The present invention relates to encryption systems. More particularly, the present invention relates to encryption key distribution for generating secure session keys. Most particularly, the present invention is a system and method for polynomial-based encryption key distribution.
The number of applications requiring secure communications between low-power and higher-power devices is growing. For example, in the future buildings will be equipped with low-cost and low-energy sensors that will not only control the temperature in the buildings but will also contribute to a building's security. That is, they will collect information concerning security of the building, such as individuals entering and leaving. They will send the information they gather to a facility, i.e., another point in the building that gathers and processes this information. In this scenario it is important that the gathering point is able to trust the sensor information inputs.
One way to provide a level of trust is to incorporate simple cryptographic tools to secure communication between sensors and the gathering point and to allow authentication of the information being transmitted. However, sensors likely only have a limited amount of power available, and ideally these sensors obtain their power from their environment, e.g., solar power or RF power. Because of this low power availability, public key cryptography becomes very expensive and makes the device slow. Further, secret key systems require that all participants have a shared secret key in order to communicate securely.
Another application where low-power cryptography is important is Chip-in-Disc, RFID-tag technology. Here the communication takes place between a high-power disc player and a low-power disc. The chip contained therein controls the right of access to the content on the disc. The chip provides keys to the content to the disc player if it is convinced that the player is trustworthy and the disc player will only play the content if it is convinced that the chip can be trusted.
Both of these example applications and others like them need a low-cost and low-power cryptographic key management system. However, such low-cost and low-power systems are very constrained in both storage capacity and computing power.
A prior art scheme suggested by Blundo et al. is based on a scheme of Blom and uses a symmetric polynomial p(x,y): GF(q)^2 → GF(q) (q is a prime power), i.e., p(x,y) = p(y,x). Suppose, further, that there is only one type of device A and that a device A gets an identity x_A ∈ GF(q) together with the secret polynomial q_A(y) = p(x_A, y). Any two devices A and B can construct a shared secret key K_{A,B} = q_A(x_B) = q_B(x_A) by communicating their identities to one another and applying their secret polynomials thereto. For a group G, associate with each g ∈ G a representation Π_g, which is a homomorphism from the group G to the space of linear mappings L(V) on some vector space V (this vector space can be the space P of polynomials p: GF(q)^2 → GF(q)). The scheme of Blom is described in R. Blom, Non-Public Key Distribution, Advances in Cryptology: Proceedings of CRYPTO 82, pp. 231-236, 1983 and R. Blom, An Optimal Class of Symmetric Key Generation Systems, Advances in Cryptology: Proceedings of EUROCRYPT 84, pp. 335-338, 1985, the entire contents of both of which are hereby incorporated by reference. The scheme of Blundo et al. is described in C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro and M. Yung, Perfectly Secure Key Distribution for Dynamic Conferences, Advances in Cryptology: CRYPTO 93, pp. 110-125, 1994, the entire contents of which are hereby incorporated by reference.
Consider the matrix group:
then for g in G the representation Π_g of G on the space of linear mappings on the vector space P is given by:
(Π_g(p))(x,y) = p(g·(x,y)).
It is clear that this map gives a homomorphism from the group G to L(P). It follows easily from the definition of the group G and that of a symmetric polynomial p that the polynomial p is invariant under the action of the group G.
More generally, let group G act on the vector space V⊕V as follows:
g(x⊕y)=y⊕x
And define p(x,y)= where P is a symmetric matrix, i.e.,
and
denotes an inner product on V (note that g^2 = 1 for g in G). Then it follows that p is invariant under the action of the group G. Given a matrix P, one can always obtain a symmetric matrix P_S as follows:
P_S = P + P^T,
where T stands for the transpose of a matrix.
A polynomial is made invariant in the same way, as follows:
p_S(x,y) = p(x,y) + p(y,x) = p(x,y) + p(g(x,y)).
Referring now to
Initialization phase:
1. at step 101 A and B each get an identity and the identical but secret symmetric polynomial p(x,y) = p(y,x) in two variables x and y;
Session Key Generation Phase
2. at step 102 A sends its identity x_A ∈ GF(q) to B;
3. at step 103 B sends its identity x_B ∈ GF(q) to A;
4. at step 104 A computes the key using the received identity of B, its own identity and the previously distributed secret symmetric polynomial such that K_{A,B} = q_A(x_B) = p(x_A, x_B);
5. at step 105 B computes the key using the received identity of A, its own identity and the previously distributed secret symmetric polynomial such that K_{A,B} = q_B(x_A) = p(x_B, x_A); and
6. the shared, identical secret key is K_{A,B} = q_A(x_B) ≡ q_B(x_A).
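The Blom/Blundo key agreement of steps 101 to 105, as an added example that is not code from the patent: q is taken to be the prime Q = 10007 (an assumption; any prime power works), the master polynomial is a random symmetric n×n coefficient matrix, and each device receives only the n coefficients of q_A(y) = p(x_A, y). The identities and seeds are constructed sample values.

```python
# Added example, not from the patent text: the Blundo et al. / Blom scheme with a
# symmetric bivariate polynomial over GF(Q), Q prime (an instance of a prime power q).
# Identities and coefficients are constructed sample values.
import random

Q = 10007  # prime modulus; GF(Q) is the integers mod Q


def random_symmetric_polynomial(n, seed):
    """Coefficient matrix C with C[a][b] = C[b][a], so p(x, y) = sum C[a][b] x^a y^b
    satisfies p(x, y) = p(y, x). Each variable has power at most n-1, which is why
    the shares of any n devices suffice to interpolate p (the collusion threshold)."""
    rng = random.Random(seed)
    C = [[0] * n for _ in range(n)]
    for a in range(n):
        for b in range(a, n):
            C[a][b] = C[b][a] = rng.randrange(Q)
    return C


def evaluate(C, x, y):
    """p(x, y) over GF(Q), computed from the master polynomial (initialiser only)."""
    n = len(C)
    return sum(C[a][b] * pow(x, a, Q) * pow(y, b, Q) for a in range(n) for b in range(n)) % Q


def share_for(C, x_id):
    """q_A(y) = p(x_A, y) as n coefficients in GF(Q): the only secret a device stores."""
    n = len(C)
    return [sum(C[a][b] * pow(x_id, a, Q) for a in range(n)) % Q for b in range(n)]


def session_key(share, peer_id):
    """q_A(x_B): evaluate the stored share at the peer's identity (steps 104 / 105)."""
    return sum(c * pow(peer_id, b, Q) for b, c in enumerate(share)) % Q


def demo(n=4, seed=1):
    C = random_symmetric_polynomial(n, seed)          # master key p; never leaves the initialiser
    rng = random.Random(seed + 1)
    x_a, x_b = rng.randrange(1, Q), rng.randrange(1, Q)
    q_a, q_b = share_for(C, x_a), share_for(C, x_b)   # initialization phase, step 101
    k_ab = session_key(q_a, x_b)                      # A computes q_A(x_B)
    k_ba = session_key(q_b, x_a)                      # B computes q_B(x_A)
    return k_ab, k_ba, evaluate(C, x_a, x_b)
```

Each device stores n field elements and one identity, and any two devices of the single type agree on one key per pair; the threshold noted in the comment is the reason the later embodiments care about who can learn identities.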
These prior art approaches do not leverage the different capabilities of devices and do not provide more than one secret session key per use.
Thus, a solution is needed that allows inexpensive low-power devices and expensive higher-power devices to share multiple secret session keys to allow secure communication in the future between these devices.
The system and method of the present invention provide a polynomial-based key distribution scheme that allows low-cost low-power devices to share multiple secret session keys with higher-cost higher-power devices.
A first preferred embodiment of the present invention is a key distribution scheme using polynomials in multiple variables and which applies to at least two kinds of devices.
A second preferred embodiment is a key distribution scheme using polynomials in multiple variables that are invariant under group transformations and which applies to at least two kinds of devices.
A third embodiment provides an asymmetric protocol that forces an eavesdropper to break at least one of the more difficult to break devices, i.e., a higher-cost, higher-power device.
A fourth embodiment forces an adversary to break at least one harder to break device, i.e., a higher-cost, higher-power device.
It is to be understood by persons of ordinary skill in the art that the following descriptions are provided for purposes of illustration and not for limitation. One skilled in the art understands that there are many variations that lie within the spirit of the invention and the scope of the appended claims. Unnecessary detail of known functions and operations may be omitted from the current description so as not to obscure the present invention.
In a first preferred embodiment of the present invention, devices of at least two kinds use distributed multivariate polynomials to construct secret keys.
First, define a polynomial in multiple variables
p(x_1, ..., x_k): GF(q)^k → GF(q)
such that the maximum power of any of its variables is at most n−1. Polynomial p(x_1, ..., x_k) represents a master key in the distribution scheme and is not stored with any of the devices; only the polynomials q_A, q_B, etc., which are derived from p, are pre-distributed to A, B, etc.
Consider two kinds of devices split into sets A and B. For A ∈ A define a secret polynomial q_A in multiple variables as follows:
q_A(y_{i+1}, ..., y_k) = p(x_1^A, ..., x_i^A, y_{i+1}, ..., y_k)
and for B ∈ B define a secret polynomial q_B in multiple variables as follows:
q_B(y_1, ..., y_i) = p(y_1, ..., y_i, x_{i+1}^B, ..., x_k^B).
After exchanging the x_j^A's and x_j^B's, devices A and B compute their mutually agreed secret key K_{A,B} using their respective secret polynomials:
K_{A,B} = q_A(x_{i+1}^B, ..., x_k^B) = q_B(x_1^A, ..., x_i^A).
Devices of type A need to store n^{k−i} + i elements in GF(q) (polynomial q_A is a polynomial in k−i variables with degree at most n−1 in each, hence n^{k−i} coefficients in GF(q) are needed to describe q_A, and the identity of A costs another i elements in GF(q)), and devices of type B need to store n^i + k − i elements in GF(q).
Referring now to
1. at step 201 A and B each get an identity and a respective polynomial
q_A(y_{i+1}, ..., y_k) = p(x_1^A, ..., x_i^A, y_{i+1}, ..., y_k) and
q_B(y_1, ..., y_i) = p(y_1, ..., y_i, x_{i+1}^B, ..., x_k^B);
2. at step 202 A sends its identity x_1^A, ..., x_i^A ∈ GF(q) to B;
3. at step 203 B sends its identity x_{i+1}^B, ..., x_k^B ∈ GF(q) to A;
4. at step 204 A computes the key using the received identity of B and the secret polynomial q_A previously distributed to A such that
K_{A,B} = q_A(x_{i+1}^B, ..., x_k^B) = p(x_1^A, ..., x_i^A, x_{i+1}^B, ..., x_k^B);
5. at step 205 B computes the key using the received identity of A and the secret polynomial q_B previously distributed to B such that
K_{A,B} = q_B(x_1^A, ..., x_i^A) = p(x_1^A, ..., x_i^A, x_{i+1}^B, ..., x_k^B); and
6. the mutually agreed secret key is K_{A,B} = q_A(x_{i+1}^B, ..., x_k^B) = q_B(x_1^A, ..., x_i^A).
Devices of type A need to store n^{k−i} + i elements in GF(q). Devices of type B need to store n^i + k − i elements in GF(q).
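The first embodiment carried through in code, as an added example that is not from the patent: the master polynomial is held as a dictionary from exponent tuples to coefficients over GF(Q) with Q = 10007 prime (an assumed choice), q_A and q_B are obtained by partial evaluation of p at the device identities, and the returned storage counts are the n^{k−i} + i and n^i + k − i elements stated above. The parameters k = 4, n = 3, i = 3 and all identities are constructed sample values; choosing i = k − 1 is what gives the low-power A device the short polynomial.

```python
# Added example, not from the patent text: the first embodiment with a polynomial
# p(x_1, ..., x_k) over GF(Q), Q prime, each variable of degree at most n-1.
# A devices own the first i identity coordinates, B devices the last k-i.
# All identities and coefficients are constructed sample values.
import itertools
import random

Q = 10007  # prime modulus


def random_polynomial(k, n, seed):
    """Master key p as {exponent tuple: coefficient}: n^k coefficients in GF(Q)."""
    rng = random.Random(seed)
    return {e: rng.randrange(Q) for e in itertools.product(range(n), repeat=k)}


def evaluate(poly, point):
    """p(point) over GF(Q); point supplies one value per remaining variable."""
    total = 0
    for exps, c in poly.items():
        term = c
        for x, e in zip(point, exps):
            term = term * pow(x, e, Q) % Q
        total = (total + term) % Q
    return total


def partial_evaluate(poly, fixed):
    """Substitute fixed[j] for variable j wherever fixed[j] is not None; the result is
    a polynomial in the remaining variables. This is how the initialiser derives
    q_A and q_B from p without ever giving p to a device."""
    kept = [j for j, v in enumerate(fixed) if v is None]
    out = {}
    for exps, c in poly.items():
        term = c
        for j, v in enumerate(fixed):
            if v is not None:
                term = term * pow(v, exps[j], Q) % Q
        key = tuple(exps[j] for j in kept)
        out[key] = (out.get(key, 0) + term) % Q
    return out


def derive_shares(poly, k, i, id_a, id_b):
    """Step 201: q_A(y_{i+1..k}) = p(x^A_1..x^A_i, y) and q_B(y_{1..i}) = p(y, x^B_{i+1..k})."""
    q_a = partial_evaluate(poly, list(id_a) + [None] * (k - i))
    q_b = partial_evaluate(poly, [None] * i + list(id_b))
    return q_a, q_b


def demo(k=4, n=3, i=3, seed=7):
    """i = k-1 gives the low-power A device the short polynomial (n coefficients)."""
    poly = random_polynomial(k, n, seed)              # never stored on any device
    rng = random.Random(seed + 1)
    id_a = [rng.randrange(Q) for _ in range(i)]       # x^A_1..x^A_i
    id_b = [rng.randrange(Q) for _ in range(k - i)]   # x^B_{i+1}..x^B_k
    q_a, q_b = derive_shares(poly, k, i, id_a, id_b)
    key_at_a = evaluate(q_a, id_b)                    # step 204: q_A(x^B_{i+1..k})
    key_at_b = evaluate(q_b, id_a)                    # step 205: q_B(x^A_1..x^A_i)
    storage_a = len(q_a) + len(id_a)                  # n^(k-i) + i elements of GF(Q)
    storage_b = len(q_b) + len(id_b)                  # n^i + k - i elements of GF(Q)
    return key_at_a, key_at_b, evaluate(poly, id_a + id_b), storage_a, storage_b
```

With k = 4, n = 3, i = 3 the A device stores 3 + 3 = 6 field elements and the B device 27 + 1 = 28, while both evaluate to the same p(x^A, x^B); two A devices cannot agree on a key because neither holds the last k − i coordinates the other's q_A expects.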
In a preferred embodiment, devices of type A are low-cost low-power devices while devices of type B are higher cost devices having more functionality.
In a second preferred embodiment of the present invention, devices of at least two kinds use a distributed multivariate polynomial to construct secret keys, wherein the polynomial is invariant under the action of a certain group. This embodiment provides a way to obtain multiple session keys per each pair of devices that are equivalent in performance to repetition of the first embodiment.
Consider a polynomial:
p(x_1, ..., x_k): GF(p^m)^k → GF(p^m)
in multiple variables which is invariant under a group G consisting of k×k matrices over GF(p^m). The construction of such a polynomial begins with an arbitrary polynomial P(x), x = (x_1, ..., x_k), such that,
is invariant under G. That is, for each g ∈ G, p(x) = p(gx) = (Π_g p)(x).
Let n−1 be the maximum power of xj in p(x).
Let 1 ≤ i < k and define
s(G) = {M ∈ G : ∀x ∃y (x_1, ..., x_i, y_{i+1}, ..., y_k) = (y_1, ..., y_i, x_{i+1}, ..., x_k) M}.
Consider two kinds of devices split into sets A and B. For A ∈ A and for B ∈ B, after exchanging the x_j^A's and x_j^B's, devices A and B compute a unique y^{A,B,M} for each matrix M ∈ s(G) such that their mutually agreed secret key is:
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}).
Each pair of devices A and B can share |s(G)| uniformly distributed secret session keys. However, devices of the same kind cannot share secrets.
In addition to the storage described for the first embodiment described above, all devices need to store a parameterization of s(G). For example, if G is a cyclic group then only its generating matrix needs to be stored.
G can be generated, for example, as follows. Let H be a group and define the group G as G = {h ⊕ h | h ∈ H}. Then, for M = h ⊕ h, we have the following equations:
(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = h(x_{i+1}^B, ..., x_k^B)
(y_1^{A,B,M}, ..., y_i^{A,B,M}) = h^{−1}(x_1^A, ..., x_i^A)
It can easily be shown that if the session keys for M_1, M_2 ∈ G are equal for all devices A and B, then M_1 = M_2; hence all session keys are different (except for accidental collisions).
Referring now to
Initialization Phase:
1. at step 301 A and B each get an identity, a secret polynomial q_A and q_B respectively, and a parameterization of s(G);
Session Key Generation Phase:
2. at step 302 A selects M in s(G) at random and sends M's parameter representation and A's identity x_1^A, ..., x_i^A ∈ GF(p^m) to B;
3. at step 303 B sends its identity x_{i+1}^B, ..., x_k^B ∈ GF(p^m) to A;
4. at step 304 A computes the key using the received identity of B and its own polynomial q_A such that:
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = p(x_1^A, ..., x_i^A, y_{i+1}^{A,B,M}, ..., y_k^{A,B,M});
5. at step 305 B computes the key using the received identity of A and its own polynomial q_B such that
K^M_{A,B} = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}) = p(y_1^{A,B,M}, ..., y_i^{A,B,M}, x_{i+1}^B, ..., x_k^B); and
6. the mutually agreed secret key is
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}).
In a preferred embodiment, devices of type A are low-cost low-power devices while devices of type B are higher cost devices having more functionality.
A third embodiment is a variation of the second embodiment that allows both devices to compute an identical key without a more difficult to break device revealing its identity.
For a low-cost low-power device A ∈ A and for a higher-power more functional device B ∈ B, let A first transmit its identity to the harder to break device B. B then computes the vector (y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) using its identity and polynomial. Without revealing its identity, B transmits this vector to A, which can now compute K^M_{A,B}. This asymmetric protocol does not reveal the identity of B and, more importantly, the lower-cost and easier to break device does not need to store a representation of the group G.
Referring now to
Initialization Phase:
1. at step 401 A and B each get an identity and a secret polynomial, and B gets a parameterization of s(G);
Session Key Generation Phase:
2. at step 402 A sends its identity x_1^A, ..., x_i^A ∈ GF(p^m) to B;
3. at step 403 B selects M in s(G) at random using the previously distributed parameterization of s(G) and computes the key using the received identity of A and its own polynomial q_B such that
K^M_{A,B} = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}) = p(x_1^A, ..., x_i^A, y_{i+1}^{A,B,M}, ..., y_k^{A,B,M});
4. at step 404 B computes and sends the vector (y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) to A;
5. at step 405 A computes the key using the received vector and its own polynomial q_A such that
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = p(x_1^A, ..., x_i^A, y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}); and
6. the mutually agreed secret key is
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}).
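The group construction G = {h ⊕ h | h ∈ H} with its multiple session keys (second embodiment, steps 301 to 305) and the asymmetric flow in which B sends only h(x^B) (third embodiment, steps 401 to 405), as one added example that is not code from the patent. Assumed choices: GF(p^m) is taken as GF(Q) with Q = 10007 prime (m = 1); H is the cyclic group generated by a cyclic shift of i = 3 coordinates, so k = 6, |s(G)| = 3 and every matrix is a permutation matrix stored as the permutation it applies; the invariant polynomial p is built by summing P(Mx) over M ∈ G, which is the symmetrisation described for p_S above; the random multilinear P (n = 2) and the identities are constructed sample values. Because q_A(v) = p(x^A, v) and q_B(u) = p(u, x^B) by definition, the device-side evaluations are written through p so that the block stays self-contained; a deployed device would hold only its reduced polynomial, derived as in the first embodiment.

```python
# Added example, not from the patent text: second and third embodiments with
# G = {h (+) h : h in H}, H the cyclic group generated by a cyclic shift of i
# coordinates (k = 2i). Every matrix is a permutation matrix, stored as the
# permutation it applies. All sample values below are constructed.
import itertools
import random

Q = 10007   # prime modulus (GF(Q), m = 1)
I = 3       # i: each identity has i coordinates; k = 2i
K = 2 * I

def apply_perm(perm, vec):
    """Permutation matrix acting on a vector: (h v)_j = v[perm[j]]."""
    return [vec[perm[j]] for j in range(len(perm))]

def inverse_perm(perm):
    inv = [0] * len(perm)
    for j, t in enumerate(perm):
        inv[t] = j
    return tuple(inv)

def cyclic_group(i):
    """H = <sigma>, sigma the cyclic shift; |H| = i session keys per device pair.
    Only the generator sigma would need to be stored on a device."""
    sigma = tuple((j + 1) % i for j in range(i))
    perms, cur = [], tuple(range(i))
    for _ in range(i):
        perms.append(cur)
        cur = tuple(cur[sigma[j]] for j in range(i))
    return perms

def block_diag(h):
    """M = h (+) h: the same permutation applied to both halves of x."""
    return tuple(h) + tuple(t + len(h) for t in h)

def compose(P, M):
    """The polynomial x -> P(Mx). Since (Mx)_j = x_{M[j]}, the monomial
    prod_j x_j^{e_j} becomes prod_j x_{M[j]}^{e_j}: exponents are permuted."""
    out = {}
    for exps, c in P.items():
        new = [0] * len(exps)
        for j, e in enumerate(exps):
            new[M[j]] = e
        out[tuple(new)] = (out.get(tuple(new), 0) + c) % Q
    return out

def symmetrize(P, group):
    """p(x) = sum over M in G of P(Mx). Then p(M'x) = p(x) for every M' in G,
    because M M' runs over the whole group again. p is the master key."""
    p = {}
    for h in group:
        for exps, c in compose(P, block_diag(h)).items():
            p[exps] = (p.get(exps, 0) + c) % Q
    return p

def evaluate(poly, point):
    total = 0
    for exps, c in poly.items():
        term = c
        for x, e in zip(point, exps):
            term = term * pow(x, e, Q) % Q
        total = (total + term) % Q
    return total

def is_invariant(p, group, point):
    """Spot check p(Mx) = p(x) for every M in G at one point x."""
    base = evaluate(p, point)
    return all(evaluate(p, apply_perm(block_diag(h), point)) == base for h in group)

def session_keys(p, x_a, x_b, group):
    """Second embodiment: for M = h (+) h, A evaluates q_A at h x_B and B evaluates
    q_B at h^{-1} x_A; invariance of p makes the two values equal."""
    keys = []
    for h in group:
        key_a = evaluate(p, x_a + apply_perm(h, x_b))                  # q_A(h x_B)
        key_b = evaluate(p, apply_perm(inverse_perm(h), x_a) + x_b)    # q_B(h^-1 x_A)
        keys.append((key_a, key_b))
    return keys

def asymmetric_protocol(p, x_a, x_b, group, seed):
    """Third embodiment: A sends x_A (step 402); B picks h at random and derives the
    key (step 403), then sends only v = h x_B (step 404); A computes q_A(v) (step 405).
    Neither x_B nor the group description leaves B."""
    h = random.Random(seed).choice(group)
    v = apply_perm(h, x_b)
    key_b = evaluate(p, apply_perm(inverse_perm(h), x_a) + x_b)
    key_a = evaluate(p, x_a + v)
    return key_a, key_b, v

def demo(seed=11):
    rng = random.Random(seed)
    group = cyclic_group(I)
    P = {e: rng.randrange(Q) for e in itertools.product(range(2), repeat=K)}  # n = 2
    p = symmetrize(P, group)                       # master key, invariant under G
    x_a = [rng.randrange(Q) for _ in range(I)]
    x_b = [rng.randrange(Q) for _ in range(I)]
    return p, x_a, x_b, group, session_keys(p, x_a, x_b, group)
```

The `is_invariant` check is the property the two sides rely on: without the symmetrisation step the two evaluations in `session_keys` differ for every non-identity h. With |H| = 3 each device pair obtains three distinct keys, matching |s(G)|, and in `asymmetric_protocol` the vector v that A receives is a permutation of x^B chosen by B, so A learns a key without learning which device B is.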
Instead of hiding the group G, as in the third embodiment, a fourth embodiment hides A's identity from A itself by storing an encrypted version of A's identity on A. The encrypted identity of A is sent to B, and B then uses a master key (known to all devices in B) to decrypt the encrypted identity of A. This forces an adversary to break at least one harder to break device in B.
If the identities of type A devices are stored in encrypted form in these devices, then an interpolation attack based on getting the q polynomials of A devices does not work. It is essential to know the identities in order for such an attack to work. This means that the attacker is forced to break at least one B device to get to know the master key with which the identities of the A devices are encrypted.
Referring now to
1. at step 501 A and B each get an identity, with A's identity stored in encrypted form E(x_1^A, ..., x_i^A), and a secret polynomial, and B gets a parameterization of s(G);
2. at step 502 A sends its encrypted identity E(x_1^A, ..., x_i^A) ∈ GF(p^m) to B;
3. at step 503 B decrypts the received identity of A, selects M in s(G) at random using the previously distributed parameterization of s(G) and computes the key using the decrypted identity of A and its own polynomial q_B such that
K^M_{A,B} = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}) = p(x_1^A, ..., x_i^A, x_{i+1}^B, ..., x_k^B);
4. at step 504 B uses its identity and polynomial to compute the vector (y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}), which B then sends to A;
5. at step 505 A computes the key using the received vector and its own polynomial q_A such that
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = p(x_1^A, ..., x_i^A, y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}); and
6. the mutually agreed secret key is
K^M_{A,B} = q_A(y_{i+1}^{A,B,M}, ..., y_k^{A,B,M}) = q_B(y_1^{A,B,M}, ..., y_i^{A,B,M}).
Referring now to
Referring now to
In general, type A devices are lower-power devices, such as chip-in-discs, and type B devices are functionally more capable higher power devices, such as disc-players.
While the preferred embodiments of the present invention have been illustrated and described, it will be understood by those skilled in the art that various changes and modifications may be made, and equivalents may be substituted for elements thereof without departing from the true scope of the present invention. In addition, many modifications may be made to adapt to a particular situation, such as the relative capabilities of the devices, and the teaching of the present invention can be adapted in ways that are equivalent without departing from its central scope. Therefore it is intended that the present invention not be limited to the particular embodiments disclosed as the best mode and alternative thereto contemplated for carrying out the present invention, but that the present invention include all embodiments falling within the scope of the appended claims.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/IB05/53115 | 9/21/2005 | WO | 00 | 3/30/2007 |
Number | Date | Country |
---|---|---|
60614731 | Sep 2004 | US |