1. Field of the Invention
The present invention relates to computerized cryptographic systems and methods for encrypting communications in a computer network or electronic communications system, and particularly to an RNS-based cryptographic system and method that forces an attacker to perform blind factorization of an unknown integer from which the residue number system is derived, and which may also include blind randomization to further secure the system from attack.
2. Description of the Related Art
In recent years, the Internet community has experienced explosive and exponential growth. Given the vast and increasing magnitude of this community, both in terms of the number of individual users and web sites, and the sharply reduced costs associated with electronically communicating information, such as e-mail messages and electronic files, between one user and another, as well as between any individual client computer and a web server, electronic communication, rather than more traditional postal mail, is rapidly becoming a medium of choice for communicating information. The Internet, however, is a publicly accessible network, and is thus not secure. The Internet has been, and increasingly continues to be, a target of a wide variety of attacks from various individuals and organizations intent on eavesdropping, intercepting and/or otherwise compromising or even corrupting message traffic flowing on the Internet, or further illicitly penetrating sites connected to the Internet.
Encryption by itself provides no guarantee that an enciphered message cannot or has not been compromised during transmission or storage by a third party. Encryption does not assure integrity due to the fact that an encrypted message could be intercepted and changed, even though it may be, in any instance, practically impossible, to cryptanalyze. In this regard, the third party could intercept, or otherwise improperly access, a ciphertext message, then substitute a predefined illicit ciphertext block(s), which that party, or someone else acting in concert with that party, has specifically devised for a corresponding block(s) in the message. The intruding party could thereafter transmit the resulting message with the substituted ciphertext block(s) to the destination, all without the knowledge of the eventual recipient of the message.
The field of detecting altered communication is not confined to Internet messages. With the burgeoning use of stand-alone personal computers, individuals or businesses often store confidential information within the computer, with a desire to safeguard that information from illicit access and alteration by third parties. Password controlled access, which is commonly used to restrict access to a given computer and/or a specific file stored thereon, provides a certain but rather rudimentary form of file protection. Once password protection is circumvented, a third party can access a stored file and then change it, with the owner of the file then being completely oblivious to any such change.
A residue number system (RNS) represents a large integer using a set of smaller integers, such that computation may be performed more efficiently. The RNS relies on the Chinese remainder theorem of modular arithmetic for its operation. In an RNS, the vector {p1, p2, . . . , pL} forms a set of moduli, referred to as the RNS “basis” β, in which the moduli {p1, p2, . . . , pL} are relatively prime with respect to one other. Using typical RNS convention, the product
is represented as p and defines the dynamic range of the system. The vector {m1, m2, . . . mL} is the RNS representation of an integer M, which is less than P, where ml=<M>p
Further, the operations of addition, subtraction, and multiplication are defined over the set {0, . . . , P−1} as:
C±D=(<cl±dl>p
C×D=(<cl×dl>p
Equations (1) and (2) illustrate the parallel carry-free nature of RNS arithmetic. The reconstruction of m from its residues {m1, m2, . . . , mL} is based on the Chinese Remainder Theorem:
The vector {m1, m2, . . . , mL}, where 0≦m′l<pl, is the Mixed Radix System (MRS) representation of an integer M less than P, such that
It should be noted that, with regard to RNS equations (3) through (7), a change in any one of the residue values ml can have an effect on the whole number M.
Residue number systems are well known in computer systems. Residue number systems can convert the problem of arithmetic operations on a large integer to a series of simpler operations on small integers, with resulting efficiency in computation. However, although there have been some attempts to utilize residue number systems in cryptographic systems, these efforts are either still not computationally efficient or are vulnerable to attack.
Thus, a system and method for performing blind factorization-based residue number system encryption with blind randomization solving the aforementioned problems is desired.
The RNS-based cryptographic system and method uses a symmetric residue number system (RNS) for encryption and decryption of messages communicated over a communications channel, i.e., the sender and receiver agree upon a set of relatively prime numbers, referred to as the basis, whose product is an integer, and both the RNS and the integer are kept secret.
Although there are many variations described herein, in general, encryption is performed as follows. First, data strings corresponding to a plaintext message are embedded into message integers that are residues of corresponding members of the basis. Next, a set of cipher elements are formed by raising the message integer to a power, the result being modulo the corresponding member of the set of relatively prime numbers. When the power is 1, the message integer is multiplied by an integer base raised to a power, the result being modulo the corresponding member of the set of relatively prime numbers. In either case, the power is an agreed secret value. Next, the cipher elements are combined to form an integer vector, and the integer vector is converted into a cipher integer value using the RNS and the Chinese Remainder Theorem. This integer is sent to the receiving correspondent.
When an encrypted message is received, the cipher integer value is converted to the corresponding integer vector of cipher elements by determining the residues of the cipher integer value modulo the corresponding set of relatively prime numbers in the RNS. The cipher elements are converted to the corresponding message integers using the agreed upon secret power (and corresponding integer base, when used). The plaintext message is then recovered from the message integers.
The most that may be known by an attacker is an upper bound of the integer from which the RNS is derived, which can be determined from the binary length of the cipher integer value, if that value is not padded. In order to break the cipher, the attacker must factor the unknown integer knowing only the upper bound, which is a computationally hard problem. Integer factorization is computationally hard when the integer is known (this forms the security for the RSA algorithm, for example), but is even more difficult when only the upper bound is known, thereby forming the primary basis for security of the present system and method. In addition, if the attacker is able to solve the integer factorization problem, the attacker must also solve a discrete logarithm problem (either the message integer raised to a power other than 1, or a selected integer raised to a power other than one, the power being kept secret), which is also a computationally hard problem.
In addition to blind factorization, the method may use blind randomization for further security. Blind randomization is not employed when the plaintext is encrypted into the cipher elements, but is used to pad the cipher elements after the plaintext is encrypted. Moreover, the sending correspondent is able to change the randomization pattern from one block of the cipher to the next without prior agreement or synchronization with the receiving correspondent. In blind randomization, the sending correspondent generates a second residue number system in which the set contains elements that are relatively prime to each other and that are relatively prime to the elements of the first residue number system. The second residue number system is used to generate random values that are concatenated with the cipher elements used to compute the cipher integer. When the message bit string is too long to encrypt into one block, for the second block, the sending correspondent can change the number of elements in the second RNS, the values of the elements of the second RNS, and/or the mechanism used to generate the random numbers from the second RNS, all without prior agreement with the receiving correspondent and without communicating the change in the randomization pattern to the receiving correspondent. Blind randomization further hides from the attacker the number of elements in the first RNS and the upper bound of the unknown integer, making blind factorization even more difficult.
For still further security, when sending block ciphers using either Electronic Code Book (ECB) or Cipher Block Chaining, RNS basis hopping may be used for protection against collision attacks, such as birthdays attacks, which are sometimes effective when the same plaintext is encrypted into the same ciphertext. The RNS basis hopping may be used on the encryption basis, on the blind randomization basis, or both. In RNS hopping on the encryption basis, for each block of ciphertext, the sending correspond selects a subset of the basis that will be used to encrypt the plaintext message, and inserts a code in an agreed message element that advises the receiving correspondent which elements are used for encryption in the block, and which elements are not. In RNS hopping on the blind randomization basis, the sending correspondent uses a random subset of the elements of the second RNS (used to generate random elements to pad the cipher elements) for each block in the cipher.
These and other features of the present invention will become readily apparent upon further review of the following specification and drawings.
The sole drawing FIGURE is a block diagram illustrating system components for a system for performing blind factorization-based residue number system encryption with blind randomization according to the present invention.
The system and method for performing blind factorization-based residue number system encryption with blind randomization provides for improved secure communication over an insecure channel through the use of blind integer factorization. Blind randomization may be used as a further measure to make blind factorization even more secure against attacks, and RNS hopping of the encryption basis and/or the randomization basis may be used to make the resulting block ciphers more secure against collision attacks where the same plaintext is encrypted into the same ciphertext. It should be noted that, in the present method, all of the resulting block ciphers are scalable.
A conventional integer factorization problem is given by the following. Given a known integer P, find the prime numbers pl where l−1, . . . , L, such that
In contrast, blind integer factorization is given as follows. For an unknown integer P with a known upper bound, find the prime numbers pl where l−1, . . . , L, such that
Blind integer factorization can be seen as factorization of unknown integers into its prime factors using only knowledge about the upper bound of the integer. Thus, blind integer factorization is a computationally “hard” problem when compared with conventional integer factorization. In other words, the blind integer factorization problem is a more general problem than factoring a known integer P into its prime factors. It should be noted that only the upper bound of the integer P could be known to an attacker, but the actual value of P is not known. These issues make the blind integer factorization problem a much harder problem than factoring a known integer P into its prime factors.
Although there are many variations described herein, in general, encryption is performed as follows. First, data strings corresponding to a plaintext message are embedded into message integers that are residues of corresponding members of the basis. Next, a set of cipher elements are formed by raising the message integer to a power, the result being modulo the corresponding member of the set of relatively prime numbers. When the power is 1, the message integer is multiplied by an integer base raised to a power, the result being modulo the corresponding member of the set of relatively prime numbers. In either case, the power is an agreed secret value. Next, the cipher elements are combined to form an integer vector, and the integer vector is converted into a cipher integer value using the RNS and the Chinese Remainder Theorem. This integer is sent to the receiving correspondent.
When an encrypted message is received, the cipher integer value is converted to the corresponding integer vector of cipher elements by determining the residues of the integers modulo the corresponding set of relatively prime numbers in the RNS. The cipher elements are converted to the corresponding message integers using the agreed upon secret power (and corresponding integer base, when used). The plaintext message is then recovered from the message integers.
In the first step, data strings corresponding to a plaintext message are embedded into message integers that are residues of corresponding members of the basis. It should be understood that embedding the plaintext message may be accomplished by any suitable method of embedding message data bits into an integer m modulo p. In the following, it is assumed that an integer m modulo p requires N bits to represent its value. Further, (mbN-1, mbN-2, . . . , mb0) is the binary representation of the integer value m, where mbi represents the i-th bit. Additionally, in the following examples of embedding methods, (dNd−1, dNd−2, . . . , d0) denotes the message data bit string to be embedded into the integer m modulo p, which consists of Nd bits, where di denotes the i-th bit of the message data bit string.
In a first embedding method, the residue value m carries information about the message data only. Thus, in order to guarantee the embedding of the whole message data string into the residue value m, the length of the data string must be Nd≦(N−1): Embedding at the sending correspondent may be done as follows. (1) Setting mbi=di for i−0, . . . , Nd−1, thus using the Nd bits of the message data bit string as the Nd least significant bits of the integer m. (2) Setting the next (N−(Nd+1)) significant bits mbi for i−Nd, . . . , (N−2) of the integer value m randomly. (3) Setting the most significant bit mN-1 of the integer m as:
At the receiving correspondent, the bits of the message data block are recovered from the residue value m by taking the Nd least significant bits.
In some of the above embodiments, extra information needs to be sent by the sending correspondent regarding the bit patterns of the data block embedded in an integer m modulo p. One possible method is to use a parity check bit, which is also embedded into the same modulo value. In other words, in addition to the data block, an extra bit must be embedded into the same modulo value.
Thus, in this case, the length of the message data bit string must be Nd≦(N−2) in order to guarantee the embedding of the whole message data string into the residue value m. Embedding at the sending correspondent is done as follows. (1) Calculating the parity bit dp of the message data bit string (dNd−1, dNd−2, . . . , d0) as dp=dNd−1⊕dNd−2⊕ . . . ⊕d0, where ⊕ denotes the exclusive-OR operation. (2) Setting the least significant bit mb0 of the modulo value equal to the data block parity bit as mb0=dp. (3) Setting mbi=di-1 for i=1, . . . , Nd, thus using the Nd bits of the message data bit string as the next Nd significant bits of the integer m. (4) Setting the next (N−(Nd+2)) significant bits mbi for i=(Nd+1), . . . , (N−2) of the integer value m randomly. (5) Setting the most significant bit mbN-1 of the integer m as:
At the receiving correspondent, the parity bits of the message data block are recovered from the residue value m by taking the least significant bit, and the bits of the message data block are recovered from the residue value m by taking the next Nd least significant bits.
In some embodiments, the message data bit string is embedded into L integers ml modulo pl for l−1, . . . , L. Assume that an integer ml modulo pl can be represented using Ni bits. Assuming that the message data bit string has a length of Ns bits, then the limit on the number of bits Ns of a message data string when using the first embedding method described above is
A message data block with Ns bits may embedded into L modulo integers ml for l=1, . . . , L in the following manner, assuming that the elements of the RNS basis {p1, p2, . . . , pL} are ordered in decreasing value.
Embedding at the sending correspondent is done as follows. (1) Reading the next (Nl−1) bits of the message data string. (2) Embedding the (Nl=1) bits of the message data string into the integer value ml modulo p. (3) Repeating (1) and (2) for l=1, . . . , L. Embedding the (Nl−1) bits is done as follows. (1) Setting mbi=di for i=0, . . . , Nd−1 thus using the Nd bits of the message data bit string as the Nd least significant bits of the integer m. (2) Setting the next (N−(Nd+1)) significant bits mbi for i=Nd, . . . , (N−2) of the integer value m randomly. (3) Setting the most significant bit mbN-1 of the integer m as:
At the receiving correspondent, the bits of the message data block are recovered from the residue value m by taking the Nd least significant bits.
A pre-processing stage may also be used prior to embedding a message data bit string into L modulo integers. It is assumed that the message data bit string consists of Ns bits. [dN
At the sending correspondent, the data vector [dN
At the receiving correspondent, the vector [dhN
is not sufficient to break the RNS protocols described herein.
After the plaintext message has been embedded into a set of message integers ml, the next step in the method is to form a set of cipher elements. Methods of forming the cipher elements are described in the following examples, which, for convenience, also describe the subsequent steps for sending the encrypted message, and for decrypting a received message. For present purposes, it is useful to view the cipher elements as being formed according to the general formula:
cl=(ml)d·gk mod pl.
In the above formula, if d=1, the formula reduces to:
cl=ml·gk mod pl.
Exemplary variations of RNS-based cryptographic methods according to this reduced formula are described in Examples 1-5. On the other hand, if k=0, the formula reduces to:
cl=(ml)d·mod pl.
Exemplary variations of RNS-based cryptographic methods according to this reduced formula are described in Examples 6-10.
In the following, the symbol e denotes set membership, “gcd” denotes greatest common divisor, and Zp is used to denote the set {0, . . . , p−1}.
In a first embodiment, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (e) embedding message bit strings into L integer values ml, where l=1, . . . , L, such that 0≦ml≦pl for l=1, . . . , L; (f) computing a set of integer cipher elements cl modulo pl as cl=ml·(gl−1)k
To decrypt the message, the receiving correspondent performs the following: (j) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (k) computing the message element values ml modulo pl as ml=cl·glk
It should be noted that the security in the above depends upon blind integer factorization of the integer
which is unknown, as well as L discrete logarithm problems, provided that the blind integer factorization problem is resolved. It should be further noted that the Chinese remainder theorem (CRT) requires that the factors {p1, p2, . . . , pL} of P need only be relatively prime with respect to one another. In other words, it is not necessary that each factor pl need to be a prime number itself. This implies that the blind integer factorization problem in this protocol is not factoring the integer P into its prime factors. The attacker would need to find the correct factors which are relatively prime to each other. For any non-prime integer, the factorization into relatively prime factors does not have to be unique. This makes the blind integer factorization problem even harder.
Information about the about upper bound of the value of
can be leaked from the number of bits used to represent the ciphertext C. An attacker can perform an exhaustive search for the possible values of P that are less than the upper bound, but it should be remembered that the attacker also needs to figure out the value of L; i.e., the number of prime factors. One cannot determine this value from a single integer value C that is sent from the sending correspondent to the receiving correspondent. It is clear that if neither the value of P nor the value of L is known, the problem becomes undetermined.
Additionally, the level of security is increased further in the case where the elements gl for l=1, . . . , L are not known. Further, it should be noted that the message data bits are embedded directly in the RNS domain and that the CRT is not performed at the receiving correspondent, which makes this protocol suitable for receiving devices that have limited power recourses, such as a mobile/wireless terminals. Further, it is relatively difficult to relate the value C to the vector {m1, m2, . . . , mL} without knowledge of the basis β. It should also be noted that the strength is scalable, which can be simply achieved by either increasing the number of shared secret elements L and/or by using larger relatively prime numbers.
In the above, the exponentiation used in encryption and decryption is performed modulo the elements pl for l=1, . . . , L. Since the strength of the protocol is primarily based on blind integer factorization, not all of the prime numbers used need to be large. In fact, a trade-off between computational efficiency and security exists, depending upon the choice of the size of the selected prime numbers. Further, it should be understood that making the values gl public will not leak any information about the elements pl for l=1, . . . , L. In order to increase the efficiency, the values gl can be chosen such that their inverse is relatively easy to compute. As an example, if gl=2, then the inverse is given by
for prime pl. Since the elements pl are prime, (pl+1) is always even.
Further, efficiency can be improved by choosing the integers kl⊖Zp
In order to reduce the number of computational steps, one exponentiation key may be used. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}, and wherein pmax=Max(p1, p2, . . . , pL), where Max represents a maximum value operation, and lmax=l for l=1, . . . , L, where pmax=pl; (b) agreeing on an integer kl⊖Zp
The sending correspondent then performs the following: (e) embedding message bit strings into L integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L; (f) computing a value gmax as gmax=gk mod pmax; (g) computing a set of integer cipher elements cl modulo pl as cl=ml·(gmax−1 mod pl) mod pl for l=1, . . . , L; (h) combining the set of integer cipher element values cl for l=1, . . . , L to form a single integer vector {c1, c2, . . . , cL}; (i) converting the integer vector {c1, c2, . . . , cL} into an integer value C using the Chinese remainder theorem and the basis β; and (j) sending the integer value C to the receiving correspondent.
To decrypt the message, the receiving correspondent performs the following: (k) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for i=1, . . . , L from the integer C as cl=C mod pl; (1) computing the value gmax as gmax=gk mod pmax; (m) computing the message element values ml modulo pl as ml=cl·gmax mod pl; and (n) recovering the message bit string from the element values ml for l=1, . . . , L.
In this variation, flexibility is added in the changing of the encryption keys and the initialization phase is simplified: the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} relatively prime with respect to one another and form a part of a shared secret key, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}, and wherein pmax=Max{p1, p2, . . . , pL}, where Max represents a maximum value operation, and lmax=l for l=1, . . . , L, where pmax=pl; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) embedding message bit strings into L integer values ml, where l=1, . . . , L and lmax≠l, such that 0≦ml<pl for l=1, . . . , L; (d) selecting an integer k⊖Zp
The receiving correspondent then performs the following: (l) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (m) setting gmax=cl
It should be noted that, in the above, the sending correspondent can change the key k and the value of g for each individual block being encrypted. Information about the encrypting key is then sent as part of the ciphertext. This is similar to the one time pad. It should be remembered that the security of this protocol is still based on blind integer factorization.
In the following alternative embodiment, computation is reduced even further. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL} where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL} without loss of generality, the elements {p1, p2, . . . , pL} are listed in decreasing value, and wherein pmax=Max(p1, p2, . . . , pL), where Max represents a maximum value operation, where pmax=p1 and p1 and p2 are chosen to be prime; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) embedding message bit strings into L integer values where l=2, . . . , L, such that 0≦ml<pl for l=2, . . . , L; (d) selecting an integer kεZp
The receiving correspondent then performs the following: (m) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (n) setting g1=c1; (o) computing the first message element value m2 modulo p2 as m2=c2·g1 mod p2; (p) computing the message element values ml modulo pl for l=3, . . . , L−1 as ml=(cl−ml-1) mod pl; and (q) recovering the message bit string from the element values ml for l=2, . . . , L.
It is often desirable that the encryption method used not only provide privacy or confidentiality of messages, but also authenticity. This property guarantees that the only feasible way to produce a valid ciphertext is to apply the encryption function to some message M, which requires knowledge of the secret information. In this case, the secret information is the RNS basis {p1, p2, . . . , pL}. This is shown in the following alternative embodiment.
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (e) embedding message bit strings into L−1 integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L using a parity check embedding method; (f) computing a value mL as
(g) computing a set of integer cipher elements cl modulo pl as cl=ml·(gl−1)k
The receiving correspondent then performs the following: (k) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (l) computing the message element values ml modulo pl as ml=cl·glk
and (p) checking if the generated parity check bits and parity bits recovered from the element values ml for l=1, . . . , L are equal, and if m′L=mL, then authenticating the decrypted message.
It should be noted that the above approach to authenticity can be applied to any of Examples 1-4.
In this variation, the term “gcd” represents the greatest common divisor operation. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following: (d) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (e) embedding message bit strings into L integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L; (f) computing a set of integer cipher elements cl modulo pl as cl=mld
The receiving correspondent then performs the following: (j) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (k) computing the message element values ml modulo pl as ml=cle
It should be noted that the security in the above depends upon blind integer factorization of the integer
which is unknown, as well as L discreet logarithm problems, provided that the blind integer factorization problem is resolved. Information about the about upper bound of the value of
can be leaked from the number of bits used to represent the ciphertext C. An attacker can perform an exhaustive search for the possible values of P that are less than the upper bound, but it should be remembered that the attacker also needs to figure out the value of L; i.e., the number of prime factors. One cannot determine this value from a single integer value C that is sent from the sending correspondent to the receiving correspondent. It is clear that if neither the value of P nor the value of L is known, the problem becomes undetermined.
Additionally, the CRT is not performed at the receiving correspondent. This makes this protocol suitable for receiving devices which have limited power recourses, such as a wireless terminal, for example. It should be further noted that the computation to find the integers dl for each element pl over l=1, . . . , L is only performed at the sending correspondent. This also makes this protocol suitable for receiving devices that have limited power resources, such as wireless terminals. Further, it is relatively difficult to relate the value C to the vector {m1, m2, . . . , mL} without knowledge of the basis β. It should also be noted that the strength is scalable, which can be simply achieved by either increasing the number of shared secret elements L and/or by using larger relatively prime numbers.
In the above, the exponentiation used in encryption and decryption is performed modulo the elements pl for l=1, . . . , L. Since the strength of the protocol is primarily based on blind integer factorization, not all of the prime numbers used need to be large. In fact, a trade-off between computational efficiency and security exists, depending upon the choice of the size of the selected prime numbers. Further, it should be understood that one can always pad the bit string of the value of the ciphertext C with extra bits to confuse an attacker about the range of the ciphertext C and, thus, the upper bound of P.
In this variation, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting an integer elεZp
The receiving correspondent then performs the following: (i) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (j) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (k) computing the message element values ml modulo pl as ml=cld
In the above, the advantage of making el public is that the sending correspondent can change the key unilaterally without the need for a prior agreement with the receiving correspondent. Additionally, minimal information is leaked about the primes pl by the public information about the integers el for l=1, . . . , L by the fact that gcd(el, (pl−1))=1, since many prime numbers can satisfy this condition.
In this variation, redundant representation is utilized to reduce any leaking information which may occur by the public information regarding the integers el for l=1, . . . , L, by the fact that gcd(el, (pl−1))=1. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting an integer elεZp
The receiving correspondent then performs the following: (j) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (k) computing the integer values e′l as el=e′l mod pl for l=1, . . . , L; (l) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (m) computing the message element values ml modulo pl as ml=cld
In the above, the use of redundant information adds additional uncertainty about the true values of el for l=1, . . . , L and, thus, adds uncertainty on any useful information that might be inferred from the public integers e′l for l=1, . . . , L.
In this variation, one exponentiation key is used to reduce the number computations. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting an integer elεZp
The receiving correspondent then performs the following: (j) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (k) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (l) computing a first message element value ml modulo pl as ml=cld
It is often desirable that the encryption method used not only provide privacy or confidentiality of messages, but also authenticity. This property guarantees that the only feasible way to produce a valid ciphertext is to apply the encryption function to some message M, which requires knowledge of the secret information. In this case, the secret information is the RNS basis {p1, p2, . . . , pL}. This is shown in the following alternative embodiment.
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as P={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following: (d) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (e) embedding message bit strings into L−1 integer values where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L using a parity check embedding method; (f) computing a value mL as
(g) computing a set of integer cipher elements cl modulo pl as cl=mld
The receiving correspondent then performs the following: (k) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (l) computing the message element values ml modulo pl as ml=cle
and (p) checking if the generated parity check bits and parity bits recovered from the element values ml for l=1, . . . , L are equal, and if m′L=mL, then authenticating the decrypted message.
It should be noted that the above approach to authenticity can be applied to any of Examples 6-9 described above.
Examples 1-10 describe cryptographic methods that rely only on blind factorization for their security. However, each of these embodiments may also be used with blind randomization in which the set of cipher elements is padded with random values. In blind randomization, random elements are not added during encryption of the plaintext message into the cipher elements, but are added to the cipher elements. Further, the random elements may be added and changed by the sending correspondent without synchronization with the receiving correspondent. Examples 11-20 illustrate the application of blind randomization to Examples 1-10.
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (e) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (f) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (g) embedding message bit strings into L integer values ms, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L; (h) computing a set of integer cipher elements cl modulo pl as c=ml·(gl−1)k
The receiving correspondent then performs the following: (m) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (n) computing the message element values ml modulo pl as ml=cl·glk
It should be noted that, in blind randomization, the receiving correspondent does not need to know (i) the number of elements J; (ii) the values of the elements in the vector {q1, q2, . . . , qJ}; (iii) the mechanisms used to generate the random numbers modulo the elements of {q1, q2, . . . , qJ}; or (iv) the random numbers {r1, r2, . . . , rJ}. These are known only to the sending correspondent. In other words, there is no need to synchronize the randomization between the sending and receiving correspondent.
When encrypting a message bit string which is longer than the number of bits that can be encrypted with one block, the sending correspondent can change (i) the number of elements J; (ii) the values of the elements in the vector {q1, q2, . . . , qJ}; and (iii) the mechanisms used to generate the random numbers modulo the elements of {q1, q2, . . . , qJ} without the need to send any additional information about them to the receiving correspondent.
Blind randomization reduces the chances of collisions exploited in birthday attacks, since the same message bit string will be coded into two different cipher texts when using two different vectors of random numbers {r1, r2, . . . , rJ}. Additionally, the message bit string can only be recovered from the elements of the integer vector {m1, m2, . . . , mL}, which cannot be obtained from the integer value C mod P directly. In other words, the message bit strings cannot be recovered without the knowledge of the RNS basis {p1, p2, . . . , pL}, which requires blind factorization of P, which is unknown. Therefore, using blind randomization does not degrade the security of blind factorization. In fact, security of blind factorization is enhanced when using blind randomization since the range of the ciphertext C, given by
is much higher than the actual range of the message bit string given by
As noted in the previous embodiments, the security strength of blind factorization depends on identifying the range P and then the corresponding shared secret elements in the basis {p1, p2, . . . , pL}. If identifying the range of P is made more difficult, the problem of blind factorization also becomes more difficult. It is difficult to relate the value C with the vector {m1, m2, . . . , mL} without knowledge of the basis {p1, p2, . . . , pL}.
The only information that the knowledge of C leaks is its maximum range, which is
One cannot determine the number of elements used in the RNS basis β={p1, p2, . . . , pL, q1, q2, . . . , qJ} from knowledge of the range of C, since the elements {q1, q2, . . . , qJ} are relatively prime to each other and are relatively prime to the secret elements {p1, p2, . . . , pL}, and also because the factorization of C into relatively prime numbers is not unique. Similarly, the agreed upon upper limit for the number of bits used to represent the ciphertext does not leak any significant information for the same reasons.
Further, in the above, the strength is scalable, which can be simply achieved by either increasing the number of shared secret elements L and/or using larger relatively prime numbers. Additionally, there is no need to calculate the CRT at the receiving correspondent, which is very efficient and suitable for entities that have limitations in resources and/or are restricted by power consumption, such as mobile terminals.
In blind randomization, there is also no need for additional circuits at the receiving correspondent to generate the random numbers used at the sending correspondent, which may also be advantageous for devices with limited power resources.
In order to reduce the number of computational steps, one exponentiation key is used, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}, and wherein pmax=Max(p1, p2, . . . , pL), where Max represents a maximum value operation, and lmax=l for l=1, . . . , L, where pmax=pl; (b) agreeing on an integer kεZp
The sending correspondent then performs the following: (e) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (f) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (g) embedding message bit strings into L integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L; (h) computing a value gmax as gmax=gk mod pmax; (i) computing a set of integer cipher elements cl modulo pl as cl=ml·(gmax−1 mod pl) mod pl for l=1, . . . , L; (j) generating J random values rj, where j=1, . . . , J, such that 0≦rj<qj for j=1, . . . , J; (k) combining the set of integer cipher element values cl for l≦1, . . . , L and the values rj for j=1, . . . , J to form a single integer vector {c1, c2, . . . , cL, r1, r2, . . . , rJ}; (l) converting the integer vector {c1, c2, . . . , cL, r1, r2, . . . , rJ} into an integer value C using the Chinese remainder theorem and the basis β; and (m) sending the integer value C to the receiving correspondent.
The receiving correspondent then performs the following: (n) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (o) computing the value gmax as gmax=gk mod pmax; (p) computing the message element values ml modulo pl as ml=cl·gmax mod pl; and (q) recovering the message bit string from the element values ml for l=1, . . . , L.
In a further alternative embodiment, flexibility is added in the changing of the encryption keys and the initialization phase is simplified, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL} where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}, and wherein pmax=Max(p1, p2, . . . , pL), where Max represents a maximum value operation, and lmax=l for l=1, . . . , L, where pmax=pl; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (d) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (e) embedding message bit strings into L integer values ml, where l=1, . . . , L and lmax≠l, such that 0≦ml<pl for l=1, . . . , L; (f) selecting an integer kεZp
The receiving correspondent then performs the following: (o) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (p) setting gmax=cl
It should be noted that, in the above, the sending correspondent can change the key k and the value of g for each individual block being encrypted. Information about the encrypting key is then sent as part of the ciphertext. This is similar to the one time pad. It should be remembered that the security of this protocol is still based on blind integer factorization.
In the following alternative embodiment, computation is reduced even further. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL} and, without loss of generality, the elements {p1, p2, . . . , pL} are listed in decreasing value, and wherein pmax=Max(p1, p2, . . . , pL), where Max represents a maximum value operation, where pmax=pl and p1 and p2 are chosen to be prime; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (d) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (e) embedding message bit strings into L integer values ml, where l=2, . . . , L, such that 0≦ml<pl for l=2, . . . , L; (f) selecting an integer kεZp
The receiving correspondent then performs the following: (p) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (q) setting g1−c1; (r) computing the first message element value m2 modulo p2 as m2=c2·g1 mod p2; (s) computing the message element values ml modulo pl for l=3, . . . , L−1 as ml=(cl−ml-1)mod pl; and (t) recovering the message bit string from the element values ml for l=2, . . . , L.
It is often desirable that the encryption method used not only provide privacy or confidentiality of messages, but also authenticity. This property guarantees that the only feasible way to produce a valid ciphertext is to apply the encryption function to some message M, which requires knowledge of the secret information. In this case, the secret information is the RNS basis {p1, p2, . . . , pL}. This is shown in the following alternative embodiment:
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (e) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (f) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (g) embedding message bit strings into L−1 integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L using a parity check embedding method; (h) computing a value mL as
(i) computing a set of integer cipher elements cl modulo pl as cl=ml·(gl−1)k
The receiving correspondent then performs the following: (n) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (o) computing the message element values ml modulo pl as ml=cl·glk
and (r) checking if the generated parity check bits and parity bits recovered from the element values ml for l=1, . . . , L are equal, and if m′L=mL, then authenticating the decrypted message.
It should be noted that the above approach to authenticity can be applied to any of Examples 11-14 described above.
In the further alternative embodiment given below, the term “gcd” represents the greatest common divisor operation. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following: (d) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (e) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (f) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (g) embedding message bit strings into L integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L; (h) computing a set of integer cipher elements cl modulo pl as cl=mld
The receiving correspondent then performs the following: (m) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (n) computing the message element values ml modulo pl as ml=cle
An additional alternative embodiment includes the following steps. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (d) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (e) selecting an integer elεZp
The receiving correspondent then performs the following: (l) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (m) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (n) computing the message element values ml modulo pl as ml=cld
In the above, the advantage of making public is that the sending correspondent can change the key unilaterally without the need for a prior agreement with the receiving correspondent. Additionally, minimal information is leaked about the primes pl by the public information about the integers el for l=1, . . . , L by the fact that gcd(el(pl−1))=1, since many prime numbers can satisfy this condition.
In the following alternative embodiment, redundant representation is utilized to reduce any leaking information which may occur by the public information regarding the integers el for l=1, . . . , L, by the fact that gcd(el(pl−1))=1:
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (d) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (e) selecting an integer elεZp
The receiving correspondent then performs the following: (m) generating the set of integer cipher elements c; using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (n) computing the integer values e′l as el=e′l mod pl for l≦1, . . . , L; (o) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (p) computing the message element values ml modulo pl as ml=cld
In the above, the use of redundant information adds additional uncertainty about the true values of et for l=1, . . . , L and, thus, adds uncertainty on any useful information that might be inferred from the public integers et for l=1, . . . , L.
In the following further alternative embodiment, one exponentiation key is used to reduce the number computations.
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; and (b) agreeing on an upper limit for a number of bits to be used to represent a ciphertext.
The sending correspondent then performs the following: (c) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (d) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (e) selecting an integer elεZp
The receiving correspondent then performs the following: (m) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (n) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (o) computing a first message element value ml modulo pl as ml=cld
It is often desirable that the encryption method used not only provide privacy or confidentiality of messages, but also authenticity. This property guarantees that the only feasible way to produce a valid ciphertext is to apply the encryption function to some message M, which requires knowledge of the secret information. In this case, the secret information is the RNS basis {p1, p2, . . . , pL}. This is shown in the following alternative embodiment:
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following: (d) selecting a set of elements {q1, q2, . . . , qJ} where J is an integer greater than zero and where the elements {q1, q2, . . . , qJ} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q1, q2, . . . , qJ} being known to the sending correspondent only and the number of bits needed to represent the value of
are within the upper limit for the number of bits used to represent the ciphertext agreed upon by the sending and receiving correspondents; (e) forming the residue number system basis β as {p1, p2, . . . , pL, q1, q2, . . . , qJ}; (f) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (g) embedding message bit strings into L−1 integer values ml, where l=1, . . . , L, such that 0≦ml<pl for l=1, . . . , L using a parity check embedding method; (h) computing a value mL as
(i) computing a set of integer cipher elements cl modulo pl as cl=mld
The receiving correspondent then performs the following: (n) generating the set of integer cipher elements cl using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer C as cl=C mod pl; (o) computing the message element values ml modulo pl as ml=cle
and (r) checking if the generated parity check bits and parity bits recovered from the element values ml for l=1, . . . , L are equal, and if m′L=mL, then authenticating the decrypted message.
It should be noted that the above approach to authenticity can be applied to any of Examples 16-19 described above.
There are many ways of encrypting data streams that are longer than a single block into a block cipher. The conventional approach is to divide the data stream into a sequence of blocks of the same size as the block cipher. Two commonly used modes of operation employing standard ways (modes) of operation employing digital electronic signatures are the Electronic Code Book (ECB) and Cipher Block Chaining (CBC). For ECB, the encryption of one block must be independent of the data in the previous block. In CBC, each block of cipher is chained to the preceding block of cipher.
When sending block ciphers using either Electronic Code Book (ECB) or Cipher Block Chaining, RNS basis hopping may be used for protection against collision attacks, such as birthdays attacks, which are sometimes effective when the same plaintext is encrypted into the same ciphertext. The RNS basis hopping may be used on the encryption basis, on the blind randomization basis, or both. In RNS hopping on the encryption basis, for each block of ciphertext, the sending correspond selects a subset of the basis that will be used to encrypt the plaintext message, and inserts a code in an agreed message element that advises the receiving correspondent which elements are used for encryption in the block, and which elements are not. In RNS hopping on the blind randomization basis, the sending correspondent uses a random subset of the elements of the second RNS (used to generate random elements to pad the cipher elements) for each block in the cipher. RNS basis hopping is illustrated in the following Examples 21-29. In the following, it is assumed that the maximum block size that can be embedded into the L residue values {m1, m2, . . . , mL} is N, and that the message data bit string length is a multiple of N, such as (u+1)N. In other words, the number of blocks is (u+1).
The following alternative embodiment utilizes hopping of the encryption basis. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p′1, p′2, . . . , p′L′}, where L′ is an integer greater than or equal to one, where the elements {p′1, p′2, . . . , p′L′} are relatively prime with respect to one another and form a part of a shared secret; (b) agreeing on an integer k′lεZp′
The sending correspondent then performs the following, starting with i=0 and repeating steps (g) through (l) to encrypt the i-th block until i>u: (g) selecting a code from the list of codes agreed upon to select (L−1) elements {pi,1, pi,2, . . . pi,L−1} from the elements {p′1, p′2, . . . , p′L′} to form an RNS basis β={pi,1, pi,2, . . . pi,L−1} for the i-th block, where pi,L=pL; (h) embedding message bit strings into (L−1) integer values mi,l, where l=1, . . . , L−1, such that 0≦mi,l<pl for l=1, . . . , L−1; (i) computing a set of integer cipher elements ci,l modulo pi,j as ci,l=mi,l·(gi,l−1)k
The receiving correspondent then performs the following, starting with i=0 and repeating steps (m) through (r) to encrypt the i-th block until i>u: (m) generating the integer cipher element ci,L using the element pi,L from the integer Cl as ci,L=Cl mod pi,L; (n) computing the message element values mi,L modulo pi,L as mi,L=ci,L·gi,Lk
It should be noted that since the same bit string can be encrypted using different encryption bases in this protocol, the occurrence of collisions that are exploited in birthday attacks is minimized even further. Further, there is no need to synchronize basis selection between the sending and receiving correspondent. The information about which basis is used by the sending correspondent is sent with the cipher text. The alternative is to have identical code generation circuits at the sending and receiving correspondent which must be initialized to the same starting point. This has the drawback of requiring additional circuitry at the receiving correspondent. The above protocol circumvents the need for such circuits and for synchronization. Additionally, if ti and tj are relatively prime to each other, then so are tin and tjm. If ti, tj and tl are relatively prime to each other, then so are (titj) and tl. This can be exploited to generate more relatively prime sets from an agreed upon relatively prime set.
The following alternative embodiment illustrates hopping of the blind randomization basis. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis P given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (e) selecting a set of elements {q′1, q′2, . . . , q′J′} where J′ is an integer greater than zero and where the elements {q′1, q′2, . . . , q′J′} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q′1, q′2, . . . , q′J′} being known to the sending correspondent only; starting with i=0, then repeating steps (f) through (m) to encrypt the i-th block until i>u: (f) randomly selecting a sub-set of elements {qi,1, qi,2, . . . , qi,J} from the {q′1, q′2, . . . , q′J′} where the number of bits needed to represent
is within the upper limit agreed upon by the sending and receiving correspondents; (g) forming the residue number system basis β as {pi,1, pi,2, . . . , pi,L, qi,1, qi,2, . . . , qi,J}; (n) embedding message bit strings into L integer values mi,l, where l=1, . . . , L, such that 0≦mi,l<pl for l=1, . . . , L; (i) computing a set of integer cipher elements ci,l modulo pl as ci,l=mi,l·(gi,l−1)k
The receiving correspondent then performs the following: starting with i=0, then repeating steps (n) through (p) until i>u: (n) generating the set of integer cipher elements ci,l using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer Ci as ci,l=Ci mod pi,l; (o) computing the message element values mi,l modulo pi,l as mi,l=ci,l·gi,lk
It should be noted that hopping the basis of blind randomization will reduce even further the occurrence of collisions that are exploited in birthday attacks, since likelihood that the same message bit string will be coded into two different ciphertexts is much higher, given that two different randomizing bases and/or two different vectors of random numbers {r1, r2, . . . , rJ} could be used. Additionally, if ti and tj are relatively prime to each other, then so are tin and tjm. If ti, tj and tl are relatively prime to each other, then so are (titj) and tl. This can be exploited to generate more relatively prime sets from an agreed upon relatively prime set.
The following alternative embodiment utilizes both hopping of the encryption basis and hopping of the blind randomization basis:
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p′1, p′2, . . . , p′L′}, where L′ is an integer greater than or equal to one, where the elements {p′1, p′2, . . . , p′L′} are relatively prime with respect to one another and form a part of a shared secret; (b) agreeing on an integer k′lεZp′
The sending correspondent then performs the following: (g) selecting a set of elements {q′1, q′2, . . . , q′J′} where J′ is an integer greater than zero and where the elements {q′1, q′2, . . . , q′J′} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q′1, q′2, . . . , q′J′} being known to the sending correspondent only; starting with i=0, repeating steps (h) through (q) to encrypt the i-th block until i>u: (h) selecting a code from the list of codes agreed upon to select (L−1) elements {pi,1, pi,2, . . . , pi,L−1} from the elements {p′1, p′2, . . . , p′L′}; (i) randomly selecting a sub-set of elements {qi,1, qi,2, . . . , qi,J} from the set {q′1, q′2, . . . , q′J′}, where the number of bits needed to represent
is within the upper limit agreed upon by the sending and receiving correspondents; (j) forming the residue number system basis β as {pi,1, pi,2, . . . , pi,L, qi,1, qi,2, . . . , qi,J}; (k) embedding message bit strings into (L−1) integer values mi,l, where l=1, . . . , L−1, such that 0≦mi,l<pl for l=1, . . . , L−1; (l) embedding message bit strings of the code used by the sending correspondent to select the (L−1) elements {pi,1, pi,2, . . . , pi,L−1} for the i-th block into the integer values mi,l, such that 0≦mi,l<pL; (m) computing a set of integer cipher elements ci,l modulo pi,l as ci,l=mi,l·(gi,l−1)k
The receiving correspondent then performs the following, starting with i=0 and repeating steps (r) through (w) to encrypt the i-th block until i>u: (r) generating the integer cipher element ci,L modulo pi,L from the integer Ci as ci,L=Ci mod pi,L; (s) computing the message element values mi,L modulo pi,L as mi,L=ci,L·gi,Lk
In the above, it should be noted that reduction of the likelihood of occurrence of collision is due to a combination of the random selection of the set {pi,1, pi,2, . . . , pi,L}, which could be different for each message block, and the random selection of the set {qi,1, qi,2, . . . , qi,J}, which is different for each message block.
The following alternative embodiment utilizes ECB and hopping of the encryption basis.
The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p′1, p′2, . . . , p′L′}, where L′ is an integer greater than or equal to one, where the elements {p′1, p′2, . . . , p′L′} are relatively prime with respect to one another and form a part of a shared secret; (b) agreeing on an integer et e′lεZp
The sending correspondent then performs the following: (f) computing an integer d′l for each element p′l, where l=1, . . . , L, such that e′ld′l mod pl=1; starting with i=0, repeating steps (g) through (m) to encrypt the i-th block until i>u; (g) selecting a code from the list of codes agreed upon to select (L−1) elements {pi,1, pi,2, . . . , pi,L−1} from me elements {p′1, p′2, . . . , p′L′} to form the residue number system basis β as {pi,1, pi,2, . . . , pi,L, pi,L} for the i-th block, where pi,L=pL; (h) embedding message bit strings into (L−1) integer values mi,l, where l=1, . . . , L−1, such that 0≦mi,l<pl for l=1, . . . , L−1; (i) embedding message bit strings of the code used by the sending correspondent to select the (L−1) elements {pi,1, pi,2, . . . , pi,L−1} for the i-th block into the integer values mi,L, such that 0≦mi,L<pL; (j) computing a set of integer cipher elements ci,l modulo pi,l as ci,l=mi,ld
The receiving correspondent then performs the following, starting with i=0 and repeating steps (n) through (s) to encrypt the i-th block until i>u: (n) generating the integer cipher element ci,L modulo pi,L from the integer Ci as ci,L=Ci mod pi,L; (o) computing the message element values mi,L modulo mi,L=ci,Le
The following alternative embodiment utilizes ECB and hopping of the blind randomization basis, the sending and receiving correspondents both perform the following; (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following: (d) selecting a set of elements {q′1, q′2, . . . , q′J′} where J′ is an integer greater than zero and where the elements {q′1, q′2, . . . , q′J′} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q′1, q′2, . . . , q′J′} being known to the sending correspondent only; starting with i=0, repeating steps (e) through (l) to encrypt the i-th block until i>u: (e) randomly selecting a sub-set of elements {qi,1, qi,2, . . . , qi,J} from the set {q′1, q′2, . . . , q′J′}, where the number of bits needed to represent
is within the upper limit agreed upon by the sending and receiving correspondents; (f) forming the residue number system basis β as {pi,1, pi,2, . . . , pi,L, qi,1, qi,2, . . . , qi,J}; (g) embedding message bit strings into L integer values mi,l, where l=1, . . . , L, such that 0≦mi,l<pl for l=1, . . . , L; (h) computing a set of integer cipher elements ci,l modulo pi,l as ci,l=mi,ld
The receiving correspondent then performs the following, starting with i=0 and repeating steps (m) through (p) to encrypt the i-th block until i>u: (m) generating the integer cipher element ci,L modulo pi,L from the integer Ci as ci,L=Ci mod pi,L; (n) generating the set of integer cipher elements ci,l using the set of elements {pi,1, pi,2, . . . , pi,L} for l=1, . . . , L from the integer Ci as ci,l=Ci mod pi,l for l=1, . . . , L; (o) computing the residue message element values mi,l modulo pi,l as mi,l=ci,le
The following alternative embodiment utilizes ECB and both hopping of the encryption basis and hopping of the blind randomization basis, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p′1, p′2, . . . , p′L′}, where L′ is an integer greater than or equal to one, where the elements {p′1, p′2, . . . , p′L′} are relatively prime with respect to one another and form a part of a shared secret; (b) agreeing on an integer e′lεZp
The sending correspondent then performs the following: (f) selecting a set of elements {q′1, q′2, . . . , q′J′} where J′ is an integer greater than zero and where the elements {q′1, q′2, . . . , q′J′} are relatively prime with respect to one another and which are also relatively prime with respect to the elements {p1, p2, . . . , pL}, the set {q′1, q′2, . . . , q′J′} being known to the sending correspondent only; starting with i=0, repeating steps (g) through (p) to encrypt the i-th block until i>u: (g) selecting a code from the list of codes agreed upon to select (L−1) elements {pi,1, pi,2, . . . , pi,L−1} from the elements {p′1, p′2, . . . , p′L′}; (h) randomly selecting a sub-set of elements {qi,1, qi,2, . . . , qi,J} from the set {q′1, q′2, . . . , q′J′}, where the number of bits needed to represent
is within the upper limit agreed upon by the sending and receiving correspondents; (i) forming the residue number system basis β as {pi,1, pi,2, . . . , pi,L, qi,1, qi,2, . . . , qi,J}; (j) embedding message bit strings into (L−1) integer values mi,l, where l≦1, . . . , l−1, such that 0≦mi,l<pl for l=1, . . . , L−1; (k) embedding message bit strings of the code used by the sending correspondent to select the (L−1) elements {pi,1, pi,2, . . . , pi,L−1} for the i-th block into the integer values mi,L, such that 0≦mi,L<pL; (l) computing a set of integer cipher elements ci,l modulo pit as ci,l=mi,ld
The receiving correspondent then performs the following, starting with i=0 and repeating steps (q) through (v) to encrypt the i-th block until i>u: (q) generating the integer cipher element ci,L modulo pi,L from the integer Ci as ci,L=Ci mod pi,L; (r) computing the message element values mi,L modulo pi,L as mi,L=ci,L·gi,Lk
In the following examples, it is assumed that the maximum block size that can be embedded into the L residue values {m1, m2, . . . , mL} is N, and that the message data bit string length is a multiple of N, such as uN. In other words, the number of blocks is u.
This example uses cipher block chaining (CBC) for block streams. The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer klεZp
The sending correspondent then performs the following: (f) embedding message bit strings of the i-th block into L integer values mi,l, where l=1, . . . , L, such that 0≦mi,l<pl for l=1, . . . , L; (g) computing the set of chained values mi,l for l=1, . . . , L as mci,l=mci-1,l+mi,l; (h) computing a set of integer cipher elements ci,l modulo pl as ci,l=mci,l·(gl−1)k
The receiving correspondent then performs the following: (l) generating the set of integer cipher elements ci,l using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer Ci as ci,l=Ci mod pi,l; (m) computing the message element values mci,l as mcl=cl·glk
The following enhanced embodiment uses CBC for block streams, the sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p1, p2, . . . , pL}, where L is an integer greater than or equal to one, where the elements {p1, p2, . . . , pL} are relatively prime with respect to one another and form a part of a shared secret, and which are further used as a residue number system basis β given as β={p1, p2, . . . , pL}; (b) agreeing on an integer elεZp
The sending correspondent then performs the following, starting with i=0 and repeating steps (e) through (k) until i>u: (e) computing an integer dl for each element pl for l=1, . . . , L, such that eldl mod pl=1; (f) embedding message bit strings into L integer values mi,l, where l=1, . . . , L, such that 0≦mi,l<pl for l=1, . . . , L; (g) computing a set of chained residue values mci,l for l=1, . . . , L as ci,l=mci-1,l; (h) computing a set of integer cipher elements ci,l modulo pl as cl=mi,ld
The receiving correspondent then performs the following, starting with i=0 and repeating steps (l) through ( ) until i>u: (l) generating the set of integer cipher elements ci,l using the set of elements {p1, p2, . . . , pL} for l=1, . . . , L from the integer Ci as ci,l=Ci mod pl; (m) computing the message element values mci,l modulo pl as mci,l=ci,le
The following embodiment also uses CBC for block streams: The sending and receiving correspondents both perform the following: (a) agreeing on a set of elements {p′1, p′2, . . . , p′L′}, where L′ is an integer greater than or equal to one, where the elements {p′1, p′2, . . . , p′L′} are relatively prime with respect to one another and form a part of a shared secret; (b) agreeing on an integer e′lεZp
The sending correspondent then performs the following: (g) computing an integer d′l for each element p′l for l=1, . . . , L, such that e′ld′l mod p′l=1; starting with i=0, repeating steps (h) through (o) to encrypt the i-th block until i>u: (h) selecting a code from the list of codes agreed upon to select (L−1) elements {pi,1, pi,2, . . . pi,L−1} from me elements {p′1, p′2, . . . , p′L′} to form the residue number system basis β as {pi,1, pi,2, . . . pi,L}; (i) embedding message bit strings into (L−1) integer values mi,l, where l=1, . . . , L−1, such that 0≦mi,l<pl for l=1, . . . , L−1; (j) embedding message bit strings of the code used by the sending correspondent to select the (L−1) elements {pi,1, pi,2, . . . pi,L−1} for the i-th block into the integer values mi,L, such that 0≦mi,L<pL; (k) computing a set of chained residue values mci,l for l=1, . . . , L as mci,l=mci-1,l+mi,l; (l) computing a set of integer cipher elements ci,l modulo pl as ci,l=mi,ld
The receiving correspondent then performs the following, starting with i=0 and repeating steps (p) through (w) to encrypt the i-th block until i>u: (p) generating the integer cipher element ci,L modulo pi,L from the integer Ci as ci,L=Ci mod pi,L; (q) computing the message element value mi,L modulo pi,L as mi,L=ci,Le
In several of the above embodiments, the elements of an RNS basis are selected from a predefined set of prime or relatively prime numbers. Assuming that {z′1, z′2, . . . , z′L′} represents a predefined set of prime numbers, then one simple method of using a code to identify the selected elements used in an RNS basis is to use a code with L′ bits. Assuming that the set {z′1, z′2, . . . , z′L′} is ordered in a decreasing value, then there are 2L′ possible subsets of the set {z′1, z′2, . . . , z′L′}, and, thus, there are 2L′ possible RNS bases to choose from. The code to identify which subset is used can be constructed as follows: If the l-th bit of the L′ bit code is set to one, this implies that element z′l is used, and if the l-th bit of the L′ bit code is set to zero, this implies that element z′l is not used.
To ensure random selection, the L′ bit code needs to be generated by a random number generator. Any suitable conventional binary random number generators modulo 2L′ may be used, such as those shown in U.S. Pat. No. 5,077,793, which is hereby incorporated by reference in its entirety.
It should be understood that the calculations may be performed by any suitable computer system, such as that diagrammatically shown in the sole drawing FIGURE. Data is entered into system 100 via any suitable type of user interface 116, and may be stored in memory 112, which may be any suitable type of computer readable and programmable memory. Calculations are performed by processor 114, which may be any suitable type of computer processor and may be displayed to the user on display 118, which may be any suitable type of computer display.
Processor 114 may be associated with, or incorporated into, any suitable type of computing device, for example, a personal computer or a programmable logic controller. The display 118, the processor 114, the memory 112 and any associated computer readable recording media are in communication with one another by any suitable type of data bus, as is well known in the art.
Examples of computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or a semiconductor memory (for example, RAM, ROM, etc.). Examples of magnetic recording apparatus that may be used in addition to memory 112, or in place of memory 112, include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape (MT). Examples of the optical disk include a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc-Read Only Memory), and a CD-R (Recordable)/RW.
In the above, two computational “hard” problems have been used in the design of the cryptography algorithms. These are: integer factorization and the discrete logarithm problem. The integer factorization problem can be stated as follows: given an integer n, find the prime numbers {p1, p2, . . . , pL} such that
The security strength of the protocols described above is based on hiding the RNS basis β. The only information an attacker has to gain knowledge about the basis is the number of bits used to represent the ciphertext, NC. The strength of the above protocols therefore depends on solving the following problem: Given the maximum number of bits used to represent an integer P, Nc, find the integer P and the set {p1, p2, . . . , pL} such that
and P<2N
Thus, finding elements {p1, p2, . . . , pL} of the basis β is equivalent to integer factorization, where only the upper bound of the integer is known. Therefore, one can conclude the following: the security of the RNS-based block cipher is dependent on a well known mathematically hard problem; and the integer to be factorized is not known and the only information that is known is its upper bound. Thus, the security of the above protocols depends on problems that are computationally harder than conventional factorization, since the integer value
is not known. This harder problem is referred to as “blind factorization” in the above. It should be noted that blind integer factorization is an even harder problem to solve than the normal factorization problem.
It will be understood that the methods described herein may be carried out on any cryptographic device, which may be a computer, a PDA, a smart phone, etc.
It is to be understood that the present invention is not limited to the embodiments described above, but encompasses any and all embodiments within the scope of the following claims.
Number | Name | Date | Kind |
---|---|---|---|
4991210 | Chaum | Feb 1991 | A |
5077793 | Falk et al. | Dec 1991 | A |
5345507 | Herzberg et al. | Sep 1994 | A |
6282295 | Young et al. | Aug 2001 | B1 |
6389136 | Young et al. | May 2002 | B1 |
7000110 | Terao | Feb 2006 | B1 |
7088821 | Shaik | Aug 2006 | B2 |
7200225 | Schroeppel | Apr 2007 | B1 |
7995749 | Michaels | Aug 2011 | B2 |
8190892 | Ghouti et al. | May 2012 | B2 |
20020186848 | Shaik | Dec 2002 | A1 |
20030108196 | Kirichenko | Jun 2003 | A1 |
20040223609 | Wu | Nov 2004 | A1 |
20050005125 | Zhang et al. | Jan 2005 | A1 |
20050018851 | Venkatesan et al. | Jan 2005 | A1 |
20050069135 | Brickell | Mar 2005 | A1 |
20060013389 | Harrison et al. | Jan 2006 | A1 |
20060117181 | Brickell | Jun 2006 | A1 |
20070076865 | Lauter et al. | Apr 2007 | A1 |
20100169657 | Ghouti et al. | Jul 2010 | A1 |
Number | Date | Country |
---|---|---|
2503533 | Sep 2012 | EP |
Number | Date | Country | |
---|---|---|---|
20120140920 A1 | Jun 2012 | US |