This invention relates to data processing, and more particularly to systems and methods for quorum-based data processing.
Generally, a quorum is defined as the minimum number of members of a group or society that must be present at any of its meetings to make the proceedings of that meeting valid. There are many everyday applications where a secret decryption key or code needs to be accessed without putting all the trust for its safekeeping in the hands of one person. It is desirable that the authorisation power of any one individual is limited and that a number of individuals need to participate together to generate the secret, in a manner in which no individual learns the secret. It is also desirable that a number of different secrets may be generated securely without having to renew the secret information retained by the individuals. Any such system needs to be robust and not vulnerable to advances in high-power computing, such as practical implementations of quantum computers.
According to one aspect, the present invention provides a method or system for controlling access to stored encrypted data, wherein an encryption or decryption key is constructed from a predetermined, minimum number of secret quorum data sets. The quorum size is denoted by k. The system can generate a plurality of quorum data sets from which the encryption or decryption keys may be constructed. The number of quorum data sets generated may be based on the total number of participants, denoted as n. The fixed quorum number of data sets required to reconstruct the key is k. The required quorum number of data sets is a smaller number than the total number of participants and the quorum participants can be any of the participants. In the following the participants are referred to as players (or player devices), which may be hardware or software based equipment entities, under autonomous control or control by an associated individual.
The invention may be hardware based implemented for example as in Hardware Security Modules (HSM's) or implemented in software running on servers, desk top computers, mobile devices or implemented in a combination of hardware and software in cars, trains, aeroplanes or other platforms.
As well as encryption or decryption keys the invention may be used to generate quorum based passwords, authentication tokens or digital signatures. In the following description, the generic term “key” is used to denote such an encryption or decryption key, password, authentication token or digital signature key.
According to yet another aspect, the present invention provides a method of quorum-based data recovery, comprising generating a total of m randomly generated secret data values from which n data sets are calculated and distributed to each player who keeps their data set secret. Once the data sets are distributed the m randomly generated secret data values are permanently destroyed along with all copies. The n data sets are sets of m numbers or symbols which may be in any pre-selected number base with key construction calculations carried out using arithmetic or algebraic rules from a finite field or rational numbers including integers.
Each of the m values of the randomly generated secret data may be distributed amongst the n players by using the well documented technique known as polynomial secret sharing, which is an application of Lagrange polynomial interpolation. Each of the m values of randomly generated secret data is impressed on one or more coefficients of a polynomial of degree k-1; the other coefficients are randomly chosen. A typical implementation may have m equal to several hundred, so that several hundred polynomials are generated. Each player is assigned a distinct value, the player index, and a player's data set is the set of values realised when each polynomial's variable is set equal to the player's index value. For a quorum of k players each polynomial has degree k-1.
Each key may be given a distinct index value such as key 1, key 2, etc. The key index may be a label for the key. To generate the key itself the label value may be input to a circuit implementing a cascade of nested non-linear devices such as for example a series of devices with each device realising a hash function. The circuit can consist of several hundred nested non-linear devices, the number of devices corresponding to the value m. Each of the players is in possession of such a circuit implemented, for example, in hardware or simulated in software. When a quorum of k active players is formed, each active player uses their respective circuit to multiply each non-linear device input or output with a value from their data set multiplied by the appropriate Lagrange constant to form a single output after summation, referred to as a quorum portion, a key fragment or a key component. The key itself is constructed by combining all k player key components together.
In a further embodiment each player has multiple circuits and multiple data sets with all of the net circuit outputs combined together to form a single output for that player.
In other embodiments each non-linear device is an encryption circuit having its own encryption key or is a general non-linear device with multiple inputs used by the device.
An identical key, or a set of keys, can be generated by different embodiments using a different number of players to form a quorum. One embodiment may be used to generate a key used for encryption and a second embodiment may be used to generate the same key to be used for decryption. In these embodiments which generate identical keys the polynomials will usually not be the same. The polynomials can have different coefficients or even have a different degree. This means that a different size of quorum with a different number of players may be used to generate a key to be used for encryption compared to the size of quorum of players used to generate the same key to be used for decryption. It is possible for an embodiment to have a quorum of size one with a single player or entity such as an HSM generating the keys.
In some embodiments, the generated key may be used not as an encryption key but as the source for generating additional key material for use as encryption or decryption keys, authentication keys and initialisation vectors by employing one or more Key Derivation Functions (KDF's) on the generated key.
The quorum key generation may be used to generate an encryption key for encrypting a document or data file to produce a cipher text. Subsequently the same quorum process may be used to generate the decryption key needed to decrypt the cipher text back into the original data file or document.
The key index or label may itself be a data file or a portion of a data file or stream. The generated key may be used as a key for decrypting an encrypted data file or for accessing a secure unit, device or module.
The players may comprise one or more of: a computing device, an authentication token, a security dongle or interconnected hardware systems.
According to another aspect, the present invention provides a computer-implemented method of quorum-based data recovery, comprising generating a plurality of quorum data sets from said original data and a software based realisation of the nested non-linear circuits.
According to yet another aspect, the present invention provides a system for controlling access to data, wherein the data is encoded into a predefined number of quorum data sets based at least upon a predefined number of participants and a predefined minimum number of said participants that are required to access the data, whereby the original data can be recovered from any combination of said minimum number of quorum data sets.
A further embodiment ensures that the players, even if they all collude together, cannot know the final key that is produced. This is done by providing to the recipient additional, secret inputs to a key derivation function, which operates on the key collectively provided by the players, in order to produce the final key.
In further aspects, the present invention provides a system comprising means for performing the above methods. In yet other aspects, there is provided a computer program arranged to carry out the above methods when executed by a programmable device.
There now follows, by way of example only, a detailed description of embodiments of the present invention, with references to the figures identified below.
A first embodiment of the invention will now be described for an example method of implementing quorum-based data processing within a secured computing or hardware environment, where recovery of sensitive data, such as a secret key or a secure data file, is only possible when a predefined minimum number of associated quorum key components are received from a corresponding quorum of available authorised participants. It will be appreciated that the embodiments described herein are applicable to many types and forms of secured computing and hardware environments and data processes carried out therein. As one example, the secured computing environment may facilitate secured access to encrypted data by a quorum of authorised personnel, such as selected directors and/or employees of a corporate entity, by reconstructing a decryption key based on quorum key components received from a quorum of authorised personnel. As another example, the secured computing environment may facilitate controlled access to the original secure data file, by reconstructing the original secret data based on quorum data received from a quorum of authorised personnel. As yet another example, the secured computing environment may facilitate access by a quorum of authenticated personnel to a product or service (e.g. a bank account, a secure web site), and/or a facility (e.g. via an electronic lock of a physical building, lab, vault, safe deposit box, critical infrastructure system, etc.). In such an example, the secret key would be used for authentication instead of decryption, where by coming together and providing the predetermined minimum number of quorum keys, the quorum participants can be authenticated to be allowed access to the secured assets. 
In further examples the secret key would be used for generating a digital signature, where by coming together and providing the predetermined minimum number of quorum key components, the quorum participants can sign off a commercial transaction or a block of transactions in crypto currency applications.
In the set-up stage, which is similar for each embodiment, a number or symbol base is first defined, such as a prime or prime power field or the set of rational numbers, and multiple secret values are generated, usually by a random number generator. Typically several hundred secret values may be generated. Each secret value defines one or more coefficients of a polynomial. In the following example each secret value defines the x^0 coefficient, but it could define the x^i coefficient or be split amongst coefficients. Referring to
$f_j(x) = S_j + r_1 x + r_2 x^2 + \dots + r_{k-1} x^{k-1}$
where $S_j$ is the secret value and the coefficients $r_1, r_2, r_3, r_4, \dots, r_{k-1}$ are randomly chosen for each polynomial. The index j runs from 1 to m, where m is the total number of secret values. Each player is assigned a unique value, termed a player index, and furthermore each player is sent, securely, their secret data set consisting of all of the polynomial values that result when x is set equal to their player index.
With n players and player indices x1, x2, x3, x4 . . . xn
Player 1 is sent the secret data set f1(x1), f2(x1), f3(x1), f4(x1), f5(x1) . . . fm(x1) a set of m numbers or symbols depending on the number base.
Player 2 is sent the secret data set f1(x2), f2(x2), f3(x2), f4(x2), f5(x2) . . . fm(x2)
Player 3 is sent the secret data set f1(x3), f2(x3), f3(x3), f4(x3), f5(x3) . . . fm(x3)
Player n is sent the secret data set f1(xn), f2(xn), f3(xn), f4(xn), f5(xn) . . . fm(xn)
The set up procedure is shown in schematic form in
In this example the quorum size is chosen to be 3 so the polynomials are of degree 2. As there are 6 secret values in this example, there are 6 polynomials
$f_1(x) = 24273 + 16533x + 19657x^2$
$f_2(x) = 9595 + 27619x + 8215x^2$
$f_3(x) = 19002 + 7189x + 9280x^2$
$f_6(x) = 12823 + 18554x + 22732x^2$
It will be noticed that the first coefficient of each successive polynomial is equal to the next value of the secret values. All other polynomial coefficients are randomly chosen modulo 33347, the prime that defines the field used in this example.
In this example the player indices are 1, 2, 3, 4 and 5, the same as the player number but player indices may be chosen randomly as long as these are distinct from each other. The secret data set provided to Player 1 is f1(1), f2(1), f3(1), f4(1), f5(1) and f6(1), with all polynomial evaluations carried out modulo 33347. Accordingly the Player 1 data set is:
27116 12082 2124 18837 20640 20762
The secret data set provided to Player 2 is f1(2), f2(2), f3(2), f4(2), f5(2) and f6(2)
Accordingly the Player 2 secret data set is:
2579 30999 3806 25597 21869 7471
Similarly the other player secret data sets are:
Once these secret data sets are communicated to their respective players the original multiple secrets and the polynomials are permanently deleted together with all copies. The set up phase is now complete for the first embodiment.
The generation of a key is shown schematically in
Each player respectively sends their key component output to the recipient who combines these to form the key Kx.
Continuing the example above, consider that the players forming the quorum are players 1, 3 and 4 and the key index is x=19114. In this case
Ω1(x)=12071 Ω2(x)=22204 and Ω3(x)=25680
and the outputs are summed modulo 33347 to produce
Kx=Ω1(x)+Ω2(x)+Ω3(x) modulo 33347=26608
If a different quorum set of players are involved, say players 1, 2 and 5 then
Ω1(x)=6752 Ω2(x)=5333 and Ω3(x)=14523
and the outputs are summed modulo 33347 to produce
Kx=Ω1(x)+Ω2(x)+Ω3(x) modulo 33347=26608
Notice that the same key is produced despite the key components being different. Player 1 has a different output to before because a different set of player indices is involved causing the Player 1 Lagrange coefficient to change.
The circuits that are used to produce the three quorum player outputs in the first embodiment are shown in
The parameters A1 to Am are equal to λx1·f1(x1) to λx1·fm(x1) where the player's index is x1 and λx1 is the Lagrange coefficient which is dependent on the other quorum player indices. Similarly the parameters B1 to Bm are equal to λx2·f1(x2) to λx2·fm(x2) where the player's index is x2 and λx2 is the Lagrange coefficient dependent on the other participating quorum player indices.
Shown in
As an example for a quorum of 3, the Lagrange coefficients are:
For the example above with player indices 1, 3 and 4
The input to the circuits is the index of the key to be generated. This is denoted as x, which may have any value within the range of symbols or numbers defined at the set up stage. The index x is followed by zeros and the single delay feedback shift register stage ensures that x is still input to the hash 1 device at the time the hash 5 output is formed. At this point all of the nested hash function outputs are available. The hash outputs are respectively multiplied by A1 to Am and summed to produce the output Ω1(x). Denoting the function of hash 1 as h1(x), hash 2 as h2(x), and so on so that the circuit of
Ω1(x)=x·A1+h1(x)·A2+h2(h1(x))·A3+h3(h2(h1(x)))·A4+h4(h3(h2(h1(x))))·A5+h5(h4(h3(h2(h1(x)))))·A6
It would seem unlikely that a series of non-linear devices executing a series of different hash functions being multiplied by different numbers would produce the correct key component independently of which quorum combination of players is being used. However this is shown to be true by considering the second embodiment which is shown in
Independent of the player index chosen, e.g. x=1, the secret data set provided to Player 1 is f1(1), f2(1), f3(1), f4(1), f5(1) and f6(1). Accordingly the Player 1 data set is:
24273 9595 19002 24271 22367 12823
This is the same as the original set of multiple secret values. Referring to
As before denoting the function of hash 1 as h1(x), hash 2 as h2(x), and so on the output of the circuit shown in
$K_x = x \cdot S_1 + h_1(x) \cdot S_2 + h_2(h_1(x)) \cdot S_3 + h_3(h_2(h_1(x))) \cdot S_4 + h_4(h_3(h_2(h_1(x)))) \cdot S_5 + h_5(h_4(h_3(h_2(h_1(x))))) \cdot S_6$
Considering the example above, x=19114, and the same values of S1 to S6, Kx=26608
Referring back to the first embodiment, and
Ω1(x)=x·A1+h1(x)·A2+h2(h1(x))·A3+h3(h2(h1(x)))·A4+h4(h3(h2(h1(x))))·A5+h5(h4(h3(h2(h1(x)))))·A6
For
Ω2(x)=x·B1+h1(x)·B2+h2(h1(x))·B3+h3(h2(h1(x)))·B4+h4(h3(h2(h1(x))))·B5+h5(h4(h3(h2(h1(x)))))·B6
For
Ω3(x)=x·C1+h1(x)·C2+h2(h1(x))·C3+h3(h2(h1(x)))·C4+h4(h3(h2(h1(x))))·C5+h5(h4(h3(h2(h1(x)))))·C6
Note that with the properties of Lagrange polynomial interpolation A1+B1+C1=S1, A2+B2+C2=S2, A3+B3+C3=S3, A4+B4+C4=S4, A5+B5+C5=S5 and A6+B6+C6=S6. The sum of the key components produced by the three quorum players
Consequently starting with the same multiple secret values, embodiment 1 produces the same key as embodiment 2, regardless of which particular combination of players form a quorum.
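The first and second embodiments side by side, as an added example that is not code from the patent. It uses the page's secret values S1 to S6, the page's polynomials f1, f2, f3 and f6, and constructed random coefficients for f4 and f5 (their x^0 coefficients are the page's S4 and S5). The page does not specify the hash functions h1 to h5, so they are assumed here to be SHA-256 over a stage tag and the stage input, reduced modulo 33347; any other non-linear mapping would serve equally. The quorum of three players computes Ω1(x), Ω2(x), Ω3(x) with Lagrange-weighted shares, and the single-player circuit computes K_x directly from S1 to S6; the two agree for every choice of quorum.

```python
# Added example (not from the patent text): key generation in the first embodiment
# (k players each running the nested non-linear circuit) checked against the second
# embodiment (one player holding S1..Sm). h1..h5 are ASSUMED to be SHA-256 mod p.
import hashlib

P = 33347
SECRETS = [24273, 9595, 19002, 24271, 22367, 12823]  # S1..S6 from the page
POLYNOMIALS = [
    [24273, 16533, 19657],   # f1 (page)
    [9595, 27619, 8215],     # f2 (page)
    [19002, 7189, 9280],     # f3 (page)
    [24271, 1234, 5678],     # f4: r1, r2 CONSTRUCTED for this example
    [22367, 8765, 4321],     # f5: r1, r2 CONSTRUCTED for this example
    [12823, 18554, 22732],   # f6 (page)
]
M = len(SECRETS)


def eval_poly(coeffs, x, p=P):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def h(stage, value, p=P):
    """Assumed non-linear device for stage i: SHA-256 of (i, input), reduced mod p."""
    digest = hashlib.sha256(f"{stage}:{value}".encode()).digest()
    return int.from_bytes(digest, "big") % p


def hash_chain(x, m=M, p=P):
    """Inputs to the m multipliers: x, h1(x), h2(h1(x)), ..., h_{m-1}(...)."""
    chain = [x % p]
    for stage in range(1, m):
        chain.append(h(stage, chain[-1], p))
    return chain


def lagrange_at_zero(i, quorum, p=P):
    """Lagrange coefficient of player index i for the given quorum, evaluated at x=0;
    it depends on which other players are active, as the page notes."""
    num, den = 1, 1
    for j in quorum:
        if j != i:
            num = num * j % p
            den = den * (j - i) % p
    return num * pow(den, -1, p) % p


def key_component(player_index, data_set, quorum, x, p=P):
    """Omega_i(x): each chain value multiplied by (lambda_i * share), summed mod p."""
    lam = lagrange_at_zero(player_index, quorum, p)
    chain = hash_chain(x, len(data_set), p)
    return sum(c * lam * s for c, s in zip(chain, data_set)) % p


def quorum_key(quorum, x, polys=POLYNOMIALS, p=P):
    """First embodiment: the recipient sums the k key components modulo p."""
    total = 0
    for i in quorum:
        data_set = [eval_poly(f, i, p) for f in polys]  # player i's secret data set
        total += key_component(i, data_set, quorum, x, p)
    return total % p


def single_player_key(x, secrets=SECRETS, p=P):
    """Second embodiment: a single player holding S1..Sm computes K_x directly."""
    return sum(c * s for c, s in zip(hash_chain(x, len(secrets), p), secrets)) % p
```

With the page's key index x=19114, `quorum_key([1, 3, 4], 19114)`, `quorum_key([1, 2, 5], 19114)` and `single_player_key(19114)` all return the same value; the numeric key differs from the page's 26608 only because the page's hash functions are not disclosed. Note that each player only ever evaluates its own shares, so no player and not even the recipient sees S1 to S6.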
In the first and second embodiments the hash functions h1(x) to hm-1(x) should preferably be kept secret. These should be routinely changed in order to ensure the security of the quorum encryption system. For a series of key indices y1, y2, y3, y4, y5 . . . ym the quorum keys produced are Ky1, Ky2, Ky3, Ky4, Ky5 . . . Kym and these keys are fully independent of each other. Even if all the hash functions plus the key indices y1, y2, y3, y4, y5 . . . ym-1 plus all of the keys Ky1, Ky2, Ky3, Ky4, Ky5 . . . Kym-1 are known by an attacker, the attacker cannot narrow the choices for Kym knowing key index ym. This is because the secret data set S1 to Sm consists of m unknown values. In addition to knowing the hash functions and the key indices, the attacker needs to know at least m quorum keys before being able to learn any of the values S1 to Sm. If the attacker does know the hash functions h1(x) to hm-1(x), he or she has to rely on these remaining constant. If any one or more of these hash functions are changed before m quorum keys have been output since the last change of these hash functions, the attacker cannot improve on just guessing the value of the next output quorum key, even having all of that prior knowledge.
An example of a well proven method of symmetric key encryption is the Advanced Encryption Standard (AES), as defined in Federal Information Processing Standards Publication 197, United States National Institute of Standards and Technology (NIST), Nov. 26, 2001. AES is an example of a symmetric encryption system, in which a single secret key is used to encrypt the plaintext into ciphertext. The third embodiment utilises nested AES encryption devices instead of hash functions as shown in
Ω1(x)=x·A1+AESk1(x)·A2+AESk2(AESk1(x))·A3+AESk3(AESk2(AESk1(x)))·A4+AESk4(AESk3(AESk2(AESk1(x))))·A5+AESk5(AESk4(AESk3(AESk2(AESk1(x)))))·A6
Similarly the output of the circuit shown in
Ω2(x)=x·B1+AESk1(x)·B2+AESk2(AESk1(x))·B3+AESk3(AESk2(AESk1(x)))·B4+AESk4(AESk3(AESk2(AESk1(x))))·B5+AESk5(AESk4(AESk3(AESk2(AESk1(x)))))·B6
Similarly the output of the circuit shown in
Ω3(x)=x·C1+AESk1(x)·C2+AESk2(AESk1(x))·C3+AESk3(AESk2(AESk1(x)))·C4+AESk4(AESk3(AESk2(AESk1(x))))·C5+AESk5(AESk4(AESk3(AESk2(AESk1(x)))))·C6
With this embodiment, again as shown in
Ω1(x)+Ω2(x)+Ω3(x)=x·(A1+B1+C1)+AESk1(x)·(A2+B2+C2)+AESk2(AESk1(x))·(A3+B3+C3)+AESk3(AESk2(AESk1(x)))·(A4+B4+C4)+AESk4(AESk3(AESk2(AESk1(x))))·(A5+B5+C5)+AESk5(AESk4(AESk3(AESk2(AESk1(x)))))·(A6+B6+C6)=Kx
As before the properties of Lagrange polynomial interpolation ensure that A1+B1+C1=S1, A2+B2+C2=S2, A3+B3+C3=S3, A4+B4+C4=S4, A5+B5+C5=S5 and A6+B6+C6=S6
The sum of the key components produced by the three quorum players
$x \cdot S_1 + AES_{k_1}(x) \cdot S_2 + AES_{k_2}(AES_{k_1}(x)) \cdot S_3 + AES_{k_3}(AES_{k_2}(AES_{k_1}(x))) \cdot S_4 + AES_{k_4}(AES_{k_3}(AES_{k_2}(AES_{k_1}(x)))) \cdot S_5 + AES_{k_5}(AES_{k_4}(AES_{k_3}(AES_{k_2}(AES_{k_1}(x))))) \cdot S_6 = K_x$
With the properties of Lagrange polynomial interpolation the sum of the key components produced by the three quorum players, Kx is the same key regardless of which combination of three players of the n players form the quorum.
The key Kx is the same key that is produced by the circuit for the fourth embodiment, which is shown in
Similar to the earlier embodiments, in the third and fourth embodiments the secret AES encryption keys k1 to km-1 should be routinely changed in order to ensure the security of the quorum encryption system. For a series of key indices y1, y2, y3, y4, y5 . . . ym the quorum keys produced are Ky1, Ky2, Ky3, Ky4, Ky5 . . . Kym and these keys are fully independent of each other. Even if all the AES encryption keys plus the key indices y1, y2, y3, y4, y5 . . . ym-1 and all of the keys Ky1, Ky2, Ky3, Ky4, Ky5 . . . Kym-1 are known by an attacker, the attacker cannot narrow the choices for Kym knowing key index ym. This is because the secret data set S1 to Sm consists of m unknown values. In addition to all of the key information, the attacker needs to know at least m quorum keys before being able to learn any of the values S1 to Sm. If any one or more of these AES keys are changed before m quorum keys have been output since the last setting of AES encryption keys, the attacker cannot improve on just guessing the value of the next output quorum key, even knowing all of the previous output quorum keys.
The fifth embodiment utilises nested Generalised Non-Linear (GNL) devices which is a generic name for a device that contains an arbitrary predetermined mapping function which maps input values to an output value. This may be implemented as a look up table, a look up table combined with a processor or as non-linear hardware electronics. The nested use of these devices is shown in the circuits shown in
Ω1(x)=x·A1+GNLψ1(x)·A2+GNLψ2(GNLψ1(x))·A3+GNLψ3(GNLψ2(GNLψ1(x)))·A4+GNLψ4(GNLψ3(GNLψ2(GNLψ1(x))))·A5+GNLψ5(GNLψ4(GNLψ3(GNLψ2(GNLψ1(x)))))·A6
Similarly another quorum player using the circuit shown in
Ω2(x)=x·B1+GNLψ1(x)·B2+GNLψ2(GNLψ1(x))·B3+GNLψ3(GNLψ2(GNLψ1(x)))·B4+GNLψ4(GNLψ3(GNLψ2(GNLψ1(x))))·B5+GNLψ5(GNLψ4(GNLψ3(GNLψ2(GNLψ1(x)))))·B6
As in this example the quorum is formed from three active players, the third player uses the circuit shown in
Ω3(x)=x·C1+GNLψ1(x)·C2+GNLψ2(GNLψ1(x))·C3+GNLψ3(GNLψ2(GNLψ1(x)))·C4+GNLψ4(GNLψ3(GNLψ2(GNLψ1(x))))·C5+GNLψ5(GNLψ4(GNLψ3(GNLψ2(GNLψ1(x)))))·C6
The three active player key component outputs are added together as shown in
As before the properties of Lagrange polynomial interpolation ensure that A1+B1+C1=S1, A2+B2+C2=S2, A3+B3+C3=S3, A4+B4+C4=S4, A5+B5+C5=S5 and A6+B6+C6=S6
The sum of the key components produced by the three quorum players is
$x \cdot S_1 + GNL_{\psi_1}(x) \cdot S_2 + GNL_{\psi_2}(GNL_{\psi_1}(x)) \cdot S_3 + GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x))) \cdot S_4 + GNL_{\psi_4}(GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x)))) \cdot S_5 + GNL_{\psi_5}(GNL_{\psi_4}(GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x))))) \cdot S_6 = K_x$
As before, the properties of Lagrange polynomial interpolation ensure that the same key is produced regardless of which particular combination of three players form the quorum.
The same key is also produced by the sixth embodiment which features a quorum of a single player. The circuit that is used is shown in
$x \cdot S_1 + GNL_{\psi_1}(x) \cdot S_2 + GNL_{\psi_2}(GNL_{\psi_1}(x)) \cdot S_3 + GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x))) \cdot S_4 + GNL_{\psi_4}(GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x)))) \cdot S_5 + GNL_{\psi_5}(GNL_{\psi_4}(GNL_{\psi_3}(GNL_{\psi_2}(GNL_{\psi_1}(x))))) \cdot S_6 = K_x$
As in the earlier embodiments one or more of the multiple inputs ψ1 to ψ5 to the GNL devices should be changed periodically in case of the worst case situation where an attacker has been able to compromise the previously generated quorum keys plus knowledge of the associated key index values as well as previous GNL multiple input ψ1 to ψ5 values. As with earlier embodiments, even with this knowledge, future quorum keys cannot be predicted by the attacker provided the attacker has not had access to at least m quorum keys prior to the change in one or more of the ψ1 to ψ5 values.
As well as hardware realisations, the various embodiments may be implemented in software running on a computing platform represented schematically in
Alternative embodiments may be implemented as control logic in hardware, firmware, or software or any combination thereof.
As previously mentioned, the values processed in the various embodiments may be numbers or symbols from any pre-selected number base, such as a Galois field based on a prime or prime power, or the rational numbers including the integers. Alternatively, values may be integers reduced modulo q where q is any fixed integer, or may be plain integers with no modulo operation. In the latter cases there is a potential problem in that the inverse of a particular value may not exist because of the choice of number base. The problem arises in the calculation of the Lagrange coefficients. For a general quorum of k players from n players, the Lagrange coefficient for a player with player index x1 is
If a factor in the denominator does not have an inverse then λx1 cannot be evaluated. The solution is to set the quorum key not to Kx but to (n-1)! Kx. The player with index x1 now computes terms similar to
Similar expressions are obtained for the other player outputs. The numerator now always contains the same factors as the denominator and no inverses are required.
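The integer variant described above, as an added example that is not code from the patent. Values are plain integers with no modular reduction, so a Lagrange denominator such as (x2-x1)(x3-x1) may have no inverse. Each player instead uses (n-1)! times its Lagrange numerator; with player indices 1 to n every denominator divides (n-1)! exactly, so the scaled coefficient is an integer and the quorum output is (n-1)! K_x. The polynomials, the quorum and the general non-linear device are all constructed for this example (the page gives none for this variant), and the exact division used to compute the scaled coefficient is this example's way of realising the cancellation the page describes.

```python
# Added example (not from the patent text): the "no inverses" integer variant. The
# players reconstruct (n-1)! * K_x instead of K_x so that no Lagrange denominator
# ever has to be inverted. Everything below is constructed for illustration.
from math import factorial, prod

N, K = 5, 3  # n players, quorum size k (constructed)
# Constructed degree-(k-1) integer polynomials; the x^0 coefficient is the secret S_j.
POLYNOMIALS = [[24273, 16533, 19657], [9595, 27619, 8215], [19002, 7189, 9280]]
SECRETS = [f[0] for f in POLYNOMIALS]


def eval_poly(coeffs, x):
    """Plain integer polynomial evaluation, no modulus."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc


def gnl(stage, value):
    """Constructed general non-linear device: any integer-valued mapping will do."""
    return value * value + 7 * stage + 3


def chain(x, m):
    """Multiplier inputs x, GNL1(x), GNL2(GNL1(x)), ..."""
    out = [x]
    for stage in range(1, m):
        out.append(gnl(stage, out[-1]))
    return out


def scaled_lagrange_at_zero(i, quorum, n):
    """(n-1)! * lambda_i as an exact integer. With indices 1..n the denominator
    prod(x_j - x_i) always divides (n-1)!, so the division below is exact and
    no modular inverse is required."""
    num = factorial(n - 1) * prod(j for j in quorum if j != i)
    den = prod(j - i for j in quorum if j != i)
    assert num % den == 0, "denominator must divide the scaled numerator"
    return num // den


def scaled_component(i, quorum, x, n=N, polys=POLYNOMIALS):
    """Player i's output: sum of chain values times (scaled lambda_i * share)."""
    lam = scaled_lagrange_at_zero(i, quorum, n)
    shares = [eval_poly(f, i) for f in polys]
    return sum(c * lam * s for c, s in zip(chain(x, len(polys)), shares))


def scaled_quorum_key(quorum, x, n=N):
    """Sum of the k scaled components: equals (n-1)! * K_x, integer arithmetic only."""
    return sum(scaled_component(i, quorum, x, n) for i in quorum)


def direct_key(x, secrets=SECRETS):
    """K_x computed straight from the secrets, for comparison only."""
    return sum(c * s for c, s in zip(chain(x, len(secrets)), secrets))
```

The divisibility that makes this work depends on the player indices: for indices 1 to n the positive and negative differences (x_j - x_i) are distinct integers drawn from 1..(n-x_i) and 1..(x_i-1) respectively, and the product of those two ranges' factorials divides (n-1)!. With arbitrary large or randomly chosen indices the scale factor would have to be chosen to match the actual denominators, which is why this variant pairs naturally with small consecutive indices.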
An example of a quorum documents encryption system is shown in
Quorum construction of a key starts with the key indices source originating a key index for the key, u. This index is sent to the player communication centre which uses two key derivation functions (KDF) with respective keys p and q to produce α and β which are sent to the players. The key derivation functions are there to ensure that it is impossible for an attacker, knowing u and gaining access to some secret keys, to obtain any information about the two sets of original multiple secrets.
A choice is made of one of the embodiments from embodiments one, three or five. From the key index u the final generated secret key is Ku=Kα+Kβ by implementing two instances of the embodiment. The key Ku is constructed from the players' outputs. Each of the k active quorum players uses their 2m shares to calculate respectively a combined value Zi(u)=Xi(u)+Yi(u) which they output as shown in
Document encryption is carried out using AES-GCM, the AES variant with Galois Counter Mode, which is a combined encryption and authentication method. As well as the encryption key K, AES-GCM requires a distinct initialisation vector, IV, of 96 bits. An HMAC-based key derivation function is used to expand Ku into the key K and the IV. The HMAC function used to generate the IV takes as input the document to be encrypted concatenated with a timestamp. This is to ensure that each generated IV is distinct, which is necessary for AES-GCM.
With K and IV calculated the document is encrypted into the ciphertext Cu which is stored in the cipher texts registry as shown in
The document decryption system is shown in
As shown in
Each of the k active players uses their 2m shares to calculate their respective Zi(u)=Xi(u)+Yi(u) which they output as shown in
From Ku the recipient derives the AES-GCM decryption key K and IV. The recipient is then able to decrypt the document cipher text retrieved from the cipher texts registry to produce the required document.
Quorum Digital Signature for Cryptocurrency Block Chain
The system in outline is shown in
In this example it is assumed that a hash based digital signature system is to be used, since this is future proof against quantum computer attack, unlike conventional digital signature methods such as RSA and the Digital Signature Algorithm. Hash based digital signatures are authenticated by using disclosed tree values to calculate the tree root and comparing this value with the public record.
In a Merkle hash tree there are 2^λ private keys Xi and 2^λ public keys Yi where commonly Yi=hash(Xi). The hash function is typically a cryptographic hash function such as SHA-256 having the property that it is highly first and second preimage resistant. Knowing Yi it is virtually impossible to determine Xi except by brute force search. Secondly, knowing Xi and Yi it is virtually impossible to determine a different value of X that hashes to Yi.
Hash based signature systems are one time use signature systems, such that each different signature requires and uses one of the private keys. Signature index i uses private key Xi, with the Xi usually chosen randomly and the corresponding Yi calculated along with evaluation of the Merkle tree in a set up phase.
The invention, for example the second embodiment, may be used to generate the private keys by using the signature index i as the key index, generating Ki as the output, then setting Xi equal to Ki, running the index i from 1 through to 2^λ. With the 2^λ Xi values produced, the corresponding 2^λ Yi hashes are calculated and the Merkle tree evaluated, with publication of the tree root value. The Xi private keys are then permanently deleted.
When signing block i the first embodiment is used with i as key index input to generate, using a quorum of players, the private key Xi. With Xi quorum generated the one time use digital signature is then able to be constructed along with the hash based verifications which form part of the digital signature in keeping with current practice.
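The Merkle tree bookkeeping described above, as an added example that is not code from the patent. The private keys Xi would come from the quorum key generator with the signature index as key index; here they are constructed deterministically from the index so that the block runs stand-alone (a stand-in, not the page's construction). The set-up phase computes Yi=SHA-256(Xi), builds the tree over the Yi and publishes only the root; at signing time the regenerated Xi is disclosed together with its authentication path, and a verifier recomputes the root and compares it with the public record.

```python
# Added example (not from the patent text): Merkle tree over one-time public keys
# Y_i = SHA-256(X_i), with root publication and authentication-path verification.
import hashlib

LAMBDA = 3  # tree height: 2**LAMBDA one-time keys (constructed for this example)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def constructed_private_key(i: int) -> bytes:
    """Stand-in for the quorum-generated K_i with key index i; NOT the page's method."""
    return sha256(b"constructed-X-" + i.to_bytes(4, "big"))


def build_tree(leaves):
    """Return all levels, leaves first and the single root node last. Each parent is
    SHA-256(left || right)."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([sha256(prev[j] + prev[j + 1]) for j in range(0, len(prev), 2)])
    return levels


def auth_path(levels, i):
    """Sibling hashes from leaf i up to (but excluding) the root; the 'disclosed
    tree values' the verifier needs."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])
        i >>= 1
    return path


def verify(x_i: bytes, i: int, path, root: bytes) -> bool:
    """Recompute Y_i = hash(X_i), climb the tree with the disclosed siblings and
    compare the result with the published root."""
    node = sha256(x_i)
    for sibling in path:
        node = sha256(node + sibling) if i % 2 == 0 else sha256(sibling + node)
        i >>= 1
    return node == root


def setup_phase(height=LAMBDA):
    """Compute every Y_i, build the tree, publish the root. The X_i are not kept:
    they are regenerated from the index when a signature is needed."""
    public_keys = [sha256(constructed_private_key(i)) for i in range(2 ** height)]
    levels = build_tree(public_keys)
    return levels, levels[-1][0]


def sign_and_verify(i, height=LAMBDA):
    """Signing-time flow for block i: regenerate X_i, disclose it with its path,
    and check it against the published root."""
    levels, root = setup_phase(height)
    x_i = constructed_private_key(i)
    return verify(x_i, i, auth_path(levels, i), root)
```

Because each Xi is disclosed when block i is signed, an index must never be reused; the quorum generator's key index is what ties a signature to exactly one leaf, so the recipient should track which indices have already been consumed.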
Independent Key Authority Applications
In several applications there is a need for a trusted authority to be able to generate keys without ever knowing the keys it generates. Similarly, it is sometimes required that users are never able to generate keys themselves, so that the number of keys is strictly controlled. Furthermore, the trusted authority which generates the keys cannot, by definition, access any of the users' encrypted secrets. This can be useful in a commercial environment where one company, a security company, manages generation and distribution of keys and a client company uses the keys. An example is a secure cloud enterprise provider and an independent client company that uses the cloud to store its corporate information. Encrypted files may be managed by both companies since they both know the encryption key indices, which are common to both. In the case of the cloud provider, storage of duplicated encrypted files can be avoided, significantly reducing storage costs.
The system is shown in
An example of a cloud based storage system based on this aspect is shown in
The cloud based storage system is provided by a cloud storage company that accommodates storage of encrypted files for client companies. The cloud storage company holds no encryption keys and cannot open any of the stored encrypted files but does manage the files. In particular it does not want to waste storage space by storing any duplicates of encrypted files uploaded by employees of their client companies. This is achieved by associating each encrypted file with an encryption key index which the cloud storage company knows.
The recipient first generates a key index which is sent to the cloud service which uses its quorum servers to generate key components Ω1(x), Ω2(x) and Ω3(x) respectively and these are sent to the recipient as shown in
The recipient encrypts a file using the key Ky and uploads the encrypted file along with the key index to the cloud as shown in
Quorum McEliece Public Key Cryptosystem
There is a public key system known as the McEliece system which was invented by the distinguished mathematician Robert McEliece and published in 1978, “A Public-Key Cryptosystem based on Algebraic Coding Theory”, DSN Progress Report 42-44. The method depends upon the difficulty of correcting unknown random errors contained in a redundant cipher text. The redundancy is based upon parity bits generated from an unknown Goppa error correcting code by using the public key. The private key contains information about the particular Goppa code used and enables the random errors contained in the cipher text to be removed. The McEliece public key cryptosystem is one of the few public key cryptosystems that is immune from attack by a quantum computer, unlike systems such as RSA and ElGamal. There have been a number of improvements and variations published such as U.S. Pat. No. 5,054,066, U.S. Pat. No. 8,958,553 and GB1501874.0.
The invention provides a means to realise a quorum based McEliece system. As an example, User A wants to send to User B an encrypted confidential file using the McEliece system but User A does not want User B to be able to access the confidential file without implicit permission from a quorum of senior officials within their organisation. The encryption stage is shown in
The HSM securely sends the key Ku to User A. User A adds the key Ku to the cipher text, modulo p, to form a blinded cipher text and sends the blinded cipher text to User B. User A encrypts the key index u and the input parameters ψ1 to ψm using User B's McEliece public key and sends the resulting cipher text to User B.
User B uses his or her private key to decrypt the key index u and input parameters ψ1 to ψm and sends these parameters to a quorum of k players as shown in
During setup, each of the n players has been given, using the prime field p, its respective m realised polynomial values according to the fifth embodiment, with the x0 coefficients of the m polynomials set to the same secret values as used in the HSM.
With encrypted file access permission granted each of the quorum players sends to User B, as shown in
It should be noted that several variants of this system are possible. For example, instead of using the prime field p for the polynomial evaluation and Lagrange interpolation, the Galois field GF(2^s) may be used, matching the Galois field used by the McEliece system. This simplifies addition and subtraction as these are now modulo 2, implemented by the exclusive OR function. Other variants include limiting the blinding to a sub-set of the cipher text, such as the parity bits portion of the cipher text, rather than the complete cipher text.
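The following is an added example, not code from the patent, of the GF(2^s) variant of the blinding exchange (s = 8): the HSM's key Ku is shared byte-wise among the n players with a degree k-1 polynomial, User B recovers Ku by Lagrange interpolation of any k players' components, and blinding and unblinding of the cipher text are the same exclusive OR. It assumes plain Shamir sharing of Ku in place of the fifth embodiment's key-index-derived polynomial values, and the McEliece encryption, the key index u and the parameters ψ1 to ψm are left outside the block; all data is constructed.

```python
import secrets
def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a: int) -> int:
    """a^254 == a^-1 in GF(2^8) for a != 0 (square-and-multiply)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def split_key(key: bytes, n: int, k: int) -> list:
    """Player i (x = i) gets f_b(i) per byte b of Ku; f_b has degree k-1, f_b(0) = key[b]."""
    coeffs = [secrets.token_bytes(k - 1) for _ in key]  # random a_1 .. a_(k-1) per byte
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for b, c in zip(key, coeffs):
            v = 0
            for a in reversed(c):          # Horner; '+' is XOR in GF(2^8)
                v = gf_mul(v ^ a, x)
            y.append(v ^ b)
        shares.append((x, bytes(y)))
    return shares

def reconstruct_key(shares: list) -> bytes:
    """Lagrange interpolation at x = 0; subtraction is XOR, so (0 - x_j) = x_j."""
    out = bytearray(len(shares[0][1]))
    for xi, y in shares:
        lam = 1                            # Lagrange basis value at x = 0
        for xj, _ in shares:
            if xj != xi:
                lam = gf_mul(lam, gf_mul(xj, gf_inv(xi ^ xj)))
        for b, yb in enumerate(y):
            out[b] ^= gf_mul(lam, yb)
    return bytes(out)

def blind(data: bytes, ku: bytes) -> bytes:
    """Same XOR blinds (User A) and unblinds (User B); Ku must span the cipher text."""
    if len(ku) != len(data):
        raise ValueError("Ku must be as long as the cipher text being blinded")
    return bytes(c ^ m for c, m in zip(data, ku))
```

With fewer than k components the interpolated value is unrelated to Ku, so User B cannot remove the blinding and the McEliece private key alone does not open the file.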
It will become apparent to a person skilled in the art that this quorum combination is not limited to the McEliece public key cryptosystem but may be applied to any public key or symmetric key encryption system.
It will be understood that embodiments of the present invention are described herein by way of example only, and that various changes and modifications may be made without departing from the scope of the invention.
For example, in the embodiments described above, each player device implements a plurality of computational modules (also referred to as circuits or devices), with each module realising a corresponding hash function, an encryption function, or a multiple input/output mapping function. Furthermore, in the embodiments described above, the plurality of computational modules define an ordered series, whereby each module is used once and the output from one module is provided as input to the next module in the series, apart from the final module. As those skilled in the art will appreciate, each player device may be configured to utilise one or more of the plurality of computational modules more than once in the defined series. For example, the output from the final module in the defined order may be provided as input back to the first module in the defined order, to implement a recursive ordered series for a predefined number of recursions.
As another alternative, the key indices and input circuit parameters as well as key components can be themselves encrypted, using any suitable encryption system, with a common or distinct key known only to the intended participant, to prevent any third parties learning this information.
For the embodiments that feature inputs to one or more circuits of nested devices, additional elements or values may be provided as inputs; such additional elements or values can represent or be associated with further information for verifying or authenticating a particular individual or entity, and may be received or retrieved from various data sources. For example, the additional elements or values may be the current Global Positioning System (GPS) coordinates of a user's computing device, automatically determined and retrieved from a GPS module of the device. Inputs needed to reconstruct the original key may be data associated with the player's current physical location, as described by GPS coordinates retrieved from the associated computing device (or from a connected GPS module). The quorum participants then have to be at, or within, a predefined geographical location, or at the same location as the other participants, in order for the original data to be reconstructed. Additionally or alternatively, the additional values may be time or date stamps, so that quorum participants have to input their data at predefined times or dates in order for the original data to be reconstructed. Additionally or alternatively, the additional values may be identification data associated with the computing device, such as a mobile phone number, identification number, network address, serial number, etc. The reconstruction process would therefore include automatic retrieval of the identification data from the computing device as additional inputs to produce the reconstructed key, where reconstruction of the original key is only possible if the quorum portions are received from an authorised device. In this way, a further level of identity verification and authentication is integrated into the quorum-based data process of the present embodiment.
In the embodiments described above, the quorum key or code portions are transmitted to and stored by computing devices of respective authorised users of the system. As those skilled in the art will appreciate, as an alternative, the quorum key or code portions may instead be provided in the form of an authentication token. For example, the quorum key or code portions may be encoded and stored in the magnetic strip of a physical card, or may be encoded as a bar code or QR code that is printed on a physical card or displayed on a virtual card, or may be encoded and stored in an RFID tag. As another example, the quorum key or code portions may be stored in a hardware dongle with a wireless data communication interface for communicating the quorum data to the quorum system via a corresponding communication interface. As yet another example, the quorum system may be configured with an interface for receiving user input of the respective quorum key or code portions, and to output the reconstructed data temporarily on a display, or to communicate the reconstructed data to a further data processing device, for example to complete decryption of data using the reconstructed secret key, or to a device controlling access to a secured asset, such as an electronic lock that is unlocked in response to receiving the correct reconstructed passcode. In such an example, the quorum system may be incorporated as a processing module or element of the further data processing device or access controlling device. Additionally, the quorum key or code portions may be electronically communicated to the respective authorised users, for example by email or text message.
As another alternative, rather than sub-dividing the quorum data amongst authorised players as described in the embodiments above, the simulated circuits and quorum vectors may be distributed amongst a plurality of computing device(s), authentication token(s) and/or security dongle(s) associated with one particular user, for improved multi-factor authentication based on quorum portions received from the predefined minimum number of user authentication devices.
Yet further alternative embodiments may be envisaged, which nevertheless fall within the scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
1614246.5 | Aug 2016 | GB | national |