The present invention relates to encoding and decoding of information and, more particularly, to a public key cryptosystem for encryption and decryption of digital messages by computer systems.
There are a number of different public key cryptosystems that have been proposed, some of which are in widespread use in practical applications. They are all based on the extreme difficulty of performing a computation in reverse without knowledge of some secret information, whilst the computation in the forward direction is straightforward. There is a public key used for encryption which is of no use for decryption, which can only be done using a secret, private key.
Public key encryption is an invaluable technology enabling information to be encrypted and securely sent from one person to another without the need for a secret key to be shared ahead of time between the parties. The first method was secretly invented in 1973 by Ellis, Cocks and Williamson whilst working at GCHQ and was based on the difficulty of finding discrete logarithms. Their method was independently invented by Diffie and Hellman who published their Diffie-Hellman key exchange in 1976.
Another method was independently invented in 1978 by Rivest, Shamir and Adleman, based on the considerable difficulty of factorising large integers into prime factors. It is known as RSA and is in widespread use today. Since then other methods have been invented such as ElGamal and Elliptic Curve Cryptography (ECC).
Another different public key system is the McEliece system invented by the distinguished mathematician Robert McEliece in 1978. It is the first example of code based cryptography and uses the family of binary Goppa error correcting codes. The McEliece method relies on the difficulty of correcting unknown random errors if the particular Goppa code used in generating the public and private keys is unknown. A plaintext message is encoded into binary codewords using the public key and a randomly chosen error pattern containing up to t bits is added to each codeword to produce the ciphertext. In decryption the associated private key is used to deploy an error correcting decoder based upon the underlying Goppa code to correct the errored bits in each codeword, prior to retrieval of the plaintext message.
A further different public key system is described in U.S. Pat. No. 6,081,597 to Hoffstein, Pipher and Silverman. The described system uses polynomial algebra based on circulants and a modulo arithmetic based on two numbers p and q. Successful decryption is probabilistic, not certain, although the risk of failure can be made negligible by suitable choice of parameters.
Aspects of the present invention are set out in the accompanying claims, advantageously providing a secure cryptosystem implementing relatively small public key sizes.
According to one aspect, the present invention provides a method of encrypting a digital message, the method comprising:
(a) generating a private key polynomial having coefficients from a first sub-set of predefined Galois field elements;
(b) constructing an inverse private key polynomial having coefficients which are an inverse of said private key polynomial where the polynomial product of the private key polynomial and the inverse private key polynomial modulo a third polynomial F(x) is equal to 1;
(c) generating a polynomial B(x) having coefficients from a second sub-set of said Galois field elements;
(d) constructing a public key polynomial by multiplying the inverse private key polynomial by the polynomial B(x) modulo F(x);
(e) representing the digital message as a polynomial M(x) having coefficients from a third sub-set of said Galois field elements;
(f) generating a session key polynomial S(x) having coefficients from a fourth sub-set of said Galois field elements; and
(g) generating an encrypted message by multiplying the session key polynomial S(x) by the public key polynomial, modulo F(x), and adding the result to the message polynomial M(x) to produce a polynomial representation of a cipher text.
According to another aspect, the present invention provides a method of encrypting a digital message, the method comprising:
(a) generating a private key polynomial having coefficients from a first sub-set of predefined Galois field elements;
(b) constructing an inverse private key polynomial having coefficients which are an inverse of said private key polynomial where the polynomial product of the private key polynomial and the inverse private key polynomial modulo a third polynomial F(x) is equal to 1;
(c) generating a polynomial B1(x) having coefficients from a second sub-set of said Galois field elements;
(d) generating a polynomial B2(x) having coefficients from a third sub-set of said Galois field elements;
(e) generating a polynomial R1(x) having coefficients from a fourth sub-set of said Galois field elements;
(f) generating a polynomial R2(x) having coefficients from a fifth sub-set of said Galois field elements;
(g) constructing a public key polynomial by multiplying the inverse private key polynomial by the sum of the polynomial B1(x) and R1(x), modulo F(x), and then adding the polynomials B2(x) and R2(x);
(h) representing the digital message as a polynomial M(x) having coefficients from a sixth sub-set of said Galois field elements;
(i) generating a session key polynomial S(x) having coefficients from a seventh sub-set of said Galois field elements; and
(j) generating an encrypted message by multiplying the session key polynomial S(x) by the public key polynomial, modulo a polynomial F(x), and adding the result to the message polynomial M(x) to produce a polynomial representation of a cipher text.
In a further aspect, there is provided a post-quantum, public key cryptosystem which is polynomial based and where the private key polynomial has coefficients from a sub-set of Galois field elements and plain text message polynomials have coefficients from a second sub-set of Galois field elements. The public key polynomial is constructed using the inverse of the private key polynomial and a randomly chosen polynomial having coefficients chosen from a third sub-set of Galois field elements. Cipher texts are constructed using the public key and randomly chosen session key polynomials. For implementation a small prime base field such as 2, 3 or 5 may be used in constructing the prime power Galois field.
In other aspects, there are provided apparatus and systems configured to perform the methods as described above. In a further aspect, there is provided a computer program comprising machine readable instructions arranged to cause a programmable device to carry out any one of the methods as described above.
There now follows, by way of example only, a detailed description of embodiments of the present invention, with references to the figures identified below.
The system 1 comprises a public and private key pair generator 7, for example as a processing module of the receiver device 3b, that generates the recipient's public key 9a and a corresponding private key 9b, based on polynomial algebra modulo a predefined number or function. The recipient's public key 9a may be shared publicly, for example communicated to the transmitter device 3a via the data network 5, and stored in a memory 11a of the transmitter device 3a. The generated cryptography keys 9 may also be stored in a memory 11b of the associated receiver device 3b. The transmitter device 3a also comprises an encoder (encryption) module 13 configured to encode (encrypt) input plaintext into cipher text, using the generated public key 9a and a session key output by a session key generator 15 of the transmitter device 3a. The session key may be generated by the session key generator 15 each time the encoder 13 is used to encrypt an input data message M(x) 43.
The recipient device 3b comprises a complementary decoder (decryption) module 17 configured to decode (decrypt) cipher text that was encrypted using the generated public key 9a, into plaintext using the corresponding private key 9b. In this embodiment, output from the decoder module 17 is passed to a session key reconstructor module 19 that reconstructs a session key from the decrypted plaintext, using polynomial algebra modulo the predefined number or function. The decrypted plaintext and the reconstructed session key may be passed to a data verifier module 21 for additional data processing to verify, for example, that the reconstructed session key contains embedded data elements that correspond to data elements in and/or derived from the decrypted plaintext.
Respective random number generator modules 23 may also be provided in the devices 3, to generate and provide random numbers to the key generator modules 7, 15 and the encoder module 13, as will be described in more detail below.
The devices 3 may be of a type that is known per se, such as a desktop computer, laptop computer, a tablet computer, a smartphone such as an iOS®, Blackberry® or Android® based smartphone, a ‘feature’ phone, a personal digital assistant (PDA), or any processor-powered device with suitable input and output means. The data network 5 may comprise a terrestrial cellular network such as a 2G, 3G, 4G or 5G network, a private or public wireless network such as a WiFi®-based network and/or a mobile satellite network or the Internet. It is appreciated that a plurality of computing devices 3 may be operable concurrently within the system 1, as transmitters and/or recipients of data therebetween. Although not illustrated, the devices 3 would typically also include the complementary data processing modules to generate, send, receive and process received data as described in the present embodiments.
As will be described in greater detail below, the encryption technique of the described embodiments is based on polynomial algebra involving constrained polynomial coefficients from a Galois field, modulo a predefined fixed polynomial F(x), while the decryption technique is based on the complementary polynomial algebra whose validity depends on elementary Galois field theory. As is known in the art, the polynomial is a convenient representation of ordered coefficients, and as will be described in detail below, the processing modules of the system 1 are configured to perform designated operations on coefficients of respective constructed polynomials. Advantageously, the security of the public key cryptosystem is provided by the interaction of the polynomial computation system with the dependence on polynomials whose coefficients are from constrained sub-sets of a Galois field. Security also relies on the known fact that for most lattices, it is very difficult to find the shortest vector if there are a large number of vectors which are only moderately longer than the shortest vector.
In practice, for cryptographic security, much larger field sizes and longer key lengths, several hundred symbols long, would be used. For example, a secure system may use a GF of size 2^8 = 256 (suitable for a symbol alphabet such as the ANSI, ASCII or Unicode character sets) or 2^16 = 65536 (suitable for larger symbol alphabets).
A private key polynomial constructor 31 of the key generator 3-1 receives an input sequence of random data, such as a random sequence of binary 0's and 1's, from the random number generator 23. The private key polynomial constructor 31 generates a private key 9b consisting of a sequence of random coefficients selected from the input random sequence, provided these coefficients are from a sub-set of the Galois field. In the present worked example, the generated private key 9b consists of coefficients whose value is from a defined first sub-set 40-1 of the Galois field, consisting, in this worked example, of the GF(16) elements 0100, 0110, 0010 and 0000. Coefficients are selected from the input random sequence until there are a total of N randomly chosen coefficients from the first sub-set 40-1 of the Galois field. In this worked example, N=14 and the private key has 14 coefficients.
To simplify decryption, the first coefficient of the randomly chosen private key may have 1000 added modulo 2. An example of such a private key polynomial has the following sequence of coefficient values:
1000 0000 0010 0000 0100 0010 0110 0110 0010 0010 0110 0000 0000 0010
In this example, the symbols correspond to symbols from the Galois field GF(2^4) generated by the primitive generator polynomial 1+x+x^4. With α denoting a primitive root, all of the symbols from this field may be mapped as a power of α together with their representation in binary and as a decimal number. These symbols are tabulated below:
Based on the predefined mapping of Table 1, the exemplary private key 9b above may be represented in decimal numbers as:
The same exemplary sequence may be represented as a polynomial (with zero value coefficients omitted):
$P_k(x) = 1 + \alpha^{13}x^2 + \alpha^{14}x^4 + \alpha^{13}x^5 + \alpha^{10}x^6 + \alpha^{10}x^7 + \alpha^{13}x^8 + \alpha^{13}x^9 + \alpha^{10}x^{10} + \alpha^{13}x^{13}$
In the described embodiments, the inverse polynomial Qk(x) to the private key polynomial Pk(x) is calculated by the key generator 3. This may be done in several ways. In the present embodiment, a squaring module 33 of an inverse private key polynomial generator 35 as shown in
To compute the inverse of Pk(x) 34, it is noted that, for some integer w, $[P_k(x)]^w = P_k(x) \pmod{1 + \alpha^{-1}x + x^N}$, where $w = 2^r$.
For the present worked example, $[P_k(x)]^w = P_k(x) \pmod{1 + \alpha^{-1}x + x^{14}}$, where $w = 2^{39}$.
Accordingly, the squaring module 33 computes the square of Pk(x) modulo $1 + \alpha^{-1}x + x^{14}$ and repeatedly squares the result until the result is equal to Pk(x). It follows that the inverse of Pk(x) 34, as computed by the inverse private key polynomial generator 35, can be represented as:
$Q_k(x) = [P_k(x)]^{w-2}$
It should be noted that $2^r - 2 = 2^{r-1} + 2^{r-2} + 2^{r-3} + 2^{r-4} + 2^{r-5} + \dots + 4 + 2$
For the present worked example, $2^{39} - 2 = 2^{38} + 2^{37} + 2^{36} + \dots + 4 + 2$
In this embodiment, the squaring module 33 obtains the inverse Qk(x) 34 by multiplying $[P_k(x)]^2$ by $[P_k(x)]^4$ and by $[P_k(x)]^8$, then by $[P_k(x)]^{16}$, and so on up to power $2^{38}$.
Accordingly, following from the present worked example, the inverse private key polynomial generator 35 computes the inverse private key polynomial as:
$Q_k(x) = \alpha^{13} + \alpha^{10}x + \alpha^{5}x^2 + \alpha^{6}x^3 + \alpha^{12}x^4 + \alpha^{8}x^5 + \alpha^{0}x^6 + \alpha^{13}x^7 + \alpha^{3}x^8 + \alpha^{9}x^9 + \alpha^{1}x^{10} + \alpha^{7}x^{11} + \alpha^{6}x^{12} + \alpha^{3}x^{13}$
or with the coefficients represented as decimal numbers using the predefined mapping of Table 1, the sequence:
It can be verified by polynomial multiplication, for example based on GF(16) arithmetic with reference to Table 1, that:
$P_k(x) \cdot Q_k(x) = 1 \pmod{1 + \alpha^{-1}x + x^{14}}$
It should be noted that whilst Pk(x) has restricted coefficients from a sub-set of the Galois field listed in Table 1, Qk(x) has coefficients which can take any value of the Galois field. The above worked example may be represented in generalised form so there is a Qk(x) that is the inverse of Pk(x) such that
$P_k(x) \cdot Q_k(x) = 1 \pmod{F(x)}$
where F(x) may be an irreducible polynomial or a reducible polynomial, such as a circulant polynomial of the type 1+x^N. Circulant polynomials are used in further embodiments described below. For cases where F(x) is reducible, some particular examples of Pk(x) may have common factors with F(x), and therefore Qk(x) does not exist. If this happens, another example of Pk(x) can be selected for which Qk(x) does exist.
Other methods of determining the inverse polynomial Qk(x) from Pk(x) may be used by the inverse private key polynomial generator 35 instead of the squaring technique as implemented by the squaring module 33, such as Gaussian elimination or the extended Euclidean algorithm. The generated inverse private key polynomial Qk(x) 34 may be stored together with the associated public and private key pair polynomials 9a, 9b in the memory 11b of the receiver 3b.
As shown in
Equivalently, $B(x) = \alpha^{14} + \alpha^{14}x^2 + \alpha^{14}x^3 + \alpha^{14}x^4 + \alpha^{14}x^9 + \alpha^{14}x^{10} + \alpha^{14}x^{12}$
A polynomial multiplier 39 receives the polynomial B(x) 38 output by the constrained coefficients polynomial generator module 37 together with the inverse private key polynomial Qk(x) output by the inverse private key polynomial generator 35, and produces the public key Pub(x) by multiplying together Qk(x) and B(x), using Galois field arithmetic for the resulting polynomial coefficients, modulo a defined polynomial F(x). In the present worked example, F(x) is the irreducible polynomial $1 + \alpha^{-1}x + x^{14}$:
$\mathrm{Pub}(x) = Q_k(x) \cdot B(x) \pmod{1 + \alpha^{-1}x + x^{14}}$
Following from the present worked example, the result output by the polynomial multiplier 39 is the public key polynomial:
$\mathrm{Pub}(x) = \alpha^{9} + \alpha^{13}x + \alpha^{7}x^2 + \alpha^{12}x^3 + \alpha^{13}x^4 + \alpha^{6}x^5 + \alpha^{6}x^6 + \alpha^{11}x^7 + \alpha^{4}x^8 + \alpha^{4}x^9 + \alpha^{8}x^{10} + \alpha^{7}x^{11} + \alpha^{12}x^{12} + \alpha^{7}x^{14}$
$M(x) = 1 + x^2 + x^3 + x^6 + x^7 + x^8 + x^9 + x^{10}$
In binary representation, the coefficients of this example secret message are:
The random number generator 23 feeds an input data sequence, for example of random 1's and 0's, to a session key generator 15-1 which in this embodiment is configured to compute a constrained sub-set of coefficients from a fourth Galois field sub-set 40-4 of elements or symbols for a session polynomial S(x), in a similar manner as discussed above with reference to the constrained coefficients polynomial generator 37 shown in
An example session key sequence of coefficients of S(x) in decimal numbers using the notation of Table 1 is:
Equivalently expressed, the session key polynomial is $S(x) = \alpha^{11} + \alpha^{11}x + \alpha^{14}x^2 + \alpha^{11}x^3 + \alpha^{0}x^5 + \alpha^{14}x^8 + \alpha^{14}x^9 + \alpha^{11}x^{11} + \alpha^{11}x^{12} + \alpha^{11}x^{13}$
Constraining the coefficients of the various polynomials to be from predefined sub-sets of the Galois field makes it possible for the message polynomial to be contained within the cipher text but only recoverable through knowledge of the private key polynomial. The cipher text C(x) is constructed by the encoder 13-1, as depicted in
$C(x) = \mathrm{Pub}(x) \cdot S(x) + M(x) \pmod{1 + \alpha^{-1}x + x^{14}}$
With the example result:
$C(x) = \alpha^{11} + \alpha^{14}x + \alpha^{10}x^2 + \alpha^{3}x^3 + \alpha^{11}x^4 + \alpha^{10}x^6 + \alpha^{8}x^7 + \alpha^{12}x^8 + \alpha^{6}x^{11} + \alpha^{13}x^{12} + \alpha^{12}x^{13}$
The cipher text coefficients represented as decimal numbers are:
Before the addition of M(x), these coefficients are
It can be seen that the message is a small perturbation vector added to a vector that appears to be a pseudo random vector. Advantageously, the security provided by the system 1 is that without knowing the private key, it is impossible to determine which coefficients have been perturbed, except by computationally intractable trial and error.
In binary, the cipher text is:
Advantageously, it can be seen that the product B(x)·S(x) has coefficients from binary Galois field (modulo 2) additions involving only α^14, α^13 and α^12 and not α^0. The product M(x)·Pk(x) = M(x) + W(x), where W(x) has coefficients from the Galois field sub-set α^4, α^6, α^9, α^10, α^12, α^13, α^14 and 0, but not α^0. Consequently, M(x), which only has coefficients which are α^0 or 0, may be determined by the decoder 17-1 from the first binary row of the product C(x)·Pk(x). This may be seen clearly from the binary representation of B(x)·C(x):
The binary version of C(x)·Pk(x) is:
The output from the polynomial multiplication module 39 is passed to a coefficient masking module 49 of the decoder 17-1, which is used to mask off all but the first row of the input coefficient data. Following from the above worked example, the coefficient masking module 49 produces the output data:
It will be observed that this output is identical to the original binary representation of the coefficients of M(x).
It will be appreciated that in the present worked example, the reconstruction of M(x) has been possible by constraining the coefficients of the private key Pk(x) to combinations of α^14, α^13, α^10 and zero, apart from the x^0 coefficient which is α^0. In addition, the public key factor B(x) 38 has coefficients limited to α^14 and zero. The session key S(x) has coefficients limited to combinations of α^0, α^14 and zero. M(x) has coefficients limited to α^0 and zero. It is these restrictions to combinations of sub-field elements that enable M(x) to be reconstructed unambiguously from the cipher text by using the private key polynomial.
It is also appreciated that different choices of coefficient constraints for the above polynomials may be made such that, knowing the private key, unambiguous reconstruction of M(x) is still possible. For example, the public key factor B(x) 38 could have coefficients limited to α^0 and zero, with the session key S(x) having coefficients limited to combinations of α^14, α^13, α^10 and zero.
In cases where the message may be shorter than N bits, the restriction on some coefficients may be removed. For example, if the message is shortened by 4 bits, the first 4 symbols of the private key may also include α^12, further increasing the entropy in the selection of the private key. In addition, the first 4 coefficients of the public key factor B(x) 38 may have coefficients which include α^13, or the first 4 coefficients of the session key S(x) may have coefficients which include α^13.
Furthermore, the private key Pk(x) may have coefficients from combinations of α^14, α^13, α^0 and zero, but in this case the reconstructed message polynomial M′(x), derived by masking off all but the first row of the binary representation of the decrypted cipher text, will need to be multiplied by the inverse of a polynomial D(x), defined by the α^0 coefficients of Pk(x), in order to reconstruct the original message polynomial M(x).
Having derived M(x) 43 from the received cipher text 47, it is possible to reconstruct the session key S(x) 41′-1.
As shown, the session key reconstructor 19-1 receives input cipher text C(x) and decrypted message data M(x), and provides the data as input coefficient data to a coefficient adder 45 of the session key reconstructor 19-1, which computes the Galois field subtraction of input data, in this case modulo 2 addition. The computed output from the coefficient adder 45 is passed to a polynomial multiplier 39 of the session key reconstructor 19-1, which multiplies the received input with the inverse of the public key polynomial Pub(x), denoted as T(x), 53.
Since in the binary case $C(x) - M(x) = C(x) + M(x) = \mathrm{Pub}(x) \cdot S(x)$, it can be seen that multiplying C(x)+M(x) by the inverse of Pub(x), T(x) 53, modulo the fixed polynomial F(x), produces the recovered session key S(x) 41′-1:
$S(x) = [C(x) - M(x)] \cdot T(x) \pmod{F(x)}$
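The key generation, encryption, decryption and session key recovery steps described above (the squaring-based inverse, the first-binary-row mask, and S(x) = [C(x) − M(x)]·T(x)) can be exercised end to end on the page's own numbers. The Python below is an added example, not code from the patent. It assumes the binary-table convention implied by the page's first sub-set (0100 = α^14, 0010 = α^13, 0110 = α^10), namely that the page's α is the inverse of the root b of 1+x+x^4 used for the bit representation, so that F(x) = 1 + α^{-1}x + x^14 carries the coefficient b in that representation. The page's Pk(x), B(x), S(x) and M(x) are transcribed as constructed inputs; every function name, the squaring bound of 400 and the re-draw loop in keygen are this example's own.

```python
"""Toy model of the page's GF(16), N = 14 example (added; not the patent's code).
Elements are 4-bit ints, bit i = coefficient of b^i, b a root of 1 + x + x^4.
Assumed from the page's sub-set 0100/0010/0110 = a^14/a^13/a^10: the page's a is
b^-1, so a^k = b^((-k) mod 15) and F(x) = 1 + a^-1 x + x^14 = 1 + b x + x^14."""
import random

GF_POLY, GF_ORDER, BETA = 0b10011, 15, 0b0010   # 1 + x + x^4; |GF(16)*|; b
N = 14                                          # F(x) = 1 + b x + x^N
ONE = [1] + [0] * (N - 1)

def gf_mul(x, y):
    """GF(16) product: carry-less multiply, then reduce by 1 + x + x^4."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y, x = y >> 1, x << 1
        if x & 0x10:
            x ^= GF_POLY
    return r

EXP = [1]                                       # EXP[i] = b^i
for _ in range(GF_ORDER - 1):
    EXP.append(gf_mul(EXP[-1], BETA))

def alpha(k):
    """The page's a^k under the assumption a = b^-1."""
    return EXP[(-k) % GF_ORDER]

def poly_add(p, q):
    return [x ^ y for x, y in zip(p, q)]

def poly_mul_mod(p, q):
    """p(x) q(x) mod F(x): in characteristic 2, x^N = 1 + b x, so a term
    c x^(N+k) folds into c x^k + (b c) x^(k+1)."""
    prod = [0] * (2 * N - 1)
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            if pi and qj:
                prod[i + j] ^= gf_mul(pi, qj)
    for d in range(2 * N - 2, N - 1, -1):
        c, prod[d] = prod[d], 0
        prod[d - N] ^= c
        prod[d - N + 1] ^= gf_mul(BETA, c)
    return prod[:N]

def poly_inverse(p):
    """The page's squaring method: square until p^(2^r) = p, then p^-1 =
    p^(2^r - 2) = p^2 * p^4 * ... * p^(2^(r-1)).  Raises if p shares a factor
    with F(x), the case in which the page says to draw another Pk(x)."""
    powers = [p]                                # powers[i] = p^(2^i)
    for _ in range(400):                        # ample for a squarefree F(x)
        powers.append(poly_mul_mod(powers[-1], powers[-1]))
        if powers[-1] == p:
            break
    inv = ONE
    for pw in powers[1:-1]:
        inv = poly_mul_mod(inv, pw)
    if poly_mul_mod(p, inv) != ONE:
        raise ValueError("no inverse modulo F(x)")
    return inv

def encrypt(pub, s, m):
    """C(x) = Pub(x) S(x) + M(x) mod F(x)."""
    return poly_add(poly_mul_mod(pub, s), m)

def decrypt(pk, c):
    """C(x) Pk(x) = B(x) S(x) + M(x) Pk(x) mod F(x); with the page's sub-sets all
    but M(x) lies in span{b, b^2, b^3}, so bit 0 of each coefficient is M(x)."""
    return [coef & 1 for coef in poly_mul_mod(c, pk)]

def recover_session_key(t, c, m):
    """S(x) = [C(x) - M(x)] T(x) mod F(x) with T = Pub^-1; minus is XOR here."""
    return poly_mul_mod(poly_add(c, m), t)

def keygen(seed):
    """Pk from {0,a^14,a^13,a^10} (+1 at x^0), B from {0,a^14}; re-draw until both
    Pk(x) and Pub(x) are invertible.  Returns (Pk, Pub, T = Pub^-1)."""
    rng = random.Random(seed)
    while True:
        pk = [rng.choice([0, alpha(14), alpha(13), alpha(10)]) for _ in range(N)]
        pk[0] ^= 1
        bx = [rng.choice([0, alpha(14)]) for _ in range(N)]
        try:
            pub = poly_mul_mod(poly_inverse(pk), bx)
            return pk, pub, poly_inverse(pub)
        except ValueError:
            continue

def from_powers(terms):                         # {degree: k} -> a^k x^degree
    return [alpha(terms[d]) if d in terms else 0 for d in range(N)]

# The page's worked example, transcribed in its a^k notation
PK = from_powers({0: 0, 2: 13, 4: 14, 5: 13, 6: 10, 7: 10, 8: 13, 9: 13, 10: 10, 13: 13})
BX = from_powers({d: 14 for d in (0, 2, 3, 4, 9, 10, 12)})
SX = from_powers({0: 11, 1: 11, 2: 14, 3: 11, 5: 0, 8: 14, 9: 14, 11: 11, 12: 11, 13: 11})
MX = [1 if d in (0, 2, 3, 6, 7, 8, 9, 10) else 0 for d in range(N)]

def page_example():                             # -> (Qk, Pub, C, decrypted M)
    qk = poly_inverse(PK)
    pub = poly_mul_mod(qk, BX)
    c = encrypt(pub, SX, MX)
    return qk, pub, c, decrypt(PK, c)
```

page_example() returns the computed Qk(x) and Pub(x) alongside the decrypted message, so the result can be compared against the page's Qk(x) above; keygen(seed) draws a fresh pair under the same sub-set constraints and also returns T(x) = Pub(x)^{-1}, which recover_session_key uses. Because the mask reads only bit 0 of each coefficient of C(x)·Pk(x), the decoding works only while B(x)·S(x) and M(x)·(Pk(x) − 1) stay inside span{b, b^2, b^3} after the modulo-F(x) fold, which is exactly what the page's sub-set restrictions guarantee.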
It is appreciated that instead of choosing S(x) randomly, S(x) can convey 2N bits of information so that in total the cipher text conveys 3N bits of information.
Correspondingly, a data verifier module 21-1 in such an alternative embodiment, as shown in the functional block flow diagram of
The random bits contained in the session key polynomial S(x) 41 provide semantic security in that the cipher text C(x) 47 is different each time the message M(x) 43 is encrypted even if M(x) 43 is the same because the session key polynomial S(x) 41 will be different each time.
The entropy of the public key may be increased by increasing the length of the cipher text. The entropy may also be increased by increasing the Galois field size of the coefficients of the polynomials. This also provides more freedom in the choice of Galois field sub-sets for the constrained coefficients of the session key polynomial and message polynomial. As an example, consider the Galois field GF(256) generated by the primitive polynomial $1 + x^2 + x^3 + x^4 + x^8$.
With GF(256), the coefficients of the private key Pk(x) may now be constrained to be randomly selected combinations of α^254, α^253, α^252, α^251, α^250, α^249 and zero, apart from the x^0 coefficient of Pk(x), which has α^0 added to it. The public key factor B(x) 38 has randomly selected coefficients limited to the sub-set α^254 and zero. The session key S(x) has randomly selected coefficients limited to the Galois field sub-set defined by all combinations of α^0, α^254, α^253, α^252, α^251, α^250, α^249 and zero. The message M(x) has coefficients limited to α^0 and zero. In terms of decimal numbers the coefficients may be defined by integer values in the inclusive range 0 to 255.
As an example for N=20, the private key polynomial Pk(x) has the following randomly chosen coefficients from the Galois field sub-set described above:
For N=20, the modulo polynomial F(x) is now $1 + \alpha^{-1}x + x^{20}$. The calculated inverse polynomial, modulo F(x), is Qk(x), which turns out to have the following coefficients:
The public key factor B(x) 38 has randomly selected coefficients:
The calculated public key Pub(x)=Qk(x)·B(x) has coefficients:
With a session key polynomial S(x) having randomly selected coefficients:
And message polynomial M(x) having coefficients:
1 1 0 0 0 1 1 1 1 1 0 0 0 0 0 1 1 0 0 0
The constructed cipher text polynomial has coefficients:
This forms the cipher text.
Without addition of M(x) the vector is:
It can be seen that M(x) causes minor perturbations to this vector to form the cipher text. In binary representation the cipher text is:
After multiplying by Pk(x), the decrypted cipher text in binary is:
It will be noticed that the first row is identical to the message M(x) and this is obtained by masking off the first bit of the decrypted cipher text.
In the case of M(x)=0, the decrypted cipher text is:
It will be noticed that all the rows are now different. This is because M(x)·Pk(x) modulo $1 + \alpha^{-1}x + x^{20}$ contributes to all of the rows, and when M(x) is zero this contribution is zero.
The session key S(x) may be retrieved from the cipher text polynomial C(x) after the message M(x) has been reconstructed by subtracting M(x) from C(x) and multiplying by the inverse of the public key polynomial, modulo F(x).
This is because $\{C(x) - M(x)\} \cdot \mathrm{Pub}(x)^{-1} = S(x) \cdot \mathrm{Pub}(x) \cdot \mathrm{Pub}(x)^{-1} = S(x)$.
This is useful when the session key S(x) is not generated from randomly selected coefficients but instead where coefficients of the session key carry or embody implanted additional information, such as the hash of the message or a second message.
Further alternative embodiments use a different means of differentiating the message within the coefficients of the polynomial obtained by multiplying the cipher text polynomial by Pk(x) when decrypting the cipher text. As discussed above, the polynomial coefficients are Galois field elements defined by a primitive polynomial with a primitive root α. In this exemplary alternative embodiment, different sub-sets of the Galois field symbols are defined: each Galois field element may be split into a quotient times a code generator polynomial, plus a remainder termed the residue. For example, with primitive polynomial 1+x+x^4 and with α as a primitive root, an example of a code generator polynomial in powers of α^{-1} is:
Consider the field element 1+α^{-1}+α^{-3}; this field element is represented by constituent data components:
$1 + \alpha^{-1} + \alpha^{-3} = (1 + \alpha^{-1} + \alpha^{-2})(1 + \alpha^{-1}) + \alpha^{-1}$
Thus, the element 1+α^{-1}+α^{-3} may be considered as a codeword:
$(1 + \alpha^{-1} + \alpha^{-2})(1 + \alpha^{-1}) = 1 + \alpha^{-3}$
plus a residue α^{-1}.
Similarly, all of the other Galois field elements may be split into binary representations of codewords plus residues, for example as shown in Table 2 for the representations of the exemplary Galois field size GF(2^4).
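The codeword-plus-residue split is ordinary GF(2) polynomial long division on the bit pattern of an element, with no reduction by the field's primitive polynomial involved. The Python below is an added illustration, not the patent's code. It assumes the page's bit convention that bit i of an element's binary pattern is the coefficient of α^{-i} (so 0b1011 stands for 1 + α^{-1} + α^{-3}) and uses the generator g = 1 + α^{-1} + α^{-2} from the worked split above; the function names are this example's own. It also generalises to GF(2^5), the field of the later codeword embodiment, to list the codewords with a clear most significant bit that the page restricts B(x) to.

```python
"""Codeword/residue split of GF(2^m) elements (added illustration of the page's
Table 2, not the patent's own code).  An element is treated as a GF(2) polynomial
in a^-1: bit i of the integer is the coefficient of a^-i, so 0b1011 means
1 + a^-1 + a^-3.  The generator g = 1 + a^-1 + a^-2 is the one in the page's
worked split; a 'codeword' is any multiple of g whose degree is below m."""

G = 0b0111                          # g = 1 + a^-1 + a^-2 (assumed from the page's split)

def clmul(x, y):
    """Carry-less product in GF(2)[t]; no primitive-polynomial reduction."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x, y = x << 1, y >> 1
    return r

def split(elem, g=G):
    """Return (quotient, codeword, residue) with elem = quotient*g + residue
    and deg(residue) < deg(g): plain GF(2)[t] long division on bit patterns."""
    deg_g = g.bit_length() - 1
    q, r = 0, elem
    while r and r.bit_length() - 1 >= deg_g:
        shift = r.bit_length() - 1 - deg_g
        q ^= 1 << shift
        r ^= g << shift
    return q, clmul(q, g), r

def table(m, g=G):
    """The page's Table 2 for GF(2^m): pattern -> (quotient, codeword, residue)."""
    return {e: split(e, g) for e in range(1 << m)}

def codewords_with_clear_msb(m, g=G):
    """Codewords whose top bit (a^-(m-1)) is 0.  The page restricts B(x) to these
    so that the a^-1 factor introduced by the modulo-F(x) step only shifts them
    up one place, keeping them multiples of g without any field reduction."""
    return sorted(e for e, (_, _, r) in table(m, g).items()
                  if r == 0 and not e >> (m - 1))

def residues(m, g=G):
    """The distinct residues, i.e. the message alphabet of this embodiment."""
    return sorted({r for _, _, r in table(m, g).values()})
```

split(0b1011) returns quotient 0b0011 (1 + α^{-1}), codeword 0b1001 (1 + α^{-3}) and residue 0b0010 (α^{-1}), matching the page's decomposition; table(4) reproduces the content of Table 2, and residues(4) gives the four combinations of 0, 1 and α^{-1} that the later embodiment uses as the message alphabet. Multiplying a clear-MSB codeword by α^{-1} (a left shift of the pattern) yields another multiple of g, which is the property the page relies on when reducing modulo F(x).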
In this exemplary embodiment, the private key polynomial Pk(x) 9b is a binary polynomial, and the coefficients are randomly chosen from the Galois field sub-set α^0 = 1 or 0, with 16 coefficients. In the present worked example, the coefficients are:
So $P_k(x) = x^3 + x^6 + x^9 + x^{10} + x^{11} + x^{12} + x^{13} + x^{14}$
The inverse polynomial Qk(x) is found by the intermediate step of repeatedly squaring Pk(x), modulo $1 + \alpha^{-1}x + x^{16}$, until the result is Pk(x), as described above. Qk(x) may then be determined, with the result that
$P_k(x) \cdot Q_k(x) = 1 \pmod{1 + \alpha^{-1}x + x^{16}}$
It is found that
$(x^3 + x^6 + x^9 + x^{10} + x^{11} + x^{12} + x^{13} + x^{14})^w = (x^3 + x^6 + x^9 + x^{10} + x^{11} + x^{12} + x^{13} + x^{14}) \pmod{1 + \alpha^{-1}x + x^{16}}$ for $w = 2^{59}$
and
$Q_k(x) = \alpha^{27} + \alpha^{18}x + \alpha^{11}x^2 + \alpha^{20}x^3 + \alpha x^5 + \alpha^{13}x^6 + \alpha^{22}x^7 + \alpha^{3}x^8 + \alpha^{12}x^9 + \alpha^{30}x^{10} + \alpha^{5}x^{11} + \alpha^{24}x^{12} + \alpha^{14}x^{13} + \alpha^{29}x^{14} + \alpha^{11}x^{15}$
As shown in
$B(x) = \alpha^{4} + \alpha^{4}x^4 + \alpha^{4}x^6 + \alpha^{4}x^7 + \alpha^{4}x^{10} + \alpha^{4}x^{11} + \alpha^{4}x^{12} + \alpha^{4}x^{13} + \alpha^{4}x^{14}$
The randomly generated codeword coefficients polynomial B(x) 63 may be stored together with the associated public and private key pair polynomials 9a,9b in the memory 11b of the receiver 3b.
As shown in
$\mathrm{Pub}(x) = B(x) \cdot Q_k(x) \pmod{1 + \alpha^{-1}x + x^{16}}$
Following the present worked example, the polynomial multiplier 39 computes the public key polynomial as:
$\mathrm{Pub}(x) = \alpha^{26} + \alpha^{3}x + \alpha^{3}x^2 + \alpha^{16}x^3 + \alpha^{6}x^4 + \alpha^{2}x^5 + \alpha^{6}x^6 + \alpha^{26}x^7 + \alpha^{21}x^8 + \alpha^{23}x^9 + \alpha^{15}x^{10} + \alpha^{7}x^{11} + \alpha x^{12} + \alpha^{9}x^{13} + \alpha^{13}x^{14} + \alpha^{23}x^{15}$
The corresponding encoder module 13-2 for constructing cipher texts in this alternative embodiment is shown in the block flow diagram of
A worked example will be given with $S(x) = x^3 + x^6 + x^7 + x^{11} + x^{12} + x^{13} + x^{15}$
In this example, the message polynomial M(x) 43a consists of coefficients which are residues, consisting of all four additive combinations of 0, 1 and α^{-1}.
An example is:
$M(x) = \alpha^{13}x^2 + \alpha^{30}x^5 + \alpha^{30}x^7 + \alpha^{13}x^9 + \alpha^{30}x^{11} + \alpha^{13}x^{12} + \alpha^{30}x^{14} + \alpha^{30}x^{15}$
As shown in
$C(x) = \mathrm{Pub}(x) \cdot S(x) \pmod{F(x)} + M(x)$, where F(x) is $1 + \alpha^{-1}x + x^{16}$
resulting in the example output cipher text 47:
$C(x) = \alpha^{22} + \alpha^{28}x + \alpha^{16}x^2 + \alpha^{14}x^4 + \alpha^{28}x^5 + \alpha^{16}x^6 + \alpha^{19}x^7 + \alpha^{21}x^8 + \alpha^{0}x^9 + \alpha^{18}x^{10} + \alpha^{27}x^{11} + \alpha^{28}x^{12} + \alpha^{24}x^{13} + \alpha^{18}x^{14} + \alpha^{13}x^{15}$
As shown, the decoder 17-2 receives the cipher text polynomial C(x) 47 and uses a first polynomial multiplier 39a to multiply C(x) 47 by the private key polynomial Pk(x) retrieved from memory 11b, modulo the defined fixed polynomial F(x). Following from the present worked example, where F(x) is $1 + \alpha^{-1}x + x^{16}$, the first polynomial multiplier 39a produces the output:
As discussed above, in the present embodiment the codeword coefficients polynomial B(x) 63 has coefficients which are codewords, and multiplication by S(x), which has binary coefficients, will result in coefficients which are sums of codewords, some of which are multiplied by α^{-1} due to the modulo 1+α^{-1}x+x^16 operation. This explains why the coefficients of B(x) were constrained to exclude codewords with the most significant bit equal to 1. Advantageously, this provides space within the Galois field sub-set for the codeword coefficients to be multiplied by α^{-1} without incurring a reduction modulo the primitive polynomial, e.g. 1+x^2+x^5, which would otherwise result in coefficients that are no longer codewords from the defined sub-set of the Galois field.
Consequently, following from the present worked example, B(x)·S(x) modulo 1+α^{-1}x+x^16 has coefficients which are all codewords. Similarly, the private key Pk(x) 9b is a polynomial with binary coefficients, so that Pk(x)·M(x) modulo F(x), e.g. 1+α^{-1}x+x^16, is a polynomial whose coefficients are all residues. The secret message polynomial M(x) 43 was similarly constrained to have residue coefficients that could be multiplied by α^{-1} and still remain residues.
Accordingly, as shown in
In the present example, the residues of the coefficients of C(x)·Pk(x) as decimal numbers are calculated by the coefficients residues calculator 67 to be:
As a polynomial representation, this is Pk(x)·M(x).
The original message M(x) 43′ is reconstructed by multiplying by the inverse of Pk(x) which is Qk(x), using a second polynomial multiplier 39b (which may be the same processing module as the first polynomial multiplier 39a), and the original secret message 43′ is recovered and output by the decoder 17-2 as shown in
$M(x) = Q_k(x) \cdot P_k(x) \cdot M(x) \pmod{F(x)}$, where F(x) is $1 + \alpha^{-1}x + x^{16}$
The security strength of the codeword based system in the embodiments described above depends upon keeping the private key Pk(x) secret. In the systems described above, the worked example public key is computed as $\mathrm{Pub}(x) = P_k(x)^{-1} \cdot B(x) \pmod{1 + \alpha^{-1}x + x^N}$, where B(x) is a polynomial whose coefficients are all codewords. An attacker does not know the code generator polynomial 68, because this is part of the private key, but there are not a large number of possibilities.
One possible strategy an attacker may use is to trial different versions of a polynomial Y(x) until a Y(x) is found such that Y(x)·Pub(x)=B(x), a polynomial whose coefficients are all codewords, trying in parallel all possible code generator polynomials. It is possible that an efficient algorithm may be found to carry out this attack.
To provide strength against such an attack, the public key may be constructed from multiple polynomials whose coefficients are both codewords and residues. Specifically in this exemplary system:
$\mathrm{Pub}(x) = P_k(x)^{-1} \cdot [B_1(x) + R_1(x)] + B_2(x) + R_2(x) \pmod{1 + \alpha^{-1}x + x^N}$
where B1(x) and B2(x) are polynomials whose coefficients are all codewords and R1(x) and R2(x) are polynomials whose coefficients are all residues.
The cipher text C(x) is constructed as:
C(x)=Pub(x)·S(x)+M(x) modulo 1+α−1x+xN
The session key polynomial S(x) 41 has coefficients which are from one sub-set of the Galois field. As one example the coefficients may be binary taking only values α0=1 and 0. The message polynomial M(x) has coefficients that are restricted to the Galois field sub-set that are all residues as defined by the codeword generator polynomial 68.
As shown in
The coefficients of the residues coefficients polynomial R1(x) are all randomly chosen residues with the applied constraint that their most significant bit corresponds to α−5. As decimal numbers, in this example, these coefficients are:
21 60 19 60 6 36 32 52 8 12 36 40 4 59 12 61
As described in the embodiments above, a private key polynomial generator 31 of the key generator 3-3 produces a private key polynomial based on input random data from the random number generator 23 and a first sub-set 40-1 of the Galois field GF(212) elements. In this worked example, the first sub-set of elements 40-1 is α0 and 0, and the generated private key polynomial Pk(x) is a binary polynomial with random coefficients:
The inverse of Pk(x), Qk(x) 34, is obtained using an inverse private key polynomial generator 35 of the key generator 3-3. The inverse private key polynomial 34 in the present worked example has computed coefficients:
A polynomial multiplier 39 of the key generator 3-3 receives the polynomial B(x) 38 output by the constrained coefficients polynomial generator module 37 with the inverse private key polynomial Qk(x) output by the inverse private key polynomial generator 35.
The key generator 3-3 in this embodiment includes a second codeword and residues coefficients polynomial constructor 67b (which may be the same processing module as the first polynomial constructor 67a) that generates a second codeword polynomial B2(x) and a corresponding second residues coefficients polynomial R2(x), based on input random data from the random number generator 23. Collectively, the second codeword polynomial B2(x) and residues coefficients polynomial R2(x) will be referred to as second codeword and residues polynomials 69b. The coefficients of the polynomial B2(x) are also all randomly chosen by the constructor 67b from the second GF(212) sub-set 40-2, consisting of codewords with the two most significant bits always equal to 0. As decimal numbers, in this example, these coefficients are:
The coefficients of the polynomial R2(x) are all randomly chosen residues with the constraint that their most significant bit corresponds to α−4. As decimal numbers, in this example, these coefficients are:
As shown in
Pub(x)=Qk(x)[B1(x)+R1(x)]+B2(x)+R2(x) modulo F(x),
The coefficients of Pub(x) in this example are found to be:
Once the public key polynomial Pub(x) 9a has been obtained and communicated to the transmitter device 3a, cipher texts may be constructed using the encoder 13 of the transmitter device 3a for example as discussed above with reference to
Decryption of an example cipher text according to the present alternative embodiment will now be described, following from the present worked example. As discussed above, the session key S(x) has randomly chosen coefficients which are from the predefined fourth sub-set 40-4 of the Galois field. Following from the above worked example, the predefined sub-set 40-4 is α0 and 0, and the session key 41 coefficients S(x) are the binary values:
The message polynomial M(x) has coefficients which are residues such that their most significant bit corresponds to α−5. As decimal numbers, in this worked example, these coefficients values are:
The cipher text polynomial is C(x)=[Pub(x)·S(x) modulo 1+α−1x+x16]+M(x)
In this example, the cipher text polynomial C(x) coefficients are:
In order to decrypt the cipher text encoded using the public key polynomial 9a generated by the key generator 3-3 as discussed above with reference to
The resulting output from the polynomial multiplier 39 is added to the first codeword polynomial B1(x), as generated by the first codeword and residues coefficients polynomial constructor 67a of the key generator 3-3, and the resulting polynomial is passed to an inverse polynomial constructor 35 to calculate the inverse polynomial to form the translation polynomial 75:
T(x)=[(Pk(x)·B2(x) modulo 1+α−1x+x16)+B1(x)]−1
In the present worked example, the coefficients of the translation polynomial T(x) are:
In this example, the coefficients of U(x), computed and output by the polynomial multiplier 39, are:
Each coefficient of U(x) is divided by the code generator polynomial 68, which in this worked example is 1+α−1+α−2+α−4+α−5+α−7, and the computed residues are added modulo 2 to the corresponding coefficients of the intermediate polynomial U(x), using a codeword coefficients calculator 77 of the session key reconstructor 19-3. This process turns every coefficient of U(x) into a codeword. Denoting this codeword polynomial as V(x), the coefficients of V(x) output by the codeword coefficients calculator 77 in this worked example are:
Examining the components of U(x), the terms S(x)·B1(x)+Pk(x)·S(x)·B2(x) modulo 1+α−1x+x16 have coefficients which are codewords and the terms S(x)·R1(x)+Pk(x)·S(x)·R2(x)+M(x)·Pk(x) modulo 1+α−1x+x16 have coefficients which are residues. This is because S(x) and Pk(x) are binary polynomials and the terms S(x)·R1(x)+Pk(x)·S(x)·R2(x)+M(x)·Pk(x) modulo 1+α−1x+x16 have coefficients which remain as residues after the polynomial multiplications despite the modulo 1+α−1x+x16 operation because of the coefficient constraints that were imposed on R1(x), R2(x) and M(x).
Accordingly V(x)=S(x)·[B1(x)+Pk(x)·B2(x)] modulo 1+α−1x+x16
The codeword polynomial V(x) is multiplied by the translation polynomial T(x) modulo F(x)=1+α−1x+x16, using a second polynomial multiplier 39b of the session key reconstructor 19-3 (which may be the same processing module as the first polynomial multiplier 39a), to reproduce the session key 41′-3, e.g.:
This is because V(x)·T(x)=S(x)·[B1(x)+Pk(x)·B2(x)]·[B1(x)+Pk(x)·B2(x)]−1 modulo 1+α−1x+x16=S(x).
Having recovered the session key, S(x) 41′-3, the decoded message polynomial 43′ may be determined by the corresponding decoder 17-3 of this alternative embodiment, as shown in the block flow diagram of
C(x)+Pub(x)·S(x)=M(x)+Pub(x)·S(x)+Pub(x)·S(x)=M(x)
In some implementations it is attractive to use circulant polynomials because these have the simplest polynomial modulo operation in that all that needs to be carried out is just a circular shift. In another alternative embodiment, the fixed modulo polynomial F(x) instead has the form 1+xN, where the public, private key, message and cipher text polynomials have N coefficients each corresponding to N Galois field symbols.
As discussed in embodiments above, the private key polynomial Pk(x) 9b consists of a polynomial of degree N−1 having symbols from a base prime power Galois field GF(bk), commonly b=2, but any small prime power may be used. A typical value for k may be k=8. Also as before, the private key polynomial has coefficients which are randomly chosen from a first sub-set of the elements of GF(bk) 40-1.
The inverse polynomial Qk(x) is determined from Pk(x) by repeatedly using a squaring module 33 of the inverse private key generator 35 as shown in
Pk(x)·Qk(x)=1 modulo 1+xN
Since the circulant polynomial 1+xN is not an irreducible polynomial, not all examples for Pk(x) will have an inverse polynomial. Consequently, more than one candidate Pk(x) may need to be generated by the private key constructor 31 before a corresponding inverse Qk(x) is determined.
As shown in
The public key polynomial 9a is obtained by the polynomial multiplier 39 multiplying the constrained coefficients polynomial B(x) 38 with the inverse private key polynomial Qk(x), modulo F(x)=1+xN, as shown in
Pub(x)=B(x)·Qk(x) modulo 1+xN.
C(x)=[Pub(x)·S(x) modulo F(x)]+M(x),
where F(x) in this embodiment is 1+xN.
M(x)=Mask{C(x)·Pk(x) modulo 1+xN}
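The following Python sketch is an added illustration and is not code from the patent or its worked example. It implements the codeword-and-residue public key Pub(x)=Qk(x)[B1(x)+R1(x)]+B2(x)+R2(x) and the decryption through the translation polynomial T(x)=[B1(x)+Pk(x)B2(x)]−1 described above, but over the circulant modulus F(x)=1+xN of the present embodiment, so that the modulo operation is a plain wrap-around of coefficients and the most-significant-bit constraints needed for 1+α−1x+x16 do not arise. The field GF(28) with polynomial x8+x4+x3+x+1, N=16, the code generator polynomial x4+x+1, and the use of Gaussian elimination (rather than the squaring module 33) to find polynomial inverses are all assumptions of this example; the seeded random values are constructed for the demonstration.

```python
import random

PRIM = 0x11B           # GF(2^8) field polynomial x^8+x^4+x^3+x+1 (assumed)
N = 16                 # coefficients per polynomial; F(x) = 1 + x^16 (assumed)
G, G_DEG = 0b10011, 4  # code generator polynomial x^4+x+1 over GF(2) (assumed)

def gf_mul(a, b):
    """Multiply two GF(2^8) elements (8-bit ints) modulo PRIM."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (PRIM if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^-1 = a^(2^8 - 2) by square-and-multiply; a must be nonzero."""
    r, e = 1, 254
    while e:
        r = gf_mul(r, a) if e & 1 else r
        a, e = gf_mul(a, a), e >> 1
    return r

def residue(v):
    """Remainder of the 8-bit value v (as a GF(2)[x] polynomial) modulo G.
    v is a codeword exactly when residue(v) == 0; residues are the values < 2^G_DEG."""
    for i in range(7, G_DEG - 1, -1):
        if v >> i & 1:
            v ^= G << (i - G_DEG)
    return v

def poly_add(a, b):
    return [x ^ y for x, y in zip(a, b)]

def poly_mul(a, b):
    """Product modulo 1 + x^N: a circular convolution, because x^N = 1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if ai and bj:
                out[(i + j) % N] ^= gf_mul(ai, bj)
    return out

def poly_inv(p):
    """Inverse of p modulo 1 + x^N, or None when p is not a unit (1 + x^N is
    reducible, so some candidates have no inverse).  Solves the circulant
    system p(x)*q(x) = 1 by Gaussian elimination over GF(2^8)."""
    rows = [[p[(i - j) % N] for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = gf_inv(rows[col][col])
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [v ^ gf_mul(f, w) for v, w in zip(rows[r], rows[col])]
    return [rows[i][N] for i in range(N)]

def rand_codeword(rng):
    v = rng.randrange(256)
    return v ^ residue(v)  # removing the remainder leaves a multiple of G

def keygen(rng):
    """Pub(x) = Qk(x)[B1(x)+R1(x)] + B2(x) + R2(x); the private material kept for
    decryption is Pk(x) and the translation polynomial T(x) = [B1(x)+Pk(x)B2(x)]^-1."""
    while True:
        pk = [rng.randrange(2) for _ in range(N)]           # binary coefficients
        b1 = [rand_codeword(rng) for _ in range(N)]
        b2 = [rand_codeword(rng) for _ in range(N)]
        r1 = [rng.randrange(1 << G_DEG) for _ in range(N)]  # residue coefficients
        r2 = [rng.randrange(1 << G_DEG) for _ in range(N)]
        qk = poly_inv(pk)
        t = poly_inv(poly_add(b1, poly_mul(pk, b2)))
        if qk is not None and t is not None:               # retry until both invert
            pub = poly_add(poly_mul(qk, poly_add(b1, r1)), poly_add(b2, r2))
            return pub, (pk, t)

def encrypt(pub, s, m):
    """C(x) = Pub(x)S(x) + M(x) with S binary and M residue-valued."""
    return poly_add(poly_mul(pub, s), m)

def decrypt(pub, priv, c):
    pk, t = priv
    u = poly_mul(c, pk)                      # every coefficient = codeword + residue
    v = [x ^ residue(x) for x in u]          # strip the residues: V = S(B1 + Pk B2)
    s = poly_mul(v, t)                       # V*T recovers the session key S
    return s, poly_add(c, poly_mul(pub, s))  # M = C + Pub*S

def demo(seed=1):
    """Key generation, encryption and decryption round trip with a seeded RNG."""
    rng = random.Random(seed)
    pub, priv = keygen(rng)
    s = [rng.randrange(2) for _ in range(N)]
    m = [rng.randrange(1 << G_DEG) for _ in range(N)]
    s2, m2 = decrypt(pub, priv, encrypt(pub, s, m))
    return s2 == s and m2 == m
```

The round trip works because Pk(x) and S(x) are binary, so C(x)·Pk(x) splits coefficient by coefficient into an XOR of codewords, S(x)·[B1(x)+Pk(x)·B2(x)], and an XOR of residues, S(x)·R1(x)+Pk(x)·S(x)·R2(x)+Pk(x)·M(x); dividing each coefficient by the code generator polynomial isolates the residue part exactly as the codeword coefficients calculator 77 does, and `poly_inv` returning `None` for a candidate such as 1+x shows the point made above that not every Pk(x) has an inverse modulo 1+xN.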
It will be appreciated that a circulant version of the codeword and residue coefficient embodiments as discussed above with reference to
Various aspects of the present invention can be implemented by software, firmware, hardware, or a combination thereof.
Computer system 1900 includes one or more processors, such as processor 1904. Processor 1904 can be a special purpose or a general-purpose processor. Processor 1904 is connected to a communication infrastructure 1906 (for example, a bus, or network).
Computer system 1900 also includes a main memory 1908, preferably random access memory (RAM), and may also include a secondary memory 1910. Secondary memory 1910 may include, for example, a hard disk drive 1912, a removable storage drive 1914, flash memory, a memory stick, and/or any similar non-volatile storage mechanism. Removable storage drive 1914 may comprise a floppy disk drive, a magnetic tape drive, an optical disk drive, a flash memory, or the like. The removable storage drive 1914 reads from and/or writes to a removable storage unit 1918 in a well-known manner. Removable storage unit 1918 may comprise a floppy disk, magnetic tape, optical disk, etc. which is read by and written to by removable storage drive 1914. As will be appreciated by persons skilled in the relevant art(s), removable storage unit 1918 includes a non-transitory computer usable storage medium having stored therein computer software and/or data.
In alternative implementations, secondary memory 1910 may include other similar means for allowing computer programs or other instructions to be loaded into computer system 1900. Such means may include, for example, a removable storage unit 1922 and an interface 1920. Examples of such means may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 1922 and interfaces 1920 which allow software and data to be transferred from the removable storage unit 1922 to computer system 1900.
Computer system 1900 may also include a communications interface 1924. Communications interface 1924 allows software and data to be transferred between computer system 1900 and external devices. Communications interface 1924 may include wireless or mobile communications infrastructure, a modem, a network interface (such as an Ethernet card), a communications port, a PCMCIA slot and card, or the like.
Computer system 1900 may additionally include computer display 1909. According to an embodiment, computer display 1909, in conjunction with display interface 1907, can be used to display interfaces of associated user applications.
In this document, the terms “computer program medium,” “non-transitory computer readable medium,” and “computer usable medium” are used to generally refer to media such as removable storage unit 1918, removable storage unit 1922, and a hard disk installed in hard disk drive 1912. Computer program medium, computer readable storage medium, and computer usable medium can also refer to memories, such as main memory 1908 and secondary memory 1910, which can be memory semiconductors (e.g. DRAMs, etc.). These computer program products are means for providing software to computer system 1900.
Computer programs (also called computer control logic) are stored in main memory 1908 and/or secondary memory 1910. Computer programs may also be received via communications interface 1924. Such computer programs, when executed, enable computer system 1900 to implement the present invention as discussed herein. In particular, the computer programs, when executed, enable processor 1904 to implement the processes of the present invention, such as the system component architectures of
The invention is also directed to computer program products comprising software stored on any computer useable medium. Such software, when executed in one or more data processing device, causes a data processing device(s) to operate as described herein. Embodiments of the invention employ any computer useable or readable medium, known now or in the future. Examples of computer useable mediums include, but are not limited to, primary storage devices (e.g., any type of random access memory), secondary storage devices (e.g., hard drives, USB memory sticks, floppy disks, CD ROMS, ZIP disks, tapes, magnetic storage devices, optical storage devices, MEMS, nano-technological storage device, etc.), and communication mediums (e.g., wired and wireless communications networks, local area networks, wide area networks, intranets, Cloud based services, etc.).
It will be understood that the various embodiments of the present invention are described by way of example only, and that various changes and modifications may be made without departing from the scope of the invention. In particular, it will be appreciated that aspects of the above discussed embodiments may be combined to form further embodiments. It should also be appreciated that the sub-modules of each of the key generator, encoder, decoder, session key generator, session key reconstructor, etc. may be combined into a single module or divided into additional modules, and/or share or use common processing modules/components, such as the polynomial multiplier, adder, etc. The system and processing modules may also include other components, sub-components, sub-modules, and devices commonly found in a computing system/device, which are not illustrated in the Figures for clarity of the description.
Yet further alternative embodiments may be envisaged, which nevertheless fall within the scope of the following claims.
Number | Date | Country | Kind |
---|---|---|---|
1607908.9 | May 2016 | GB | national |