5b)$$

Lock-in occurs as soon as $S_t = S'_t \bmod p$. The value pair $(S_t, S'_t)$ specifies the state of the system at time $t$. We first show that, starting from any state, lock-in can take place with non-zero probability after $p(p-1)$ steps. This result will be used to show that lock-in takes place eventually with probability one, and it guarantees the convergence of the theory below, as well as the existence of the mean and variance of the time to lock-in. To do this we suppose that $\{a_t\}$ happens to be the all-ones sequence. Then by (1a) $S_t$ increases by 1 on every step (mod $p$ of course). Now suppose that lock-in does not take place. Then beyond some step $t_0$ the quantity $S'_t$ must keep some fixed distance $s$ ahead ($0 < s < p$), so that $S'_t = S_t + s \bmod p$ for $t > t_0$. Then from (5) it follows that $b((i + s) \bmod p) = b(i)$ for all $i$ such that $0 \le i < p$, and so $b^\infty$ has a period less than $p$, in fact the highest common factor of $s$ and $p$. This contradicts the assumption that $p$ is the least period. This catching up needs at most $p(p-1)$ steps. For $S_t$ must gain on $S'_t$ by at least 1 every time it goes round the cycle $(0, 1, \ldots, p-1)$. However $S'_t$ cannot be more than $p - 1$ ahead of $S_t$ at the beginning, and hence the result.

To compute the mean and variance we use a state-transition matrix $T$ whose rows and columns are labelled by states of the system. The "coalesced" states (with $S_t = S'_t$) need not be included among these, and there is no need to distinguish between $S_t$ and $S'_t$, so the states may be represented as number pairs $(a, b)$ with $0 \le a < b < p$, the numbers being of course values of $S_t$ and $S'_t$. There are altogether $\tfrac{1}{2}p(p-1)$ such states, and they will be denoted by Greek suffices $\alpha$, $\beta$ and $\gamma$. Let $T_{\beta\alpha}$ denote the probability of a transition from $\alpha$ to $\beta$. Then we find that $T_{\beta\alpha} \ge 0$, and that $\sum_\beta T_{\beta\alpha} \le 1$, with $\sum_\beta T_{\beta\alpha} < 1$ if $\alpha$ can go to a coalesced state in one step. Let $p_\alpha(t)$ denote the probability of the system being in the state $\alpha$ at step $t$. We find $p_\beta(t+1) = \sum_\alpha T_{\beta\alpha} p_\alpha(t)$, or in vector-matrix notation $p(t+1) = T p(t)$, so that $p(n) = T^n p(0)$. The probability of "no lock-in after $n$ steps" may be written as $P_n = e'p(n)$ where $e$ is the all-ones vector. With a start from any state $\alpha$, lock-in takes place with a probability not less than $h = 2^{-Q}$ after $Q = p(p-1)$ steps. (The quantity $h$ is the probability that $\{a_t\}$ starts with $Q$ consecutive 1's.) Now the probability distribution after $n$ steps starting from the state $\alpha$ is $p_\beta = (T^n)_{\beta\alpha}$, so that $\sum_\beta (T^Q)_{\beta\alpha} \le 1 - h$. Thus for any integer $l \ge 0$ we find


By iteration this is then less than or equal to $(1-h)^{l+1}$, and hence so is each term in the sum on the left. We are using the fact that all these matrix components are non-negative. Thus we find that $T^n \to 0$ as $n \to \infty$. From this it follows (by reductio ad absurdum) that the eigenvalues of $T$ are strictly less than unity in magnitude. This approach may well give a hopelessly pessimistic estimate of the rate of convergence of $T^n$ to 0, but it is all that is needed for the theory.

The initial probability distribution will be taken as uniform, with $p(0) = (2/p^2)e$; this takes account of the possibility of coalescence at the start, since $P_0 = e'p(0) = 1 - 1/p$. The mean time to coalescence is then given by

00

P= C (n +1)(P, - P n + l ) n = O

since a fraction P, - P, + coalesces at step n + 1. Thus we find that 00 oa

p= c Pn =(Up2) c e'TRe=(2/p2)e'(I-T)-'e n = O n = O

where I is the unit matrix. Here a matrix geometric progression has been summed, which is possible since all the eigenvalues are less than one in mag- nitude.

Page 322: Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings

341

In like manner the mean square time to coalescence is given by

from which we find

v = (2/p *)e'(I 3- T)(I - T)-2 e.

For reasonable values of p (say up to 31) these computations are not too hard. They involve the solution of linear equations rather than matrix inversions, and they are assisted by the facts that T is sparse, with all the non-zero ele- ments equal to ?4, and that it is a banded matrix if the states are ordered by increasing separation of the locations.

As an example we consider a case with p = 5 . The matrix T is then of size lox 10. The states used for labelling are preferentially ordered as 01, 12, 23, 34, 04, 02, 13, 24, 03, 14. Here 01 stands for (0, 1) etc. With b={0,1,1,0,1} the possible transitions a+p are 01+02, 12+12, 12-23, 23-24, 34-03, 04-14, 02+12, 0 2 4 3 , 13+23, 13+14, 24403, 24+24, 03+03, 03-14, 14-14, 1 4 4 2 . For these Tpa is %. The other elements of T are zero.

The final part of the calculation is to average p and v over all possible b with p specified. These averages are denoted by pp and vp. The standard deviation op of the lock-in time is given by o i=vp -pi. Since for p 2 19 the number of instances of b is rather large (being equal to (2p - 2) / p ), the com- putations were restricted to averaging over 300 quasi-random choices, giving an accuracy of a few percent.
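As an added example (not from the paper), the following Python builds T for a given p and b, solves the two linear systems instead of inverting (I − T), and returns μ and ν exactly as rationals. The clocking rule it uses is an assumption inferred from the p = 5 transition list above (a register advances iff the common input bit XOR its current b-value is 1), which it reproduces; a constant b never locks in and is excluded from the average.

```python
from fractions import Fraction
from itertools import combinations, product


def states(p):
    """Uncoalesced states (a, b) with 0 <= a < b < p: the p(p-1)/2 unordered location pairs."""
    return list(combinations(range(p), 2))


def transition_matrix(p, b):
    """Sparse T as {(beta, alpha): Pr(alpha -> beta)}; transitions into coalesced states are dropped.

    Assumed clocking rule (inferred from the p = 5, b = {0,1,1,0,1} transition list in the
    text, which it reproduces exactly): at every step the common input bit q is 0 or 1 with
    probability 1/2, and a register at location s advances one place (mod p) iff q XOR b[s] == 1.
    """
    T = {}
    for a, c in states(p):
        for q in (0, 1):
            a2 = (a + (q ^ b[a])) % p
            c2 = (c + (q ^ b[c])) % p
            if a2 == c2:
                continue                              # lock-in: not a state of T
            key = ((min(a2, c2), max(a2, c2)), (a, c))
            T[key] = T.get(key, Fraction(0)) + Fraction(1, 2)
    return T


def solve(A, rhs):
    """Exact Gauss-Jordan solution z of A z = rhs (A: list of rows of Fractions)."""
    n = len(A)
    M = [row[:] + [rhs[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col] != 0)
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [v / pv for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] != 0:
                f = M[r][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def lock_in_moments(p, b):
    """Return (mu, nu) for one register content b, with the uniform start p(0) = (2/p^2) e:
    mu = (2/p^2) e'(I-T)^-1 e and nu = (2/p^2) e'(I+T)(I-T)^-2 e, both as exact Fractions.
    Requires that lock-in is reachable from every state (true for prime p and non-constant b)."""
    S = states(p)
    idx = {s: k for k, s in enumerate(S)}
    n = len(S)
    T = [[Fraction(0)] * n for _ in range(n)]
    for (beta, alpha), pr in transition_matrix(p, b).items():
        T[idx[beta]][idx[alpha]] = pr
    ImT = [[(1 if i == j else 0) - T[i][j] for j in range(n)] for i in range(n)]
    e = [Fraction(1)] * n
    x = solve(ImT, e)                                   # x = (I-T)^-1 e
    y = solve([list(col) for col in zip(*ImT)], e)      # y = (I-T')^-1 e, i.e. y' = e'(I-T)^-1
    scale = Fraction(2, p * p)
    mu = scale * sum(y)
    # (I+T)(I-T)^-2 = (I-T)^-1 (I+T) (I-T)^-1 and T x = x - e, so e'(I+T)(I-T)^-2 e = 2 y'x - y'e
    nu = scale * (2 * sum(yi * xi for yi, xi in zip(y, x)) - sum(y))
    return mu, nu


def average_moments(p):
    """(mu_p, nu_p): mu and nu averaged over every non-constant b of length p (a constant b
    moves both registers in step and never locks in). For prime p each cyclic class of b has
    p members and mu, nu are shift-invariant, so this equals the average over the (2^p - 2)/p
    classes counted in the text."""
    mus, nus = [], []
    for b in product((0, 1), repeat=p):
        if len(set(b)) == 1:
            continue
        mu, nu = lock_in_moments(p, b)
        mus.append(mu)
        nus.append(nu)
    return sum(mus) / len(mus), sum(nus) / len(nus)


if __name__ == "__main__":
    mu, nu = lock_in_moments(5, (0, 1, 1, 0, 1))
    sigma = (nu - mu * mu) ** 0.5
    print(f"p=5, b=01101: mu={mu} ({float(mu):.2f}), nu={nu}, sigma={sigma:.2f}")
    mu5, nu5 = average_moments(5)
    print(f"p=5 averaged over b: mu_5={float(mu5):.2f}, sigma_5={(nu5 - mu5 * mu5) ** 0.5:.2f}")
```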


FIG 1: A stage of Gollmann's cascade, as described in Sec 2. The input bit a_t is added to the output from the cycling register CR to give the output c_t. It is also used to clock CR after the addition. In another arrangement (Sec 5) the "slight delay" is put at X instead, so that CR is clocked before the addition.

FIG 2: A decryption stage for reversing the transformation accomplished by the stage in Fig 1. Here the "slight delay" prevents a race round the loop.

PROOF OF MASSEY'S CONJECTURED ALGORITHM

Cunsheng Ding

Department of Applied Mathematics, Northwest Telecommunication Engineering Institute, Xi'an, People's Republic of China

ABSTRACT: Massey's conjectured algorithm for multi-sequence shift register synthesis is proved, and its suitability for the minimal realization of any linear system is also verified.

I. INTRODUCTION

It is well known that the SLFSR (shortest linear feedback shift register) synthesis of a single sequence is of great importance in practice (1)(2). The Berlekamp-Massey algorithm gives an efficient one (2). The problem of synthesizing multi-sequences with LFSRs has been given much attention by many scholars in the information and control community. J.L. Massey gave a conjectured algorithm for the SLFSR synthesis of multi-sequences in 1972. In 1985 Feng Guiliang and K.K. Tzeng also gave another one (3). In this paper we are going to prove Massey's conjectured algorithm, and verify that it is a universal one and is suited for the minimal realization of any linear system.

II. PROOF OF MASSEY'S CONJECTURED ALGORITHM

Let B_i = a_{i1} ... a_{iN}, i = 1, ..., M, be M sequences of length N in the field F, S = (B_1 B_2 ... B_M)^t, S^i = s_1 ... s_i and s_i = (a_{1i} a_{2i} ... a_{Mi})^t. Then Massey's conjectured algorithm in Fig. 1 can be stated as

MASSEY'S CONJECTURE: Assume that (f_i, l_i) is the SLFSR which generates S^i, and d_i = f_i(S^{i+1}) is the i-th discrepancy, i = 0, ..., n. Then

(i) if d_n = 0, then l_{n+1} = l_n and f_{n+1} = f_n.

(ii) if d_n ≠ 0, and is a linear combination of d_i, i = 0, ..., n−1, let d_{k_1}, ..., d_{k_r} be a basis of {d_i : 0 ≤ i ≤ n−1} such that max{n − k_i + l_{k_i} : 1 ≤ i ≤ r} is minimal and (k_1, k_2, ..., k_r) is maximal in alphabetic order. Let

d_n = −Σ_{i=1}^{r} u_i d_{k_i},   I = {i : u_i ≠ 0, 1 ≤ i ≤ r}

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 345-349, 1988. © Springer-Verlag Berlin Heidelberg 1988

(iii) if d_n is not a linear combination of d_i, i = 0, ..., n−1, then l_{n+1} = n+1 and f_{n+1} can be any polynomial in F[x] of degree n+1.

First, we give some notations and simple results:

Let f_i = 1 + f_{i,1} x + ... + f_{i,l_i} x^{l_i}, and ff_i = (0 ... 0 f_{i,l_i} ... f_{i,1} 1 0 ... 0)^t be a vector of length n+1. Denote D_{n+1} = (d_0 d_1 ... d_n)^t, A_{n+1} = (s_1 s_2 ... s_{n+1})^t and F_{n+1} = (ff_0 ff_1 ... ff_n)^t. Then it is easy to see that

(i) F_{n+1} is a lower triangular matrix, and is invertible.

(ii) D_{n+1} = F_{n+1} A_{n+1}, A_{n+1} = C_{n+1} D_{n+1}, where C_{n+1} = F_{n+1}^{-1}, and is also a lower triangular matrix.

Let us split the matrices F_{n+1}, C_{n+1}, D_{n+1} and partition them by writing

U_{(n−L)×n}

where B = (0 ... 0 u_L ... u_1)^t, 0 = (0 ... 0)^t. By definition, it is apparent that the following theorem 1 holds.

Theorem 1. Let f(x) = 1 + u_1 x + ... + u_L x^L (L < n+1), then (f, L) generates S^{n+1} if and only if U_{(n−L)×n} G_n D_n = 0 and B G_n D_n + g_n D_n + d_n = 0.

Theorem 2. If (f, L) can generate S^{n+1}, L ≤ n+1, then there must exist a vector u such that

Theorem 3. Assume that (f_i, l_i) is the SLFSR which generates S^i, i = 0, ..., n. Then l_{n+1} = n+1 if and only if d_n is not a linear combination of d_i, i = 0, ..., n−1.

Theorem 4. Assume that g = f_n + Σ_{i=1}^{s} u_i x^{n−k_i} f_{k_i}, u_i ≠ 0, i = 1, ..., s. Let l'_i be the shortest L such that (f_i, L) can generate S^i. If (g, L) generates

S^{n+1}, then we have

L ≥ max{l'_n, n − k_1 + l'_{k_1}, ..., n − k_s + l'_{k_s}} = max{l_n, n − k_1 + l_{k_1}, ..., n − k_s + l_{k_s}}.

In order to prove theorem 4, we now prove the following lemma:

Lemma: Assume g = f_m + u_1 x^{m−k_1} f_{k_1}, u_1 ≠ 0, k_1 < m, and (f_m, l_m), (f_{k_1}, l_{k_1}) are the SLFSR's which generate S^m and S^{k_1} respectively. Then if (g, L) generates S^{m+1}, we have

L ≥ max{l'_m, m − k_1 + l'_{k_1}} = max{l_m, m − k_1 + l_{k_1}}.

Proof: From the definition of l'_i and l_m, we obtain that l'_m = l_m and l'_{k_1} = l_{k_1}. Because L ≥ l_m, so L ≥ l_m = l'_m. Suppose l_m ≤ L < m − k_1 + l_{k_1}. Let j be the last j such that f_{k_1,j} ≠ 0.

1) If j + m − k_1 ≤ L, because L ≥ l_m, so L − m + k_1 ≥ l_m − m + k_1 ≥ j. Put LL = L − m + k_1 and h(x) = 1 + h_1 x + ... + h_j x^j, where h_i = f_{k_1,i}, i = 1, ..., j. Then g(x) = f_m + u_1 x^{m−k_1} h(x), j ≤ LL < l_{k_1}. Because (g, L) generates S^{m+1} and L ≥ l_m, so g(S^m) = ... = g(S^{L+1}) = 0, and f_m(S^m) = ... = f_m(S^{L+1}) = 0. Thus h(S^{k_1}) = ... = h(S^{LL+1}) = 0. This means that (h, LL) generates S^{k_1}, but LL < l_{k_1}. It is contrary to the minimality of l_{k_1}, hence L ≥ m − k_1 + l_{k_1}, and L ≥ max{l_m, m − k_1 + l_{k_1}} = max{l'_m, m − k_1 + l'_{k_1}}.

2) If j + m − k_1 > L, regard g(x) and f_m + x^{m−k_1} f_{k_1} as polynomials of degree m, m ≤ n. Then the number of degenerate terms of f_m + x^{m−k_1} f_{k_1} is m − (m − k_1 + j), so m − L ≤ m − (m − k_1 + j). Put LL = L − m + k_1, then j > LL. For the same reason we know that (h(x), LL) generates S^{k_1}, but LL < l_{k_1}. This is also contrary to the minimality of l_{k_1}. Thus L ≥ max{l_m, m − k_1 + l_{k_1}} = max{l'_m, m − k_1 + l'_{k_1}}.

PROOF OF THEOREM 4: By using the above lemma and induction on s, it is not difficult to see that Theorem 4 is true.

Theorem 5. Let (f_i, l_i) be the SLFSR which generates S^i, and d_i = f_i(S^{i+1}), i = 0, ..., n−1, n. If d_n (≠ 0) can be expressed as a linear combination of d_i, i = 0, ..., n−1, say d_n = −Σ_{i=0}^{n−1} u_i d_i, let I_u = {0 ≤ i ≤ n−1 : u_i ≠ 0}. Put

l_{n+1} = min_u max{l_n, n − i + l_i : i ∈ I_u}   ... (a)

f_{n+1} = f_n + Σ_{i=0}^{n−1} u'_i x^{n−i} f_i,

where u' = (u'_0, ..., u'_{n−1}) is the vector which makes the right side of (a) take its minimal value. Then (f_{n+1}, l_{n+1}) is a shortest LFSR that generates S^{n+1}.

Proof: Let L denote the right side of (a). It is obvious that l_{n+1} ≤ L. Let (f, l_{n+1}) be a SLFSR that generates S^{n+1}, and l_{n+1} < n+1. By theorem 2 there must exist a vector u such that

f = f_n + Σ_{i=0}^{n−1} u_i x^{n−i} f_i,   d_n = −Σ_{i=0}^{n−1} u_i d_i.

Then theorem 4 tells us that l_{n+1} ≥ max{l_n, n − i + l_i : i ∈ I_u} ≥ L, therefore l_{n+1} = L. Thus (f_{n+1}, l_{n+1}) is a SLFSR which generates S^{n+1}.

From the basis chosen in Massey's algorithm and Theorem 5 we can easily conclude that part (ii) in Massey's algorithm is true. Part (iii) has been proved in theorem 3. Part (i) is apparently true. Thus we have now completely proved Massey's conjectured algorithm.

Let V be a vector space over the field F, and S = s_1 ... s_n be a vector sequence of length n. The problem of finding a pair (f_n(x), l_n) such that (f_n, l_n) generates S and l_n is minimal is referred to as the problem of minimal realization for vector sequences.

Notice that the proofs of all the theorems and the lemma are independent of what the s_i's are, but only require that the s_i's belong to a vector space over F. So all the results are true for vector sequences. This means that Massey's algorithm is a universal one; it is suited for the minimal realization of any linear system. We now give some special cases of the universal algorithm:

1) If V = F, then it is the B-M algorithm.

2) If V = F^m, then it is Massey's one for multi-sequence LFSR synthesis.

3) If V = F^{n×n}, then it gives a minimal realization algorithm for matrix sequences.

4) If F = GF(q), V = GF(q^m), then it gives a minimal realization algorithm for sequences in GF(q^m) over GF(q).

ACKNOWLEDGMENT

The author wishes to thank Prof. Xiao Guozhen for his guidance. Also many thanks to Shan Weijuan, Guo Baoan and the people in the 'Seminar for the Theory of Coding and Cryptology' for their helpful suggestions.
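As an added example not taken from the paper: the Python below carries out SLFSR synthesis over GF(2) for a vector sequence by exhaustive search (not by Massey's conjectured algorithm), computes the discrepancies d_i = f_i(S^{i+1}), and checks Theorem 3's criterion, l_{n+1} = n+1 exactly when d_n is not a linear combination of d_0, ..., d_{n−1}. The sample sequence and all function names are the example's own.

```python
from itertools import product


def generates(f, L, S):
    """True iff the LFSR (f, L), f = 1 + f_1 x + ... + f_L x^L over GF(2), generates the
    vector sequence S = s_1 ... s_N (each s_j a tuple over GF(2)):
    s_j + f_1 s_{j-1} + ... + f_L s_{j-L} = 0 for every j with L < j <= N."""
    for j in range(L + 1, len(S) + 1):
        acc = list(S[j - 1])
        for k in range(1, L + 1):
            if f[k]:
                acc = [a ^ b for a, b in zip(acc, S[j - 1 - k])]
        if any(acc):
            return False
    return True


def shortest_lfsr(S):
    """Exhaustive SLFSR synthesis: the least L together with one f of degree <= L generating S
    (f is returned as its coefficient tuple (1, f_1, ..., f_L))."""
    for L in range(len(S) + 1):
        for tail in product((0, 1), repeat=L):
            f = (1,) + tail
            if generates(f, L, S):
                return f, L
    raise AssertionError("unreachable: L = N always generates S")


def discrepancy(f, L, S, i):
    """d_i = f_i(S^{i+1}) = s_{i+1} + f_1 s_i + ... + f_L s_{i+1-L}, a vector over GF(2).
    (l_i <= i for an SLFSR of S^i, so every index used here is valid.)"""
    acc = list(S[i])
    for k in range(1, L + 1):
        if f[k]:
            acc = [a ^ b for a, b in zip(acc, S[i - k])]
    return tuple(acc)


def _bits(v):
    """Pack a GF(2) vector (tuple) into an int for elimination."""
    return int("".join("1" if c else "0" for c in v), 2) if v else 0


def in_span(v, vectors):
    """True iff v is a GF(2)-linear combination of `vectors` (Gaussian elimination on bit masks)."""
    pivots = {}                                   # leading bit -> reduced row with that leading bit

    def reduce(x):
        while x:
            top = x.bit_length() - 1
            if top not in pivots:
                return x
            x ^= pivots[top]
        return 0

    for u in vectors:
        r = reduce(_bits(u))
        if r:
            pivots[r.bit_length() - 1] = r
    return reduce(_bits(v)) == 0


def theorem3_trace(S):
    """For n = 0 .. N-1 return (n, l_{n+1}, d_n in span{d_0, ..., d_{n-1}}), where (f_n, l_n)
    is an SLFSR of S^n found by exhaustive search and d_n = f_n(S^{n+1}). Theorem 3 asserts
    that l_{n+1} == n + 1 exactly when the third entry is False."""
    trace, ds = [], []
    for n in range(len(S)):
        f_n, l_n = shortest_lfsr(S[:n])          # S^0 is empty: f_0 = 1, l_0 = 0
        d_n = discrepancy(f_n, l_n, S, n)
        l_next = shortest_lfsr(S[:n + 1])[1]
        trace.append((n, l_next, in_span(d_n, ds)))
        ds.append(d_n)
    return trace


def theorem3_holds(S):
    """Check the Theorem 3 equivalence along the whole sequence S."""
    return all((l_next == n + 1) == (not in_sp) for n, l_next, in_sp in theorem3_trace(S))


def all_sequences(M, N):
    """Every vector sequence of length N over GF(2)^M (for exhaustive checks)."""
    return [tuple(seq) for seq in product(tuple(product((0, 1), repeat=M)), repeat=N)]


# Constructed sample: M = 2 sequences of length N = 6 (s_j = (a_{1j}, a_{2j})),
# chosen so that (1 + x + x^2, 2) generates it from S^3 on.
SAMPLE = ((1, 0), (0, 1), (1, 1), (1, 0), (0, 1), (1, 1))

if __name__ == "__main__":
    print("SLFSR of sample:", shortest_lfsr(SAMPLE))
    for row in theorem3_trace(SAMPLE):
        print("n=%d  l_{n+1}=%d  d_n in span: %s" % row)
```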

REFERENCES

(1) Xiao Guozhen et al., "Pseudorandom sequences and their applications", National Defense Industry Press of China.

(2) J.L. Massey, "Shift-register synthesis and BCH decoding", IEEE Trans. Inform. Theory, Vol. IT-15, Jan. 1969.

(3) Feng Guiliang and K.K. Tzeng, "An Iterative Algorithm for Multi-sequence Synthesis with Shortest LFSR", Scientia Sinica (Science in China), A, August.

Fig. 1 Massey's Conjectured Algorithm for Multi-sequence Shift Register Synthesis. (Flowchart; the surviving labels are the test "does there exist u_1, ..., u_s such that d_n + u_1 d_{k_1} + ... + u_s d_{k_s} = 0?", the set I = {i : u_i ≠ 0}, the updates L ← max{L, n − k_i + l_{k_i} : i ∈ I}, c(D) ← c(D) + Σ_{i∈I} u_i D^{n−k_i} c_{k_i}(D) and L ← n + 1, and the comment that any c(D) = 1 + c_1 D + ... + c_{n+1} D^{n+1} can be used at the point marked ⊙.)

LINEAR RECURRING m-ARRAYS

Dongdai Lin, Mulan Liu

Institute of Systems Science, Academia Sinica, Beijing, 100080, China

ABSTRACT

In this paper, the properties, structures and translation equivalence relations of linear recurring m-arrays are systematically studied. The number of linear recurring m-arrays is given.

1. Introduction

Reed and Stewart [11], Spann [5] and [2] have studied the arrays of so-called perfect maps. This has led to research on various types of window properties for arrays (see [2]-[11]).

In this paper, we make a systematic study of the linear recurring m-arrays of dimension 2. We characterize their structure, and discuss their translation-addition, pseudo-random and sampling properties. We also give the number of linear recurring m-arrays.

All the results in this paper are obtained over the finite field GF(2). One can easily generalize the results to any finite field GF(q).

2. Basic concepts

Let A = (a_{ij})_{i≥0,j≥0} be an array. An m×n submatrix A(i,j) = (a_{i+i',j+j'})_{0≤i'<m,0≤j'<n} of A is called an m×n window of A at (i,j). Ā(i,j) is the row vector (a_t)_{0≤t<mn} of dimension mn, where a_t = a_{i+i',j+j'}, i' = [t/n] is the integer part of t/n, and j' = (t/n) = t − n[t/n].

Definition 2.1: Let A be an array of period r×s. If all m×n windows in a period of A are exactly all non-zero m×n matrices over GF(2), then we call A an m×n-th order m-array of period r×s, or an (r,s;m,n) m-array in short.

Corollary 2.1.1: There exists an (r,s;m,n) m-array only if rs = 2^{mn} − 1.

Definition 2.2: Let A = (a_{ij})_{i≥0,j≥0} be an array, and m and n two positive integers. If there exist two mn×mn matrices T_h and T_v as in (2.2) such that the recurring relations

(2.1)

hold for all i, j ≥ 0,

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 351-357, 1988. © Springer-Verlag Berlin Heidelberg 1988

(2.2)

where the entries at the positions marked * are elements of F_2, then we say A is an LR array of order m×n. The window A(0,0) (or Ā(0,0)) is called the initial state of A.

Definition 2.3: If an LR array of order m×n is also an m-array of order m×n, then we call it an LR m-array of order m×n.

Definition 2.4: Let A = (a_{ij})_{i≥0,j≥0} and B = (b_{ij})_{i≥0,j≥0} be two periodic arrays. If there exist two non-negative integers p, q such that

b_{ij} = a_{i+p,j+q} for all i ≥ 0, j ≥ 0,

then B is called the (p,q)-translation of A, denoted by B = A_{p,q}.

Obviously, the translation relation is an equivalence relation.

Proposition 2.1: Given T_h, T_v as in (2.2), let G(T_h,T_v) be the set of all LR arrays with the linear recurring relations (2.1), and let A, B ∈ G(T_h,T_v). Then

1) A_{p,q} ∈ G(T_h,T_v) for any integers p, q ≥ 0.

2) Define 1·A = A, 0·A = 0. Then G(T_h,T_v) is a vector space over GF(2).

3) If there exists one LR m-array of order m×n in G(T_h,T_v), then every one in G(T_h,T_v) is an LR m-array of order m×n. Furthermore T_h T_v = T_v T_h and T_h, T_v are non-degenerate.

Definition 2.5: We call an array A non-degenerate if (2.1) holds for some non-degenerate matrices T_h and T_v as in (2.2).

Corollary 2.5.1: A non-degenerate LR array must be periodic.

Since we are interested in studying LR m-arrays, from now on we always assume that T_h, T_v are non-degenerate and that they commute.

3. αβ-Array

We call an array A = (a_{ij})_{i≥0,j≥0} an αβ-array if its component a_{ij} = L(α^i β^j) for all i, j ≥ 0, where α, β ∈ GF(q) and L is a linear function on GF(q) over GF(2) (GF(2) ⊆ GF(q)).

In this section, we will mainly study the linear recurring relations of αβ-arrays and the necessary and sufficient condition for an αβ-array to be an m-array. We will

also compute the number of equivalence classes of αβ-m-arrays.

Lemma 3.1: Let rs = 2^{mn} − 1, (r,s) = 1, o(2 mod r) = m (i.e. the order of 2 in Z_r is m) or o(2 mod s) = n, and let A = (a_{ij})_{i≥0,j≥0} where a_{ij} = L(γ^{is+jr}) for all i ≥ 0, j ≥ 0, L is a non-zero linear function on GF(2^{mn}) over GF(2), and γ is a primitive element of GF(2^{mn}). Then A is an (r,s;m,n) LR m-array.

Proof: See [13].

Let L be a non-zero function on the field GF(q) over its prime field GF(p). We define L* to be an elementwise transformation between vectors or matrices over GF(q) and those over GF(p) respectively, as follows:

(a_t)L* = (L(a_t)) and (a_{ij})L* = (L(a_{ij})),

where (a_t) is a row or column vector over GF(q) and (a_{ij}) is a finite or infinite matrix over GF(q).

Proposition 3.2: Let α, β ∈ GF(2^m), o(α) = r, o(β) = s. If rs = 2^m − 1 for some m and (r,s) = 1, then there exists a primitive element γ of GF(2^m) such that α = γ^s, β = γ^r.

Theorem 3.3: Let A = (α^i β^j)L* be an αβ-array, where L is a non-zero linear function on F_2(α,β). Then A is a non-degenerate LR array. Furthermore, A is an (r,s;m,n) m-array if and only if the following conditions are satisfied:

1) o(β) = s, o(α) = r and rs = 2^{mn} − 1.

2) {α^i β^j : 0 ≤ i < r, 0 ≤ j < s} is the set of all non-zero elements of GF(2^{mn}).

3) {α^i β^j : 0 ≤ i < m, 0 ≤ j < n} is a basis of GF(2^{mn}) over GF(2).

In fact, A is then an (r,s;m,n) LR m-array.

Corollary 3.3.1: Let r×s be the period of an αβ-m-array. Then (r,s) = 1.

Let f(x) = x^m + Σ_{i=1}^{m} c_i x^{m−i} be a monic polynomial of degree m over GF(2). Let T = (d_{ij})_{0≤i<m,0≤j<n} be an m×n matrix over GF(2) and A = (a_{ij})_{i≥0,j≥0} an arbitrary array. If

(3.1)

we say A ∈ G(f,T).

Proposition 3.4: Suppose f, T as above. Then there exist T_h, T_v such that T_h T_v = T_v T_h and G(T_h,T_v) = G(f,T).

Proposition 3.5: Let f, T be as in Prop. 3.4. If all non-zero arrays in G(f,T) are m-arrays of order m×n, then f(x) must be irreducible.

Proposition 3.6: Let A ∈ G(f,T) be an m-array of order m×n and period r×s. Then r = the period p(f) of f(x), and o(2 mod r) = m.

Proposition 3.7: If rs = 2^{mn} − 1, then either o(2 mod r) = mn or o(2 mod s) = mn.

Proposition 3.8: Let f, T be as in Prop. 3.4, all arrays in G(f,T) be (r,s;m,n) m-arrays, o(2 mod r) = m and α be a root of f(x). Construct a polynomial g(x) of degree n over F_2(α) = GF(2^m) as follows:

then g(x) is irreducible over F_2(α) and p(g) = s.

Theorem 3.9: Let A = (L(α_1^i β_1^j))_{i≥0,j≥0} and B = (L(α_2^i β_2^j))_{i≥0,j≥0} be two αβ-m-arrays of period r×s. Then A and B are equivalent if and only if the following statements are satisfied:

1) α_1 and α_2 are conjugate over GF(2).

2) If α_1 = α_2^{2^{i_0}} (for some i_0), then β_1 and β_2^{2^{i_0}} are conjugate over F_2(α_1) = F_2(α_2).

Theorem 3.10: The number of equivalence classes of αβ-m-arrays of period r×s is φ(rs)/log_2(rs+1), where φ is Euler's function.

4. General LR m-Array

In this section, we discuss general LR m-arrays. The main results are about their structure, enumeration and the necessary and sufficient conditions for the existence of arrays with a given period r×s.

Proposition 4.1: Suppose A ∈ G(T_h,T_v) is an (r,s;m,n) LR m-array. Then p(T_h) = s, p(T_v) = r and the order of any eigenvalue of T_h (T_v resp.) is s (r resp.).

Proposition 4.2: Suppose A ∈ G(T_h,T_v) is an (r,s;m,n) LR m-array and o(2 mod s) = mn. Then

1) the characteristic polynomial of T_h is irreducible, and both T_h and T_v are similar to a diagonal form under the same transformation.

2) the minimal polynomial g(x) of T_v is irreducible and deg(g(x)) = m' if o(2 mod r) = m'.

Theorem 4.3 (Existence): For given positive integers r and s, there exists an m-array with period r×s if and only if (r,s) = 1 and rs = 2^m − 1 (for some m).

Theorem 4.4 (Structure): Any LR m-array must be an αβ-m-array.

Remark 4.5: By Prop. 3.2, we know that there is a primitive element γ in GF(2^{mn}) such that

(4.1)

Therefore each LR m-array can be determined by a primitive element γ and a linear function L. We denote A by A_{r×s}(γ,L), where r×s is the period of A. Obviously, for different linear functions, the A_{r×s}(γ,L)'s are equivalent.

Corollary 4.4.1: An (r,s;m,n) LR m-array is also an (r,s;mn,1) or (r,s;1,mn) LR

m-array, according to which one of o(2 mod r) and o(2 mod s) is mn.

Corollary 4.4.2: The number of equivalence classes of LR m-arrays of period r×s is φ(rs)/log_2(rs+1).

Remark 4.6: By Prop. 3.9, it is easy to prove that, for any two conjugate primitive elements γ_1 and γ_2 of GF(2^{mn}) with respect to GF(2), A_{r×s}(γ_1,L) and A_{r×s}(γ_2,L) are equivalent. But the number of conjugate classes of primitive elements of GF(2^{mn}) with respect to GF(2) is also φ(rs)/log_2(rs+1), so that there is a 1-1 correspondence between the equivalence classes of r×s periodic LR m-arrays and the conjugate classes of primitive elements of GF(2^{mn}) (or all primitive polynomials of degree mn over GF(2)) (see Remark 4.5 and Corollary 4.4.2). This map can be obtained by (4.1) of Remark 4.5.

The above correspondence is very useful in Section 5 for studying the properties of LR m-arrays. From now on, G_{r×s}(f) will denote the set of all the arrays of period r×s which correspond to a primitive polynomial f.

5. Properties of LR m-Arrays

LR m-arrays can be thought of as generalized m-sequences. LR m-arrays have many good properties, as m-sequences do. In this section, we study the properties of translation-addition, sampling and correlation.

Proposition 5.1: An infinite matrix A of period r×s is an LR m-array if and only if

1) (r,s) = 1;

2) for any given integers p_1, p_2, q_1, q_2 ≥ 0, either A_{p_1,q_1} + A_{p_2,q_2} = 0 or A_{p_1,q_1} + A_{p_2,q_2} = A_{p,q} for some p, q ≥ 0.

The property given above is a characteristic property of LR m-arrays, called the translation-addition property of LR m-arrays.

Proposition 5.2: For any LR m-array of order m×n, the mn vectors Ā(i,j) (0 ≤ i < m, 0 ≤ j < n) are linearly independent and all Ā(i,j) can be linearly expressed by them.

Definition 5.1: Let A = (a_{ij})_{i≥0,j≥0} and (r,s) be a pair of positive integers. We call (a_{ir,js})_{i≥0,j≥0} an (r,s)-sample of A, denoted A^{(r,s)}. Especially, the (r,r)-sample is called a diagonal sample of A.

Theorem 5.3: Let A be an LR m-array with period P_v × P_h and (r,s) be a pair of positive integers. If (r,P_v) = 1 = (s,P_h), then A^{(r,s)} is again an LR m-array with period P_v × P_h, and any LR m-array of period P_v × P_h is equivalent to some (diagonal) sample of A. Furthermore, if (r',P_v) = (r,P_v) = (s',P_h) = (s,P_h) = 1, then A^{(r,s)} and A^{(r',s')} are equivalent if and only if r' ≡ r·2^t and s' ≡ s·2^{t'} (mod 2^{mn} − 1) for some t and t'.

Definition 5.2: Let A = (a_{ij})_{i≥0,j≥0} be an array of period r×s. The autocorrelation

function of A is defined as the function

where χ is a function from GF(2) to {1,−1} such that χ(0) = 1, χ(1) = −1.

Definition 5.3: Let A be a binary array with period r×s. If

C_A(p,q) = rs when p ≡ 0 mod r and q ≡ 0 mod s, and C_A(p,q) = −1 otherwise,

then we call A a pseudo-random array.

Theorem 5.4: Suppose A is a pseudo-random array with period r×s. Then rs ≡ 3 mod 4 and the difference between the numbers of 1's and 0's in a period of A is 1.

Theorem 5.5: Any LR m-array is a pseudo-random array.

Definition 5.4: Let A = (a_{ij})_{i≥0,j≥0} and B = (b_{ij})_{i≥0,j≥0} be two arrays of period r×s. Define their crosscorrelation function as follows:

C_{A,B}: Z×Z → Z,  C_{A,B}(p,q) = Σ_{i=0}^{r−1} Σ_{j=0}^{s−1} χ(a_{ij}) χ(b_{i+p,j+q}),

where χ is just as in Definition 5.2.

Theorem 5.6: Suppose γ is a primitive element of GF(2^n), γ^{u_1}, γ^{u_2}, ..., γ^{u_k} (0 < u_i < 2^n − 1) are the first roots of the primitive polynomials f_{u_1}(x), ..., f_{u_k}(x) respectively, u_1 > u_2 > ... > u_k, (r,s) = 1, rs = 2^n − 1. Then for any arrays A ∈ G_{r×s}(f_{u_i}), B ∈ G_{r×s}(f_{u_j}) and any t_1, t_2 ≥ 0, we have

C_{A,B}(t_1,t_2) ≤ 2^n − 1 − 2u_k.

Theorem 5.7 (Gold Optimum Pair): Let γ be a primitive element of GF(2^n) and u_1 = 2^{n−1} − 1. (The remainder of the statement distinguishes the cases 2 ∤ n, with the value 2^{(n−1)/2}, and 2 | n but 4 ∤ n, with the value 2^{n/2}.)
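An added example (not from the paper) constructing the (3,5;2,2) array of Lemma 3.1 in Python: rs = 15 = 2^4 − 1, (3,5) = 1, o(2 mod 3) = 2 = m, with γ a root of the primitive polynomial x^4 + x + 1 and L the coefficient of x^0 (both the example's own choices), so a_ij = L(γ^{5i+3j}). It then checks the window property of Definition 2.1, the translation-addition property of Proposition 5.1 and the autocorrelation of Definition 5.3, and also shows the same checks rejecting an array that is an m-array only for a different window size.

```python
from math import gcd


def gf2n_powers(poly, deg):
    """alpha^0 .. alpha^(2^deg - 2) for a root alpha of the primitive polynomial `poly` (bit mask,
    leading term included) over GF(2); field elements are ints with bit k = coefficient of x^k."""
    pw, x = [], 1
    for _ in range(2 ** deg - 1):
        pw.append(x)
        x <<= 1
        if x >> deg & 1:
            x ^= poly
    return pw


def lr_m_array(alpha_pow, r, s, L=lambda x: x & 1):
    """One r x s period of the array a_ij = L(gamma^(i*s + j*r)) of Lemma 3.1, i.e. the
    alpha-beta-array with alpha = gamma^s (order r) and beta = gamma^r (order s) of Prop. 3.2.
    L defaults to the coefficient of x^0, a non-zero GF(2)-linear function (example's choice)."""
    N = len(alpha_pow)
    return [[L(alpha_pow[(i * s + j * r) % N]) for j in range(s)] for i in range(r)]


def windows(A, m, n):
    """The row vectors A-bar(i,j) of all m x n windows over one period (indices wrap around)."""
    r, s = len(A), len(A[0])
    return [tuple(A[(i + u) % r][(j + v) % s] for u in range(m) for v in range(n))
            for i in range(r) for j in range(s)]


def is_m_array(A, m, n):
    """Definition 2.1: the rs windows are exactly all 2^(mn) - 1 non-zero m x n matrices."""
    W = windows(A, m, n)
    return all(any(w) for w in W) and len(set(W)) == len(W) == 2 ** (m * n) - 1


def translation(A, p, q):
    """A_{p,q}: b_ij = a_{i+p, j+q} (Definition 2.4)."""
    r, s = len(A), len(A[0])
    return [[A[(i + p) % r][(j + q) % s] for j in range(s)] for i in range(r)]


def translation_addition_holds(A):
    """Proposition 5.1: (r,s) = 1 and every sum of two translates is 0 or again a translate
    (it suffices to add A itself to each A_{p,q}; other pairs are translates of these sums)."""
    r, s = len(A), len(A[0])
    translates = {tuple(map(tuple, translation(A, p, q))) for p in range(r) for q in range(s)}
    for p in range(r):
        for q in range(s):
            B = translation(A, p, q)
            total = tuple(tuple(x ^ y for x, y in zip(ra, rb)) for ra, rb in zip(A, B))
            if any(any(row) for row in total) and total not in translates:
                return False
    return gcd(r, s) == 1


def autocorrelation(A, p, q):
    """C_A(p,q) = sum over a period of chi(a_ij) chi(a_{i+p,j+q}), chi(0) = 1, chi(1) = -1."""
    r, s = len(A), len(A[0])
    return sum((-1) ** (A[i][j] ^ A[(i + p) % r][(j + q) % s])
               for i in range(r) for j in range(s))


def is_pseudo_random(A):
    """Definition 5.3: C_A(p,q) = rs for p = 0 mod r and q = 0 mod s, and -1 otherwise."""
    r, s = len(A), len(A[0])
    return all(autocorrelation(A, p, q) == (r * s if p % r == 0 and q % s == 0 else -1)
               for p in range(r) for q in range(s))


if __name__ == "__main__":
    gamma = gf2n_powers(0b10011, 4)            # x^4 + x + 1, primitive over GF(2)
    A = lr_m_array(gamma, 3, 5)                # rs = 15 = 2^4 - 1, (3,5) = 1, o(2 mod 3) = 2 = m
    for row in A:
        print("".join(map(str, row)))
    print("(3,5;2,2) m-array:", is_m_array(A, 2, 2))
    print("translation-addition:", translation_addition_holds(A))
    print("pseudo-random:", is_pseudo_random(A))
```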

REFERENCES

[1] Zhe-xian Wan, "Algebra and Coding Theory", Science Press, Beijing, 1980, revised edition.

[2] B. Gordon, "On the existence of perfect maps", IEEE Trans. Inform. Theory vol. IT-12, 486-487, 1966.

[3] F.J. MacWilliams and N.J.A. Sloane, "Pseudo-random sequences and arrays", Proc. IEEE vol. 64, pp 1715-1729, 1976.

[4] T. Nomura, H. Miyakawa, H. Imai and A. Fukuda, "A theory of two dimensional linear recurring arrays", IEEE Trans. Inform. Theory vol. IT-18, pp 775-785, 1972.

[5] R. Spann, "A two-dimensional correlation property of pseudo-random maximal-length sequences", Proc. IEEE vol. 53, pp 2137, 1963.

[6] J.H. van Lint, F.J. MacWilliams and N.J.A. Sloane, "On pseudo-random arrays", SIAM J. Appl. Math. vol. 36, pp 62-72, 1979.

[7] C.T. Fan, S.M. Fan, S.L. Ma and M.K. Siu, "On de Bruijn arrays", Ars Combin. vol. 19A (1985), 205-213.

[8] S. Homer, Jerry Goldman, "Doubly-periodic sequences and two-dimensional recurrence", SIAM J. Alg. Disc. Math. vol. 6 (1985), 360-370.

[9] S.L. Ma, "A note on binary arrays with a certain window property", IEEE Trans. Inform. Theory vol. IT-30 (1984), 774-775.

[10] T. Nomura and A. Fukuda, "Linear recurring planes and two-dimensional cyclic codes", Trans. Inst. Electron. Commun. Eng. Jap. vol. 54-A, pp 147-154, Mar. 1971.

[11] I.S. Reed and R.M. Stewart, "Notes on the existence of perfect maps", IEEE Trans. Inform. Theory vol. IT-8, pp 10-12, Jan. 1962.

[12] D. Calabro and J.K. Wolf, "On the synthesis of two-dimensional arrays with desirable correlation properties", Inform. Contr. vol. 11, pp 537-560, Nov./Dec. 1967.

[13] M.K. Siu, "m-Arrays and M-Arrays" (1985).

[14] L.E. Dickson, "On the cyclotomic function", Amer. Math. Monthly vol. 12 (1905), 86-89.

SUBSTANTIAL NUMBER OF CRYPTOGRAPHIC KEYS AND ITS APPLICATION TO ENCRYPTION DESIGNS

Eiji OKAMOTO

C&C Information Research Laboratories, NEC Corporation

4-1-1, Miyazaki, Miyamae-ku, Kawasaki, 213 JAPAN

ABSTRACT

A new concept of the substantial number of cryptographic keys (SNK) in key spaces is proposed and is applied to encryption designs. SNK is defined as the number of keys which are far from each other. It must be greater than 2^56, for instance, to have essentially the same number of keys as DES. This SNK condition restricts the design parameters of encryption systems. In this paper, SNK is strictly defined in key spaces, followed by illustrations of SNKs in fundamental encryption algorithms and product ciphers. Then SNK is applied to the design of encryption systems to decide the design parameters. It is useful for designing product ciphers in particular. SNK should be considered as one of the criteria of encipherment strength.

I. INTRODUCTION

In encryption designs, the technique of combining two or more fundamental encryption algorithms is very useful, because it produces a complicated encryption scheme and a lot of keys. The product of the numbers of keys in the fundamental encryption algorithms is usually regarded as the number of keys in the combined encryption scheme. Some product ciphers, however, do not have so many keys. In Fig. 1, for example, the total number of keys in the product cipher of an n-bit block substitution cipher and an n-bit block transposition cipher is not substantially equal to n!·(2^n)!, but (2^n)!. This shows that every encryption scheme must have the property of key independence from each other. In other words, the message deciphered with a wrong key must be totally different from the original message.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 361-373, 1988. © Springer-Verlag Berlin Heidelberg 1988
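To make the Fig. 1 count concrete, an added example (not the paper's code) enumerates, for small n, every composition of an n-bit block transposition with an n-bit block substitution and counts the distinct block mappings that result: the n!·(2^n)! composite keys collapse to (2^n)! mappings, because a bit transposition is itself one of the substitutions.

```python
from itertools import permutations


def substitution_keys(n):
    """All n-bit block substitutions: the (2^n)! permutations of the block values 0 .. 2^n - 1."""
    return [tuple(p) for p in permutations(range(2 ** n))]


def transposition_keys(n):
    """All n-bit block transpositions (the n! permutations of bit positions), each written as
    the block-value mapping it induces so that it can be composed with a substitution."""
    keys = []
    for perm in permutations(range(n)):
        table = []
        for block in range(2 ** n):
            out = 0
            for src, dst in enumerate(perm):     # bit `src` of the input moves to position `dst`
                if block >> src & 1:
                    out |= 1 << dst
            table.append(out)
        keys.append(tuple(table))
    return keys


def product_cipher_key_counts(n):
    """(nominal, substantial): nominal = n! * (2^n)! composite keys (transposition followed by
    substitution, as in Fig. 1); substantial = number of distinct block mappings they realise."""
    subs, trans = substitution_keys(n), transposition_keys(n)
    realised = {tuple(s[t[x]] for x in range(2 ** n)) for s in subs for t in trans}
    return len(subs) * len(trans), len(realised)


def keys_per_mapping(n):
    """How many composite keys collapse onto each realised mapping (n!, one per transposition)."""
    nominal, substantial = product_cipher_key_counts(n)
    return nominal // substantial


if __name__ == "__main__":
    for n in (2, 3):
        nominal, substantial = product_cipher_key_counts(n)
        print(f"n={n}: {nominal} composite keys realise {substantial} distinct mappings, "
              f"{keys_per_mapping(n)} keys per mapping")
```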

Page 338: Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings

362

There are two methods of designing encryption schemes to overcome the mu- tual dependence of keys. The first method is based on the key selection such that the keys to select are separated from each other in the key space, called ‘sphere packing cipher’. Na.kamura[l] showed this kind of seKsynchronizing stream cipher scheme using error correcting codes. The design of transposition ciphers using Reed-Solomon codes in [2] is also based on the same idea.

The second method is based on a design such that the probability of any key lying in the neighborhood of any other key is made as small as $2^{-56}$, for instance. This method does not require a special selection of keys as in the first method. Users can select any key in the key space.

The second method leads to a new concept of the number of keys, the Substantial Number of Keys (SNK). Roughly speaking, SNK is the number of keys which are different from each other, in the sense that close keys are regarded as one key. In this paper, the difference of two keys in the key space is defined precisely and SNK is discussed in this space. The design parameters of any encryption scheme are restricted by the condition that the encryption scheme should have enough SNK to avoid exhaustive key attacks. The sphere packing cipher is also reviewed from the point of view of SNK. The SNK should be considered as one of the criteria of encipherment strength.

II. SUBSTANTIAL NUMBER OF KEYS (SNK)

1. Definition of SNK

A key space consists of the set of all keys, the probabilities of selecting any key, and the differences between any two keys. The key set of a transposition cipher, for example, contains all transpositions, including the identity (pass-through) transposition of the input data. Let $Q_d(K)$ be the probability of selecting a key lying in the sphere of radius $d$ around key $K$. Then the substantial number of keys, $SNK_d$, regarding any two keys within difference $d$ of each other as the same, is defined as

where $A[\ ]$ means the average with respect to the probability of selecting keys. This definition is justified by the following example: the total number $N$ of stones is given by $1/Q$ when the probability of selecting any one stone from all the stones is $Q$, because $Q = 1/N$.

Although the difference of two keys in the key space could be defined in various ways, this paper employs the reversed-bits rate[1], $r(K_1, K_2)$, to define it.


Here, $M$ is any message, and $E_K(\ )$, $D_K(\ )$ are encryption and decryption with key $K$, respectively. Key $K_2$ is not necessarily the decryption key corresponding to $K_1$. Function $h(\ ,\ )$ denotes Hamming distance, and $L(\ )$ denotes length. In Eq.(2), $A[\ ]$ is the average when message $M$ is randomly selected from the message space which contains all messages. Then, the difference $\rho(K_1, K_2)$ between two keys $K_1$ and $K_2$ is defined as

$$\rho(K_1, K_2) = \frac{1}{2} - \left|\frac{1}{2} - r(K_1, K_2)\right| . \qquad (3)$$

The difference $\rho$ is the reversed-bits rate $r$ when $r \le 1/2$, or $1 - r$ when $r > 1/2$. In other words, it is the minimum of the distances from the reversed-bits rate to 0 and to 1. The measure is useful especially for voice data.

2. Examples of SNK

This section illustrates the SNKs of the four block ciphers in Fig.2. In the figure, (a), (b) and (c) are examples of fundamental ciphers and (d) is an example of a product cipher. Every key is selected with equal probability. The integer $n$ means the block length of the ciphers.

a) Exclusive-or cipher

An exclusive-or cipher has the vector $P$ as its key. The key space is an $n$-dimensional space which contains $2^n$ keys in all. If the Hamming distance between the encrypting key $P_1$ and the decrypting key $P_2$ is $h$, the reversed-bits rate $r$ is given by

$$r = \frac{h}{n} . \qquad (4)$$

If $P_2$ is a uniform random variable, the distance $h$ is a binomial random variable. Then the probability $Q_d = A[Q_d(P_1)]$ is

$$Q_d = \Pr\{r < d\} + \Pr\{r > 1 - d\} = 2^{-n}\sum_{h < dn}\binom{n}{h} + 2^{-n}\sum_{h > (1-d)n}\binom{n}{h} . \qquad (5)$$

Since the binomial distribution is approximated by the Gaussian,

$$\sum_{i=0}^{k}\binom{n}{i} p^i q^{n-i} \simeq 1 - \mathrm{erf}\!\left(\frac{k - np}{\sqrt{npq}}\right), \qquad p + q = 1 ,$$


the probability $Q_d$ is nearly equal to

$$Q_d \simeq 2\,\mathrm{erf}\big((1 - 2d)\sqrt{n}\big) . \qquad (9)$$

Therefore $SNK_d$ is

$$SNK_d \simeq \frac{1}{2\,\mathrm{erf}\big((1 - 2d)\sqrt{n}\big)} . \qquad (10)$$

Figure 3 (a) shows the SNK curve of exclusive-or ciphers with respect to $n$, where $d$ is regarded as a parameter. The number $k$ is the length of SNK:

$$k = \log_2 SNK . \qquad (11)$$

The data block length $n$ should be more than 500, if $SNK > 2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

b) Substitution cipher

A substitution cipher of $n$-bit block is a permutation of $n$-bit patterns, hence the total number of keys is $2^n!$. Let $K_1, K_2$ denote the keys of the encryption and decryption transformations, respectively, and $D_{K_2}E_{K_1}$ be the composite of the two transformations. The reversed-bits rate between any input bit to $D_{K_2}E_{K_1}$ and any output bit from it is equal to that between the MSBs (most significant bits) of the input and the output. Figure 4 illustrates an example of a substitution cipher with $n = 3$. When the Hamming distance between column $I_1$ (the MSB of the input bits) and column $O_1$ (the MSB of the output bits) is $2h$, which is always even, the reversed-bits rate is

$$r = \frac{2h}{N} ,$$

and the total number of substitution ciphers is given by:

Therefore, the probability of $r < d$ or $r > 1 - d$ is

$$\sum_{h < dM} \cdots \;+\; \sum_{h > (1-d)M} \cdots , \qquad (13)$$


where $M = N/2 = 2^{n-1}$. As the binomial distribution is approximated by

the probability Qd is approximately equal to

Equation (14) is the same as Eq.(9) if the integer $n$ in Eq.(9) is replaced with $2^n$. This means substitution ciphers might be exponentially stronger than exclusive-or ciphers. Hence, the SNK of substitution ciphers is equal to:

Figure 3 (b) shows the SNK curve of substitution ciphers with respect to $n$, where $d$ is regarded as a parameter. The data block length $n$ should be more than 8, if $SNK > 2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

c) Transposition cipher

There are $n!$ transposition ciphers of $n$-bit block in all. Since the inverse of a transposition cipher and the composite of two transposition ciphers are again transposition ciphers, the transformation $D_{K_2}E_{K_1}$ is another transposition cipher. An example of $D_{K_2}E_{K_1}$ is illustrated by Fig.5. In the figure, the integer $h$ is the number of bits actually permuted in the product transposition. The reversed-bits rate of the product transposition cipher is

$$r = \frac{h}{2n} \le \frac{1}{2} . \qquad (16)$$

The total number of transposition ciphers in which $h$ bits are actually permuted is

$$\binom{n}{h} D_h . \qquad (17)$$

The symbol $D_h$ means

$$D_h = h! \sum_{j=0}^{h} \frac{(-1)^j}{j!} .$$


In other words, $D_h$ is the number of transpositions $(a_1, a_2, \ldots, a_h)$ of $(1, 2, \ldots, h)$ such that $a_1 \ne 1, a_2 \ne 2, \ldots, a_h \ne h$. When $h$ is large enough, $D_h$ is approximately equal to $h!/e$:

$$D_h \simeq e^{-1} h! \qquad (h \to \infty) . \qquad (18)$$

When $h > 5$, $D_h/h!$ coincides with $e^{-1}$ in more than 2 digits. The probability of $r < d$ is obtained by

$$\Pr\{r < d\} = \frac{1}{n!}\sum_{h < 2dn}\binom{n}{h} D_h . \qquad (19)$$

Though $D_h$ is not equal to $h!/e$ if $h$ is small, we can ignore this in Eq.(19), because then both $\binom{n}{h}$ and $D_h$ are much smaller than the other terms, and so is $h!/e$. Therefore,

$$Q_d \simeq e^{-1}\sum_{h < 2dn}\frac{1}{(n-h)!} = F\big((1 - 2d)n,\, 1\big) , \qquad (20)$$

where $F$ is the Poisson distribution:

Since the Poisson distribution can be approximated by the Gaussian distribution, SNK is approximately

$$SNK_d \simeq e\,\lfloor (1 - 2d)n \rfloor ! . \qquad (22)$$

The symbol $\lfloor x \rfloor$ denotes the maximum integer not greater than $x$. Figure 3 (c) shows the SNK curve of transposition ciphers with respect to $n$, regarding $d$ as a parameter. The data block length $n$ should be more than 45, if $SNK > 2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

d) Transposition & Exclusive-or ciphers

The substantial number of keys in the product cipher of a transposition cipher and an exclusive-or cipher is calculated as an example of SNK in product ciphers. The product cipher has $2^n n!$ keys in all. Although this product cipher is simple, it is rather important in radio transmission, for instance, because it is the general form with no error propagation[3]. That is, the decryption process does not expand errors that occurred in transmission, and the only cipher with no error propagation is the transposition and exclusive-or product cipher.

The composite transformation of the encryption with key $K_1$ and the decryption with key $K_2$ is another transposition and exclusive-or transformation. Figure 6 shows an example of the product cipher $D_{K_2}E_{K_1}$. In the figure, the reversed-bits rate is

$$r = \frac{h/2 + a}{n} . \qquad (23)$$

The integer $h$ is the number of actually permuted bits, and $a$ is the number of 1's in $P$ that are not permuted. The total number of transposition and exclusive-or ciphers which have $h$ bits actually permuted and $a$ bits of 1's in $P$ as just

Using Eq.(18), the total number equals

$$\frac{2^h\, n!}{e\,(n - h - a)!\,a!} . \qquad (24)$$

Hence, the probability of r < d or r > 1 - d is

$$\cdots \simeq \cdots \simeq 2e^{-1}\sum_{j\ \mathrm{even}} \cdots , \qquad l = (1 - 2d)n . \qquad (25)$$

Here, the second and third $\simeq$ hold because the terms corresponding to $j = 2$ and $l = (1 - 2d)n$ are much larger than the other terms. Therefore, the SNK of the transposition and exclusive-or cipher is obtained by

The length of the SNK of the transposition and exclusive-or ciphers, $k_{T\&E}$, is nearly equal to

$$k_{T\&E} \simeq k_T + (1 - 2d)n - 1 , \qquad (26)$$

where $k_T$ indicates the length of the SNK of the transposition cipher. This shows that the SNK length of the transposition cipher increases owing to the exclusive-or of the bit pattern $P$. Figure 3 (d) illustrates the SNK. The data block length of the transposition


and exclusive-or ciphers should be more than 37, when SNK is more than $2^{56}$ and the reversed-bits rate lies between 0.3 and 0.7.

III. BOUNDARY OF SNK

The substantial number of keys is closely related to sphere packing. In this section, a bound on SNK is given in terms of the number of spheres packed in the key space. Though the difference defined by Eq.(3) does not necessarily constitute a distance in key spaces, the key spaces are assumed to be metric spaces in this section. The differences in exclusive-or ciphers or nonlinear feedback shift register stream ciphers[1], for instance, are proved to be distances.

Sphere packing is to pack as many spheres into the key space as possible. The maximum number of spheres of diameter $d$, that is, the number of keys of the sphere packing cipher $N_d$, is less than or equal to $SNK_d$:

This inequality may be considered as nearly equal. However, Nd is much larger than SNKd in general, because the radius of the sphere is d / 2 :

Hence, SNKd is bounded by:

IV. APPLICATION TO ENCRYPTION DESIGN

In encryption design, both the substantial number of keys SNK and the difference $d$ (or the reversed-bits rate $r$) are given as design parameters. When $SNK = 2^{56}$ and the reversed-bits rate is more than 0.3 and less than 0.7 ($d = 0.3$), for example, Fig.3 shows the block size $n$ should be


$$n_{T\&E} \ge 38 .$$

Under these SNK conditions, one can pick up any key in the key space as an encryption key. One does not have to select special keys. An arbitrary $n$-bit pattern $P$ can be used as a key in the exclusive-or cipher. You don't have to worry about an eavesdropper happening to pick up a deciphering key close to the right key, because the probability is less than $SNK^{-1} = 2^{-56}$.

The sphere packing ciphers have to satisfy the SNK condition too. Though $N_d$ is the number of keys of the ciphers, the condition $N_d \ge 2^{56}$ is not enough. The ciphers must also satisfy $SNK_d \ge 2^{56}$. Otherwise, the key picked up by an eavesdropper, which is not necessarily a key of this scheme, is close to the right key with probability greater than $2^{-56}$. This shows the condition $N_d \ge 2^{56}$ is meaningless. Eq.(28) shows $SNK_d$, not $N_d$, is critical.

DES probably satisfies the SNK condition, because the SNK of DES is much larger than $2^{56}$. The SNK of DES is approximately given by $2e^{(2^{17}(1 - 2d)^2)/\pi}$ using Eq.(15), if DES is treated as a huge substitution cipher. When DES is considered as a product cipher, SNK would be less than that, but much larger than $2^{56}$, though the actual calculation is very complicated.

The SNK condition is useful when one wishes to construct a rather simple encryption scheme by the combination of fundamental ciphers.
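As an added worked example (not code from the paper), the following Python evaluates the SNK lengths of the four ciphers of Fig.2 and applies the design rule of Sec. IV. It assumes equiprobable keys, evaluates $Q_d$ for the exclusive-or and substitution ciphers exactly from the binomial model of Eq.(5) rather than through the erf approximation of Eq.(9), and uses Eqs.(22) and (26) for the transposition and product ciphers; the function names and the Monte Carlo check are this example's own.

```python
"""SNK worked example for the four ciphers of Fig.2 (added example; not the paper's code).

Assumptions: every key is selected with equal probability; for the exclusive-or
and substitution ciphers Q_d is evaluated exactly from the binomial model behind
Eq.(5) (the paper then approximates it by erf in Eq.(9)); the transposition and
transposition & exclusive-or ciphers use the closed forms Eq.(22) and Eq.(26).
All function names below are this example's own.
"""
import math
import random
from fractions import Fraction
from math import comb

# Design parameters of Sec. IV: SNK > 2^56, reversed-bits rate in (0.3, 0.7).
D_DESIGN = Fraction(3, 10)
SNK_BITS = 56


def log2_fraction(x: Fraction) -> float:
    """log2 of a positive rational whose numerator/denominator may be huge."""
    return math.log2(x.numerator) - math.log2(x.denominator)


def q_xor_exact(n: int, d: Fraction) -> Fraction:
    """Q_d for an n-bit exclusive-or cipher, exactly (Eq.(5)).

    The Hamming distance h between the encrypting key P1 and a uniformly
    random decrypting key P2 is Bin(n, 1/2) and r = h/n (Eq.(4)), so
    Q_d = Pr{r < d} + Pr{r > 1-d} = 2 * Pr{h < dn} by symmetry of h and n-h.
    """
    tail = sum(comb(n, h) for h in range(n + 1) if h < d * n)
    return Fraction(2 * tail, 2 ** n)


def k_xor(n: int, d: Fraction) -> float:
    """SNK length k = log2 SNK_d (Eq.(11)), with SNK_d = 1/Q_d, exclusive-or cipher."""
    return -log2_fraction(q_xor_exact(n, d))


def k_substitution(n: int, d: Fraction) -> float:
    """Substitution cipher: the exclusive-or result with n replaced by 2^n
    (Sec. II.2 b), Eqs.(14)-(15))."""
    return k_xor(2 ** n, d)


def k_transposition(n: int, d: Fraction) -> float:
    """Transposition cipher, Eq.(22): SNK_d ~ e * floor((1-2d) n)!."""
    m = math.floor((1 - 2 * d) * n)
    return math.log2(math.e) + math.log2(math.factorial(m))


def k_transposition_xor(n: int, d: Fraction) -> float:
    """Transposition & exclusive-or product cipher, Eq.(26):
    k_{T&E} ~ k_T + (1-2d) n - 1."""
    return k_transposition(n, d) + float((1 - 2 * d) * n) - 1


def min_block_length(k_func, d: Fraction = D_DESIGN, bits: int = SNK_BITS,
                     n_max: int = 4096) -> int:
    """Smallest block length n whose SNK length exceeds `bits` (the Sec. IV rule)."""
    for n in range(1, n_max + 1):
        if k_func(n, d) > bits:
            return n
    raise ValueError("no block length up to n_max meets the SNK condition")


def q_xor_monte_carlo(n: int, d: Fraction, trials: int, seed: int = 1) -> float:
    """Empirical Q_d: fraction of random decrypting keys P2 whose reversed-bits
    rate against a fixed encrypting key P1 is < d or > 1-d (Sec. II.1).
    The keys are constructed here from a seeded PRNG."""
    rng = random.Random(seed)
    p1 = rng.getrandbits(n)
    low, high = d * n, (1 - d) * n
    close = 0
    for _ in range(trials):
        h = bin(p1 ^ rng.getrandbits(n)).count("1")  # h = Hamming distance(P1, P2)
        if h < low or h > high:
            close += 1
    return close / trials


if __name__ == "__main__":
    ciphers = [("exclusive-or", k_xor), ("substitution", k_substitution),
               ("transposition", k_transposition),
               ("transposition & exclusive-or", k_transposition_xor)]
    for name, k in ciphers:
        print(f"{name:29s}: n >= {min_block_length(k)} for SNK > 2^{SNK_BITS}")
    exact = float(q_xor_exact(32, D_DESIGN))
    print(f"Q_0.3 for a 32-bit exclusive-or cipher: exact {exact:.5f}, "
          f"Monte Carlo {q_xor_monte_carlo(32, D_DESIGN, 100_000):.5f}")
```

Because Eq.(22) is itself an approximation, the threshold it yields for the transposition cipher at $d = 0.3$ ($n \ge 48$) differs slightly from the $n > 45$ read off Fig.3 (c).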

V. CONCLUSION

The substantial number of keys, SNK, has been defined and illustrated with examples of fundamental ciphers and a product cipher. SNK is one of the encipherment strength criteria. In encryption design, SNK is used to condition the design parameters. The SNK is useful for the design of product ciphers in particular.

I would like to thank Mr. Nakamura and Ms. Tanaka for lots of helpful discussions.

REFERENCES

[1] K. Nakamura, "On Self-synchronization Encryption Systems," 24th Allerton Conf., pp.1057-1063, 1986, (also in Proc. of SITmO, pp.371-377, in Japanese).

[2] E. Okamoto and K. Nakamura, "Permutation Ciphers Based on Reed-Solomon Codes," 1983 IECE Conf., pp.1.463-1.464 (in Japanese).

[3] E. Okamoto and K. Nakamura, "Relation between Error Propagation and Nonlinearity in Cryptosystems," 1985 IECE Conf., p.6.27 (in Japanese).


[Fig. 1 Product Cipher: a transposition followed by a substitution (figure not reproduced).]

[Fig. 2 Examples of Cipher: (a) Exclusive-or with key pattern $P$, (b) Substitution, (c) Transposition, (d) Transposition & Exclusive-or, all on $n$-bit blocks (figure not reproduced).]


[Fig. 3 Examples of SNK: $\log_2 SNK$ versus block length $n$ for $d = 0.2, 0.3, 0.4$; panels (a) Exclusive-or ($n$ up to 2500), (b) Substitution ($n$ up to 20), (c) Transposition ($n$ up to 120), (d) Transposition & Exclusive-or ($n$ up to 100) (figure not reproduced).]


[Fig. 4 Substitution Cipher: input/output table of a 3-bit substitution, $n = 3$ (figure not reproduced).]

[Fig. 5 Transposition Cipher: example of $D_{K_2}E_{K_1}$ with $h = 3$ bits actually permuted (figure not reproduced).]


[Fig. 6 Product Cipher: transposition & exclusive-or $D_{K_2}E_{K_1}$ with $n - h$ unpermuted and $h$ permuted bits (figure not reproduced).]


A MEASURE OF SEMIEQUIVOCATION

Andrea Sgarro

Department of Mathematics and Computer Science University of Udine 33100 Udine, Italy

ABSTRACT

A Shannon-theoretic cryptographic model is described in which the purpose of the cryptanalyst is to find a set of $M$ elements containing the solution, rather than finding the solution itself. For $M = 2$ we introduce the notions of semientropy, semiequivocation and duplicity distance, which are counterparts to well-known notions met in the case $M = 1$. It is argued that in some situations our model takes into account the semantical competence of the cryptanalyst (as opposed to his statistical competence) better than the usual model does.

I. Introduction

In Shannon-theoretic cryptography the clearmessage source is usually described as a stochastic process. In the literature results have appeared for substitution and transposition ciphers (cf e.g. /1/ to /5/) which hold assuming that the message source has a well-defined statistical behaviour, for example that it is memoryless and stationary; the letter probabilities might be given, as in /1/ to /5/, or might be left unspecified. The latter point of view is called "universal" in non-secret coding theory, but we feel that this term is rather misleading in the context to follow (statisticians prefer the less ambitious term "robust"). In /6/ also the case of Markov sources is covered.

Let us assume that the clearmessage is written in a natural language like English. Describing English as a Markov process with memory 3 is often considered to be reasonably adequate; actually, in non-secret coding much coarser descriptions have brought forth considerable practical

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 375-387, 1988. © Springer-Verlag Berlin Heidelberg 1988


success, starting with the Morse code of 1838. As a matter of fact, a natural language results from the superposition of comparatively simple frequency-type dependences and extremely complicated semantical dependences which can act even over a very large range. In principle, also this latter type of dependences can be captured in a single all-comprehensive statistical description: its intricacy, however, is far past the possibility of numerical assessment.

In cryptography, unlike in non-secret coding, keeping only short-range frequency-type dependences does not seem to be a wise policy. Frequency-type descriptions are too optimistic, because they ignore the semantical competence of the cryptanalyst. This is the opposite of what one should do in cryptography, where, if need be, models have to be over-pessimistic, and not the other way round.

In /6/ and /5/ this author has pointed out certain unpleasant "paradoxes" which result from assuming that the clearmessage source has a simple and well-defined statistical behaviour, like, say, memoryless and stationary, or Markov with given memory. Certainly, no paradox arises in the case of results which are "universal" in the proper sense of this term. Take the perfection of the one-time pad (cf e.g. /8/), which holds true whatever the message statistics may be; no assumption is needed, not even ergodicity or stationarity. This result, covering even the most mysterious long-range dependences, is perfectly sound and ready to be used. Unfortunately, accepting only results which have such universal validity is a very restrictive policy, indeed.

Below we describe an alternative Shannon-theoretic model which takes inspiration from historical cryptanalytic practice. The idea is the following: a cryptanalyst would first use his frequency-type statistical knowledge to curtail the number of possible solutions; when this number is small, semantics gets the upper hand of frequency-type statistics, and he can find the solution directly without further bother. In other words, the purpose of the spy is not to find the solution by frequency-type arguments, but only to find a "small" set of possible solutions. In the following we shall fix an integer $M$ and declare "small" a set with $M$ elements; actually in calculations we shall go so far as to take $M = 2$. Of course, this is quite arbitrary; however, our purpose here is to explore the quantitative variations in the new case $M = 2$ with respect to the classical case $M = 1$ to derive qualitative information for the more general situation $M > 1$. Observe that since we assume that the first part of the spy's job is statistical "stricto sensu" we are justified in using those neat descriptions for the behaviour of the message source which we have argued to be fishy in the case $M = 1$.

Our approach leads us to define a new measure of equivocation, which we call semiequivocation. Key equivocation, say, represents the uncertainty of the spy who has intercepted the cryptogram and wants to identify the correct key (cf e.g. /8/); instead, key semiequivocation will represent the uncertainty of the spy who only wants to find a doubleton containing the correct key. Equivocation is a conditional entropy; its meaning is based on the fact that Shannon's entropy is an adequate measure of statistical uncertainty. Before introducing our new measure of semiequivocation, we shall have to introduce an (unconditional) new measure of "semi-uncertainty", called semientropy, which will be the counterpart to Shannon's entropy. This will be done in section II, while section III is devoted to the notions of semiequivocation and duplicity distance, the latter being the counterpart to that of unicity distance (cf e.g. /8/); an example is given. Section IV contains a final comment.

We adopt the notation of /9/ for information-theoretic concepts; in particular, $H(X) = H(P)$ is the entropy of the random variable (r.v.) $X$ with probability distribution (p.d.), or probability vector, $P = (p_1, p_2, \ldots, p_K)$, while $I(X; Y) = I(P, W)$ is the mutual information between the r.v.'s $X$ and $Y$, the probability distribution of this random couple being determined by the p.d. $P$ of $X$ and the stochastic matrix $W$ which gives the conditional probabilities of $Y$ given $X$; $h(p)$ is the binary entropy function: $h(p) = H(P)$ with $P = (p, 1 - p)$; $D(P \| Q)$ is the informational divergence (cross-entropy) of $P$ and $Q$, in this order. Logarithms are to any base greater than 1. The source alphabet is $\mathcal{A} = \{a_1, a_2, \ldots, a_K\}$, $K \ge 2$; we shall write indifferently $p_i$ or $P(a_i)$.

II. Semientropy

Shannon's entropy is considered to be an adequate measure of statistical uncertainty. There are several justifications, both "axiomatic" and "pragmatic", of this interpretation (cf e.g. /9/). The pragmatic point of view derives the meaning of entropy from coding theorems which, roughly speaking, state that $H(X) = H(P)$ is the minimum (not necessarily integer) number of bits needed to reliably describe the outcome of r.v. $X$; these bits are "nearly" independent and equidistributed, so that each binary digit contains almost exactly one binary bit of information (cf /9/); (we suppose here that the logs are to the base 2). In our setting a "reliable description" of the outcome of $X$ must be understood in a slacker sense. Actually, we are not interested in knowing the exact value of $X$, but rather in finding out an $M$-set to which this value belongs. We shall take inspiration from rate-distortion theory. Let us take a reproduction alphabet whose "letters" are the $M$-sets of primary letters (we assume $M \le K$); let us consider a distortion measure $d(a, y)$ which is zero iff (if and only if) letter $a$ belongs to set $y$ (one may define $d(a, y) = 1$ otherwise, but this is irrelevant for zero distortions). We shall resort to $R_P(0)$, the rate-distortion function computed for distortion level 0, to measure the "reduced uncertainty" contained in $X$ which is relevant to us. Of course, for $M = 1$ one re-finds Shannon's entropy; for $M = 2$, $R_P(0)$ will be called the semientropy of $X$, or of $P$, and denoted by $S(X) = S(P)$. In the following, unless otherwise specified, we assume $M = 2$.

$S(P)$ represents the minimum (not necessarily integer) number of bits (of $D$-its if logs to the base $D$ are used) needed to reliably describe the outcome of $X$, taking into account our reduced needs of fidelity with respect to the classical case $M = 1$.

Definition 1. The semientropy $S(X) = S(P)$ of r.v. $X$ with p.d. $P$ is defined as

Above the first minimum is taken with respect to stochastic matrices $W$ such that $W(y \mid a) > 0$ implies $a \in y$, or $d(a, y) = 0$; the second with respect to a random couple $XY$ with distribution given by $P$ and $W$, $W$ as above. Corollary 2.3.7 in /9/ allows us to give an alternative definition of $S(P)$:

Above $Q = (q_1, q_2, \ldots, q_K)$ is a p.d. over the primary alphabet $\mathcal{A}$. The theorem below gives an explicit formula for $S(P)$.

Theorem 1. $S(P) = H(P) - \log 2$ if $p^* \le \tfrac12$,

$S(P) = H(P) - h(p^*)$ if $p^* \ge \tfrac12$, $p^*$ being the largest probability in $P$.


Proof. The bound $S(P) \ge H(P) - \log 2$ follows from $I(X; Y) = H(X) - H(X \mid Y) = H(P) - H(X \mid Y)$ because, given the doubleton $Y$, $X$ takes at most two values with positive probability, the two elements of $Y$. We explore the conditions for equality in that bound. The bound is attained when an admissible $W$ exists such that $P(a \mid y) = P(b \mid y) = \tfrac12$ for any $y = \{a, b\}$ such that $R(y) > 0$ (the notation is self-explanatory; $R$ is the marginal distribution over the secondary alphabet). Therefore the criterion for having equality in the bound is $W(y \mid a) = R(y)/(2P(a))$, $a \in y$. Suppose $R$ has been fixed over the set of couples. A $W$ giving that $R$ exists iff, for each $a$:

(non-negativity for W is ensured by non-negativity for P). Therefore the lower bound is attained iff the system:

has non-negative solutions $R(y)$ (these sum to 1, as ensured by $\sum p_i = 1$: the sum of the left-hand sides is $2\sum_y R(y)$). For $p^* > \tfrac12$ the system is clearly impossible. In the Appendix we prove that the system does admit positive solutions for $p^* \le \tfrac12$. Then $S(P) = H(P) - \log 2$ for $p^* \le \tfrac12$, $S(P) > H(P) - \log 2$ for $p^* > \tfrac12$. Fix letter $a$ and use a test matrix $W$ defined as follows ($a \ne b$):

A computation shows that in this case $I(P, W) = H(P) - h(P(a))$. Then, for all $i$: $S(P) \le H(P) - h(p_i)$. Consider now the alternative definition (1) of $S(P)$. Without real restriction assume $p_1 = p^*$; we shall use the test distribution $Q$ with components proportional to $(p^*, 1 - p^*, 1 - p^*, \ldots, 1 - p^*)$. If $p^* \ge \tfrac12$, or $p^* \ge 1 - p^*$, one obtains after a few calculations:

Therefore, for $p^* \ge \tfrac12$: $S(P) \ge H(P) - h(p^*)$. Combining the two inequalities for $S(P)$ one has $S(P) = H(P) - h(p^*)$ for $p^* \ge \tfrac12$. QED


As a corollary to the theorem we soon obtain a list of properties of $S(P)$ which vindicate its interpretation as an uncertainty measure to be used when the "experimenter" does not care about the precise value taken by r.v. $X$, but is satisfied as soon as he knows a doubleton containing $X$:

Corollary 1.

i) $S(P)$ is a concave function of $P$;

ii) $0 \le S(P) \le \log \frac{K}{2}$; $S(P) = 0$ iff $P$ has at most two positive components; for $K > 2$: $S(P) = \log \frac{K}{2}$ iff $P$ is uniform;

iii) $H(P) - \log 2 \le S(P) \le H(P)$; $S(P) = H(P) - \log 2$ iff $p^* \le \tfrac12$ (cf theorem 1); $S(P) = H(P)$ iff $H(P) = 0$: that is iff $X$ is deterministic.

The properties in i) and ii) are obvious counterparts to similar properties of Shannon's entropy $H(P)$; we stress that, as soon as there are at least three positive probability letters, $S(P)$ is positive too. In iii) $S(P)$ and $H(P)$ are compared; the inequality $S(P) \le H(P)$ is always strict in the non-deterministic case. The difference $H(P) - S(P)$ is largest when the uncertainty $H(P)$ is "large", in the sense that there is no single "event" of "high" probability.

Remark. Observe that similar properties with $M$ instead of 2 can be derived also in the general case $2 \le M \le K$ directly from the definition of $S(P)$ extended to the case $M > 2$ (take the secondary alphabet to be the set of $M$-sets of primary letters; in the alternative definition (1) one has to consider the sum of the $M$, and not of the two, most $Q$-probable letters). Property i) is a general property of the rate-distortion function for fixed distortion level and follows from the (weak) concavity in $P$ of $I(P, W)$ (cf /9/); the left side of ii) is trivial; the right side can be obtained from representation (1) computing the maximum in $P$ of the right side of (1) and interchanging the two extrema; the left side of iii) can be obtained generalizing the arguments given at the beginning of the proof of the theorem; the right side is trivial. We go back to the case $M = 2$.

The concavity of S ( P ) is not strict, since S ( P ) = 0 for all P with at most two positive components. Theorem 2 below deepens property i). It turns out that there is more linearity than that brought about by the case S ( P ) = 0; therefore, from the point of view of concavity S ( P ) and H ( P ) exhibit an important difference of behaviour (cf the discussion after corollary 2 below).


Theorem 2. Consider the closed segments of p.d.'s of the following form:

i) $[R, Q]$, with $R$ and $Q$ deterministic, $R \ne Q$;

ii) $[R, Q]$, with $r_i = \tfrac12$, $q_i = 1$.

$S(P)$ is linear over all segments of this form and nowhere else. If $P$ is a p.d. over a segment of type i) one has $S(P) = 0$; if $P$ is a p.d. over a segment of type ii) one has $S(P) = 2(1 - p_i)S(R) = 2(1 - p_i)[H(R) - \log 2]$.

Proof. In the "inner region" $\max p_i \le \tfrac12$, $S(P)$ is strictly concave, $H(P)$ being so. Let us go to the "outer region" $\max p_i \ge \tfrac12$ (the regions' frontiers overlap). The case i) when $S(P) = 0$ has already been disposed of. We go to case ii) assuming $K \ge 3$, else $S(P)$ is identically zero. A p.d. $P$ over $[R, Q]$ has the form $P = (p_1, \varepsilon r_2, \varepsilon r_3, \ldots, \varepsilon r_K)$, $\tfrac12 \le p_1 \le 1$, $\varepsilon = 2(1 - p_1)$, $0 \le \varepsilon \le 1$ (we have taken $i = 1$ without real restriction). A computation shows that:

$$S(P) = H(P) - h(p_1) = \varepsilon [H(R) - \log 2] = \varepsilon S(R) \qquad (3)$$

Clearly, $S(P)$ cannot be linear over a proper super-segment of $[R, Q]$, else one would trespass into the inner region. We have still to prove that $S(P)$ is linear only over segments i) and ii). Take $R$ and $Q$ distinct in the outer region. First assume that $R$ and $Q$ have their maximum in the same position, say the first. Then this is true also of the outer region point $V = \tfrac12 R + \tfrac12 Q$. Assume $S(P)$ is linear over the segment $[R, Q]$. Then $S(V)$ can be computed in two ways (use linearity and (3)):

$$S(V) = \tfrac12 S(R) + \tfrac12 S(Q) = (1 - r_1) S(\tilde R) + (1 - q_1) S(\tilde Q)$$

and $S(V) = 2(1 - v_1) S(\tilde V)$.

Above $\tilde R, \tilde Q, \tilde V$ are suitable p.d.'s over the region intersection with $\tilde r_1 = \tilde q_1 = \tilde v_1 = \tfrac12$. By comparison, recalling that $v_1 = \tfrac12 r_1 + \tfrac12 q_1$:

or:

$$\alpha H(\tilde R) + (1 - \alpha) H(\tilde Q) = H(\tilde V), \qquad \text{with } \alpha = \frac{1 - r_1}{2 - r_1 - q_1}$$

(the denominator is not zero, because $R$ and $Q$ are distinct). Actually, $\tilde V = \alpha \tilde R + (1 - \alpha) \tilde Q$, as a computation shows (convert the definition of $V$ into an equality for $\tilde V$, $\tilde R$ and $\alpha$). It is enough to observe that $H(P)$ is strictly concave to conclude $\tilde V = \tilde R = \tilde Q$; then $V$, $R$ and $Q$ lie on one of the old segments. Assume now that $R$ has its maximum in the first position, while $Q$ in the second, say. If $r_1 = q_2 = \tfrac12$, the open segment $]R, Q[$ lies in the inner region, and there $S(P)$ is strictly concave. If $r_1 > \tfrac12$, say, there is a sub-segment of $[R, Q]$ with positive length for whose points the first component is at least $\tfrac12$. Taking into account this sub-segment, we go back to the cases already dealt with. QED

The figure shows some of the linearity segments in the case $K = 3$; the dotted lines show the region intersection.
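As an added example (not the paper's code), the Python below computes $S(P)$ both from the closed form of Theorem 1 and directly from Definition 1 as the zero-distortion rate-distortion function over doubletons, then checks Corollary 1 and the linearity segments of Theorem 2. The alternating-minimisation algorithm and all names are this example's own choices, and logarithms are taken to base 2.

```python
"""Semientropy S(P) of Sec. II computed two ways (added example; not the paper's code).

semientropy() is the closed form of Theorem 1.  semientropy_numeric() evaluates
Definition 1 directly: the zero-distortion rate-distortion function over the
secondary alphabet of doubletons, minimised by an alternating (Blahut-Arimoto
style) iteration, which is this example's choice of algorithm, not the paper's.
Logarithms are to base 2, so the paper's "log 2" is 1.  Names are this example's own.
"""
import math
from itertools import combinations


def entropy(p):
    """Shannon entropy H(P) in bits; zero components contribute nothing."""
    return -sum(x * math.log2(x) for x in p if x > 0)


def h(p):
    """Binary entropy function h(p) = H((p, 1-p))."""
    return entropy((p, 1 - p))


def semientropy(p):
    """Theorem 1: S(P) = H(P) - log 2 if p* <= 1/2, else H(P) - h(p*)."""
    p_star = max(p)
    return entropy(p) - (1.0 if p_star <= 0.5 else h(p_star))


def semientropy_numeric(p, iters=10000):
    """Definition 1: min I(P, W) over admissible W, where the reproduction
    letters y are doubletons {a, b} of primary letters and W(y|a) > 0 only
    if a is in y (zero distortion).  Alternating minimisation:
        W(y|a) = R(y) / sum_{y' containing a} R(y'),  R(y) = sum_{a in y} p_a W(y|a).
    Letters of probability zero are left out: they do not affect R or I."""
    K = len(p)
    pairs = list(combinations(range(K), 2))
    support = {a for a in range(K) if p[a] > 0}
    admissible = {a: [y for y in pairs if a in y] for a in support}
    r = {y: 1.0 / len(pairs) for y in pairs}          # start from the uniform R
    w = {}
    for _ in range(iters):
        for a in support:
            z = sum(r[y] for y in admissible[a])
            for y in admissible[a]:
                w[(y, a)] = r[y] / z
        r = {y: sum(p[a] * w[(y, a)] for a in y if a in support) for y in pairs}
    # I(P, W) = sum_a p_a sum_y W(y|a) log( W(y|a) / R(y) )
    return sum(p[a] * w[(y, a)] * math.log2(w[(y, a)] / r[y])
               for y in pairs for a in y
               if a in support and w[(y, a)] > 0 and r[y] > 0)


def segment_point(r, p1):
    """A p.d. on a linearity segment of Theorem 2 ii): R has r_1 = 1/2, Q is
    deterministic on letter 1, and P = (p1, e r_2, ..., e r_K) with
    e = 2(1 - p1), 1/2 <= p1 <= 1, so that S(P) = e S(R) (Eq.(3))."""
    assert abs(r[0] - 0.5) < 1e-12 and 0.5 <= p1 <= 1
    e = 2 * (1 - p1)
    return (p1,) + tuple(e * x for x in r[1:])


if __name__ == "__main__":
    # Corollary 1: S = 0 with two positive components, S = log(K/2) when uniform.
    for p in [(0.1, 0.2, 0.3, 0.4), (0.7, 0.1, 0.1, 0.1),
              (0.25, 0.25, 0.25, 0.25), (0.5, 0.5, 0.0)]:
        print(p, "Theorem 1:", round(semientropy(p), 6),
              "Definition 1:", round(semientropy_numeric(p), 6))
    R = (0.5, 0.3, 0.2)
    for p1 in (0.5, 0.6, 0.8, 1.0):   # S(P) = 2(1 - p1) S(R) along the segment
        P = segment_point(R, p1)
        print(p1, round(semientropy(P), 6), round(2 * (1 - p1) * semientropy(R), 6))
```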

III. Semiequivocation and duplicity distance

Below we deal with the case M = 2; however, much of what follows can be extended to the case of any M (cf. the remark in section II).

So far we have defined a measure of unconditional "semi-uncertainty". Now we define a measure of conditional semi-uncertainty. Assume XC is a finite random couple; for convenience X will be interpreted as the random key (also the random message would be a suitable interpretation) and C as the random cryptogram. For an observed cryptogram c, S(X | C = c), the unconditional semientropy of the conditional distribution of X given C = c, is well-defined unless c has zero probability. We set:

Definition 2. The semiequivocation of r.v. X given r.v. C is

$$S(X \mid C) = \sum_{c} \mathrm{Prob}\{C = c\}\; S(X \mid C = c),$$

the sum being extended to all c's of positive probability.

Recall that the usual equivocation (conditional entropy) H(X | C) can be defined in a similar way.

From the properties of the semientropies S(X | C = c) one soon derives properties for the semiequivocation S(X | C) (use corollary 1):

Corollary 2.

j) S(X | C) ≤ S(X); if X and C are independent, S(X | C) = S(X);

jj) 0 ≤ S(X | C) ≤ log(K/2); S(X | C) = 0 iff for any cryptogram of positive probability there are at most two keys with positive conditional probability; for K > 2: S(X | C) = log(K/2) iff for any such cryptogram the conditional probability of the random key is uniform.

The inequality in j), which is an essential requirement for any measure of conditional uncertainty, follows from concavity; note that the independence of X and C is not a necessary condition to have S(X | C) = S(X): actually S(X | C) = S(X) iff the conditional distributions of X given the cryptograms c of positive probability all lie on the same linearity segment (use theorem 2), or if they coincide, that is if X and C are independent. This is at variance with the case of the usual equivocation H(X | C), where independence is also a necessary condition to have H(X | C) = H(X). An explicit expression for S(X | C) follows (use theorem 1).

Corollary 3. Set h*(p) = h(p) if p ≥ 1/2, h*(p) = log 2 else. Then

$$S(X \mid C) = H(X \mid C) - \sum_{c} \mathrm{Prob}\{C = c\}\; h^{*}\!\left(\max_{z} \mathrm{Prob}\{X = z \mid C = c\}\right),$$

the sum being extended to all cryptograms c of positive probability and the max to all keys z.

We can now consider two functions of the non-negative integer n. Below C_n is the random cryptogram of length n made up of the first n random outputs of the cryptogram letter source. We use the equivocation function e(n) and define a semiequivocation function s(n):

$$s(n) = S(X \mid C_n), \qquad s(0) = S(X).$$


It is known that e(n) is non-increasing; using j) one obtains a similar property for s(n). The corollary below also lists properties derived from corollary 1:

Corollary 4. The semiequivocation function s(n) is a non-negative non-increasing function of n. One has:

$$e(n) - \log 2 \le s(n) \le e(n),$$

with equality on the left iff there are no keys with a conditional probability exceeding 1/2, and equality on the right iff e(n) = 0.

Now we fix a "negligible" positive real number ε. We use the unicity distance d_1 and define a duplicity distance d_2. The former is the least integer for which e(n) ≤ ε, the latter is the least integer for which s(n) ≤ ε; if one or both of these integers do not exist, the corresponding distance is set equal to +∞. As for their meaning, d_1 and d_2 represent the least number of cryptogram letters to be intercepted before the key equivocation, or the key semiequivocation, respectively, becomes negligible. If d_1 = +∞, the cipher system with random key X and random cryptogram C_n is called (simply) ideal; if d_2 = +∞ the cipher system is called doubly ideal. (Note that different definitions of unicity distance and ideal ciphers are found in the literature; the notions to be captured, however, are similar.) As s(n) ≤ e(n), one has d_2 ≤ d_1. In particular: any doubly ideal cipher is also simply ideal. The possibly void set of integers {n : s(n) ≤ ε, e(n) > ε} = {n : d_2 ≤ n < d_1} is of relevance here: if the cryptogram length is in that set the cipher is unbreakable for a cryptanalyst who is devoid of "semantical competence" (M = 1), but is breakable for a cryptanalyst whose "semantical competence" is M = 2.

Example. Take a single-letter substitution cipher for a memoryless and stationary source (cf. /1/ to /3/, /6/ or /8/). Assume that the cipher is complete (all t! alphabet permutations are allowed to be used as keys, t being the number of distinct message letters in the message alphabet) and canonical (keys are equiprobable). Set:

$$A = t_1!\, t_2! \cdots t_r!$$

where r is the number of distinct components in the message letter p.d., each appearing $t_1, t_2, \ldots, t_r$ times, respectively ($t_1 + t_2 + \cdots + t_r = t$). One has 1 ≤ A ≤ t!; A = 1 when all the t letter probabilities are distinct, A = t! when the message letter p.d. is uniform. Then, for a suitable infinitesimal δ(n):

$$e(n) = H(X \mid C_n) = \log A + \delta(n)$$


(cf. /1/ where more information on the asymptotic behaviour of δ(n) is given). This cipher has no asymptotic security for A = 1; in the sequel we assume that there are at least two source letters with the same probability. Then, for each key z and each cryptogram c, Prob{X = z | C_n = c} = Prob{X = z̃ | C_n = c} ≤ 1/2, z̃ being the alphabet permutation obtained from z by interchanging those two letters. Therefore (corollary 4):

$$s(n) = e(n) - \log 2 = \log\frac{A}{2} + \delta(n)$$

In particular, for A = 2 (only two letters have the same probability) the cipher is simply ideal (d_1 = +∞) and so cannot be broken however long the intercepted cryptogram is; instead, d_2 is finite (we assume ε < log 2) and so, at least for sufficiently long cryptograms, the cipher can be broken by a semantically equipped cryptanalyst.
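Definition 2, corollary 3, corollary 4 and the substitution-cipher example above can all be checked numerically on a toy instance. The following Python block is an added example, not code from the paper: it constructs a three-letter memoryless source in which two letters are equiprobable (so A = 2!·1! = 2), enumerates all t! = 6 equiprobable keys and all messages of length n, and computes the posterior key distribution for each cryptogram, from which e(n) = H(X | C_n) and s(n) = S(X | C_n) follow via h*. The letter probabilities, the search bound n_max and the threshold ε = 0.5 bit are constructed choices of this example; entropies are measured in bits, so log 2 = 1.

```python
from itertools import permutations, product
from math import log2, prod

# Constructed toy source (not from the paper): two letters are equiprobable,
# so A = 2! * 1! = 2 and the cipher is simply ideal but not doubly ideal.
LETTERS = "abc"
SOURCE = {"a": 0.1, "b": 0.1, "c": 0.8}
# Complete, canonical substitution cipher: all t! permutations, equiprobable keys.
KEYS = [dict(zip(LETTERS, perm)) for perm in permutations(LETTERS)]


def entropy(dist):
    """Shannon entropy in bits of a list of probabilities."""
    return -sum(p * log2(p) for p in dist if p > 0)


def h_star(p):
    """h*(p) of corollary 3: binary entropy h(p) for p >= 1/2, log 2 (= 1 bit) otherwise."""
    return entropy([p, 1 - p]) if p >= 0.5 else 1.0


def semientropy(dist):
    """S(P) = H(P) - h*(max p_i): the semientropy of a p.d. (corollary 3 with a single c)."""
    return entropy(dist) - h_star(max(dist))


def key_posteriors(n):
    """For cryptogram length n: {cryptogram: (Prob{C_n = c}, posterior p.d. over the keys)}."""
    joint = {}  # (cryptogram, key index) -> joint probability
    for msg in product(LETTERS, repeat=n):
        p_msg = prod(SOURCE[m] for m in msg)
        for k, key in enumerate(KEYS):
            c = "".join(key[m] for m in msg)
            joint[(c, k)] = joint.get((c, k), 0.0) + p_msg / len(KEYS)
    by_c = {}
    for (c, k), p in joint.items():
        by_c.setdefault(c, []).append(p)
    return {c: (sum(ps), [p / sum(ps) for p in ps]) for c, ps in by_c.items()}


def equivocation(n):
    """e(n) = H(X | C_n): key equivocation after n intercepted letters."""
    return sum(pc * entropy(post) for pc, post in key_posteriors(n).values())


def semiequivocation(n):
    """s(n) = S(X | C_n): key semiequivocation (definition 2)."""
    return sum(pc * semientropy(post) for pc, post in key_posteriors(n).values())


def distances(eps, n_max):
    """Unicity distance d1 and duplicity distance d2 for threshold eps, searching n <= n_max.
    None stands for +infinity, i.e. the cipher is (simply / doubly) ideal w.r.t. eps."""
    d1 = next((n for n in range(n_max + 1) if equivocation(n) <= eps), None)
    d2 = next((n for n in range(n_max + 1) if semiequivocation(n) <= eps), None)
    return d1, d2


if __name__ == "__main__":
    for n in range(5):
        print(f"n={n}: e(n)={equivocation(n):.4f} bit  s(n)={semiequivocation(n):.4f} bit")
    print("(d1, d2) for eps = 0.5 bit:", distances(0.5, 6))
```

Because every key has a twin (the a/b swap) with the same posterior probability, the maximum conditional key probability never exceeds 1/2, so s(n) = e(n) − 1 bit exactly, the left-hand equality case of corollary 4. e(n) stays above log A = 1 bit for every n (d_1 = +∞), while s(n) drops from log 3 bits at n = 0 to below ε = 0.5 bit at n = 3 (d_2 = 3): the semantically equipped cryptanalyst has narrowed the key down to the two twins, which is all that M = 2 requires.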

IV. A final comment

From the point of view of cryptographic applications our model based on the notions of semiequivocation and duplicity distance appears only as a mathematical abstraction: measuring the "semantical competence" of the cryptanalyst by an integer M, e.g. by M = 2, is certainly not a practical approach. On the other hand, in spite of all its drawbacks, the new model is more adequate than the classical one (M = 1) when the statistical description of the message source is not sufficiently robust so as to cover subtle and possibly long-range semantical dependences. The weakness of a frequency-type description has already been emphasized by exhibiting certain paradoxes which it brings about (cf. /6/ and /7/). Our new model serves as a warning against the dangers of using "clean" statistical message-source descriptions in cryptographic applications.

Appendix. We show that the system (2) has solutions when p' ≤ 1/2. We proceed by induction on K. For K = 2 there is nothing to prove. For K = 3, the alphabet being {a, b, c}, the system is solved by R(a,b), R(a,c) and R(b,c) given by

$$R(x, y) = P(x) + P(y) - P(z), \qquad xyz = abc,\ acb,\ bca$$

Non-negativity holds since there is no single P-probability exceeding the sum of the other two (p' ≤ 1/2; we have written R(a,b) etc. instead of R(b,a) etc.).


In the induction step from K − 1 to K we shall blend the two smallest-probability letters, c and d, say; observe that, since K ≥ 4, P(c) + P(d) cannot exceed 1/2. To improve readability we shall confine ourselves to describing the step from 3 to 4: it will be transparent that the restriction is only in the notation. We shall be contented with solutions with R(c,d) = 0 and so the system to solve is:

$$\begin{aligned}
R(a,b) + R(a,c) + R(a,d) &= 2P(a)\\
R(a,b) + R(b,c) + R(b,d) &= 2P(b)\\
R(a,c) + R(b,c) &= 2P(c)\\
R(a,d) + R(b,d) &= 2P(d)
\end{aligned}$$

We blend c and d to form a super-letter e = {c, d}; we set P(e) = P(c) + P(d), R(z,e) = R(z,c) + R(z,d), z = a, z = b. The reduced system is as the one we have already solved for K = 3, with e instead of c. We obtain a non-negative solution R(a,b), R(a,e), R(b,e). Now we have to split R(a,e) and R(b,e) as the sum of two non-negative terms, R(a,c) + R(a,d) and R(b,c) + R(b,d) respectively, in such a way as to solve the unreduced system. As for the first two equations there (for the first K − 2 equations in the generic induction step) any such non-negative splitting will do. As for the last two equations, a splitting as requested is feasible since we already know that one has

$$[R(a,c) + R(b,c)] + [R(a,d) + R(b,d)] = 2[P(c) + P(d)] = 2P(e)$$
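The induction in the appendix is constructive, so it can be turned directly into a procedure. The Python block below is an added example, not part of the paper: it takes a p.d. P over K ≥ 2 letters with max P ≤ 1/2 and returns a symmetric non-negative R with R(x,x) = 0 and Σ_{y≠x} R(x,y) = 2P(x) for every x, which is the form the system (2) takes in the appendix (reading (2) this way is an assumption of the example, since the system itself is stated earlier in the paper). It uses the closed form for K = 3, and for K ≥ 4 blends the two smallest-probability letters into a super-letter, solves the reduced system recursively, and splits each R(z,e) greedily between c and d so that the last two equations balance, exactly as argued above.

```python
def solve_system_2(P, tol=1e-12):
    """Find symmetric R >= 0 with R(x,x) = 0 and sum_{y != x} R(x,y) = 2 P(x) for all x.
    P maps letters to probabilities; the hypothesis max P <= 1/2 (p' <= 1/2) is required."""
    if len(P) < 2:
        raise ValueError("need at least two letters")
    if max(P.values()) > 0.5 + tol:
        raise ValueError("a letter with probability > 1/2 makes the system unsolvable")
    letters = sorted(P, key=P.get, reverse=True)  # descending probability
    R = {}

    def put(x, y, v):                 # R is symmetric: store both orientations
        R[(x, y)] = v
        R[(y, x)] = v

    if len(letters) == 2:
        a, b = letters
        put(a, b, 2 * P[a])           # p' <= 1/2 forces P(a) = P(b) = 1/2, so R(a,b) = 1
        return R
    if len(letters) == 3:             # base case K = 3: R(x,y) = P(x) + P(y) - P(z)
        a, b, c = letters
        put(a, b, P[a] + P[b] - P[c])
        put(a, c, P[a] + P[c] - P[b])
        put(b, c, P[b] + P[c] - P[a])
        return R

    # Induction step: blend the two smallest letters c, d into a super-letter e.
    rest, c, d = letters[:-2], letters[-2], letters[-1]
    e = ("blend", c, d)               # fresh key that cannot collide with a real letter
    reduced = {z: P[z] for z in rest}
    reduced[e] = P[c] + P[d]          # P(c) + P(d) <= 1/2 because K >= 4
    Rr = solve_system_2(reduced, tol)

    for i, z in enumerate(rest):      # first K-2 equations: any splitting of R(z,e) will do,
        for w in rest[i + 1:]:        # so the entries among the old letters are kept as they are
            put(z, w, Rr[(z, w)])
    put(c, d, 0.0)                    # we content ourselves with R(c,d) = 0
    need_c = 2 * P[c]                 # greedy split of R(z,e) = R(z,c) + R(z,d):
    for z in rest:                    # fill the c-row up to 2P(c), the remainder goes to d;
        share = Rr[(z, e)]            # feasible since sum_z R(z,e) = 2P(e) = 2P(c) + 2P(d)
        to_c = min(share, need_c)
        need_c -= to_c
        put(z, c, to_c)
        put(z, d, share - to_c)
    return R


def check_solution(P, R, tol=1e-9):
    """Verify non-negativity and every row equation sum_{y != x} R(x,y) = 2 P(x)."""
    if any(v < -tol for v in R.values()):
        return False
    return all(abs(sum(R.get((x, y), 0.0) for y in P if y != x) - 2 * P[x]) < tol for x in P)


if __name__ == "__main__":
    # Constructed sample p.d. with four letters, max P = 0.3 <= 1/2.
    P = {"a": 0.3, "b": 0.3, "c": 0.25, "d": 0.15}
    R = solve_system_2(P)
    for x in P:
        print(x, {y: round(R[(x, y)], 3) for y in P if y != x})
    print("solves system (2):", check_solution(P, R))
```

The greedy split is the only place where a choice is made; because the c-row is filled first and the total available mass is 2P(c) + 2P(d), both the c-row and the d-row come out exactly right, and every entry stays non-negative, which is what the argument above needs.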

References

/1/ R. J. Blom, Bounds on key equivocation for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-25, pp. 8-18, Jan. 1979

/2/ J. G. Dunham, Bounds on message equivocation for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-26, pp. 522-527, Sept. 1980

/3/ A. Sgarro, Error probabilities for simple substitution ciphers, IEEE Trans. Inform. Theory, vol. IT-29, pp. 190-198, March 1983

/4/ A. Sgarro, Equivocations for homophonic ciphers, in Advances in Cryptology, Proceedings of Eurocrypt 1984, pp. 51-61, Springer-Verlag, 1985


/5/ A. Sgarro, Equivocations for transposition ciphers, Rivista di matematica per le scienze economiche e sociali, Anno 8, fasc. 2, pp. 107-114, 1985

/6/ A. Sgarro, Exponential-type parameters and substitution ciphers, Probl. of Control and Inform. Theory, vol. 14, pp. 393-403, 1985

/7/ A. Sgarro, Information-theoretic versus decision-theoretic cryptography, E und K, Sonderheft "Kryptologie und Datensicherheit", v. 12, pp. 562-564, Springer-Verlag, 1987

/8/ H. Beker, F. Piper, Cipher Systems, Northwood Books, London, 1982

/9/ I. Csiszár, J. Körner, Information Theory, Academic Press, New York, 1982

SOME NEW CLASSES OF GEOMETRIC THRESHOLD SCHEMES

Marijke De Soete 1) and Klaus Vedder 2)

1) Seminar of Geometry and Combinatorics, State University of Ghent, Krijgslaan 281, B-9000 Ghent, Belgium

2) GAO Gesellschaft für Automation und Organisation mbH, Euckenstraße 12, D-8000 München 70, West Germany

Abstract We construct and discuss new infinite classes of t-threshold schemes with t = 2 and 3 which are based on generalized quadrangles. The paper also contains threshold schemes which deal with the case where the group of trustees is made up of mutually distrusting parties.

1 INTRODUCTION

Any scheme which is to protect information has to be designed with the following three main points in mind: possible loss or destruction of the information or parts thereof, attack from inside or outside to obtain or destroy the information and efficiency.

One obvious way to guard the information against loss or destruction is to make multiple copies of it and distribute them amongst trustworthy parties. This has two obvious drawbacks. Too few copies might cause the loss of the information while too many copies could lead to the information falling into wrong hands. Moreover, each trusted party is in the possession of all of the information.

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 389-401, 1988. © Springer-Verlag Berlin Heidelberg 1988

In 1979 Blakley and Shamir independently introduced what is known under the name "threshold schemes". In those schemes pieces of information are distributed amongst "trustees" in such a way that any number of trustees which achieve a quorum or threshold can reconstruct the information. Clearly "reconstruction of the information" can be replaced by "gaining access", "starting a computer program", "signing a cheque" or anything which is similar to this. A more formal definition reads as follows.

A t-threshold scheme consists of s ≥ t pieces of information, called shadows, such that

(i) a secret datum X can be retrieved from any t of the s shadows and

(ii) X cannot be determined from any t − 1 or fewer of the s shadows.

The second condition needs some explanation. First of all, it means that the knowledge of t − 1 shadows should suggest every possible datum with about the same probability. If the number of possible data is finite, then one can, of course, guess the correct datum in a finite amount of time and the knowledge of t − 1 shadows might even reduce the time necessary. It should, however, be beyond any reasonable computing time.

The security considerations depend on the nature of the secret datum X. If the value of X is, for instance, the master key of a cryptosystem ([3], [S]), then a correct guess of X compromises the system. The probability to do this might be different to the probability to cheat the system by entering "made-up" shadows. If the knowledge of X is by itself of no use, X might be a trigger to start a computer program, then this probability determines the security level. The possible difference of these two probabilities is illustrated by the schemes given in Section 3.3.

In the above definition the number s stands for the maximum number of shadows one can hand out to the trustees. If s = t, the loss of any one shadow is, by definition, equivalent to the loss of the secret datum. This is also the case if s > t but the number of shadows handed out is equal to t. Administrative procedures such as a back-up list of all shadows, of course, prevent such a breakdown but impair the security.

Hence it is advantageous to the designer of a t-threshold scheme if he has some room for manoeuvre between t and s. This allows him to fix the number of distributed shadows according to his needs.

In the present paper we discuss a class of threshold schemes with t = 2 and 3 which have the property that the level of security and with it the number s can be chosen as high and large as desired. They are based on so-called generalized quadrangles. These finite incidence structures also allow the construction of threshold schemes which cater for the situation where the trustees do not trust each other and a threshold has to be achieved in each one of a number of distrusting parties. This could, for instance, also be useful in a situation which involves not only human beings but say computer programs as well. We conclude this introduction with a definition of such threshold schemes.

A (t_1, …, t_n)-threshold scheme is a t-threshold scheme with $t = \sum_{i=1}^{n} t_i$ where the set of shadows is partitioned into n subsets B_i (i = 1, …, n), with |B_i| = s_i, $\sum_{i=1}^{n} s_i = s$, and a quorum of t_i ≤ s_i is needed in each set B_i. If just n thresholds t_1, …, t_n have to be achieved and it does not matter in which one of the sets B_i, we call it a (t_1, …, t_n)*-threshold scheme.

2 GEOMETRIC BACKGROUND

An incidence structure is a triple (P, B, I) which consists of two non-empty and disjoint sets P and B and a subset I ⊆ P × B. The elements of P and B are called points and blocks (or in our context lines), respectively. I is called the incidence relation. We say that a point x and a line L are incident with each other and write x I L if and only if the pair (x, L) is an element of I.

A (finite) generalized quadrangle (GQ) of order (σ, τ) is an incidence structure which satisfies the following axioms:

(i) Each point is incident with exactly 1 + τ lines (τ ≥ 1) and two distinct points are incident with at most one line.

(ii) Each line is incident with exactly 1 + σ points (σ ≥ 1) and two distinct lines are incident with at most one point.

(iii) For every point x and every line L which are not incident with each other, there exists a unique line which is incident with both x and a (unique) point on L.

It follows from this definition that every GQ of order (σ, τ) has associated with it a GQ of order (τ, σ) which is obtained by interchanging the roles of the points and lines. We call it the dual GQ. This implies that in any definition or theorem the words "points" and "lines" and the parameters "σ" and "τ" may be interchanged.

The definition allows us to identify each line with the set of points it is incident with. This and the obvious geometric structure of a GQ are the reasons for expressions such as "x lies on L", "x is contained in L" for x I L and "L and M intersect each other in the point x" for L I x I M.

We call two not necessarily distinct points x and y collinear and write x ∼ y, if there exists a line which contains both of them. If there is no such line we say that they are not collinear and write x ≁ y. The set of points collinear with a point x is denoted by x^⊥ (note that x ∈ x^⊥).

Axiom (iii) is crucial for understanding most of the arguments in this paper. It means that, except for exactly one line, all the remaining τ lines through x do not intersect the line L. So a generalized quadrangle does not contain a "triangle".

The proof of the following lemma is left to the reader as an easy exercise, with the exception of (iii), a proof of which can be found in [7].

Lemma 1 Let (P, B, I) be a generalized quadrangle of order (σ, τ), then

(ii) |x^⊥| = 1 + (τ + 1)σ for all points x ∈ P

(iii) σ + τ divides στ(σ + 1)(τ + 1).

The threshold schemes we are going to introduce are based on the span of point sets. The trace of a pair (x,y) of distinct points is defined to be the set x^⊥ ∩ y^⊥ and is denoted as tr(x,y) = {x,y}^⊥. More generally, one can define for A ⊆ P the set A^⊥ = ∩{z^⊥ | z ∈ A}. The span of two distinct points x and y is defined as sp(x,y) = {x,y}^⊥⊥ = {u ∈ P | u ∈ z^⊥ for all z ∈ tr(x,y)}. Hence it consists of all points which are collinear with every point in the trace of x and y.

If x and y are collinear, then sp(x,y) is the unique line through x and y and hence |sp(x,y)| = σ + 1. If x and y are not collinear, then no two of the points of x^⊥ ∩ y^⊥ marked by "o" in the diagram above are collinear. We note that x, y are in sp(x,y), no two points of sp(x,y) are collinear and |sp(x,y)| ≤ τ + 1. The latter follows since the points of sp(x,y) have to be contained in the τ + 1 lines through any of the points of x^⊥ ∩ y^⊥.

Finally, a triad (of points) is a triple of mutually non-collinear points. Given a triad T = (x,y,z), a centre of T is just a point of T^⊥ = tr(x,y,z).

The reader who is interested in finding out more about the theory of generalized quadrangles is referred to the book by Payne and Thas [7].

3 THE SCHEMES

3.1 The 2-Threshold Schemes

Let G be a generalized quadrangle of order (σ, τ) with σ, τ > 1, and let x and y be two non-collinear points of G. Then the points of sp(x,y) can be used as the shadows of a 2-threshold scheme with the secret datum X being the span of x and y.

For consider two distinct points w and z of sp(x,y). As points of the span they are not collinear but each one of them is collinear with every point in x^⊥ ∩ y^⊥. Hence z^⊥ ∩ w^⊥ = x^⊥ ∩ y^⊥ and sp(z,w) = sp(x,y) = X. So the secret datum is determined by any two of the shadows. The probability to obtain X with the knowledge of no or just one shadow depends on the number of shadows in X. This number is subject to the structure of G and the particular choice of the span. It is, however, never greater than τ + 1. We obtain the following expression for the probability that the secret datum is revealed by entering a valid shadow and some other point.

$$\mathrm{Prob} = \frac{s - 1}{\sigma^2\tau + \sigma\tau + \sigma} \le \frac{\tau}{\sigma^2\tau + \sigma\tau + \sigma} \qquad (3.1)$$

When setting the security level one has, however, to take into account that a trustee knows some finite geometry and for some reason or other the lines through his own shadow. This increases his probability of a successful attempt to break the system to

$$\mathrm{Prob} = \frac{s - 1}{\sigma^2\tau + \sigma\tau + \sigma - (\sigma\tau + \sigma)} = \frac{s - 1}{\sigma^2\tau} \le \frac{1}{\sigma^2} \qquad (3.2)$$

as he can rule out the στ + σ points which are collinear with his shadow. Equation (3.2) implies that the security level only depends on σ or, in other words, the number of points on a line, if sp(x,y) contains τ + 1 points. If this is the case, the pair (x,y) is called regular. A point x is said to be regular, if for every y, y ≁ x, the pair (x,y) is regular.

So far we have not said anything about the existence of generalized quadrangles. If a point of a GQ is regular then σ ≥ τ (see [7]). So the smallest case is σ = τ. Such generalized quadrangles exist indeed. The ones in which all the points are regular are derived from the projective geometry PG(3,q). The points of the GQ are just the points of PG(3,q) while the lines are the totally isotropic lines with respect to a symplectic polarity. For the necessary background in finite geometry the reader is referred to [1], [S]. As these geometries exist for every prime power q, we have obtained an infinite class of 2-threshold schemes which admit q + 1 shadows at a security level of 1/q² and have an implementation size of q³ + q² + q + 1 points and lines. Since these generalized quadrangles are coordinatized (see [7]), they can be implemented on a computer.

Using a regular pair of points for an implementation supplies us with at least τ + 1 ≥ √σ + 1 shadows at a security level of 1/σ² since the inequalities τ² ≥ σ ≥ τ hold (see [7]). Such a number is in nearly all cases far beyond anything needed. So the question arises whether one should use a non-regular pair of points whose span is sufficiently large. A span containing s points increases the security level to (s − 1)/(τσ²) at the same order (σ, τ). For instance, the generalized quadrangles derived from a non-singular hermitian variety in PG(4, q²) have order (q², q³). Here the spans consist of q + 1 points. Hence the probability to cheat is approximately 1/q⁶ while the above examples attain a security level of only 1/q⁴ at the same line-size. This is, however, not the only criterion for the magnitude of the implementation.


It should be mentioned that regular pairs have a non-negligible advantage when it comes to the actual implementation, since we can make use of the following observation. Two points x' and y' belong to sp(x,y) if and only if they are collinear with every one of the points in x^⊥ ∩ y^⊥. Checking this is clearly not feasible. If the pair (x,y) is regular, it suffices to show that x' and y' are collinear with just two of those points, since in this case the trace of a span is equal to the span of the trace. So we just have to store two points of the trace and check whether x' and y' are collinear with both of them. The amount of computation needed for this depends on the number of coordinates and the particular field used for the coordinatization.
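As an added example (not the paper's own code) that assumes the symplectic generalized quadrangle W(3,q) of order (q,q) described above, the following Python block builds the points of PG(3,q) for a prime q, takes two points to be collinear exactly when the symplectic form x_0y_1 − x_1y_0 + x_2y_3 − x_3y_2 vanishes on them, and implements x^⊥, tr(x,y) and sp(x,y) directly from their definitions in Section 2. It then sets up the 2-threshold scheme of Section 3.1: the shadows are the points of sp(x,y) for a non-collinear pair, the verifier stores only two points of the trace (the regular-pair shortcut of the preceding paragraph), and the cheating probability of (3.2) is recomputed by counting the points a trustee cannot rule out. The particular form, the value of q and the pair x = (1,0,0,0), y = (0,1,0,0) are this example's own choices.

```python
from itertools import product


def pg_points(q):
    """Points of PG(3,q) for a prime q, one representative each: first non-zero coordinate is 1."""
    return [v for v in product(range(q), repeat=4)
            if any(v) and next(c for c in v if c) == 1]


def symplectic(u, v, q):
    """Symplectic form x0*y1 - x1*y0 + x2*y3 - x3*y2 (mod q). Assumption of this example:
    the GQ lines are the totally isotropic lines of this form, so two points of W(3,q)
    are collinear exactly when the form vanishes on them."""
    return (u[0] * v[1] - u[1] * v[0] + u[2] * v[3] - u[3] * v[2]) % q


def collinear(u, v, q):
    return symplectic(u, v, q) == 0     # every point is isotropic, so x ~ x as in Section 2


def perp(x, pts, q):
    """x^perp: all points collinear with x (x itself included)."""
    return {y for y in pts if collinear(x, y, q)}


def trace(x, y, pts, q):
    """tr(x,y) = x^perp intersected with y^perp."""
    return perp(x, pts, q) & perp(y, pts, q)


def span(x, y, pts, q):
    """sp(x,y) = {x,y}^perp^perp: the points collinear with every point of the trace."""
    tr = trace(x, y, pts, q)
    return {u for u in pts if all(collinear(u, z, q) for z in tr)}


class GQ2ThresholdScheme:
    """2-threshold scheme of Section 3.1 on W(3,q): the shadows are the points of sp(x,y)."""

    def __init__(self, q, x, y):
        self.q, self.pts = q, pg_points(q)
        if collinear(x, y, q):
            raise ValueError("x and y must be non-collinear")
        self.secret = frozenset(span(x, y, self.pts, q))      # the secret datum X
        # (x,y) is a regular pair in W(3,q): two stored trace points suffice to test membership.
        self.stored = tuple(sorted(trace(x, y, self.pts, q))[:2])

    def shadows(self):
        return sorted(self.secret)

    def accept(self, s1, s2):
        """Two distinct entered points are valid iff both are collinear with both stored trace points."""
        return s1 != s2 and all(collinear(s, t, self.q) for s in (s1, s2) for t in self.stored)

    def reconstruct(self, s1, s2):
        """Recover X from two valid shadows: any two points of the span determine it."""
        return frozenset(span(s1, s2, self.pts, self.q)) if self.accept(s1, s2) else None

    def candidates_after_ruling_out(self, shadow):
        """Points a trustee cannot exclude: neither his shadow nor collinear with it (sigma^2 tau of them)."""
        return len(self.pts) - len(perp(shadow, self.pts, self.q))

    def cheat_probability(self):
        """(s - 1) / (sigma^2 tau) of (3.2): hit one of the other shadows among the remaining points."""
        s = len(self.secret)
        return (s - 1) / self.candidates_after_ruling_out(self.shadows()[0])


if __name__ == "__main__":
    scheme = GQ2ThresholdScheme(3, (1, 0, 0, 0), (0, 1, 0, 0))
    sh = scheme.shadows()
    print("shadows:", sh)
    print("reconstructed X:", sorted(scheme.reconstruct(sh[0], sh[1])))
    print("cheating probability:", scheme.cheat_probability())
```

For q = 3 the GQ has 40 points, |x^⊥| = 13 = 1 + (τ + 1)σ as in Lemma 1 (ii), the span has τ + 1 = 4 points, and a trustee who rules out the 13 points collinear with his shadow is left with q³ = 27 candidates, giving (s − 1)/(σ²τ) = 3/27 = 1/q², the bound in (3.2). A point of the trace, although collinear with x, is rejected by the verifier because it is not collinear with the other stored trace point.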

3.2 The 3-Threshold Schemes

The threshold schemes constructed in the preceding section were based on pairs of non-collinear points. Now we are going to use triads of points. We will see that, when assessing the security of the new systems, it is not sufficient to just transfer the considerations made for the 2-threshold schemes. The "extension" will provide an attacker with new possibilities.

Let (x,y,z) form a triad, and let sp(x,y,z) = {x,y,z}^⊥⊥ be the secret datum X. It is easy to see that any three points of X uniquely determine X. So condition (i) for a 3-threshold scheme is satisfied. Two disloyal trustees with respective shadows x', y' have a success rate of

$$\frac{s - 2}{\sigma^2\tau + \sigma\tau + \sigma - 1} \qquad (3.3)$$

in a straightforward attack. If they can rule out the 2σ(τ + 1) − (τ + 1) = 2στ + 2σ − τ − 1 points which are collinear with x', y', then their probability to break the system is

$$\mathrm{Prob} = \frac{s - 2}{\sigma^2\tau - \sigma\tau - \sigma + \tau}. \qquad (3.4)$$

So far everything is similar to the case of two non-collinear points. Being able to rule out the points of tr(x',y'), however, opens up new ways of breaking the system in this situation as we will see later.

The number of shadows depends on the underlying GQ. If this is of order (σ, σ²) with σ > 1, then tr(x,y,z) = {x,y,z}^⊥ always consists of σ + 1 points and hence sp(x,y,z) contains at most σ + 1 points. The point z is 3-regular, if |sp(x,y,z)| = σ + 1 for any triad (x,y,z) through z in G. Hence X contains s = σ + 1 shadows.

Examples of such generalized quadrangles are Q(5,q), the elliptic quadrics in PG(5,q), for every prime power q. These give rise to 3-threshold schemes with q + 1 shadows. We will discuss the security using the generalized quadrangles of order (σ, σ²). For these Equation (3.4) reads

$$\mathrm{Prob} = \frac{\sigma - 1}{\sigma^4 - \sigma^3 + \sigma^2 - \sigma} = \frac{1}{\sigma^3 + \sigma}. \qquad (3.5)$$

If the two trustees x' and y' can work out the points of tr(x',y') they could make use of this knowledge and the relationship between a trace and its span. They take any point u in tr(x',y'), choose a line L through this point and a point g ≠ u on L. The probability that u is in tr(x,y,z) is (σ + 1)/(σ² + 1), the one for L to intersect sp(x,y,z) in a point different to x' and y' is (σ − 1)/(σ² − 1), while the probability that g is indeed this point is 1/σ. Assuming that the three events are independent the two disloyal trustees succeed in breaking the system with a probability of

$$\frac{\sigma + 1}{\sigma^2 + 1}\cdot\frac{\sigma - 1}{\sigma^2 - 1}\cdot\frac{1}{\sigma} = \frac{1}{\sigma^3 + \sigma}. \qquad (3.6)$$

So all this effort has not increased their chances. An improvement of this attack can be made if one knows conditions under which a line L through u does or does not intersect sp(x,y,z) and the checking of these conditions could be done without the system knowing it. Being able to determine a correct line raises the "success rate" to (σ + 1)/(σ³ + σ).

Clearly a lot of computing would have to go into such an attack. Any decrease in the security level given by (3.4) was based on the assumption that the trustees know not only their coordinates but also enough about the implementation to work out tr(x',y'). If they can do this it is also fair to assume that they can determine a point of sp(x',y') and feed the system this point. As sp(x,y,z) is contained in sp(x',y') the security now depends only on the size of sp(x',y') which is bounded above by σ² + 1. This yields a probability of

$$\mathrm{Prob} = \frac{\sigma - 1}{|\mathrm{sp}(x',y')| - 2} \ge \frac{\sigma - 1}{\sigma^2 - 1} = \frac{1}{\sigma + 1}. \qquad (3.7)$$

Hence, if the trustees know the underlying implementation, the security level depends only on the span of x' and y' and might be unacceptable.

There is clearly no need for a trustee to know "his" shadow but one cannot rule out the possibility that he does. There is, however, in this scheme a way to prevent the trustee from making use of his knowledge. Before the system checks the shadows for their validity it applies a secret coordinate transformation to them. So the secret datum X is not the span of the points x, y and z but of their transforms. This renders the knowledge of both tr(x',y') and sp(x',y') useless and raises the security level back to that given in (3.4).

3.3 Combined Schemes

Distinct threshold schemes defined on the same underlying GQ obviously give rise to (t_1, …, t_n)-threshold schemes. Using the geometry of the GQ allows the construction of more sophisticated schemes.

Let G be a generalized quadrangle with σ > τ in which every point is regular. To construct a (1,2)*-threshold scheme we choose a triad (x,y,z) where z is not collinear with any point in sp(x,y). The condition σ > τ guarantees the existence of such triads since there are τ(σ − τ)(σ − 1) points z for every pair (x,y) of non-collinear points. As the secret datum X we select an arbitrary point of tr(x,y). Putting B_1 = sp(x,y) and B_2 = tr(X,z) we obtain a (1,2)*-threshold scheme.

To verify this we note that z is not collinear with X as (x,y) is a regular pair. The regularity of all points also implies that every triad has exactly 0, 1, or τ + 1 centres (see [7]).

Let x', y' be two shadows of B_1 and z' a shadow of B_2. If they form a triad, then, in view of Axiom (iii), X is the unique centre of this triad. If z' and, say, x' are collinear, then X is the unique point on the line through z' and x' which is collinear with y'. Now consider the case that two shadows are in B_2 and one is in B_1. The trace T of the two points in B_2 has exactly one point in common with tr(x,y), namely the point X. This is the only point of T which is collinear with the shadow in B_1.

Two non-collinear shadows, whether or not they belong to the same class, determine a trace which contains X and τ further points. Hence their probability to guess X is

$$\frac{1}{\tau + 1}. \qquad (3.8)$$

Even if all the trustees of one class join their forces they cannot improve this probability. If the two shadows are collinear, then X is one of the σ − 1 ≥ τ points on their common line. So this case gives a probability of

$$\frac{1}{\sigma - 1} < \frac{1}{\tau}. \qquad (3.9)$$

We note that there are no non-trivial examples known of generalized quadrangles with σ = τ + 1. Examples which can be used are the duals of those mentioned in the preceding section. They are of order (q², q), where q is any prime power.

Using the same kind of implementation as before one can check that the shadows belong to the correct classes. We store three points X, z and w, where w is in tr(x,y). When three points together with their respective "class numbers" are entered, the system checks that they are collinear with the appropriate pair of the three stored points. So we have joined two 2-threshold schemes to form a (1,2)*-threshold scheme.


Since the system checks the entered values for the correct class, the probability to break the system is smaller than the ones given above, if the knowledge of $X$ in itself is not equivalent to a compromise of the system. There are several ways to construct a possible third shadow. None of these yields a better probability than trying to figure out $X$ first and then a "correct" shadow. So the probability in (3.8) has to be multiplied by $1/(\sigma - 1)$ and the one given in (3.9) by $1/\sigma$. So the chances to enter a correct third shadow are about $1/(\sigma\tau)$. It should be mentioned that a coordinate transformation will reduce all these probabilities to about 1 over the number of points of the GQ. So two trustees stand no better chance than two outsiders who just know the underlying GQ.

We conclude this section with an example involving a "supershadow".

Let $(x,y,z)$ be a triad such that $z$ is not in $\mathrm{sp}(x,y)$. Then $\mathrm{sp}(x,y)$ and $\mathrm{sp}(x,z)$ have just the point $x$ in common. We define three classes $B_1 = \{x\}$, $B_2 = \mathrm{sp}(x,y) \setminus \{x\}$ and $B_3 = \mathrm{sp}(x,z) \setminus \{x\}$, and let $X = \mathrm{tr}(x,y) \cup \mathrm{tr}(x,z)$. This yields both a $(1,1,1)$- and a $(0,2,2)$-threshold scheme with the shadow $x$ being more powerful than the other shadows. We note that $\mathrm{tr}(x,y)$ and $\mathrm{tr}(x,z)$ intersect in a unique point $u$, say. So, if every point is regular, we only need to store $u$ and a further point in each trace. We leave it to the reader to work out the various probabilities to cheat the system.

Acknowledgement

The first author is indebted to the Philips Research Laboratory Brussels for the facilities they offered during the preparation of this paper.

References

[1] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Wissenschaftsverlag Bibliographisches Institut, Mannheim, 1985.

[2] A. Beutelspacher and K. Vedder, Geometric Structures as Threshold Schemes. Proc. of the IMA Conference on Cryptography and Coding Theory, Cirencester, Oxford Univ. Press (to appear).

[3] G. R. Blakley, Safeguarding cryptographic keys. Proceedings NCC, AFIPS Press, Montvale, N.J., Vol. 48 (1979), 313-317.

[4] M. De Soete and J. A. Thas, A coordinatization of the generalized quadrangles of order (s, s+2), to appear in J. C. T. (A).

[5] G. Hanssens and H. Van Maldeghem, Coordinatization of Generalized Quadrangles, Annals of Discr. Math. 37 (1988), 195-208.

[6] D. R. Hughes and F. C. Piper, Design Theory, Cambridge University Press, 1985.

[7] S. E. Payne and J. A. Thas, Finite generalized quadrangles, Research Notes in Math. #110, Pitman Publ. Inc., 1984.

[8] A. Shamir, How to share a secret, Communications ACM, Vol. 22 nr. 11 (1979), 612-613.


A UNIVERSAL ALGORITHM FOR HOMOPHONIC CODING

Christoph G. Günther, Asea Brown Boveri Corporate Research

CH-5405 Baden, Switzerland

ABSTRACT

This contribution describes a coding technique which transforms a stream of message symbols with an arbitrary frequency distribution into a uniquely decodable stream of symbols which all have the same frequency.

I . INTRODUCTION

In a Caesar cipher each letter from the alphabet $\{a, b, \ldots, z\}$ is replaced by the successor of the successor of its successor, i.e. the alphabet is shifted by three: $\{a, b, \ldots, z\} \to \{d, e, \ldots, c\}$. In general, there are 26 possible shifts, and we say that the cipher defined by these shifts has a key size of $\log_2 26 \simeq 4.7$, which is very small. If we, however, consider the set of all permutations of the alphabet $\{a, b, \ldots, z\}$, we get a cipher with a key size $\log_2 26! \simeq 88$. This is more than one third larger than 56, which is the key size of today's most widely used cipher DES. Nevertheless, the cipher described is not secure for the encryption of English plaintext. In English the letters from the alphabet occur with the frequencies $p_e \simeq 0.13$, $p_t \simeq 0.09$, $p_a \simeq 0.08$, $\ldots$, $p_z \simeq 0.001$ (see e.g. [1]), and therefore a frequency analysis of the cryptogram immediately reveals the chosen permutation.

In this respect, English is neither an exception amongst the natural languages nor amongst the technical data streams like ASCII codes or $\Delta$-modulated speech. All of them show statistical irregularities through unequal probabilities of the symbols or correlations between the symbols. The above permutation cipher is also not exceptional; it is the most general block cipher defined on an alphabet of 26 symbols.

In order to describe more accurately the weakness discussed, we consider the uncertainty of the key, i.e. of the enciphering permutation, when $n$ symbols or blocks of symbols of the cipher text are known. This uncertainty is quantified by the equivocation of the key $k \in \mathcal{K}$ given $n$ cipher blocks $(c_0, c_{-1}, \ldots, c_{-(n-1)}) \in \mathcal{C}^n$ [2]:
$$H(k \mid c_0, c_{-1}, \ldots, c_{-(n-1)}). \qquad (1)$$

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 405-414, 1988. © Springer-Verlag Berlin Heidelberg 1988

The smallest $n$ for which the key is completely determined is called the unicity distance $d$. According to Shannon [2] and Hellman [3], it is given by (2), where $T$ is the length over which the blocks become statistically independent and where the basis of the logarithms involved in the definition of $H$ is equal to the size $C$ of the cipher alphabet $\mathcal{C}$. For English texts, Hellman [3] has given an estimate (3) which implies
$$d \simeq 1.5\, H(k). \qquad (4)$$

In the case of DES, the key is therefore completely specified by the redundancy in the text after two cipher blocks of 64 bits each. The only property that has prevented so far the design of efficient algorithms to break DES is the mismatch between the statistical information and the block structure of DES.

Even if cryptography is based to a large extent on the complexity of certain computations, unconditionally secure systems are preferable. In the present situation, unconditional security can be achieved by a suitable conditioning of the message, either by reducing its redundancy with a data compression algorithm or by increasing its entropy in a randomisation process. The reduction of redundancy is more attractive from a theoretical point of view. The data compression algorithms known today, however, only imply a unicity distance proportional to the size of their encoding table, which makes them practically useless for the present purpose.

Amongst the randomisation techniques, homophonic coding seems by far the most adequate, as was pointed out by Massey [4]. The basic idea of such a coding is to improve the distribution of the symbols in the cipher text alphabet $\mathcal{C}$ towards equidistribution by introducing a suitable number of representations for each letter from the message alphabet $\mathcal{M}$ and by randomly choosing one of the representations at each step. Such a coding was already used in 1401 by the Duke of Mantua in his correspondence with Simeone de Crema [5] and is also well known through the Beale ciphers [6]. An example which by its simplicity is particularly suitable to explain this type of encoding was proposed by Massey [4]. In this example, the message stream consists of independent, identically distributed (i.i.d.) random variables from the alphabet $\mathcal{M} = \{a, b\}$ with the letter frequencies $p_a = 3/4$ and $p_b = 1/4$. A homophonic code for this example is defined on the image alphabet $\mathcal{C} = \{0,1\}^*$ by

$$a \to \begin{cases} 00 \\ 01 \\ 10 \end{cases} \text{ with probability } 1/3 \text{ each}, \qquad b \to 11 \text{ with probability } 1, \qquad (5)$$

i.e. the message $m = a$ is encoded at random into $00$, $01$, $10$ with equal probabilities. As a consequence of this encoding, the message source stays i.i.d. and becomes equidistributed, and the unicity distance jumps from $d = 5.3\, H(k)$ to infinity if at least two keys are used.

A similar approach can in principle be chosen for every rational frequency distribution. In general, this will however lead to an enormous data expansion. Furthermore, the frequency distribution completely specifies the cipher text alpha- bet in this scheme. Both disadvantages are avoided in the systematic approach we shall adopt now.

II. DESCRIPTION OF THE ALGORITHM

The homophonic code defined in equation (5) contains two essential elements: an encoding table, i.e. the association of the symbols $00$, $01$ and $10$ with the letter $a$ and the association of the symbol $11$ with the letter $b$, and an encoding rule which states that each representation of a letter has to be chosen with equal probability. The construction of these two elements is the main step in the universal algorithm. In order to get an idea of the general form of these elements, we observe that the following mapping also defines a homophonic code for the above example:

$$a \to \begin{cases} 0 & \text{with probability } 2/3, \\ 10 & \text{with probability } 1/3, \end{cases} \qquad b \to 11 \text{ with probability } 1.$$

This mapping causes a smaller data expansion than the previous one. The mapping itself is obtained by noting that the second bit in the strings $00$ and $01$ of equation (5) neither carries information nor contributes to the equidistribution. The mapping can be interpreted as follows: if a $0$ is transmitted it represents an $a$; if a $1$ is transmitted it does not represent any letter but just tells the decoder to wait for the next symbol in order to determine the information transmitted. With this interpretation the encoding table can be rewritten as two tables (see Figure 1), with $\pi$ denoting the prefix symbol, i.e. the symbol which tells the decoder to wait and to decode the next symbol according to table $T(2)$:

$T(1)$: $0 \to a$, $1 \to \pi$; $\quad T(2)$: $0 \to a$, $1 \to b$.

Figure 1: The encoding tables for the example $\mathcal{M} = \{a, b\}$, $\mathcal{C} = \{0, 1\}$, $p_a = 3/4$ and $p_b = 1/4$.

This form of the encoding table immediately suggests the association with a binary, or more generally with a $C$-ary, representation of the frequency distribution $\{p_\alpha\}_{\alpha \in \mathcal{M}}$. The two objectives of having a number of representations of each letter in the encoding tables which is proportional to the probability of that letter, and of having at least one letter represented in each table, together with the above association lead to the following general construction of the encoding tables:

Initialisation: $p_\alpha^{(0)} := p_\alpha$ for all $\alpha \in \mathcal{M}$, $i := 1$.

Construction of the $i$-th table $T(i)$:

a) The dimension $\kappa_i$ of the table $T(i)$ is determined as the smallest $\kappa$ for which at least one letter can be represented, i.e. $C^{\kappa} p_\alpha^{(i-1)} \ge 1$ for some $\alpha \in \mathcal{M}$.

b) A number $n_\alpha^{(i)} := \lfloor C^{\kappa_i} p_\alpha^{(i-1)} \rfloor$ of symbols $\rho_\alpha^{(i,1)}, \ldots, \rho_\alpha^{(i, n_\alpha^{(i)})} \in \mathcal{C}^{\kappa_i}$ is chosen to represent the letter $\alpha$ in table $T(i)$.

c) The remaining $n^{(i)} := C^{\kappa_i} - \sum_{\alpha \in \mathcal{M}} n_\alpha^{(i)}$ symbols $\sigma^{(i,1)}, \ldots, \sigma^{(i, n^{(i)})} \in \mathcal{C}^{\kappa_i}$ are chosen as prefix symbols.

Computation of $p_\alpha^{(i)}$ and loop control:

If $n^{(i)} = 0$, the construction is completed. If $n^{(i)} \ne 0$, the new probability distribution $\{p_\alpha^{(i)}\}_{\alpha \in \mathcal{M}}$, i.e. the distribution of the letters conditioned on a prefix symbol of $T(i)$ having been transmitted, is determined, $i$ is incremented by one and the next table is constructed.

The encoding tables for the slightly more complex example $\mathcal{M} = \{a, b, c\}$, $\mathcal{C} = \{0, 1\}$ and $p_a = 5/12$, $p_b = 1/3$, $p_c = 1/4$ are shown in Figure 2.

Figure 2: The encoding tables for the example $\mathcal{M} = \{a, b, c\}$, $\mathcal{C} = \{0, 1\}$ and $p_a = 5/12$, $p_b = 1/3$, $p_c = 1/4$; the figure also shows the partition of $[0, 1)$ at the points $1/4$, $5/12$, $5/12 + 1/4$ and $3/4$. The first table has size $C^2 = 4$ as, due to $p_\alpha < 1/2$ $\forall \alpha \in \mathcal{M}$, no letter can be represented in a table of size $C = 2$. The symbols in the dark areas represent the letter $a$. The symbols in the pale areas are prefix symbols which are used in the representation of several letters. The codewords $00, 110, 11110, 1111110, \ldots$ all represent the letter $a$.


The number of tables generated in this example is infinite. However, only three of these tables are truly different ($T(2n) = T(2)$, $T(2n+1) = T(3)$, $\forall n \ge 1$). The partition of the interval $[0, 1)$ induced by the probability distribution $\{p_a, p_b, p_c\}$, which is represented in Figure 2, is useful for the construction of the tables themselves and also for the formulation of the encoding rule. If an $a$ is to be encoded, the rule for the first symbol reads: choose at random a number $r$ in the interval $[0, 5/12)$; if $r < 1/4$ transmit the symbol $00$, if $r \ge 1/4$ transmit the symbol $11$ and encode $a$ using the next table. This rule is symbolically represented in Figure 3:

Figure 3: Symbolic representation of the first step in the encoding of $a$ (the letters $a$, $b$, $c$ are drawn against the symbols $00$, $01$, $10$, $11$). A number $r$ is chosen randomly according to the distribution $p(r \mid m = a)$. If $r < 1/4$ the symbol $00$ is transmitted and the encoding ends, else the symbol $11$ is transmitted and further steps are needed to transmit the letter $a$ to the receiver.

With these considerations in mind, it is no longer difficult to derive the general encoding algorithm:

a) Read a new symbol $\alpha \in \mathcal{M}$ from the data stream.

b) Set $i = 1$.

c) Choose a random number $r \in [0, p_\alpha^{(i-1)})$.

d) If $C^{\kappa_i} r \le n_\alpha^{(i)}$, transmit $\rho_\alpha^{(i, \lceil C^{\kappa_i} r \rceil)}$ and go to a); if $C^{\kappa_i} r > n_\alpha^{(i)}$, transmit the prefix symbol $\sigma^{(i, \lceil C^{\kappa_i} r - n_\alpha^{(i)} \rceil)}$, increment $i$ by one and go to c).

The effect of this algorithm is to combine the message source and the randomness from homophonic coding such that all symbols $00$, $01$, $10$ and $11$, and a fortiori $0$ and $1$, become equally likely. This does not only hold for the first step but for every one, which immediately implies the statistical independence of the output stream if the symbols from the source are statistically independent. With these remarks, the proof of the following theorem is easy:

Theorem 1: If a message source generates a sequence of i.i.d. variables but with unequal letter probabilities, then the sequence obtained by applying the universal homophonic coding algorithm is i.i.d. and has equal letter probabil- ities.

Many sources are modelled more accurately by a Markovian process with finite memory. For them the following theorem applies:

Theorem 2: If the message source can be described by a Markovian process with finite memory $\tau$, then the sequence obtained by applying the universal homophonic coding algorithm, with the probability distribution $\{p_\alpha\}_{\alpha \in \mathcal{M}}$ replaced by the conditional probability distribution $\{p_{\alpha \mid \alpha_{-1}, \ldots, \alpha_{-\tau}}\}_{\alpha, \alpha_{-1}, \ldots, \alpha_{-\tau} \in \mathcal{M}}$, is i.i.d. and has equal letter probabilities.

In both cases we thus have perfect statistical properties and therefore an infinite unicity distance.
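As an added worked example (this is not code from the paper), the table construction of Section II and the encoding rule a)-d) are implemented below in Python and run on the example of Figure 2 and on Massey's example. Two points are assumptions rather than statements on this page: the update rule for $p_\alpha^{(i)}$ (the mass of $\alpha$ not represented in $T(i)$, renormalised over the $n^{(i)}$ prefix symbols) and the uniform choice among the prefix symbols; both are consistent with the equidistribution of Theorem 1, and the exact arithmetic with fractions lets one check that every symbol of $T(1)$ has probability $1/4$, that the codewords $00$, $110$, $11110$ of $a$ occur with probabilities $3/5$, $3/10$, $3/40$, and that the construction becomes periodic after three tables, as Lemma 3b predicts for rational probabilities. All function names are ours.

```python
from fractions import Fraction
import random


def to_base(j, C, kappa):
    """The j-th kappa-digit C-ary string (the codewords of a table of dimension kappa)."""
    return "".join(str(j // C ** k % C) for k in range(kappa - 1, -1, -1))


def build_tables(p, C):
    """Tables T(1), T(2), ... of Section II for p (letter -> Fraction).  A table keeps the
    distribution it was built from, kappa_i, codeword -> letter (None = prefix symbol),
    n_alpha^(i), n^(i) and 'next', the table used after a prefix symbol.  Construction
    stops when no prefix symbol is left or when a distribution repeats (Lemma 3b); then
    'next' loops back to the earlier identical table instead of building it again."""
    tables, seen, dist = [], {}, dict(p)
    while True:
        key = tuple(sorted(dist.items()))
        if key in seen:
            tables[-1]["next"] = seen[key]
            return tables
        seen[key] = len(tables)
        kappa = 1                      # smallest kappa with C^kappa p_alpha >= 1 for some alpha
        while all(C ** kappa * q < 1 for q in dist.values()):
            kappa += 1
        size = C ** kappa
        n = {a: int(size * q) for a, q in dist.items()}      # floor(C^kappa p_alpha^(i-1))
        n_prefix = size - sum(n.values())
        symbols = [a for a in p for _ in range(n[a])] + [None] * n_prefix
        rows = {to_base(j, C, kappa): s for j, s in enumerate(symbols)}
        tables.append({"dist": dist, "kappa": kappa, "rows": rows, "n": n,
                       "n_prefix": n_prefix, "next": len(tables) + 1})
        if n_prefix == 0:
            tables[-1]["next"] = None
            return tables
        # Assumed update rule (the paper's displayed formula is not on this page): the mass
        # of alpha not represented in T(i), spread evenly over the n^(i) prefix symbols.
        dist = {a: (size * q - n[a]) / n_prefix for a, q in dist.items()}


def encode(message, tables, C, rng):
    """Rule a)-d): r uniform in [0, p_alpha^(i-1)); C^kappa r < n_alpha sends a letter symbol,
    otherwise a prefix symbol (chosen uniformly, an assumption) and the next table is used."""
    out = []
    for a in message:
        i = 0
        while True:
            t = tables[i]
            x = rng.random() * float(C ** t["kappa"] * t["dist"][a])
            if x < t["n"][a]:
                out.append([cw for cw, s in t["rows"].items() if s == a][int(x)])
                break
            out.append(rng.choice([cw for cw, s in t["rows"].items() if s is None]))
            i = t["next"]
    return "".join(out)


def decode(code, tables):
    """Read kappa_i digits at a time; a letter symbol ends a codeword, a prefix symbol
    switches to the next table."""
    out, i, pos = [], 0, 0
    while pos < len(code):
        t = tables[i]
        s = t["rows"][code[pos:pos + t["kappa"]]]
        pos += t["kappa"]
        i = 0 if s is not None else t["next"]
        if s is not None:
            out.append(s)
    return "".join(out)


def codeword_probability(tables, C, letter, codeword):
    """Exact probability (a Fraction) that `letter` is encoded as `codeword`."""
    prob, i, pos = Fraction(1), 0, 0
    while pos < len(codeword):
        t = tables[i]
        cw, pos = codeword[pos:pos + t["kappa"]], pos + t["kappa"]
        scale = C ** t["kappa"] * t["dist"][letter]       # C^kappa p_alpha^(i-1)
        if cw not in t["rows"] or scale == 0 or t["rows"][cw] not in (letter, None):
            return Fraction(0)
        if t["rows"][cw] == letter:                      # one of the n_alpha letter symbols
            return prob / scale if pos == len(codeword) else Fraction(0)
        prob *= (scale - t["n"][letter]) / scale / t["n_prefix"]   # a prefix symbol was sent
        i = t["next"]
    return Fraction(0)


def first_symbol_distribution(tables, C):
    """Exact probability of each codeword of T(1) (Theorem 1: all equal to 1/C^kappa_1)."""
    t, out = tables[0], {}
    size = C ** t["kappa"]
    for cw, s in t["rows"].items():
        if s is None:   # sum over letters of P(letter) P(prefix | letter) / n^(1)
            out[cw] = sum(q * (size * q - t["n"][a]) / (size * q) / t["n_prefix"]
                          for a, q in t["dist"].items() if q)
        else:           # P(letter) P(this symbol | letter)
            out[cw] = t["dist"][s] / (size * t["dist"][s])
    return out


def roundtrip_stats(tables, C, letters, weights, seed=1, k=5000):
    """Encode a constructed pseudo-random message, decode it, and report
    (decoded == message, fraction of '0' digits, output digits per letter)."""
    rng = random.Random(seed)
    msg = "".join(rng.choices(letters, weights=weights, k=k))
    code = encode(msg, tables, C, rng)
    return decode(code, tables) == msg, code.count("0") / len(code), len(code) / k


# The example of Figure 2: M = {a, b, c}, C = {0, 1}, p = (5/12, 1/3, 1/4).
P_FIG2 = {"a": Fraction(5, 12), "b": Fraction(1, 3), "c": Fraction(1, 4)}
TABLES_FIG2 = build_tables(P_FIG2, 2)
```

For the Figure 2 distribution the construction yields $T(1) = \{00 \to a, 01 \to b, 10 \to c, 11 \to \pi\}$, $T(2) = \{0 \to a, 1 \to \pi\}$, $T(3) = \{0 \to b, 1 \to \pi\}$ with $T(3)$ looping back to $T(2)$; the expected output length is $2.5$ binary digits per letter, and a decoded message equals the encoded one because every prefix symbol is unambiguous within its table.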

So far the homophonic coding algorithm has been described without taking its practical aspects into consideration. Amongst these, the two most important ones are the termination conditions for the table construction and the data expansion.

III. TERMINATION OF THE TABLE CONSTRUCTION

Two simple conditions for the termination of the table construction are obtained from the observation that the algorithm induces the following representation of the probabilities $p_\alpha$, with a product running over $j = 1, \ldots, i-1$:

This is a special form of a $C$-ary expansion and therefore easily implies:

Lemma 3: a. If all probabilities have a finite $C$-ary expansion, the table construction stops. b. If all probabilities are rational, the sequence of constructed tables becomes ultimately periodic.

Condition b is a termination condition as only a finite number of tables needs to be determined and stored. So in all practical situations the table construction terminates, but possibly only after a very large number of tables.

In applications, a given key is only used for a finite message length and correspondingly the unicity distance does not need to be larger than this length. Therefore, we can tolerate a deviation of the probability $q_\gamma$ of the cipher symbol $\gamma$ from its ideal value and restrict the algorithm to a maximum of, say, $l + 1$ tables. If this is done by constructing $l$ tables according to the algorithm of Section II and by adding one table which contains a representation for every symbol $\alpha \in \mathcal{M}$ with $p_\alpha^{(l)} > 0$, the probability $q_\gamma$ of the symbol $\gamma \in \mathcal{C}$ is given by:

where $\nu_\gamma$ is the frequency of the symbol $\gamma$ in table $T(l+1)$, where $M$ is the size of the alphabet $\mathcal{M}$, where $\kappa_{l+1}$ is the dimension of that table, and where $\lambda_l$ is given by

In this expression, the error $q_\gamma - 1/C$ converges exponentially to zero for $l \to \infty$, and the Taylor expansion of the entropy

therefore implies an exponential increase of the unicity distance with the table size $l$.

IV . DATA EXPANSION

From the description in Section I1 it is rather obvious that the algorithm will change the data rate. In some singular cases in which the distribution is concen- trated on a few symbols, this change can be a lowering of the rate. In the example M = (a , b,c , d } , p a = 4, pb = g, p , = Is, p d = $, and C = {O, 1) the compres- sion factor is g. In the generic case this change will, however, be an expansion and it is very important to have some information on how large this expansion will be.

Theorem 4: The ratio $\lambda$ of the output rate divided by the input rate of the homophonic coding algorithm is

3 1 1

In this theorem we have taken to our disadvantage the value $\log_C M$ for the input rate (instead of $\lceil \log_C M \rceil$) in order not to overestimate the mismatch between the usual alphabet $\{a, b, \ldots, z\}$ and the technically relevant binary alphabet. For $M \le C$ we have the following general result:

Lemma 5: a. If $M \le C$, the data expansion $\lambda$ is bounded by $\lambda \le C \cdot \log_M C$. b. For $M = C = 2$ or $3$, the distribution $p_j$ defined in (7) has a data expansion $\lambda = C \cdot \log_M C$.

The proof of this lemma follows easily from the observation that $\kappa_i = 1$ and $n^{(i)} \le C - 1$ if $M \le C$. Unfortunately, the lemma is too weak for most applications.

Therefore, we have estimated the average value of $\lambda$, with the average taken over all probability distributions. For $M \le C$ we have obtained

A Monte Carlo simulation has confirmed this estimate and has provided the following results for the relevant cases $M = 27$ (usual alphabet with blank) and $C = 2, 4, 8, 16, 32, 64, 128, 256$ (the error of $\lambda$ is $\le 0.1$):

    C                  2     4     8     16    32    64    128   256
    <lambda>           2.7   2.4   1.9   2.4   1.7   1.7   1.6   1.8

Finally, we have also computed $\lambda$ for the frequency distribution of letters in English texts, as taken from Beker and Piper [1] (the error of $\lambda$ is $\le 0.1$):

    C                  2     4     8     16    32    64    128   256
    lambda             2.7   2.3   2.0   2.3   1.6   1.5   1.6   1.8

If we compare this with the above results we see that English is quite typical. Furthermore, we note that a suitable choice of the alphabet size $C$ can considerably reduce the data expansion. This indicates that our simple rule for the choice of the dimension $\kappa_i$ of table $T(i)$ was not optimal and that it can be further improved.


V . CONCLUSION

In the present contribution we have shown that homophonic coding is an efficient precoding, suitable to increase the unicity distance of a cipher to any required length. Furthermore, even if only the lower order correlations are smoothed out, attacks on the higher order dependencies become practically infeasible due to the variable length of the codewords. The additional random data transmitted causes a data expansion by a factor of roughly two. It can, however, be used to further strengthen the system by suitably randomising the cipher applied to the precoded data. Finally, we note that the described precoding can, after some small modifications, be run in an adaptive way. Homophonic coding is thus highly adequate to substantially increase the strength of ciphers in most applications.

ACKNOWLEDGMENT

I would like to thank Professor James L. Massey for his continuous interest and support.

REFERENCES

[1] H. Beker, F. Piper, Cipher Systems: The Protection of Communications, Northwood Books, London (1982).

[2] C. E. Shannon, "Communication theory of secrecy systems," Bell System Tech. J., vol. 28, pp. 656-715 (1949).

[3] M. E. Hellman, "An extension of the Shannon theory approach to cryptography," IEEE Trans. on Inform. Theory, vol. IT-23, pp. 289-294 (May 1977).

[4] J. L. Massey, "On probabilistic encipherment," 1987 IEEE Information Theory Workshop, Bellagio (Italy).

[5] D. Kahn, The Codebreakers, The Story of Secret Writing, Weidenfeld and Nicolson, London (1966).

[6] "The Beale Ciphers", The Beale Cipher Assoc., Medfield, Mass. (1978).


A NEW PROBABILISTIC ENCRYPTION SCHEME

He Jingmin and Lu Kaicheng

Dept. of Computer Science, Tsinghua University, Beijing, People's Republic of China

Abstract. In this paper we present a new probabilistic public key cryptosystem. The system is polynomially secure. Furthermore, it is highly efficient in that its message expansion is $1 + (k-1)/l$, where $k$ is the security parameter and $l$ the length of the encrypted message. Finally, the system can be used to sign signatures.

1. Introduction

The most important problem in modern cryptography is how to encrypt messages in a secure and efficient way. Here two things are of equal importance: security and efficiency. Up to now three different notions of security have been proposed: Goldwasser and Micali's polynomial security, semantic security [1], and Y-security introduced by Yao [2]. Micali et al. ([3]) have pointed out that these three notions are essentially equivalent. In this paper we'll adopt the notion of polynomial security. As to the efficiency, it usually means the encrypting and decrypting time and the message expansion.

The earliest public key cryptosystem is RSA [4]. RSA is highly efficient because its message expansion is about one (the least possible value). However, its security remains to be proven. Actually RSA is a deterministic cryptosystem and can't be secure according to [1]. In another direction, Goldwasser and Micali [1] presented the first probabilistic encryption scheme whose polynomial security is rigorously proven. But their scheme is not efficient at all. They encrypt every bit of the message independently, so the message expansion is $k$ (the security parameter) and this makes the scheme totally unvalued in practice.

In this paper we are concerned with both security and efficiency. We present a new "random iterative encryption scheme" which can achieve both polynomial security and high efficiency. The idea is simple: we randomly and iteratively encrypt the plaintext bit by bit. In this way we can get a secure public key cryptosystem with a low message expansion of $1 + (k-1)/l$, where $l$ is the length of the plaintext and $k$ the security parameter. One more lucky thing is that the new scheme can be used to sign digital signatures, which seems impossible in the schemes of [1], [5] and [6].

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 415-418, 1988. © Springer-Verlag Berlin Heidelberg 1988

Remark: Blum and Goldwasser have presented another secure probabilistic encryption method with a message expansion of $1 + k/l$. Their method is similar to that of Blum et al. ([5]), in which the plaintext is exclusive-ored with a sequence of the same length generated by a pseudo-random number generator. For the details see [5] and [6].

2. Background

Let $\mathbb{N}$ denote the set of positive integers and $n \in \mathbb{N}$. Let $Z_n^* = \{x \mid 1 \le x < n \text{ and } (x, n) = 1\}$ and $Z_n^1 = \{x \mid 1 \le x \le n \text{ and } (x/n) = 1\}$, where $(x/n)$ is the Jacobi symbol of $x$ mod $n$. The symbol $|n|$ denotes the binary length of $n$.

Let $Q$ be a predicate defined on $Z_n^1$ such that $Q(x) = 1$ iff $x$ is a quadratic residue mod $n$. Let $H_k$ denote the set of "hard composite integers", i.e., $H_k = \{n \mid n = pq$, where $p$ and $q$ are distinct primes such that $|p| = |q| = k\}$.

The security of our scheme is based on the quadratic residuosity assumption (QRA). From QRA Goldwasser and Micali have proven the following.

Lemma 1 ([1]). Under QRA, the predicate $Q$ defined on $Z_n^1$ is unapproximable by any circuit of polynomial size even if some quadratic nonresidues mod $n$ are known. (Recall that a circuit $C$ $\varepsilon$-approximates a predicate $Q: B \to \{0, 1\}$ if $C(x) = Q(x)$ for at least a fraction $1/2 + \varepsilon$ of the $x \in B$.)

Let $J_n = \{x \mid 1 \le x \le n/2 \text{ and } (x/n) = 1\}$. Let $QR_n$ denote the set of quadratic residues mod $n$. It is easy to prove the following

Lemma 2. Let $n = pq$ where $p$ and $q$ are distinct primes such that $p \equiv q \equiv 3 \pmod 4$. Then each $z \in QR_n$ has exactly one square root that is in $J_n$, and we denote this root by $\mathrm{sqr}(z)$. We point out that Lemma 1 will still hold when $Q$ is restricted to $J_n$, and we still call the result Lemma 1.

3. The New Encryption Scheme

Let $n = pq$ as in Lemma 2. Let $y$ be a quadratic nonresidue mod $n$. Now we introduce a function $E_n$ as follows:

$E_n: J_n \times \{0, 1\} \to J_n \times \{0, 1\}$,

$E_n(x, 0) = (x^2 \bmod n,\ 0)$ if $x^2 \bmod n < n/2$, and $= (-x^2 \bmod n,\ 1)$ otherwise;

$E_n(x, 1) = (x^2 y \bmod n,\ 0)$ if $x^2 y \bmod n < n/2$, and $= (-x^2 y \bmod n,\ 1)$ otherwise.

From Lemma 2 we know that $E_n$ is invertible. The inverse of $E_n$ is denoted by $D_n$ and can be specified as follows:

$D_n: J_n \times \{0, 1\} \to J_n \times \{0, 1\}$,

$D_n(z, j) = (\mathrm{sqr}(z),\ 0)$ if $j = 0$ and $z \in QR_n$;

$= (\mathrm{sqr}(z y^{-1}),\ 1)$ if $j = 0$ and $z \notin QR_n$;

$= (\mathrm{sqr}(-z y^{-1}),\ 1)$ if $j = 1$ and $z \in QR_n$;

$= (\mathrm{sqr}(-z),\ 0)$ if $j = 1$ and $z \notin QR_n$.

For convenience we denote the first and second components of $E_n(x, i)$ by $E_n^1(x, i)$ and $E_n^2(x, i)$ respectively.

For any positive integer $l$, $E_n$ can be generalized as follows:

$E_n: J_n \times \{0, 1\}^l \to J_n \times \{0, 1\}^l$, $\quad E_n(x, m_1 \ldots m_l) = (x_l, b_1 \ldots b_l)$,

where $x_0 = x$, $x_i = E_n^1(x_{i-1}, m_i)$, $b_i = E_n^2(x_{i-1}, m_i)$, $i = 1, 2, \ldots, l$. The generalized $E_n$ is also invertible and its inverse is still denoted by $D_n$.

Now let $k$ (an even number) be the security parameter. The new probabilistic public key cryptosystem works as follows:

(1) it randomly selects two distinct primes $p$ and $q$ such that $p \equiv q \equiv 3 \pmod 4$ and $|p| = |q| = k/2$,
(2) sets $n = pq$,
(3) picks $y$, a quadratic nonresidue mod $n$, and finally,
(4) outputs $(n, y)$ and $\{p, q\}$.

Some user, say A, publicizes the pair $(n, y)$ and keeps secret the pair $\{p, q\}$.

Encryption: Suppose some user B wants to send a binary message $m = m_1 \ldots m_l$ to A. Then he encrypts $m$ as follows:

(1) Randomly selects an $x \in J_n$ and sets $z = x$.
(2) Performs step (3) for $i = 1, 2, \ldots, l$.
(3) $(z, b_i) := E_n(z, m_i)$.
(4) Sends A the ciphertext $E_n(x, m) = (z, b_1 \ldots b_l)$.

Encrypting an $l$-bit long message $m$ takes $O(l k^2)$ time, and $m$ is transformed into an $(l + k - 1)$-bit long ciphertext. So the message expansion is $1 + (k-1)/l$, which is much less than $k$ (the message expansion of Goldwasser and Micali's scheme).

Decryption: Upon receiving the ciphertext $(z, b_1 \ldots b_l)$, user A decrypts it as follows:

(1) Performs step (2) for $i = l, l-1, \ldots, 1$.
(2) $(z, m_i) := D_n(z, b_i)$.
(3) Gets the message $m = m_1 \ldots m_l$.

Recovering $m$ ($|m| = l$) from its ciphertext takes $O(l k^3)$ time. Using the proof techniques in [3] and [6], we can prove the following

Theorem. The cryptosystem introduced above is polynomially secure.

Proof. The proof is tediously long and omitted here.

4. Applications

To sign a message $m$, we randomly select an $x \in J_n$ and form
$$S(m) = (m,\ D_n(x, m)).$$
$S(m)$ will be the signature of $m$. Of course this simple signature is not strong. By computing $E_n(z, b) = (x, m)$, the forger can easily forge the signature of an (unpredictable) message $m$. This is the so-called "chosen signature attack" and can be prevented in several ways. One way is as follows: randomly select $x, y \in J_n$, $x \ne y$, and let $S(m) = (m,\ D_n(x, m),\ D_n(y, m))$. This time forging the signature of even an unpredictable message $m$ requires finding $w, z \in J_n$, $b, b' \in \{0, 1\}^*$, such that $E_n(w, b) = E_n(z, b')$, and this seems impossible.

Note that in the above mentioned signature scheme, the signature of $m_1 \ldots m_i$ or $m_i \ldots m_l$ for any $i$ ($1 \le i \le l$) can be easily obtained when the signature of $m_1 \ldots m_l$ is known. But we may avoid this danger by letting, for example,
$$S(m_1 \ldots m_l) = (m_1 \ldots m_l,\ D_n(x, m_1 \ldots m_l),\ D_n(y, m_{l/2+1} \ldots m_l\, m_1 \ldots m_{l/2})).$$
Clearly various signature schemes can be devised based on our new public key cryptosystem. We leave the open problem of implementing a concrete signature scheme, together with a rigorous security proof.
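An added worked implementation in Python (not the authors' code) of $E_n$, $D_n$, their $l$-bit generalizations, the encryption and decryption of Section 3, and the simple signature $S(m) = (m, D_n(x, m))$ of Section 4 together with the forgery the paper describes against it: pick $(z, b)$ at random and compute $E_n(z, b) = (x, m)$, which makes $(z, b)$ a valid signature of the unpredictable message $m$. The toy primes $p = 10007$, $q = 10039$ are far too small for any real use. One check that is not stated on the page but that a practitioner needs: $y$ must be a nonresidue with Jacobi symbol $+1$ (as in Goldwasser-Micali), since otherwise $x^2 y \bmod n$ has Jacobi symbol $-1$ and leaves $J_n$, contradicting the stated range of $E_n$; the code therefore picks the smallest such $y$. The class name HeLu and all helper names are ours.

```python
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_prime(v):
    """Trial division; enough for the toy-sized primes used here."""
    return v > 1 and all(v % d for d in range(2, int(v ** 0.5) + 1))


class HeLu:
    """Toy instance of the scheme over n = pq with p = q = 3 (mod 4)."""

    def __init__(self, p, q):
        assert p != q and all(is_prime(v) and v % 4 == 3 for v in (p, q))
        self.p, self.q, self.n = p, q, p * q
        # Assumption (needed for E_n to map into J_n): y is a nonresidue whose Jacobi
        # symbol is +1, i.e. a nonresidue modulo both p and q.
        self.y = next(v for v in range(2, self.n)
                      if jacobi(v, self.n) == 1 and not self.is_qr(v))
        self.y_inv = pow(self.y, -1, self.n)

    def is_qr(self, z):                       # private-key operation (needs p, q)
        return (pow(z, (self.p - 1) // 2, self.p) == 1
                and pow(z, (self.q - 1) // 2, self.q) == 1)

    def in_J(self, x):
        """J_n = {x : 1 <= x <= n/2 and (x/n) = +1}; n is odd, so n//2 < n/2."""
        return 1 <= x <= self.n // 2 and jacobi(x, self.n) == 1

    def sqr(self, z):
        """The unique square root of z in J_n (Lemma 2): CRT over the four roots."""
        p, q, n = self.p, self.q, self.n
        rp, rq = pow(z, (p + 1) // 4, p), pow(z, (q + 1) // 4, q)
        for sp in (rp, p - rp):
            for sq in (rq, q - rq):
                r = (sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % n
                if self.in_J(r):
                    return r
        raise ValueError("z is not a quadratic residue mod n")

    def random_J(self, rng):
        while True:
            x = rng.randrange(1, self.n // 2 + 1)
            if self.in_J(x):
                return x

    def E(self, x, bit):                      # one-bit map E_n: (x, m) -> (x', b)
        w = x * x % self.n if bit == 0 else x * x * self.y % self.n
        return (w, 0) if 2 * w < self.n else (self.n - w, 1)

    def D(self, z, j):                        # one-bit inverse D_n, all four cases
        if j == 1:
            z = self.n - z                    # undo the reflection -w mod n
        if self.is_qr(z):
            return self.sqr(z), 0             # z = x^2
        return self.sqr(z * self.y_inv % self.n), 1    # z = x^2 y

    def E_seq(self, x, bits):                 # generalized E_n(x, m_1...m_l) = (x_l, b_1...b_l)
        z, tags = x, []
        for m in bits:
            z, b = self.E(z, m)
            tags.append(b)
        return z, tags

    def D_seq(self, z, tags):                 # generalized D_n, i = l, l-1, ..., 1
        bits = []
        for b in reversed(tags):
            z, m = self.D(z, b)
            bits.append(m)
        return z, bits[::-1]

    def encrypt(self, bits, seed=None):       # Section 3: ciphertext (z, b_1...b_l)
        return self.E_seq(self.random_J(random.Random(seed)), bits)

    def decrypt(self, z, tags):               # returns (x, m_1...m_l)
        return self.D_seq(z, tags)

    def sign(self, bits, seed=None):          # Section 4: S(m) = (m, D_n(x, m)); returns D_n(x, m)
        return self.D_seq(self.random_J(random.Random(seed)), bits)

    def verify(self, bits, sig):
        w, c = sig
        return self.in_J(w) and self.E_seq(w, c)[1] == bits

    def forge(self, l, seed=None):
        """Existential forgery from the paper: random (z, b), E_n(z, b) = (x, m) signs m."""
        rng = random.Random(seed)
        w, c = self.random_J(rng), [rng.randrange(2) for _ in range(l)]
        return self.E_seq(w, c)[1], (w, c)
```

Decryption needs the square-root step and therefore the factors of $n$; encryption and signature verification use only $(n, y)$. The forgery succeeds with certainty because verification is just the public map $E_n$, which is why the paper immediately proposes the two-seed variant.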

References

[1] S. Goldwasser and S. Micali, Probabilistic encryption, Journal of Computer and System Sciences 28 (1984), 270-299.

[2] A. Yao, Theory and application of trapdoor functions, Proceedings of the 23rd Annual Symposium on Foundations of Computer Science, 1982, 80-91.

[3] S. Micali, C. Rackoff, and B. Sloan, The notion of security for probabilistic cryptosystems, CRYPTO 86, 381-392.

[4] R. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Comm. ACM 21 (1978), 120-126.

[5] M. Blum and S. Goldwasser, An efficient probabilistic public-key encryption scheme which hides all partial information, CRYPTO 84, 289-299.

[6] L. Blum, M. Blum, and M. Shub, A simple unpredictable pseudo-random number generator, SIAM J. Computing 15:2, 1986, 364-383.


PUBLIC QUADRATIC POLYNOMIAL-TUPLES FOR EFFICIENT SIGNATURE-VERIFICATION AND MESSAGE-ENCRYPTION

Tsutomu Matsumoto and Hideki Imai

Division of Electrical and Computer Engineering, YOKOHAMA NATIONAL UNIVERSITY, 156 Tokiwadai, Hodogaya, Yokohama, 240 Japan

Abstract. This paper discusses an asymmetric cryptosystem $C^*$ which consists of public transformations of complexity $O(m^2 n^3)$ and secret transformations of complexity $O((mn)^2 (m + \log n))$, where each complexity is measured in the total number of bit-operations for processing an $mn$-bit message block. Each public key of $C^*$ is an $n$-tuple of quadratic $n$-variate polynomials over $GF(2^m)$ and can be used for both verifying signatures and encrypting plaintexts. This paper also shows that for $C^*$ it is practically infeasible to extract the $n$-tuple of $n$-variate polynomials representing the inverse of the corresponding public key.

I. INTRODUCTION

With the aid of public-key cryptography, how much computation is sufficient to keep the authenticity and the confidentiality of digital data? Reducing the computational complexity implies wider and deeper utilization of the fascinating nature of public-key cryptography. This paper gives an answer to this challenging question by constructing an asymmetric cryptosystem $C^*$ (called c-star) which consists of public transformations of complexity $O(m^2 n^3)$ and secret transformations of complexity $O((mn)^2 (m + \log n))$, where each complexity is measured in the total number of bit-operations for processing a message block of $mn$ bits.

Each public key of $C^*$ is an $n$-tuple

C.G. Günther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 419-453, 1988. © Springer-Verlag Berlin Heidelberg 1988

Page 391: Advances in Cryptology — EUROCRYPT ’88: Workshop on the Theory and Application of Cryptographic Techniques Davos, Switzerland, May 25–27, 1988 Proceedings

420

of quadratic n-variate polynomials over K = GF(2m) , and the corre- sponding public transformation translates a message block ( E K“ into another message block 77 E K”, by evaluating F at (. Here the term “quadratic polynomials ” means “polynomials of degree 2”, and the de- gree d e g ( P ) of a polynomial

P(Z0, ...) Z,4) = C { P : o. . . i ,_ l z ~ . . . Z B - * ~ i o , . . . , i , _ l %,-I 2 O},

is determined by


On the other hand, Fell and Diffie [6] have proposed an approach of combining a DES-like structure with multivariate polynomials, and concluded that their approach seems not to produce polynomial-tuples satisfying request (2), since the degrees of the original and the inverse polynomial-tuple are the same. Here, the degree deg(Q) of a polynomial-tuple Q = [Q^(0), ..., Q^(t-1)] is defined as max{deg(Q^(j)) | j = 0, ..., t-1}.

Also, Zhou [7,8] has proposed a cryptosystem using polynomial-tuples over GF(2) constructed by a method similar to Fell's and Diffie's.

However, at least by the method due to Matsumoto et al., it is possible to systematically construct low-degree multivariate polynomial-tuples whose inverse polynomial-tuples have very high degree. Actually, this paper shows that for C* it is practically infeasible to extract the n-tuple G of n-variate polynomials representing the inverse of the corresponding public key F.

In the following, Chapter II describes the definition of the asymmetric cryptosystem C* and three important theorems for it. Chapter III develops concrete algorithms for implementing C* and proves Theorem 2, which states the operational complexity of C*. Chapter IV describes the process of deriving C* and proves both Theorem 1, which states the consistency of the definition of C*, and Theorem 3, which guarantees a certain security aspect of C*. Chapter V concludes the paper.

II. THE PROPOSED ASYMMETRIC CRYPTOSYSTEM

Definition 1. The asymmetric cryptosystem C* is defined by the following public items P1, ..., P5 and secret items S1, ..., S4.

[Public Items]

P1. A positive integer m and an integer n ≥ 3, but n ≠ 4;

P2. A finite field K of order q = 2^m with an adder and a multiplier;

P3. The set of message blocks K^n, which is the n-dimensional vector space consisting of all n-tuples over K;

P4. Each public key is an n-tuple F of quadratic n-variate polynomials over K;

P5. The public transformation algorithm PA, which transforms a message block ξ ∈ K^n into another message block η = PA(F, ξ) ∈ K^n by evaluating F at ξ.


[Secret Items]

S1. A v-degree extension field L_(v) of K and a K-isomorphism ψ_(v) from K^v to L_(v), for each integer v = (2λ + 1)2^ρ with λ ≥ 1 and ρ ≥ 0;

S2. Each secret key is a tuple Γ = [S_R, T_R, π, Θ]:

S2-1. Two n-tuples S_R and T_R of n-variate polynomials of degree one over K, representing affine bijections s^{-1} and t^{-1} on K^n;

S2-2. A partition π = [n_1, ..., n_d] of the integer n such that

n = n_1 + ... + n_d,

where d ≥ 1 and n_i = (2λ_i + 1)2^{ρ_i} with λ_i ≥ 1 and ρ_i ≥ 0;

S2-3. The π determines a bijection p : K^n → K^{n_1} × ... × K^{n_d} and projections p_i : K^n → K^{n_i} (i = 1, ..., d), where p_i picks out the coordinates with indices a_{i-1}, ..., a_i - 1 and a_i = Σ_{j=1}^{i} n_j;

S2-4. A tuple Θ = [θ_1, ..., θ_d] of positive integers, where θ_i = b_i 2^{ρ_i} with 1 ≤ b_i ≤ λ_i;

S3. The structure of the public key: F represents the composite function f : K^n → K^n,

f = t ∘ p^{-1} ∘ [ψ_(n_1)^{-1}, ..., ψ_(n_d)^{-1}] ∘ [e_1, ..., e_d] ∘ [ψ_(n_1), ..., ψ_(n_d)] ∘ p ∘ s,

where e_i is the bijection of L_(n_i) whose inverse is computed by the powering in step 3 of SA below, namely e_i(z) = z^{h_i} with h_i = 1 + q^{θ_i};

S4. The secret transformation algorithm SA, which outputs ξ = SA(Γ, η):

step 1 {Affine transformation}: Evaluate T_R at η ∈ K^n to obtain v = T_R(η) ∈ K^n;

step 2 {Separation}: Compute p_1(v) ∈ K^{n_1}, ..., p_d(v) ∈ K^{n_d} from v ∈ K^n, i.e., split up a tuple of length n into d subtuples of lengths n_1, ..., n_d;

step 3 Execute the following steps for i = 1 to d:

(i-1) {Decoding}: According to the base of L_(n_i) determined by the K-isomorphism ψ_(n_i), translate the n_i-tuple p_i(v) into an element z_i = ψ_(n_i)(p_i(v)) of L_(n_i);

(i-2) {Powering}: Compute $w_i = z_i^{\tilde h_i} \in L_{(n_i)}$ from z_i ∈ L_(n_i), where $\tilde h_i$ is the multiplicative inverse of h_i = 1 + q^{θ_i} modulo q^{n_i} - 1;

(i-3) {Encoding}: Compute the vector representation ψ_(n_i)^{-1}(w_i) ∈ K^{n_i} of w_i ∈ L_(n_i);

step 4 {Concatenation}: Compute u = p^{-1}(ψ_(n_1)^{-1}(w_1), ..., ψ_(n_d)^{-1}(w_d)) ∈ K^n, i.e., concatenate the d subtuples of lengths n_1, ..., n_d into a tuple of length n;

step 5 {Affine transformation}: Evaluate S_R at u ∈ K^n to obtain ξ = S_R(u) ∈ K^n.

The validity of Definition 1 is checked and summarized as the following theorem.

Theorem 1. For every appropriate pair [F, Γ] of keys of C*,

PA(F, SA(Γ, η)) = η for any η ∈ K^n, and SA(Γ, PA(F, ξ)) = ξ for any ξ ∈ K^n.

(Proof) See Chapter IV.

We can develop concrete algorithms for C* and have the following.

Theorem 2. The size of a message block: S_MB = mn [bit].

The description length of
- a secret key: D_SK ≈ 2mn^2 [bit];
- a public key: D_PK ≈ (1/2) mn^3 [bit].

The circuit-size complexity (measured in the number of GF(2)-operations for one message block) of
- the secret key generation: C_SKG = O(m^2 n^2);
- the public key generation: C_PKG = O(m^2 n^4);
- the secret transformation: C_SA = O(m^2 n^2 (m + log n)) ( = O(m^2 n (m + n)) if n = O(d) );
- the public transformation: C_PA = O(m^2 n^3) ( = O(m^2 n^{2+ε}), 0 < ε ≤ 1, if n blocks are transformed at a time).

(Proof) See Chapter III.

Suppose that P is an n'-tuple of n-variate polynomials. Define a function τ_up by

$$\tau_{up}(P) = n' \binom{n + \deg(P)}{\deg(P)}.$$

It can be easily shown that the total number of nonzero terms of P, denoted by τ(P), is always less than or equal to τ_up(P).

For the security of C*, the next theorem shows that it is practically infeasible for large n to extract the n-tuple G of n-variate polynomials representing the inverse of the function represented by the corresponding public key F.

Theorem 3. The degree of the n-variate n-tuple G satisfies:

- -q 5 deg(G) 5 2 { ( 4 - 1)nd f 1)- 27-1 - 1 1

In particular, if n_d is odd and gcd(θ_d, n_d) = 1, the rightmost inequality becomes an equality, and an upper bound τ_up(G) on the number of terms in G satisfies

where e is Napier's number 2.718...

(Proof) See Chapter IV.


Besides the above aspect, we must discuss the complexity of deducing a secret key by decomposing the corresponding public key; the period of the public transformation, which reflects the robustness of the system against the iteratively-transforming attack; the relation between bit-security and block-security; etc.

For small values of the parameters m and n, we have some experimental results showing that there seem to be no apparent clues to reduce the complexities of the above-mentioned attacks. However, more advanced theories will be necessary to confirm this circumstantial evidence.

In our present point of view, if the parameters are set to 1 ≤ m ≤ 32, 32 ≤ n ≤ 64, and 64 ≤ mn, then C* can achieve both high security and great realizability.

III. ALGORITHMS FOR C* AND THEIR COMPLEXITY

III-1. Secret Key and Its Generation

As defined in Definition 1, a secret key for C* consists of four parts: two n-tuples of linear n-variate polynomials S_R and T_R, a partition π = [n_1, ..., n_d] of n, and a tuple of integers Θ = [θ_1, ..., θ_d].

First, we consider S_R and T_R. Let B represent either of them. B can be represented by an n-tuple B_c over K and an n-dimensional square matrix B_t as follows:

B is bijective iff the matrix B_t is nonsingular.

As there are a great many nonsingular matrices, B_t can be found by trial and error. However, it will be shown in Section III-3 that to generate a public key we have to solve the following linear system in x_0, ..., x_{n-1}:

Hence we can use an excellent method, the LDU decomposition method. That is, we first select an n-dimensional lower triangular matrix L over K whose diagonal components are all 1, an n-dimensional diagonal matrix D over K whose diagonal components are all non-zero, and an n-dimensional upper triangular matrix


U over K whose diagonal components are all 1, then form their product

B_t = LDU.

B_t is nonsingular, since L, D and U are all nonsingular. Of course, there are other nonsingular matrices not expressible by the above formula, but that part is very small. Using L, D and U instead of B_t, solving the system (1) becomes fairly convenient.

Obviously, it requires mn(n + 1) [bit] to describe B. Further, it requires 2 Σ_{i=1}^{d} log n_i [bit] to describe π and Θ, which cannot exceed n [bit]. Thus, we have the following estimates:

D_SK {the description length of a secret key of C*} = (2m(n + 1) + 1) n [bit] ≈ 2mn^2 [bit],

C_SKG {the circuit-size complexity of secret key generation of C*} = O(m^2 n^2) [GF(2)-operation].

III-2. The Secret Transformation Algorithm

The secret transformation algorithm SA consists of (step 1) to (step 5) outlined in Definition 1. The running time of (step 1) and (step 5), which perform affine transformations, is clearly O(m^2 n^2) [GF(2)-operation]. Compared with the other steps, the running time of (step 2), (step 3-i-1), (step 3-i-3) and (step 4) can be neglected. What remains to be investigated is the concrete algorithm which performs the powering in (step 3-i-2), and its complexity. Taking advantage of features of $\tilde h_i$, this section constructs an efficient algorithm for the powering.

First, we have the following theorem.

Theorem 4. For integers m, q, ℓ, r, n, b and θ satisfying m > 0, q = 2^m, ℓ > 0, r ≥ 0, n = (2ℓ + 1)2^r, 0 < b ≤ ℓ, θ = b2^r, the integer h = 1 + q^θ possesses a multiplicative inverse element $\tilde h$ modulo (q^n - 1), which can be expressed as

$$\tilde h \equiv \Bigl\{\Bigl(\sum_{i=0}^{m-1} 2^i\Bigr)\Bigl(\sum_{j=0}^{\theta-1} q^j\Bigr)\Bigl(\sum_{k=0}^{\ell-1} q^{2\theta k}\Bigr) + q^{2\theta\ell}\Bigr\} \cdot q^{\theta-1} \cdot 2^{m-1} \pmod{q^n - 1}. \qquad (2)$$


Proof: We notice that
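The scan loses the proof after "We notice that"; the following verification of (2), written with the theorem's own symbols, is an added derivation and not the paper's text.

Since $q - 1 = 2^m - 1$,
$$\Bigl(\sum_{i=0}^{m-1} 2^i\Bigr)\Bigl(\sum_{j=0}^{\theta-1} q^j\Bigr) = (2^m - 1)\,\frac{q^\theta - 1}{q - 1} = q^\theta - 1 .$$
Put $x = q^\theta$ and let $A$ denote the braced quantity in (2), so that $A = (x - 1)\sum_{k=0}^{\ell-1} x^{2k} + x^{2\ell}$. Then
$$(1 + x)A = (x^2 - 1)\sum_{k=0}^{\ell-1} x^{2k} + x^{2\ell} + x^{2\ell+1} = 2x^{2\ell} + x^{2\ell+1} - 1 .$$
Because $\theta(2\ell + 1) = b\,2^r(2\ell + 1) = bn$, we have $x^{2\ell+1} = q^{bn} \equiv 1 \pmod{q^n - 1}$, hence $(1 + x)A \equiv 2x^{2\ell}$, and therefore
$$h \cdot A\, q^{\theta-1}\, 2^{m-1} \equiv x^{2\ell}\, q^{\theta-1}\, 2^m = x^{2\ell} q^{\theta} = x^{2\ell+1} \equiv 1 \pmod{q^n - 1},$$
which says exactly that the right-hand side of (2) is the inverse $\tilde h$ of $h$.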

From this theorem we see that the $\tilde h$th power of an element of a finite field L of order q^n can be computed from the (Σ_{i=0}^{a-1} b^i)th and the b^a th powers of the element, for suitable a and b.

Let us consider evaluating the (Σ_{i=0}^{a-1} b^i)th power. For example, we can use the fact that

$$\sum_{i=0}^{6} b^i = \bigl((b^2 + 1)b^2 + 1\bigr)(b + 1)\,b + 1 \qquad (3)$$

to compute $z^{\sum_{i=0}^{6} b^i}$, the (Σ_{i=0}^{6} b^i)th power of z, by the following algorithm:

(step 1) y ← z;
(step 2) y ← y^{b^2} · y;
(step 3) y ← y^{b^2} · z;
(step 4) y ← y^b · y;
(step 5) y ← y^b · z;
(step 6) z ← y.


This algorithm requires 4 multiplications and 4 evaluations of the b^k th power (where k is a suitable positive integer). The latter operations require about 6 b-th powerings in total.

Similarly, for general Σ_{i=0}^{a-1} b^i, evaluating the (Σ_{i=0}^{a-1} b^i)th power can be completed by using a formula like (3). The complexity is estimated as follows.

Theorem 5. For two positive integers a and b, evaluating the (Σ_{i=0}^{a-1} b^i)th power can be accomplished in

(i) ⌊log_2 a⌋ + W_2(a) - 1 multiplications;

(ii) ⌊log_2 a⌋ + W_2(a) - 1 evaluations of the b^k th power,

where k is a suitable positive integer and W_2(a) denotes the 2-weight of a, defined by

W_2(a) = Σ{a_j | j = 0, 1, ...}

when the binary representation of a is

a = Σ{2^j · a_j | 0 ≤ a_j < 2, j = 0, 1, ...}.

Furthermore, if evaluating the b^k th power is done by evaluating the bth power iteratively, then (ii) can be expressed as

(ii') (a - 1) evaluations of the bth power.

Proof (sketch): For a general Σ_{i=0}^{a-1} b^i, we form the corresponding formula like (3). Counting the number of "+" appearing in the right hand side of the formula, we get (i) and (ii); summing the superscripts of b, we get (ii').

Corollary 1. For positive integers a and b, the complexity of evaluating the (Σ_{i=0}^{a-1} b^i)th power is estimated as "O(log a) multiplications", if the complexity of evaluating the bth power can be neglected as compared to that of multiplication.
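As an added worked example (not code from the paper), the following Python computes $\tilde h$ from formula (2) in the form reconstructed above, checks it against the defining relation h · h̃ ≡ 1 (mod q^n − 1) over a range of (m, θ, ℓ, r), and evaluates the (Σ_{i=0}^{a-1} b^i)th power by the same splitting that produces formula (3), counting multiplications and b^k-th powerings so the counts can be compared with Theorem 5. Multiplication and the b-th power map are passed in as callables; integers modulo a constructed p stand in for L, since only a commutative multiplication is needed for the count. The parameter names follow Theorems 4 and 5; the names of the functions are this example's own.

```python
# Added example (not the paper's code): Theorem 4's formula (2) for the secret exponent h~ and the
# operation counts of Theorem 5 for the (1 + b + ... + b^(a-1))-th power.  Parameter names follow
# the theorems: q = 2^m, n = (2l+1)*2^r, theta = b*2^r with 1 <= b <= l, h = 1 + q^theta.

def inverse_exponent(m, theta, l, r):
    """h~ = h^-1 mod (q^n - 1) computed from formula (2), not by an extended gcd."""
    q, n = 1 << m, (2 * l + 1) << r
    b, rem = divmod(theta, 1 << r)
    if rem or not 1 <= b <= l:
        raise ValueError("theta must be b * 2^r with 1 <= b <= l")
    s_two = sum(2 ** i for i in range(m))                    # 2^m - 1 = q - 1
    s_q = sum(q ** j for j in range(theta))                  # (q^theta - 1) / (q - 1)
    s_q2t = sum(q ** (2 * theta * k) for k in range(l))
    h_tilde = (s_two * s_q * s_q2t + q ** (2 * theta * l)) * q ** (theta - 1) * 2 ** (m - 1)
    return h_tilde % (q ** n - 1)

def formula_holds(m, theta, l, r):
    """Independent check of (2): h * h~ == 1 (mod q^n - 1)."""
    q, n = 1 << m, (2 * l + 1) << r
    return (1 + q ** theta) * inverse_exponent(m, theta, l, r) % (q ** n - 1) == 1

def sum_power(x, a, b, mul, pow_b):
    """x^(1 + b + ... + b^(a-1)) built the way formula (3) is, from the identities
    S(2k) = S(k) * (1 + b^k) and S(2k+1) = b * S(2k) + 1, where S(a) = sum of b^i for i < a.
    mul(u, v) multiplies, pow_b(u) raises to the b-th power; a b^k-th power is k iterated pow_b.
    Returns the power and the operation counts that Theorem 5 bounds."""
    counts = {"mul": 0, "pow_bk": 0, "pow_b": 0}
    def pow_bk(y, k):                         # one "evaluation of the b^k-th power", Theorem 5 (ii)
        counts["pow_bk"] += 1
        counts["pow_b"] += k                  # its cost in single b-th powerings, Theorem 5 (ii')
        for _ in range(k):
            y = pow_b(y)
        return y
    def rec(a):
        if a == 1:
            return x
        counts["mul"] += 1
        if a % 2 == 0:
            y = rec(a // 2)
            return mul(y, pow_bk(y, a // 2))  # x^S(k) * x^(S(k) * b^k)
        return mul(pow_bk(rec(a - 1), 1), x)  # x^(b * S(a-1)) * x
    return rec(a), counts

def theorem5_bound(a):
    """floor(log2 a) + W2(a) - 1: the multiplication count (and b^k-th power count) of Theorem 5."""
    return (a.bit_length() - 1) + bin(a).count("1") - 1
```

For the parameters of formula (3) (a = 7) the chain performs 4 multiplications, 4 b^k-th powers and 6 single b-th powers, matching the counts stated after the algorithm; for the smallest C* field, m = 2, θ = 1, ℓ = 1, r = 0 (q = 4, n = 3), formula (2) gives h̃ = 38, and indeed 5 · 38 = 190 ≡ 1 (mod 63).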

It is known [9] that, for the n-degree extension field L of a finite field K of order q, there always exists a base of L over K of the form [β, β^q, β^{q^2}, ..., β^{q^{n-1}}] (called a normal base). Let V(x) = [x_0, ..., x_{n-1}] ∈ K^n denote the (vector) representation of an element x of L by a normal base [β, β^q, β^{q^2}, ..., β^{q^{n-1}}], i.e., x is expressed as x = Σ_{i=0}^{n-1} x_i β^{q^i}. Now, for any integer k, we have

V(x^{q^k}) = cs_k(V(x)),

since x_i^q = x_i, where cs_k is a bijection on K^n and represents the k-step (right) cyclic shift operation.

By the use of this well-known fact, we see that the complexity of evaluating the q^k th power of an element of L can be neglected as compared to the complexity of L-multiplication (the multiplication of two elements of L), if elements of L are represented by using a normal base of L over K.

Assembling all the above results, we get an algorithm for evaluating the $\tilde h$th power over the field L of order q^n, where q, n and $\tilde h$ satisfy the conditions stated in Theorem 4.

[HPA : algorithm for evaluating the $\tilde h$th power]

PREREQUISITE: Each element of L is given in the form of a vector representation by a normal base of L over K.

PROCEDURE (Outline): Evaluate the $\tilde h$th power according to (2). Notice that evaluating the (Σ_{i=0}^{m-1} 2^i)th, the (Σ_{j=0}^{θ-1} q^j)th and the (Σ_{k=0}^{ℓ-1} q^{2θk})th powers is decomposed into L-multiplications and evaluations of 2^k th and q^k th powers of elements of L by using formulae like (3). Also, all the evaluations of the q^k th power are performed by cyclic shifts to the right.

The complexity of the algorithm HPA is estimated in the following theorem.

Theorem 6. For HPA, O(m + log n) L-multiplications are sufficient for evaluating the $\tilde h$th power of an element of L. Hence, the circuit-size complexity of HPA is

O(m^2 n^2 (m + log n)) [GF(2)-operation].


Proof: From Corollary 1, we know that evaluating the (Σ_{j=0}^{θ-1} q^j)th and the (Σ_{k=0}^{ℓ-1} q^{2θk})th powers can be performed in O(log θ) and O(log ℓ) L-multiplications, respectively. Since θ, ℓ < n/2, their sum is O(log n). We also know, from Theorem 5, that evaluating the (Σ_{i=0}^{m-1} 2^i)th power can be performed in at most m - 1 + ⌊log m⌋ + W_2(m) - 1 = O(m) L-multiplications. Further, evaluating the q^{2θℓ}th and the q^{θ-1}th powers can be done by cyclic shifts alone, hence their complexities can be neglected. Finally, evaluating the 2^{m-1}th power can be accomplished in (m - 1) multiplications. Summing all the above terms, we get the first half of the theorem. The second half of the theorem is obvious, since an L-multiplication can be done in O(m^2 n^2) operations over GF(2).

Thus, when the algorithm HPA is used for the powerings, the total circuit-size complexity C_SA of the secret transformation algorithm is estimated by

$$O(m^2 n^2) + \sum_{i=1}^{d} O\bigl(m^2 n_i^2 (m + \log n_i)\bigr) \quad [\mathrm{GF}(2)\text{-operation}].$$

The above estimate can be further condensed to

C_SA = O(m^2 n^2 (m + log n)) [GF(2)-operation].

In particular, if there is a constant c_0 independent of n such that n_i < c_0, i.e., if n = O(d), then Σ_{i=1}^{d} O(m^2 n_i^2 (m + log n_i)) = O(m^3 n), which implies that the circuit-size complexity of the secret transformation algorithm can be estimated by

C_SA = O(m^2 n (m + n)) [GF(2)-operation].

III-3. Public Key and Its Generation

A public key F of C* is an n-tuple of n-variate polynomials over K. So obviously we have

$$D_{PK} = m\,\tau_{up}(F)\ [\mathrm{bit}] = \tfrac{1}{2}\, m\, n\, (n+1)(n+2)\ [\mathrm{bit}] \approx \tfrac{1}{2}\, m n^3\ [\mathrm{bit}]$$


for the description length D_PK of a public key of C*. Next, we consider how to generate a public key F. F can be expressed by n-tuples F_c, F_i, F_ii, F_ij ∈ K^n as

$$F(x) = F_c + \sum_{i=0}^{n-1} F_i\, x_i + \sum_{i=0}^{n-1} F_{ii}\, x_i^2 + \sum_{0 \le i < j < n} F_{ij}\, x_i x_j , \qquad (5)$$

where F_ii = 0 when m = 1. Thus, we can first compute, according to the definition of the public transformation, the values of F at the points corresponding to several elements of K^n, then from these values find F_c, F_i, F_ii, F_ij by interpolation, and finally generate the desired F.

Now suppose that η_c ∈ K^n is the 0 vector, η_i ∈ K^n a vector whose ith (0 ≤ i < n) coordinate is 1 but all of the others are 0, and η_ij ∈ K^n a vector whose ith and jth (0 ≤ i < j < n) coordinates are 1 but all of the others are 0. When m ≥ 2, we have

When m = 1, we have

Hence, the n-tuple F of n-variate polynomials can be computed from


Applying this method, we have the following algorithm:

[PKG : algorithm for generating a public key]

(step 1) {Evaluating ζ = F(η) ∈ K^n at η = η_c, η_i, uη_i, η_ij (u ∈ K)}:

(step 1-1): Compute w ∈ K^n satisfying S_R(w) = η;

(step 1-2): Find p_i(w) ∈ K^{n_i} (1 ≤ i ≤ d);

(step 1-3): Execute the following steps for i = 1 to d:

(step 1-3-i-1): Find w_i = ψ_(n_i)(p_i(w)) ∈ L_(n_i);

(step 1-3-i-2): Compute z_i = w_i^{h_i} ∈ L_(n_i);

(step 1-3-i-3): Find ψ_(n_i)^{-1}(z_i) ∈ K^{n_i};

(step 1-4): Find u = p^{-1}(ψ_(n_1)^{-1}(z_1), ..., ψ_(n_d)^{-1}(z_d)) ∈ K^n;

(step 1-5): Find ζ ∈ K^n satisfying T_R(ζ) = u;

(step 2): Find F_c, F_i, F_ii, F_ij according to (6).

Using the matrices L, D and U, based on which S_R and T_R were computed in Section III-1, (step 1-1) and (step 1-5) can be executed in O(n^2) K-operations. According to Theorem 5, (step 1-3-i-2) can be executed in O(m^2 n_i^2) [GF(2)-operation]. Noticing that the complexities of the other steps can be neglected as compared to these, and that there are C(n+2, 2) points η in total, we can estimate the complexity of (step 1) by

$$\binom{n+2}{2}\Bigl\{2\,O(m^2 n^2) + \sum_{i=1}^{d} O(m^2 n_i^2)\Bigr\} = O(m^2 n^4) \quad [\mathrm{GF}(2)\text{-operation}].$$

From (6), the complexity of (step 2) is estimated as

n · O(m^2 n) + n · O(mn) + C(n, 2) · O(mn) = O(mn^2 (m + n)) [GF(2)-operation].

Thus we conclude that

C_PKG {the circuit-size complexity of public key generation of C*} = O(m^2 n^4) [GF(2)-operation].


III-4. Public Transformation Algorithm

As noted in Definition 1, the public transformation algorithm PA evaluates the polynomial tuple F at points of K^n. Let

be the vector corresponding to x = [x_0, ..., x_{n-1}] (its entries are the (1/2)n(n + 3) monomials x_i, x_i^2 and x_i x_j), and

be a (1/2)n(n + 3) × n matrix. Using x̃ and F̃, we can rewrite (5) as

F(x) = F_c + x̃ F̃.

So, to perform the public transformation we can first find x̃ and then find F(x). The complexity is

= O(m^2 n^3) [GF(2)-operation].

Furthermore, when performing the public transformation on n message blocks x^(0), ..., x^(n-1) in parallel, we can do it by computing A_0 + X̃ F̃ for the n × (1/2)n(n + 3) matrix X̃ = [x̃^(0), ..., x̃^(n-1)]^T and the n × n matrix A_0 = [F_c, ..., F_c]^T. A_0 + X̃ F̃ can be rewritten as

where X_i and A_i are n × n matrices satisfying X̃ = [X_1, ..., X_{(n+3)/2}] and F̃ = [A_1, ..., A_{(n+3)/2}]^T, respectively. Here, we can multiply two n × n matrices in O(n^{2+ε}) [K-operation] (0 < ε ≤ 1) by the use of various divide-and-conquer methods, say Strassen's. Thus, in this case, the circuit-size complexity of the public transformation for one block is

{((n + 3)/2) · O(n^{2+ε}) · O(m^2)} / n = O(m^2 n^{2+ε}) [GF(2)-operation].
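The following is an added worked example, written for this edition and not the paper's own code, of Definition 1's secret transformation SA, the interpolation-based public key generation of Section III-3 and the public transformation PA of Section III-4, at the smallest admissible parameters: K = GF(4) (m = 2), n = 3 = n_1 (so d = 1, λ_1 = 1, ρ_1 = 0, θ_1 = b_1 = 1, h_1 = 1 + q = 5 and h̃_1 = 38 mod 63). Choices the page leaves open, all assumptions of this example: L = K[y]/(y^3 + y + 1) with ψ the identity on coefficient vectors (a polynomial basis, so Frobenius is done by square-and-multiply rather than by the normal-basis shifts of III-2); the affine bijections are drawn by trial and error instead of the LDU method; the public key is interpolated directly from the secret composite f (which is what PKG's steps 1-1 to 1-5 compute); and u = a, a generator of GF(4), is the element used for the points uη_i. The check runs over all 64 message blocks and verifies both identities of Theorem 1 as well as the public-key length (1/2)mn(n+1)(n+2) = 60 bits of Theorem 2. One fact not from this page: the basic C* scheme was broken by Patarin at CRYPTO '95, so this is a study of the construction, not something to deploy.

```python
# Toy C* over K = GF(4): m = 2, n = 3, d = 1, theta_1 = 1.  Added example, not the paper's code.
import itertools, random
from functools import reduce

M, N, THETA = 2, 3, 1
Q = 1 << M                        # |K| = q = 4
H = 1 + Q ** THETA                # e(z) = z^h on L = GF(q^n); h = 5
H_INV = next(k for k in range(1, Q ** N) if H * k % (Q ** N - 1) == 1)   # h~ = 38, step (i-2)
KPOLY = 0b111                     # K = GF(2)[a]/(a^2 + a + 1); elements are ints 0..3, "+" is xor
LPOLY = [1, 1, 0]                 # L = K[y]/(y^3 + y + 1), i.e. y^3 = 1 + y; no root in GF(4), so irreducible
# Assumption: psi: K^3 -> L is the identity on coefficient vectors (polynomial basis, not a normal one).

def kmul(x, y):                   # multiplication in K: carry-less product, then reduction by KPOLY
    r = 0
    for i in range(M):
        r ^= (x << i) if y >> i & 1 else 0
    for i in range(2 * M - 2, M - 1, -1):
        r ^= (KPOLY << (i - M)) if r >> i & 1 else 0
    return r

def kinv(x):                      # 1/x = x^(q-2) for x != 0
    return reduce(lambda r, _: kmul(r, x), range(Q - 2), 1)

def vadd(u, v):                   # addition in K^n (also used for elements of L)
    return [a ^ b for a, b in zip(u, v)]

def lmul(u, v):                   # multiplication in L
    prod = [0] * (2 * N - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            prod[i + j] ^= kmul(a, b)
    for k in range(2 * N - 2, N - 1, -1):       # fold y^k (k >= n) using y^n = LPOLY(y)
        for j in range(N):
            prod[k - N + j] ^= kmul(prod[k], LPOLY[j])
    return prod[:N]

def lpow(u, e):                   # square-and-multiply (the paper's HPA of III-2 would replace this)
    r, base = [1] + [0] * (N - 1), u
    while e:
        r = lmul(r, base) if e & 1 else r
        base, e = lmul(base, base), e >> 1
    return r

def mat_vec(A, v):                # matrix-vector product over K
    return [reduce(lambda acc, ax: acc ^ kmul(*ax), zip(row, v), 0) for row in A]

def affine(f, v):                 # f = (matrix, constant): v -> A v + c
    return vadd(mat_vec(f[0], v), f[1])

def invert_matrix(A):             # Gauss-Jordan over K; None if A is singular
    n = len(A)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        aug[col] = [kmul(kinv(aug[col][col]), x) for x in aug[col]]
        for r in [r for r in range(n) if r != col and aug[r][col]]:
            aug[r] = [x ^ kmul(aug[r][col], y) for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_affine_pair(rng):      # an affine bijection and its inverse, by trial and error (Section III-1)
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    Ai = invert_matrix(A)
    if Ai is None:
        return random_affine_pair(rng)
    c = [rng.randrange(Q) for _ in range(N)]
    return (A, c), (Ai, mat_vec(Ai, c))          # inverse: v -> A^-1 v + A^-1 c (characteristic 2)

def interpolate(f):               # F_c, F_i, F_ii, F_ij of a quadratic f: K^n -> K^n from its values at
    u = 2                         # eta_c, eta_i, u*eta_i, eta_ij; u = a (neither 0 nor 1) is an assumption
    unit = lambda i: [int(j == i) for j in range(N)]
    Fc, c = f([0] * N), kinv(kmul(u, u) ^ u)               # c = 1/(u^2 - u)
    Fi, Fii, Fij = [None] * N, [None] * N, {}
    for i in range(N):
        A = vadd(f(unit(i)), Fc)                            # = F_i + F_ii
        B = vadd(f([kmul(u, x) for x in unit(i)]), Fc)      # = u F_i + u^2 F_ii
        Fii[i] = [kmul(c, b ^ kmul(u, a)) for a, b in zip(A, B)]
        Fi[i] = vadd(A, Fii[i])
    for i, j in itertools.combinations(range(N), 2):
        val = f(vadd(unit(i), unit(j)))                     # = F_c + F_i + F_j + F_ii + F_jj + F_ij
        Fij[(i, j)] = reduce(vadd, (Fc, Fi[i], Fi[j], Fii[i], Fii[j]), val)
    return Fc, Fi, Fii, Fij

def keygen(rng):                  # public key F and secret key [S_R, T_R] = [s^-1, t^-1]
    s, s_inv = random_affine_pair(rng)
    t, t_inv = random_affine_pair(rng)
    f = lambda xi: affine(t, lpow(affine(s, xi), H))        # f = t o psi^-1 o e o psi o s (item S3)
    return interpolate(f), (s_inv, t_inv)

def public_transform(F, x):       # PA: evaluate the quadratic tuple F at x
    Fc, Fi, Fii, Fij = F
    terms = [(x[i], Fi[i]) for i in range(N)] + [(kmul(x[i], x[i]), Fii[i]) for i in range(N)]
    terms += [(kmul(x[i], x[j]), coef) for (i, j), coef in Fij.items()]
    return reduce(vadd, ([kmul(mono, a) for a in coef] for mono, coef in terms), list(Fc))

def secret_transform(secret, eta):   # SA with d = 1: steps 2-4 collapse to the single powering
    s_inv, t_inv = secret
    return affine(s_inv, lpow(affine(t_inv, eta), H_INV))

def public_key_bits(F):           # compare with D_PK = (1/2) m n (n+1)(n+2) bits from Theorem 2
    return M * N * (1 + len(F[1]) + len(F[2]) + len(F[3]))

def check_theorem1(seed=1):       # both identities of Theorem 1 over all q^n = 64 message blocks
    F, secret = keygen(random.Random(seed))
    blocks = [list(xi) for xi in itertools.product(range(Q), repeat=N)]
    return all(secret_transform(secret, public_transform(F, xi)) == xi and
               public_transform(F, secret_transform(secret, xi)) == xi for xi in blocks)
```

Because ψ is K-linear and z ↦ z^q is K-linear on L, the map z ↦ z^{1+q} has quadratic coordinates over K, which is why the C(n+2, 2) = 10 interpolation points determine F exactly; with d = 1 the separation and concatenation steps of SA are trivial, and the exhaustive check is feasible only because q^n = 64 here.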

I11 -5. Collection of Main Results

Theorem 2 can be directly proved by the results of the above four sections.


Corollary 2. For C* with m ≈ n and mn = N, the parameters in Theorem 2 become:

Now we briefly compare C* with the RSA cryptosystem [10]. For the RSA system, the complexities of the secret transformation and the public transformation are both O(N^3) for a block of size N. When a particular secret key or public key is selected, the corresponding complexity can be reduced to less than O(N^3). However, it seems that, in general, we have no way to reduce both of them. As opposed to the above fact, the order of the complexity of the public transformation of C* is much lower than that of the RSA system. Also, for the RSA system, public and secret keys cannot be generated unless an integer with certain particular properties is found. For C*, keys can be easily generated.

The description length of a key for C* is greater than those of previous systems with the same block size. However, this is not always a demerit, because the total number of usable keys of C* is larger than theirs. Further, the large description length will not be a serious problem if public keys are kept by the corresponding owner after they are certified by the manager of the system or network and, when necessary, sent to others together with the certificates.

III-6. Implementation: Primary Results

Using a 32-bit microprocessor MC68020 (16.67 MHz) on a SONY NEWS UNIX workstation with programs written in the C language, our first implementation confirms that the algorithms SA and PA run at least at 100 Kbps for m = 8 and n = 32. Since these programs are not optimized, we may expect that C* can run much faster in the same environment.

Besides this, we have also been implementing C* using multiple transputers (T414, T800) with occam programs, and verifying high performance. Detailed results will appear in another paper.


IV. A THEORY OF POLYNOMIAL-TUPLE ASYMMETRIC CRYPTOSYSTEMS

In this chapter we discuss why we have stated C* as in Definition 1, and prove Theorem 1 and Theorem 3.

IV-0. Preliminaries

Basic concepts and notations used in this chapter are sketched in the following.

Finite Fields [9]. Let p be a prime, m and n positive integers, and q = p^m. Fix a finite field K of order q (i.e., with q elements). Denote by K^n the n-dimensional vector space over K, each element of which is an n-tuple over K. Determine an n-degree extension field L of K; L contains q^n elements. When L is taken as an n-dimensional vector space over K, L is isomorphic to K^n. The isomorphism between K^n and L will be denoted by a bijection ψ : K^n → L.

Polynomial Representations of Functions. Denote by L[u] the polynomial ring over L in the indeterminate u, and by (P(u)) the ideal generated by a polynomial P(u) ∈ L[u]. As shown in [11], any function f_1 : L → L can be represented by a univariate polynomial E(u) ∈ L[u], where E(u) is uniquely determined in the residue class ring L[u]/(u^{q^n} - u) (i.e., reduction mod (u^{q^n} - u) is applied). In other words, we always have f_1(ξ) = E(ξ) for every ξ ∈ L, and furthermore there is just one such E(u) which has no terms divisible by u^{q^n}. Such an E(u) is called the univariate polynomial representation of f_1 over L, and denoted by [f_1].

Similarly, functions f_2 : L → K^n, f_3 : K^n → L, and f_4 : K^n → K^n can be uniquely represented by a tuple of polynomials over L in the indeterminate u mod (u^{q^n} - u), a polynomial over L in the indeterminates x_0, ..., x_{n-1} mod (x_0^q - x_0, ..., x_{n-1}^q - x_{n-1}), and a tuple of polynomials over K in the indeterminates x_0, ..., x_{n-1} mod (x_0^q - x_0, ..., x_{n-1}^q - x_{n-1}), respectively. These items are called the univariate polynomial n-tuple representation of f_2 over L, the n-variate polynomial representation of f_3 over L, and the n-variate polynomial n-tuple representation of f_4 over K, and denoted by [f_2], [f_3] and [f_4], respectively.


Functions Represented by Algorithms. Polynomials or tuples of polynomials can be considered to be a kind of algorithm. In general, there are two sets I and J related to an algorithm A. When A outputs η ∈ J on input ξ ∈ I, we say A represents a function I → J, ξ ↦ η, and denote the function by {A}. For example, since the polynomial representation [f_1] of the function f_1 is considered to be an algorithm, it is apparent that {[f_1]} = f_1.

Functions on Integers. Let a be an integer greater than 1 and i a nonnegative integer. Denote the a-ary representation of i by

We define a function W_a on the nonnegative integers as follows:

W_a(i) = Σ{i_j | j = 0, 1, ...}.

W_a(i) is called the a-weight of i, which has the following properties:

(W1) If s ≥ 0, t ≥ 0 and 0 ≤ s + t < a, then

(W2) If 0 ≤ t < a, then

(W3) If s ≥ 0, t ≥ 0 and s + t = a^n - 1, then

Also, we define a function R_a from the positive integers to the nonnegative integers as follows:

R_a(i) = max{j ≥ 0 | i is divisible by a^j}.

R_a(i) is called the a-rank of i, which has the following properties:


(R1) R_a(i) is equal to the number of consecutive 0's appearing in the least significant digits of the a-ary representation of the positive integer i.

(R2) If a is a prime and s > 0 and t > 0, then R_a(s · t) = R_a(s) + R_a(t).

Functions from Polynomials to Integers. For a univariate polynomial E(u) = E_0 + E_1 u + E_2 u^2 + ... + E_d u^d, the exponential a-weight wt_a(E) of E is defined by

Besides this, we use the notations deg(P), τ(P), and τ_up(P) for a polynomial-tuple P as defined in Chapter I.

IV-1. Multivariate Equations and Cryptosystems

Imagine that we are to realize a public-key signature scheme, given an asymmetric cryptosystem with multivariate polynomial-tuples as public keys. Finding the valid signature x with respect to a message M and a public key F can be rephrased as solving the equation F(x) = M for x, given F and M. The essential idea behind the present research is that we can employ a system of multivariate algebraic equations as the equation F(x) = M. The grounds for it are that, in general, as briefly introduced in Chapter I, it is an extremely difficult problem to solve systems of multivariate algebraic equations. Of course, when given hints about a system, say some information on the structure of F, one may be able to solve the system quickly.

In the rest of this chapter, we will aim at constructing a system of multivariate algebraic equations F(x) = M. The system corresponds to an asymmetric cryptosystem supporting both authenticity and confidentiality, so we cannot say the system is a completely general one. But it should not be easy to get any hint for effectively solving the system of equations, i.e., the system should possess no apparent features. In a sense, the system should be a nearly random one.


IV-2. From Univariate Polynomials Into Tuples of Multivariate Polynomials

For our purposes, we require that the above tuple F of multivariate polynomials represents a bijection, and that the equation F(x) = M can be readily solved when given some knowledge about it. Hence, we take the following approach [4]: We begin our discussion by thinking about univariate polynomials. Coping with such polynomials is relatively easy. Then we transform them into multivariate ones. Several aspects have to be considered: (1) Tuples of multivariate polynomials must be made as random as possible; (2) It should be easy to estimate the size, and the like, of the resulting multivariate polynomial-tuples from the basic univariate polynomials.

Here is an idea. Following the way of thinking of the algorithm composition method proposed in [5], we consider a function f : K^n → K^n expressed as follows (K is a finite field of order q = p^m with prime p):

where s and t are affine bijections on K^n, n is a positive integer which can be partitioned into d positive integers satisfying n = n_1 + n_2 + ... + n_d, and L_i is an n_i-degree extension field of the field K. ψ_i is an isomorphism from K^{n_i} to L_i, and e_i a bijection on L_i. Further, p_i : K^n → K^{n_i} is the projection which maps [x_0, ..., x_{n-1}] ∈ K^n to [x_{(Σ_{j=1}^{i-1} n_j)}, ..., x_{(Σ_{j=1}^{i} n_j) - 1}] ∈ K^{n_i}, and p : K^n → K^{n_1} × ... × K^{n_d} is the bijection determined by p = [p_1, ..., p_d].

Apparently, the function f is a bijection. Now we establish an asymmetric cryptosystem which uses f as a public transformation.

Definition 2. Let K^n be the set of message blocks. The following system constitutes an asymmetric cryptosystem. The system is constructed by designating

(1) [f], an n-tuple of n-variate polynomials over K, as a public key;

(2) [t^{-1}], [e_1^{-1}], ..., [e_d^{-1}] and [s^{-1}] as a secret key;

(3) the evaluation of [f] as the public transformation algorithm;

(4) the operation series in the following order as the secret transformation algorithm:


(a) the evaluation of [t^{-1}],

(b) the projections due to p_i,

(c) the transformations due to ψ_i,

(d) the evaluations of [e_i^{-1}],

(e) the transformations due to ψ_i^{-1},

(f) the concatenation due to p^{-1}, and

(g) the evaluation of [s^{-1}].

This asymmetric cryptosystem will be called C,* for short.

IV-3. Degree of a Tuple of Multivariate Polynomials

Now, the size of a public key and the complexity of a public transformation of C,* can be estimated by the following formulae:

{The description length of a public key of C,*} = O(τ([f]) log_2 p) [bit],

{The complexity of a public transformation of C,*} = O(τ([f]) m^2) [GF(2)-operation].

Clearly, both the description length of a public key and the complexity of a public transformation are increasing functions of τ([f]), the number of terms in the n-tuple [f] (the public key) of n-variate polynomials. From the equations (7) and (8), we can see that [f] is hardly sparse, but dense in most cases. Thus, decreasing deg([f]), which dominates the upper bound τ_up([f]) of τ([f]), is strongly related to reducing the description length of a public key and the complexity of the public transformation.

Similarly, it is also true that in most cases the polynomial representation [f^{-1}] of a secret transformation f^{-1} of C,* is dense. Therefore, increasing deg([f^{-1}]), which dominates τ_up([f^{-1}]), is related to raising the number of terms τ([f^{-1}]), and also to raising tremendously the complexity of extracting the secret key from the public key [f] by the use of symbolic computation, interpolation, or other methods for solving algebraic equations.

First, we turn our attention to a basic theorem.

Theorem 7. Let $s$ and $t$ be any two affine functions on the vector space $K^n$, and let $E$ denote the set of all functions on the finite field $L$. We have the following (i), (ii) and (iii):


(i) For any $e \in E$,

$[e] = \text{constant} \iff [t \circ \psi^{-1} \circ e \circ \psi \circ s] = \text{constant}$.

(ii) For any $e \in E$,

(iii) If and only if both $s$ and $t$ are bijections, the following holds for all $e \in E$:

$[e] \ne \text{constant} \implies \deg([t \circ \psi^{-1} \circ e \circ \psi \circ s]) = \mathrm{wt}_q([e])$.

Proof (sketch): Proving this theorem is not difficult but wastes pages. So, we mention here only that the proof for general $q$ can be readily obtained from that for the case $q = 2$, which is described in [12]. □

Using Theorem 7, we can compute the degree of the multivariate polynomial tuple $[f]$ from the exponential $q$-weights of the univariate polynomials $[e_1], \ldots, [e_d]$. The computing method is described in the following theorem.

Theorem 8. For the bijection $f$ defined by (7) and (8), the following are true:

1) $\deg([f]) = \max\{\mathrm{wt}_q([e_i]) \mid i = 1, \ldots, d\}$

2) $\deg([f^{-1}]) = \max\{\mathrm{wt}_q([e_i^{-1}]) \mid i = 1, \ldots, d\}$.

Proof: Using a bijection $e : L \to L$, $g$ can be expressed as

From Theorem 7, we get

$\deg([g]) = \mathrm{wt}_q([e])$.

Also, from (7) and (9), $f$ can be expressed as

so, from Theorem 7 we have

(10) and (11) imply

Well, from (8) we have

and according to the definition of the degree of a tuple of polynomials, we have

$\deg([g]) = \max\{\deg([\psi_i^{-1} \circ e_i \circ \psi_i]) \mid i = 1, \ldots, d\}$. (13)

Further, from Theorem 7, we get

(12), (13) and (14) imply the first half of the theorem. The second half can be proved in the same way. □

IV -4. Univariate Monomials as Grounds

The functions $e_i$ are bijections expressed by univariate polynomials. Polynomials representing bijections are also called permutation polynomials, and it is well known that there are many kinds of such polynomials. However, in this paper we only deal with those $[e_i]$ which possess the simplest form, the monic monomials. Other forms of $[e_i]$ will be topics for further discussion. We do so for several reasons:

i) It is easy to judge whether a monic monomial represents a bijection or not;

ii) When the bijections $e_i$ are represented by monic monomials $[e_i]$, their inverse functions $e_i^{-1}$ are also represented by monic monomials $[e_i^{-1}]$, so it is easy to compute $[e_i^{-1}]$ from $[e_i]$;

iii) A monic monomial can be readily evaluated.


Now let $[e_i]$, $i = 1, \ldots, d$, be a monic monomial in the indeterminate $u$ over the finite field $L_i$ of order $q^{n_i}$, which takes the form

$[e_i](u) = u^{h_i}, \quad 0 < h_i < q^{n_i} - 1$. (15)

Since the exponents constitute a multiplicative semigroup of order $q^{n_i} - 1$, $e_i$ forms a bijection only when $h_i$ and $q^{n_i} - 1$ are relatively prime, i.e., only when $\gcd(h_i, q^{n_i} - 1) = 1$.

Furthermore, suppose that $0 < \bar{h}_i < q^{n_i} - 1$ is the multiplicative inverse element of $h_i$ modulo $(q^{n_i} - 1)$; then $[e_i^{-1}]$ forms a monic monomial in the indeterminate $v$:

$[e_i^{-1}](v) = v^{\bar{h}_i}, \quad 0 < \bar{h}_i < q^{n_i} - 1$. (16)

Since the exponential $q$-weights of $[e_i]$ and $[e_i^{-1}]$ are equal to the $q$-weights of $h_i$ and $\bar{h}_i$ respectively, Theorem 8 immediately implies a new theorem:

Theorem 9. For the bijection $f$ defined by (7), (8), (15) and (16), we have

1) $\deg([f]) = \max\{W_q(h_i) \mid i = 1, \ldots, d\}$

2) $\deg([f^{-1}]) = \max\{W_q(\bar{h}_i) \mid i = 1, \ldots, d\}$.

As mentioned at the beginning of Section IV-3, a small $\deg([f])$ but a large $\deg([f^{-1}])$ are desirable. Considering Theorem 9, we require that for all $i$, $W_q(h_i)$ is small, but for some $i$, $W_q(\bar{h}_i)$ is large.

Assume that $\deg([f]) = 1$. Now we have $W_q(h_i) = 1$ for all $i$, and also $W_q(\bar{h}_i) = 1$ for all $i$. This implies that $\deg([f^{-1}]) = 1$, which is not desirable. Hence, it is essential that $\deg([f]) \ge 2$. The rest of this chapter will be concerned with the case $\deg([f]) = 2$, which can be easily treated. The other cases will also be topics for further discussion.

IV-5. Utilizing Tuples of Quadratic Multivariate Polynomials

For simplicity of presentation, in this section we only treat the case $d = 1$, and instead of $n_i, \psi_i, L_i, e_i$ and $h_i$ we will use the notations $n, \psi, L, e$ and $h$. The results can be easily generalized to the cases $d \ge 2$.

As stated at the end of the last section, here we still assume $\deg([f]) = 2$, i.e., $W_q(h) = 2$. The following theorem can be easily obtained.


Theorem 10. Let $p$ be a prime integer, and let $m, n, q$ and $h$ be integers satisfying $m > 0$, $n > 0$, $q = p^m$, $0 < h < q^n - 1$, and $\gcd(h, q^n - 1) = 1$. Then $p = 2$ is a necessary condition for $W_q(h) = 2$.

Proof: Assume $q$ to be odd. When $W_q(h) = 2$, $h$ can be written as $h = q^j(1 + q^\theta)$, where $j$ and $\theta$ are nonnegative integers. Hence $h$ must be even. Also notice that $q^n - 1$ is apparently even. Thus $\gcd(h, q^n - 1)$ must be divisible by 2, which contradicts the assumption $\gcd(h, q^n - 1) = 1$. Therefore $q$ must be even. In other words, $p = 2$ is a necessary condition for $W_q(h) = 2$. □

In the sequel, we will always suppose that $p = 2$, i.e., $q = 2^m$.

Now that $W_q(h) = 2$, as mentioned in the proof of Theorem 10, $h$ can be expressed as

$h = q^j(1 + q^\theta)$

where $j$ and $\theta$ are nonnegative. Since $\psi^{-1} \circ (u^{q^j}) \circ \psi$ is a linear function, we can consider the function of raising to the $q^j$-th power together with the affine transformations $s$ and $t$, between which the function $e$ is inserted. So it suffices to consider the case $j = 0$, and $0 \le \theta \le \lfloor n/2 \rfloor$.

If $\theta = 0$, then $h = 2$. In this case, $e$ is a bijection since $\gcd(2, q^n - 1) = 1$. Now consider the $n$-variate $n$-tuple representation of the bijection $t \circ \psi^{-1} \circ e \circ \psi \circ s$ over $K$:

Since both $p = 2$ and $h = 2$, it is clear that each $P_i$ contains only constant terms and the terms $x_0^2, \ldots, x_{n-1}^2$. In this case, one can quickly solve the following system of quadratic multivariate polynomial equations in the indeterminates $x_0, \ldots, x_{n-1}$:

First, taking the system as a system of linear equations in the variables $x_0^2, \ldots, x_{n-1}^2$, one can readily solve the new system and get $x_0^2, \ldots, x_{n-1}^2$. Then, one can uniquely determine $x_i$ from $x_i^2$ (note that $p = 2$). The above algorithm (method) requires about $O(n^3)$ operations over the field $K$. So such a system is far from being a good cryptosystem.

Now let us further assume that $\theta \ne 0$.

From the above discussions, it becomes obvious that we can concentrate our attention upon the case $h = 1 + q^\theta$, $0 < \theta \le \lfloor n/2 \rfloor$. The function $e = (u^h)$ is a bijection iff $\gcd(h, q^n - 1) = 1$, which can be restated in another way:

Theorem 11. Let $m, q, \theta, n$ and $h$ be integers satisfying $m > 0$, $q = 2^m$, $0 < \theta < n$ and $h = 1 + q^\theta$. We have $\gcd(h, q^n - 1) = 1$ iff $R_2(\theta) \ge R_2(n)$, where $R_2(\theta)$ (resp. $R_2(n)$) is the 2-rank of $\theta$ (resp. $n$).

Proof: From Theorem A1 of the Appendix, $\gcd(h, q^n - 1) = \gcd(1 + 2^{m\theta}, 2^{mn} - 1) = 1$ is equivalent to $R_2(m\theta) \ge R_2(mn)$. According to the property (R2) of 2-rank functions, we have $R_2(m\theta) = R_2(m) + R_2(\theta)$ and $R_2(mn) = R_2(m) + R_2(n)$, which implies the theorem. □

According to Theorem 11, it is necessary that $n \ge 3$. Thus it suffices for us to consider those $\theta$ restricted by

$\theta = 2^\tau \cdot b$,

where $b$ is a positive integer, $\tau$ is a nonnegative integer and $\ell$ is a positive integer such that

$n = (2\ell + 1) \cdot 2^\tau, \quad \tau = R_2(n)$.

In this case, the $q$-weight of $\bar{h}$ can be calculated from the $q$-rank of $\bar{h}$, as is stated in the following theorem.

Theorem 12. For integers $m, q, \theta, n, h$ satisfying $m > 0$, $q = 2^m$, $0 \le \theta < n$, $h = 1 + q^\theta$, $\gcd(h, q^n - 1) = 1$, the $q$-weight of the multiplicative inverse element $\bar{h}$ of $h$ modulo $(q^n - 1)$ is given by:

$2 W_q(\bar{h}) = (q - 1)(n - R_q(\bar{h})) + 1$.


Proof: In the Appendix (Lemma A2), we have

and also from the Appendix (Lemma A3), we have

hence,

$2 W_q(\bar{h}) = (q - 1)(n - R_q(\bar{h})) + 1$,

and it proves the theorem. □

Corollary 3. Under Theorem 12, we have

Proof: $0 \le R_q(\bar{h}) \le n - 1$, since $0 < \bar{h} < q^n - 1$. Hence $1 \le n - R_q(\bar{h}) \le n$, which implies the corollary. □

Now we see that, fortunately, $W_q(\bar{h})$ can be increased greatly even when $W_q(h) = 2$. In certain special cases, the $q$-weight of $\bar{h}$ can be exactly calculated by using the following theorem.

Theorem 13. $R_q(\bar{h}) = 2^\tau - 1$ when $\gcd(b, 2\ell + 1) = 1$.

Proof: Since $(2\ell + 1)\theta = (2\ell + 1) 2^\tau b = nb$, we have

$q^{(2\ell + 1)\theta} \equiv 1 \pmod{q^n - 1}$.

Hence

$\bar{h} \equiv \frac{1}{2} \sum_{k=0}^{2\ell} q^{\theta k} (-1)^k \pmod{q^n - 1}$.

Let $Q = q^{2^\tau}$; the above equation becomes:

$\bar{h} \equiv \frac{1}{2} \sum_{k=0}^{2\ell} Q^{bk} (-1)^k \pmod{q^n - 1}$.

Since $\gcd(b, 2\ell + 1) = 1$, the multiplicative inverse element $\bar{b}$ of $b$ modulo $(2\ell + 1)$ exists. Assume that $j = (bk) \bmod (2\ell + 1)$; then $k$ can be expressed as $k = (\bar{b} j) \bmod (2\ell + 1)$. Hence

$\bar{h} \equiv \frac{1}{2} \sum_{j=0}^{2\ell} Q^{j} (-1)^{(\bar{b} j) \bmod (2\ell + 1)} \pmod{q^n - 1}$.

Using the relation $1 \equiv q \cdot q^{2^\tau - 1} \cdot Q^{-1} \pmod{q^n - 1}$, we get

$\bar{h} \equiv q^{2^\tau - 1} \cdot \frac{q}{2} \sum_{j=0}^{2\ell} Q^{j - 1} (-1)^{(\bar{b} j) \bmod (2\ell + 1)} \pmod{q^n - 1}$.

In other words, $\bar{h}$ can be written as

$\bar{h} \equiv q^{2^\tau - 1} \cdot \frac{q}{2} \cdot A \pmod{q^n - 1}$, where $A = \sum_{i=0}^{2\ell - 1} Q^{i} (-1)^{[\bar{b}(i + 1)] \bmod (2\ell + 1)} + Q^{2\ell}$.

Apparently, $A$ is not divisible by $q$. Also, we have

and

Therefore, from $0 < \bar{h} < q^n - 1$, we have

$\bar{h} = q^{2^\tau - 1} \cdot \frac{q}{2} \cdot A$, $q$ does not divide $A$

(Notice: not $\equiv$, but $=$). Hence $R_q(\bar{h}) = 2^\tau - 1$. □


From Theorem 12 and Theorem 13, it can be shown that, when $n$ is an odd integer $\ge 3$ ($\tau = 0$) and $\theta$ is relatively prime to $n$, the $q$-rank of $\bar{h}$ becomes zero, and the $q$-weight of $\bar{h}$ reaches its maximum $\frac{1}{2}((q - 1)n + 1)$. Thus, when $R_q(\bar{h}) = 0$, we get

where $e$ is the base of natural logarithms. The above inequality tells us that the $n$-variate polynomial $n$-tuple representation of the function

$f^{-1} = s^{-1} \circ \psi^{-1} \circ e^{-1} \circ \psi \circ t^{-1}$

contains a number of nonzero terms that grows approximately exponentially in $m$ and $n$, and writing down all those terms is practically impossible. The correctness of the inequality can be ascertained by a simple calculation using the definition of $\tau_u$, Theorem 9, Theorem 12, and Stirling's formula on factorials.
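The exponent arithmetic of Theorems 9, 11, 12 and 13 for the case $d = 1$, as an added Python example that is not part of the paper: it computes $\bar{h}$, $\deg([f]) = W_q(h)$ and $\deg([f^{-1}]) = W_q(\bar{h})$ from integers only. The function names are this example's own, and the bounds it checks after Theorem 12 are those the proof sketch of Corollary 3 gives.

```python
"""Added example (not the paper's code): the exponent arithmetic behind
Theorems 9, 11, 12 and 13 for d = 1, i.e. e(u) = u^h with h = 1 + q^theta
over GF(q^n), q = 2^m.  deg([f]) = W_q(h) and deg([f^-1]) = W_q(hbar), where
hbar is the inverse of h modulo q^n - 1, so only integer arithmetic is needed.
All function names are this example's own."""
from math import gcd


def q_weight(x: int, q: int) -> int:
    """W_q(x): digit sum of x written in base q."""
    w = 0
    while x:
        x, digit = divmod(x, q)
        w += digit
    return w


def q_rank(x: int, q: int) -> int:
    """R_q(x): largest r with q^r dividing x (x > 0); R_2 is the 2-rank."""
    if x <= 0:
        raise ValueError("rank needs a positive integer")
    r = 0
    while x % q == 0:
        x //= q
        r += 1
    return r


def is_permutation_exponent(h: int, q: int, n: int) -> bool:
    """u -> u^h permutes GF(q^n) iff gcd(h, q^n - 1) = 1 (Section IV-4)."""
    return gcd(h, q**n - 1) == 1


def theorem11(theta: int, n: int) -> bool:
    """gcd(1 + q^theta, q^n - 1) = 1 iff R_2(theta) >= R_2(n), for any q = 2^m."""
    return q_rank(theta, 2) >= q_rank(n, 2)


def theorem12_weight(hbar: int, q: int, n: int) -> int:
    """W_q(hbar) from R_q(hbar): 2 W_q(hbar) = (q - 1)(n - R_q(hbar)) + 1."""
    twice = (q - 1) * (n - q_rank(hbar, q)) + 1
    assert twice % 2 == 0, "Theorem 12 only applies to admissible h"
    return twice // 2


def theorem13_rank(n: int, theta: int):
    """R_q(hbar) = 2^tau - 1 when n = (2l+1) 2^tau, theta = 2^tau b and
    gcd(b, 2l+1) = 1; returns None when theta is not of that form."""
    tau = q_rank(n, 2)
    two_l_plus_1 = n >> tau
    b, rem = divmod(theta, 1 << tau)
    if rem or gcd(b, two_l_plus_1) != 1:
        return None
    return (1 << tau) - 1


def analyze(m: int, n: int, theta: int) -> dict:
    """Degrees of [f] and [f^-1] for q = 2^m, h = 1 + q^theta (Theorem 9, d = 1)."""
    q = 1 << m
    h = 1 + q**theta
    if not is_permutation_exponent(h, q, n):
        raise ValueError(f"u^{h} is not a bijection of GF({q}^{n})")
    if theta > 0:
        assert theorem11(theta, n)           # Theorem 11 agrees with the gcd test
    hbar = pow(h, -1, q**n - 1)              # exponent of e^-1(v) = v^hbar
    deg_f = q_weight(h, q)                   # = 2 for theta > 0: quadratic public key
    deg_f_inv = q_weight(hbar, q)            # dense secret representation
    rank = q_rank(hbar, q)
    assert deg_f_inv == theorem12_weight(hbar, q, n)
    # bounds implied by Theorem 12 and the proof sketch of Corollary 3,
    # which gives 1 <= n - R_q(hbar) <= n
    assert q // 2 <= deg_f_inv <= ((q - 1) * n + 1) // 2
    predicted = theorem13_rank(n, theta)
    if predicted is not None:
        assert rank == predicted
    return {"q": q, "h": h, "hbar": hbar, "rank": rank,
            "deg_f": deg_f, "deg_f_inv": deg_f_inv}


if __name__ == "__main__":
    for m, n, theta in ((1, 3, 1), (2, 3, 1), (1, 6, 2), (3, 5, 2)):
        print(m, n, theta, analyze(m, n, theta))
```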

IV-6. Proof of Theorem 1 and Theorem 3

In Sections IV-3, IV-4 and IV-5, we discussed in detail specializations of C,*. The resulting asymmetric cryptosystem is nothing but our C* defined in Definition 1. Therefore we can see that Theorem 1 really holds. The first half of Theorem 3 follows from Theorem 9 and Corollary 3 and from the fact that $n_1 \le \cdots \le n_d$. The second half of Theorem 3 immediately follows from the discussion made at the end of Section IV-5.

V. CONCLUDING REMARKS

On a basis different from the previous ones, this paper has proposed and analyzed an asymmetric cryptosystem C* which can serve for both digital signatures and encryption.

An advantage of C* over the previous asymmetric cryptosystems is that both secret and public transformations can be done in complexity much less than $O(N^3)$ for a message block of size $N$. Actually, we have implemented C* in the languages "C" and Occam on 32-bit microprocessors and verified the high performance of C*.

The description length of a key for C* is greater than that of previous systems with the same block size. However, this is not always a demerit, as mentioned in Section III-5.

Thus the present authors believe that C* is a cryptosystem worth investigating for everybody interested in high-speed cryptographic communications.


ACKNOWLEDGMENT

The authors wish to thank Youichi Takashima for his help in making numerical examples of C* and Yuliang Zheng for his kind interpretation of the Chinese papers [7, 8]. This work was supported in part by the Ministry of Education, Science and Culture under Grant-in-Aid for Encouragement of Young Scientists # 62750283.

REFERENCES

[1] Diffie,W. and Hellman,M.E., "New directions in cryptography," IEEE Transactions on Information Theory, IT-22, 6, pp.644-654, (Nov. 1976).

[2] Cardoza,E., Lipton,R. and Meyer,A.R., "Exponential space complete problems for Petri nets and commutative semigroups," Conf. Record of the 8th Annual ACM Symposium on Theory of Computing, pp.50-54, (1976).

[3] Garey,M.R. and Johnson,D.S., Computers and Intractability: A guide to the theory of NP-completeness, Freeman, (1979).

[4] Matsumoto,T., Imai,H., Harashima,H. and Miyakawa,H., "A class of asymmetric cryptosystems using obscure representations of enciphering functions," 1983 National Convention Record on Information Systems, IECE Japan, 58-5, (Sept. 1983) (in Japanese).

[5] Matsumoto,T., Harashima,H. and Imai,H., "A theory of constructing multivariate-polynomial-tuple asymmetric cryptosystems," Proceedings of 1986 Symposium on Cryptography and Information Security, E2, Susono, Japan, (Feb. 1986) (in Japanese).

[6] Fell,H. and Diffie,W., "Analysis of a public key approach based on polynomial substitution," Advances in Cryptology - CRYPTO '85, Springer, pp.340-349, (1986).

[7] Zhou,T., "Boolean public key cryptosystem of the second order," Journal of China Institute of Communications, Vol.5, No.3, pp.30-37, (July 1984) (in Chinese).

[8] Zhou,T., "A note on boolean public key cryptosystem of the second order," Journal of China Institute of Communications, Vol.7, No.1, pp.85-92, (Jan. 1986) (in Chinese).

[9] Lidl,R. and Niederreiter,H., Finite Fields, Addison-Wesley, (1983).

[10] Rivest,R.L., Shamir,A. and Adleman,L., "A method for obtaining digital signatures and public key cryptosystems," Communications of the ACM, Vol.21, No.2, pp.120-126, (Feb. 1978).

[11] Takahashi,I., "Switching functions constructed by Galois extension fields," Information and Control, Vol.48, pp.95-108, (1983).

[12] Matsumoto,T., Imai,H., Harashima,H. and Miyakawa,H., "A cryptographically useful theorem on the connection between uni and multivariate polynomials," Transactions of the Institute of Electronics and Communication Engineers, Vol.E68, No.3, pp.139-146, (March 1985).

APPENDIX

Lemma A1. If integers $a, b, c$ and $f$ satisfy $a > b > c \ge 0$ and $a = bf + c$, then

$\gcd(2^a \pm 1, 2^b + 1) = \gcd(2^b + 1, (-1)^f 2^c \pm 1)$,

$\gcd(2^a \pm 1, 2^b - 1) = \gcd(2^b - 1, 2^c \pm 1)$.

Proof: From $2^a \pm 1 = 2^{bf} 2^c \pm 1$ and

$2^{bf} = (\mp 1 + (2^b \pm 1))^f = \sum_{j=0}^{f} \binom{f}{j} (\mp 1)^j (2^b \pm 1)^{f - j} = (2^b \pm 1)\left\{\sum_{j=0}^{f-1} \binom{f}{j} (\mp 1)^j (2^b \pm 1)^{f - j - 1}\right\} + (\mp 1)^f$,

we get

$2^a \pm 1 = (2^b + 1)\left\{\sum_{j=0}^{f-1} \binom{f}{j} (-1)^j (2^b + 1)^{f - j - 1}\right\} 2^c + (-1)^f 2^c \pm 1$,

Theorem A1. If integers $a, b, d$ satisfy $a > 0$, $b > 0$, $d = \gcd(a, b)$, then

$\gcd(2^a + 1, 2^b - 1) = \begin{cases} 1; & R_2(a) \ge R_2(b) \\ 2^d + 1; & R_2(a) < R_2(b). \end{cases}$

Proof: By applying Lemma A1 iteratively, we can find that $\gcd(2^a + 1, 2^b - 1)$ is equal to $\gcd(2^d \pm 1, 2^0 + 1) = \gcd(2^d \pm 1, 2) = 1$ or to $\gcd(2^d \pm 1, 2^0 - 1) = \gcd(2^d \pm 1, 0) = 2^d \pm 1$. Now from the definition of $R_2$ and Lemma A1, we have

$R_2(a) < R_2(b) \implies R_2(a) = R_2(d) < R_2(b)$

$\implies R_2(a/d) = R_2(a) - R_2(d) = 0$ and $R_2(b/d) = R_2(b) - R_2(d) > 0$

$\implies (-1)^{a/d} = -1$ and $(-1)^{b/d} = 1$

$\implies \gcd(2^a + 1, 2^d + 1) = \gcd(2^d + 1, 2^0 + (-1)) = 2^d + 1$ and $\gcd(2^b - 1, 2^d + 1) = \gcd(2^d + 1, 2^0 - 1) = 2^d + 1$

$\implies (2^d + 1) \mid \gcd(2^a + 1, 2^b - 1)$,

which proves the theorem. □

Lemma A2. For integers $m, q, \theta, n$ and $h$ with $m > 0$, $q = 2^m$, $0 \le \theta < n$, $h = 1 + q^\theta$, $\gcd(h, q^n - 1) = 1$, the multiplicative inverse element $\bar{h}$ of $h$ satisfies

Proof: Let the $q$-ary representation of $\bar{h}$ be $\bar{h} = \sum_{i=0}^{n-1} q^i J_i$, $(0 \le J_i < q)$. By introducing an integer $k$, $(1 + q^\theta) \cdot \bar{h}$ can be written as $k(q^n - 1) + 1$. Hence,

$q^n - \bar{h} = q^\theta \bar{h} - (k - 1)(q^n - 1)$ (A2-2)

Because

we get

from (A2-2). Also, $q^n - \bar{h} < q^n - 1$ since $\bar{h} > 1$. Hence

which implies (A2-1). □

Lemma A3. If an integer $a$ satisfies $1 \le a \le q^n - 1$, then

where $\lambda = R_q(a)$.

Proof: We can uniquely determine a positive integer $b$ such that $a = q^\lambda \cdot b$ and $b$ is not divisible by $q$. Thus

Also, from $q^n - a = q^n - q^\lambda b = q^\lambda (q^{n - \lambda} - b)$, we get

Since $b$ is not divisible by $q$, and can be expressed as

by using the properties (W1) and (W2) of $W_q$, we get

i.e.,

$W_q(b) = W_q(b - 1) + 1$. (A3-3)

Furthermore, from $(b - 1) + (q^{n - \lambda} - b) = q^{n - \lambda} - 1$ and the property (W3) of $W_q$, we get

$W_q(b - 1) + W_q(q^{n - \lambda} - b) = (n - \lambda)(q - 1)$. (A3-4)

Thus, by (A3-1), (A3-2), (A3-3), and (A3-4), we have the following:

$W_q(a) + W_q(q^n - a) = W_q(b) + W_q(q^{n - \lambda} - b) = 1 + W_q(b - 1) + W_q(q^{n - \lambda} - b) = 1 + (n - \lambda)(q - 1)$. □


Some Applications of Multiple Key Ciphers

Colin Boyd, British Telecom,

Data Security Laboratory, 1, Cutler Street, Ipswich IP1 lW, UK.

Abstract

This paper describes an implementation of a cipher system with any number of keys which is a generalisation of the RSA cryptosystem. Three applications of such a cipher system are given. The general properties required for possible alternative implementations are discussed.

1 Introduction

The insight of Diffie and Hellman [6] was that the enciphering and deciphering keys of a cryptosystem need not be the same. Therefore a cryptosystem could have two keys, one of which would remain secret and the other would be made public. This has led to numerous applications such as digital signatures.

The aim in this paper is to investigate some of the consequences of generalising these ideas. We consider doing this in two ways. Firstly the number of keys in the cryptosystem can be increased to three or more. Secondly the different keys can be distributed to sets of users other than a single user or the set of all users.

We start off the paper with some general ideas about multiple-key ciphers and then consider some applications and how they fit in with these ideas. The applications considered in this paper are selective distribution of information to subsets of a group of users, digital signatures with more than one signatory, and electronic voting. There are many other potential applications. The scheme we consider here appears to be useful for applications of a type concerning different groups of interacting users. The importance of such applications is discussed together with some examples in [5].

C.G. Guenther (Ed.): Advances in Cryptology - EUROCRYPT '88, LNCS 330, pp. 455-467, 1988. © Springer-Verlag Berlin Heidelberg 1988

2 Multiple Key Ciphers

We shall explain our concept of a multiple key cipher in terms of a generalisation of the RSA public key scheme [7]. Other implementations are possible and the precise properties of RSA that are used are examined in section 4 of this paper. An important property of RSA that we make use of is its multiplicative property, namely with fixed modulus and any keys k1,k2,

E(E(M,k1),k2) = E(M,k1.k2)

for any message M. Our construction of a multiple key cipher is as follows.

A modulus m is chosen by the owner of the scheme to be the product of two large primes as in the RSA scheme. The special properties of the primes which are desirable in RSA are also desired here. A number of keys k1,k2,...,kn are then chosen to satisfy the property

k1.k2...kn = 1 mod φ(m).

The k1,...,kn-1 may be chosen at random and kn then chosen to satisfy the equation. To encrypt with the key ki a message M, with 0 < M < m-1, is transformed by

E(M,ki) = M**ki mod m.

Then it follows that

E(...E(E(M,k1),k2)...,kn) = M**(k1.k2...kn) mod m

= M**(r.φ(m) + 1) mod m for some integer r,

= M by Fermat's Little Theorem.


Note that because of the multiplicative property it does not matter in which order the keys are used.

Let U be any population of users of the scheme and K the set of keys {k1, k2,...,kn}. Any subset of K can be distributed to any subset of U. A message that has been encrypted with a certain number of the keys in K may then be read by a certain subset of U and can only have been written by another subset of U. These subsets are defined by possession of the necessary keys.

For example consider the case where there are only two keys r and s. Let R be the subset of users of the population who possess the key r and S be the set who possess s. These subsets overlap in the subset of users who possess both keys, which may or may not be empty.

The following table shows the status of the possible messages.

Message           Can be read by    Can be written by

M**r mod m        S                 R
M**s mod m        R                 S

In the case that R is equal to the whole population U, and S is a single user, we arrive at the familiar situation of the RSA public key cryptosystem. Then messages of the type M**r mod m can be written by anybody but are confidential to the single user, whereas those of the form M**s mod m can be read by anybody but must have been produced by the single user.

When the number of keys is increased to three there are many more possibilities. We extend the previous diagram by adding a third group of users T in possession of the key t.

The following table shows the status of the possible messages.

Message           Can be read by    Can be written by

M**r mod m        S ∩ T             R
M**s mod m        R ∩ T             S
M**t mod m        S ∩ R             T
M**rs mod m       T                 R ∩ S
M**rt mod m       S                 R ∩ T
M**st mod m       R                 S ∩ T

Where the table indicates that the message can be read or written by S ∩ T, it can be written or read by any member of both groups, or, what is just as important, by any member of S and any member of T in collaboration. In an application some of the named subsets of U may be empty. In the applications described in this paper we always assume the existence of an authority which is responsible for generating and distributing keys.

3 Applications

3.1 Selective Distribution

This application is concerned with distributing information to one or more selected users out of some user population. There are various situations where different sets of information may be required to be made available to different sets of entities. Examples are confidential information in companies which is restricted to different departments, and database information which is only available to those groups who have paid for it.

In order to restrict the information only to authorised users the information will be encrypted. The information could be encrypted with a different key for each authorised user or group but this would require many different versions of the information to be held or distributed. Therefore we require that each piece of information is only encrypted with one key but that any combination of the users may be defined for reception of a particular piece of information.

The obvious way to solve this problem is for the authority to issue a key for every possible combination of users. The problem with this is that if there are N users then 2**N-1 keys are required which quickly becomes large as N increases. The solution described here uses the multiple-key cipher and requires only N different keys.

Consider a set-up with three users of a system. The authority chooses three keys r, s and t with

r.s.t = 1 mod φ(m).

Let us call the users A, B and C. These users are then issued with the key sets {r,s}, {r,t}, and {s,t} respectively. The authority can then choose any combination of the users to which it wishes to distribute a given message M. The way this can be done is illustrated in the following table.

Message           Can be read by

M**r              C
M**s              B
M**t              A
M**rs             B and C
M**rt             A and C
M**st             A and B

Of course messages to be read by all three users can be sent in the clear.

The above scheme can be extended to any number of users by choosing the same number of keys as there are groups. Suppose there are N users and N keys k1,k2,...,kN. Each user is distributed all keys except one, so that the i'th user is distinguished by not possessing key ki. Messages are encrypted by the authority using any combination of the keys, and messages are kept secret from the i'th user by leaving ki out of the keys used in the encryption.

Note the flexibility of this scheme in regard to members leaving or joining the system. This property is identified in [5] as being of great importance in “group oriented cryptography”. Members may be added or removed without the need to change the keys of any other members. The authority will only need to re-calculate its inverse key.

In order for this scheme to work the users must not be able to collude to share keys, since the keys of any two users could be used to read every piece of information. If this is likely the keys would need to be distributed by the authority in a tamper-proof form which could not be read by the users, and which could only be used in a fixed protocol.

For example, the tamper proof module could be programmed only to output messages which satisfy a certain redundancy condition when decrypted with the correct key. Messages from the authority will be provided with the redundancy condition before encryption.

A similar problem to that addressed here is discussed by Simmons in [8], where the idea of a tamper resistant module plays an integral part in the solution.


3.2 Double Signatures

The idea of digital signature is now well known. In many commercial applications the signature of more than one person is required on a document. We call a signature requiring more than one key a multisignature. Typical uses for such a multisignature are cheques issued by companies which need to be authorised by two people and contracts which are to be signed by business partners.

Multiple key ciphers can provide a neat solution to this problem. A detailed account of various schemes is given in [1]. In this section we show a solution that fits into the general framework of multiple key ciphers. We restrict ourselves to the case of just two signatories.

Two keys r and s are selected randomly (subject to the condition that they are prime to φ(m)) and t is chosen to satisfy

r.s.t = 1 mod φ(m).

The keys r and s are distributed to the authorised signatories and t is made public. In order to sign the message M the first signatory forms the signature

S1 = M**r mod m

and passes it to the second signatory. The second signatory can recover the message using s and t since

Sl**st mod m = M.

Furthermore he knows it has been signed by the first signatory. If he is satisfied he forms

S2 = Sl**s mod m

= M**rs mod m

and passes it to the recipient. The recipient and any member of the public can verify the signature since


S2**t mod m = M.

In terms of the model described in section 2 we may take U to be the set of all users. The keys r and s are then issued to the sets of authorised signatories R and S, and the key t is issued to all of U. The following table shows the status of the messages.

Message    Can be read by    Can be written by

S1         S                 R
S2         U                 R ∩ S

In [l] it is shown how this idea may be extended so that the two signatories can be any from a group. For example this would allow any two directors from the board of a company to sign a document.

Note, however, that it is not possible to extend this scheme to more than two signatories in the obvious way. This is because every signatory needs to be able to read the partial signature before signing, which is only possible for the first or last signatory. It is shown in [l] how this property can be turned to advantage to implement "blind signatures"([3]).

3.3 A Simple Voting Scheme

Various schemes have been proposed for electronic voting ([2],[4]). This application of multiple key ciphers is a new simple voting scheme. It enables users to verify that their votes have been counted while keeping votes anonymous to all other voters. It has the useful property that there is no interactive behaviour required between the authority and the voters, and also that no secret key is required by the voters. In the form explained here it is only suitable for voting either 'yes' or 'no', but the scheme could be extended to allow any number of answers.

The scheme suffers from the disadvantage that the authority is able to read the vote of any person, if it also acts as the issuer of the 'voting slips'. There appears to be a conflict in voting schemes, also mentioned in [4], between maintaining the confidentiality of the votes cast and ensuring that no voter votes twice. Trust has to be placed somewhere and in this scheme an independent trusted voting authority is assumed. This is consistent with the way that paper voting schemes usually work.

Three keys r,s,t are involved, of which r is kept secret by the issuing authority and s and t are made public. As usual the authority chooses r,s and t to satisfy

r.s.t = 1 mod φ(m).

Each voter is issued a voting slip V which is a block consisting of two parts. One part is a random number g which is used to ensure that the slip is not used more than once, and the other is a component of redundancy which is used to avoid forgery. The redundancy could consist, for example, of every other bit of g being fixed. (The redundancy component can be changed for each election, thus allowing the same keys to be used on many different occasions.)

The voting slip is issued to the voter as V**r mod m. (This must be transported secretly to the correct voter, a problem we do not address here!) If the voter wants to vote 'yes' he forms

(V**r)**s mod m

and sends it to the ballot. Similarly if he wants to vote 'no' he sends

(V**r)**t mod m.

The authority can then validate and count each vote V' by forming

V'**t mod m

or V'**s mod m

and checking for the redundancy condition. The claimed value of the vote can be sent with it in order to reduce processing.


Voting slips may not be forged since they are signed by the issuing authority. On the other hand they are anonymous (except to the issuing authority) since the voting keys are public. In terms of the model of section two a valid vote must have been written by the issuing authority plus any user, and can be read by any user.

If the same random number is found more than once then all votes with that number should be discarded. (Of course, there is a small probability, depending on the number of voters and the size of m, that a valid vote is discarded.) Copies of all the votes (including any discarded ones) can be published with the results of the ballot and each voter can confirm that his vote was included.
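As an added, runnable illustration of the scheme above (not code from the paper; the toy primes, the 16-bit slip layout g || tag and the function names are this example's own assumptions), the following Python issues slips, casts and opens 'yes'/'no' votes, rejects a vote formed without r, and applies the rule that every vote carrying a repeated random number is discarded:

```python
import random
from math import gcd
from collections import Counter
# Toy parameters (this example's own choice, far too small for real use): m = P*Q is public,
# phi(m) is known only to the authority; a slip V = g (16 random bits) || tag (16 fixed bits) < m.
P, Q = 65537, 2147483647
M, PHI, G_BITS, TAG_BITS = P * Q, (P - 1) * (Q - 1), 16, 16
def pick_keys(rng):
    # Authority: r.s.t = 1 mod phi(m); r stays secret, s ('yes') and t ('no') are published.
    while True:
        s, t = rng.randrange(3, PHI), rng.randrange(3, PHI)
        if gcd(s * t, PHI) == 1:
            return pow(s * t, -1, PHI), s, t
def issue_slip(r, tag, rng):
    # Authority: V = g || tag, issued as V**r mod m (delivered secretly to the voter).
    v = (rng.randrange(1 << G_BITS) << TAG_BITS) | tag
    return pow(v, r, M)
def cast_vote(slip, s, t, yes):
    # Voter: (V**r)**s mod m for 'yes', (V**r)**t mod m for 'no'; no voter secret involved.
    return pow(slip, s if yes else t, M)
def open_vote(vote, s, t, tag):
    # Authority: undo the public key that leaves the redundancy tag intact; None = forged/corrupt.
    for answer, undo in (("yes", t), ("no", s)):
        v = pow(vote, undo, M)
        if v & ((1 << TAG_BITS) - 1) == tag and (v >> TAG_BITS) < (1 << G_BITS):
            return answer, v >> TAG_BITS
    return None
def tally(votes, s, t, tag):
    # Count valid votes; every vote whose random number g occurs more than once is discarded.
    opened = [open_vote(vt, s, t, tag) for vt in votes]
    seen = Counter(res[1] for res in opened if res is not None)
    counts, discarded = {"yes": 0, "no": 0}, []
    for vt, res in zip(votes, opened):
        if res is None or seen[res[1]] > 1:
            discarded.append(vt)      # published alongside the results, but not counted
        else:
            counts[res[0]] += 1
    return counts, discarded
def run_election(seed):
    # Constructed run: three honest voters, slip 0 reused for a second vote, one forgery made without r.
    rng = random.Random(seed)
    r, s, t = pick_keys(rng)
    tag = rng.randrange(1 << TAG_BITS)   # fresh redundancy pattern for this election
    slips = [issue_slip(r, tag, rng) for _ in range(3)]
    votes = [cast_vote(slips[0], s, t, True), cast_vote(slips[1], s, t, False),
             cast_vote(slips[2], s, t, True), cast_vote(slips[0], s, t, False),
             pow((rng.randrange(1 << G_BITS) << TAG_BITS) | tag, s, M)]
    counts, discarded = tally(votes, s, t, tag)
    return {"keys_ok": (r * s * t) % PHI == 1, "first": open_vote(votes[0], s, t, tag)[0],
            "counts": counts, "discarded": len(discarded)}
```

Note that the authority that knows r can also open any vote to its g and thereby link it to the voter it issued the slip to, which is exactly the trust assumption stated above.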

4 Abstraction: Multiple Key Ciphers as Groups

For concreteness we have looked at multiple key ciphers as generalisations of the RSA cryptosystem. In this section we try to abstract the essential properties of RSA that we have used and discuss what could be a more general approach.

We start off from a finite message space M and consider our cryptosystem as a finite set of keys K which are permutations of M. That is, each k in K is a map M --> M which is one-to-one and onto (a bijection). We have found a need for the following properties.

Closure Property

Any two keys k and j in K may be concatenated so that k o j is another key in K.

Inverse Property

Each key k in K has an inverse k^-1 in K such that

Associative Property


For any three keys j, k, l in K, we have

j o (k o l) = (j o k) o l.

Commutative property

For any two keys k and j in K, we have

k o j = j o k.

We have used these properties to enable us to construct key sets for a multiple key cipher as follows.

First choose any keys in K, then concatenate them. The number of keys chosen is not limited and depends on the application.

i) By the associative property the result of the concatenation does not depend on the order in which it is performed.

ii) By the Closure Property the concatenated values give a valid key k in K.

iii) The complementary key of k exists by the Inverse Property.

iv) The commutative property is required because it should not matter in which order the keys are used.

These properties are exactly those that are required to define K as an Abelian group. The inverse property is common to all invertible cryptosystems, including block ciphers such as DES. The closure property, however, is not normally held by a symmetric block cipher, but it is held by RSA. The associative and commutative properties are held in our extension of RSA.

In the case of our RSA extension the message space M consists of the integers less than the RSA modulus, and the key group consists of the multiplicative group of integers Zn*.

One property of RSA that we have used but not mentioned yet is the trapdoor property. This allows the 'owner' of the scheme, or what we have sometimes called the 'authority' in this paper, to obtain the correct complementary key while preventing unauthorised parties from finding such a key. In the applications considered in this paper the trapdoor property was relied upon, but further applications may be found which will not require it while the properties in section 2, regarding which entities may read or write a message, still apply. This opens up the possibility of different implementations of multiple key ciphers which do not depend on existing public key cryptosystems. One possible example is the field of integers modulo a prime. Users given a single key selected randomly by the authority can have no knowledge of other users' keys allocated by the authority which together form a complementary set.

An interesting further development might be to consider the effect of removing various of the group properties. For example, without the commutative property the order of use of keys would have different effects; this could be significant, for example in the double signatures application.

5 Acknowledgements

I would like to thank E.J. Humphreys for many valuable discussions on the topics in this paper and Mark Stirland for pointing out some errors in an earlier version. Acknowledgement is made to the Director of Research and Technology for permission to publish this paper.

6 References

[1] C.A. Boyd, Digital Multisignatures, IMA Conference on Cryptography and Coding, Cirencester, December 1986.

[2] D.L. Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms, Comm. ACM, 24, 2 (1981), 84-88.

[3] D.L. Chaum, Blind Signatures for Untraceable Payments, Proceedings of Crypto 82, Plenum Press 1983, pp. 199-203.


[4] J.D. Cohen & M.J. Fischer, A Robust and Verifiable Cryptographically Secure Election Scheme, Proceedings of IEEE Conference on Foundations of Computer Science, 1985.

[5] Y. Desmedt, Society and Group Oriented Cryptography, Proceedings of Crypto 87.

[6] W. Diffie & M. Hellman, New Directions in Cryptography, IEEE Transactions on Information Theory, IT-22, 6, 1976.

[7] R. Rivest, A. Shamir & L. Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Comm. ACM, 21, 2 (1978), 120-126.

[8] G.J. Simmons, How to (Selectively) Broadcast a Secret, Proceedings of IEEE Conference on Security and Privacy 1985.

Author Index

Agnew, G. B., 159, 251
Beth, T., 77
Boyd, C. A., 455
Brandt, J., 167
Brickell, E. F., 51, 275
Camion, P., 97
Campana, T., 129
Chambers, W. G., 325, 331
Chaum, D., 177
Cohen, R., 129
Damgård, I. B., 167
Davida, G. I., 183
Davis, J. A., 235
Decroos, M., 257
Den Boer, B., 293
Desmedt, Y. G., 23, 183
De Soete, M., 57, 389
Ding, C., 345
Di Porto, A., 211
Dlay, S. S., 267
Filipponi, P., 211
Girault, M., 129, 281
Godlewski, Ph., 97
Gorgui-Naguib, R. N., 267
Govaerts, R., 257
Gollmann, D., 331
Guillou, L. C., 123
Günther, C. G., 105
Hirano, K., 245
Holdridge, D. B., 235
Hoornaert, F., 257
Imai, H., 419
Jingmin, H., 115
Kaicheng, L., 115
Kawamura, S., 245
Knapskog, S. J., 107
Knobloch, H.-J., 87
Koyama, K., 11
Landrock, P., 167
Lee, P. J., 275
Lin, D., 351
Liu, M., 351
Matsumoto, T., 419
Meier, W., 301
Mullin, R. C., 159, 251
Niederreiter, H., 191
Ohta, K., 11
Okamoto, E., 361
Purdy, G. B., 35
Quisquater, J.-J., 123
Rueppel, R. A., 3
Schnorr, C. P., 225
Sgarro, A., 375
Simmons, G. J., 35
Smeets, B. J. M., 325
Staffelbach, O., 301
Stinson, D. R., 51
Tezuka, S., 317
Toffin, P., 281
Vallée, B., 281
Vandewalle, J., 257
Vanstone, S. A., 159, 251
Vedder, K., 389

Keyword Index

Anonymity, see User anonymity
Arbitration, 35, 51
Attacks
  Birthday attack, 129
  Correlation attack, 301
  Attack using lock-in effects, 331
  Meet in the middle attack, 129
Authentication, 23, 35, 51, 57, 87, 97, 107, 123
  see also Identification and Signature
Basis
  Normal basis, 251
  Reduction of lattice basis, 281
Block ciphers
  DES, 225
  Feistel structure, 225
  FEAL, 293
Claw free permutations, 23, 167
Codes
  Error correcting codes, 275
  Error detecting codes, 97
  Maximal distance separable codes, 97
Continued fraction, 191
Cryptanalysis, 375
  Block ciphers, 293
  Public key systems, 275, 281
  Stream ciphers, 301, 331
  see also Attacks
Databases, see Registration in databases
Designs, 57
Diffie-Hellman Algorithm, see Key
Discrete exponentiation, 159, 251, 257
Election protocols, see Voting protocols
El-Gamal scheme, see Signature
Entropy, 375
Equivocation, 375
Error correction, see Codes
Error detection, see Codes
Euler totient function, 267
Factorization
  Quadratic sieve, 235
Feistel structure, see Block ciphers
Fiat-Shamir scheme, see Identification
Geometric schemes, 57, 389
Goldwasser-Micali-Rivest scheme, see Signature
Hamming distance, 361
Hash functions, 123, 129
Hardware, 87, 123, 183, 257
Homophonic coding, 105
Identification, 23, 77, 123, 183
  Fiat-Shamir scheme, 77, 87, 123, 183
Implementation of basic operations, 245, 257
  see also Discrete exponentiation and Modular arithmetic
Imprints, see Shadows
Incidence structures, 57, 389
Information theory, 375
Integrity, 97
Key
  Conference key distribution, 11
  Diffie-Hellman, 3, 159
  Key agreement, 3, 159
  Key distribution, 3, 11, 159
  Multiple key, 455
  Substantial number of keys, 361
Knapsack, 97
Linear complexity, 191
  Linear complexity profiles, 191
  see also Massey-Berlekamp Algorithm
Linear recurring m-array, 351
Luby-Rackoff generator, see Pseudorandom sequences
Lucas numbers, 211
Massey-Berlekamp Algorithm, 345
McEliece scheme, see Public key cryptosystems
Modular arithmetic
  Multiplication and reduction, 87, 245
Normal basis, see Basis
Payment untraceability, 107, 177
Primality tests, 211
Prime, see Factorization, see Primality tests
Prisoner problem, see Subliminal channel
Privacy protected payment, 107
Probabilistic encryption, 415
Pseudoprimes, see Primality tests
Pseudorandom sequences
  Cascade generators, 331
  Clock control, 331
  Correlation attack, see Attacks
  Luby and Rackoff generator, 225
  Non-linear functions, 301, 317
  Shift register sequences, 301, 325, 331
  Windmill generators, 325
Public key cryptosystems, 419
  Diffie-Hellman scheme, see Key
  El-Gamal scheme, see Signature
  McEliece scheme, 275
  Okamoto scheme, 281
  Rivest-Shamir-Adleman scheme, 107, 257, 455
Random numbers, see Pseudorandom sequences
Registration in databases, anonymous and verifiable, 167
RSA, see Public key cryptosystems
Running key generators, see Pseudorandom sequences
Semantic knowledge, 375
Semientropy, see Entropy
Semiequivocation, see Equivocation
Shadows and Imprints, 123, 129
Shift register synthesis, 345
Signature, 23, 35, 51, 57, 87, 129, 281, 115
  El-Gamal scheme, 77, 159
  Goldwasser-Micali-Rivest scheme, 23, 35
  see also Hash functions
Statistical tests, 225
Subliminal free protocols, 23, 35
Table look-up, 245
Threshold schemes, 389
Voting protocols, 177, 455
Williams integers, 23, 35
Witness, 167
Zero knowledge proof, 23, 35, 57, 77, 87, 123, 183